From f42ac6ccc84d77d1c7cadc9cc294249fe8e5bb11 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 16 Aug 2024 10:37:32 +0200 Subject: [PATCH 01/47] initial release --- .../MSFT_AADPasswordRuleSettings.psm1 | 483 ++++++++++++++++++ .../MSFT_AADPasswordRuleSettings.schema.mof | 19 + .../MSFT_AADPasswordRuleSettings/Readme.md | 5 + .../settings.json | 45 ++ ...ft365DSC.AADPasswordRuleSettings.Tests.ps1 | 457 +++++++++++++++++ 5 files changed, 1009 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/Readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 new file mode 100644 index 0000000000..0e220677eb --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 
@@ -0,0 +1,483 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + [ValidateSet('Yes')] + $IsSingleInstance, + + [Parameter()] + [System.UInt32] + $LockoutThreshold, + + [Parameter()] + [System.UInt32] + $LockoutDurationInSeconds, + + [Parameter()] + [System.Boolean] + $EnableBannedPasswordCheck, + + [Parameter()] + [System.String[]] + $BannedPasswordList, + + [Parameter()] + [System.Boolean] + $EnableBannedPasswordCheckOnPremises, + + [Parameter()] + [validateset('Enforced', 'Audit')] + [System.String] + $BannedPasswordCheckOnPremisesMode, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message 'Getting configuration of AzureAD Groups Settings' + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullReturn = $PSBoundParameters + $nullReturn.Ensure = 'Absent' + try + { + $Policy = Get-MgBetaDirectorySetting -All | Where-Object -FilterScript { $_.DisplayName -eq 'Password Rule Settings' } + + if ($null -eq $Policy) + { + return $nullReturn + } + else + { + Write-Verbose -Message 'Found existing AzureAD DirectorySetting for Password Rule Settings' + $valueBannedPasswordCheckOnPremisesMode = $Policy.Values | Where-Object -FilterScript {$_.Name -eq 'BannedPasswordCheckOnPremisesMode'} + $valueEnableBannedPasswordCheckOnPremises = $Policy.Values | Where-Object -FilterScript {$_.Name -eq 'EnableBannedPasswordCheckOnPremises'} + $valueEnableBannedPasswordCheck = $Policy.Values | Where-Object -FilterScript {$_.Name -eq 'EnableBannedPasswordCheck'} + $valueLockoutDurationInSeconds = $Policy.Values | Where-Object -FilterScript {$_.Name -eq 'LockoutDurationInSeconds'} + $valueLockoutThreshold = $Policy.Values | Where-Object -FilterScript {$_.Name -eq 'LockoutThreshold'} + $valueBannedPasswordList = $Policy.Values | Where-Object -FilterScript {$_.Name -eq 'BannedPasswordList'} + + $result = @{ + IsSingleInstance = 'Yes' + BannedPasswordCheckOnPremisesMode = $valueBannedPasswordCheckOnPremisesMode.Value + EnableBannedPasswordCheckOnPremises = [Boolean]::Parse($valueEnableBannedPasswordCheckOnPremises.Value) + EnableBannedPasswordCheck = [Boolean]::Parse($valueEnableBannedPasswordCheck.Value) + LockoutDurationInSeconds = $valueLockoutDurationInSeconds.Value + LockoutThreshold = $valueLockoutThreshold.Value + BannedPasswordList = $valueBannedPasswordList.Value -split "`t" # list is tab-delimited + Ensure = 'Present' 
+ ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Credential = $Credential + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)" + return $result + } + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullReturn + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + [ValidateSet('Yes')] + $IsSingleInstance, + + [Parameter()] + [System.UInt32] + $LockoutThreshold, + + [Parameter()] + [System.UInt32] + $LockoutDurationInSeconds, + + [Parameter()] + [System.Boolean] + $EnableBannedPasswordCheck, + + [Parameter()] + [System.String[]] + $BannedPasswordList, + + [Parameter()] + [System.Boolean] + $EnableBannedPasswordCheckOnPremises, + + [Parameter()] + [validateset('Enforced', 'Audit')] + [System.String] + $BannedPasswordCheckOnPremisesMode, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message 'Setting configuration of Azure AD Groups Settings' + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentPolicy = Get-TargetResource @PSBoundParameters + + # Policy should exist but it doesn't + $needToUpdate = $false + if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent') + { + $template = Get-MgBetaDirectorySettingTemplate -All | Where-Object -FilterScript {$_.Displayname -eq 'Password Rule Settings'} + $Policy = New-MgBetaDirectorySetting -TemplateId $template.Id | Out-Null + $needToUpdate = $true + } + + $Policy = Get-MgBetaDirectorySetting -All | Where-Object -FilterScript { $_.DisplayName -eq 'Password Rule Settings' } + + if (($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') -or $needToUpdate) + { + $index = 0 + foreach ($property in $Policy.Values) + { + if ($property.Name -eq 'LockoutThreshold') + { + $entry = $Policy.Values | Where-Object -FilterScript {$_.Name -eq $property.Name} + $entry.Value = $LockoutThreshold + } + elseif ($property.Name -eq 'LockoutDurationInSeconds') + { + $entry = $Policy.Values | Where-Object -FilterScript {$_.Name -eq $property.Name} + $entry.Value = $LockoutDurationInSeconds + } + elseif ($property.Value -eq 'EnableBannedPasswordCheck') + { + $entry = $Policy.Values | Where-Object -FilterScript {$_.Name -eq $property.Name} + $entry.Value = [System.Boolean]$EnableBannedPasswordCheck + } + elseif ($property.Value -eq 'BannedPasswordList') + { + $entry = $Policy.Values | Where-Object -FilterScript {$_.Name -eq $property.Name} + $entry.Value = $BannedPasswordList -join "`t" + } + elseif ($property.Value -eq 'EnableBannedPasswordCheckOnPremises') + { + $entry = $Policy.Values | Where-Object -FilterScript {$_.Name -eq $property.Name} + 
$entry.Value = [System.Boolean]$EnableBannedPasswordCheckOnPremises + } + elseif ($property.Value -eq 'BannedPasswordCheckOnPremisesMode') + { + $entry = $Policy.Values | Where-Object -FilterScript {$_.Name -eq $property.Name} + $entry.Value = $BannedPasswordCheckOnPremisesMode + } + $index++ + } + + Write-Verbose -Message "Updating Policy's Values with $($Policy.Values | Out-String)" + Update-MgBetaDirectorySetting -DirectorySettingId $Policy.id -Values $Policy.Values | Out-Null + } + elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present') + { + Write-Verbose -Message "An existing Directory Setting entry exists, and we don't allow to have it removed." + throw 'The AADPasswordRuleSettings resource cannot delete existing Directory Setting entries. Please specify Present.' + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + [ValidateSet('Yes')] + $IsSingleInstance, + + [Parameter()] + [System.UInt32] + $LockoutThreshold, + + [Parameter()] + [System.UInt32] + $LockoutDurationInSeconds, + + [Parameter()] + [System.Boolean] + $EnableBannedPasswordCheck, + + [Parameter()] + [System.String[]] + $BannedPasswordList, + + [Parameter()] + [System.Boolean] + $EnableBannedPasswordCheckOnPremises, + + [Parameter()] + [validateset('Enforced', 'Audit')] + [System.String] + $BannedPasswordCheckOnPremisesMode, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + + #Ensure the proper 
dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message 'Testing configuration of AzureAD Password Rule Settings' + + $CurrentValues = Get-TargetResource @PSBoundParameters + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $ValuesToCheck = $PSBoundParameters + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $Params = @{ + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + IsSingleInstance = 'Yes' + ApplicationSecret = $ApplicationSecret + Credential = $Credential + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + $dscContent = '' + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof new file mode 100644 index 0000000000..7fd52a97e9 --- /dev/null 
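Review bot: In Set-TargetResource the last four branches of the foreach compare `$property.Value` instead of `$property.Name` (`elseif ($property.Value -eq 'EnableBannedPasswordCheck')` and the three that follow), so EnableBannedPasswordCheck, BannedPasswordList, EnableBannedPasswordCheckOnPremises and BannedPasswordCheckOnPremisesMode are never written to the tenant: a configuration that turns the banned-password check on is silently not applied while Test keeps reporting drift; change each of those four comparisons to `$property.Name -eq`. The branches that do match write the parameter unconditionally, so a configuration that omits LockoutThreshold or EnableBannedPasswordCheck pushes the PowerShell defaults (0 and $false) into the tenant and weakens the policy; guard each assignment with `if ($PSBoundParameters.ContainsKey('LockoutThreshold'))` (or only touch entries whose Name is a bound parameter). Get-TargetResource calls `[Boolean]::Parse` on the raw setting value, which throws on an empty value, is caught, and comes back as Ensure = 'Absent', after which Set creates a second setting from the template — presumably Graph always populates these values, but worth confirming. The verbose messages in Get and Set still say 'Groups Settings', and `$index` is incremented but never used.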
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof 
@@ -0,0 +1,19 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADPasswordRuleSettings")] +class MSFT_AADPasswordRuleSettings : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("The number of failed login attempts before the first lockout period begins.")] UInt32 LockoutThreshold; + [Write, Description("The duration in seconds of the initial lockout period.")] UInt32 LockoutDurationInSeconds; + [Write, Description("Boolean indicating if the banned password check for tenant specific banned password list is turned on or not.")] Boolean EnableBannedPasswordCheck; + [Write, Description("A list of banned words in passwords.")] String[] BannedPasswordList; + [Write, Description("How should we enforce password policy check in on-premises system.")] Boolean BannedPasswordCheckOnPremisesMode; + [Write, Description("Boolean indicating if the banned password check is turned on or not for on-premises system.")] Boolean EnableBannedPasswordCheckOnPremises; + [Write, Description("Specify if the Azure AD Password Rule Settings should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; + [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean 
ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/Readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/Readme.md new file mode 100644 index 0000000000..94efd9bcd6 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/Readme.md @@ -0,0 +1,5 @@ +# AADPasswordRuleSettings + +## Description + +This resource configures the Azure Active Directory Password Rule Settings. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json new file mode 100644 index 0000000000..f2fcba1008 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/settings.json @@ -0,0 +1,45 @@ +{ + "resourceName": "AADGroupsSettings", + "description": "This resource configures the Azure Active Directory Password Rule Settings.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "Directory.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "Directory.Read.All" + }, + { + "name": "Directory.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "Directory.Read.All" + } + ], + "update": [ + { + "name": "Directory.Read.All" + }, + { + "name": "Directory.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 new file mode 100644 index 0000000000..14f15f107b --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 
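Review bot: BannedPasswordCheckOnPremisesMode is declared as `Boolean` in the schema, while the psm1 parameter is a `[System.String]` validated against 'Enforced'/'Audit' and Get-TargetResource returns the raw string value, so a configuration assigning 'Audit' cannot compile against this MOF; declare it as `[Write, Description("How should we enforce password policy check in on-premises system."), ValueMap{"Enforced","Audit"}, Values{"Enforced","Audit"}] String BannedPasswordCheckOnPremisesMode;`. The ValueMap also gives the schema the same allowed-value contract the psm1 enforces, so drift between the two is caught at compile time rather than at apply time.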
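Review bot: `"resourceName": "AADGroupsSettings"` in settings.json still carries the name of the resource this was copied from, so any tooling that keys permissions or roles on this file attributes the Directory.ReadWrite.All requirement to the wrong resource; change it to `"resourceName": "AADPasswordRuleSettings"`. The delegated read set also lists `Group.Read.All`, which nothing in the psm1 uses — the resource only calls Get-MgBetaDirectorySetting and Get-MgBetaDirectorySettingTemplate — so it should be dropped to keep the requested scope minimal. Both `roles` arrays are empty; if a directory role is needed to edit this setting in addition to the Graph scope, that is a gap to confirm.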
@@ -0,0 +1,457 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource 'AADGroupsSettings' -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDirectorySetting -MockWith { + } + + Mock -CommandName Remove-MgBetaDirectorySetting -MockWith { + } + + Mock -CommandName New-MgBetaDirectorySetting -MockWith { + } + Mock -CommandName Get-MgBetaDirectorySettingTemplate -MockWith { + return @{ + DisplayName = 'Password Rule Settings' + Id = '123456-1234-1234-1234-123456789012' + TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d' + Values = @( + @{ + Name = 'BannedPasswordCheckOnPremisesMode' + DefaultValue = 'Audit' + }, + @{ + Name = 'EnableBannedPasswordCheckOnPremises' + DefaultValue = $true + }, + @{ + Name = 'EnableBannedPasswordCheck' + DefaultValue = $true + }, + @{ + Name = 'LockoutDurationInSeconds' + DefaultValue = 60 + }, + @{ + Name = 'LockoutThreshold' + DefaultValue = 10 + }, + @{ + 
Name = 'BannedPasswordList' + DefaultValue = $null + } + ) + } + } + + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + Context -Name 'The Policy should exist but it DOES NOT' -Fixture { + BeforeAll { + $Script:calledOnceAlready = $false + $testParams = @{ + BannedPasswordCheckOnPremisesMode = 'Audit' + EnableBannedPasswordCheckOnPremises = $false + EnableBannedPasswordCheck = $false + LockoutDurationInSeconds = 30 + LockoutThreshold = 6 + Ensure = 'Present' + Credential = $Credential + IsSingleInstance = 'Yes' + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + } + + BeforeEach { + Mock -CommandName Get-MgBetaDirectorySetting -MockWith { + if (-not $Script:calledOnceAlready) + { + $Script:calledOnceAlready = $true + return $null + } + else + { + return @{ + DisplayName = 'Password Rule Settings' + Id = '123456-1234-1234-1234-123456789012' + TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d' + Values = @( + @{ + Name = 'BannedPasswordCheckOnPremisesMode' + Value = 'Audit' + }, + @{ + Name = 'EnableBannedPasswordCheckOnPremises' + Value = $true + }, + @{ + Name = 'EnableBannedPasswordCheck' + Value = $true + }, + @{ + Name = 'LockoutDurationInSeconds' + Value = 60 + }, + @{ + Name = 'LockoutThreshold' + Value = 10 + }, + @{ + Name = 'BannedPasswordList' + Value = $null + } + ) + } + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + Should -Invoke -CommandName 'Get-MgBetaDirectorySetting' -Exactly 1 + } + + It 'Should return true from the Test method' { + $Script:calledOnceAlready = $false + Test-TargetResource @testParams | Should -Be $false + } + BeforeEach { + Mock -CommandName Get-MgBetaDirectorySetting -MockWith { + if (-not $Script:calledOnceAlready) + { + $Script:calledOnceAlready = $true + return $null + } + 
else + { + return @{ + DisplayName = 'Password Rule Settings' + Id = '123456-1234-1234-1234-123456789012' + TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d' + Values = @( + @{ + Name = 'BannedPasswordCheckOnPremisesMode' + Value = 'Audit' + }, + @{ + Name = 'EnableBannedPasswordCheckOnPremises' + Value = $true + }, + @{ + Name = 'EnableBannedPasswordCheck' + Value = $true + }, + @{ + Name = 'LockoutDurationInSeconds' + Value = 60 + }, + @{ + Name = 'LockoutThreshold' + Value = 10 + }, + @{ + Name = 'BannedPasswordList' + Value = $null + } + ) + } + } + } + } + It 'Should create and set the settings in the Set method' { + $Script:calledOnceAlready = $false + Set-TargetResource @testParams + Should -Invoke -CommandName 'New-MgBetaDirectorySetting' -Exactly 1 + Should -Invoke -CommandName 'Update-MgBetaDirectorySetting' -Exactly 1 + } + } + + Context -Name 'The Policy exists but it SHOULD NOT' -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaDirectorySetting -MockWith { + return @{ + DisplayName = 'Password Rule Settings' + Id = '123456-1234-1234-1234-123456789012' + TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d' + Values = @( + @{ + Name = 'BannedPasswordCheckOnPremisesMode' + Value = 'Audit' + }, + @{ + Name = 'EnableBannedPasswordCheckOnPremises' + Value = $true + }, + @{ + Name = 'EnableBannedPasswordCheck' + Value = $true + }, + @{ + Name = 'LockoutDurationInSeconds' + Value = 60 + }, + @{ + Name = 'LockoutThreshold' + Value = 10 + }, + @{ + Name = 'BannedPasswordList' + Value = $null + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + Should -Invoke -CommandName 'Get-MgBetaDirectorySetting' -Exactly 1 + } + + It 'Should return false from the Test method' { + Test-TargetResource 
@testParams | Should -Be $false + } + + It 'Should Prevent Remove the Policy from the Set method' { + { Set-TargetResource @testParams } | Should -Throw 'The AADPasswordRuleSettings resource cannot delete existing Directory Setting entries. Please specify Present.' + } + } + Context -Name 'The Policy Exists and Values are already in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + BannedPasswordCheckOnPremisesMode = 'Audit' + EnableBannedPasswordCheckOnPremises = $false + EnableBannedPasswordCheck = $false + LockoutDurationInSeconds = 30 + LockoutThreshold = 6 + BannedPasswordList = $null + Ensure = 'Present' + Credential = $Credential + IsSingleInstance = 'Yes' + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaDirectorySetting -MockWith { + return @{ + DisplayName = 'Password Rule Settings' + Id = '123456-1234-1234-1234-123456789012' + TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d' + Values = @( + @{ + Name = 'BannedPasswordCheckOnPremisesMode' + Value = 'Audit' + }, + @{ + Name = 'EnableBannedPasswordCheckOnPremises' + Value = $false + }, + @{ + Name = 'EnableBannedPasswordCheck' + Value = $false + }, + @{ + Name = 'LockoutDurationInSeconds' + Value = 30 + }, + @{ + Name = 'LockoutThreshold' + Value = 6 + }, + @{ + Name = 'BannedPasswordList' + Value = $null + } + ) + } + } + + } + + It 'Should return Values from the Get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaDirectorySetting' -Exactly 1 + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name 'Values are NOT in the desired state' -Fixture { + BeforeAll { + $testParams = @{ + BannedPasswordCheckOnPremisesMode = 'Audit' + EnableBannedPasswordCheckOnPremises = $false + EnableBannedPasswordCheck = $false + LockoutDurationInSeconds = 30 + LockoutThreshold = 6 + BannedPasswordList = $null + Ensure = 'Present' 
+ Credential = $Credential + IsSingleInstance = 'Yes' + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Get-MgBetaDirectorySetting -MockWith { + return @{ + DisplayName = 'Password Rule Settings' + Id = '123456-1234-1234-1234-123456789012' + TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d' + Values = @( + @{ + Name = 'BannedPasswordCheckOnPremisesMode' + Value = 'Enforced' + }, + @{ + Name = 'EnableBannedPasswordCheckOnPremises' + Value = $true + }, + @{ + Name = 'EnableBannedPasswordCheck' + Value = $true + }, + @{ + Name = 'LockoutDurationInSeconds' + Value = 60 + }, + @{ + Name = 'LockoutThreshold' + Value = 10 + }, + @{ + Name = 'BannedPasswordList' + Value = $null + } + ) + } + } + } + } + + It 'Should return Values from the Get method' { + Get-TargetResource @testParams + Should -Invoke -CommandName 'Get-MgBetaDirectorySetting' -Exactly 1 + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'Update-MgBetaDirectorySetting' -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDirectorySetting -MockWith { + return @{ + DisplayName = 'Password Rule Settings' + Id = '123456-1234-1234-1234-123456789012' + TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d' + Values = @( + @{ + Name = 'BannedPasswordCheckOnPremisesMode' + Value = 'Audit' + }, + @{ + Name = 'EnableBannedPasswordCheckOnPremises' + Value = $false + }, + @{ + Name = 'EnableBannedPasswordCheck' + Value = $false + }, + @{ + Name = 'LockoutDurationInSeconds' + Value = 30 + }, + @{ + Name = 'LockoutThreshold' + Value = 6 + }, + @{ + Name = 'BannedPasswordList' + Value = $null + } + ) 
+ } + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + } + + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 161fb05c9ea058fc533e06223c2cdc4134c2d87d Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 16 Aug 2024 10:57:22 +0200 Subject: [PATCH 02/47] fixed mof --- .../MSFT_AADPasswordRuleSettings.schema.mof | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof index 7fd52a97e9..353e64c585 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof 
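Review bot: The 'Values are NOT in the desired state' context only asserts `Should -Invoke -CommandName 'Update-MgBetaDirectorySetting' -Exactly 1` and never inspects what was passed, so the suite passes even though Set-TargetResource's later branches match on `$property.Value` and never update the banned-password settings; add a `-ParameterFilter { ($Values | Where-Object Name -eq 'EnableBannedPasswordCheck').Value -eq $false }` to the invocation check so the assertion pins the written value. Every mock returns `BannedPasswordList = $null`, so the tab-delimited split in Get and join in Set are never exercised; one context with a populated list (for example `Value = "contoso`tfabrikam"` expecting a two-element array back) would cover that path. The test named 'Should return true from the Test method' in the first context actually asserts `$false`; rename it to 'Should return false from the Test method'. The second BeforeEach in that context duplicates the first mock and can be removed.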
@@ -5,7 +5,7 @@ class MSFT_AADPasswordRuleSettings : OMI_BaseResource [Write, Description("The number of failed login attempts before the first lockout period begins.")] UInt32 LockoutThreshold; [Write, Description("The duration in seconds of the initial lockout period.")] UInt32 LockoutDurationInSeconds; [Write, Description("Boolean indicating if the banned password check for tenant specific banned password list is turned on or not.")] Boolean EnableBannedPasswordCheck; - [Write, Description("A list of banned words in passwords.")] String[] BannedPasswordList; + [Write, Description("A list of banned words in passwords.")] String BannedPasswordList[]; [Write, Description("How should we enforce password policy check in on-premises system.")] Boolean BannedPasswordCheckOnPremisesMode; [Write, Description("Boolean indicating if the banned password check is turned on or not for on-premises system.")] Boolean EnableBannedPasswordCheckOnPremises; [Write, Description("Specify if the Azure AD Password Rule Settings should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; From 36b8c5d61652984da6df41ea5c293600cba300cf Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 16 Aug 2024 12:33:51 +0200 Subject: [PATCH 03/47] fixed unittest --- .../Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 index 14f15f107b..33bf15a0d1 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 
@@ -15,7 +15,7 @@ Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` -Resolve) $Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` - -DscResource 'AADGroupsSettings' -GenericStubModule $GenericStubPath + -DscResource 'AADPasswordRuleSettings' -GenericStubModule $GenericStubPath Describe -Name $Global:DscHelper.DescribeHeader -Fixture { InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope @@ -380,7 +380,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } ) } - } } } From a6f1da1ab245add344d4bce61bcbd2ec57b70a56 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 16 Aug 2024 12:59:56 +0200 Subject: [PATCH 04/47] added example --- .../AADPasswordRulesSettings/1-Update.ps1 | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADPasswordRulesSettings/1-Update.ps1 diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRulesSettings/1-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRulesSettings/1-Update.ps1 new file mode 100644 index 0000000000..dcb58a5fa6 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRulesSettings/1-Update.ps1 
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADPasswordRuleSettings 'GeneralPasswordRuleSettings' + { + IsSingleInstance = "Yes" + LockoutThreshold = 6 + LockoutDurationInSeconds = 30 + BannedPasswordCheckOnPremisesMode = 'Audit' + EnableBannedPasswordCheckOnPremises = $false + EnableBannedPasswordCheck = $false + BannedPasswordList = $null + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} From 1cd8a1d3f1e1ccedfd578e056218a9a70d079d74 Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 16 Aug 2024 13:05:00 +0200 Subject: [PATCH 05/47] fixed misspelled foldername for example --- .../AADPasswordRuleSettings/1-Update.ps1 | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADPasswordRuleSettings/1-Update.ps1 diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRuleSettings/1-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRuleSettings/1-Update.ps1 new file mode 100644 index 0000000000..dcb58a5fa6 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRuleSettings/1-Update.ps1 
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADPasswordRuleSettings 'GeneralPasswordRuleSettings' + { + IsSingleInstance = "Yes" + LockoutThreshold = 6 + LockoutDurationInSeconds = 30 + BannedPasswordCheckOnPremisesMode = 'Audit' + EnableBannedPasswordCheckOnPremises = $false + EnableBannedPasswordCheck = $false + BannedPasswordList = $null + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} From e6668e73fa26c55cc421c3c8cc3c424ab6d2ccdf Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 16 Aug 2024 13:05:46 +0200 Subject: [PATCH 06/47] remove misspelled example-folder --- .../AADPasswordRulesSettings/1-Update.ps1 | 40 ------------------- 1 file changed, 40 deletions(-) delete mode 100644 Modules/Microsoft365DSC/Examples/Resources/AADPasswordRulesSettings/1-Update.ps1 diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRulesSettings/1-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRulesSettings/1-Update.ps1 deleted file mode 100644 index dcb58a5fa6..0000000000 --- a/Modules/Microsoft365DSC/Examples/Resources/AADPasswordRulesSettings/1-Update.ps1 +++ /dev/null 
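Review bot: `BannedPasswordList = $null` in the AADPasswordRuleSettings block is likely to fail when the configuration is compiled to MOF, since a DSC resource property cannot be assigned a null value; either omit the property or pass an empty array, `BannedPasswordList = @()`, and confirm against the compiler. The lockout values deserve a second look as well: `LockoutDurationInSeconds = 30` sits below the 60-second minimum that Entra smart lockout enforces, if I recall the service limits correctly, so the example would be rejected on apply, and a 6-attempt threshold with a sub-minute lockout is a weak baseline even for a showcase. The identical file added under the misspelled folder in PATCH 04 (and removed in PATCH 06) has the same two issues.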
@@ -1,40 +0,0 @@ -<# -This example is used to test new resources and showcase the usage of new resources being worked on. -It is not meant to use as a production baseline. -#> - -Configuration Example -{ - param( - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.String] - $CertificateThumbprint - ) - Import-DscResource -ModuleName Microsoft365DSC - - node localhost - { - AADPasswordRuleSettings 'GeneralPasswordRuleSettings' - { - IsSingleInstance = "Yes" - LockoutThreshold = 6 - LockoutDurationInSeconds = 30 - BannedPasswordCheckOnPremisesMode = 'Audit' - EnableBannedPasswordCheckOnPremises = $false - EnableBannedPasswordCheck = $false - BannedPasswordList = $null - Ensure = "Present" - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - } - } -} From 15c84dc643a0d238f19898ca12ee998207aa1c9e Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Fri, 16 Aug 2024 13:21:45 +0200 Subject: [PATCH 07/47] fixed mof for parameter BannedPasswordCheckOnPremisesMode --- .../MSFT_AADPasswordRuleSettings.schema.mof | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof index 353e64c585..1356eee844 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.schema.mof 
@@ -6,7 +6,7 @@ class MSFT_AADPasswordRuleSettings : OMI_BaseResource
 [Write, Description("The duration in seconds of the initial lockout period.")] UInt32 LockoutDurationInSeconds;
 [Write, Description("Boolean indicating if the banned password check for tenant specific banned password list is turned on or not.")] Boolean EnableBannedPasswordCheck;
 [Write, Description("A list of banned words in passwords.")] String BannedPasswordList[];
- [Write, Description("How should we enforce password policy check in on-premises system.")] Boolean BannedPasswordCheckOnPremisesMode;
+ [Write, Description("How should we enforce password policy check in on-premises system.")] String BannedPasswordCheckOnPremisesMode;
 [Write, Description("Boolean indicating if the banned password check is turned on or not for on-premises system.")] Boolean EnableBannedPasswordCheckOnPremises;
 [Write, Description("Specify if the Azure AD Password Rule Settings should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
 [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;
From 9500772f5da702ab84dbc501fcc889ed8e8fc260 Mon Sep 17 00:00:00 2001
From: salbeck-sit
Date: Fri, 16 Aug 2024 13:58:49 +0200
Subject: [PATCH 08/47] removed usage of Get-MgBetaDirectorySettingTemplate
---
 .../MSFT_AADPasswordRuleSettings.psm1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1
index 0e220677eb..2f293f01f6 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1
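Review bot: `String BannedPasswordCheckOnPremisesMode` is now the right type but still carries no value constraint, so the schema accepts any string while the resource only understands the two on-premises modes; constrain it the way Ensure is constrained two lines below, mirroring the resource module's ValidateSet: `[Write, Description("How should we enforce password policy check in on-premises system."), ValueMap{"Enforced","Audit"}, Values{"Enforced","Audit"}] String BannedPasswordCheckOnPremisesMode;`. Without the ValueMap a typo in a configuration compiles cleanly and only fails at apply time. The description could also name the allowed values, e.g. `Mode of the on-premises banned password check: Audit only logs, Enforced rejects the password.`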
@@ -227,8 +227,8 @@ function Set-TargetResource
 $needToUpdate = $false
 if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent')
 {
- $template = Get-MgBetaDirectorySettingTemplate -All | Where-Object -FilterScript {$_.Displayname -eq 'Password Rule Settings'}
- $Policy = New-MgBetaDirectorySetting -TemplateId $template.Id | Out-Null
+ #$template = Get-MgBetaDirectorySettingTemplate -All | Where-Object -FilterScript {$_.Displayname -eq 'Password Rule Settings'}
+ $Policy = New-MgBetaDirectorySetting -TemplateId '5cf42378-d67d-4f36-ba46-e8b86229381d' | Out-Null
 $needToUpdate = $true
 }
From 18d022f8b154b9a42d8add393600d5a722bd3702 Mon Sep 17 00:00:00 2001
From: salbeck-sit
Date: Fri, 16 Aug 2024 14:34:16 +0200
Subject: [PATCH 09/47] also removed cmdlet Get-MgBetaDirectorySettingTemplate from unittest
---
 ...ft365DSC.AADPasswordRuleSettings.Tests.ps1 | 34 -------------------
 1 file changed, 34 deletions(-)
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1
index 33bf15a0d1..28d5984aa9 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADPasswordRuleSettings.Tests.ps1
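Review bot: `$Policy = New-MgBetaDirectorySetting -TemplateId '5cf42378-d67d-4f36-ba46-e8b86229381d' | Out-Null` never assigns anything, because `Out-Null` discards the cmdlet's output and `$Policy` is left `$null`; either keep the created object by dropping the pipe, `$Policy = New-MgBetaDirectorySetting -TemplateId '5cf42378-d67d-4f36-ba46-e8b86229381d'`, or drop the assignment if the result is not needed. The commented-out `#$template = ...` lookup should be removed rather than kept as dead code, and the literal GUID should get a short comment naming it, e.g. `# Id of the built-in 'Password Rule Settings' directory setting template`, so the next reader does not have to look it up. Set-TargetResource starts and ends outside the hunk, so whether `$Policy` is read later is not visible here.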
@@ -41,40 +41,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName New-MgBetaDirectorySetting -MockWith { } - Mock -CommandName Get-MgBetaDirectorySettingTemplate -MockWith { - return @{ - DisplayName = 'Password Rule Settings' - Id = '123456-1234-1234-1234-123456789012' - TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d' - Values = @( - @{ - Name = 'BannedPasswordCheckOnPremisesMode' - DefaultValue = 'Audit' - }, - @{ - Name = 'EnableBannedPasswordCheckOnPremises' - DefaultValue = $true - }, - @{ - Name = 'EnableBannedPasswordCheck' - DefaultValue = $true - }, - @{ - Name = 'LockoutDurationInSeconds' - DefaultValue = 60 - }, - @{ - Name = 'LockoutThreshold' - DefaultValue = 10 - }, - @{ - Name = 'BannedPasswordList' - DefaultValue = $null - } - ) - } - } - # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { From 2e0dbf8c08e1c9a3fbb6adcb53f81245fb105425 Mon Sep 17 00:00:00 2001 From: AtFabianW Date: Thu, 29 Aug 2024 15:39:54 +0200 Subject: [PATCH 10/47] Add support for AccountTransferEnabled parameter --- CHANGELOG.md | 3 +++ .../MSFT_EXOOwaMailboxPolicy.psm1 | 13 +++++++++++++ .../MSFT_EXOOwaMailboxPolicy.schema.mof | 1 + 3 files changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 332ce5de54..147adf795e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Change log for Microsoft365DSC +* EXOOwaMailboxPolicy + * Add support for AccountTransferEnabled parameter + # 1.24.828.1 * AADAdministrativeUnit diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOwaMailboxPolicy/MSFT_EXOOwaMailboxPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOwaMailboxPolicy/MSFT_EXOOwaMailboxPolicy.psm1 index a87e051558..2ccf08d877 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOwaMailboxPolicy/MSFT_EXOOwaMailboxPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOwaMailboxPolicy/MSFT_EXOOwaMailboxPolicy.psm1 
@@ -9,6 +9,10 @@ function Get-TargetResource [System.String] $Name, + [Parameter()] + [System.Boolean] + $AccountTransferEnabled, + [Parameter()] [ValidateSet('Allow', 'ForceSave', 'Block')] [System.String] @@ -434,6 +438,7 @@ function Get-TargetResource { $result = @{ Name = $OwaMailboxPolicy.Name + AccountTransferEnabled = $OwaMailboxPolicy.AccountTransferEnabled ActionForUnknownFileAndMIMETypes = $OwaMailboxPolicy.ActionForUnknownFileAndMIMETypes ActiveSyncIntegrationEnabled = $OwaMailboxPolicy.ActiveSyncIntegrationEnabled AdditionalAccountsEnabled = $OwaMailboxPolicy.AdditionalAccountsEnabled @@ -556,6 +561,10 @@ function Set-TargetResource [System.String] $Name, + [Parameter()] + [System.Boolean] + $AccountTransferEnabled, + [Parameter()] [ValidateSet('Allow', 'ForceSave', 'Block')] [System.String] @@ -1015,6 +1024,10 @@ function Test-TargetResource [System.String] $Name, + [Parameter()] + [System.Boolean] + $AccountTransferEnabled, + [Parameter()] [ValidateSet('Allow', 'ForceSave', 'Block')] [System.String] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOwaMailboxPolicy/MSFT_EXOOwaMailboxPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOwaMailboxPolicy/MSFT_EXOOwaMailboxPolicy.schema.mof index 2388eeb9c1..63d4455764 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOwaMailboxPolicy/MSFT_EXOOwaMailboxPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOOwaMailboxPolicy/MSFT_EXOOwaMailboxPolicy.schema.mof 
@@ -2,6 +2,7 @@ class MSFT_EXOOwaMailboxPolicy : OMI_BaseResource { [Key, Description("The Name parameter specifies the unique name for the policy. The maximum length is 64 characters.")] String Name; + [Write, Description("The AccountTransferEnabled parameter specifies whether to enable or disable QR code sign-in. By default, QR code sign-in is enabled.")] Boolean AccountTransferEnabled; [Write, Description("The ActionForUnknownFileAndMIMETypes parameter specifies how to handle file types that aren't specified in the Allow, Block, and Force Save lists for file types and MIME types"), ValueMap{"Allow","ForceSave","Block"}, Values{"Allow","ForceSave","Block"}] String ActionForUnknownFileAndMIMETypes; [Write, Description("The ActiveSyncIntegrationEnabled parameter specifies whether to enable or disable Exchange ActiveSync settings in Outlook on the web. ")] Boolean ActiveSyncIntegrationEnabled; [Write, Description("No description available.")] Boolean AdditionalAccountsEnabled; From 539f3755f9ed2786de2e1547f5913e0b5fb537fb Mon Sep 17 00:00:00 2001 
From: Piyush Dubey Date: Mon, 2 Sep 2024 17:05:49 +0530 Subject: [PATCH 11/47] EXOMangementScope Initial Release --- CHANGELOG.md | 2 + .../MSFT_EXOManagementScope.psm1 | 416 ++++++++++++++++++ .../MSFT_EXOManagementScope.schema.mof | 16 + .../MSFT_EXOManagementScope/readme.md | 6 + .../MSFT_EXOManagementScope/settings.json | 33 ++ .../Resources/EXOManagementScope/1-Create.ps1 | 26 ++ .../Resources/EXOManagementScope/2-Update.ps1 | 34 ++ .../Resources/EXOManagementScope/3-Remove.ps1 | 35 ++ ...crosoft365DSC.EXOManagementScope.Tests.ps1 | 210 +++++++++ Tests/Unit/Stubs/Microsoft365.psm1 | 96 ++++ 10 files changed, 874 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOManagementScope.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 24b85d6bd6..6d0b75b9cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ # UNRELEASED +* EXOManagementScope + * Initial Release. * EXOSweepRule * Initial Release. * M365DSCDRGUtil diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.psm1 new file mode 100644 index 0000000000..33a84bd0b3 --- /dev/null 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.psm1 
@@ -0,0 +1,416 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.String] + $RecipientRestrictionFilter, + + [Parameter()] + [System.String] + $RecipientRoot, + + [Parameter()] + [System.Boolean] + $Exclusive, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + ##TODO - Replace the workload by the one associated to your resource + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + ##TODO - Replace the PrimaryKey in the Filter by the one for the resource + $ManagementScope = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} + } + else + { + ##TODO - Replace the cmdlet by the one to retrieve a specific instance. 
+ $ManagementScope = Get-ManagementScope -Identity $Identity -ErrorAction Stop + } + if ($null -eq $ManagementScope) + { + return $nullResult + } + + $results = @{ + ##TODO - Add the list of parameters to be returned + Identity = $Identity + Name = $ManagementScope.Name + RecipientRestrictionFilter = $ManagementScope.RecipientFilter + RecipientRoot = $ManagementScope.RecipientRoot + Exclusive = $ManagementScope.Exclusive + Ensure = "Present" + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.String] + $RecipientRestrictionFilter, + + [Parameter()] + [System.String] + $RecipientRoot, + + [Parameter()] + [System.Boolean] + $Exclusive, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + if ($setParameters.ContainsKey('Identity')) + { + $setParameters.Remove('Identity') | Out-Null + } + New-ManagementScope @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + if ($setParameters.ContainsKey('Exclusive')) + { + $setParameters.Remove('Exclusive') | Out-Null + } + Set-ManagementScope @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + ## should I just send identity to the remove cmdlet? 
+ Remove-ManagementScope -Identity $Identity + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.String] + $RecipientRestrictionFilter, + + [Parameter()] + [System.String] + $RecipientRoot, + + [Parameter()] + [System.Boolean] + $Exclusive, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + 
[OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + ##TODO - Replace workload + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + ##TODO - Replace Get-Cmdlet by the cmdlet to retrieve all instances + [array] $Script:exportedInstances = Get-ManagementScope -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + ##TODO - Specify the Primary Key + #PrimaryKey = $config.PrimaryKey + Identity = $config.Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = 
Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.schema.mof new file mode 100644 index 0000000000..9c6726ec14 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.schema.mof 
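Review bot: `Remove-ManagementScope -Identity $Identity` in the REMOVE branch of Set-TargetResource will stop on the destructive-cmdlet confirmation prompt when the LCM runs it non-interactively; pass `-Confirm:$false` as the other EXO resources do. The CREATE branch strips `Identity` and relies on `Name` being bound, so a configuration that only sets the key `Identity` (which the schema describes as the scope's name) calls `New-ManagementScope` with no name; add `if (-not $setParameters.ContainsKey('Name')) { $setParameters.Name = $Identity }` before the call. In Export-TargetResource, `$displayedKey = $config.Id` should read `$config.Identity`, the key the resource itself uses, since `Id` may not be present on the returned object. The `##TODO` scaffold comments and the `## should I just send identity to the remove cmdlet?` question should be resolved and removed before release.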
@@ -0,0 +1,16 @@
+[ClassVersion("1.0.0.0"), FriendlyName("EXOManagementScope")]
+class MSFT_EXOManagementScope : OMI_BaseResource
+{
+ [Key, Description("The Identity parameter specifies the name of the management scope to modify.")] String Identity;
+ [Write, Description("The Name parameter specifies the name of the management scope.")] String Name;
+ [Write, Description("The RecipientRestrictionFilter parameter uses OPATH filter syntax to specify the recipients that are included in the scope.")] String RecipientRestrictionFilter;
+ [Write, Description("The RecipientRoot parameter specifies the organizational unit (OU) under which the filter specified with the RecipientRestrictionFilter parameter should be applied.")] String RecipientRoot;
+ [Write, Description("The Exclusive switch specifies that the role should be an exclusive scope.")] Boolean Exclusive;
+ [Write, Description("")] String Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
\ No newline at end of file
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/readme.md
new file mode 100644
index 0000000000..2a43485a5b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/readme.md
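Review bot: `[Write, Description("")] String Ensure;` ships with an empty description and no value constraint, whereas the resource module only accepts Present/Absent and the other schemas in this series declare the map; write `[Write, Description("Present ensures the management scope exists, Absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;`. The `Exclusive` description talks about "the role" although the property makes the scope exclusive; `Specifies whether the management scope is an exclusive scope.` says what it does. The file also ends without a trailing newline, which the other schema files have.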
@@ -0,0 +1,6 @@ + +# EXOManagementScope + +## Description + +Use this resource to create ManagementScopes. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/settings.json new file mode 100644 index 0000000000..09c305555c --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/settings.json @@ -0,0 +1,33 @@ +{ + "resourceName": "EXOManagementScope", + "description": "Use this resource to create Management Scope.", + "roles": { + "read": [ + "Global Reader" + ], + "update": [ + "Exchange Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + }, + "exchange": { + "requiredroles": [ + "Hygiene Management", + "Compliance Management", + "Organization Management", + "View-Only Organization Management" + ], + "requiredrolegroups": "Organization Management" + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 new file mode 100644 index 0000000000..b516274848 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 @@ -0,0 +1,26 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/2-Update.ps1 new file mode 100644 index 0000000000..64528717e8 --- /dev/null 
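Review bot: The `node localhost` block in 1-Create.ps1 is empty, so the example demonstrates no EXOManagementScope instance and the declared ApplicationId, TenantId and CertificateThumbprint parameters are never used; fill it with a resource block like the one in 2-Update.ps1, wired to those parameters with `Ensure = "Present"`. As written the example compiles an empty configuration, which the example-based integration checks will not exercise.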
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/2-Update.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + EXOManagementScope "EXOManagementScope-Test New DGs" + { + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'NewTest*'"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/3-Remove.ps1 new file mode 100644 index 0000000000..3524dc103d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/3-Remove.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + EXOManagementScope "EXOManagementScope-Test New DGs" + { + Credential = $Credscredential; + Ensure = "Absent"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'NewTest*'"; + } + + } +} 
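Review bot: Both 2-Update.ps1 and 3-Remove.ps1 bind `Credential = $Credscredential;`, a variable the configuration never declares, while the declared ApplicationId, TenantId and CertificateThumbprint parameters go unused; replace that line with `ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint;` so the examples compile and follow the certificate-based pattern of the other examples in this series. The trailing semicolons on every property are legal but unusual for the examples in this module and can be dropped.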
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOManagementScope.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOManagementScope.Tests.ps1 new file mode 100644 index 0000000000..dde34a4529 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOManagementScope.Tests.ps1 
@@ -0,0 +1,210 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + ##TODO - Mock any Remove/Set/New cmdlets + Mock -CommandName New-ManagementScope -MockWith { + } + + Mock -CommandName Set-ManagementScope -MockWith { + } + + Mock -CommandName Remove-ManagementScope -MockWith { + } + + Mock -CommandName Get-ManagementScope -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + 
Identity = "Nik DGs"; + Name = "Nik DGs"; + RecipientRestrictionFilter = "Name -like 'Nik*'"; + } + + ##TODO - Mock the Get-Cmdlet to return $null + Mock -CommandName Get-ManagementScope -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-ManagementScope -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Credential = $Credscredential; + Ensure = "Absent"; + Exclusive = $False; + Identity = "Nik DGs"; + Name = "Nik DGs"; + RecipientRestrictionFilter = "Name -like 'Nik*'"; + } + + ##TODO - Mock the Get-Cmdlet to return an instance + Mock -CommandName Get-ManagementScope -MockWith { + return @{ + Exclusive = $False; + Identity = "Nik DGs"; + Name = "Nik DGs"; + RecipientFilter = "Name -like 'Nik*'"; + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-ManagementScope -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + Identity = "Nik DGs"; + Name = "Nik DGs"; + RecipientRestrictionFilter = "Name -like 'Nik*'"; + } + + ##TODO - Mock the Get-Cmdlet to return the desired values + Mock -CommandName Get-ManagementScope -MockWith { + return @{ + Exclusive = $False; + Identity = "Nik DGs"; + Name 
= "Nik DGs"; + RecipientFilter = "Name -like 'Nik*'"; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource -Verbose @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + Identity = "Nik DGs"; + Name = "Nik DGs"; + RecipientRestrictionFilter = "Name -like 'Nik*'"; + } + + ##TODO - Mock the Get-Cmdlet to return a drift + Mock -CommandName Get-ManagementScope -MockWith { + return @{ + Exclusive = $False; + Identity = "Nik DGs"; + Name = "Nik DGs Drift"; + RecipientFilter = "Name -like 'Nik*'"; + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-ManagementScope -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + ##TODO - Mock the Get-Cmdlet to return an instance + Mock -CommandName Get-ManagementScope -MockWith { + return @{ + Exclusive = $False; + Identity = "Nik DGs"; + Name = "Nik DGs"; + RecipientFilter = "Name -like 'Nik*'"; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index d8d8db6694..9278ceb5e8 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 
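Review bot: The four state contexts pass `Credential = $Credscredential;`, but `BeforeAll` only defines `$Credential` (built from a random-GUID password), so Get/Set/Test in those contexts run with a null Credential and never exercise the credential path; only the ReverseDSC context uses `$Credential`. Change each of the four `testParams` to `Credential = $Credential;` so the tests match the authentication they claim to cover. The `##TODO - Mock ...` scaffolding comments are leftover generator markers and should be removed now that the mocks exist. The drift context changes only `Name` while `Identity` stays the same; if the resource's Get-TargetResource (not in this diff) looks the scope up by Name, that case would read as Absent rather than drift, so it is worth confirming the Set-ManagementScope assertion really tests an update.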
@@ -1,4 +1,100 @@ # region ExchangeOnlineManagement +function Get-ManagementScope +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Boolean] + $Exclusive, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Orphan + ) +} + +function New-ManagementScope +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Exclusive, + + [Parameter()] + [System.Object] + $RecipientRoot, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $RecipientRestrictionFilter, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Force + ) +} + +function Set-ManagementScope +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $RecipientRoot, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $RecipientRestrictionFilter, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Force + ) +} + +function Remove-ManagementScope +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Force + ) +} + function Get-SweepRule { [CmdletBinding()] From 475ac5c8147ee5686e3bd90656cdd01dea61107b Mon Sep 17 00:00:00 2001 From: Piyush Dubey Date: Mon, 2 Sep 2024 17:11:14 +0530 Subject: [PATCH 12/47] added create example --- .../Resources/EXOManagementScope/1-Create.ps1 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 index b516274848..ba630d844a 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 @@ -18,9 +18,19 @@ Configuration Example [System.String] $CertificateThumbprint ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost { - + EXOManagementScope "EXOManagementScope-Test New DGs" + { + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'Test*'"; + } } } From c65e6972428a15fb3bc53ad009182412a5f3972d Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 3 Sep 2024 14:05:53 -0400 Subject: [PATCH 13/47] Update CHANGELOG.md --- CHANGELOG.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24b85d6bd6..d9956fd347 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -67,8 +67,6 @@ * M365DSCUtil * Fix `Compare-PSCustomObjectArrays` by allowing empty arrays as input FIXES [#4952](https://github.com/microsoft/Microsoft365DSC/issues/4952) -* O365OrgSettings - * FIXES [#4741](https://github.com/microsoft/Microsoft365DSC/issues/4741) * MISC * Improve module updates and PowerShell Core support across the DSC resources. From 05020f3364e51ed831ce8a0a0f4f77f82bfd4141 Mon Sep 17 00:00:00 2001 
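Review bot: The new EXOManagementScope block in 1-Create.ps1 sets `Credential = $Credscredential;`, a variable that is not declared in the configuration's `param(...)` block and not assigned in the file, so the example compiles with a null credential while the declared `$ApplicationId`, `$TenantId` and `$CertificateThumbprint` parameters stay unused. Replace that line with `ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint;` so the example actually authenticates with the parameters it declares. The added `Import-DscResource -ModuleName Microsoft365DSC` and `node localhost` lines are otherwise what the other examples in this patch use.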
From: Fabien Tschanz Date: Wed, 24 Jul 2024 23:41:47 +0200 Subject: [PATCH 14/47] Add Intune Device Control Policy --- CHANGELOG.md | 4 + ...FT_IntuneDeviceControlPolicyWindows10.psm1 | 1174 +++++++++++++++++ ...uneDeviceControlPolicyWindows10.schema.mof | 83 ++ .../readme.md | 6 + .../settings.json | 32 + .../1-Create.ps1 | 63 + .../2-Update.ps1 | 63 + .../3-Remove.ps1 | 34 + .../Modules/M365DSCDRGUtil.psm1 | 64 +- ...tuneDeviceControlPolicyWindows10.Tests.ps1 | 730 ++++++++++ 10 files changed, 2229 insertions(+), 24 deletions(-) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/MSFT_IntuneDeviceControlPolicyWindows10.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/MSFT_IntuneDeviceControlPolicyWindows10.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/3-Remove.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceControlPolicyWindows10.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 24b85d6bd6..4eb948450f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,10 +4,14 @@ * EXOSweepRule * Initial Release. +* IntuneDeviceControlPolicyWindows10 + * Initial Release * M365DSCDRGUtil * Fixes an issue where a Intune settings catalog DSC param was not handled correctly when it was not specified. FIXES [#5000](https://github.com/microsoft/Microsoft365DSC/issues/5000) + * Fixes an issue where the exported nested CIM instances had too many line breaks. + * Fixes an issue where Settings Catalog properties were not correctly handled. # 1.24.828.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/MSFT_IntuneDeviceControlPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/MSFT_IntuneDeviceControlPolicyWindows10.psm1 new file mode 100644 index 0000000000..e9a0626642 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/MSFT_IntuneDeviceControlPolicyWindows10.psm1 
@@ -0,0 +1,1174 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Allow_Deny_Layered, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_IDs_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Instance_IDs_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Classes_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Classes_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Unspecified_Deny, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Deny, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_IDs_Deny_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Deny_Retroactive, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Deny, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Deny_Retroactive, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Instance_IDs_Deny_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Classes_Deny, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Classes_Deny_List, + + [Parameter()] + 
[ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Classes_Deny_Retroactive, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Removable_Deny, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyRead_Access_2, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyRead_Access_1, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyWrite_Access_2, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyWrite_Access_1, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowFullScanRemovableDriveScanning, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowDirectMemoryAccess, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $DeviceEnumerationPolicy, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $RemovableDiskDenyWriteAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowUSBConnection, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $AllowBluetooth, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowAdvertising, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowDiscoverableMode, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPrepairing, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPromptedProximalConnections, + + [Parameter()] + [ValidateLength(0, 87516)] + [System.String[]] + $ServicesAllowedList, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRule, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowStorageCard, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + 
$Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Control Policy for Windows10 with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue | Where-Object ` + -FilterScript { + $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.DeviceManagementConfigurationPolicy" + } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Control Policy for Windows10 with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Device Control Policy for Windows10 with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + + #region resource generator code + $complexPolicyRule = @() + foreach ($currentPolicyRule in $policySettings.policyRule) + { + $complexEntry = @() + foreach ($currentEntry in $currentPolicyRule.entry) + { + $complexEntry += @{ + Type = $currentEntry.Type + Options = $currentEntry.Options + Sid = $currentEntry.Sid + AccessMask = $currentEntry.AccessMask + ComputerSid = $currentEntry.ComputerSid + } + } + $myPolicyRule = @{} + $myPolicyRule.Add('Entry', $complexEntry) + $myPolicyRule.Add('Name', $currentPolicyRule.name) + $myPolicyRule.Add('ExcludedIdList_GroupId', $currentPolicyRule.excludedIdList_GroupId) + $myPolicyRule.Add('IncludedIdList_GroupId', $currentPolicyRule.includedIdList_GroupId) + $complexPolicyRule += $myPolicyRule + } + $policySettings.Remove('PolicyRule') | Out-Null + #endregion + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + PolicyRule = $complexPolicyRule + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = 
@() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Allow_Deny_Layered, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_IDs_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Instance_IDs_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Classes_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Classes_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Unspecified_Deny, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Deny, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_IDs_Deny_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Deny_Retroactive, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Deny, + + [Parameter()] + 
[ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Deny_Retroactive, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Instance_IDs_Deny_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Classes_Deny, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Classes_Deny_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Classes_Deny_Retroactive, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Removable_Deny, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyRead_Access_2, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyRead_Access_1, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyWrite_Access_2, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyWrite_Access_1, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowFullScanRemovableDriveScanning, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowDirectMemoryAccess, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $DeviceEnumerationPolicy, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $RemovableDiskDenyWriteAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowUSBConnection, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $AllowBluetooth, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowAdvertising, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowDiscoverableMode, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPrepairing, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPromptedProximalConnections, + + [Parameter()] + [ValidateLength(0, 87516)] + [System.String[]] + $ServicesAllowedList, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRule, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowStorageCard, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = '0f2034c6-3cd6-4ee1-bd37-f3c0693e9548_1' + $platforms = 'windows10' + $technologies = 'mdm,microsoftSense' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Device Control Policy for Windows10 with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = 
@{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Device Control Policy for Windows10 with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Device Control Policy for Windows10 with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + 
[CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Allow_Deny_Layered, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_IDs_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Instance_IDs_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Classes_Allow, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Classes_Allow_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Unspecified_Deny, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Deny, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_IDs_Deny_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_IDs_Deny_Retroactive, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Deny, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Instance_IDs_Deny_Retroactive, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Instance_IDs_Deny_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Classes_Deny, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $DeviceInstall_Classes_Deny_List, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + 
$DeviceInstall_Classes_Deny_Retroactive, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DeviceInstall_Removable_Deny, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyRead_Access_2, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyRead_Access_1, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyWrite_Access_2, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WPDDevices_DenyWrite_Access_1, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowFullScanRemovableDriveScanning, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowDirectMemoryAccess, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $DeviceEnumerationPolicy, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $RemovableDiskDenyWriteAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowUSBConnection, + + [Parameter()] + [ValidateSet('0', '1', '2')] + [System.String] + $AllowBluetooth, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowAdvertising, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowDiscoverableMode, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPrepairing, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPromptedProximalConnections, + + [Parameter()] + [ValidateLength(0, 87516)] + [System.String[]] + $ServicesAllowedList, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $PolicyRule, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowStorageCard, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + 
$ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Device Control Policy for Windows10 with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + 
$ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "0f2034c6-3cd6-4ee1-bd37-f3c0693e9548_1" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.PolicyRule) + { + $complexMapping = @( + @{ + Name = 'PolicyRule' + CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogPolicyRule' + IsRequired = $False + } + @{ + Name = 'Entry' + CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry' + IsRequired = $False + } + ) + 
$complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.PolicyRule ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogPolicyRule' ` + -ComplexTypeMapping $complexMapping + + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.PolicyRule = $complexTypeStringResult + } + else + { + $Results.Remove('PolicyRule') | Out-Null + } + } + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.PolicyRule) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "PolicyRule" -IsCIMArray:$True + } + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/MSFT_IntuneDeviceControlPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/MSFT_IntuneDeviceControlPolicyWindows10.schema.mof
new file mode 100644
index 0000000000..25e4529e0d
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/MSFT_IntuneDeviceControlPolicyWindows10.schema.mof
@@ -0,0 +1,83 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule +{ + [Write, Description("Entry"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry")] String Entry[]; + [Write, Description("Name")] String Name; + [Write, Description("Excluded ID")] String ExcludedIdList_GroupId[]; + [Write, Description("Included ID")] String IncludedIdList_GroupId[]; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry +{ + [Write, Description("Type (allow: Allow, deny: Deny, auditallowed: 
AuditAllowed, auditdenied: AuditDenied)"), ValueMap{"allow", "deny", "auditallowed", "auditdenied"}, Values{"allow", "deny", "auditallowed", "auditdenied"}] String Type; + [Write, Description("Options (0: None, 1: ShowNotification, 2: SendEvent, 3: SendNotificationAndEvent, 4: Disable)"), ValueMap{"0", "1", "2", "3", "4"}, Values{"0", "1", "2", "3", "4"}] String Options; + [Write, Description("Sid")] String Sid; + [Write, Description("Access mask (1: WDD_READ_ACCESS, 2: WDD_WRITE_ACCESS, 4: WDD_EXECUTE_ACCESS, 8: WDD_FS_READ_ACCESS, 16: WDD_FS_WRITE_ACCESS, 32: WDD_FS_EXECUTE_ACCESS, 64: WDD_PRINT_ACCESS)"), ValueMap{"1", "2", "4", "8", "16", "32", "64"}, Values{"1", "2", "4", "8", "16", "32", "64"}] SInt32 AccessMask[]; + [Write, Description("Computer Sid")] String ComputerSid; +}; + + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceControlPolicyWindows10")] +class MSFT_IntuneDeviceControlPolicyWindows10 : OMI_BaseResource +{ + [Write, Description("Policy description")] String Description; + [Key, Description("Policy name")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("The unique identifier for an entity. 
Read-only.")] String Id; + [Write, Description("The list of policy rules to apply."), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule")] String PolicyRule[]; + [Write, Description("Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Allow_Deny_Layered; + [Write, Description("Allow installation of devices that match any of these device IDs (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_IDs_Allow; + [Write, Description("Allowed device IDs")] String DeviceInstall_IDs_Allow_List[]; + [Write, Description("Allow installation of devices that match any of these device instance IDs (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Instance_IDs_Allow; + [Write, Description("Allowed Instance IDs")] String DeviceInstall_Instance_IDs_Allow_List[]; + [Write, Description("Allow installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Allow; + [Write, Description("Allowed classes")] String DeviceInstall_Classes_Allow_List[]; + [Write, Description("Prevent installation of devices not described by other policy settings (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Unspecified_Deny; + [Write, Description("Prevent installation of devices that match any of these device IDs (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_IDs_Deny; + [Write, Description("Prevented device IDs")] String DeviceInstall_IDs_Deny_List[]; + [Write, Description("Also apply to matching devices that are already installed. 
(0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_IDs_Deny_Retroactive; + [Write, Description("Prevent installation of devices that match any of these device instance IDs (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Instance_IDs_Deny; + [Write, Description("Also apply to matching devices that are already installed. (Device) (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Instance_IDs_Deny_Retroactive; + [Write, Description("Prevented Instance IDs")] String DeviceInstall_Instance_IDs_Deny_List[]; + [Write, Description("Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Deny; + [Write, Description("Prevented Classes")] String DeviceInstall_Classes_Deny_List[]; + [Write, Description("Also apply to matching devices that are already installed. (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Deny_Retroactive; + [Write, Description("Prevent installation of removable devices (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Removable_Deny; + [Write, Description("WPD Devices: Deny read access (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WPDDevices_DenyRead_Access_2; + [Write, Description("WPD Devices: Deny read access (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WPDDevices_DenyRead_Access_1; + [Write, Description("WPD Devices: Deny write access (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WPDDevices_DenyWrite_Access_2; + [Write, Description("WPD Devices: Deny write access (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WPDDevices_DenyWrite_Access_1; + [Write, Description("Allow Full Scan Removable Drive Scanning (0: Not allowed. 
Turns off scanning on removable drives., 1: Allowed. Scans removable drives.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowFullScanRemovableDriveScanning; + [Write, Description("Allow Direct Memory Access (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowDirectMemoryAccess; + [Write, Description("Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String DeviceEnumerationPolicy; + [Write, Description("Removable Disk Deny Write Access (0: Disabled., 1: Enabled.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RemovableDiskDenyWriteAccess; + [Write, Description("Allow USB Connection (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowUSBConnection; + [Write, Description("Allow Bluetooth (0: Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on., 1: Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on., 2: Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String AllowBluetooth; + [Write, Description("Allow Advertising (0: Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral., 1: Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. 
Then, verify that the advertisement is received by the peripheral.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowAdvertising; + [Write, Description("Allow Discoverable Mode (0: Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device., 1: Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowDiscoverableMode; + [Write, Description("Allow Prepairing (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowPrepairing; + [Write, Description("Allow Prompted Proximal Connections (0: Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios, 1: Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowPromptedProximalConnections; + [Write, Description("Services Allowed List")] String ServicesAllowedList[]; + [Write, Description("Allow Storage Card (0: SD card use is not allowed and USB drives are disabled. 
This setting does not prevent programmatic access to the storage card., 1: Allow a storage card.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowStorageCard; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/readme.md new file mode 100644 index 0000000000..11a926f75b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/readme.md @@ -0,0 +1,6 @@ + +# IntuneDeviceControlPolicyWindows10 + +## Description + +Intune Device Control Policy for Windows10 
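Review bot: `Id` is declared `[Write]` while its description calls it "Read-only", and Test-TargetResource in the accompanying psm1 removes `Id` from the values it compares, so a reader of the schema cannot tell whether supplying it has any effect. State that in the description, e.g. `[Write, Description("The unique identifier for an entity. Read-only: populated on export and not compared by Test-TargetResource; DisplayName is the key.")] String Id;`. The `Sid` and `ComputerSid` members of MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry carry only their own name as description; a sentence saying which principal each SID is meant to identify would help whoever writes a rule by hand.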
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json
new file mode 100644
index 0000000000..750c8444e2
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceControlPolicyWindows10/settings.json
@@ -0,0 +1,32 @@
+{
+    "resourceName":"IntuneDeviceControlPolicyWindows10",
+    "description":"This resource configures an Intune Device Control Policy for Windows10.",
+    "permissions":{
+        "graph":{
+            "delegated":{
+                "read":[
+                    {
+                        "name":"DeviceManagementConfiguration.Read.All"
+                    }
+                ],
+                "update":[
+                    {
+                        "name":"DeviceManagementConfiguration.ReadWrite.All"
+                    }
+                ]
+            },
+            "application":{
+                "read":[
+                    {
+                        "name":"DeviceManagementConfiguration.Read.All"
+                    }
+                ],
+                "update":[
+                    {
+                        "name":"DeviceManagementConfiguration.ReadWrite.All"
+                    }
+                ]
+            }
+        }
+    }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/1-Create.ps1
new file mode 100644
index 0000000000..d087f36334
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/1-Create.ps1
@@ -0,0 +1,63 @@
+<#
+This example creates a new Device Control Policy.
+#>
+
+Configuration Example
+{
+    param(
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint
+    )
+    Import-DscResource -ModuleName Microsoft365DSC
+
+    node localhost
+    {
+        IntuneDeviceControlPolicyWindows10 'ConfigureDeviceControlPolicy'
+        {
+            AllowStorageCard = "1";
+            Assignments = @(
+                MSFT_DeviceManagementConfigurationPolicyAssignments{
+                    deviceAndAppManagementAssignmentFilterType = 'none'
+                    dataType = '#microsoft.graph.groupAssignmentTarget'
+                    groupId = '11111111-1111-1111-1111-111111111111'
+                }
+            );
+            Description = 'Description'
+            DisplayName = "Device Control";
+            DeviceInstall_IDs_Allow = "1";
+            DeviceInstall_IDs_Allow_List = @("1234");
+            PolicyRule = @(
+                MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule{
+                    Name = 'asdf'
+                    Entry = @(
+                        MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry{
+                            AccessMask = @(
+                                '1'
+                                '2'
+                            )
+                            Sid = '1234'
+                            ComputerSid = '1234'
+                            Type = 'allow'
+                            Options = '4'
+                        }
+                    )
+                }
+            );
+            Ensure = "Present";
+            Id = '00000000-0000-0000-0000-000000000000'
+            RoleScopeTagIds = @("0");
+            ApplicationId = $ApplicationId;
+            TenantId = $TenantId;
+            CertificateThumbprint = $CertificateThumbprint;
+        }
+    }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/2-Update.ps1
new file mode 100644
index 0000000000..5281d2a23e
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/2-Update.ps1
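Review bot: The create example sets `Id = '00000000-0000-0000-0000-000000000000'` although the schema describes `Id` as read-only and Test-TargetResource drops it from the compared values, so a reader copying this example will assume the value matters. Either remove the line or annotate it, e.g. `Id = '00000000-0000-0000-0000-000000000000' # informational only, the policy is matched on DisplayName`. The 2-Update example in the next hunk has the same line.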
@@ -0,0 +1,63 @@
+<#
+This example updates a Device Control Policy.
+#>
+
+Configuration Example
+{
+    param(
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint
+    )
+    Import-DscResource -ModuleName Microsoft365DSC
+
+    node localhost
+    {
+        IntuneDeviceControlPolicyWindows10 'ConfigureDeviceControlPolicy'
+        {
+            AllowStorageCard = "1";
+            Assignments = @(
+                MSFT_DeviceManagementConfigurationPolicyAssignments{
+                    deviceAndAppManagementAssignmentFilterType = 'none'
+                    dataType = '#microsoft.graph.groupAssignmentTarget'
+                    groupId = '11111111-1111-1111-1111-111111111111'
+                }
+            );
+            Description = 'Description'
+            DisplayName = "Device Control";
+            DeviceInstall_IDs_Allow = "1";
+            DeviceInstall_IDs_Allow_List = @("1234");
+            PolicyRule = @(
+                MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule{
+                    Name = 'asdf'
+                    Entry = @(
+                        MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry{
+                            AccessMask = @(
+                                '1'
+                                '2'
+                            )
+                            Sid = '1234'
+                            ComputerSid = '1234'
+                            Type = 'deny' # Updated property
+                            Options = '4'
+                        }
+                    )
+                }
+            );
+            Ensure = "Present";
+            Id = '00000000-0000-0000-0000-000000000000'
+            RoleScopeTagIds = @("0");
+            ApplicationId = $ApplicationId;
+            TenantId = $TenantId;
+            CertificateThumbprint = $CertificateThumbprint;
+        }
+    }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/3-Remove.ps1
new file mode 100644
index 0000000000..83cd3c3cbd
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceControlPolicyWindows10/3-Remove.ps1
@@ -0,0 +1,34 @@ +<# +This example removes a Device Control Policy. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceControlPolicyWindows10 'ConfigureDeviceControlPolicy' + { + Id = '00000000-0000-0000-0000-000000000000' + DisplayName = 'Device Control' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 4122bd19ea..6bf838c5d6 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -272,7 +272,7 @@ function Get-M365DSCDRGComplexTypeToString [Parameter()] [switch] - $isArray = $false + $IsArray ) if ($null -eq $ComplexObject) @@ -281,7 +281,7 @@ function Get-M365DSCDRGComplexTypeToString } $indent = '' - for ($i = 0; $i -lt $IndentLevel ; $i++) + for ($i = 0; $i -lt $IndentLevel; $i++) { $indent += ' ' } @@ -299,10 +299,10 @@ function Get-M365DSCDRGComplexTypeToString } if ($ComplexTypeMapping) { - $splat.add('ComplexTypeMapping', $ComplexTypeMapping) + $splat.Add('ComplexTypeMapping', $ComplexTypeMapping) } - $currentProperty += Get-M365DSCDRGComplexTypeToString -isArray:$true @splat + $currentProperty += Get-M365DSCDRGComplexTypeToString -IsArray @splat } # PowerShell returns all non-captured stream output, not just the argument of the return statement. @@ -312,7 +312,7 @@ function Get-M365DSCDRGComplexTypeToString } $currentProperty = '' - if ($isArray) + if ($IsArray) { $currentProperty += "`r`n" $currentProperty += $indent 
@@ -338,29 +338,29 @@ function Get-M365DSCDRGComplexTypeToString { $hashPropertyType = $ComplexObject[$key].GetType().Name.ToLower() - $isArray = $false + $IsArray = $false if ($ComplexObject[$key].GetType().FullName -like '*[[\]]') { - $isArray = $true + $IsArray = $true } #overwrite type if object defined in mapping complextypemapping if ($key -in $ComplexTypeMapping.Name) { $hashPropertyType = ([Array]($ComplexTypeMapping | Where-Object -FilterScript { $_.Name -eq $key }).CimInstanceName)[0] $hashProperty = $ComplexObject[$key] - $currentProperty += "`r`n" + #$currentProperty += "`r`n" } else { $hashProperty = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $ComplexObject[$key] } - if (-not $isArray) + if (-not $IsArray) { $currentProperty += $indent + $key + ' = ' } - if ($isArray -and $key -in $ComplexTypeMapping.Name) + if ($IsArray -and $key -in $ComplexTypeMapping.Name) { if ($ComplexObject.$key.Count -gt 0) { @@ -369,11 +369,12 @@ function Get-M365DSCDRGComplexTypeToString } } - if ($isArray) + if ($IsArray) { $IndentLevel++ - foreach ($item in $ComplexObject[$key]) + for ($i = 0; $i -lt $ComplexObject[$key].Count; $i++) { + $item = $ComplexObject.$key[$i] if ($ComplexObject.$key.GetType().FullName -like 'Microsoft.Graph.PowerShell.Models.*') { $item = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $item @@ -383,11 +384,17 @@ function Get-M365DSCDRGComplexTypeToString -CIMInstanceName $hashPropertyType ` -IndentLevel $IndentLevel ` -ComplexTypeMapping $ComplexTypeMapping ` - -IsArray:$true + -IsArray if ([string]::IsNullOrWhiteSpace($nestedPropertyString)) { $nestedPropertyString = "@()`r`n" } + if ($i -ne 0) + { + # Remove the line break at the start because every item contains a trailing line break + # which would lead to two line breaks between each item + $nestedPropertyString = $nestedPropertyString.Substring(2) + } $currentProperty += $nestedPropertyString } $IndentLevel-- 
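Review bot: `#$currentProperty += "`r`n"` in the mapped-key branch is commented-out code rather than a deletion, which leaves the next reader guessing whether the line break is still wanted. Delete the line, and if the change needs explaining replace it with a why-comment such as `# No leading line break here; the array item branch below strips and re-adds its own.` (hedged: that is what the Substring(2) logic in the later hunk appears to rely on). Get-M365DSCDRGComplexTypeToString starts and ends outside this hunk.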
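Review bot: `$nestedPropertyString.Substring(2)` assumes the nested string begins with the CRLF that the `-IsArray` path emits, but the fallback assigned two lines earlier, `"@()`r`n"`, begins with `@(`, so a non-first item whose nested call returned empty or whitespace (for instance a null element) is emitted as `)`r`n` and the generated DSC block is malformed. Guard on the actual prefix instead of the index alone, `if ($i -ne 0 -and $nestedPropertyString.StartsWith("`r`n"))`, so the fallback text passes through untouched. The enclosing function continues outside the hunk.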
@@ -405,7 +412,7 @@ function Get-M365DSCDRGComplexTypeToString } $currentProperty += $nestedPropertyString } - if ($isArray) + if ($IsArray) { if ($ComplexObject.$key.Count -gt 0) { @@ -414,7 +421,7 @@ function Get-M365DSCDRGComplexTypeToString $currentProperty += "`r`n" } } - $isArray = $PSBoundParameters.IsArray + $IsArray = $PSBoundParameters.IsArray } else { @@ -432,7 +439,7 @@ function Get-M365DSCDRGComplexTypeToString if ($mappedKey -and $mappedKey.isRequired) { - if ($mappedKey.isArray) + if ($mappedKey.IsArray) { $currentProperty += "$indent$key = @()`r`n" } @@ -451,7 +458,7 @@ function Get-M365DSCDRGComplexTypeToString } $currentProperty += "$indent}" - if ($isArray -or $IndentLevel -gt 4) + if ($IsArray -or $IndentLevel -gt 4) { $currentProperty += "`r`n" } @@ -1643,8 +1650,7 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue # GroupSettingCollections are a collection of settings without a value of their own { $_ -eq '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' -or $_ -eq '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' } { - $groupSettingCollectionValue = @{} - $groupSettingCollectionValueChildren = @() + $groupSettingCollectionValue = @() $groupSettingCollectionDefinitionChildren = @() $templates = $SettingTemplates | Where-Object { @@ -1686,6 +1692,7 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue for ($i = 0; $i -lt $instanceCount; $i++) { + $groupSettingCollectionValueChildren = @() $currentDSCParams = if ($instanceCount -eq 1) { if (-not [System.String]::IsNullOrEmpty($cimDSCParamsName)) { $DSCParams.$cimDSCParamsName 
@@ -1708,7 +1715,7 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue foreach ($childDefinition in $groupSettingCollectionDefinitionChildren) { $childSettingName = $childDefinition.Name - $childSettingType = $childDefinition.AdditionalProperties.'@odata.type'.Replace('Definition', 'Instance') + $childSettingType = $childDefinition.AdditionalProperties.'@odata.type'.Replace('Definition', 'Instance').Replace('SettingGroup', 'GroupSetting') $childSettingValueName = $childSettingType.Replace('#microsoft.graph.deviceManagementConfiguration', '').Replace('Instance', 'Value') $childSettingValueType = "#microsoft.graph.deviceManagementConfiguration$($childSettingValueName)" $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.length - 1 ) @@ -1740,10 +1747,15 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $groupSettingCollectionValueChildren += $childSettingValue } } + if ($groupSettingCollectionValueChildren.Count -gt 0) + { + $groupSettingCollectionValue += @{ + children = @($groupSettingCollectionValueChildren) + } + } } - if ($groupSettingCollectionDefinitionChildren.Count -gt 0) { - $groupSettingCollectionValue.Add('children', $groupSettingCollectionValueChildren) + if ($groupSettingCollectionDefinitionChildren.Count -gt 0 -and $groupSettingCollectionValue.Count -gt 0) { $settingValuesToReturn.Add('groupSettingCollectionValue', @($groupSettingCollectionValue)) } } 
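Review bot: An instance whose `$groupSettingCollectionValueChildren` stays empty is now silently dropped from `$groupSettingCollectionValue`, so a rule entry the user supplied that resolved no child settings vanishes from the policy with nothing in the output to show it. That is presumably intended to avoid sending an empty group, but a verbose trace on the skipped instance would make the mismatch between the DSC parameters and the setting definitions diagnosable, e.g. `else { Write-Verbose -Message "Skipping group setting collection instance $i: no child settings resolved" }`. With the new guard in place the first conjunct of `$groupSettingCollectionDefinitionChildren.Count -gt 0 -and $groupSettingCollectionValue.Count -gt 0` is implied by the second, since children are only collected inside the loop over the definition children; the condition can be reduced to the second test. Get-IntuneSettingCatalogPolicySettingInstanceValue starts and ends outside the hunk.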
@@ -1988,7 +2000,11 @@ function Get-IntuneSettingCatalogPolicySettingDSCValue # Parent was combined with child setting. Since there can be multiple settings with the same Name, we need to check the Id as well if ($SettingDefinition.Id -eq $childDefinition.Id) { - $global:excludedDscParams += $key + # Only exclude the combined setting if it is not part of a group setting collection (which could be of a separate CIM type) + if ($parentDefinition.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition') + { + $global:excludedDscParams += $key + } $matchCombined = $true } } @@ -2125,7 +2141,7 @@ function Export-IntuneSettingCatalogPolicySettings } elseif ($settingDefinition.AdditionalProperties.options.dependentOn.parentSettingId.Count -gt 0) { - $parentSetting = $SettingDefinitions | Where-Object -FilterScript { $_.Id -eq $($settingDefinition.AdditionalProperties.dependentOn.parentSettingId | Select-Object -Unique -First 1) } + $parentSetting = $SettingDefinitions | Where-Object -FilterScript { $_.Id -eq $($settingDefinition.AdditionalProperties.options.dependentOn.parentSettingId | Select-Object -Unique -First 1) } } $combinationMatches = $SettingDefinitions | Where-Object -FilterScript { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceControlPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceControlPolicyWindows10.Tests.ps1 new file mode 100644 index 0000000000..31712d60ea --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceControlPolicyWindows10.Tests.ps1 
@@ -0,0 +1,730 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneDeviceControlPolicyWindows10" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '0f2034c6-3cd6-4ee1-bd37-f3c0693e9548_1' + } + } + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName 
Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_bluetooth_servicesallowedlist' + Name = 'ServicesAllowedList' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_bluetooth_servicesallowedlist' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '47d9b9c4-e714-4a51-a099-33f548e4ea49' + } + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' + simpleSettingCollectionValue = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'abcd' + } + ) + } + ) + } + }, + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_connectivity_allowusbconnection' + Name = 'AllowUSBConnection' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @( + @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_connectivity_allowusbconnection' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'bc92aa99-0993-4c65-a005-d5e5e6701486' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = '1' + } + } + } + ) + }, + @{ + Id = '2' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + Name = 'Entry' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + childIds = @( + 
'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_id', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_options', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_accesmask', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_sid', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_computersid' + ) + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + } + ) + maximumCount = 100 + minimumCount = 1 + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_options' + Name = 'Options' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + # Only option used in the tests is defined here + @{ + name = 'Disable' + itemId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_options_4' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type_allow' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type' + }, + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type_deny' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + } + ) + } + ) + } + }, + @{ + Id = 
'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type' + Name = 'Type' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + # Only option used in the tests is defined here + @{ + name = 'Allow' + itemId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type_allow' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + } + ) + } + ) + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_excludedidlist_groupid' + Name = 'GroupId' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_excludedidlist' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_excludedidlist' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_name' + Name = 'Name' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}' + Name = 'ruleid' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + childIds = @( + 
'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + ) + maximumCount = 100 + minimumCount = 1 + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_excludedidlist' + Name = 'ExcludedIdList' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + childIds = @( + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_excludedidlist_groupid' + ) + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + } + ) + maximumCount = 100 + minimumCount = 1 + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_sid' + Name = 'Sid' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_id' + Name = 'Id' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_includedidlist' + Name = 'IncludedIdList' + AdditionalProperties = @{ 
+ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + Name = 'PolicyRule' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + childIds = @( + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_id', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_name', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_includedidlist', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_excludedidlist', + 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + ) + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}' + } + ) + maximumCount = 1 + minimumCount = 1 + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_includedidlist_groupid' + Name = 'GroupId' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_includedidlist' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_includedidlist' + } + ) + } + }, + @{ + Id = 
'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_accesmask' + Name = 'AccessMask' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingCollectionDefinition' + maximumCount = 100 + minimumCount = 0 + options = @( + @{ + name = 'WDD_READ_ACCESS' + itemId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_accesmask_1' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + } + ) + }, + @{ + name = 'WDD_WRITE_ACCESS' + itemId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_accesmask_2' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + } + ) + } + # No more options for clarity + ) + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_id' + Name = 'Id' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_computersid' + Name = 'ComputerSid' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 
'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + parentSettingId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a5c5409c-886a-4909-81c7-28156aee9419' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_id' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = '{4fc8d684-1ff9-4525-a67e-9c8525f9fcd7}' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_name' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'asdf' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 
'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type' + choiceSettingValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_options' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_options_4' + } + } + ) + value = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_type_allow' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingCollectionInstance' + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_accesmask' + choiceSettingCollectionValue = @( + @{ + children = @() + value = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_accesmask_1' + }, + @{ + children = @() + value = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_accesmask_2' + } + ) + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_sid' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = '1234' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_computersid' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = '1234' + } + }, + @{ + '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata_entry_id' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = '{51b6ad7f-7b07-493c-94c9-907a1842abd3}' + } + } + ) + } + ) + + } + ) + } + ) + settingDefinitionId = 'device_vendor_msft_defender_configuration_devicecontrol_policyrules_{ruleid}_ruledata' + settingInstanceTemplateReference = @{ + settingInstanceTemplateId = '46c91d1a-89d2-4f6a-93f8-7a1dc4184024' + } + } + ) + } + ) + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + } + # Test contexts + Context -Name "The IntuneDeviceControlPolicyWindows10 should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My 
Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + AllowUSBConnection = "1" + PolicyRule = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule -Property @{ + Entry = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry -Property @{ + AccessMask = @("1", "2") + Sid = "1234" + ComputerSid = "1234" + Type = "allow" + Options = "4" + } -ClientOnly) + ) + Name = "asdf" + } -ClientOnly) + ) + ServicesAllowedList = @("abcd") + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneDeviceControlPolicyWindows10 exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + AllowUSBConnection = "1" + PolicyRule = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule -Property @{ + Entry = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry -Property @{ + AccessMask = @("1", "2") + Sid = "1234" 
+ ComputerSid = "1234" + Type = "allow" + Options = "4" + } -ClientOnly) + ) + Name = "asdf" + } -ClientOnly) + ) + ServicesAllowedList = @("abcd") + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Absent" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneDeviceControlPolicyWindows10 Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + AllowUSBConnection = "1" + PolicyRule = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule -Property @{ + Entry = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry -Property @{ + AccessMask = @("1", "2") + Sid = "1234" + ComputerSid = "1234" + Type = "allow" + Options = "4" + } -ClientOnly) + ) + Name = "asdf" + } -ClientOnly) + ) + ServicesAllowedList = @("abcd") + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneDeviceControlPolicyWindows10 exists and values are NOT in the 
desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + AllowUSBConnection = "1" + PolicyRule = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule -Property @{ + Entry = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry -Property @{ + AccessMask = @("1", "2") + Sid = "1234" + ComputerSid = "1234" + Type = "deny" # Updated property + Options = "4" + } -ClientOnly) + ) + Name = "asdf" + } -ClientOnly) + ) + ServicesAllowedList = @("abcd") + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From d11579cb4e75fcc0e0d935034ad8e8c872990b45 Mon Sep 17 00:00:00 2001 
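Review bot: In the Get-MgBetaDeviceManagementConfigurationPolicySetting fixture, the `Options` definition's `Disable` option lists a second dependency that pairs `dependentOn = '…_ruledata_entry_type_deny'` with `parentSettingId = '…_ruledata_entry'`, while the `allow` sibling points at `…_ruledata_entry_type`; this looks like a fixture typo, and because the only context that sets `Type = "deny"` asserts a Test-TargetResource mismatch rather than an exact parsed value, it would pass either way — confirm which parent id is intended. The "already in the desired state" context expects `$true` although the fixture carries `_ruledata_id` and `_entry_id` values that the test parameters never supply, so a short comment above that `$testParams` stating that rule and entry Ids are deliberately excluded from the comparison would make the expectation explicit. `$Global:CurrentModeIsExport = $true` set in the ReverseDSC context is not reset in an AfterAll; presumably the cleanup script takes care of it.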
From: Nik Charlebois Date: Wed, 4 Sep 2024 13:27:00 -0400 Subject: [PATCH 15/47] FabricAdminTenantSettings - Initial Release. --- CHANGELOG.md | 4 + .../MSFT_FabricAdminTenantSettings.psm1 | 2135 +++++++++++++++++ .../MSFT_FabricAdminTenantSettings.schema.mof | 172 ++ .../MSFT_FabricAdminTenantSettings/readme.md | 6 + .../settings.json | 20 + .../Dependencies/Manifest.psd1 | 2 +- .../4-MonitorOnly.ps1 | 45 + Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 1 + .../Modules/M365DSCReverse.psm1 | 2 +- .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 4 +- .../WorkloadHelpers/M365DSCFabricHelper.psm1 | 26 + ...365DSC.FabricAdminTenantSettings.Tests.ps1 | 220 ++ 12 files changed, 2633 insertions(+), 4 deletions(-) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/FabricAdminTenantSettings/4-MonitorOnly.ps1 create mode 100644 Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCFabricHelper.psm1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.FabricAdminTenantSettings.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index d9956fd347..6d2f2acbd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,10 +4,14 @@ * EXOSweepRule * Initial Release. +* FabricAdminTenantSettings + * Initial Release. * M365DSCDRGUtil * Fixes an issue where a Intune settings catalog DSC param was not handled correctly when it was not specified. FIXES [#5000](https://github.com/microsoft/Microsoft365DSC/issues/5000) +* DEPENDENCIES + * Updated MSCloudLoginAssistant to version 1.1.20. # 1.24.828.1 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.psm1
new file mode 100644
index 0000000000..482c9524c7
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.psm1
@@ -0,0 +1,2135 @@
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ [Parameter(Mandatory = $true)]
+ [ValidateSet('Yes')]
+ [System.String]
+ $IsSingleInstance,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AADSSOForGateway,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AdminApisIncludeDetailedMetadata,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AdminApisIncludeExpressions,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AdminCustomDisclaimer,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AISkillArtifactTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowAccessOverPrivateLinks,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowCVAuthenticationTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowCVLocalStorageV2Tenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowCVToExportDataToFileTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowEndorsementMasterDataSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowExternalDataSharingReceiverSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowExternalDataSharingSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowFreeTrial,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowGuestLookup,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowGuestUserToAccessSharedContent,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowPowerBIASDQOnTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowSendAOAIDataToOtherRegions,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowSendNLToDaxDataToOtherRegions,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowServicePrincipalsCreateAndUseProfiles,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AllowServicePrincipalsUseReadAdminAPIs,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AppPush,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ArtifactSearchTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ASCollectQueryTextTelemetryTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ASShareableCloudConnectionBindingSecurityModeTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ASWritethruContinuousExportTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ASWritethruTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AutoInstallPowerBIAppInTeamsTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AutomatedInsightsEntryPoints,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AutomatedInsightsTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $AzureMap,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $BingMap,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $BlockAccessFromPublicNetworks,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $BlockAutoDiscoverAndPackageRefresh,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $BlockProtectedLabelSharingToEntireOrg,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $BlockResourceKeyAuthentication,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $CDSAManagement,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $CertifiedCustomVisualsTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $CertifyDatasets,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ConfigureFolderRetentionPeriod,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $CreateAppWorkspaces,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $CustomVisualsTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DatamartTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DatasetExecuteQueries,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DevelopServiceApps,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DiscoverDatasetsConsumption,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DiscoverDatasetsSettingsCertified,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DiscoverDatasetsSettingsPromoted,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DremioSSO,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EimInformationProtectionDataSourceInheritanceSetting,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EimInformationProtectionDownstreamInheritanceSetting,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EimInformationProtectionEdit,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EimInformationProtectionLessElevated,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ElevatedGuestsTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EmailSecurityGroupsOnOutage,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EmailSubscriptionsToB2BUsers,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EmailSubscriptionsToExternalUsers,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EmailSubscriptionTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $Embedding,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EnableAOAI,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EnableDatasetInPlaceSharing,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EnableExcelYellowIntegration,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EnableFabricAirflow,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EnableNLToDax,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EnableReassignDataDomainSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $EsriVisual,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExpFlightingTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportReport,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportToCsv,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportToExcelSetting,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportToImage,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportToMHTML,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportToPowerPoint,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportToWord,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportToXML,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExportVisualImageTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExternalDatasetSharingTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ExternalSharingV2,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $FabricAddPartnerWorkload,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $FabricFeedbackTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $FabricGAWorkloads,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $FabricThirdPartyWorkloads,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $GitHubTenantSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $GitIntegrationCrossGeoTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $GitIntegrationSensitivityLabelsTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $GitIntegrationTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $GoogleBigQuerySSO,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $GraphQLTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $HealthcareSolutionsTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $InstallNonvalidatedTemplateApps,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $InstallServiceApps,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $KustoDashboardTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $LiveConnection,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $LogAnalyticsAttachForWorkspaceAdmins,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $M365DataSharing,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $Mirroring,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ODSPRefreshEnforcementTenantAllowAutomaticUpdate,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $OneDriveSharePointAllowSharingTenantSetting,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $OneDriveSharePointViewerIntegrationTenantSettingV2,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $OneLakeFileExplorer,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $OneLakeForThirdParty,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $OnPremAnalyzeInExcel,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $PowerBIGoalsTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $PowerPlatformSolutionsIntegrationTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $Printing,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $PromoteContent,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $PublishContentPack,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $PublishToWeb,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $QnaFeedbackLoop,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $QnaLsdlSharing,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $QueryScaleOutTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $RedshiftSSO,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $RestrictMyFolderCapacity,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $RetailSolutionsTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $RScriptVisual,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ServicePrincipalAccess,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ShareLinkToEntireOrg,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $ShareToTeamsTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $SnowflakeSSO,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $StorytellingTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $SustainabilitySolutionsTenantSwitch,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $TemplatePublish,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $TenantSettingPublishGetHelpInfo,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $TridentPrivatePreview,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UsageMetrics,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UsageMetricsTrackUserLevelInfo,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UseDatasetsAcrossWorkspaces,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $VisualizeListInPowerBI,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $WebContentTilesTenant,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $WebModelingTenantSwitch,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ New-M365DSCConnection -Workload 'Fabric' `
+ -InboundParameters $PSBoundParameters | Out-Null
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $nullResult = $PSBoundParameters
+ try
+ {
+ if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
+ {
+ $instance = $Script:exportedInstances
+ }
+ else
+ {
+ $uri = $global:MsCloudLoginConnectionProfile.Fabric.HostUrl + "/v1/admin/tenantsettings"
+ $instance = Invoke-M365DSCFabricWebRequest -Uri $uri -Method 'GET'
+ }
+ if ($null -eq $instance)
+ {
+ return $nullResult
+ }
+
+ $results = @{
+ IsSingleInstance = 'Yes'
+ AADSSOForGateway = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AADSSOForGateway'})
+ AdminApisIncludeDetailedMetadata = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AdminApisIncludeDetailedMetadata'})
+ AdminApisIncludeExpressions = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AdminApisIncludeExpressions'})
+ AdminCustomDisclaimer = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AdminCustomDisclaimer'})
+ AISkillArtifactTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AISkillArtifactTenantSwitch'})
+ AllowAccessOverPrivateLinks = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowAccessOverPrivateLinks'})
+ AllowCVAuthenticationTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowCVAuthenticationTenant'})
+ AllowCVLocalStorageV2Tenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowCVLocalStorageV2Tenant'})
+ AllowCVToExportDataToFileTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowCVToExportDataToFileTenant'})
+ AllowEndorsementMasterDataSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowEndorsementMasterDataSwitch'})
+ AllowExternalDataSharingReceiverSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowExternalDataSharingReceiverSwitch'})
+ AllowExternalDataSharingSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowExternalDataSharingSwitch'})
+ AllowFreeTrial = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowFreeTrial'})
+ AllowGuestLookup = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowGuestLookup'})
+ AllowGuestUserToAccessSharedContent = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowGuestUserToAccessSharedContent'})
+ AllowPowerBIASDQOnTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowPowerBIASDQOnTenant'})
+ AllowSendAOAIDataToOtherRegions = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowSendAOAIDataToOtherRegions'})
+ AllowSendNLToDaxDataToOtherRegions = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowSendNLToDaxDataToOtherRegions'})
+ AllowServicePrincipalsCreateAndUseProfiles = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowServicePrincipalsCreateAndUseProfiles'})
+ AllowServicePrincipalsUseReadAdminAPIs = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AllowServicePrincipalsUseReadAdminAPIs'})
+ AppPush = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AppPush'})
+ ArtifactSearchTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ArtifactSearchTenant'})
+ ASCollectQueryTextTelemetryTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ASCollectQueryTextTelemetryTenantSwitch'})
+ ASShareableCloudConnectionBindingSecurityModeTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ASShareableCloudConnectionBindingSecurityModeTenant'})
+ ASWritethruContinuousExportTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ASWritethruContinuousExportTenantSwitch'})
+ ASWritethruTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ASWritethruTenantSwitch'})
+ AutoInstallPowerBIAppInTeamsTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AutoInstallPowerBIAppInTeamsTenant'})
+ AutomatedInsightsEntryPoints = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AutomatedInsightsEntryPoints'})
+ AutomatedInsightsTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AutomatedInsightsTenant'})
+ AzureMap = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'AzureMap'})
+ BingMap = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'BingMap'})
+ BlockAccessFromPublicNetworks = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'BlockAccessFromPublicNetworks'})
+ BlockAutoDiscoverAndPackageRefresh = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'BlockAutoDiscoverAndPackageRefresh'})
+ BlockProtectedLabelSharingToEntireOrg = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'BlockProtectedLabelSharingToEntireOrg'})
+ BlockResourceKeyAuthentication = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'BlockResourceKeyAuthentication'})
+ CDSAManagement = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'CDSAManagement'})
+ CertifiedCustomVisualsTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'CertifiedCustomVisualsTenant'})
+ CertifyDatasets = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'CertifyDatasets'})
+ ConfigureFolderRetentionPeriod = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ConfigureFolderRetentionPeriod'})
+ CreateAppWorkspaces = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'CreateAppWorkspaces'})
+ CustomVisualsTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'CustomVisualsTenant'})
+ DatamartTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'DatamartTenant'})
+ DatasetExecuteQueries = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'DatasetExecuteQueries'})
+ DevelopServiceApps = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'DevelopServiceApps'})
+ DiscoverDatasetsConsumption = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'DiscoverDatasetsConsumption'})
+ DiscoverDatasetsSettingsCertified = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'DiscoverDatasetsSettingsCertified'})
+ DiscoverDatasetsSettingsPromoted = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'DiscoverDatasetsSettingsPromoted'})
+ DremioSSO = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'DremioSSO'})
+ EimInformationProtectionDataSourceInheritanceSetting = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EimInformationProtectionDataSourceInheritanceSetting'})
+ EimInformationProtectionDownstreamInheritanceSetting = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EimInformationProtectionDownstreamInheritanceSetting'})
+ EimInformationProtectionEdit = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EimInformationProtectionEdit'})
+ EimInformationProtectionLessElevated = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EimInformationProtectionLessElevated'})
+ EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting'})
+ ElevatedGuestsTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ElevatedGuestsTenant'})
+ EmailSecurityGroupsOnOutage = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EmailSecurityGroupsOnOutage'})
+ EmailSubscriptionsToB2BUsers = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EmailSubscriptionsToB2BUsers'})
+ EmailSubscriptionsToExternalUsers = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EmailSubscriptionsToExternalUsers'})
+ EmailSubscriptionTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EmailSubscriptionTenant'})
+ Embedding = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'Embedding'})
+ EnableAOAI = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EnableAOAI'})
+ EnableDatasetInPlaceSharing = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EnableDatasetInPlaceSharing'})
+ EnableExcelYellowIntegration = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EnableExcelYellowIntegration'})
+ EnableFabricAirflow = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EnableFabricAirflow'})
+ EnableNLToDax = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EnableNLToDax'})
+ EnableReassignDataDomainSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EnableReassignDataDomainSwitch'})
+ EsriVisual = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'EsriVisual'})
+ ExpFlightingTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExpFlightingTenant'})
+ ExportReport = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportReport'})
+ ExportToCsv = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportToCsv'})
+ ExportToExcelSetting = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportToExcelSetting'})
+ ExportToImage = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportToImage'})
+ ExportToMHTML = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportToMHTML'})
+ ExportToPowerPoint = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportToPowerPoint'})
+ ExportToWord = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportToWord'})
+ ExportToXML = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportToXML'})
+ ExportVisualImageTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExportVisualImageTenant'})
+ ExternalDatasetSharingTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExternalDatasetSharingTenant'})
+ ExternalSharingV2 = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ExternalSharingV2'})
+ FabricAddPartnerWorkload = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'FabricAddPartnerWorkload'})
+ FabricFeedbackTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'FabricFeedbackTenantSwitch'})
+ FabricGAWorkloads = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'FabricGAWorkloads'})
+ FabricThirdPartyWorkloads = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'FabricThirdPartyWorkloads'})
+ GitHubTenantSettings = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'GitHubTenantSettings'})
+ GitIntegrationCrossGeoTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'GitIntegrationCrossGeoTenantSwitch'})
+ GitIntegrationSensitivityLabelsTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'GitIntegrationSensitivityLabelsTenantSwitch'})
+ GitIntegrationTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'GitIntegrationTenantSwitch'})
+ GoogleBigQuerySSO = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'GoogleBigQuerySSO'})
+ GraphQLTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'GraphQLTenant'})
+ HealthcareSolutionsTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'HealthcareSolutionsTenantSwitch'})
+ InstallNonvalidatedTemplateApps = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'InstallNonvalidatedTemplateApps'})
+ InstallServiceApps = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'InstallServiceApps'})
+ KustoDashboardTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'KustoDashboardTenantSwitch'})
+ LiveConnection = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'LiveConnection'})
+ LogAnalyticsAttachForWorkspaceAdmins = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'LogAnalyticsAttachForWorkspaceAdmins'})
+ M365DataSharing = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'M365DataSharing'})
+ Mirroring = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'Mirroring'})
+ ODSPRefreshEnforcementTenantAllowAutomaticUpdate = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ODSPRefreshEnforcementTenantAllowAutomaticUpdate'})
+ OneDriveSharePointAllowSharingTenantSetting = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'OneDriveSharePointAllowSharingTenantSetting'})
+ OneDriveSharePointViewerIntegrationTenantSettingV2 = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'OneDriveSharePointViewerIntegrationTenantSettingV2'})
+ OneLakeFileExplorer = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'OneLakeFileExplorer'})
+ OneLakeForThirdParty = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'OneLakeForThirdParty'})
+ OnPremAnalyzeInExcel = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'OnPremAnalyzeInExcel'})
+ PowerBIGoalsTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'PowerBIGoalsTenant'})
+ PowerPlatformSolutionsIntegrationTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'PowerPlatformSolutionsIntegrationTenant'})
+ Printing = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'Printing'})
+ PromoteContent = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'PromoteContent'})
+ PublishContentPack = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'PublishContentPack'})
+ PublishToWeb = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'PublishToWeb'})
+ QnaFeedbackLoop = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'QnaFeedbackLoop'})
+ QnaLsdlSharing = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'QnaLsdlSharing'})
+ QueryScaleOutTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'QueryScaleOutTenant'})
+ RedshiftSSO = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'RedshiftSSO'})
+ RestrictMyFolderCapacity = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'RestrictMyFolderCapacity'})
+ RetailSolutionsTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'RetailSolutionsTenantSwitch'})
+ RScriptVisual = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'RScriptVisual'})
+ ServicePrincipalAccess = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ServicePrincipalAccess'})
+ ShareLinkToEntireOrg = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ShareLinkToEntireOrg'})
+ ShareToTeamsTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'ShareToTeamsTenant'})
+ SnowflakeSSO = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'SnowflakeSSO'})
+ StorytellingTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'StorytellingTenant'})
+ SustainabilitySolutionsTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'SustainabilitySolutionsTenantSwitch'})
+ TemplatePublish = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'TemplatePublish'})
+ TenantSettingPublishGetHelpInfo = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'TenantSettingPublishGetHelpInfo'})
+ TridentPrivatePreview = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'TridentPrivatePreview'})
+ UsageMetrics = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'UsageMetrics'})
+ UsageMetricsTrackUserLevelInfo = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'UsageMetricsTrackUserLevelInfo'})
+ UseDatasetsAcrossWorkspaces = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'UseDatasetsAcrossWorkspaces'})
+ VisualizeListInPowerBI = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'VisualizeListInPowerBI'})
+ WebContentTilesTenant = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName
-eq 'WebContentTilesTenant'}) + WebModelingTenantSwitch = Get-M365DSCFabricTenantSettingObject -Setting ($instance.tenantSettings | Where-Object -FilterScript {$_.settingName -eq 'WebModelingTenantSwitch'}) + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AADSSOForGateway, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AdminApisIncludeDetailedMetadata, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AdminApisIncludeExpressions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AdminCustomDisclaimer, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AISkillArtifactTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowAccessOverPrivateLinks, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowCVAuthenticationTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowCVLocalStorageV2Tenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowCVToExportDataToFileTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowEndorsementMasterDataSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowExternalDataSharingReceiverSwitch, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $AllowExternalDataSharingSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowFreeTrial, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowGuestLookup, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowGuestUserToAccessSharedContent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowPowerBIASDQOnTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowSendAOAIDataToOtherRegions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowSendNLToDaxDataToOtherRegions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowServicePrincipalsCreateAndUseProfiles, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowServicePrincipalsUseReadAdminAPIs, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AppPush, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ArtifactSearchTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ASCollectQueryTextTelemetryTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ASShareableCloudConnectionBindingSecurityModeTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ASWritethruContinuousExportTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ASWritethruTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutoInstallPowerBIAppInTeamsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutomatedInsightsEntryPoints, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutomatedInsightsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AzureMap, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $BingMap, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $BlockAccessFromPublicNetworks, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $BlockAutoDiscoverAndPackageRefresh, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $BlockProtectedLabelSharingToEntireOrg, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $BlockResourceKeyAuthentication, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CDSAManagement, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CertifiedCustomVisualsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CertifyDatasets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ConfigureFolderRetentionPeriod, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CreateAppWorkspaces, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CustomVisualsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DatamartTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DatasetExecuteQueries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DevelopServiceApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DiscoverDatasetsConsumption, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DiscoverDatasetsSettingsCertified, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DiscoverDatasetsSettingsPromoted, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DremioSSO, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionDataSourceInheritanceSetting, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionDownstreamInheritanceSetting, 
+ + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionEdit, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionLessElevated, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ElevatedGuestsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EmailSecurityGroupsOnOutage, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EmailSubscriptionsToB2BUsers, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EmailSubscriptionsToExternalUsers, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EmailSubscriptionTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $Embedding, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableAOAI, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableDatasetInPlaceSharing, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableExcelYellowIntegration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableFabricAirflow, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableNLToDax, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableReassignDataDomainSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EsriVisual, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExpFlightingTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportReport, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToCsv, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToExcelSetting, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $ExportToImage, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToMHTML, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToPowerPoint, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToWord, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToXML, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportVisualImageTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExternalDatasetSharingTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExternalSharingV2, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $FabricAddPartnerWorkload, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $FabricFeedbackTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $FabricGAWorkloads, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $FabricThirdPartyWorkloads, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GitHubTenantSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GitIntegrationCrossGeoTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GitIntegrationSensitivityLabelsTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GitIntegrationTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GoogleBigQuerySSO, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GraphQLTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $HealthcareSolutionsTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $InstallNonvalidatedTemplateApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + 
$InstallServiceApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $KustoDashboardTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $LiveConnection, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $LogAnalyticsAttachForWorkspaceAdmins, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $M365DataSharing, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $Mirroring, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ODSPRefreshEnforcementTenantAllowAutomaticUpdate, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OneDriveSharePointAllowSharingTenantSetting, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OneDriveSharePointViewerIntegrationTenantSettingV2, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OneLakeFileExplorer, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OneLakeForThirdParty, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OnPremAnalyzeInExcel, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PowerBIGoalsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PowerPlatformSolutionsIntegrationTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $Printing, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PromoteContent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PublishContentPack, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PublishToWeb, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QnaFeedbackLoop, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QnaLsdlSharing, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QueryScaleOutTenant, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $RedshiftSSO, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $RestrictMyFolderCapacity, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $RetailSolutionsTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $RScriptVisual, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ServicePrincipalAccess, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ShareLinkToEntireOrg, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ShareToTeamsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $SnowflakeSSO, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $StorytellingTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $SustainabilitySolutionsTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $TemplatePublish, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $TenantSettingPublishGetHelpInfo, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $TridentPrivatePreview, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UsageMetrics, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UsageMetricsTrackUserLevelInfo, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UseDatasetsAcrossWorkspaces, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $VisualizeListInPowerBI, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $WebContentTilesTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $WebModelingTenantSwitch, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $TenantId, + + 
[Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Warning -Message "This resource is read-only and does not support changing the settings. It is used for monitoring purposes only." +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AADSSOForGateway, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AdminApisIncludeDetailedMetadata, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AdminApisIncludeExpressions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AdminCustomDisclaimer, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AISkillArtifactTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowAccessOverPrivateLinks, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowCVAuthenticationTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowCVLocalStorageV2Tenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowCVToExportDataToFileTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowEndorsementMasterDataSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowExternalDataSharingReceiverSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowExternalDataSharingSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowFreeTrial, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowGuestLookup, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowGuestUserToAccessSharedContent, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $AllowPowerBIASDQOnTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowSendAOAIDataToOtherRegions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowSendNLToDaxDataToOtherRegions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowServicePrincipalsCreateAndUseProfiles, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AllowServicePrincipalsUseReadAdminAPIs, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AppPush, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ArtifactSearchTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ASCollectQueryTextTelemetryTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ASShareableCloudConnectionBindingSecurityModeTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ASWritethruContinuousExportTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ASWritethruTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutoInstallPowerBIAppInTeamsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutomatedInsightsEntryPoints, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutomatedInsightsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AzureMap, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $BingMap, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $BlockAccessFromPublicNetworks, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $BlockAutoDiscoverAndPackageRefresh, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $BlockProtectedLabelSharingToEntireOrg, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $BlockResourceKeyAuthentication, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CDSAManagement, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CertifiedCustomVisualsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CertifyDatasets, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ConfigureFolderRetentionPeriod, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CreateAppWorkspaces, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $CustomVisualsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DatamartTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DatasetExecuteQueries, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DevelopServiceApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DiscoverDatasetsConsumption, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DiscoverDatasetsSettingsCertified, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DiscoverDatasetsSettingsPromoted, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DremioSSO, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionDataSourceInheritanceSetting, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionDownstreamInheritanceSetting, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionEdit, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionLessElevated, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $ElevatedGuestsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EmailSecurityGroupsOnOutage, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EmailSubscriptionsToB2BUsers, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EmailSubscriptionsToExternalUsers, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EmailSubscriptionTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $Embedding, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableAOAI, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableDatasetInPlaceSharing, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableExcelYellowIntegration, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableFabricAirflow, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableNLToDax, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EnableReassignDataDomainSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $EsriVisual, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExpFlightingTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportReport, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToCsv, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToExcelSetting, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToImage, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToMHTML, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToPowerPoint, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportToWord, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $ExportToXML, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExportVisualImageTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExternalDatasetSharingTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExternalSharingV2, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $FabricAddPartnerWorkload, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $FabricFeedbackTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $FabricGAWorkloads, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $FabricThirdPartyWorkloads, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GitHubTenantSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GitIntegrationCrossGeoTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GitIntegrationSensitivityLabelsTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GitIntegrationTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GoogleBigQuerySSO, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $GraphQLTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $HealthcareSolutionsTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $InstallNonvalidatedTemplateApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $InstallServiceApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $KustoDashboardTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $LiveConnection, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $LogAnalyticsAttachForWorkspaceAdmins, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $M365DataSharing, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $Mirroring, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ODSPRefreshEnforcementTenantAllowAutomaticUpdate, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OneDriveSharePointAllowSharingTenantSetting, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OneDriveSharePointViewerIntegrationTenantSettingV2, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OneLakeFileExplorer, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OneLakeForThirdParty, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OnPremAnalyzeInExcel, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PowerBIGoalsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PowerPlatformSolutionsIntegrationTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $Printing, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PromoteContent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PublishContentPack, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $PublishToWeb, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QnaFeedbackLoop, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QnaLsdlSharing, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $QueryScaleOutTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $RedshiftSSO, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $RestrictMyFolderCapacity, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $RetailSolutionsTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + 
$RScriptVisual, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ServicePrincipalAccess, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ShareLinkToEntireOrg, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ShareToTeamsTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $SnowflakeSSO, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $StorytellingTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $SustainabilitySolutionsTenantSwitch, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $TemplatePublish, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $TenantSettingPublishGetHelpInfo, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $TridentPrivatePreview, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UsageMetrics, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UsageMetricsTrackUserLevelInfo, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UseDatasetsAcrossWorkspaces, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $VisualizeListInPowerBI, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $WebContentTilesTenant, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $WebModelingTenantSwitch, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($source.getType().Name -like '*CimInstance*')
+ {
+ $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
+
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-Not $testResult)
+ {
+ Write-Verbose -Message "Difference found for $key"
+ $testResult = $false
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+
+ }
+ }
+
+ if ($testResult)
+ {
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'Fabric' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ $Script:ExportMode = $true
+ $uri = $global:MsCloudLoginConnectionProfile.Fabric.HostUrl + "/v1/admin/tenantsettings"
+ [array] $Script:exportedInstances = Invoke-M365DSCFabricWebRequest -Uri $uri -Method 'GET'
+
+ if ($null -ne $Global:M365DSCExportResourceInstancesCount)
+ {
+ $Global:M365DSCExportResourceInstancesCount++
+ }
+ $dscContent = ''
+ $params = @{
+ IsSingleInstance = 'Yes'
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+
+ $newResults = ([Hashtable]$Results).Clone()
+ foreach ($key in $Results.Keys)
+ {
+ if ($null -ne $Results.$key -and $key -notin $params.Keys)
+ {
+ $newResults.$key = Get-M365DSCFabricTenantSettingAsString -Setting $Results.$key
+ }
+ }
+
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $newResults `
+ -Credential $Credential
+ foreach ($key in $Results.Keys)
+ {
+ if ($null -ne $Results.$key -and $key -notin $params.Keys)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock `
+ -ParameterName $key
+ }
+ }
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+function Get-M365DSCFabricTenantSettingAsString
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.Collections.Hashtable]
+ $Setting
+ )
+
+ $StringContent += "MSFT_FabricTenantSetting {`r`n"
+ $StringContent += " settingName = '" + $setting.settingName + "'`r`n"
+ if (-not [System.String]::IsNullOrEmpty($setting.canSpecifySecurityGroups))
+ {
+ $StringContent += " canSpecifySecurityGroups = `$" + $setting.canSpecifySecurityGroups + "`r`n"
+ }
+ if (-not [System.String]::IsNullOrEmpty($setting.delegateToWorkspace))
+ {
+ $StringContent += " delegateToWorkspace = `$" + $setting.delegateToWorkspace + "`r`n"
+ }
+ if (-not [System.String]::IsNullOrEmpty($setting.delegatedFrom))
+ {
+ $StringContent += " delegatedFrom = '" + $setting.delegatedFrom + "'`r`n"
+ }
+ $StringContent += " enabled = `$" + $setting.enabled + "`r`n"
+ if (-not [System.String]::IsNullOrEmpty($setting.tenantSettingGroup))
+ {
+ $StringContent += " tenantSettingGroup = '" + $setting.tenantSettingGroup + "'`r`n"
+ }
+ $StringContent += " title = '" + $setting.title + "'`r`n"
+ if (-not [System.String]::IsNullOrEmpty($setting.properties))
+ {
+ $StringContent += " properties = @("
+ foreach ($property in $setting.properties)
+ {
+ $StringContent += " MSFT_FabricTenantSettingProperty{`r`n"
+ $StringContent += " name = '$($property.name)'`r`n"
+ $StringContent += " value = '$($property.value)'`r`n"
+ $StringContent += " type = '$($property.type)'`r`n"
+ $StringContent += " }`r`n"
+ }
+ $StringContent += ")"
+ }
+ if (-not [System.String]::IsNullOrEmpty($setting.excludedSecurityGroups))
+ {
+ $excludedSecurityGroupsValue = 
$setting.excludedSecurityGroups -join "','" + if ($setting.excludedSecurityGroups.Length -gt 1) + { + $excludedSecurityGroupsValue = $excludedSecurityGroupsValue.Substring(0, $excludedSecurityGroupsValue.Length -3) + } + $StringContent += " excludedSecurityGroups = @('" + $excludedSecurityGroupsValue + "')`r`n" + } + if (-not [System.String]::IsNullOrEmpty($setting.enabledSecurityGroups)) + { + $enabledSecurityGroupsValue = $setting.enabledSecurityGroups -join "','" + if ($setting.enabledSecurityGroups.Length -gt 1) + { + $enabledSecurityGroupsValue = $setting.enabledSecurityGroups -join "','" + $enabledSecurityGroupsValue = $enabledSecurityGroupsValue.Substring(0, $enabledSecurityGroupsValue.Length -3) + } + $StringContent += " enabledSecurityGroups = @('" + $enabledSecurityGroupsValue + "')`r`n" + } + $StringContent += " }`r`n" + return $StringContent +} + +function Get-M365DSCFabricTenantSettingObject +{ + [CmdletBinding()] + [OutputType([PSCustomObject])] + param( + [Parameter()] + $Setting + ) + + if ($null -eq $Setting) + { + return $null + } + + Write-Verbose -Message "Retrieving values for setting {$($Setting.settingName)}" + + $values = @{ + settingName = $Setting.settingName + enabled = [Boolean]$Setting.enabled + title = $Setting.title.Replace("'", "''") + } + if (-not [System.String]::IsNullOrEmpty($Setting.canSpecifySecurityGroups)) + { + $values.Add('canSpecifySecurityGroups', [Boolean]$Setting.canSpecifySecurityGroups) + } + if (-not [System.String]::IsNullOrEmpty($Setting.delegateToWorkspace)) + { + $values.Add('delegateToWorkspace', $Setting.delegateToWorkspace) + } + if (-not [System.String]::IsNullOrEmpty($Setting.delegatedFrom)) + { + $values.Add('delegatedFrom', $Setting.delegatedFrom) + } + if (-not [System.String]::IsNullOrEmpty($Setting.tenantSettingGroup)) + { + $values.Add('tenantSettingGroup', $Setting.tenantSettingGroup) + } + if ($null -ne $Setting.properties -and $Setting.properties.Length -gt 0) + { + $propertiesValue = @() + foreach 
($property in $Setting.Properties) + { + $curProperty = @{ + name = $property.name + value = $property.value.Replace("'", "''") + type = $property.type + } + $propertiesValue += $curProperty + } + + $values.Add('properties', $propertiesValue) + } + if ($null -ne $Setting.excludedSecurityGroups -and $Setting.excludedSecurityGroups.Length -gt 0) + { + $values.Add('excludedSecurityGroups', [Array]$Setting.excludedSecurityGroups.name) + } + if ($null -ne $Setting.enabledSecurityGroups -and $Setting.enabledSecurityGroups.Length -gt 0) + { + $values.Add('enabledSecurityGroups', [Array]$Setting.enabledSecurityGroups.name) + } + return $values +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.schema.mof new file mode 100644 index 0000000000..4b91816f4a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.schema.mof 
@@ -0,0 +1,172 @@ +[ClassVersion("1.0.0")] +class MSFT_FabricDelegatedFrom +{ + [Write, Description("The setting is delegated from a capacity.")] String Capacity; + [Write, Description("The setting is delegated from a domain.")] String Domain; + [Write, Description("The setting is delegated from a tenant.")] String Tenant; +}; + +[ClassVersion("1.0.0")] +class MSFT_FabricTenantSettingProperty +{ + [Write, Description("The name of the property.")] String name; + [Write, Description("The type of the property.")] String type; + [Write, Description("The value of the property.")] String value; +}; + +[ClassVersion("1.0.0")] +class MSFT_FabricTenantSetting +{ + [Write, Description("Indicates if the tenant setting is enabled for a security group. 0 - The tenant setting is enabled for the entire organization.")] Boolean canSpecifySecurityGroups; + [Write, Description("Indicates whether the tenant setting can be delegated to a workspace admin. False - Workspace admin cannot override the tenant setting.")] Boolean delegateToWorkspace; + [Write, Description("Tenant setting delegated from tenant, capacity or domain."), EmbeddedInstance("MSFT_FabricDelegatedFrom")] string delegatedFrom; + [Write, Description("The name of the tenant setting.")] String settingName; + [Write, Description("The status of the tenant setting.")] Boolean enabled; + [Write, Description("Tenant setting group name.")] String tenantSettingGroup; + [Write, Description("The title of the tenant setting.")] String title; + [Write, Description("Tenant setting properties."), EmbeddedInstance("MSFT_FabricTenantSettingProperty")] String properties[]; + [Write, Description("A list of excluded security groups.")] String excludedSecurityGroups[]; + [Write, Description("A list of enabled security groups.")] String enabledSecurityGroups[]; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("FabricAdminTenantSettings")] +class MSFT_FabricAdminTenantSettings : OMI_BaseResource +{ + [Key, Description("Specifies the resource is 
a single instance, the value must be 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Microsoft Entra single sign-on for data gateway"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AADSSOForGateway; + [Write, Description("Enhance admin APIs responses with detailed metadata"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AdminApisIncludeDetailedMetadata; + [Write, Description("Enhance admin APIs responses with DAX and mashup expressions"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AdminApisIncludeExpressions; + [Write, Description("Show a custom message before publishing reports"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AdminCustomDisclaimer; + [Write, Description("Users can create and share AI skill item types (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AISkillArtifactTenantSwitch; + [Write, Description("Azure Private Link"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowAccessOverPrivateLinks; + [Write, Description("AppSource Custom Visuals SSO"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowCVAuthenticationTenant; + [Write, Description("Allow access to the browser's local storage"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowCVLocalStorageV2Tenant; + [Write, Description("Allow downloads from custom visuals"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowCVToExportDataToFileTenant; + [Write, Description("Endorse master data (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowEndorsementMasterDataSwitch; + [Write, Description("Users can accept external data shares (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowExternalDataSharingReceiverSwitch; + [Write, Description("External data sharing (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowExternalDataSharingSwitch; + [Write, Description("Users can try Microsoft Fabric paid features"), 
EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowFreeTrial; + [Write, Description("Users can see guest users in lists of suggested people"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowGuestLookup; + [Write, Description("Guest users can access Microsoft Fabric"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowGuestUserToAccessSharedContent; + [Write, Description("Allow DirectQuery connections to Power BI semantic models"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowPowerBIASDQOnTenant; + [Write, Description("Data sent to Azure OpenAI can be processed outside your capacity's geographic region, compliance boundary, or national cloud instance"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowSendAOAIDataToOtherRegions; + [Write, Description("Allow user data to leave their geography"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowSendNLToDaxDataToOtherRegions; + [Write, Description("Allow service principals to create and use profiles"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowServicePrincipalsCreateAndUseProfiles; + [Write, Description("Service principals can access read-only admin APIs"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AllowServicePrincipalsUseReadAdminAPIs; + [Write, Description("Push apps to end users"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AppPush; + [Write, Description("Use global search for Power BI"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ArtifactSearchTenant; + [Write, Description("Microsoft can store query text to aid in support investigations"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ASCollectQueryTextTelemetryTenantSwitch; + [Write, Description("Enable granular access control for all data connections"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ASShareableCloudConnectionBindingSecurityModeTenant; + [Write, Description("Semantic models can export data to OneLake (preview)"), 
EmbeddedInstance("MSFT_FabricTenantSetting")] string ASWritethruContinuousExportTenantSwitch; + [Write, Description("Users can store semantic model tables in OneLake (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ASWritethruTenantSwitch; + [Write, Description("Install Power BI app for Microsoft Teams automatically"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AutoInstallPowerBIAppInTeamsTenant; + [Write, Description("Show entry points for insights (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AutomatedInsightsEntryPoints; + [Write, Description("Receive notifications for top insights (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AutomatedInsightsTenant; + [Write, Description("Use Azure Maps visual"), EmbeddedInstance("MSFT_FabricTenantSetting")] string AzureMap; + [Write, Description("Map and filled map visuals"), EmbeddedInstance("MSFT_FabricTenantSetting")] string BingMap; + [Write, Description("Block Public Internet Access"), EmbeddedInstance("MSFT_FabricTenantSetting")] string BlockAccessFromPublicNetworks; + [Write, Description("Block republish and disable package refresh"), EmbeddedInstance("MSFT_FabricTenantSetting")] string BlockAutoDiscoverAndPackageRefresh; + [Write, Description("Restrict content with protected labels from being shared via link with everyone in your organization"), EmbeddedInstance("MSFT_FabricTenantSetting")] string BlockProtectedLabelSharingToEntireOrg; + [Write, Description("Block ResourceKey Authentication"), EmbeddedInstance("MSFT_FabricTenantSetting")] string BlockResourceKeyAuthentication; + [Write, Description("Create and use Gen1 dataflows"), EmbeddedInstance("MSFT_FabricTenantSetting")] string CDSAManagement; + [Write, Description("Add and use certified visuals only (block uncertified)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string CertifiedCustomVisualsTenant; + [Write, Description("Certification"), EmbeddedInstance("MSFT_FabricTenantSetting")] string 
CertifyDatasets; + [Write, Description("Define workspace retention period"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ConfigureFolderRetentionPeriod; + [Write, Description("Create workspaces"), EmbeddedInstance("MSFT_FabricTenantSetting")] string CreateAppWorkspaces; + [Write, Description("Allow visuals created using the Power BI SDK"), EmbeddedInstance("MSFT_FabricTenantSetting")] string CustomVisualsTenant; + [Write, Description("Create Datamarts (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string DatamartTenant; + [Write, Description("Semantic Model Execute Queries REST API"), EmbeddedInstance("MSFT_FabricTenantSetting")] string DatasetExecuteQueries; + [Write, Description("Publish template apps"), EmbeddedInstance("MSFT_FabricTenantSetting")] string DevelopServiceApps; + [Write, Description("Discover content"), EmbeddedInstance("MSFT_FabricTenantSetting")] string DiscoverDatasetsConsumption; + [Write, Description("Make certified content discoverable "), EmbeddedInstance("MSFT_FabricTenantSetting")] string DiscoverDatasetsSettingsCertified; + [Write, Description("Make promoted content discoverable"), EmbeddedInstance("MSFT_FabricTenantSetting")] string DiscoverDatasetsSettingsPromoted; + [Write, Description("Dremio SSO"), EmbeddedInstance("MSFT_FabricTenantSetting")] string DremioSSO; + [Write, Description("Apply sensitivity labels from data sources to their data in Power BI"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EimInformationProtectionDataSourceInheritanceSetting; + [Write, Description("Automatically apply sensitivity labels to downstream content"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EimInformationProtectionDownstreamInheritanceSetting; + [Write, Description("Allow users to apply sensitivity labels for content"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EimInformationProtectionEdit; + [Write, Description("Increase the number of users who can edit and republish encrypted PBIX files 
(preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EimInformationProtectionLessElevated; + [Write, Description("Allow workspace admins to override automatically applied sensitivity labels"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting; + [Write, Description("Guest users can browse and access Fabric content"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ElevatedGuestsTenant; + [Write, Description("Receive email notifications for service outages or incidents"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EmailSecurityGroupsOnOutage; + [Write, Description("Guest users can set up and subscribe to email subscriptions"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EmailSubscriptionsToB2BUsers; + [Write, Description("Users can send email subscriptions to guest users"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EmailSubscriptionsToExternalUsers; + [Write, Description("Users can set up email subscriptions"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EmailSubscriptionTenant; + [Write, Description("Embed content in apps"), EmbeddedInstance("MSFT_FabricTenantSetting")] string Embedding; + [Write, Description("Users can use Copilot and other features powered by Azure OpenAI"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EnableAOAI; + [Write, Description("Allow specific users to turn on external data sharing"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EnableDatasetInPlaceSharing; + [Write, Description("Allow connections to featured tables"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EnableExcelYellowIntegration; + [Write, Description("Users can create and use data workflows (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EnableFabricAirflow; + [Write, Description("Allow quick measure suggestions (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EnableNLToDax; + [Write, 
Description("Allow tenant and domain admins to override workspace assignments (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EnableReassignDataDomainSwitch; + [Write, Description("Use ArcGIS Maps for Power BI"), EmbeddedInstance("MSFT_FabricTenantSetting")] string EsriVisual; + [Write, Description("Help Power BI optimize your experience"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExpFlightingTenant; + [Write, Description("Download reports"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportReport; + [Write, Description("Export to .csv"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportToCsv; + [Write, Description("Export to Excel"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportToExcelSetting; + [Write, Description("Export reports as image files"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportToImage; + [Write, Description("Export reports as MHTML documents"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportToMHTML; + [Write, Description("Export reports as PowerPoint presentations or PDF documents"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportToPowerPoint; + [Write, Description("Export reports as Word documents"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportToWord; + [Write, Description("Export reports as XML documents"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportToXML; + [Write, Description("Copy and paste visuals"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExportVisualImageTenant; + [Write, Description("Guest users can work with shared semantic models in their own tenants"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExternalDatasetSharingTenant; + [Write, Description("Users can invite guest users to collaborate through item sharing and permissions"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ExternalSharingV2; + [Write, Description("Capacity admins and contributors can add and remove additional 
workloads"), EmbeddedInstance("MSFT_FabricTenantSetting")] string FabricAddPartnerWorkload; + [Write, Description("Product Feedback"), EmbeddedInstance("MSFT_FabricTenantSetting")] string FabricFeedbackTenantSwitch; + [Write, Description("Users can create Fabric items"), EmbeddedInstance("MSFT_FabricTenantSetting")] string FabricGAWorkloads; + [Write, Description("Capacity admins can develop additional workloads"), EmbeddedInstance("MSFT_FabricTenantSetting")] string FabricThirdPartyWorkloads; + [Write, Description("Users can sync workspace items with GitHub repositories "), EmbeddedInstance("MSFT_FabricTenantSetting")] string GitHubTenantSettings; + [Write, Description("Users can export items to Git repositories in other geographical locations (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string GitIntegrationCrossGeoTenantSwitch; + [Write, Description("Users can export workspace items with applied sensitivity labels to Git repositories (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string GitIntegrationSensitivityLabelsTenantSwitch; + [Write, Description("Users can synchronize workspace items with their Git repositories (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string GitIntegrationTenantSwitch; + [Write, Description("Google BigQuery SSO"), EmbeddedInstance("MSFT_FabricTenantSetting")] string GoogleBigQuerySSO; + [Write, Description("API for GraphQL (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string GraphQLTenant; + [Write, Description("Healthcare data solutions (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string HealthcareSolutionsTenantSwitch; + [Write, Description("Install template apps not listed in AppSource"), EmbeddedInstance("MSFT_FabricTenantSetting")] string InstallNonvalidatedTemplateApps; + [Write, Description("Install template apps"), EmbeddedInstance("MSFT_FabricTenantSetting")] string InstallServiceApps; + [Write, Description("Users can create Real-Time Dashboards (preview)"), 
EmbeddedInstance("MSFT_FabricTenantSetting")] string KustoDashboardTenantSwitch; + [Write, Description("Users can work with semantic models in Excel using a live connection"), EmbeddedInstance("MSFT_FabricTenantSetting")] string LiveConnection; + [Write, Description("Azure Log Analytics connections for workspace administrators"), EmbeddedInstance("MSFT_FabricTenantSetting")] string LogAnalyticsAttachForWorkspaceAdmins; + [Write, Description("Users can see Microsoft Fabric metadata in Microsoft 365"), EmbeddedInstance("MSFT_FabricTenantSetting")] string M365DataSharing; + [Write, Description("Database Mirroring (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string Mirroring; + [Write, Description("Semantic model owners can choose to automatically update semantic models from files imported from OneDrive or SharePoint"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ODSPRefreshEnforcementTenantAllowAutomaticUpdate; + [Write, Description("Users can share links to Power BI files stored in OneDrive and SharePoint through Power BI Desktop (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string OneDriveSharePointAllowSharingTenantSetting; + [Write, Description("Users can view Power BI files saved in OneDrive and SharePoint (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string OneDriveSharePointViewerIntegrationTenantSettingV2; + [Write, Description("Users can sync data in OneLake with the OneLake File Explorer app"), EmbeddedInstance("MSFT_FabricTenantSetting")] string OneLakeFileExplorer; + [Write, Description("Users can access data stored in OneLake with apps external to Fabric"), EmbeddedInstance("MSFT_FabricTenantSetting")] string OneLakeForThirdParty; + [Write, Description("Allow XMLA endpoints and Analyze in Excel with on-premises semantic models"), EmbeddedInstance("MSFT_FabricTenantSetting")] string OnPremAnalyzeInExcel; + [Write, Description("Create and use Metrics"), EmbeddedInstance("MSFT_FabricTenantSetting")] string 
PowerBIGoalsTenant; + [Write, Description("Power Platform Solutions Integration (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string PowerPlatformSolutionsIntegrationTenant; + [Write, Description("Print dashboards and reports"), EmbeddedInstance("MSFT_FabricTenantSetting")] string Printing; + [Write, Description("Featured content"), EmbeddedInstance("MSFT_FabricTenantSetting")] string PromoteContent; + [Write, Description("Publish apps to the entire organization"), EmbeddedInstance("MSFT_FabricTenantSetting")] string PublishContentPack; + [Write, Description("Publish to web"), EmbeddedInstance("MSFT_FabricTenantSetting")] string PublishToWeb; + [Write, Description("Review questions"), EmbeddedInstance("MSFT_FabricTenantSetting")] string QnaFeedbackLoop; + [Write, Description("Synonym sharing"), EmbeddedInstance("MSFT_FabricTenantSetting")] string QnaLsdlSharing; + [Write, Description("Scale out queries for large semantic models"), EmbeddedInstance("MSFT_FabricTenantSetting")] string QueryScaleOutTenant; + [Write, Description("Redshift SSO"), EmbeddedInstance("MSFT_FabricTenantSetting")] string RedshiftSSO; + [Write, Description("Block users from reassigning personal workspaces (My Workspace)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string RestrictMyFolderCapacity; + [Write, Description("Retail data solutions (preview) "), EmbeddedInstance("MSFT_FabricTenantSetting")] string RetailSolutionsTenantSwitch; + [Write, Description("Interact with and share R and Python visuals"), EmbeddedInstance("MSFT_FabricTenantSetting")] string RScriptVisual; + [Write, Description("Service principals can use Fabric APIs"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ServicePrincipalAccess; + [Write, Description("Allow shareable links to grant access to everyone in your organization"), EmbeddedInstance("MSFT_FabricTenantSetting")] string ShareLinkToEntireOrg; + [Write, Description("Enable Microsoft Teams integration"), 
EmbeddedInstance("MSFT_FabricTenantSetting")] string ShareToTeamsTenant; + [Write, Description("Snowflake SSO"), EmbeddedInstance("MSFT_FabricTenantSetting")] string SnowflakeSSO; + [Write, Description("Enable Power BI add-in for PowerPoint"), EmbeddedInstance("MSFT_FabricTenantSetting")] string StorytellingTenant; + [Write, Description("Sustainability solutions (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string SustainabilitySolutionsTenantSwitch; + [Write, Description("Create template organizational apps"), EmbeddedInstance("MSFT_FabricTenantSetting")] string TemplatePublish; + [Write, Description("Publish Get Help information"), EmbeddedInstance("MSFT_FabricTenantSetting")] string TenantSettingPublishGetHelpInfo; + [Write, Description("Data Activator (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string TridentPrivatePreview; + [Write, Description("Usage metrics for content creators"), EmbeddedInstance("MSFT_FabricTenantSetting")] string UsageMetrics; + [Write, Description("Per-user data in usage metrics for content creators"), EmbeddedInstance("MSFT_FabricTenantSetting")] string UsageMetricsTrackUserLevelInfo; + [Write, Description("Use semantic models across workspaces"), EmbeddedInstance("MSFT_FabricTenantSetting")] string UseDatasetsAcrossWorkspaces; + [Write, Description("Integration with SharePoint and Microsoft Lists"), EmbeddedInstance("MSFT_FabricTenantSetting")] string VisualizeListInPowerBI; + [Write, Description("Web content on dashboard tiles"), EmbeddedInstance("MSFT_FabricTenantSetting")] string WebContentTilesTenant; + [Write, Description("Users can edit data models in the Power BI service (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string WebModelingTenantSwitch; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, 
Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/readme.md new file mode 100644 index 0000000000..f4ea4850a7 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/readme.md @@ -0,0 +1,6 @@ + +# FabricAdminTenantSettings + +## Description + +This resource configures the tenant settings for Microsoft Fabric. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/settings.json new file mode 100644 index 0000000000..f2e3b8aade --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "FabricAdminTenantSettings", + "description": "This resource configures the tenant settings for Microsoft Fabric.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index e3f1d08163..717197df8f 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 
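Review bot: `delegatedFrom` on `MSFT_FabricTenantSetting` carries `EmbeddedInstance("MSFT_FabricDelegatedFrom")`, but the psm1 hunk in this patch writes it as a quoted scalar (`delegatedFrom = '" + $setting.delegatedFrom + "'`) in Get-M365DSCFabricTenantSettingAsString and copies the raw API value into the hashtable in Get-M365DSCFabricTenantSettingObject, so an exported configuration is likely to fail at compile time against this schema and the CimInstance comparison in Test-TargetResource would see a string where an instance is declared. Either declare it as a plain `String delegatedFrom;` or emit a `MSFT_FabricDelegatedFrom { Capacity = ...; Domain = ...; Tenant = ... }` block from the API object in both helpers. `MSFT_FabricAdminTenantSettings` also declares `Credential`, yet Export-TargetResource's param block in this patch does not accept it and it is not among the authentication parameters at the end of Test-TargetResource's param block, so a configuration that sets it would presumably fail parameter binding when the LCM invokes the resource; add the parameter to every resource function or drop the property. The description on `canSpecifySecurityGroups` ("0 - The tenant setting is enabled for the entire organization") reads as an integer enum on a Boolean property; `False - ...` would match the wording used for `delegateToWorkspace`.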
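Review bot: The `roles` and `permissions` arrays in settings.json are all empty, while Export-TargetResource in this patch reads `/v1/admin/tenantsettings`, an admin endpoint that presumably requires a Fabric administrator role; if the project's permission tooling derives required rights from this file, the resource will report that it needs nothing. Record the required role under `roles.read`/`roles.update` (e.g. `"read": ["Fabric Administrator"]`, to be confirmed against the Fabric admin API documentation) so least-privilege setup for this resource is documented like the other resources'.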
@@ -90,7 +90,7 @@
 },
 @{
 ModuleName = "MSCloudLoginAssistant"
- RequiredVersion = "1.1.19"
+ RequiredVersion = "1.1.20"
 },
 @{
 ModuleName = 'PnP.PowerShell'
diff --git a/Modules/Microsoft365DSC/Examples/Resources/FabricAdminTenantSettings/4-MonitorOnly.ps1 b/Modules/Microsoft365DSC/Examples/Resources/FabricAdminTenantSettings/4-MonitorOnly.ps1
new file mode 100644
index 0000000000..3bb328f122
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/FabricAdminTenantSettings/4-MonitorOnly.ps1
@@ -0,0 +1,45 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IsSingleInstance = 'Yes'
+ AADSSOForGateway = MSFT_FabricTenantSetting {
+ settingName = 'AADSSOForGateway'
+ canSpecifySecurityGroups = $False
+ enabled = $True
+ tenantSettingGroup = 'Integration settings'
+ title = 'Microsoft Entra single sign-on for data gateway'
+ };
+ AdminApisIncludeDetailedMetadata = MSFT_FabricTenantSetting {
+ settingName = 'AdminApisIncludeDetailedMetadata'
+ canSpecifySecurityGroups = $True
+ enabled = $True
+ tenantSettingGroup = 'Admin API settings'
+ title = 'Enhance admin APIs responses with detailed metadata'
+ excludedSecurityGroups = @('MyExcludedGroup')
+ enabledSecurityGroups = @('Group1','Group2')
+ };
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+}
diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1
index afbbe21dd2..cd94876636 100644
--- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1
+++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1
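Review bot: The example in 4-MonitorOnly.ps1 places `IsSingleInstance = 'Yes'` and the other properties directly inside `node localhost { ... }` with no resource declaration, so the configuration cannot compile; the 45 added lines contain only the closing braces for the node and the Configuration. Insert `FabricAdminTenantSettings "FabricAdminTenantSettings"` and `{` after `node localhost {`, and a matching `}` before the node's closing brace. Since this example doubles as the resource's documented usage, a non-compiling example also leaves the Fabric tenant-setting syntax undocumented for users.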
@@ -79,6 +79,7 @@ 'Modules/M365DSCDRGUtil.psm1', 'Modules/EncodingHelpers/M365DSCEmojis.psm1', 'Modules/EncodingHelpers/M365DSCStringEncoding.psm1', + 'Modules/WorkloadHelpers/M365DSCFabricHelper.psm1', 'Modules/M365DSCConfigurationHelper.psm1' ) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 index be090cf9a6..61ed490d9b 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 @@ -41,7 +41,7 @@ function Start-M365DSCConfigurationExtract $MaxProcesses = 16, [Parameter()] - [ValidateSet('AAD', 'SPO', 'EXO', 'INTUNE', 'SC', 'OD', 'O365', 'TEAMS', 'PP', 'PLANNER')] + [ValidateSet('AAD', 'FABRIC', 'SPO', 'EXO', 'INTUNE', 'SC', 'OD', 'O365', 'TEAMS', 'PP', 'PLANNER')] [System.String[]] $Workloads, diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 7fad40386a..5dec239d62 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -1161,7 +1161,7 @@ function Export-M365DSCConfiguration $Components, [Parameter(ParameterSetName = 'Export')] - [ValidateSet('AAD', 'SPO', 'EXO', 'INTUNE', 'SC', 'OD', 'O365', 'PLANNER', 'PP', 'TEAMS')] + [ValidateSet('AAD', 'FABRIC', 'SPO', 'EXO', 'INTUNE', 'SC', 'OD', 'O365', 'PLANNER', 'PP', 'TEAMS')] [System.String[]] $Workloads, @@ -1708,7 +1708,7 @@ function New-M365DSCConnection param ( [Parameter(Mandatory = $true)] - [ValidateSet('ExchangeOnline', 'Intune', ` + [ValidateSet('AzureDevOPS', 'ExchangeOnline', 'Fabric', 'Intune', ` 'SecurityComplianceCenter', 'PnP', 'PowerPlatforms', ` 'MicrosoftTeams', 'MicrosoftGraph', 'Tasks')] [System.String] diff --git a/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCFabricHelper.psm1 b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCFabricHelper.psm1 new file mode 100644 index 0000000000..ca390ae10c --- /dev/null 
+++ b/Modules/Microsoft365DSC/Modules/WorkloadHelpers/M365DSCFabricHelper.psm1
@@ -0,0 +1,26 @@
+function Invoke-M365DSCFabricWebRequest
+{
+ [OutputType([PSCustomObject])]
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Uri,
+
+ [Parameter()]
+ [System.String]
+ $Method = 'GET',
+
+ [Parameter()]
+ [System.Collections.Hashtable]
+ $Body
+ )
+
+ $headers = @{
+ Authorization = $global:MsCloudLoginConnectionProfile.Fabric.AccessToken
+ }
+
+ $response = Invoke-WebRequest -Method $Method -Uri $Uri -Headers $headers -Body $Body
+ $result = ConvertFrom-Json $response.Content
+ return $result
+}
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.FabricAdminTenantSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.FabricAdminTenantSettings.Tests.ps1
new file mode 100644
index 0000000000..da1e78d7ae
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.FabricAdminTenantSettings.Tests.ps1
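Review bot: Invoke-M365DSCFabricWebRequest puts the Fabric tenant-admin bearer token from `$global:MsCloudLoginConnectionProfile.Fabric.AccessToken` on every request but never constrains `$Uri`, so any caller, or a mistyped endpoint constant, sends that token to whatever host is named; an origin check on the Fabric API host before the call closes that off. The `$Body` hashtable is also handed straight to Invoke-WebRequest, which form-encodes hashtables, so if the tenant-settings calls send JSON (the callers are not visible in this hunk) the body needs `ConvertTo-Json` plus `-ContentType 'application/json'`, and on Windows PowerShell 5.1 `-UseBasicParsing` avoids the Internet Explorer dependency. A header comment stating that the helper assumes the stored AccessToken already carries the `Bearer ` scheme prefix would make that dependency on MSCloudLoginAssistant explicit rather than implicit. Suggested body after the `param` block:
```powershell
    $headers = @{
        # Assumes MSCloudLoginAssistant stores the token with its 'Bearer ' scheme prefix — confirm.
        Authorization = $global:MsCloudLoginConnectionProfile.Fabric.AccessToken
    }
    # Never send the Fabric admin token anywhere but the Fabric API origin (host to be confirmed against callers).
    if (-not $Uri.StartsWith('https://api.fabric.microsoft.com/', [System.StringComparison]::OrdinalIgnoreCase))
    {
        throw "Refusing to send Fabric credentials to unexpected endpoint: $Uri"
    }
    $requestArgs = @{
        Method          = $Method
        Uri             = $Uri
        Headers         = $headers
        UseBasicParsing = $true
    }
    if ($null -ne $Body)
    {
        # Hashtable bodies are form-encoded by Invoke-WebRequest; the admin API presumably expects JSON.
        $requestArgs.Body        = $Body | ConvertTo-Json -Depth 20 -Compress
        $requestArgs.ContentType = 'application/json'
    }
    $response = Invoke-WebRequest @requestArgs
    return (ConvertFrom-Json $response.Content)
```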
@@ -0,0 +1,220 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "ServicePrincipalWithThumbprint" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + AADSSOForGateway = (New-CimInstance -ClassName MSFT_FabricTenantSetting -Property @{ + settingName = 'AADSSOForGateway' + canSpecifySecurityGroups = $False + enabled = $True + tenantSettingGroup = 'Integration settings' + title = 'Microsoft Entra single sign-on for data gateway' + } -ClientOnly); + AdminApisIncludeDetailedMetadata = (New-CimInstance -ClassName MSFT_FabricTenantSetting -Property @{ + settingName = 'AdminApisIncludeDetailedMetadata' + canSpecifySecurityGroups = $True 
+ enabled = $True + tenantSettingGroup = 'Admin API settings' + title = 'Enhance admin APIs responses with detailed metadata' + excludedSecurityGroups = @('MyExcludedGroup') + enabledSecurityGroups = @('Group1','Group2') + } -ClientOnly) + ApplicationId = (New-GUID).ToString() + TenantId = 'Contoso.com' + CertificateThumbprint = (New-GUID).ToString() + } + + Mock -CommandName Invoke-M365DSCFabricWebRequest -MockWith { + return @{ + tenantSettings = @( + @{ + settingName = 'AADSSOForGateway' + canSpecifySecurityGroups = $False + enabled = $True + tenantSettingGroup = 'Integration settings' + title = 'Microsoft Entra single sign-on for data gateway' + }, + @{ + settingName = 'AdminApisIncludeDetailedMetadata' + tenantSettingGroup = 'Admin API settings' + title = 'Enhance admin APIs responses with detailed metadata' + canSpecifySecurityGroups = $True + enabled = $True + excludedSecurityGroups = @( + @{ + Name = "MyExcludedGroup" + } + ) + enabledSecurityGroups = @( + @{ + Name = "Group1" + }, + @{ + Name = "Group2" + } + ) + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + AADSSOForGateway = (New-CimInstance -ClassName MSFT_FabricTenantSetting -Property @{ + settingName = 'AADSSOForGateway' + canSpecifySecurityGroups = $False + enabled = $True + tenantSettingGroup = 'Integration settings' + title = 'Microsoft Entra single sign-on for data gateway' + } -ClientOnly); + AdminApisIncludeDetailedMetadata = (New-CimInstance -ClassName MSFT_FabricTenantSetting -Property @{ + settingName = 'AdminApisIncludeDetailedMetadata' + canSpecifySecurityGroups = $True + enabled = $True + tenantSettingGroup = 'Admin API settings' + title = 'Enhance admin APIs responses with detailed metadata' + excludedSecurityGroups = @('MyExcludedGroup') + 
enabledSecurityGroups = @('Group1','Group4') # Drift + } -ClientOnly) + ApplicationId = (New-GUID).ToString() + TenantId = 'Contoso.com' + CertificateThumbprint = (New-GUID).ToString() + } + + Mock -CommandName Invoke-M365DSCFabricWebRequest -MockWith { + return @{ + tenantSettings = @( + @{ + settingName = 'AADSSOForGateway' + canSpecifySecurityGroups = $False + enabled = $True + tenantSettingGroup = 'Integration settings' + title = 'Microsoft Entra single sign-on for data gateway' + }, + @{ + settingName = 'AdminApisIncludeDetailedMetadata' + tenantSettingGroup = 'Admin API settings' + title = 'Enhance admin APIs responses with detailed metadata' + excludedSecurityGroups = @( + @{ + Name = "MyExcludedGroup" + } + ) + enabledSecurityGroups = @( + @{ + Name = "Group1" + }, + @{ + Name = "Group2" + } + ) + } + ) + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + ApplicationId = (New-GUID).ToString() + TenantId = 'Contoso.com' + CertificateThumbprint = (New-GUID).ToString() + } + + Mock -CommandName Invoke-M365DSCFabricWebRequest -MockWith { + return @{ + tenantSettings = @( + @{ + settingName = 'AADSSOForGateway' + canSpecifySecurityGroups = $False + enabled = $True + tenantSettingGroup = 'Integration settings' + title = 'Microsoft Entra single sign-on for data gateway' + }, + @{ + settingName = 'AdminApisIncludeDetailedMetadata' + tenantSettingGroup = 'Admin API settings' + title = 'Enhance admin APIs responses with detailed metadata' + excludedSecurityGroups = @( + @{ + Name = "MyExcludedGroup" + } + ) + enabledSecurityGroups = @( + @{ + Name = "Group1" + }, + @{ + Name = "Group4" # Drift + } + ) + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource 
@testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 2776a433cd499f65158b85d919a38f777995d080 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 4 Sep 2024 13:27:09 -0400 Subject: [PATCH 16/47] Update Generic.psm1 --- Tests/Unit/Stubs/Generic.psm1 | 3 --- 1 file changed, 3 deletions(-) diff --git a/Tests/Unit/Stubs/Generic.psm1 b/Tests/Unit/Stubs/Generic.psm1 index a18029efcf..6ebc93dda5 100644 --- a/Tests/Unit/Stubs/Generic.psm1 +++ b/Tests/Unit/Stubs/Generic.psm1 @@ -356,9 +356,6 @@ function New-M365DSCConnection [CmdletBinding()] param( [Parameter(Mandatory = $true)] - [ValidateSet('ExchangeOnline', 'Intune', ` - 'SecurityComplianceCenter', 'MSOnline', 'PnP', 'PowerPlatforms', ` - 'MicrosoftTeams', 'MicrosoftGraph', 'Tasks')] [System.String] $Workload, From 975a3a74f89f65ca3e4cc5c4b6e020dd5189883d Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 4 Sep 2024 14:25:33 -0400 Subject: [PATCH 17/47] Fixed Example --- .../4-MonitorOnly.ps1 | 43 ++++++++++--------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/FabricAdminTenantSettings/4-MonitorOnly.ps1 b/Modules/Microsoft365DSC/Examples/Resources/FabricAdminTenantSettings/4-MonitorOnly.ps1 index 3bb328f122..21984dd722 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/FabricAdminTenantSettings/4-MonitorOnly.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/FabricAdminTenantSettings/4-MonitorOnly.ps1 
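Review bot: The "NOT in the desired state" context does not isolate the drift it claims to test: besides the `Group4` entry marked `# Drift`, the mocked AdminApisIncludeDetailedMetadata setting also drops `canSpecifySecurityGroups` and `enabled`, which the "desired state" mock does include, so Test-TargetResource would still return `$false` even if the security-group comparison were broken. Restore `canSpecifySecurityGroups = $True` and `enabled = $True` in that mock so the enabled-groups difference is the only one, and consider a second drift context that flips `enabled` alone. The same two properties are missing from the ReverseDSC mock, which is harmless for an export smoke test but worth aligning for consistency.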
@@ -21,25 +21,28 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - IsSingleInstance = 'Yes' - AADSSOForGateway = MSFT_FabricTenantSetting { - settingName = 'AADSSOForGateway' - canSpecifySecurityGroups = $False - enabled = $True - tenantSettingGroup = 'Integration settings' - title = 'Microsoft Entra single sign-on for data gateway' - }; - AdminApisIncludeDetailedMetadata = MSFT_FabricTenantSetting { - settingName = 'AdminApisIncludeDetailedMetadata' - canSpecifySecurityGroups = $True - enabled = $True - tenantSettingGroup = 'Admin API settings' - title = 'Enhance admin APIs responses with detailed metadata' - excludedSecurityGroups = @('MyExcludedGroup') - enabledSecurityGroups = @('Group1','Group2') - }; - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint + FabricAdminTenantSettings "FabricAdminTenantSettings" + { + IsSingleInstance = 'Yes' + AADSSOForGateway = MSFT_FabricTenantSetting { + settingName = 'AADSSOForGateway' + canSpecifySecurityGroups = $False + enabled = $True + tenantSettingGroup = 'Integration settings' + title = 'Microsoft Entra single sign-on for data gateway' + }; + AdminApisIncludeDetailedMetadata = MSFT_FabricTenantSetting { + settingName = 'AdminApisIncludeDetailedMetadata' + canSpecifySecurityGroups = $True + enabled = $True + tenantSettingGroup = 'Admin API settings' + title = 'Enhance admin APIs responses with detailed metadata' + excludedSecurityGroups = @('MyExcludedGroup') + enabledSecurityGroups = @('Group1','Group2') + }; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } } } From 568d901f5105ce4fa0f6b3a6b912166bdb3d531f Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 4 Sep 2024 14:37:12 -0400 Subject: [PATCH 18/47] Update MSFT_FabricAdminTenantSettings.schema.mof --- .../MSFT_FabricAdminTenantSettings.schema.mof | 1 - 1 file changed, 1 deletion(-) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.schema.mof index 4b91816f4a..d52886c0bd 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.schema.mof @@ -163,7 +163,6 @@ class MSFT_FabricAdminTenantSettings : OMI_BaseResource [Write, Description("Integration with SharePoint and Microsoft Lists"), EmbeddedInstance("MSFT_FabricTenantSetting")] string VisualizeListInPowerBI; [Write, Description("Web content on dashboard tiles"), EmbeddedInstance("MSFT_FabricTenantSetting")] string WebContentTilesTenant; [Write, Description("Users can edit data models in the Power BI service (preview)"), EmbeddedInstance("MSFT_FabricTenantSetting")] string WebModelingTenantSwitch; - [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Secret of the Azure Active Directory application to authenticate with."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; From fe00c158ae9c69607c8ca4159a4f825cedd1b0bd Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 4 Sep 2024 19:39:08 -0400 Subject: [PATCH 19/47] Update MSFT_FabricAdminTenantSettings.psm1 --- .../MSFT_FabricAdminTenantSettings.psm1 | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) 
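Review bot: Dropping `Credential` from the MOF while the resource module may still declare a `$Credential` parameter leaves schema and implementation out of step; the Export-TargetResource hunk later in this series still passes `-Credential $Credential` to the DSC-block helper, which suggests the parameter survives in the `.psm1`. DSC (and this repository's schema tests) require the MOF properties and the Get/Set/Test-TargetResource parameter sets to match, so either remove `$Credential` from those functions and from any `$PSBoundParameters`-driven connection code as well, or keep the property in the schema. The `.psm1` parameter blocks are not visible here, so this is inferred from the Export hunk; a one-line note in the readme that this resource supports only app-only authentication would also make the removal intentional rather than accidental.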
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.psm1 index 482c9524c7..52a0e3bea4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_FabricAdminTenantSettings/MSFT_FabricAdminTenantSettings.psm1 @@ -1854,7 +1854,6 @@ function Test-TargetResource $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" @@ -1874,12 +1873,13 @@ function Test-TargetResource if (-Not $testResult) { Write-Verbose -Message "Difference found for $key" + Write-Verbose -Message "Current Values: $($source | Out-String)" + Write-Verbose -Message "Desired Values: $($target | Out-String)" $testResult = $false break } $ValuesToCheck.Remove($key) | Out-Null - } } @@ -1975,14 +1975,23 @@ function Export-TargetResource -ModulePath $PSScriptRoot ` -Results $newResults ` -Credential $Credential + $fixQuotes = $false foreach ($key in $Results.Keys) { if ($null -ne $Results.$key -and $key -notin $params.Keys) { + if ($currentDSCBlock.Contains('`"')) + { + $fixQuotes = $true + } $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` - -ParameterName $key + -ParameterName $key } } + if ($fixQuotes) + { + $currentDSCBlock = $currentDSCBlock.Replace('`', '"') + } $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName 
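Review bot: The `$fixQuotes` cleanup in Export-TargetResource is broader than its trigger: the loop only checks the block for the escaped-quote sequence `` `" ``, but `` $currentDSCBlock.Replace('`', '"') `` then rewrites every backtick in the exported block, so a backtick that legitimately reaches the export in a setting title, a property value or a line continuation becomes a quote and the generated configuration no longer parses. Narrow the replacement to the sequence that was detected, `` $currentDSCBlock = $currentDSCBlock.Replace('`"', '""') ``, which produces the same result for the intended case and leaves other backticks alone. A comment naming which helper introduces the `` `" `` escape would also help, since the reason for this post-processing is not visible in the hunk.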
@@ -2032,7 +2041,7 @@ function Get-M365DSCFabricTenantSettingAsString { $StringContent += " tenantSettingGroup = '" + $setting.tenantSettingGroup + "'`r`n" } - $StringContent += " title = '" + $setting.title + "'`r`n" + $StringContent += " title = '" + $setting.title.Replace("'", "''") + "'`r`n" if (-not [System.String]::IsNullOrEmpty($setting.properties)) { $StringContent += " properties = @(" @@ -2040,7 +2049,7 @@ function Get-M365DSCFabricTenantSettingAsString { $StringContent += " MSFT_FabricTenantSettingProperty{`r`n" $StringContent += " name = '$($property.name)'`r`n" - $StringContent += " value = '$($property.value)'`r`n" + $StringContent += " value = '$($property.value.Replace("'", "''"))'`r`n" $StringContent += " type = '$($property.type)'`r`n" $StringContent += " }`r`n" } @@ -2049,20 +2058,11 @@ function Get-M365DSCFabricTenantSettingAsString if (-not [System.String]::IsNullOrEmpty($setting.excludedSecurityGroups)) { $excludedSecurityGroupsValue = $setting.excludedSecurityGroups -join "','" - if ($setting.excludedSecurityGroups.Length -gt 1) - { - $excludedSecurityGroupsValue = $excludedSecurityGroupsValue.Substring(0, $excludedSecurityGroupsValue.Length -3) - } $StringContent += " excludedSecurityGroups = @('" + $excludedSecurityGroupsValue + "')`r`n" } if (-not [System.String]::IsNullOrEmpty($setting.enabledSecurityGroups)) { $enabledSecurityGroupsValue = $setting.enabledSecurityGroups -join "','" - if ($setting.enabledSecurityGroups.Length -gt 1) - { - $enabledSecurityGroupsValue = $setting.enabledSecurityGroups -join "','" - $enabledSecurityGroupsValue = $enabledSecurityGroupsValue.Substring(0, $enabledSecurityGroupsValue.Length -3) - } $StringContent += " enabledSecurityGroups = @('" + $enabledSecurityGroupsValue + "')`r`n" } $StringContent += " }`r`n" 
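Review bot: `$property.value.Replace("'", "''")` in Get-M365DSCFabricTenantSettingAsString calls a method directly on the property value, so a property whose value is null (or not a string) now aborts the export with "You cannot call a method on a null-valued expression", where the previous interpolation simply emitted an empty literal. Coerce before escaping, `value = '$(([string]$property.value).Replace("'", "''"))'`, which keeps the escaping and tolerates null. Whether the Fabric API ever returns properties without a value is not visible in this hunk, so this is a defensive fix.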
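Review bot: The group names joined into `excludedSecurityGroups` and `enabledSecurityGroups` are written into single-quoted PowerShell literals without the `'` to `''` escaping this same commit adds for `title` and `value`, so a security group whose display name contains an apostrophe breaks out of the literal and yields an exported configuration that fails to parse or parses with different group membership than the tenant has. The exported file is executable PowerShell, so every tenant-sourced string needs the same treatment: `$excludedSecurityGroupsValue = ($setting.excludedSecurityGroups | ForEach-Object { $_.Replace("'", "''") }) -join "','"` and the same for `$enabledSecurityGroupsValue`. Removing the `Substring` trimming in this hunk is correct, since `-join` never adds a trailing separator.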
@@ -2088,7 +2088,7 @@ function Get-M365DSCFabricTenantSettingObject $values = @{ settingName = $Setting.settingName enabled = [Boolean]$Setting.enabled - title = $Setting.title.Replace("'", "''") + title = $Setting.title } if (-not [System.String]::IsNullOrEmpty($Setting.canSpecifySecurityGroups)) { @@ -2113,7 +2113,7 @@ function Get-M365DSCFabricTenantSettingObject { $curProperty = @{ name = $property.name - value = $property.value.Replace("'", "''") + value = $property.value type = $property.type } $propertiesValue += $curProperty From 42197206627a07a81831aa373adca8b2bc830b39 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Thu, 5 Sep 2024 10:53:12 +0000 Subject: [PATCH 20/47] Updated Resources and Cmdlet documentation pages --- .../exchange/FabricAdminTenantSettings.md | 264 ++++++++++++++++++ .../cmdlets/Export-M365DSCConfiguration.md | 2 +- 2 files changed, 265 insertions(+), 1 deletion(-) create mode 100644 docs/docs/resources/exchange/FabricAdminTenantSettings.md diff --git a/docs/docs/resources/exchange/FabricAdminTenantSettings.md b/docs/docs/resources/exchange/FabricAdminTenantSettings.md new file mode 100644 index 0000000000..01041f2bb0 --- /dev/null +++ b/docs/docs/resources/exchange/FabricAdminTenantSettings.md 
@@ -0,0 +1,264 @@ +# FabricAdminTenantSettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Specifies the resource is a single instance, the value must be 'Yes'. | `Yes` | +| **AADSSOForGateway** | Write | MSFT_FabricTenantSetting | Microsoft Entra single sign-on for data gateway | | +| **AdminApisIncludeDetailedMetadata** | Write | MSFT_FabricTenantSetting | Enhance admin APIs responses with detailed metadata | | +| **AdminApisIncludeExpressions** | Write | MSFT_FabricTenantSetting | Enhance admin APIs responses with DAX and mashup expressions | | +| **AdminCustomDisclaimer** | Write | MSFT_FabricTenantSetting | Show a custom message before publishing reports | | +| **AISkillArtifactTenantSwitch** | Write | MSFT_FabricTenantSetting | Users can create and share AI skill item types (preview) | | +| **AllowAccessOverPrivateLinks** | Write | MSFT_FabricTenantSetting | Azure Private Link | | +| **AllowCVAuthenticationTenant** | Write | MSFT_FabricTenantSetting | AppSource Custom Visuals SSO | | +| **AllowCVLocalStorageV2Tenant** | Write | MSFT_FabricTenantSetting | Allow access to the browser's local storage | | +| **AllowCVToExportDataToFileTenant** | Write | MSFT_FabricTenantSetting | Allow downloads from custom visuals | | +| **AllowEndorsementMasterDataSwitch** | Write | MSFT_FabricTenantSetting | Endorse master data (preview) | | +| **AllowExternalDataSharingReceiverSwitch** | Write | MSFT_FabricTenantSetting | Users can accept external data shares (preview) | | +| **AllowExternalDataSharingSwitch** | Write | MSFT_FabricTenantSetting | External data sharing (preview) | | +| **AllowFreeTrial** | Write | MSFT_FabricTenantSetting | Users can try Microsoft Fabric paid features | | +| **AllowGuestLookup** | Write | MSFT_FabricTenantSetting | Users can see guest users in lists of suggested people | | +| **AllowGuestUserToAccessSharedContent** | Write | 
MSFT_FabricTenantSetting | Guest users can access Microsoft Fabric | | +| **AllowPowerBIASDQOnTenant** | Write | MSFT_FabricTenantSetting | Allow DirectQuery connections to Power BI semantic models | | +| **AllowSendAOAIDataToOtherRegions** | Write | MSFT_FabricTenantSetting | Data sent to Azure OpenAI can be processed outside your capacity's geographic region, compliance boundary, or national cloud instance | | +| **AllowSendNLToDaxDataToOtherRegions** | Write | MSFT_FabricTenantSetting | Allow user data to leave their geography | | +| **AllowServicePrincipalsCreateAndUseProfiles** | Write | MSFT_FabricTenantSetting | Allow service principals to create and use profiles | | +| **AllowServicePrincipalsUseReadAdminAPIs** | Write | MSFT_FabricTenantSetting | Service principals can access read-only admin APIs | | +| **AppPush** | Write | MSFT_FabricTenantSetting | Push apps to end users | | +| **ArtifactSearchTenant** | Write | MSFT_FabricTenantSetting | Use global search for Power BI | | +| **ASCollectQueryTextTelemetryTenantSwitch** | Write | MSFT_FabricTenantSetting | Microsoft can store query text to aid in support investigations | | +| **ASShareableCloudConnectionBindingSecurityModeTenant** | Write | MSFT_FabricTenantSetting | Enable granular access control for all data connections | | +| **ASWritethruContinuousExportTenantSwitch** | Write | MSFT_FabricTenantSetting | Semantic models can export data to OneLake (preview) | | +| **ASWritethruTenantSwitch** | Write | MSFT_FabricTenantSetting | Users can store semantic model tables in OneLake (preview) | | +| **AutoInstallPowerBIAppInTeamsTenant** | Write | MSFT_FabricTenantSetting | Install Power BI app for Microsoft Teams automatically | | +| **AutomatedInsightsEntryPoints** | Write | MSFT_FabricTenantSetting | Show entry points for insights (preview) | | +| **AutomatedInsightsTenant** | Write | MSFT_FabricTenantSetting | Receive notifications for top insights (preview) | | +| **AzureMap** | Write | 
MSFT_FabricTenantSetting | Use Azure Maps visual | | +| **BingMap** | Write | MSFT_FabricTenantSetting | Map and filled map visuals | | +| **BlockAccessFromPublicNetworks** | Write | MSFT_FabricTenantSetting | Block Public Internet Access | | +| **BlockAutoDiscoverAndPackageRefresh** | Write | MSFT_FabricTenantSetting | Block republish and disable package refresh | | +| **BlockProtectedLabelSharingToEntireOrg** | Write | MSFT_FabricTenantSetting | Restrict content with protected labels from being shared via link with everyone in your organization | | +| **BlockResourceKeyAuthentication** | Write | MSFT_FabricTenantSetting | Block ResourceKey Authentication | | +| **CDSAManagement** | Write | MSFT_FabricTenantSetting | Create and use Gen1 dataflows | | +| **CertifiedCustomVisualsTenant** | Write | MSFT_FabricTenantSetting | Add and use certified visuals only (block uncertified) | | +| **CertifyDatasets** | Write | MSFT_FabricTenantSetting | Certification | | +| **ConfigureFolderRetentionPeriod** | Write | MSFT_FabricTenantSetting | Define workspace retention period | | +| **CreateAppWorkspaces** | Write | MSFT_FabricTenantSetting | Create workspaces | | +| **CustomVisualsTenant** | Write | MSFT_FabricTenantSetting | Allow visuals created using the Power BI SDK | | +| **DatamartTenant** | Write | MSFT_FabricTenantSetting | Create Datamarts (preview) | | +| **DatasetExecuteQueries** | Write | MSFT_FabricTenantSetting | Semantic Model Execute Queries REST API | | +| **DevelopServiceApps** | Write | MSFT_FabricTenantSetting | Publish template apps | | +| **DiscoverDatasetsConsumption** | Write | MSFT_FabricTenantSetting | Discover content | | +| **DiscoverDatasetsSettingsCertified** | Write | MSFT_FabricTenantSetting | Make certified content discoverable | | +| **DiscoverDatasetsSettingsPromoted** | Write | MSFT_FabricTenantSetting | Make promoted content discoverable | | +| **DremioSSO** | Write | MSFT_FabricTenantSetting | Dremio SSO | | +| 
**EimInformationProtectionDataSourceInheritanceSetting** | Write | MSFT_FabricTenantSetting | Apply sensitivity labels from data sources to their data in Power BI | | +| **EimInformationProtectionDownstreamInheritanceSetting** | Write | MSFT_FabricTenantSetting | Automatically apply sensitivity labels to downstream content | | +| **EimInformationProtectionEdit** | Write | MSFT_FabricTenantSetting | Allow users to apply sensitivity labels for content | | +| **EimInformationProtectionLessElevated** | Write | MSFT_FabricTenantSetting | Increase the number of users who can edit and republish encrypted PBIX files (preview) | | +| **EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting** | Write | MSFT_FabricTenantSetting | Allow workspace admins to override automatically applied sensitivity labels | | +| **ElevatedGuestsTenant** | Write | MSFT_FabricTenantSetting | Guest users can browse and access Fabric content | | +| **EmailSecurityGroupsOnOutage** | Write | MSFT_FabricTenantSetting | Receive email notifications for service outages or incidents | | +| **EmailSubscriptionsToB2BUsers** | Write | MSFT_FabricTenantSetting | Guest users can set up and subscribe to email subscriptions | | +| **EmailSubscriptionsToExternalUsers** | Write | MSFT_FabricTenantSetting | Users can send email subscriptions to guest users | | +| **EmailSubscriptionTenant** | Write | MSFT_FabricTenantSetting | Users can set up email subscriptions | | +| **Embedding** | Write | MSFT_FabricTenantSetting | Embed content in apps | | +| **EnableAOAI** | Write | MSFT_FabricTenantSetting | Users can use Copilot and other features powered by Azure OpenAI | | +| **EnableDatasetInPlaceSharing** | Write | MSFT_FabricTenantSetting | Allow specific users to turn on external data sharing | | +| **EnableExcelYellowIntegration** | Write | MSFT_FabricTenantSetting | Allow connections to featured tables | | +| **EnableFabricAirflow** | Write | MSFT_FabricTenantSetting | Users can create and use data 
workflows (preview) | | +| **EnableNLToDax** | Write | MSFT_FabricTenantSetting | Allow quick measure suggestions (preview) | | +| **EnableReassignDataDomainSwitch** | Write | MSFT_FabricTenantSetting | Allow tenant and domain admins to override workspace assignments (preview) | | +| **EsriVisual** | Write | MSFT_FabricTenantSetting | Use ArcGIS Maps for Power BI | | +| **ExpFlightingTenant** | Write | MSFT_FabricTenantSetting | Help Power BI optimize your experience | | +| **ExportReport** | Write | MSFT_FabricTenantSetting | Download reports | | +| **ExportToCsv** | Write | MSFT_FabricTenantSetting | Export to .csv | | +| **ExportToExcelSetting** | Write | MSFT_FabricTenantSetting | Export to Excel | | +| **ExportToImage** | Write | MSFT_FabricTenantSetting | Export reports as image files | | +| **ExportToMHTML** | Write | MSFT_FabricTenantSetting | Export reports as MHTML documents | | +| **ExportToPowerPoint** | Write | MSFT_FabricTenantSetting | Export reports as PowerPoint presentations or PDF documents | | +| **ExportToWord** | Write | MSFT_FabricTenantSetting | Export reports as Word documents | | +| **ExportToXML** | Write | MSFT_FabricTenantSetting | Export reports as XML documents | | +| **ExportVisualImageTenant** | Write | MSFT_FabricTenantSetting | Copy and paste visuals | | +| **ExternalDatasetSharingTenant** | Write | MSFT_FabricTenantSetting | Guest users can work with shared semantic models in their own tenants | | +| **ExternalSharingV2** | Write | MSFT_FabricTenantSetting | Users can invite guest users to collaborate through item sharing and permissions | | +| **FabricAddPartnerWorkload** | Write | MSFT_FabricTenantSetting | Capacity admins and contributors can add and remove additional workloads | | +| **FabricFeedbackTenantSwitch** | Write | MSFT_FabricTenantSetting | Product Feedback | | +| **FabricGAWorkloads** | Write | MSFT_FabricTenantSetting | Users can create Fabric items | | +| **FabricThirdPartyWorkloads** | Write | 
MSFT_FabricTenantSetting | Capacity admins can develop additional workloads | | +| **GitHubTenantSettings** | Write | MSFT_FabricTenantSetting | Users can sync workspace items with GitHub repositories | | +| **GitIntegrationCrossGeoTenantSwitch** | Write | MSFT_FabricTenantSetting | Users can export items to Git repositories in other geographical locations (preview) | | +| **GitIntegrationSensitivityLabelsTenantSwitch** | Write | MSFT_FabricTenantSetting | Users can export workspace items with applied sensitivity labels to Git repositories (preview) | | +| **GitIntegrationTenantSwitch** | Write | MSFT_FabricTenantSetting | Users can synchronize workspace items with their Git repositories (preview) | | +| **GoogleBigQuerySSO** | Write | MSFT_FabricTenantSetting | Google BigQuery SSO | | +| **GraphQLTenant** | Write | MSFT_FabricTenantSetting | API for GraphQL (preview) | | +| **HealthcareSolutionsTenantSwitch** | Write | MSFT_FabricTenantSetting | Healthcare data solutions (preview) | | +| **InstallNonvalidatedTemplateApps** | Write | MSFT_FabricTenantSetting | Install template apps not listed in AppSource | | +| **InstallServiceApps** | Write | MSFT_FabricTenantSetting | Install template apps | | +| **KustoDashboardTenantSwitch** | Write | MSFT_FabricTenantSetting | Users can create Real-Time Dashboards (preview) | | +| **LiveConnection** | Write | MSFT_FabricTenantSetting | Users can work with semantic models in Excel using a live connection | | +| **LogAnalyticsAttachForWorkspaceAdmins** | Write | MSFT_FabricTenantSetting | Azure Log Analytics connections for workspace administrators | | +| **M365DataSharing** | Write | MSFT_FabricTenantSetting | Users can see Microsoft Fabric metadata in Microsoft 365 | | +| **Mirroring** | Write | MSFT_FabricTenantSetting | Database Mirroring (preview) | | +| **ODSPRefreshEnforcementTenantAllowAutomaticUpdate** | Write | MSFT_FabricTenantSetting | Semantic model owners can choose to automatically update semantic models from 
files imported from OneDrive or SharePoint | |
+| **OneDriveSharePointAllowSharingTenantSetting** | Write | MSFT_FabricTenantSetting | Users can share links to Power BI files stored in OneDrive and SharePoint through Power BI Desktop (preview) | |
+| **OneDriveSharePointViewerIntegrationTenantSettingV2** | Write | MSFT_FabricTenantSetting | Users can view Power BI files saved in OneDrive and SharePoint (preview) | |
+| **OneLakeFileExplorer** | Write | MSFT_FabricTenantSetting | Users can sync data in OneLake with the OneLake File Explorer app | |
+| **OneLakeForThirdParty** | Write | MSFT_FabricTenantSetting | Users can access data stored in OneLake with apps external to Fabric | |
+| **OnPremAnalyzeInExcel** | Write | MSFT_FabricTenantSetting | Allow XMLA endpoints and Analyze in Excel with on-premises semantic models | |
+| **PowerBIGoalsTenant** | Write | MSFT_FabricTenantSetting | Create and use Metrics | |
+| **PowerPlatformSolutionsIntegrationTenant** | Write | MSFT_FabricTenantSetting | Power Platform Solutions Integration (preview) | |
+| **Printing** | Write | MSFT_FabricTenantSetting | Print dashboards and reports | |
+| **PromoteContent** | Write | MSFT_FabricTenantSetting | Featured content | |
+| **PublishContentPack** | Write | MSFT_FabricTenantSetting | Publish apps to the entire organization | |
+| **PublishToWeb** | Write | MSFT_FabricTenantSetting | Publish to web | |
+| **QnaFeedbackLoop** | Write | MSFT_FabricTenantSetting | Review questions | |
+| **QnaLsdlSharing** | Write | MSFT_FabricTenantSetting | Synonym sharing | |
+| **QueryScaleOutTenant** | Write | MSFT_FabricTenantSetting | Scale out queries for large semantic models | |
+| **RedshiftSSO** | Write | MSFT_FabricTenantSetting | Redshift SSO | |
+| **RestrictMyFolderCapacity** | Write | MSFT_FabricTenantSetting | Block users from reassigning personal workspaces (My Workspace) | |
+| **RetailSolutionsTenantSwitch** | Write | MSFT_FabricTenantSetting | Retail data solutions (preview) | |
+| **RScriptVisual** | Write | MSFT_FabricTenantSetting | Interact with and share R and Python visuals | |
+| **ServicePrincipalAccess** | Write | MSFT_FabricTenantSetting | Service principals can use Fabric APIs | |
+| **ShareLinkToEntireOrg** | Write | MSFT_FabricTenantSetting | Allow shareable links to grant access to everyone in your organization | |
+| **ShareToTeamsTenant** | Write | MSFT_FabricTenantSetting | Enable Microsoft Teams integration | |
+| **SnowflakeSSO** | Write | MSFT_FabricTenantSetting | Snowflake SSO | |
+| **StorytellingTenant** | Write | MSFT_FabricTenantSetting | Enable Power BI add-in for PowerPoint | |
+| **SustainabilitySolutionsTenantSwitch** | Write | MSFT_FabricTenantSetting | Sustainability solutions (preview) | |
+| **TemplatePublish** | Write | MSFT_FabricTenantSetting | Create template organizational apps | |
+| **TenantSettingPublishGetHelpInfo** | Write | MSFT_FabricTenantSetting | Publish Get Help information | |
+| **TridentPrivatePreview** | Write | MSFT_FabricTenantSetting | Data Activator (preview) | |
+| **UsageMetrics** | Write | MSFT_FabricTenantSetting | Usage metrics for content creators | |
+| **UsageMetricsTrackUserLevelInfo** | Write | MSFT_FabricTenantSetting | Per-user data in usage metrics for content creators | |
+| **UseDatasetsAcrossWorkspaces** | Write | MSFT_FabricTenantSetting | Use semantic models across workspaces | |
+| **VisualizeListInPowerBI** | Write | MSFT_FabricTenantSetting | Integration with SharePoint and Microsoft Lists | |
+| **WebContentTilesTenant** | Write | MSFT_FabricTenantSetting | Web content on dashboard tiles | |
+| **WebModelingTenantSwitch** | Write | MSFT_FabricTenantSetting | Users can edit data models in the Power BI service (preview) | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_FabricDelegatedFrom
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Capacity** | Write | String | The setting is delegated from a capacity. | |
+| **Domain** | Write | String | The setting is delegated from a domain. | |
+| **Tenant** | Write | String | The setting is delegated from a tenant. | |
+
+### MSFT_FabricTenantSettingProperty
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **name** | Write | String | The name of the property. | |
+| **type** | Write | String | The type of the property. | |
+| **value** | Write | String | The value of the property. | |
+
+### MSFT_FabricTenantSetting
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **canSpecifySecurityGroups** | Write | Boolean | Indicates if the tenant setting is enabled for a security group. 0 - The tenant setting is enabled for the entire organization. | |
+| **delegateToWorkspace** | Write | Boolean | Indicates whether the tenant setting can be delegated to a workspace admin. False - Workspace admin cannot override the tenant setting. | |
+| **delegatedFrom** | Write | MSFT_FabricDelegatedFrom | Tenant setting delegated from tenant, capacity or domain. | |
+| **settingName** | Write | String | The name of the tenant setting. | |
+| **enabled** | Write | Boolean | The status of the tenant setting. | |
+| **tenantSettingGroup** | Write | String | Tenant setting group name. | |
+| **title** | Write | String | The title of the tenant setting. | |
+| **properties** | Write | MSFT_FabricTenantSettingProperty[] | Tenant setting properties. | |
+| **excludedSecurityGroups** | Write | StringArray[] | A list of excluded security groups. | |
+| **enabledSecurityGroups** | Write | StringArray[] | A list of enabled security groups. | |
+
+
+## Description
+
+This resource configures the tenant settings for Microsoft Fabric.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ FabricAdminTenantSettings "FabricAdminTenantSettings"
+ {
+ IsSingleInstance = 'Yes'
+ AADSSOForGateway = MSFT_FabricTenantSetting {
+ settingName = 'AADSSOForGateway'
+ canSpecifySecurityGroups = $False
+ enabled = $True
+ tenantSettingGroup = 'Integration settings'
+ title = 'Microsoft Entra single sign-on for data gateway'
+ };
+ AdminApisIncludeDetailedMetadata = MSFT_FabricTenantSetting {
+ settingName = 'AdminApisIncludeDetailedMetadata'
+ canSpecifySecurityGroups = $True
+ enabled = $True
+ tenantSettingGroup = 'Admin API settings'
+ title = 'Enhance admin APIs responses with detailed metadata'
+ excludedSecurityGroups = @('MyExcludedGroup')
+ enabledSecurityGroups = @('Group1','Group2')
+ };
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/user-guide/cmdlets/Export-M365DSCConfiguration.md b/docs/docs/user-guide/cmdlets/Export-M365DSCConfiguration.md
index d9129c936a..2bef8f6002 100644
--- a/docs/docs/user-guide/cmdlets/Export-M365DSCConfiguration.md
+++ b/docs/docs/user-guide/cmdlets/Export-M365DSCConfiguration.md
@@ -17,7 +17,7 @@ This function does not generate any output.
 | FileName | False | String | | | Specifies the name of the file in which the exported DSC configuration should be stored. |
 | ConfigurationName | False | String | | | Specifies the name of the configuration that will be generated. |
 | Components | False | String[] | | | Specifies the components for which an export should be created. |
-| Workloads | False | String[] | | AAD, SPO, EXO, INTUNE, SC, OD, O365, PLANNER, PP, TEAMS | Specifies the workload for which an export should be created for all resources. |
+| Workloads | False | String[] | | AAD, FABRIC, SPO, EXO, INTUNE, SC, OD, O365, PLANNER, PP, TEAMS | Specifies the workload for which an export should be created for all resources. |
 | Mode | False | String | Default | Lite, Default, Full | Specifies the mode of the export: Lite, Default or Full. |
 | MaxProcesses | False | Object | | | Specifies the maximum number of processes that should run simultanious. |
 | GenerateInfo | False | Boolean | | | Specifies if each exported resource should get a link to the Wiki article of the resource. |
From fa8ea8a372884a8b901422ee452dc4500fb7b47d Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Thu, 5 Sep 2024 10:55:34 +0000 Subject: [PATCH 21/47] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 780 ++++++++++++++++++ 1 file changed, 780 insertions(+)
diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json
index 5b60cd625d..4c7d37b508 100644
--- a/Modules/Microsoft365DSC/SchemaDefinition.json
+++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -15389,6 +15389,786 @@ } ] }, + { + "ClassName": "MSFT_FabricDelegatedFrom", + "Parameters": [ + { + "CIMType": "String", + "Name": "Capacity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Domain", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Tenant", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_FabricTenantSettingProperty", + "Parameters": [ + { + "CIMType": "String", + "Name": "name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_FabricTenantSetting", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "canSpecifySecurityGroups", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "delegateToWorkspace", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricDelegatedFrom", + "Name": "delegatedFrom", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "settingName", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "enabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "tenantSettingGroup", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "title", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSettingProperty[]", + "Name": "properties", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "excludedSecurityGroups", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "enabledSecurityGroups", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_FabricAdminTenantSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AADSSOForGateway", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AdminApisIncludeDetailedMetadata", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": 
"AdminApisIncludeExpressions", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AdminCustomDisclaimer", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AISkillArtifactTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowAccessOverPrivateLinks", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowCVAuthenticationTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowCVLocalStorageV2Tenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowCVToExportDataToFileTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowEndorsementMasterDataSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowExternalDataSharingReceiverSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowExternalDataSharingSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowFreeTrial", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowGuestLookup", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowGuestUserToAccessSharedContent", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowPowerBIASDQOnTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowSendAOAIDataToOtherRegions", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowSendNLToDaxDataToOtherRegions", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowServicePrincipalsCreateAndUseProfiles", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AllowServicePrincipalsUseReadAdminAPIs", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_FabricTenantSetting", + "Name": "AppPush", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ArtifactSearchTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ASCollectQueryTextTelemetryTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ASShareableCloudConnectionBindingSecurityModeTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ASWritethruContinuousExportTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ASWritethruTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AutoInstallPowerBIAppInTeamsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AutomatedInsightsEntryPoints", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AutomatedInsightsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "AzureMap", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BingMap", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BlockAccessFromPublicNetworks", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BlockAutoDiscoverAndPackageRefresh", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BlockProtectedLabelSharingToEntireOrg", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "BlockResourceKeyAuthentication", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CDSAManagement", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CertifiedCustomVisualsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CertifyDatasets", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_FabricTenantSetting", + "Name": "ConfigureFolderRetentionPeriod", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CreateAppWorkspaces", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "CustomVisualsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DatamartTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DatasetExecuteQueries", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DevelopServiceApps", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DiscoverDatasetsConsumption", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DiscoverDatasetsSettingsCertified", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DiscoverDatasetsSettingsPromoted", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "DremioSSO", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionDataSourceInheritanceSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionDownstreamInheritanceSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionEdit", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionLessElevated", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EimInformationProtectionWorkspaceAdminsOverrideAutomaticLabelsSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ElevatedGuestsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EmailSecurityGroupsOnOutage", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": 
"EmailSubscriptionsToB2BUsers", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EmailSubscriptionsToExternalUsers", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EmailSubscriptionTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "Embedding", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableAOAI", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableDatasetInPlaceSharing", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableExcelYellowIntegration", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableFabricAirflow", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableNLToDax", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EnableReassignDataDomainSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "EsriVisual", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExpFlightingTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportReport", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToCsv", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToExcelSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToImage", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToMHTML", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToPowerPoint", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToWord", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExportToXML", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_FabricTenantSetting", + "Name": "ExportVisualImageTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExternalDatasetSharingTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ExternalSharingV2", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "FabricAddPartnerWorkload", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "FabricFeedbackTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "FabricGAWorkloads", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "FabricThirdPartyWorkloads", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GitHubTenantSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GitIntegrationCrossGeoTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GitIntegrationSensitivityLabelsTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GitIntegrationTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GoogleBigQuerySSO", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "GraphQLTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "HealthcareSolutionsTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "InstallNonvalidatedTemplateApps", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "InstallServiceApps", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "KustoDashboardTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "LiveConnection", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": 
"LogAnalyticsAttachForWorkspaceAdmins", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "M365DataSharing", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "Mirroring", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ODSPRefreshEnforcementTenantAllowAutomaticUpdate", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OneDriveSharePointAllowSharingTenantSetting", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OneDriveSharePointViewerIntegrationTenantSettingV2", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OneLakeFileExplorer", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OneLakeForThirdParty", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "OnPremAnalyzeInExcel", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PowerBIGoalsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PowerPlatformSolutionsIntegrationTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "Printing", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PromoteContent", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PublishContentPack", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "PublishToWeb", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "QnaFeedbackLoop", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "QnaLsdlSharing", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "QueryScaleOutTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "RedshiftSSO", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_FabricTenantSetting", + "Name": "RestrictMyFolderCapacity", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "RetailSolutionsTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "RScriptVisual", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ServicePrincipalAccess", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ShareLinkToEntireOrg", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "ShareToTeamsTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "SnowflakeSSO", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "StorytellingTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "SustainabilitySolutionsTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "TemplatePublish", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "TenantSettingPublishGetHelpInfo", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "TridentPrivatePreview", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "UsageMetrics", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "UsageMetricsTrackUserLevelInfo", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "UseDatasetsAcrossWorkspaces", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "VisualizeListInPowerBI", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "WebContentTilesTenant", + "Option": "Write" + }, + { + "CIMType": "MSFT_FabricTenantSetting", + "Name": "WebModelingTenantSwitch", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments", "Parameters": [ From a36970eece2d558bccb474a859132d9cd3e2b1dc Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Thu, 5 Sep 2024 14:55:59 +0000 Subject: [PATCH 22/47] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/exchange/EXOOwaMailboxPolicy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/resources/exchange/EXOOwaMailboxPolicy.md b/docs/docs/resources/exchange/EXOOwaMailboxPolicy.md index b5b36683c3..2804f2d078 100644 --- a/docs/docs/resources/exchange/EXOOwaMailboxPolicy.md +++ b/docs/docs/resources/exchange/EXOOwaMailboxPolicy.md @@ -5,6 +5,7 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | | **Name** | Key | String | The Name parameter specifies the unique name for the policy. The maximum length is 64 characters. | | +| **AccountTransferEnabled** | Write | Boolean | The AccountTransferEnabled parameter specifies whether to enable or disable QR code sign-in. By default, QR code sign-in is enabled. | | | **ActionForUnknownFileAndMIMETypes** | Write | String | The ActionForUnknownFileAndMIMETypes parameter specifies how to handle file types that aren't specified in the Allow, Block, and Force Save lists for file types and MIME types | `Allow`, `ForceSave`, `Block` | | **ActiveSyncIntegrationEnabled** | Write | Boolean | The ActiveSyncIntegrationEnabled parameter specifies whether to enable or disable Exchange ActiveSync settings in Outlook on the web. | | | **AdditionalAccountsEnabled** | Write | Boolean | No description available. | | 
From a2a12bc4a57f989ce1306d1720b44973391f0c3a Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Thu, 5 Sep 2024 14:58:54 +0000 Subject: [PATCH 23/47] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 4c7d37b508..1ed0315464 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -12032,6 +12032,11 @@ "Name": "Name", "Option": "Key" }, + { + "CIMType": "Boolean", + "Name": "AccountTransferEnabled", + "Option": "Write" + }, { "CIMType": "String", "Name": "ActionForUnknownFileAndMIMETypes", From fa5fce7c0a84eb530f482500dba39268cf089240 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Thu, 5 Sep 2024 15:07:45 +0000 Subject: [PATCH 24/47] Updated Resources and Cmdlet documentation pages --- .../IntuneDeviceControlPolicyWindows10.md | 293 ++++++++++++++++++ 1 file changed, 293 insertions(+) create mode 100644 docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md diff --git a/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md new file mode 100644 index 0000000000..39762924d8 --- /dev/null +++ b/docs/docs/resources/intune/IntuneDeviceControlPolicyWindows10.md 
@@ -0,0 +1,293 @@ +# IntuneDeviceControlPolicyWindows10 + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **PolicyRule** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule[] | The list of policy rules to apply. | | +| **DeviceInstall_Allow_Deny_Layered** | Write | String | Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_IDs_Allow** | Write | String | Allow installation of devices that match any of these device IDs (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_IDs_Allow_List** | Write | StringArray[] | Allowed device IDs | | +| **DeviceInstall_Instance_IDs_Allow** | Write | String | Allow installation of devices that match any of these device instance IDs (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_Instance_IDs_Allow_List** | Write | StringArray[] | Allowed Instance IDs | | +| **DeviceInstall_Classes_Allow** | Write | String | Allow installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_Classes_Allow_List** | Write | StringArray[] | Allowed classes | | +| **DeviceInstall_Unspecified_Deny** | Write | String | Prevent installation of devices not described by other policy settings (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_IDs_Deny** | Write | String | Prevent installation of devices that match any of these device IDs (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_IDs_Deny_List** | Write | StringArray[] | Prevented device IDs | | +| 
**DeviceInstall_IDs_Deny_Retroactive** | Write | String | Also apply to matching devices that are already installed. (0: False, 1: True) | `0`, `1` | +| **DeviceInstall_Instance_IDs_Deny** | Write | String | Prevent installation of devices that match any of these device instance IDs (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_Instance_IDs_Deny_Retroactive** | Write | String | Also apply to matching devices that are already installed. (Device) (0: False, 1: True) | `0`, `1` | +| **DeviceInstall_Instance_IDs_Deny_List** | Write | StringArray[] | Prevented Instance IDs | | +| **DeviceInstall_Classes_Deny** | Write | String | Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled) | `0`, `1` | +| **DeviceInstall_Classes_Deny_List** | Write | StringArray[] | Prevented Classes | | +| **DeviceInstall_Classes_Deny_Retroactive** | Write | String | Also apply to matching devices that are already installed. (0: False, 1: True) | `0`, `1` | +| **DeviceInstall_Removable_Deny** | Write | String | Prevent installation of removable devices (0: Disabled, 1: Enabled) | `0`, `1` | +| **WPDDevices_DenyRead_Access_2** | Write | String | WPD Devices: Deny read access (0: Disabled, 1: Enabled) | `0`, `1` | +| **WPDDevices_DenyRead_Access_1** | Write | String | WPD Devices: Deny read access (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **WPDDevices_DenyWrite_Access_2** | Write | String | WPD Devices: Deny write access (0: Disabled, 1: Enabled) | `0`, `1` | +| **WPDDevices_DenyWrite_Access_1** | Write | String | WPD Devices: Deny write access (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **AllowFullScanRemovableDriveScanning** | Write | String | Allow Full Scan Removable Drive Scanning (0: Not allowed. Turns off scanning on removable drives., 1: Allowed. Scans removable drives.) | `0`, `1` | +| **AllowDirectMemoryAccess** | Write | String | Allow Direct Memory Access (0: Not allowed., 1: Allowed.) 
| `0`, `1` | +| **DeviceEnumerationPolicy** | Write | String | Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive)) | `0`, `1`, `2` | +| **RemovableDiskDenyWriteAccess** | Write | String | Removable Disk Deny Write Access (0: Disabled., 1: Enabled.) | `0`, `1` | +| **AllowUSBConnection** | Write | String | Allow USB Connection (0: Not allowed., 1: Allowed.) | `0`, `1` | +| **AllowBluetooth** | Write | String | Allow Bluetooth (0: Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on., 1: Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on., 2: Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on.) | `0`, `1`, `2` | +| **AllowAdvertising** | Write | String | Allow Advertising (0: Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral., 1: Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral.) | `0`, `1` | +| **AllowDiscoverableMode** | Write | String | Allow Discoverable Mode (0: Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device., 1: Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. 
Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it.) | `0`, `1` | +| **AllowPrepairing** | Write | String | Allow Prepairing (0: Not allowed., 1: Allowed.) | `0`, `1` | +| **AllowPromptedProximalConnections** | Write | String | Allow Prompted Proximal Connections (0: Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios, 1: Allow. Allow users on these managed devices to use Swift Pair and other proximity based scenarios) | `0`, `1` | +| **ServicesAllowedList** | Write | StringArray[] | Services Allowed List | | +| **AllowStorageCard** | Write | String | Allow Storage Card (0: SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card., 1: Allow a storage card.) | `0`, `1` | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. 
| | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Entry** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry[] | Entry | | +| **Name** | Write | String | Name | | +| **ExcludedIdList_GroupId** | Write | StringArray[] | Excluded ID | | +| **IncludedIdList_GroupId** | Write | StringArray[] | Included ID | | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Type** | Write | String | Type (allow: Allow, deny: Deny, auditallowed: AuditAllowed, auditdenied: AuditDenied) | `allow`, `deny`, `auditallowed`, `auditdenied` | +| **Options** | Write | String | Options (0: None, 1: ShowNotification, 2: SendEvent, 3: SendNotificationAndEvent, 4: Disable) | `0`, `1`, `2`, `3`, `4` | +| **Sid** | Write | String | Sid | | +| **AccessMask** | Write | SInt32Array[] | Access mask (1: WDD_READ_ACCESS, 2: WDD_WRITE_ACCESS, 4: WDD_EXECUTE_ACCESS, 8: WDD_FS_READ_ACCESS, 16: WDD_FS_WRITE_ACCESS, 32: WDD_FS_EXECUTE_ACCESS, 64: WDD_PRINT_ACCESS) | `1`, `2`, `4`, `8`, `16`, `32`, `64` | +| **ComputerSid** | Write | String | Computer Sid | | + + +## Description + +Intune Device Control Policy for Windows10 + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example 
creates a new Device Control Policy. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceControlPolicyWindows10 'ConfigureDeviceControlPolicy' + { + AllowStorageCard = "1"; + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + Description = 'Description' + DisplayName = "Device Control"; + DeviceInstall_IDs_Allow = "1"; + DeviceInstall_IDs_Allow_List = @("1234"); + PolicyRule = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule{ + Name = 'asdf' + Entry = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry{ + AccessMask = @( + '1' + '2' + ) + Sid = '1234' + ComputerSid = '1234' + Type = 'allow' + Options = '4' + } + ) + } + ); + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example updates a Device Control Policy. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceControlPolicyWindows10 'ConfigureDeviceControlPolicy' + { + AllowStorageCard = "1"; + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + Description = 'Description' + DisplayName = "Device Control"; + DeviceInstall_IDs_Allow = "1"; + DeviceInstall_IDs_Allow_List = @("1234"); + PolicyRule = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule{ + Name = 'asdf' + Entry = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry{ + AccessMask = @( + '1' + '2' + ) + Sid = '1234' + ComputerSid = '1234' + Type = 'deny' # Updated property + Options = '4' + } + ) + } + ); + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example removes a Device Control Policy. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceControlPolicyWindows10 'ConfigureDeviceControlPolicy' + { + Id = '00000000-0000-0000-0000-000000000000' + DisplayName = 'Device Control' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + 
From 4a78048ee6bca292537cface74142ea01b1bab6d Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Thu, 5 Sep 2024 15:10:13 +0000 Subject: [PATCH 25/47] Updated {Create} Intune Integration Tests --- ...M365DSCIntegration.INTUNE.Create.Tests.ps1 | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index 375dd122e6..09a05d0878 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 @@ -2054,6 +2054,44 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneDeviceControlPolicyWindows10 'ConfigureDeviceControlPolicy' + { + AllowStorageCard = "1"; + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + Description = 'Description' + DisplayName = "Device Control"; + DeviceInstall_IDs_Allow = "1"; + DeviceInstall_IDs_Allow_List = @("1234"); + PolicyRule = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule{ + Name = 'asdf' + Entry = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry{ + AccessMask = @( + '1' + '2' + ) + Sid = '1234' + ComputerSid = '1234' + Type = 'allow' + Options = '4' + } + ) + } + ); + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneDeviceEnrollmentLimitRestriction 'DeviceEnrollmentLimitRestriction' { DisplayName = 'My DSC Limit' From e0f2cbf773e2158f14a232a3c9079a093944d8ba Mon Sep 17 00:00:00 2001 
From: NikCharlebois Date: Thu, 5 Sep 2024 15:10:32 +0000 Subject: [PATCH 26/47] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 300 ++++++++++++++++++ 1 file changed, 300 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 1ed0315464..ff560fdb1f 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -29974,6 +29974,306 @@ } ] }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule", + "Parameters": [ + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry[]", + "Name": "Entry", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExcludedIdList_GroupId", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "IncludedIdList_GroupId", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRuleEntry", + "Parameters": [ + { + "CIMType": "String", + "Name": "Type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Options", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Sid", + "Option": "Write" + }, + { + "CIMType": "SInt32[]", + "Name": "AccessMask", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ComputerSid", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceControlPolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogPolicyRule[]", + "Name": "PolicyRule", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Allow_Deny_Layered", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_IDs_Allow", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_IDs_Allow_List", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Instance_IDs_Allow", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Instance_IDs_Allow_List", + "Option": "Write" + }, + { + "CIMType": "String", + 
"Name": "DeviceInstall_Classes_Allow", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Classes_Allow_List", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Unspecified_Deny", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_IDs_Deny", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_IDs_Deny_List", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_IDs_Deny_Retroactive", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Instance_IDs_Deny", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Instance_IDs_Deny_Retroactive", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Instance_IDs_Deny_List", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Classes_Deny", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "DeviceInstall_Classes_Deny_List", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Classes_Deny_Retroactive", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceInstall_Removable_Deny", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WPDDevices_DenyRead_Access_2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WPDDevices_DenyRead_Access_1", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WPDDevices_DenyWrite_Access_2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WPDDevices_DenyWrite_Access_1", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowFullScanRemovableDriveScanning", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowDirectMemoryAccess", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceEnumerationPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RemovableDiskDenyWriteAccess", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "AllowUSBConnection", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowBluetooth", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowAdvertising", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowDiscoverableMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowPrepairing", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowPromptedProximalConnections", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ServicesAllowedList", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowStorageCard", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_IntuneDeviceEnrollmentLimitRestriction", "Parameters": [ From 76490b998b04ebfd1493957423610252cc39058a Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Thu, 5 Sep 2024 11:15:44 -0400 Subject: [PATCH 27/47] Release 1.24.904.1 --- CHANGELOG.md | 2 +- Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 86 ++++---------------- 2 files changed, 17 insertions(+), 71 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90a1121bd1..2c2ad6918c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,6 @@ # Change log for Microsoft365DSC -# UNRELEASED +# 1.24.904.1 * EXOOwaMailboxPolicy * Add support for AccountTransferEnabled parameter diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index cd94876636..829a2cef89 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 2024-08-28 +# Generated on: 2024-09-05 @{ @@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.24.828.1' + ModuleVersion = '1.24.904.1' # Supported PSEditions # CompatiblePSEditions = @() 
@@ -143,76 +143,22 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* AADAdministrativeUnit - * Fix Properties for Dynamic Administrative Units in Graph have moved -* AADConditionalAccessPolicy - * Fixing issue where the resource crashed when trying to retrieve groups - and users from Entra ID which no longer existed - * Fixes an issue where the `AuthenticationFlows` property changed in Graph - and updates on the documentation for the possible values of `TransferMethods`. - FIXES [#4961](https://github.com/microsoft/Microsoft365DSC/issues/4961) - FIXES [#4960](https://github.com/microsoft/Microsoft365DSC/issues/4960) - FIXES [#4734](https://github.com/microsoft/Microsoft365DSC/issues/4734) - FIXES [#4725](https://github.com/microsoft/Microsoft365DSC/issues/4725) -* AADGroup - * FIXES [#4994](https://github.com/microsoft/Microsoft365DSC/issues/4994) -* EXOAuthenticationPolicyAssignment - * Removes the 1000 user limit when exporting authentication policy assignments - FIXES [#4956](https://github.com/microsoft/Microsoft365DSC/issues/4956) -* EXOHostedContentFilterRule - * Dont check if associated `EXOHostedContentFilterPolicy` is present - while removing resource since its not required - * EXORoleGroup - * Fix an issue where roles that have empty members cannot be compared - FIXES [#4977] (https://github.com/microsoft/Microsoft365DSC/issues/4977) -* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy - * Fixed issue if `PasswordComplexity` was set to 5 by allowing that value - FIXES [#4963](https://github.com/microsoft/Microsoft365DSC/issues/4963) -* IntuneDeviceCompliancePolicyWindows10 - * Fix extraction of property `TpmRequired` -* IntuneDeviceConfigurationCustomPolicyWindows10 - * Change app and delegated permissions for reading to - DeviceManagementConfiguration.ReadWrite.All to cope with - getOmaSettingPlainTextValue 
which is only working if RW is granted - FIXES [#4412](https://github.com/microsoft/Microsoft365DSC/issues/4412) -* IntuneDeviceRemediation - * Add export of global remediation scripts. -* O365OrgSettings - * FIXES [#4741](https://github.com/microsoft/Microsoft365DSC/issues/4741) -* SCAutoSensitivityLabelPolicy - * Fixes issue where Mode=Enabled is not supported for SP and OD. Changing - property to TestWithoutNotifications in those instances. - FIXES [#4990](https://github.com/microsoft/Microsoft365DSC/issues/4990) -* SCAutoSensitivityLabelRule - * Fixes issue where the export was looping through all possible workloads - instead of the actually targeted workload - FIXES [#4989](https://github.com/microsoft/Microsoft365DSC/issues/4989) -* SCSensitivityLabel - * Corrected issue where ExternalAccess properties were configured inverted - FIXES [#3782](https://github.com/microsoft/Microsoft365DSC/issues/3782) + ReleaseNotes = '* EXOOwaMailboxPolicy + * Add support for AccountTransferEnabled parameter +* EXOSweepRule + * Initial Release. +* FabricAdminTenantSettings + * Initial Release. +* IntuneDeviceControlPolicyWindows10 + * Initial Release * M365DSCDRGUtil - * Update Intune Settings Catalog Handling. - * Fixes an issue where the `MSFT_IntuneDeviceRemediationPolicyAssignments` - type would trigger an incorrect comparison in `Compare-M365DSCComplexObject`. -* M365DSCResourceGenerator - * Update Intune resource generation for the Settings Catalog. -* M365DSCUtil - * Fix `Compare-PSCustomObjectArrays` by allowing empty arrays as input - FIXES [#4952](https://github.com/microsoft/Microsoft365DSC/issues/4952) -* O365OrgSettings - * FIXES [#4741](https://github.com/microsoft/Microsoft365DSC/issues/4741) -* MISC - * Improve module updates and PowerShell Core support across the DSC - resources. - FIXES [#4941](https://github.com/microsoft/Microsoft365DSC/issues/4941) - * Replace some `Write-Host` occurrences in core engine with - appropriate alternatives. 
- FIXES [#4943](https://github.com/microsoft/Microsoft365DSC/issues/4943) - * Fixed a typo within M365DSCReport.psm1 related to a .png file - FIXES [#4983](https://github.com/microsoft/Microsoft365DSC/pull/4983) + * Fixes an issue where a Intune settings catalog DSC param was not handled + correctly when it was not specified. + FIXES [#5000](https://github.com/microsoft/Microsoft365DSC/issues/5000) + * Fixes an issue where the exported nested CIM instances had too many line breaks. + * Fixes an issue where Settings Catalog properties were not correctly handled. * DEPENDENCIES - * Updated MicrosoftTeams to version 6.5.0. - * Updated MSCloudLoginAssistant to version 1.1.19.' + * Updated MSCloudLoginAssistant to version 1.1.20.' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false From f39e646b41a9817c7dd627b25934358665229ff1 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 6 Sep 2024 11:31:17 -0400 Subject: [PATCH 28/47] SPOAccessControlSettings added property EnableRestrictedAccessControl --- .../MSFT_SPOAccessControlSettings.psm1 | 59 ++++++++++++------- .../MSFT_SPOAccessControlSettings.schema.mof | 1 + .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 2 +- 3 files changed, 39 insertions(+), 23 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 index ea35a596ee..1a29f5f30b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 
@@ -45,6 +45,10 @@ function Get-TargetResource
 [System.UInt32]
 $EmailAttestationReAuthDays,
 
+ [Parameter()]
+ [System.Boolean]
+ $EnableRestrictedAccessControl,
+
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
 [System.String]
@@ -117,27 +121,28 @@ function Get-TargetResource
 $SPOAccessControlSettings = Get-PnPTenant -ErrorAction Stop
 
 return @{
- IsSingleInstance = 'Yes'
- DisplayStartASiteOption = $SPOAccessControlSettings.DisplayStartASiteOption
- StartASiteFormUrl = $SPOAccessControlSettings.StartASiteFormUrl
- IPAddressEnforcement = $SPOAccessControlSettings.IPAddressEnforcement
- IPAddressAllowList = $SPOAccessControlSettings.IPAddressAllowList
- IPAddressWACTokenLifetime = $SPOAccessControlSettings.IPAddressWACTokenLifetime
- DisallowInfectedFileDownload = $SPOAccessControlSettings.DisallowInfectedFileDownload
- ExternalServicesEnabled = $SPOAccessControlSettings.ExternalServicesEnabled
- EmailAttestationRequired = $SPOAccessControlSettings.EmailAttestationRequired
- EmailAttestationReAuthDays = $SPOAccessControlSettings.EmailAttestationReAuthDays
- Credential = $Credential
- ApplicationId = $ApplicationId
- TenantId = $TenantId
- ApplicationSecret = $ApplicationSecret
- CertificatePassword = $CertificatePassword
- CertificatePath = $CertificatePath
- CertificateThumbprint = $CertificateThumbprint
- Managedidentity = $ManagedIdentity.IsPresent
- Ensure = 'Present'
- ConditionalAccessPolicy = $SPOAccessControlSettings.ConditionalAccessPolicy
- AccessTokens = $AccessTokens
+ IsSingleInstance = 'Yes'
+ DisplayStartASiteOption = $SPOAccessControlSettings.DisplayStartASiteOption
+ StartASiteFormUrl = $SPOAccessControlSettings.StartASiteFormUrl
+ IPAddressEnforcement = $SPOAccessControlSettings.IPAddressEnforcement
+ IPAddressAllowList = $SPOAccessControlSettings.IPAddressAllowList
+ IPAddressWACTokenLifetime = $SPOAccessControlSettings.IPAddressWACTokenLifetime
+ DisallowInfectedFileDownload = $SPOAccessControlSettings.DisallowInfectedFileDownload
+ ExternalServicesEnabled = $SPOAccessControlSettings.ExternalServicesEnabled
+ EmailAttestationRequired = $SPOAccessControlSettings.EmailAttestationRequired
+ EmailAttestationReAuthDays = $SPOAccessControlSettings.EmailAttestationReAuthDays
+ EnableRestrictedAccessControl = $SPOAccessControlSettings.RestrictedAccessControl
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificatePassword = $CertificatePassword
+ CertificatePath = $CertificatePath
+ CertificateThumbprint = $CertificateThumbprint
+ Managedidentity = $ManagedIdentity.IsPresent
+ Ensure = 'Present'
+ ConditionalAccessPolicy = $SPOAccessControlSettings.ConditionalAccessPolicy
+ AccessTokens = $AccessTokens
 }
 }
 catch
@@ -203,6 +208,10 @@ function Set-TargetResource
 [System.UInt32]
 $EmailAttestationReAuthDays,
 
+ [Parameter()]
+ [System.Boolean]
+ $EnableRestrictedAccessControl,
+
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
 [System.String]
@@ -286,6 +295,7 @@ function Set-TargetResource
 $CurrentParameters.Remove('IPAddressEnforcement')
 $CurrentParameters.Remove('IPAddressAllowList')
 }
+
 $tenant = Set-PnPTenant @CurrentParameters
 }
 
@@ -336,6 +346,10 @@ function Test-TargetResource
 [System.UInt32]
 $EmailAttestationReAuthDays,
 
+ [Parameter()]
+ [System.Boolean]
+ $EnableRestrictedAccessControl,
+
 [Parameter()]
 [ValidateSet('Present', 'Absent')]
 [System.String]
@@ -414,7 +428,8 @@ function Test-TargetResource
 'ExternalServicesEnabled', `
 'EmailAttestationRequired', `
 'EmailAttestationReAuthDays',
- 'ConditionalAccessPolicy')
+ 'ConditionalAccessPolicy', `
+ 'EnableRestrictedAccessControl')
 
 Write-Verbose -Message "Test-TargetResource returned $TestResult"
 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.schema.mof
index c3ca2476c9..f999384424 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.schema.mof
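Review bot: The new hashtable entry reads `$SPOAccessControlSettings.RestrictedAccessControl`, while the DSC parameter, the schema.mof property and the `Set-PnPTenant -EnableRestrictedAccessControl` switch used later in this series are all named `EnableRestrictedAccessControl`; if the object returned by `Get-PnPTenant` exposes the setting under that latter name, this reads `$null`, Test-TargetResource then compares `$null` against the desired boolean and reports drift on every run. Worth confirming the property name against the cmdlet's output and, if it is the prefixed form, changing the line to `EnableRestrictedAccessControl = $SPOAccessControlSettings.EnableRestrictedAccessControl`. Re-aligning all 21 existing hashtable lines for one insertion also turns a one-line change into a 43-line hunk; matching the existing column or leaving the alignment alone keeps blame and history readable. Get-TargetResource's signature and the rest of its body lie outside the hunk.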
@@ -11,6 +11,7 @@ class MSFT_SPOAccessControlSettings : OMI_BaseResource [Write, Description("Enables external services for a tenant. External services are defined as services that are not in the Office 365 datacenters.")] boolean ExternalServicesEnabled; [Write, Description("Sets email attestation to required")] boolean EmailAttestationRequired; [Write, Description("Sets email attestation re-auth days")] uint32 EmailAttestationReAuthDays; + [Write, Description("Enables or disables the restricted access control.")] boolean EnableRestrictedAccessControl; [Write, Description("Only value accepted is 'Present'"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the account to authenticate with."), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 5dec239d62..97782f27e6 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -1710,7 +1710,7 @@ function New-M365DSCConnection [Parameter(Mandatory = $true)] [ValidateSet('AzureDevOPS', 'ExchangeOnline', 'Fabric', 'Intune', ` 'SecurityComplianceCenter', 'PnP', 'PowerPlatforms', ` - 'MicrosoftTeams', 'MicrosoftGraph', 'Tasks')] + 'MicrosoftTeams', 'MicrosoftGraph', 'SharePointOnlineREST', 'Tasks')] [System.String] $Workload, From 64d697b22209df9ed11c91ad226c181b3f24acb8 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Fri, 6 Sep 2024 14:18:41 -0400 Subject: [PATCH 29/47] Updates --- CHANGELOG.md | 5 ++++ .../MSFT_SPOAccessControlSettings.psm1 | 25 ++++++++++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c2ad6918c..bccd8aa9c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
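Review bot: Adding `'SharePointOnlineREST'` to the ValidateSet of New-M365DSCConnection only makes the value pass parameter binding; nothing in this hunk shows the matching connection branch for the new workload, and the body of the function is outside the hunk. If the dispatch below does not handle the value yet, a caller passing it gets a fall-through failure (or no connection at all) instead of a clear binding error. Either add the corresponding branch in the same commit or, at minimum, a comment above the ValidateSet naming the resource that consumes the new workload.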
@@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* SPOAccessControlSettings + * Added support for property EnableRestrictedAccessControl. + # 1.24.904.1 * EXOOwaMailboxPolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 index 1a29f5f30b..687543a436 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 @@ -296,7 +296,30 @@ function Set-TargetResource $CurrentParameters.Remove('IPAddressAllowList') } - $tenant = Set-PnPTenant @CurrentParameters + $EnableRestrictedAccessControlValue = $null + if ($null -ne $EnableRestrictedAccessControl) + { + $EnableRestrictedAccessControlValue = $EnableRestrictedAccessControl + $CurrentParameters.Remove('EnableRestrictedAccessControl') | Out-Null + } + + Set-PnPTenant @CurrentParameters | Out-Null + + try + { + Set-PnPTenant -EnableRestrictedAccessControl $EnableRestrictedAccessControlValue -ErrorAction Stop | Out-Null + } + catch + { + if ($_.ErrorDetails.Message.Contains("This operation can't be performed as the tenant doesn't have the required license")) + { + Write-Warning -Message "The tenant doesn't have the required license to configure Restrcited Access Control." + } + else + { + Write-Error $_.ErrorDetails.Message + } + } } function Test-TargetResource From b80e5acb9104b8268aa51dee78d3ac3d7646ef49 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Fri, 6 Sep 2024 18:34:39 +0000 Subject: [PATCH 30/47] Updated Resources and Cmdlet documentation pages --- docs/docs/resources/sharepoint/SPOAccessControlSettings.md | 1 + 1 file changed, 1 insertion(+) 
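Review bot: `if ($null -ne $EnableRestrictedAccessControl)` is always true because the parameter is declared `[System.Boolean]`, a value type that is `$false` when not supplied, so the second Set-PnPTenant call runs on every Set-TargetResource invocation and switches restricted access control off for tenants whose configuration never mentioned it. Use `if ($PSBoundParameters.ContainsKey('EnableRestrictedAccessControl'))` and move the try/catch that calls `Set-PnPTenant -EnableRestrictedAccessControl` inside that branch so the tenant setting is only touched when the configuration asks for it. In the catch block `$_.ErrorDetails` can be `$null` on an ErrorRecord, in which case `.Contains(...)` raises a second error that hides the original; `$_.Exception.Message` is the safer field to inspect. The warning text also misspells "Restricted" (`Restrcited`).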
diff --git a/docs/docs/resources/sharepoint/SPOAccessControlSettings.md b/docs/docs/resources/sharepoint/SPOAccessControlSettings.md index cc24a9a375..bcfe8f4ad9 100644 --- a/docs/docs/resources/sharepoint/SPOAccessControlSettings.md +++ b/docs/docs/resources/sharepoint/SPOAccessControlSettings.md @@ -14,6 +14,7 @@ | **ExternalServicesEnabled** | Write | Boolean | Enables external services for a tenant. External services are defined as services that are not in the Office 365 datacenters. | | | **EmailAttestationRequired** | Write | Boolean | Sets email attestation to required | | | **EmailAttestationReAuthDays** | Write | UInt32 | Sets email attestation re-auth days | | +| **EnableRestrictedAccessControl** | Write | Boolean | Enables or disables the restricted access control. | | | **Ensure** | Write | String | Only value accepted is 'Present' | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the account to authenticate with. | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | From 008dc64b5ac65a081039be17afd572907979e64a Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Fri, 6 Sep 2024 18:36:48 +0000 Subject: [PATCH 31/47] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index ff560fdb1f..c093f98711 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -39042,6 +39042,11 @@ "Name": "EmailAttestationReAuthDays", "Option": "Write" }, + { + "CIMType": "boolean", + "Name": "EnableRestrictedAccessControl", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", From 1e92c12703b05aeb6feaaec31a8846784c6d21dc Mon Sep 17 00:00:00 2001 
From: Fabien Tschanz Date: Sun, 8 Sep 2024 12:18:45 +0200 Subject: [PATCH 32/47] Fix invalid parameter definition --- CHANGELOG.md | 3 +++ ...IntuneAntivirusPolicyWindows10SettingCatalog.psm1 | 12 ++++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bccd8aa9c8..c01d2ac4f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ # UNRELEASED +* IntuneAntivirusPolicyWindows10SettingCatalog + * Fixes an issue with invalid parameter definition. + FIXES [#5015](https://github.com/microsoft/Microsoft365DSC/issues/5015) * SPOAccessControlSettings * Added support for property EnableRestrictedAccessControl. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index ee80cfb92b..79cd8949f8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 @@ -90,11 +90,11 @@ function Get-TargetResource [System.int32] $avgcpuloadfactor, - [Parameter] + [Parameter()] [System.Int32] $archivemaxdepth, - [Parameter] + [Parameter()] [System.Int32] $archivemaxsize, @@ -601,11 +601,11 @@ function Set-TargetResource [System.int32] $avgcpuloadfactor, - [Parameter] + [Parameter()] [System.Int32] $archivemaxdepth, - [Parameter] + [Parameter()] [System.Int32] $archivemaxsize, @@ -1095,11 +1095,11 @@ function Test-TargetResource [System.int32] $avgcpuloadfactor, - [Parameter] + [Parameter()] [System.Int32] $archivemaxdepth, - [Parameter] + [Parameter()] [System.Int32] $archivemaxsize, From e431c5e6c4c97a5269764b883ed3abc65b64af61 Mon Sep 17 00:00:00 2001 
From: salbeck-sit Date: Mon, 9 Sep 2024 10:31:21 +0200 Subject: [PATCH 33/47] updated changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bccd8aa9c8..cc7285ea30 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ # UNRELEASED +* AADPasswordRuleSettings + * Initial release * SPOAccessControlSettings * Added support for property EnableRestrictedAccessControl. From a6ffb794512d7ab4f61e99c471922b88a7b999fd Mon Sep 17 00:00:00 2001 From: salbeck-sit Date: Mon, 9 Sep 2024 14:55:18 +0200 Subject: [PATCH 34/47] fixed verbose messages --- .../MSFT_AADPasswordRuleSettings.psm1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 index 2f293f01f6..4c4d286efe 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADPasswordRuleSettings/MSFT_AADPasswordRuleSettings.psm1 @@ -68,7 +68,7 @@ function Get-TargetResource $AccessTokens ) - Write-Verbose -Message 'Getting configuration of AzureAD Groups Settings' + Write-Verbose -Message 'Getting configuration of AzureAD Password Rule Settings' $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters @@ -207,7 +207,7 @@ function Set-TargetResource $AccessTokens ) - Write-Verbose -Message 'Setting configuration of Azure AD Groups Settings' + Write-Verbose -Message 'Setting configuration of Azure AD Password Rule Settings' #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies From 66442b6123fe426d23e3657111dce9b6ea7a4232 Mon Sep 17 00:00:00 2001 
From: NikCharlebois
Date: Mon, 9 Sep 2024 13:14:39 +0000
Subject: [PATCH 35/47] Updated Resources and Cmdlet documentation pages
---
 .../azure-ad/AADPasswordRuleSettings.md | 97 +++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 docs/docs/resources/azure-ad/AADPasswordRuleSettings.md
diff --git a/docs/docs/resources/azure-ad/AADPasswordRuleSettings.md b/docs/docs/resources/azure-ad/AADPasswordRuleSettings.md
new file mode 100644
index 0000000000..66ff3a0bfb
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADPasswordRuleSettings.md
@@ -0,0 +1,97 @@ +# AADPasswordRuleSettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **LockoutThreshold** | Write | UInt32 | The number of failed login attempts before the first lockout period begins. | | +| **LockoutDurationInSeconds** | Write | UInt32 | The duration in seconds of the initial lockout period. | | +| **EnableBannedPasswordCheck** | Write | Boolean | Boolean indicating if the banned password check for tenant specific banned password list is turned on or not. | | +| **BannedPasswordList** | Write | StringArray[] | A list of banned words in passwords. | | +| **BannedPasswordCheckOnPremisesMode** | Write | String | How should we enforce password policy check in on-premises system. | | +| **EnableBannedPasswordCheckOnPremises** | Write | Boolean | Boolean indicating if the banned password check is turned on or not for on-premises system. | | +| **Ensure** | Write | String | Specify if the Azure AD Password Rule Settings should exist or not. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +## Description + +This resource configures the Azure Active Directory Password Rule Settings. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Directory.Read.All, Group.Read.All + +- **Update** + + - Directory.Read.All, Directory.ReadWrite.All + +#### Application permissions + +- **Read** + + - Directory.Read.All + +- **Update** + + - Directory.Read.All, Directory.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADPasswordRuleSettings 'GeneralPasswordRuleSettings' + { + IsSingleInstance = "Yes" + LockoutThreshold = 6 + LockoutDurationInSeconds = 30 + BannedPasswordCheckOnPremisesMode = 'Audit' + EnableBannedPasswordCheckOnPremises = $false + EnableBannedPasswordCheck = $false + BannedPasswordList = $null + Ensure = "Present" + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + From ebf2730d8b966945c0f70e3735130684dbb456a1 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Mon, 9 Sep 2024 13:16:46 +0000 Subject: [PATCH 36/47] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index c093f98711..39576dcab5 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -3919,6 +3919,86 @@ } ] }, + { + "ClassName": "MSFT_AADPasswordRuleSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "UInt32", + "Name": "LockoutThreshold", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "LockoutDurationInSeconds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableBannedPasswordCheck", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "BannedPasswordList", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BannedPasswordCheckOnPremisesMode", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "EnableBannedPasswordCheckOnPremises", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADRoleDefinition", "Parameters": [ From bdb2b7e5da235d7f06c93f87b707c69ee5431b21 Mon Sep 17 00:00:00 2001 From: Piyush Dubey Date: Tue, 10 Sep 2024 10:06:28 +0530 Subject: [PATCH 37/47] resolving comments --- .../MSFT_EXOManagementScope.psm1 | 11 +---------- .../MSFT_EXOManagementScope.schema.mof | 4 ++-- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.psm1 index 33a84bd0b3..bd19cc11f4 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.psm1 @@ -54,7 +54,6 @@ function Get-TargetResource $AccessTokens ) - ##TODO - Replace the workload by the one associated to your resource New-M365DSCConnection -Workload 'ExchangeOnline' ` -InboundParameters $PSBoundParameters | Out-Null @@ -76,12 +75,10 @@ function Get-TargetResource { if ($null -ne $Script:exportedInstances -and $Script:ExportMode) { - ##TODO - Replace the PrimaryKey in the Filter by the one for the resource $ManagementScope = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} } else { - ##TODO - Replace the cmdlet by the one to retrieve a specific instance. $ManagementScope = Get-ManagementScope -Identity $Identity -ErrorAction Stop } if ($null -eq $ManagementScope) @@ -90,7 +87,6 @@ function Get-TargetResource } $results = @{ - ##TODO - Add the list of parameters to be returned Identity = $Identity Name = $ManagementScope.Name RecipientRestrictionFilter = $ManagementScope.RecipientFilter @@ -210,7 +206,6 @@ function Set-TargetResource # REMOVE elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - ## should I just send identity to the remove cmdlet? Remove-ManagementScope -Identity $Identity } } @@ -334,7 +329,6 @@ function Export-TargetResource $AccessTokens ) - ##TODO - Replace workload $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` -InboundParameters $PSBoundParameters @@ -353,7 +347,6 @@ function Export-TargetResource try { $Script:ExportMode = $true - ##TODO - Replace Get-Cmdlet by the cmdlet to retrieve all instances [array] $Script:exportedInstances = Get-ManagementScope -ErrorAction Stop $i = 1 
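Review bot: In the Set-TargetResource hunk, `Remove-ManagementScope -Identity $Identity` is left without `-Confirm:$false`; Exchange Remove-* cmdlets prompt for confirmation by default, and under the DSC LCM there is no host to answer the prompt, so the Absent path can stall or fail instead of removing the scope. Change the line to `Remove-ManagementScope -Identity $Identity -Confirm:$false`. The deleted `## should I just send identity to the remove cmdlet?` comment raised essentially this question; the answer belongs in the call itself. The elseif closes inside the hunk, but Set-TargetResource continues outside it.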
@@ -368,11 +361,9 @@ function Export-TargetResource } foreach ($config in $Script:exportedInstances) { - $displayedKey = $config.Id + $displayedKey = $config.Identity Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline $params = @{ - ##TODO - Specify the Primary Key - #PrimaryKey = $config.PrimaryKey Identity = $config.Identity Credential = $Credential ApplicationId = $ApplicationId diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.schema.mof index 9c6726ec14..4fbc6b845d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOManagementScope/MSFT_EXOManagementScope.schema.mof 
@@ -6,11 +6,11 @@ class MSFT_EXOManagementScope : OMI_BaseResource [Write, Description("The RecipientRestrictionFilter parameter uses OPATH filter syntax to specify the recipients that are included in the scope.")] String RecipientRestrictionFilter; [Write, Description("The RecipientRoot parameter specifies the organizational unit (OU) under which the filter specified with the RecipientRestrictionFilter parameter should be applied.")] String RecipientRoot; [Write, Description("The Exclusive switch specifies that the role should be an exclusive scope.")] Boolean Exclusive; - [Write, Description("")] String Ensure; + [Write, Description("Specifies if this Outbound connector should exist."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; -}; \ No newline at end of file +}; From 46474a1f678ec4b2089c925a47e6dea148b9cbd6 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 10 Sep 2024 13:00:10 +0000 Subject: [PATCH 38/47] Updated Resources and Cmdlet documentation pages --- .../resources/exchange/EXOManagementScope.md | 154 ++++++++++++++++++ 1 file changed, 154 insertions(+) create mode 100644 docs/docs/resources/exchange/EXOManagementScope.md 
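Review bot: The new Ensure description reads `Specifies if this Outbound connector should exist.`, which is copied from a different resource; this class is MSFT_EXOManagementScope and has nothing to do with connectors. Change it to `Specifies if this management scope should exist.`. The generated documentation page later in this series repeats the text verbatim, so it will need regenerating after the fix.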
diff --git a/docs/docs/resources/exchange/EXOManagementScope.md b/docs/docs/resources/exchange/EXOManagementScope.md
new file mode 100644
index 0000000000..873248793d
--- /dev/null
+++ b/docs/docs/resources/exchange/EXOManagementScope.md
@@ -0,0 +1,154 @@ +# EXOManagementScope + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Identity** | Key | String | The Identity parameter specifies the name of the management scope to modify. | | +| **Name** | Write | String | The Name parameter specifies the name of the management scope. | | +| **RecipientRestrictionFilter** | Write | String | The RecipientRestrictionFilter parameter uses OPATH filter syntax to specify the recipients that are included in the scope. | | +| **RecipientRoot** | Write | String | The RecipientRoot parameter specifies the organizational unit (OU) under which the filter specified with the RecipientRestrictionFilter parameter should be applied. | | +| **Exclusive** | Write | Boolean | The Exclusive switch specifies that the role should be an exclusive scope. | | +| **Ensure** | Write | String | Specifies if this Outbound connector should exist. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Use this resource to create ManagementScopes. 
+ +## Permissions + +### Exchange + +To authenticate with Microsoft Exchange, this resource required the following permissions: + +#### Roles + +- Hygiene Management, Compliance Management, Organization Management, View-Only Organization Management + +#### Role Groups + +- Organization Management + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOManagementScope "EXOManagementScope-Test New DGs" + { + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'Test*'"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + EXOManagementScope "EXOManagementScope-Test New DGs" + { + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'NewTest*'"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + EXOManagementScope "EXOManagementScope-Test New DGs" + { + Credential = $Credscredential; + Ensure = "Absent"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'NewTest*'"; + } + + } +} +``` + From 2783b3d24155eea70c2ddfcbb5e91016a6046a9b Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 10 Sep 2024 13:03:03 +0000 Subject: [PATCH 39/47] Updated {Create} EXO Integration Tests --- .../M365DSCIntegration.EXO.Create.Tests.ps1 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 index f8f29f2774..dbdfbb1fd7 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 @@ -467,6 +467,15 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOManagementScope 'EXOManagementScope-Test New DGs' + { + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'Test*'"; + } EXOMessageClassification 'ConfigureMessageClassification' { Identity = "Contoso Message Classification" From 2b313849ef1ef97e12b35acbb3c155c89b0c8c62 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 10 Sep 2024 13:03:24 +0000 Subject: [PATCH 40/47] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) 
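Review bot: The added EXOManagementScope block in the EXO.Create integration test authenticates with `Credential = $Credscredential;` while the surrounding resources in the same file use the certificate-based parameters (see the `TenantId = $TenantId` and `CertificateThumbprint = $CertificateThumbprint` context lines), and `$Credscredential` is not defined anywhere in the visible context; if the configuration has no such variable the resource receives a null credential and the integration run fails on this one block. Replace the line with `ApplicationId = $ApplicationId`, `TenantId = $TenantId` and `CertificateThumbprint = $CertificateThumbprint` to match the rest of the file. The same applies to the EXO.Update.Tests.ps1 and EXO.Remove.Tests.ps1 hunks that follow.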
diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 39576dcab5..90e653682a 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -10544,6 +10544,71 @@ } ] }, + { + "ClassName": "MSFT_EXOManagementScope", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RecipientRestrictionFilter", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RecipientRoot", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Exclusive", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_EXOMessageClassification", "Parameters": [ From 12212d3c0d36ad0ae6c3599dc3083fe4af7dac04 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 10 Sep 2024 13:03:27 +0000 Subject: [PATCH 41/47] Updated {Update} EXO Integration Tests --- .../M365DSCIntegration.EXO.Update.Tests.ps1 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 index fb92ed7632..1187fe3ade 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 
+++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 @@ -705,6 +705,15 @@ Identity = "Information Rights Management\Get-BookingMailbox" Parameters = @("ANR","RecipientTypeDetails", "ResultSize") } + EXOManagementScope 'EXOManagementScope-Test New DGs' + { + Credential = $Credscredential; + Ensure = "Present"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'NewTest*'"; + } EXOMessageClassification 'ConfigureMessageClassification' { Identity = "Contoso Message Classification" From 1b3319d06ede378bc0a68cecfe9574be214c5891 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 10 Sep 2024 13:03:46 +0000 Subject: [PATCH 42/47] Updated {Update} EXO Integration Tests --- .../M365DSCIntegration.EXO.Remove.Tests.ps1 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 index e192eb32a3..915a099176 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 @@ -330,6 +330,15 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOManagementScope 'EXOManagementScope-Test New DGs' + { + Credential = $Credscredential; + Ensure = "Absent"; + Exclusive = $False; + Identity = "Test New DGs"; + Name = "Test New DGs"; + RecipientRestrictionFilter = "Name -like 'NewTest*'"; + } EXOMessageClassification 'ConfigureMessageClassification' { Identity = "Contoso Message Classification" From e44834c7a39f7517b12cad8d83225a3588486e1d Mon Sep 17 00:00:00 2001 
From: Nik Charlebois Date: Tue, 10 Sep 2024 12:30:51 -0400 Subject: [PATCH 43/47] SentinelSetting - Initial Release --- CHANGELOG.md | 5 + .../MSFT_SentinelSetting.psm1 | 477 ++++++++++++++++++ .../MSFT_SentinelSetting.schema.mof | 17 + .../MSFT_SentinelSetting/readme.md | 6 + .../MSFT_SentinelSetting/settings.json | 20 + .../Dependencies/Manifest.psd1 | 46 +- .../Resources/SentinelSetting/2-Update.ps1 | 26 + .../Modules/M365DSCReverse.psm1 | 2 +- .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 9 +- .../Microsoft365DSC.SentinelSetting.Tests.ps1 | 130 +++++ Tests/Unit/Stubs/Microsoft365.psm1 | 54 +- .../MSFT_ResourceName/MSFT_ResourceName.psm1 | 1 + 12 files changed, 771 insertions(+), 22 deletions(-) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/SentinelSetting/2-Update.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelSetting.Tests.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index c48faf0849..f545d61404 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,8 +7,13 @@ * IntuneAntivirusPolicyWindows10SettingCatalog * Fixes an issue with invalid parameter definition. FIXES [#5015](https://github.com/microsoft/Microsoft365DSC/issues/5015) +* SentinelSetting + * Initial release. * SPOAccessControlSettings * Added support for property EnableRestrictedAccessControl. +* DEPENDENCIES + * Added dependencies on Az.Accounts and Az.SecurityInsights + * Updated MSCloudLoginAssistant to version 1.1.21. # 1.24.904.1 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.psm1
new file mode 100644
index 0000000000..7939a6a80c
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.psm1
@@ -0,0 +1,477 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.Boolean] + $AnomaliesIsEnabled, + + [Parameter()] + [System.Boolean] + $EntityAnalyticsIsEnabled, + + [Parameter()] + [System.Boolean] + $EyesOnIsEnabled, + + [Parameter()] + [System.String[]] + $UebaDataSource, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $ResourceGroupNameValue = $ResourceGroupName + $WorkspaceNameValue = $WorkspaceName + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $entry = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $WorkspaceName} + $instance = Get-AzSentinelSetting -ResourceGroupName $entry.ResourceGroupName -WorkspaceName $entry.Name -ErrorAction SilentlyContinue + $ResourceGroupNameValue = $entry.ResourceGroupName + $WorkspaceNameValue = $entry.Name + } + else + { + Write-Verbose -Message "Retrieving Sentinel Settings for {$WorkspaceName}" + $instance = Get-AzSentinelSetting -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + throw "Could not find Sentinel Workspace {$WorkspaceName} in Resource Group {$ResourceGroupName}" + } + + Write-Verbose -Message "Found an instance of Sentinel Workspace {$Workspace}" + $Anomalies = $instance | Where-Object -FilterScript {$_.Name -eq 'Anomalies'} + $AnomaliesIsEnabledValue = $false + if ($null -ne $Anomalies) + { + Write-Verbose -Message "Anomalies instance found." + $AnomaliesIsEnabledValue = $Anomalies.IsEnabled + } + + $EntityAnalytics = $instance | Where-Object -FilterScript {$_.Name -eq 'EntityAnalytics'} + $EntityAnalyticsIsEnabledValue = $false + if ($null -ne $EntityAnalytics) + { + Write-Verbose -Message "EntityAnalytics instance found." 
+ $EntityAnalyticsIsEnabledValue = $EntityAnalytics.IsEnabled + } + + $EyesOn = $instance | Where-Object -FilterScript {$_.Name -eq 'EyesOn'} + $EyesOnIsEnabledValue = $false + if ($null -ne $EyesOn) + { + Write-Verbose -Message "EyesOn instance found." + $EyesOnIsEnabledValue = $EyesOn.IsEnabled + } + + $Ueba = $instance | Where-Object -FilterScript {$_.Name -eq 'Ueba'} + $UebaDataSourceValue = $null + if ($null -ne $Ueba) + { + Write-Verbose -Message "UEBA Data source instance found." + $UebaDataSourceValue = $Ueba.DataSource + } + + $results = @{ + AnomaliesIsEnabled = [Boolean]$AnomaliesIsEnabledValue + EntityAnalyticsIsEnabled = [Boolean]$EntityAnalyticsIsEnabledValue + EyesOnIsEnabled = [Boolean]$EyesOnIsEnabledValue + UebaDataSource = $UebaDataSourceValue + ResourceGroupName = $ResourceGroupNameValue + WorkspaceName = $WorkspaceNameValue + SubscriptionId = $SubscriptionId + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.Boolean] + $AnomaliesIsEnabled, + + [Parameter()] + [System.Boolean] + $EntityAnalyticsIsEnabled, + + [Parameter()] + [System.Boolean] + $EyesOnIsEnabled, + + [Parameter()] + [System.String[]] + $UebaDataSource, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 
'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + if ($PSBoundParameters.ContainsKey('AnomaliesIsEnabled')) + { + Write-Verbose -Message "Updating Anomalies IsEnabled value to {$AnomaliesIsEnabled}" + Update-AzSentinelSetting -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -SettingsName "Anomalies" ` + -Enabled $AnomaliesIsEnabled | Out-Null + } + if ($PSBoundParameters.ContainsKey('EntityAnalyticsIsEnabled')) + { + Write-Verbose -Message "Updating Entity Analytics IsEnabled value to {$EntityAnalyticsIsEnabled}" + Update-AzSentinelSetting -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -SettingsName "EntityAnalytics" ` + -Enabled $EntityAnalyticsIsEnabled | Out-Null + } + if ($PSBoundParameters.ContainsKey('EyesOnIsEnabled')) + { + Write-Verbose -Message "Updating Eyes On IsEnabled value to {$EyesOnIsEnabled}" + Update-AzSentinelSetting -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -SettingsName "EyesOn" ` + -Enabled $EyesOnIsEnabled | Out-Null + } + if ($PSBoundParameters.ContainsKey('UebaDataSource')) + { + Write-Verbose -Message "Updating UEBA Data Source value to {$UebaDataSource}" + Update-AzSentinelSetting -ResourceGroupName 
$ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -SettingsName "Ueba" ` + -DataSource $UebaDataSource | Out-Null + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $ResourceGroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $WorkspaceName, + + [Parameter()] + [System.String] + $SubscriptionId, + + [Parameter()] + [System.Boolean] + $AnomaliesIsEnabled, + + [Parameter()] + [System.Boolean] + $EntityAnalyticsIsEnabled, + + [Parameter()] + [System.Boolean] + $EyesOnIsEnabled, + + [Parameter()] + [System.String[]] + $UebaDataSource, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'Azure' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + [array] $Script:exportedInstances = Get-AzResource -ResourceType 'Microsoft.OperationalInsights/workspaces' + + $dscContent = '' + $i = 1 + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $displayedKey = $config.Name + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + ResourceGroupName = $config.ResourceGroupName + WorkspaceName = $config.Name + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source 
$($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.schema.mof new file mode 100644 index 0000000000..495b1e4330 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.schema.mof 
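Review bot: Set-TargetResource never establishes the Azure session: Get-TargetResource and Export-TargetResource both begin with `New-M365DSCConnection -Workload 'Azure' -InboundParameters $PSBoundParameters | Out-Null`, but Set goes straight from Confirm-M365DSCDependencies to Update-AzSentinelSetting, so a Set invoked on its own (a fresh LCM run) has no context unless something else connected first; add the same call after the telemetry region. Two smaller points in the same file: the verbose message in Get-TargetResource reads `"Found an instance of Sentinel Workspace {$Workspace}"` but the parameter is `$WorkspaceName`, so the message always prints an empty name; and Export-TargetResource enumerates every 'Microsoft.OperationalInsights/workspaces' resource, so for a workspace that Get-AzSentinelSetting does not return (presumably one not onboarded to Sentinel) Get-TargetResource throws, hands back `$nullResult` — which is just the bound parameters — and the export still writes a block for it with no setting values. Skipping the instance when the returned hashtable lacks `AnomaliesIsEnabled` would keep such workspaces out of the export.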
@@ -0,0 +1,17 @@ +[ClassVersion("1.0.0.0"), FriendlyName("SentinelSetting")] +class MSFT_SentinelSetting : OMI_BaseResource +{ + [Key, Description("The Resource Group Name")] String ResourceGroupName; + [Required, Description("The name of the workspace.")] String WorkspaceName; + [Write, Description("Gets subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.")] String SubscriptionId; + [Write, Description("Specififies if Anomaly detection should be enabled or not.")] Boolean AnomaliesIsEnabled; + [Write, Description("Specififies if Entity Analyticsshould be enabled or not.")] Boolean EntityAnalyticsIsEnabled; + [Write, Description("Specififies if Auditing and Health Monitoring should be enabled or not.")] Boolean EyesOnIsEnabled; + [Write, Description("The list of Data sources associated with the UEBA.")] String UebaDataSource[]; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/readme.md new file mode 100644 index 0000000000..3886ec78ee --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/readme.md 
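Review bot: ResourceGroupName is the only `[Key]` property and WorkspaceName is `[Required]`, so DSC identifies a SentinelSetting instance by resource group alone and a configuration that declares two workspaces in the same resource group is rejected as a conflict between resources with identical key properties; `[Key, Description("The name of the workspace.")] String WorkspaceName;` fixes this, and it matches the Get-M365DSCExportContentForResource change elsewhere in this commit, which already treats WorkspaceName as the primary key. The descriptions for AnomaliesIsEnabled, EntityAnalyticsIsEnabled and EyesOnIsEnabled carry the typos `Specififies` and `Analyticsshould`, which are copied verbatim into the generated parameter table in docs/docs/resources/security-compliance/SentinelSetting.md later in this series.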
@@ -0,0 +1,6 @@
+
+# SentinelSetting
+
+## Description
+
+Configures settings for a Sentinel instance.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/settings.json
new file mode 100644
index 0000000000..eea41c3e86
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "SentinelSetting",
+ "description": "Configures settings for a Sentinel instance.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1
index 717197df8f..2743394cbf 100644
--- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1
+++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1
@@ -1,5 +1,13 @@
 @{
 Dependencies = @(
+ @{
+ ModuleName = 'Az.Accounts'
+ RequiredVersion = '3.0.2'
+ },
+ @{
+ ModuleName = 'Az.SecurityInsights'
+ RequiredVersion = '3.1.2'
+ },
 @{
 ModuleName = 'DSCParser'
 RequiredVersion = '2.0.0.8'
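Review bot: settings.json records no roles and no Graph permissions for SentinelSetting, and nothing else in the commit states which Azure RBAC role the identity needs on the workspace; the resource authenticates with Workload 'Azure' and calls Az cmdlets rather than Graph, so the empty `permissions.graph` sections are presumably expected, but an operator provisioning a least-privilege identity has nowhere to look. If the settings schema has no slot for Azure roles, a sentence in readme.md naming the required role would cover it.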
@@ -10,75 +18,75 @@
 },
 @{
 ModuleName = 'Microsoft.Graph.Applications'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Authentication'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.DeviceManagement'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.Devices.CorporateManagement'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Administration'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.DeviceManagement.Enrollment'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.Identity.DirectoryManagement'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.Identity.Governance'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.Identity.SignIns'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.Reports'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.Teams'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.DeviceManagement.Administration'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Beta.DirectoryObjects'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Groups'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Planner'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Sites'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Users'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.Graph.Users.Actions'
- RequiredVersion = '2.20.0'
+ RequiredVersion = '2.23.0'
 },
 @{
 ModuleName = 'Microsoft.PowerApps.Administration.PowerShell'
@@ -90,7 +98,7 @@
 },
 @{
 ModuleName = "MSCloudLoginAssistant"
- RequiredVersion = "1.1.20"
+ RequiredVersion = "1.1.21"
 },
 @{
 ModuleName = 'PnP.PowerShell'
diff --git a/Modules/Microsoft365DSC/Examples/Resources/SentinelSetting/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/SentinelSetting/2-Update.ps1
new file mode 100644
index 0000000000..b516274848
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/SentinelSetting/2-Update.ps1
@@ -0,0 +1,26 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+
+ }
+}
diff --git a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1
index 61ed490d9b..2b124e6da7 100644
--- a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1
+++ b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1
@@ -41,7 +41,7 @@ function Start-M365DSCConfigurationExtract
 $MaxProcesses = 16,
 
 [Parameter()]
- [ValidateSet('AAD', 'FABRIC', 'SPO', 'EXO', 'INTUNE', 'SC', 'OD', 'O365', 'TEAMS', 'PP', 'PLANNER')]
+ [ValidateSet('AAD', 'FABRIC', 'SPO', 'EXO', 'INTUNE', 'SC', 'SENTINEL', 'OD', 'O365', 'TEAMS', 'PP', 'PLANNER')]
 [System.String[]]
 $Workloads,
 
diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1
index 97782f27e6..9397159c76 100644
--- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1
+++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1
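Review bot: The example's `node localhost { }` block declares no resource, so 2-Update.ps1 configures nothing, and because the docs page is generated from it the SentinelSetting.md added later in this series shows the same empty configuration under 'Example 1'. A minimal SentinelSetting block with the two identifying properties and one setting would make the example exercise the resource; the values below are samples taken from the unit test in this commit.
```powershell
    node localhost
    {
        SentinelSetting 'SentinelSetting'
        {
            ResourceGroupName     = 'MyResourceGroup'       # sample values from the unit test
            WorkspaceName         = 'MySentinelWorkspace'
            AnomaliesIsEnabled    = $true
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
```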
@@ -1708,7 +1708,7 @@ function New-M365DSCConnection param ( [Parameter(Mandatory = $true)] - [ValidateSet('AzureDevOPS', 'ExchangeOnline', 'Fabric', 'Intune', ` + [ValidateSet('Azure', 'AzureDevOPS', 'ExchangeOnline', 'Fabric', 'Intune', ` 'SecurityComplianceCenter', 'PnP', 'PowerPlatforms', ` 'MicrosoftTeams', 'MicrosoftGraph', 'SharePointOnlineREST', 'Tasks')] [System.String] @@ -1771,6 +1771,7 @@ function New-M365DSCConnection [System.Boolean] $SkipModuleReload = $false ) + $verbosepreference = 'Continue' $Global:MaximumFunctionCount = 32767 if ($Workload -eq 'MicrosoftTeams') { @@ -2193,12 +2194,14 @@ function New-M365DSCConnection { $Global:M365DSCTelemetryConnectionToGraphParams.Add('CertificateThumbprint', $InboundParameters.CertificateThumbprint) } + Write-Verbose -Message "Calling into Connect-M365Tenant" Connect-M365Tenant -Workload $Workload ` -ApplicationId $InboundParameters.ApplicationId ` -TenantId $InboundParameters.TenantId ` -CertificateThumbprint $InboundParameters.CertificateThumbprint ` -SkipModuleReload $Global:CurrentModeIsExport ` -Url $Url + Write-Verbose -Message "Connection initiated." if (-not $Script:M365ConnectedToWorkloads -contains "$Workload-ServicePrincipalWithThumbprint") { $data.Add('ConnectionMode', 'ServicePrincipalWithThumbprint') @@ -3690,6 +3693,10 @@ function Get-M365DSCExportContentForResource { $primaryKey = $Results.CDNType } + elseif ($Keys.Contains('WorkspaceName')) + { + $primaryKey = $Results.WorkspaceName + } if ([String]::IsNullOrEmpty($primaryKey) -and ` -not $Keys.Contains('IsSingleInstance')) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelSetting.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelSetting.Tests.ps1 new file mode 100644 index 0000000000..54e5f57ef4 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.SentinelSetting.Tests.ps1 
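Review bot: `$verbosepreference = 'Continue'` right after the param block of New-M365DSCConnection (hunk @@ -1771) forces the verbose stream on for this function and everything it calls, for every workload and every run, regardless of whether the caller passed -Verbose; it reads like a debugging leftover from bringing up the Azure workload and should be removed before merge. The function receives credential, thumbprint and token material through -InboundParameters, so any verbose diagnostics emitted along the connection path now land in ordinary run logs instead of only when an operator opts in. The two Write-Verbose lines around Connect-M365Tenant (hunk @@ -2193) are fine on their own; New-M365DSCConnection starts and ends outside these hunks.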
@@ -0,0 +1,130 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Update-AzSentinelSetting -MockWith { + } + + Mock -CommandName Get-AzResource -MockWith { + return @{ + ResourceGroupName = "MyResourceGroup" + Name = 'MySentinelWorkspace' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ResourceGroupName = 'MyResourceGroup' + WorkspaceName = 'MySentinelWorkspace' + AnomaliesIsEnabled = $true + Credential = $Credential; + } + + Mock 
-CommandName Get-AzSentinelSetting -MockWith { + return @{ + Name = 'Anomalies' + IsEnabled = $true + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ResourceGroupName = 'MyResourceGroup' + WorkspaceName = 'MySentinelWorkspace' + AnomaliesIsEnabled = $true + Credential = $Credential; + } + + Mock -CommandName Get-AzSentinelSetting -MockWith { + return @{ + Name = 'Anomalies' + IsEnabled = $false #drift + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-AzSentinelSetting -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + BeforeAll { + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-AzSentinelSetting -MockWith { + return @{ + Name = 'Anomalies' + IsEnabled = $true + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index d8d8db6694..17668db78c 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 
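Review bot: No context covers the not-found path: every Get-AzSentinelSetting mock returns an Anomalies entry, so the branch in Get-TargetResource where the cmdlet returns `$null`, throws and hands back `$nullResult` is never exercised, and neither are the EntityAnalytics, EyesOn and Ueba branches or a Set call that carries UebaDataSource. A context with `Mock -CommandName Get-AzSentinelSetting -MockWith { return $null }` asserting what Test-TargetResource returns would pin that behaviour, and adding a sample UebaDataSource value to the drift test's parameters would raise the expected Update-AzSentinelSetting invocation count from 1 to 2.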
@@ -1,3 +1,56 @@
+#region Azure
+function Get-AzSentinel
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.String]
+ $ResourceGroupName,
+
+ [Parameter()]
+ [System.String]
+ $WorkspaceName
+
+ )
+}
+
+function Update-AzSentinel
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.String]
+ $ResourceGroupName,
+
+ [Parameter()]
+ [System.String]
+ $WorkspaceName,
+
+ [Parameter()]
+ [System.Boolean]
+ $Enabled,
+
+ [Parameter()]
+ [System.String]
+ $SettingsName,
+
+ [Parameter()]
+ [System.String]
+ $DataSource
+ )
+}
+
+function Get-AzResource
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.String]
+ $ResourceType
+ )
+}
+#endregion
+
 # region ExchangeOnlineManagement
 function Get-SweepRule
 {
@@ -28,7 +81,6 @@ function Get-SweepRule
 $ResultSize
 )
 }
-
 function New-SweepRule
 {
 [CmdletBinding()]
diff --git a/dev-package/Modules/Microsoft365DSC/DSCResources/MSFT_ResourceName/MSFT_ResourceName.psm1 b/dev-package/Modules/Microsoft365DSC/DSCResources/MSFT_ResourceName/MSFT_ResourceName.psm1
index 7d42466c4c..c6f63d3927 100644
--- a/dev-package/Modules/Microsoft365DSC/DSCResources/MSFT_ResourceName/MSFT_ResourceName.psm1
+++ b/dev-package/Modules/Microsoft365DSC/DSCResources/MSFT_ResourceName/MSFT_ResourceName.psm1
@@ -85,6 +85,7 @@ function Get-TargetResource
 }
 catch
 {
+ Write-Verbose -Message $_
 New-M365DSCLogEntry -Message 'Error retrieving data:' `
 -Exception $_ `
 -Source $($MyInvocation.MyCommand.Source) `
From dca6f4fbe6f51cc47fe019e19b2ad471f7ee8777 Mon Sep 17 00:00:00 2001
From: Nik Charlebois
Date: Tue, 10 Sep 2024 13:59:42 -0400
Subject: [PATCH 44/47] Fixes to the auth
---
 CHANGELOG.md | 4 ++--
 .../MSFT_SentinelSetting.psm1 | 15 ++++++++-------
 .../Microsoft365DSC/Dependencies/Manifest.psd1 | 6 +++++-
 Tests/Unit/Stubs/Microsoft365.psm1 | 4 ++--
 4 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f545d61404..5fcba5cd30 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
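Review bot: The Update-AzSentinel stub declares `$DataSource` as `[System.String]`, while Set-TargetResource passes `[System.String[]] $UebaDataSource`; PowerShell binds an array to a string parameter by joining the elements, so the unit tests pass even if the real cmdlet takes an array and a type mismatch would only surface at run time. Confirm the parameter type of the real Update-AzSentinelSetting and, if it is an array, declare the stub as `[System.String[]] $DataSource` so the tests exercise the same binding.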
@@ -12,8 +12,8 @@ * SPOAccessControlSettings * Added support for property EnableRestrictedAccessControl. * DEPENDENCIES - * Added dependencies on Az.Accounts and Az.SecurityInsights - * Updated MSCloudLoginAssistant to version 1.1.21. + * Added dependencies on Az.Accounts, Az.Resources and Az.SecurityInsights + * Updated MSCloudLoginAssistant to version 1.1.22. # 1.24.904.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.psm1 index 7939a6a80c..21c39097df 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SentinelSetting/MSFT_SentinelSetting.psm1 @@ -85,14 +85,20 @@ function Get-TargetResource if ($null -ne $Script:exportedInstances -and $Script:ExportMode) { $entry = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $WorkspaceName} - $instance = Get-AzSentinelSetting -ResourceGroupName $entry.ResourceGroupName -WorkspaceName $entry.Name -ErrorAction SilentlyContinue + $instance = Get-AzSentinelSetting -ResourceGroupName $entry.ResourceGroupName ` + -WorkspaceName $entry.Name ` + -SubscriptionId $SubscriptionId ` + -ErrorAction SilentlyContinue $ResourceGroupNameValue = $entry.ResourceGroupName $WorkspaceNameValue = $entry.Name } else { Write-Verbose -Message "Retrieving Sentinel Settings for {$WorkspaceName}" - $instance = Get-AzSentinelSetting -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -ErrorAction SilentlyContinue + $instance = Get-AzSentinelSetting -ResourceGroupName $ResourceGroupName ` + -WorkspaceName $WorkspaceName ` + -ErrorAction SilentlyContinue ` + -SubscriptionId $SubscriptionId } if ($null -eq $instance) { 
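Review bot: `-SubscriptionId $SubscriptionId` is now passed to both Get-AzSentinelSetting calls, but the four Update-AzSentinelSetting calls in Set-TargetResource still omit it, so when the configured SubscriptionId differs from the Az context's default subscription Get reads one subscription and Set writes to another, and Test would keep reporting drift after every Set; add `-SubscriptionId $SubscriptionId` to those calls if the cmdlet accepts it as Get-AzSentinelSetting does. In the export branch `$entry` is used without a null check, so a WorkspaceName that is not in `$Script:exportedInstances` reaches the cmdlet with a null resource group and fails there instead of at the 'Could not find' throw below. Get-TargetResource starts and ends outside this hunk.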
@@ -195,11 +201,6 @@ function Set-TargetResource [System.String[]] $UebaDataSource, - [Parameter()] - [ValidateSet('Present', 'Absent')] - [System.String] - $Ensure = 'Present', - [Parameter()] [System.Management.Automation.PSCredential] $Credential, diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 2743394cbf..54b3565d09 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -4,6 +4,10 @@ ModuleName = 'Az.Accounts' RequiredVersion = '3.0.2' }, + @{ + ModuleName = 'Az.Resources' + RequiredVersion = '7.2.0' + }, @{ ModuleName = 'Az.SecurityInsights' RequiredVersion = '3.1.2' @@ -98,7 +102,7 @@ }, @{ ModuleName = "MSCloudLoginAssistant" - RequiredVersion = "1.1.21" + RequiredVersion = "1.1.22" }, @{ ModuleName = 'PnP.PowerShell' diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 17668db78c..67bd3f160f 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -1,5 +1,5 @@ #region Azure -function Get-AzSentinel +function Get-AzSentinelSetting { [CmdletBinding()] param( @@ -14,7 +14,7 @@ function Get-AzSentinel ) } -function Update-AzSentinel +function Update-AzSentinelSetting { [CmdletBinding()] param( From 9a7253ed6f7055f66183e2a670640e70a0af5f20 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 10 Sep 2024 14:53:04 -0400 Subject: [PATCH 45/47] Update Microsoft365.psm1 --- Tests/Unit/Stubs/Microsoft365.psm1 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 67bd3f160f..d9daa50d7f 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 @@ -9,8 +9,11 @@ function Get-AzSentinelSetting [Parameter()] [System.String] - $WorkspaceName + $WorkspaceName, + [Parameter()] + [System.String] + $SubscriptionId ) } 
From 1c0e3df8cdb6743a8c7c9f47b020bcc1aef1c709 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 10 Sep 2024 19:14:28 +0000 Subject: [PATCH 46/47] Updated Resources and Cmdlet documentation pages --- .../security-compliance/SentinelSetting.md | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 docs/docs/resources/security-compliance/SentinelSetting.md diff --git a/docs/docs/resources/security-compliance/SentinelSetting.md b/docs/docs/resources/security-compliance/SentinelSetting.md new file mode 100644 index 0000000000..d2ee71451a --- /dev/null +++ b/docs/docs/resources/security-compliance/SentinelSetting.md 
@@ -0,0 +1,82 @@ +# SentinelSetting + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ResourceGroupName** | Key | String | The Resource Group Name | | +| **WorkspaceName** | Required | String | The name of the workspace. | | +| **SubscriptionId** | Write | String | Gets subscription credentials which uniquely identify Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. | | +| **AnomaliesIsEnabled** | Write | Boolean | Specififies if Anomaly detection should be enabled or not. | | +| **EntityAnalyticsIsEnabled** | Write | Boolean | Specififies if Entity Analyticsshould be enabled or not. | | +| **EyesOnIsEnabled** | Write | Boolean | Specififies if Auditing and Health Monitoring should be enabled or not. | | +| **UebaDataSource** | Write | StringArray[] | The list of Data sources associated with the UEBA. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures settings for a Sentinel instance. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + + } +} +``` + From d34b49df36aab550e9a873d9b5883538bb0a0d55 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 10 Sep 2024 19:16:57 +0000 Subject: [PATCH 47/47] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 90e653682a..922b858773 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -39134,6 +39134,76 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_SentinelSetting",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "ResourceGroupName",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "WorkspaceName",
+ "Option": "Required"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SubscriptionId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "AnomaliesIsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "EntityAnalyticsIsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "EyesOnIsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "UebaDataSource",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_SPOAccessControlSettings",
 "Parameters": [