From 10d17cdb30e22dc2fc4a2752a95b69351f044f26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Wed, 19 Jul 2023 21:01:49 +0200 Subject: [PATCH 01/20] documentation Update-M365DSCAzureAdApp #3487 --- CHANGELOG.md | 2 +- .../Modules/M365DSCPermissions.psm1 | 68 +++++++++++++++++++ .../Update-M365DSCAzureAdApplication.md | 55 +++++++++++---- 3 files changed, 109 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 634764ccdf..409dedd71e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -110,7 +110,7 @@ FIXES #3417 * Update-M365DSCModule now forces a reload of the latest version of the Microsoft365DSC module. FIXES [#3326](https://github.com/microsoft/Microsoft365DSC/issues/3326) - * Update-M365DSCAyureADApplication + * Update-M365DSCAzureADApplication Added retry logic to catch the "Key credential end date is invalid" error when updating the application certificate. FIXES [#3426](https://github.com/microsoft/Microsoft365DSC/issues/3426) * DEPENDENCIES diff --git a/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 index 660191a418..d044d0dadb 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 
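Review bot: the corrected CHANGELOG entry reads `Update-M365DSCAzureADApplication`, but the cmdlet, and the docs file touched in this same patch (`Update-M365DSCAzureAdApplication.md`), spell it `Update-M365DSCAzureAdApplication`; please match the cmdlet name exactly so a search for the cmdlet finds the changelog entry.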
@@ -1191,6 +1191,19 @@ This application can then be used for Application Authentication. The provided permissions have to be as an array of hashtables, with Api=Graph, SharePoint or Exchange and PermissionsName set to a list of permissions. See examples for more information. +NOTE: +Please make sure you have the following permissions for the 'Microsoft Graph Command Line Tools' +Enterprise Application in your tenant: + +- Application.ReadWrite.All + +You can add this scope to the 'Microsoft Graph Command Line Tools' Enterprise Application by running +the following command: + +```powershell +Connect-MgGraph -Scopes 'Application.ReadWrite.All' +``` + NOTE: If consent cannot be given for whatever reason, make sure all these permissions are given Admin Consent by browsing to the App Registration in Azure AD > API Permissions 
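Review bot: the new NOTE says the command "adds this scope to the 'Microsoft Graph Command Line Tools' Enterprise Application", but `Connect-MgGraph -Scopes 'Application.ReadWrite.All'` only requests that delegated permission for the signing-in user's session; Application.ReadWrite.All requires admin consent, so a non-admin user will be stopped at the consent prompt, and when an admin consents the grant is recorded tenant-wide on that Enterprise Application. Suggest wording such as: "Sign in with an account that can grant admin consent and request the scope: Connect-MgGraph -Scopes 'Application.ReadWrite.All'", and add one sentence saying the consent persists on the Enterprise Application after this one-time setup, so readers know where to review or revoke it afterwards.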
@@ -1205,6 +1218,57 @@ If you want to configure App-Only permission for Exchange, as described here: https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-2-assign-api-permissions-to-the-application Using the following permission will achieve exactly that: @{Api='Exchange';PermissionsName='Exchange.ManageAsApp'} +Note 2: +If you want to configure App-Only permission for Security and compliance, please refer to this information on how to setup the permissions: +https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#security-and-compliance-center-permissions + +Note 3: +If you want to configure App-Only permission for Power Platform, please refer to this information on how to setup the permissions: +https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#power-apps-permissions + + +.Parameter ApplicationName +The name of the application to create or update. Default value is 'Microsoft365DSC'. + +.Parameter Permissions +The permissions to assign to the application. This has to be an array of hashtables, with Api=Graph, SharePoint or Exchange and PermissionsName set to a list of permissions. See examples for more information. + +.Parameter Type +The type of credential to create. Default value is 'Secret'. Valid values are 'Secret' and 'Certificate'. + +.Parameter MonthsValid +The number of months the certificate should be valid. Default value is 12. + +.Parameter CreateNewSecret +If specified, a new secret will be created for the application. -CreateNewSecret or -CertificatePath can be used, not both. + +.Parameter CertificatePath +The path to the certificate to use for the application. -CreateNewSecret or -CertificatePath can be used, not both. + +.Parameter CreateSelfSignedCertificate +If specified, a self-signed certificate will be created for the application. -CreateSelfSignedCertificate or -CertificatePath can be used, not both. 
+ +.Parameter AdminConsent +If specified, admin consent will be granted for the application. + +.Parameter Credential +The credential to use for authenticating the request. + +.Parameter ApplicationId +The ApplicationId to use for authenticating the request. -Credential or -ApplicationId can be used, not both. + +.Parameter TenantId +The TenantId to use for the request. The TenantId needs to be in the form of contoso.onmicrosoft.com. -Credential or -TenantId can be used, not both. + +.Parameter ApplicationSecret +The ApplicationSecret to use for authenticating the request. -Credential or -ApplicationSecret can be used, not both. + +.Parameter CertificateThumbprint +The CertificateThumbprint to use for authenticating the request. -Credential or -CertificateThumbprint can be used, not both. + +.Parameter ManagedIdentity +If specified, Managed Identity will be used for authenticating the request. -Credential or -ApplicationId or -ManagedIdentity can be used, only one of them. + .Example Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='SharePoint';PermissionName='Sites.FullControl.All'}) -AdminConsent -Type Secret -Credential $creds 
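Review bot: the new `.Parameter Permissions` text says each hashtable uses the key `PermissionsName`, while the `.Example` lines in the same file use `PermissionName` (and the Exchange note above uses `PermissionsName` again); only one of these can be the key the function actually reads, so please correct whichever is wrong, because a mis-spelled key could be silently ignored and leave the app registration without the intended permissions. Also, `.Parameter CreateSelfSignedCertificate` states "-CreateSelfSignedCertificate or -CertificatePath can be used, not both", which contradicts the new Example 4 in this patch, where both are passed together.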
@@ -1214,6 +1278,10 @@ Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions .Example Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='SharePoint';PermissionName='Sites.FullControl.All'},@{Api='Graph';PermissionName='Group.ReadWrite.All'},@{Api='Exchange';PermissionName='Exchange.ManageAsApp'}) -AdminConsent -Credential $creds -Type Certificate -CertificatePath c:\Temp\M365DSC.cer +.Example +Update-M365DSCAzureAdApplication -ApplicationName $Microsoft365DSC -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList Get-M365DSCAllResources -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer + + .Functionality Public #> diff --git a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md index 47bf7e2bf1..b0c9581ef1 100644 --- a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md +++ b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md @@ -10,6 +10,19 @@ This application can then be used for Application Authentication. The provided permissions have to be as an array of hashtables, with Api=Graph, SharePoint or Exchange and PermissionsName set to a list of permissions. See examples for more information. +NOTE: +Please make sure you have the following permissions for the 'Microsoft Graph Command Line Tools' +Enterprise Application in your tenant: + +- Application.ReadWrite.All + +You can add this scope to the 'Microsoft Graph Command Line Tools' Enterprise Application by running +the following command: + +```powershell +Connect-MgGraph -Scopes 'Application.ReadWrite.All' +``` + NOTE: If consent cannot be given for whatever reason, make sure all these permissions are given Admin Consent by browsing to the App Registration in Azure AD > API Permissions 
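Review bot: the new `.Example` (Example 4) has two defects: `-ApplicationName $Microsoft365DSC` passes an undefined variable (so an empty name) instead of the string `'Microsoft365DSC'`, and `-ResourceNameList Get-M365DSCAllResources` passes the literal string "Get-M365DSCAllResources" rather than the cmdlet's output; it should read `-ResourceNameList (Get-M365DSCAllResources)`. The two trailing blank lines before `.Functionality` can also go. The same example text is copied into the .md docs hunk later in this patch, so fix both copies.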
@@ -24,6 +37,14 @@ If you want to configure App-Only permission for Exchange, as described here: https://docs.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#step-2-assign-api-permissions-to-the-application Using the following permission will achieve exactly that: @{Api='Exchange';PermissionsName='Exchange.ManageAsApp'} +Note 2: +If you want to configure App-Only permission for Security and compliance, please refer to this information on how to setup the permissions: +https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#security-and-compliance-center-permissions + +Note 3: +If you want to configure App-Only permission for Power Platform, please refer to this information on how to setup the permissions: +https://microsoft365dsc.com/user-guide/get-started/authentication-and-permissions/#power-apps-permissions + ## Output This function does not generate any output. 
@@ -32,22 +53,22 @@ This function does not generate any output. | Parameter | Required | DataType | Default Value | Allowed Values | Description | | --- | --- | --- | --- | --- | --- | -| ApplicationName | False | String | Microsoft365DSC | | | -| Permissions | True True | Hashtable[] | | | | -| Type | False | String | Secret | Secret, Certificate | | -| MonthsValid | False | Int32 | 12 | | | -| CreateNewSecret | False | SwitchParameter | | | | -| CertificatePath | False | String | | | | -| CreateSelfSignedCertificate | False | SwitchParameter | | | | -| AdminConsent | False | SwitchParameter | | | | -| Credential | False | PSCredential | | | | -| ApplicationId | False | String | | | | -| TenantId | False | String | | | | -| ApplicationSecret | False | PSCredential | | | | -| CertificateThumbprint | False | String | | | | -| ManagedIdentity | False | SwitchParameter | | | | +| ApplicationName | False | String | Microsoft365DSC | | The name of the application to create or update. Default value is 'Microsoft365DSC'. | +| Permissions | True True | Hashtable[] | | | The permissions to assign to the application. This has to be an array of hashtables, with Api=Graph, SharePoint or Exchange and PermissionsName set to a list of permissions. See examples for more information. | +| Type | False | String | Secret | Secret, Certificate | The type of credential to create. Default value is 'Secret'. Valid values are 'Secret' and 'Certificate'. | +| MonthsValid | False | Int32 | 12 | | The number of months the certificate should be valid. Default value is 12. | +| CreateNewSecret | False | SwitchParameter | | | If specified, a new secret will be created for the application. -CreateNewSecret or -CertificatePath can be used, not both. | +| CertificatePath | False | String | | | The path to the certificate to use for the application. -CreateNewSecret or -CertificatePath can be used, not both. 
| +| CreateSelfSignedCertificate | False | SwitchParameter | | | If specified, a self-signed certificate will be created for the application. -CreateSelfSignedCertificate or -CertificatePath can be used, not both. | +| AdminConsent | False | SwitchParameter | | | If specified, admin consent will be granted for the application. | +| Credential | False | PSCredential | | | The credential to use for authenticating the request. | +| ApplicationId | False | String | | | The ApplicationId to use for authenticating the request. -Credential or -ApplicationId can be used, not both. | +| TenantId | False | String | | | The TenantId to use for the request. The TenantId needs to be in the form of contoso.onmicrosoft.com. -Credential or -TenantId can be used, not both. | +| ApplicationSecret | False | PSCredential | | | The ApplicationSecret to use for authenticating the request. -Credential or -ApplicationSecret can be used, not both. | +| CertificateThumbprint | False | String | | | The CertificateThumbprint to use for authenticating the request. -Credential or -CertificateThumbprint can be used, not both. | +| ManagedIdentity | False | SwitchParameter | | | If specified, Managed Identity will be used for authenticating the request. -Credential or -ApplicationId or -ManagedIdentity can be used, only one of them. | | Message | True | String | | | | -| Type | False | String | Info | Error, Warning, Info | | +| Type | False | String | Info | Error, Warning, Info | The type of credential to create. Default value is 'Secret'. Valid values are 'Secret' and 'Certificate'. | ## Examples 
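Review bot: the last row of the parameter table, `Type | False | String | Info | Error, Warning, Info`, now receives the description "The type of credential to create... Valid values are 'Secret' and 'Certificate'", which contradicts that row's own default and allowed values; this row and the `Message` row above it look like they were carried over from another cmdlet's table and should either be removed from this page or described correctly. The `Permissions` row still reads `True True` in the Required column.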
@@ -63,4 +84,8 @@ This function does not generate any output. `Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='SharePoint';PermissionName='Sites.FullControl.All'},@{Api='Graph';PermissionName='Group.ReadWrite.All'},@{Api='Exchange';PermissionName='Exchange.ManageAsApp'}) -AdminConsent -Credential $creds -Type Certificate -CertificatePath c:\Temp\M365DSC.cer` +-------------------------- EXAMPLE 4 -------------------------- + +`Update-M365DSCAzureAdApplication -ApplicationName $Microsoft365DSC -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList Get-M365DSCAllResources -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer` + From 130a1af715bfcd2852d1f8c5736c747ccbe6c23b Mon Sep 17 00:00:00 2001 From: Alik Agarwala Date: Mon, 24 Jul 2023 00:05:28 +0530 Subject: [PATCH 02/20] Fix: Remove redundant initialization of reactPlugin The variable 'reactPlugin' was being redundantly initialized twice in the code. This commit removes the redundant assignment inside the 'createTelemetryService' function, as the variable is already initialized at the beginning of the file. The code now runs efficiently without any redundancy. --- generator/src/services/TelemetryService.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/generator/src/services/TelemetryService.ts b/generator/src/services/TelemetryService.ts index e815579f14..e01480b2c6 100644 --- a/generator/src/services/TelemetryService.ts +++ b/generator/src/services/TelemetryService.ts @@ -25,8 +25,6 @@ const createTelemetryService = () => { throw new Error('Instrumentation key not provided in ./src/telemetry-provider.jsx') } - reactPlugin = new ReactPlugin(); - appInsights = new ApplicationInsights({ config: { instrumentationKey: instrumentationKey, From 81f94846e06ee1e99b57b55d0161fc08c18c3abf Mon Sep 17 00:00:00 2001 
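Review bot: removing `reactPlugin = new ReactPlugin();` is only safe if the top-of-file binding actually constructs the plugin (`const reactPlugin = new ReactPlugin();`) rather than merely declaring it (`let reactPlugin;`); the hunk context does not show that line, and if it is a bare declaration the `appInsights` configuration below will receive `undefined` for the plugin. Please quote the declaration in the commit message or widen the diff context, and confirm whether creating a fresh plugin on every `createTelemetryService()` call was intentional, for instance to avoid reusing one plugin instance across re-initialisation.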
From: Mario Date: Tue, 25 Jul 2023 18:03:47 +0200 Subject: [PATCH 03/20] Fix bug --- CHANGELOG.md | 5 +++++ .../DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 634764ccdf..27317655b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED +* AADGroup + * Fix issue setting MemberOf property. + FIXES [#3496](https://github.com/microsoft/Microsoft365DSC/issues/3496) + # 1.23.719.1 * EXOSharedMailbox diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 index 808c7b1202..cb2620a714 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 @@ -398,7 +398,7 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $currentParameters = $PSBoundParameters + $currentParameters = [hashtable]$PSBoundParameters $currentGroup = Get-TargetResource @PSBoundParameters $currentParameters.Remove('ApplicationId') | Out-Null $currentParameters.Remove('TenantId') | Out-Null From 0b19f5a5db25c779dde340a378e5d7c5af02d4ff Mon Sep 17 00:00:00 2001 From: Tayhall <4ndrewhall@gmail.com> Date: Wed, 26 Jul 2023 10:55:48 +0100 Subject: [PATCH 04/20] Fresh Changes --- CHANGELOG.md | 3 +- ...enantAccessPolicyConfigurationPartner.psm1 | 120 ++++++++++++++---- ...ccessPolicyConfigurationPartner.schema.mof | 7 + 3 files changed, 106 insertions(+), 24 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 634764ccdf..9e5f674810 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
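Review bot: `[hashtable]$PSBoundParameters` creates a copy, so the following `.Remove('ApplicationId')` / `.Remove('TenantId')` calls no longer strip the authentication parameters out of `$PSBoundParameters` itself; that is the real fix, and a one-line comment above the cast saying so would stop a future cleanup from reverting it to a plain assignment. For consistency with the pattern used elsewhere in the module, `([Hashtable]$PSBoundParameters).Clone()` makes the copy intent explicit.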
@@ -1,7 +1,8 @@ # Change log for Microsoft365DSC # 1.23.719.1 - +* AADCrossTenant + * Added Automatic Consent for inbound and Outbound trust settings * EXOSharedMailbox * Added capability to change the PrimarySMTPAddress of a Shared Mailbox * SPOExternalUserExpireInDays diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 index 9f56db415e..8894c8eac5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 @@ -28,6 +28,10 @@ function Get-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $InboundTrust, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutomaticUserConsentSettings, + [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] @@ -79,7 +83,7 @@ function Get-TargetResource $nullResult.Ensure = 'Absent' $getValue = Get-MgBetaPolicyCrossTenantAccessPolicyPartner -CrossTenantAccessPolicyConfigurationPartnerTenantId $PartnerTenantId ` - -ErrorAction SilentlyContinue + -ErrorAction SilentlyContinue if ($null -eq $getValue) { 
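Review bot: the CHANGELOG entry is inserted under `# 1.23.719.1`, which is the already-released version heading; new work belongs under an `# UNRELEASED` section at the top, as patch 03 in this series does. The bullet name `AADCrossTenant` should be the resource name `AADCrossTenantAccessPolicyConfigurationPartner`, and "Outbound" should be lower-case to match "inbound". The re-indentation of `-ErrorAction SilentlyContinue` in Get-TargetResource is an unrelated whitespace change.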
@@ -104,24 +108,29 @@ function Get-TargetResource { $B2BDirectConnectOutboundValue = $getValue.B2BDirectConnectOutbound } + if ($null -ne $getValue.AutomaticUserConsentSettings) + { + $AutomaticUserConsentSettingsValue = $getValue.AutomaticUserConsentSettings + } if ($null -ne $getValue.InboundTrust) { $InboundTrustValue = $getValue.InboundTrust } $results = @{ - PartnerTenantId = $getValue.TenantId - B2BCollaborationInbound = $B2BCollaborationInboundValue - B2BCollaborationOutbound = $B2BCollaborationOutboundValue - B2BDirectConnectInbound = $B2BDirectConnectInboundValue - B2BDirectConnectOutbound = $B2BDirectConnectOutboundValue - InboundTrust = $InboundTrustValue - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity.IsPresent + PartnerTenantId = $getValue.TenantId + B2BCollaborationInbound = $B2BCollaborationInboundValue + B2BCollaborationOutbound = $B2BCollaborationOutboundValue + B2BDirectConnectInbound = $B2BDirectConnectInboundValue + B2BDirectConnectOutbound = $B2BDirectConnectOutboundValue + AutomaticUserConsentSettings = $AutomaticUserConsentSettingsValue + InboundTrust = $InboundTrustValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent } return [System.Collections.Hashtable] $results @@ -163,6 +172,9 @@ function Set-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $B2BDirectConnectOutbound, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutomaticUserConsentSettings, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $InboundTrust, 
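Review bot: in the Set-TargetResource parameter block, the new `$AutomaticUserConsentSettings` parameter is not followed by a blank line before the `[Parameter()]` of `$InboundTrust`, unlike the same addition in Get-TargetResource and Test-TargetResource. Realigning every key of the `$results` hashtable in Get-TargetResource turns a one-key addition into thirteen changed lines; keeping the existing alignment would let the functional change stand out.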
@@ -212,13 +224,13 @@ function Set-TargetResource $currentInstance = Get-TargetResource @PSBoundParameters $OperationParams = ([Hashtable]$PSBoundParameters).Clone() - $OperationParams.Remove("Credential") | Out-Null - $OperationParams.Remove("ManagedIdentity") | Out-Null - $OperationParams.Remove("ApplicationId") | Out-Null - $OperationParams.Remove("TenantId") | Out-Null - $OperationParams.Remove("CertificateThumbprint") | Out-Null - $OperationParams.Remove("ApplicationSecret") | Out-Null - $OperationParams.Remove("Ensure") | Out-Null + $OperationParams.Remove('Credential') | Out-Null + $OperationParams.Remove('ManagedIdentity') | Out-Null + $OperationParams.Remove('ApplicationId') | Out-Null + $OperationParams.Remove('TenantId') | Out-Null + $OperationParams.Remove('CertificateThumbprint') | Out-Null + $OperationParams.Remove('ApplicationSecret') | Out-Null + $OperationParams.Remove('Ensure') | Out-Null if ($null -ne $OperationParams.B2BCollaborationInbound) { @@ -240,6 +252,10 @@ function Set-TargetResource $OperationParams.B2BDirectConnectOutbound = (Get-M365DSCAADCrossTenantAccessPolicyB2BSetting -Setting $OperationParams.B2BDirectConnectOutbound) $OperationParams.B2BDirectConnectOutbound = (Update-M365DSCSettingUserIdFromUPN -Setting $OperationParams.B2BDirectConnectOutbound) } + if ($null -ne $OperationParams.AutomaticUserConsentSettings) + { + $OperationParams.AutomaticUserConsentSettings = (Get-M365DSCAADCrossTenantAccessPolicyAutomaticUserConsentSettings -Setting $OperationParams.AutomaticUserConsentSettings) + } if ($null -ne $OperationParams.InboundTrust) { $OperationParams.InboundTrust = (Get-M365DSCAADCrossTenantAccessPolicyInboundTrust -Setting $OperationParams.InboundTrust) 
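Review bot: the change from double to single quotes on the seven `$OperationParams.Remove(...)` lines is unrelated formatting; if it is wanted it belongs in a separate commit so the feature diff stays reviewable. The new `AutomaticUserConsentSettings` branch mirrors the `InboundTrust` handling and looks correct.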
@@ -297,6 +313,10 @@ function Test-TargetResource [Microsoft.Management.Infrastructure.CimInstance] $InboundTrust, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $AutomaticUserConsentSettings, + [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] @@ -477,6 +497,10 @@ function Export-TargetResource { $Results.B2BDirectConnectOutbound = Get-M365DSCAADCrossTenantAccessPolicyB2BSettingAsString -Setting $Results.B2BDirectConnectOutbound } + if ($null -ne $Results.AutomaticUserConsentSettings) + { + $Results.AutomaticUserConsentSettings = Get-M365DSCAADCrossTenantAccessPolicyAutomaticUserConsentSettingsAsString -Setting $Results.AutomaticUserConsentSettings + } if ($null -ne $Results.InboundTrust) { $Results.InboundTrust = Get-M365DSCAADCrossTenantAccessPolicyInboundTrustAsString -Setting $Results.InboundTrust @@ -508,6 +532,11 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` -ParameterName 'B2BDirectConnectOutbound' } + if ($null -ne $Results.AutomaticUserConsentSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'AutomaticUserConsentSettings' + } if ($null -ne $Results.InboundTrust) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` 
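Review bot: the Test-TargetResource hunk only adds the `$AutomaticUserConsentSettings` parameter; please confirm that the comparison logic further down in that function (not in this diff) converts the new CimInstance the same way the other embedded-instance properties are handled before comparing, otherwise drift in `InboundAllowed` / `OutboundAllowed` will not be detected. The Export-TargetResource hunks look correct.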
@@ -702,13 +731,58 @@ function Get-M365DSCAADCrossTenantAccessPolicyB2BSetting } #endregion $results = @{ - Applications = $applications + Applications = $applications UsersAndGroups = $usersAndGroups } return $results } +function Get-M365DSCAADCrossTenantAccessPolicyAutomaticUserConsentSettings +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.Object] + $Setting + ) + + $result = @{ + InboundAllowed = $Setting.InboundAllowed + OutboundAllowed = $Setting.OutboundAllowed + } + + return $result +} + +function Get-M365DSCAADCrossTenantAccessPolicyAutomaticUserConsentSettingsAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + $Setting + ) + + $StringContent = $null + if ($null -ne $Setting.InboundAllowed -or $null -ne $Setting.OutboundAllowed) + { + $StringContent = "MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings {`r`n" + if ($null -ne $Setting.InboundAllowed) + { + $StringContent += " InboundAllowed = `$" + $Setting.InboundAllowed.ToString() + "`r`n" + } + if ($null -ne $Setting.OutboundAllowed) + { + $StringContent += " OutboundAllowed = `$" + $Setting.OutboundAllowed.ToString() + "`r`n" + } + $StringContent += " }`r`n" + } + + return $StringContent +} + function Get-M365DSCAADCrossTenantAccessPolicyInboundTrust { [CmdletBinding()] @@ -739,7 +813,7 @@ function Get-M365DSCAADCrossTenantAccessPolicyInboundTrustAsString $StringContent = $null if ($null -ne $Setting.IsCompliantDeviceAccepted -or $null -ne $Setting.IsHybridAzureADJoinedDeviceAccepted -or ` - $null -ne $Setting.IsMfaAccepted) + $null -ne $Setting.IsMfaAccepted) { $StringContent = "MSFT_AADCrossTenantAccessPolicyInboundTrust {`r`n" if ($null -ne $Setting.IsCompliantDeviceAccepted) 
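Review bot: in `Get-M365DSCAADCrossTenantAccessPolicyAutomaticUserConsentSettingsAsString` the `$Setting` parameter is untyped where the sibling function `Get-M365DSCAADCrossTenantAccessPolicyAutomaticUserConsentSettings` declares `[System.Object]`; please add the type. Patch 06 in this series corrects the indentation of the `OutboundAllowed` line in this function; squash that fix into this commit so the exported block is aligned from the start. The indentation change on `$null -ne $Setting.IsMfaAccepted` in `...InboundTrustAsString` is unrelated whitespace.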
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof index 4ea3485bc2..f0f669a3f3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof @@ -19,6 +19,13 @@ class MSFT_AADCrossTenantAccessPolicyB2BSetting [Write, Description("The list of users and groups targeted with your cross-tenant access policy."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyTargetConfiguration")] String UsersAndGroups; }; +[ClassVersion("1.0.0")] +class MSFT_AADCrossTenantAccessPolicyB2BSetting +{ + [Write, Description("The list of applications targeted with your cross-tenant access policy."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyTargetConfiguration")] String Applications; + [Write, Description("The list of users and groups targeted with your cross-tenant access policy."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyTargetConfiguration")] String UsersAndGroups; +}; + [ClassVersion("1.0.0")] class MSFT_AADCrossTenantAccessPolicyInboundTrust { From de81fc89caaea167f6cd076a265c5dbaf88a6729 Mon Sep 17 00:00:00 2001 From: Tayhall <4ndrewhall@gmail.com> Date: Wed, 26 Jul 2023 11:03:28 +0100 Subject: [PATCH 05/20] schema update --- ...SFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof | 1 + 1 file changed, 1 insertion(+) 
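Review bot: the schema.mof hunk adds a second `class MSFT_AADCrossTenantAccessPolicyB2BSetting` that is identical to the one directly above it, which is a duplicate class declaration and will break MOF compilation; the class the new `AutomaticUserConsentSettings` property needs is `MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings` with `Boolean InboundAllowed` and `Boolean OutboundAllowed` (added in patch 06, with the duplicate removed in patch 07). Squash patches 04 through 07 so no commit in the series leaves the schema broken.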
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof index f0f669a3f3..c18a60003f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof 
@@ -42,6 +42,7 @@ class MSFT_AADCrossTenantAccessPolicyConfigurationPartner : OMI_BaseResource [Write, Description("Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyB2BSetting")] String B2BCollaborationOutbound; [Write, Description("Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B direct connect."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyB2BSetting")] String B2BDirectConnectInbound; [Write, Description("Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyB2BSetting")] String B2BDirectConnectOutbound; + [Write, Description("Determines the partner-specific configuration for accepting trust claims from other tenant invitations."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings")] String AutomaticUserConsentSettings; [Write, Description("Determines the partner-specific configuration for trusting other Conditional Access claims from external Azure AD organizations."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyInboundTrust")] String InboundTrust; [Write, Description("Specify if the policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; From ea51685be3a57466c5cca193f432a132373e91f0 Mon Sep 17 00:00:00 2001 
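Review bot: this hunk references `EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings")`, but at this point in the series that class is not declared anywhere in the .mof (it arrives in patch 06), so the schema does not compile at this commit. The Description "accepting trust claims from other tenant invitations" also does not describe what the `InboundAllowed` / `OutboundAllowed` members control; something like "Determines the partner-specific configuration for automatic user consent settings (inbound and outbound)" would be clearer.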
From: Tayhall <4ndrewhall@gmail.com> Date: Wed, 26 Jul 2023 11:09:51 +0100 Subject: [PATCH 06/20] updates mof --- ...SFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 | 2 +- ...DCrossTenantAccessPolicyConfigurationPartner.schema.mof | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 index 8894c8eac5..008e94eac6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.psm1 @@ -775,7 +775,7 @@ function Get-M365DSCAADCrossTenantAccessPolicyAutomaticUserConsentSettingsAsStri } if ($null -ne $Setting.OutboundAllowed) { - $StringContent += " OutboundAllowed = `$" + $Setting.OutboundAllowed.ToString() + "`r`n" + $StringContent += " OutboundAllowed = `$" + $Setting.OutboundAllowed.ToString() + "`r`n" } $StringContent += " }`r`n" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof index c18a60003f..e9fb6e76da 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof 
@@ -26,6 +26,13 @@ class MSFT_AADCrossTenantAccessPolicyB2BSetting [Write, Description("The list of users and groups targeted with your cross-tenant access policy."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyTargetConfiguration")] String UsersAndGroups; }; +[ClassVersion("1.0.0")] +class MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings +{ + [Write, Description("Specifies whether you want to automatically trust Inbound invitations..")] Boolean InboundAllowed; + [Write, Description("Specifies whether you want to automatically trust Outbound invitations.")] Boolean OutboundAllowed; +}; + [ClassVersion("1.0.0")] class MSFT_AADCrossTenantAccessPolicyInboundTrust { From 129173ed9c872ae0f91cd13e3d2f66e792c8a732 Mon Sep 17 00:00:00 2001 From: Tayhall <4ndrewhall@gmail.com> Date: Wed, 26 Jul 2023 11:12:59 +0100 Subject: [PATCH 07/20] duplicate declare --- ...DCrossTenantAccessPolicyConfigurationPartner.schema.mof | 7 ------- 1 file changed, 7 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof index e9fb6e76da..58b35a2707 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof 
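Review bot: the `InboundAllowed` Description ends with a double period ("Inbound invitations.."); please drop the extra one. Both descriptions speak of "trust" while the class models automatic user consent; aligning the wording with the property name avoids confusion for anyone reading the exported configuration.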
@@ -19,13 +19,6 @@ class MSFT_AADCrossTenantAccessPolicyB2BSetting [Write, Description("The list of users and groups targeted with your cross-tenant access policy."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyTargetConfiguration")] String UsersAndGroups; }; -[ClassVersion("1.0.0")] -class MSFT_AADCrossTenantAccessPolicyB2BSetting -{ - [Write, Description("The list of applications targeted with your cross-tenant access policy."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyTargetConfiguration")] String Applications; - [Write, Description("The list of users and groups targeted with your cross-tenant access policy."), EmbeddedInstance("MSFT_AADCrossTenantAccessPolicyTargetConfiguration")] String UsersAndGroups; -}; - [ClassVersion("1.0.0")] class MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings { From 9dbebb4b02a7bfca4a741b7684dbae2d51cf8422 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Wed, 26 Jul 2023 14:39:04 +0200 Subject: [PATCH 08/20] Additional changes --- .../Modules/M365DSCPermissions.psm1 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 index d044d0dadb..e84f7bc0e8 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCPermissions.psm1 
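Review bot: this hunk only undoes the duplicate `MSFT_AADCrossTenantAccessPolicyB2BSetting` class introduced by patch 04 in the same series; please squash patches 04 through 07 into one commit so the schema never appears broken in history and the "duplicate declare" commit is not needed.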
@@ -1243,7 +1243,7 @@ The number of months the certificate should be valid. Default value is 12. If specified, a new secret will be created for the application. -CreateNewSecret or -CertificatePath can be used, not both. .Parameter CertificatePath -The path to the certificate to use for the application. -CreateNewSecret or -CertificatePath can be used, not both. +The path to the certificate to be uploaded for the app registration. If using with -CreateSelfSignedCertificate - a file with this name will be created and uploaded (file must not exist). Otherwise the file must already exist. Cannot be used with -CreateNewSecret simultaneously. .Parameter CreateSelfSignedCertificate If specified, a self-signed certificate will be created for the application. -CreateSelfSignedCertificate or -CertificatePath can be used, not both. 
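Review bot: the rewritten CertificatePath help says the file is created when the parameter is combined with -CreateSelfSignedCertificate, but the CreateSelfSignedCertificate entry two lines below still reads "-CreateSelfSignedCertificate or -CertificatePath can be used, not both", which now contradicts it (and the .EXAMPLE entries later in this patch combine both switches). Update that entry in the same hunk, e.g. "Requires -CertificatePath; the file must not yet exist and will be created." The "(file must not exist)" wording also implies a pre-check; say explicitly that the function errors out rather than overwriting an existing certificate file, since silently replacing a key file is the failure mode a user would care about.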
@@ -1252,19 +1252,19 @@ If specified, a self-signed certificate will be created for the application. -Cr If specified, admin consent will be granted for the application. .Parameter Credential -The credential to use for authenticating the request. +The credential to use for authenticating the request. Mutually exclusive with -TenantId. .Parameter ApplicationId The ApplicationId to use for authenticating the request. -Credential or -ApplicationId can be used, not both. .Parameter TenantId -The TenantId to use for the request. The TenantId needs to be in the form of contoso.onmicrosoft.com. -Credential or -TenantId can be used, not both. +The name of the tenant to use for the request. Must be in the form of contoso.onmicrosoft.com. Mutually exclusive with -Credential. .Parameter ApplicationSecret The ApplicationSecret to use for authenticating the request. -Credential or -ApplicationSecret can be used, not both. .Parameter CertificateThumbprint -The CertificateThumbprint to use for authenticating the request. -Credential or -CertificateThumbprint can be used, not both. +Thumbprint of an existing auth certificate to use for authenticating the request. Mutually exclusive with -Credential. .Parameter ManagedIdentity If specified, Managed Identity will be used for authenticating the request. -Credential or -ApplicationId or -ManagedIdentity can be used, only one of them. 
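Review bot: the Credential help now says "Mutually exclusive with -TenantId" only, while the unchanged ApplicationId, ApplicationSecret and ManagedIdentity lines keep the older "-Credential or -X can be used, not both" wording and CertificateThumbprint switches to the new phrasing, so the hunk leaves one parameter set documented in two styles. Pick one style, and make the Credential entry list every alternative it excludes (ApplicationId, ApplicationSecret, CertificateThumbprint and ManagedIdentity as well as TenantId), because the app-only path is TenantId plus ApplicationId plus a secret or a thumbprint, and a reader should not have to reconstruct that from five separate lines.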
@@ -1272,13 +1272,13 @@ If specified, Managed Identity will be used for authenticating the request. -Cre .Example Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='SharePoint';PermissionName='Sites.FullControl.All'}) -AdminConsent -Type Secret -Credential $creds -.Example +.EXAMPLE Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='Graph';PermissionName='Domain.Read.All'}) -AdminConsent -Credential $creds -Type Certificate -CreateSelfSignedCertificate -CertificatePath c:\Temp\M365DSC.cer -.Example +.EXAMPLE Update-M365DSCAzureAdApplication -ApplicationName 'Microsoft365DSC' -Permissions @(@{Api='SharePoint';PermissionName='Sites.FullControl.All'},@{Api='Graph';PermissionName='Group.ReadWrite.All'},@{Api='Exchange';PermissionName='Exchange.ManageAsApp'}) -AdminConsent -Credential $creds -Type Certificate -CertificatePath c:\Temp\M365DSC.cer -.Example +.EXAMPLE Update-M365DSCAzureAdApplication -ApplicationName $Microsoft365DSC -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList Get-M365DSCAllResources -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer From 9f9fab5432d7321b23396d23f262b1a1b0c18485 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Wed, 26 Jul 2023 14:42:56 +0200 Subject: [PATCH 09/20] changed type to be of dropdown --- .../ISSUE_TEMPLATE/ProblemWithResource.yml | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/ProblemWithResource.yml b/.github/ISSUE_TEMPLATE/ProblemWithResource.yml index c9c1cb6572..a990ec4ce9 100644 --- a/.github/ISSUE_TEMPLATE/ProblemWithResource.yml +++ b/.github/ISSUE_TEMPLATE/ProblemWithResource.yml 
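Review bot: the casing fix is incomplete: the first example keyword at the top of this hunk is still lower-case `.Example` while the following three were changed to `.EXAMPLE`. Two defects in the fourth example's context line are also worth fixing while the block is being edited: `-ApplicationName $Microsoft365DSC` passes an undefined variable where the other examples use the string 'Microsoft365DSC', and `-ResourceNameList Get-M365DSCAllResources` passes the literal cmdlet name instead of its output, which should be `-ResourceNameList (Get-M365DSCAllResources)`. As the other examples grant tenant-wide rights such as Sites.FullControl.All and Group.ReadWrite.All with -AdminConsent, the fourth one (the read-only, compiled-permission-list variant) is the least-privilege example and the one users should be able to copy verbatim.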
@@ -35,21 +35,23 @@ body: validations: required: true - - type: checkboxes + - type: dropdown + id: Workload attributes: - label: "Workload" + label: "Which workloads are affected" description: The workload of the resource you are having an issue with. options: - - label: "Azure Active Directory" - - label: "Exchange Online" - - label: "Office 365 Admin" - - label: "OneDrive for Business" - - label: "Planner" - - label: "Power Platform" - - label: "Security & Compliance Center" - - label: "SharePoint Online" - - label: "Teams" - - label: "other" + - "Azure Active Directory" + - "Exchange Online" + - "Office 365 Admin" + - "OneDrive for Business" + - "Planner" + - "Power Platform" + - "Security & Compliance Center" + - "SharePoint Online" + - "Teams" + - "other" + multiple: true validations: required: true From b3d465b681851ad243b8dc7e7d98c81cbfbd384a Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jul 2023 08:58:04 -0400 Subject: [PATCH 10/20] Update Microsoft365DSC.SettingsJson.Tests.ps1 --- Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1 b/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1 index 10e8a1da41..e25ede1b54 100644 --- a/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1 +++ b/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1 @@ -29,7 +29,9 @@ Describe -Name 'Successfully validate all used permissions in Settings.json file { # Only validate non-GUID (hidden) permissions. $ObjectGuid = [System.Guid]::empty - if (-not [System.Guid]::TryParse($permission.Name ,[System.Management.Automation.PSReference]$ObjectGuid)) + # There is an issue where the GUI shows Tasks.Read.All but the OAuth value is actually Tasks.Read + if (-not [System.Guid]::TryParse($permission.Name ,[System.Management.Automation.PSReference]$ObjectGuid) -and + $permission.Name -ne 'Tasks.Read.All') { $permission.Name | Should -BeIn $roles } 
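Review bot: the Tasks.Read.All exclusion added to the `if` in Microsoft365DSC.SettingsJson.Tests.ps1 is a hardcoded bypass inside the test predicate. The purpose of this test is to guarantee that every non-GUID permission name in a settings.json resolves to a real Graph app role, so a name excluded here is exactly one that may fail at consent time; if the portal label and the OAuth role value really differ, the better fix is to put the OAuth value (`Tasks.Read`, per the new comment) in the affected settings.json and keep the test strict. If the exclusion has to stay, move it to a named list at the top of the test (e.g. `$knownMismatches = @('Tasks.Read.All')`) with the comment attached, so the next mismatch is not appended to the condition. The dropdown change in ProblemWithResource.yml reads fine.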
From a8dd605a2738ce45f8a9a52077ca01b844764e86 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jul 2023 13:06:57 +0000 Subject: [PATCH 11/20] Updated Resources and Cmdlet documentation pages --- .../cmdlets/Update-M365DSCAzureAdApplication.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md index b0c9581ef1..77ddc22059 100644 --- a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md +++ b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md 
@@ -58,14 +58,14 @@ This function does not generate any output. | Type | False | String | Secret | Secret, Certificate | The type of credential to create. Default value is 'Secret'. Valid values are 'Secret' and 'Certificate'. | | MonthsValid | False | Int32 | 12 | | The number of months the certificate should be valid. Default value is 12. | | CreateNewSecret | False | SwitchParameter | | | If specified, a new secret will be created for the application. -CreateNewSecret or -CertificatePath can be used, not both. | -| CertificatePath | False | String | | | The path to the certificate to use for the application. -CreateNewSecret or -CertificatePath can be used, not both. | +| CertificatePath | False | String | | | The path to the certificate to be uploaded for the app registration. If using with -CreateSelfSignedCertificate - a file with this name will be created and uploaded (file must not exist). Otherwise the file must already exist. Cannot be used with -CreateNewSecret simultaneously. | | CreateSelfSignedCertificate | False | SwitchParameter | | | If specified, a self-signed certificate will be created for the application. -CreateSelfSignedCertificate or -CertificatePath can be used, not both. | | AdminConsent | False | SwitchParameter | | | If specified, admin consent will be granted for the application. | -| Credential | False | PSCredential | | | The credential to use for authenticating the request. | +| Credential | False | PSCredential | | | The credential to use for authenticating the request. Mutually exclusive with -TenantId. | | ApplicationId | False | String | | | The ApplicationId to use for authenticating the request. -Credential or -ApplicationId can be used, not both. | -| TenantId | False | String | | | The TenantId to use for the request. The TenantId needs to be in the form of contoso.onmicrosoft.com. -Credential or -TenantId can be used, not both. | +| TenantId | False | String | | | The name of the tenant to use for the request. 
Must be in the form of contoso.onmicrosoft.com. Mutually exclusive with -Credential. | | ApplicationSecret | False | PSCredential | | | The ApplicationSecret to use for authenticating the request. -Credential or -ApplicationSecret can be used, not both. | -| CertificateThumbprint | False | String | | | The CertificateThumbprint to use for authenticating the request. -Credential or -CertificateThumbprint can be used, not both. | +| CertificateThumbprint | False | String | | | Thumbprint of an existing auth certificate to use for authenticating the request. Mutually exclusive with -Credential. | | ManagedIdentity | False | SwitchParameter | | | If specified, Managed Identity will be used for authenticating the request. -Credential or -ApplicationId or -ManagedIdentity can be used, only one of them. | | Message | True | String | | | | | Type | False | String | Info | Error, Warning, Info | The type of credential to create. Default value is 'Secret'. Valid values are 'Secret' and 'Certificate'. | From bde0e4bb6d1e804f773a1150f4229288090b47f8 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jul 2023 14:00:05 +0000 Subject: [PATCH 12/20] Updated Resources and Cmdlet documentation pages --- .../AADCrossTenantAccessPolicyConfigurationPartner.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md b/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md index 9ae3b63b20..e45def23a3 100644 --- a/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md +++ b/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md 
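Review bot: the parameter table in Update-M365DSCAzureAdApplication.md ends with a `Message` row (Required True, no description) and a second `Type` row whose description repeats "The type of credential to create" but lists Error, Warning, Info as allowed values; those rows belong to a logging function, not to this cmdlet, so the generator producing this page is merging two parameter blocks. Fix the generator or remove the rows by hand before publishing, since a documented required `Message` parameter will mislead users. The same contradiction as in the .psm1 help carries over here: the CreateSelfSignedCertificate row still says it cannot be combined with CertificatePath while the new CertificatePath text describes exactly that combination.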
@@ -9,6 +9,7 @@ | **B2BCollaborationOutbound** | Write | MSFT_AADCrossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. | | | **B2BDirectConnectInbound** | Write | MSFT_AADCrossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B direct connect. | | | **B2BDirectConnectOutbound** | Write | MSFT_AADCrossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. | | +| **AutomaticUserConsentSettings** | Write | MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings | Determines the partner-specific configuration for accepting trust claims from other tenant invitations. | | | **InboundTrust** | Write | MSFT_AADCrossTenantAccessPolicyInboundTrust | Determines the partner-specific configuration for trusting other Conditional Access claims from external Azure AD organizations. | | | **Ensure** | Write | String | Specify if the policy should exist or not. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the Admin | | 
@@ -45,6 +46,15 @@ | **Applications** | Write | MSFT_AADCrossTenantAccessPolicyTargetConfiguration | The list of applications targeted with your cross-tenant access policy. | | | **UsersAndGroups** | Write | MSFT_AADCrossTenantAccessPolicyTargetConfiguration | The list of users and groups targeted with your cross-tenant access policy. | | +### MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **InboundAllowed** | Write | Boolean | Specifies whether you want to automatically trust Inbound invitations.. | | +| **OutboundAllowed** | Write | Boolean | Specifies whether you want to automatically trust Outbound invitations. | | + ### MSFT_AADCrossTenantAccessPolicyInboundTrust #### Parameters From 2dfbc1e9cccffd8703e87210b35e97526b021bee Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jul 2023 10:01:51 -0400 Subject: [PATCH 13/20] Fixes typos --- ...FT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof | 2 +- .../MSFT_SCDLPComplianceRule.schema.mof | 2 +- .../DSCResources/MSFT_TeamsCallParkPolicy/settings.json | 2 +- .../MSFT_TeamsComplianceRecordingPolicy/settings.json | 2 +- .../DSCResources/MSFT_TeamsCortanaPolicy/settings.json | 2 +- .../DSCResources/MSFT_TeamsIPPhonePolicy/settings.json | 2 +- .../DSCResources/MSFT_TeamsNetworkRoamingPolicy/settings.json | 2 +- .../DSCResources/MSFT_TeamsShiftsPolicy/settings.json | 2 +- .../DSCResources/MSFT_TeamsTenantNetworkRegion/settings.json | 2 +- .../DSCResources/MSFT_TeamsTenantNetworkSite/settings.json | 2 +- .../DSCResources/MSFT_TeamsTenantNetworkSubnet/settings.json | 2 +- .../DSCResources/MSFT_TeamsTenantTrustedIPAddress/settings.json | 2 +- .../MSFT_TeamsUnassignedNumberTreatment/settings.json | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) 
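Review bot: the generated MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings section in AADCrossTenantAccessPolicyConfigurationPartner.md carries the doubled period from the MOF (`Inbound invitations..`). Patch 13 fixes the MOF, but this markdown is produced from it, so the docs generation needs re-running after that commit or the published page keeps the typo.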
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof index 58b35a2707..031e44fedb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCrossTenantAccessPolicyConfigurationPartner/MSFT_AADCrossTenantAccessPolicyConfigurationPartner.schema.mof @@ -22,7 +22,7 @@ class MSFT_AADCrossTenantAccessPolicyB2BSetting [ClassVersion("1.0.0")] class MSFT_AADCrossTenantAccessPolicyAutomaticUserConsentSettings { - [Write, Description("Specifies whether you want to automatically trust Inbound invitations..")] Boolean InboundAllowed; + [Write, Description("Specifies whether you want to automatically trust Inbound invitations.")] Boolean InboundAllowed; [Write, Description("Specifies whether you want to automatically trust Outbound invitations.")] Boolean OutboundAllowed; }; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.schema.mof index 8e6be324e3..2202e3c6c5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SCDLPComplianceRule/MSFT_SCDLPComplianceRule.schema.mof 
@@ -61,7 +61,7 @@ class MSFT_SCDLPComplianceRule : OMI_BaseResource [Write, Description("Username can be made up to anything but password will be used for CertificatePassword"), EmbeddedInstance("MSFT_Credential")] String CertificatePassword; [Write, Description("Path to certificate used in service principal usually a PFX file.")] String CertificatePath; [Write, Description("The AnyOfRecipientAddressContainsWords parameter specifies a condition for the DLP rule that looks for words or phrases in recipient email addresses.")] String AnyOfRecipientAddressContainsWords[]; - [Write, Description("The AnyOfRecipientAddressMatchesPatterns parameter specifies a condition for the DLP rule that looks for text patterns in recipient email addresses by using regular expressions..")] String AnyOfRecipientAddressMatchesPatterns[]; + [Write, Description("The AnyOfRecipientAddressMatchesPatterns parameter specifies a condition for the DLP rule that looks for text patterns in recipient email addresses by using regular expressions.")] String AnyOfRecipientAddressMatchesPatterns[]; [Write, Description("The RemoveRMSTemplate parameter specifies an action for the DLP rule that removes Office 365 Message Encryption from messages and their attachments.")] Boolean RemoveRMSTemplate; [Write, Description("The StopPolicyProcessing parameter specifies an action that stops processing more DLP policy rules.")] Boolean StopPolicyProcessing; [Write, Description("The DocumentIsUnsupported parameter specifies a condition for the DLP rule that looks for files that can't be scanned.")] Boolean DocumentIsUnsupported; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsCallParkPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsCallParkPolicy/settings.json index 3a8566070e..6740f367ef 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsCallParkPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsCallParkPolicy/settings.json 
@@ -1,6 +1,6 @@ { "resourceName": "TeamsCallParkPolicy", - "description": "The TeamsCallParkPolicy controls whether or not users are able to leverage the call park feature in Microsoft Teams. Call park allows enterprise voice customers to place a call on hold and then perform a number of actions on that call: transfer to another department, retrieve via the same phone, or retrieve via a different Teams phone. The New-CsTeamsCallParkPolicy resource lets you create a new custom policy that can then be assigned to one or more specific users..", + "description": "The TeamsCallParkPolicy controls whether or not users are able to leverage the call park feature in Microsoft Teams. Call park allows enterprise voice customers to place a call on hold and then perform a number of actions on that call: transfer to another department, retrieve via the same phone, or retrieve via a different Teams phone. The New-CsTeamsCallParkPolicy resource lets you create a new custom policy that can then be assigned to one or more specific users.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/settings.json index eec9a71a21..93d00a00ad 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsComplianceRecordingPolicy/settings.json 
@@ -1,6 +1,6 @@ { "resourceName": "TeamsComplianceRecordingPolicy", - "description": "This resource configures an Creates a new Teams recording policy for governing automatic policy-based recording in your tenant. Automatic policy-based recording is only applicable to Microsoft Teams users..", + "description": "This resource configures an Creates a new Teams recording policy for governing automatic policy-based recording in your tenant. Automatic policy-based recording is only applicable to Microsoft Teams users.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsCortanaPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsCortanaPolicy/settings.json index a220ac29d5..5751ac389c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsCortanaPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsCortanaPolicy/settings.json @@ -1,6 +1,6 @@ { "resourceName": "TeamsCortanaPolicy", - "description": "This resource configures an The CsTeamsCortanaPolicy resources enable administrators to control settings for Cortana voice assistant in Microsoft Teams..", + "description": "This resource configures an The CsTeamsCortanaPolicy resources enable administrators to control settings for Cortana voice assistant in Microsoft Teams.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsIPPhonePolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsIPPhonePolicy/settings.json index 2f41c5812b..60e07fed7c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsIPPhonePolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsIPPhonePolicy/settings.json 
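Review bot: both hunks here remove only the trailing extra period and leave the template residue in front of it: "This resource configures an Creates a new Teams recording policy" in TeamsComplianceRecordingPolicy and "This resource configures an The CsTeamsCortanaPolicy resources enable" in TeamsCortanaPolicy are still ungrammatical. Since the line is being touched anyway, rewrite to "This resource creates a new Teams recording policy ..." and "This resource enables administrators to control settings for Cortana voice assistant ...". These descriptions are rendered in the resource docs, and the fragment reads as if text was dropped.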
@@ -1,6 +1,6 @@ { "resourceName": "TeamsIPPhonePolicy", - "description": "This resource configures an New-CsTeamsIPPhonePolicy allows you to create a policy to manage features related to Teams phone experiences. Teams phone policies determine the features that are available to users..", + "description": "This resource configures an New-CsTeamsIPPhonePolicy allows you to create a policy to manage features related to Teams phone experiences. Teams phone policies determine the features that are available to users.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsNetworkRoamingPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsNetworkRoamingPolicy/settings.json index cbe46270da..b9f4fee0ec 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsNetworkRoamingPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsNetworkRoamingPolicy/settings.json @@ -1,6 +1,6 @@ { "resourceName": "TeamsNetworkRoamingPolicy", - "description": "This resource configures an New-CsTeamsNetworkRoamingPolicy allows IT Admins to create policies for Network Roaming and Bandwidth Control experiences in Microsoft Teams..", + "description": "This resource configures an New-CsTeamsNetworkRoamingPolicy allows IT Admins to create policies for Network Roaming and Bandwidth Control experiences in Microsoft Teams.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsShiftsPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsShiftsPolicy/settings.json index c3a10898f3..e123113879 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsShiftsPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsShiftsPolicy/settings.json 
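Review bot: same residue as the previous file pair: "This resource configures an New-CsTeamsIPPhonePolicy allows you" in TeamsIPPhonePolicy and "This resource configures an New-CsTeamsNetworkRoamingPolicy allows IT Admins" in TeamsNetworkRoamingPolicy survive the edit. Drop the "This resource configures an" prefix and start the sentence at the verb ("This resource creates a policy to manage features ..."), or keep the prefix and drop the cmdlet clause, but not both halves.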
@@ -1,6 +1,6 @@ { "resourceName": "TeamsShiftsPolicy", - "description": "This resource configures an This resource allows you to create a new TeamsShiftPolicy instance and set it\u0027s properties..", + "description": "This resource configures an This resource allows you to create a new TeamsShiftPolicy instance and set it's properties.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkRegion/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkRegion/settings.json index e3377ffd22..a15ecdb7ee 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkRegion/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkRegion/settings.json @@ -1,6 +1,6 @@ { "resourceName": "TeamsTenantNetworkRegion", - "description": "As an Admin, you can use the Windows PowerShell command, New-CsTenantNetworkRegion to define network regions. A network region interconnects various parts of a network across multiple geographic areas. The RegionID parameter is a logical name that represents the geography of the region, and has no dependencies or restrictions. Tenant network region is used for Location Based Routing..", + "description": "As an Admin, you can use the Windows PowerShell command, New-CsTenantNetworkRegion to define network regions. A network region interconnects various parts of a network across multiple geographic areas. The RegionID parameter is a logical name that represents the geography of the region, and has no dependencies or restrictions. Tenant network region is used for Location Based Routing.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkSite/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkSite/settings.json index 40737ba0d2..5744117c04 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkSite/settings.json 
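Review bot: the TeamsShiftsPolicy description still reads "This resource configures an This resource allows you to create a new TeamsShiftPolicy instance and set it's properties"; the doubled "This resource" prefix should go and "it's" should be "its". Replacing the `\u0027` escape with a literal apostrophe is valid JSON, so no concern there. The TeamsTenantNetworkRegion hunk in the same line is a clean trailing-period fix.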
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkSite/settings.json @@ -1,6 +1,6 @@ { "resourceName": "TeamsTenantNetworkSite", - "description": "As an Admin, you can use the Windows PowerShell command, New-CsTenantNetworkSite to define network sites. Network sites are defined as a collection of IP subnets. Each network site must be associated with a network region. Tenant network site is used for Location Based Routing..", + "description": "As an Admin, you can use the Windows PowerShell command, New-CsTenantNetworkSite to define network sites. Network sites are defined as a collection of IP subnets. Each network site must be associated with a network region. Tenant network site is used for Location Based Routing.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkSubnet/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkSubnet/settings.json index d0eaaaf0c1..91cd91a901 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkSubnet/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantNetworkSubnet/settings.json @@ -1,6 +1,6 @@ { "resourceName": "TeamsTenantNetworkSubnet", - "description": "As an Admin, you can use the Windows PowerShell command, New-CsTenantNetworkSubnet to define network subnets and assign them to network sites. Each internal subnet may only be associated with one site. Tenant network subnet is used for Location Based Routing..", + "description": "As an Admin, you can use the Windows PowerShell command, New-CsTenantNetworkSubnet to define network subnets and assign them to network sites. Each internal subnet may only be associated with one site. Tenant network subnet is used for Location Based Routing.", "roles": { "read": [ "Global Reader" 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantTrustedIPAddress/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantTrustedIPAddress/settings.json index d4ed3442d5..3e5b195cdd 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantTrustedIPAddress/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsTenantTrustedIPAddress/settings.json @@ -1,6 +1,6 @@ { "resourceName": "TeamsTenantTrustedIPAddress", - "description": "As an Admin, you can use the Windows PowerShell command, New-CsTenantTrustedIPAddress to define external subnets and assign them to the tenant. You can define an unlimited number of external subnets for a tenant..", + "description": "As an Admin, you can use the Windows PowerShell command, New-CsTenantTrustedIPAddress to define external subnets and assign them to the tenant. You can define an unlimited number of external subnets for a tenant.", "roles": { "read": [ "Global Reader" diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUnassignedNumberTreatment/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUnassignedNumberTreatment/settings.json index ed9727b7c5..dd94199bdc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUnassignedNumberTreatment/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUnassignedNumberTreatment/settings.json 
@@ -1,6 +1,6 @@ { "resourceName": "TeamsUnassignedNumberTreatment", - "description": "This resource configures an Creates a new treatment for how calls to an unassigned number range should be routed. The call can be routed to a user, an application or to an announcement service where a custom message will be played to the caller..", + "description": "This resource configures an Creates a new treatment for how calls to an unassigned number range should be routed. The call can be routed to a user, an application or to an announcement service where a custom message will be played to the caller.", "roles": { "read": [ "Global Reader" From 9f415a0633d97975121c0738798c9cddaebb67a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Wed, 26 Jul 2023 16:44:18 +0200 Subject: [PATCH 14/20] Updated Resources and Cmdlet documentation pages #### Pull Request (PR) description Fixes issues due to MaxFunctionCount in PS5.1 #### This Pull Request (PR) fixes the following issues - Fixes #3454 --- .github/workflows/CodeCoverage.yml | 8 ++++---- .github/workflows/Unit Tests.yml | 8 ++++---- CHANGELOG.md | 4 ++++ Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 | 12 +++++++++--- Tests/TestHarness.psm1 | 2 +- 5 files changed, 22 insertions(+), 12 deletions(-) diff --git a/.github/workflows/CodeCoverage.yml b/.github/workflows/CodeCoverage.yml index 656062ed9f..12de9e7d3b 100644 --- a/.github/workflows/CodeCoverage.yml +++ b/.github/workflows/CodeCoverage.yml @@ -25,7 +25,7 @@ jobs: shell: pwsh run: | Import-Module './Tests/TestHarness.psm1' -Force; - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 try { @@ -33,7 +33,7 @@ jobs: } catch { - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 Import-Module './Tests/TestHarness.psm1' -Force; $results = Invoke-QualityChecksHarness } 
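Review bot: TeamsUnassignedNumberTreatment keeps "This resource configures an Creates a new treatment for how calls ..." after the edit; rewrite as "This resource creates a treatment for how calls to an unassigned number range should be routed ..." while the line is open. With this one, five of the settings.json hunks in patch 13 fix the period but not the sentence, which suggests a search for the literal string "This resource configures an " across DSCResources rather than fixing them one at a time.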
@@ -45,7 +45,7 @@ jobs: shell: pwsh run: | Import-Module './Tests/TestHarness.psm1' -Force; - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 try { @@ -53,7 +53,7 @@ jobs: } catch { - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 Import-Module './Tests/TestHarness.psm1' -Force; $results = Invoke-TestHarness } diff --git a/.github/workflows/Unit Tests.yml b/.github/workflows/Unit Tests.yml index 21ba42fd4b..5276499448 100644 --- a/.github/workflows/Unit Tests.yml +++ b/.github/workflows/Unit Tests.yml @@ -27,7 +27,7 @@ jobs: shell: pwsh run: | Import-Module './Tests/TestHarness.psm1' -Force; - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 try { @@ -35,7 +35,7 @@ jobs: } catch { - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 Import-Module './Tests/TestHarness.psm1' -Force; $results = Invoke-QualityChecksHarness } @@ -47,7 +47,7 @@ jobs: shell: pwsh run: | Import-Module './Tests/TestHarness.psm1' -Force; - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 try { @@ -55,7 +55,7 @@ jobs: } catch { - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 Import-Module './Tests/TestHarness.psm1' -Force; $results = Invoke-TestHarness -IgnoreCodeCoverage } diff --git a/CHANGELOG.md b/CHANGELOG.md index f3e7f7d3a2..bb2367b54a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,13 @@ # Change log for Microsoft365DSC # UNRELEASED + * AADGroup * Fix issue setting MemberOf property. FIXES [#3496](https://github.com/microsoft/Microsoft365DSC/issues/3496) +* MISC + * Improved Update-M365DSCDependencies function to properly install all Microsoft.Graph.*M modules. + FIXES [#3454](https://github.com/microsoft/Microsoft365DSC/issues/3454) # 1.23.719.1 diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 9c98de1707..d28556058d 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 
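Review bot: the CodeCoverage.yml and Unit Tests.yml hunks run under `shell: pwsh`, while the PR description says the fix targets MaxFunctionCount in PS 5.1; confirm that the variable still has an effect under pwsh, because if it does not, raising 9999 to 32767 in these steps is a dead change and the diff should be kept to the actual fix in M365DSCUtil.psm1. The CHANGELOG entry describes only the Update-M365DSCDependencies change and says nothing about the MaximumFunctionCount increase that the same commit applies in Export-M365DSCConfiguration and New-M365DSCConnection; add a line for it, and squash the `Microsoft.Graph.*M` typo fix from patch 15 into this commit.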
@@ -1155,7 +1155,7 @@ function Export-M365DSCConfiguration $Validate ) - $Global:MaximumFunctionCount = 16000 + $Global:MaximumFunctionCount = 32767 # Define the exported resource instances' names Global variable $Global:M365DSCExportedResourceInstancesNames = @() @@ -1661,7 +1661,7 @@ function New-M365DSCConnection $SkipModuleReload = $false ) - $Global:MaximumFunctionCount = 16000 + $Global:MaximumFunctionCount = 32767 if ($Workload -eq 'MicrosoftTeams') { @@ -2757,6 +2757,7 @@ function Update-M365DSCDependencies $ValidateOnly ) + $Global:MaximumFunctionCount = 32767 $InformationPreference = 'Continue' $currentPath = Join-Path -Path $PSScriptRoot -ChildPath '..\' -Resolve @@ -2782,8 +2783,12 @@ function Update-M365DSCDependencies { Write-Information -MessageData "Installing $($dependency.ModuleName) version {$($dependency.RequiredVersion)}" Remove-Module $dependency.ModuleName -Force -ErrorAction SilentlyContinue + if ($dependency.ModuleName -like 'Microsoft.Graph*') + { + Remove-Module 'Microsoft.Graph.Authentication' -Force -ErrorAction SilentlyContinue + } + Remove-Module $dependency.ModuleName -Force -ErrorAction SilentlyContinue Install-Module $dependency.ModuleName -RequiredVersion $dependency.RequiredVersion -AllowClobber -Force -Scope 'AllUsers' - Import-Module $dependency.ModuleName -Force } else { @@ -2801,6 +2806,7 @@ function Update-M365DSCDependencies Write-Host "Could not update or import {$($dependency.ModuleName)}" Write-Host "Error-Mesage: $($_.Exception.Message)" } + $i++ } diff --git a/Tests/TestHarness.psm1 b/Tests/TestHarness.psm1 index 36222dc7f9..0d93e4c7f9 100644 --- a/Tests/TestHarness.psm1 +++ b/Tests/TestHarness.psm1 @@ -18,7 +18,7 @@ function Invoke-TestHarness $sw = [System.Diagnostics.StopWatch]::startnew() - $MaximumFunctionCount = 9999 + $MaximumFunctionCount = 32767 Write-Host -Object 'Running all Microsoft365DSC Unit Tests' $repoDir = Join-Path -Path $PSScriptRoot -ChildPath '..\' -Resolve 
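Review bot: in the Update-M365DSCDependencies hunk, `Remove-Module $dependency.ModuleName -Force -ErrorAction SilentlyContinue` now appears twice, once on the unchanged line before the new Microsoft.Graph.Authentication block and once on the added line after it; drop one. Removing `Import-Module $dependency.ModuleName -Force` after Install-Module means the freshly installed version is no longer loaded into the session, yet the catch block still reports "Could not update or import {...}"; either the message or the behaviour should change, and any caller that relied on the module being imported afterwards needs checking. The added `$i++` has no visible initialisation or consumer in this hunk; confirm `$i` is set before the loop rather than relying on PowerShell treating an undefined variable as 0. Finally, assigning `$Global:MaximumFunctionCount` from inside three library functions is a process-wide side effect that outlives the call; acceptable for a tool that genuinely needs it, but mention it in the function help so operators embedding the module in other scripts are not surprised.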
From 2f1b56228ceb4427c7fedad56852c825f00995d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Wed, 26 Jul 2023 16:47:26 +0200 Subject: [PATCH 15/20] typo --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bb2367b54a..6048fe6082 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,7 @@ * Fix issue setting MemberOf property. FIXES [#3496](https://github.com/microsoft/Microsoft365DSC/issues/3496) * MISC - * Improved Update-M365DSCDependencies function to properly install all Microsoft.Graph.*M modules. + * Improved Update-M365DSCDependencies function to properly install all Microsoft.Graph.* modules. FIXES [#3454](https://github.com/microsoft/Microsoft365DSC/issues/3454) # 1.23.719.1 From f04d4e41d5f11219deb4c201fa0c04360623ca3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andi=20Kr=C3=BCger?= <15608729+andikrueger@users.noreply.github.com> Date: Wed, 26 Jul 2023 16:50:24 +0200 Subject: [PATCH 16/20] Update docs page with latest changes --- .../cmdlets/Update-M365DSCAzureAdApplication.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md index b0c9581ef1..81d4291bbf 100644 --- a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md +++ b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md 
@@ -58,14 +58,14 @@ This function does not generate any output. | Type | False | String | Secret | Secret, Certificate | The type of credential to create. Default value is 'Secret'. Valid values are 'Secret' and 'Certificate'. | | MonthsValid | False | Int32 | 12 | | The number of months the certificate should be valid. Default value is 12. | | CreateNewSecret | False | SwitchParameter | | | If specified, a new secret will be created for the application. -CreateNewSecret or -CertificatePath can be used, not both. | -| CertificatePath | False | String | | | The path to the certificate to use for the application. -CreateNewSecret or -CertificatePath can be used, not both. | +| CertificatePath | False | String | | | The path to the certificate to be uploaded for the app registration. If using with -CreateSelfSignedCertificate - a file with this name will be created and uploaded (file must not exist). Otherwise the file must already exist. Cannot be used with -CreateNewSecret simultaneously. | | CreateSelfSignedCertificate | False | SwitchParameter | | | If specified, a self-signed certificate will be created for the application. -CreateSelfSignedCertificate or -CertificatePath can be used, not both. | | AdminConsent | False | SwitchParameter | | | If specified, admin consent will be granted for the application. | -| Credential | False | PSCredential | | | The credential to use for authenticating the request. | +| Credential | False | PSCredential | | | The credential to use for authenticating the request. Mutually exclusive with -TenantId. | | ApplicationId | False | String | | | The ApplicationId to use for authenticating the request. -Credential or -ApplicationId can be used, not both. | -| TenantId | False | String | | | The TenantId to use for the request. The TenantId needs to be in the form of contoso.onmicrosoft.com. -Credential or -TenantId can be used, not both. | +| TenantId | False | String | | | The name of the tenant to use for the request. 
Must be in the form of contoso.onmicrosoft.com. Mutually exclusive with -Credential. | | ApplicationSecret | False | PSCredential | | | The ApplicationSecret to use for authenticating the request. -Credential or -ApplicationSecret can be used, not both. | -| CertificateThumbprint | False | String | | | The CertificateThumbprint to use for authenticating the request. -Credential or -CertificateThumbprint can be used, not both. | +| CertificateThumbprint | False | String | | | Thumbprint of an existing auth certificate to use for authenticating the request. Mutually exclusive with -Credential. | | ManagedIdentity | False | SwitchParameter | | | If specified, Managed Identity will be used for authenticating the request. -Credential or -ApplicationId or -ManagedIdentity can be used, only one of them. | | Message | True | String | | | | | Type | False | String | Info | Error, Warning, Info | The type of credential to create. Default value is 'Secret'. Valid values are 'Secret' and 'Certificate'. | @@ -87,5 +87,3 @@ This function does not generate any output. -------------------------- EXAMPLE 4 -------------------------- `Update-M365DSCAzureAdApplication -ApplicationName $Microsoft365DSC -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList Get-M365DSCAllResources -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer` - - From 278eee3cd5f2ca86326c8cf24a905555b7a278e4 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jul 2023 18:00:18 +0000 Subject: [PATCH 17/20] Updated Resources and Cmdlet documentation pages --- .../docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md index 81d4291bbf..77ddc22059 100644 
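Review bot: the parameter table in Update-M365DSCAzureAdApplication.md is now internally inconsistent: the new CertificatePath text says the file is created when the parameter is combined with -CreateSelfSignedCertificate, while the unchanged CreateSelfSignedCertificate row still says `-CreateSelfSignedCertificate or -CertificatePath can be used, not both`, and the CreateNewSecret row keeps the old `-CreateNewSecret or -CertificatePath can be used, not both` wording next to the new "Cannot be used with -CreateNewSecret simultaneously"; align those rows with the rewritten text. The trailing `| Message | True | String |` row and the second `| Type | False | String | Info | Error, Warning, Info |` row (which reuses the credential-type description) look like parameters of another function that leaked into the generated page and should be removed or the page regenerated.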
--- a/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md +++ b/docs/docs/user-guide/cmdlets/Update-M365DSCAzureAdApplication.md @@ -87,3 +87,5 @@ This function does not generate any output. -------------------------- EXAMPLE 4 -------------------------- `Update-M365DSCAzureAdApplication -ApplicationName $Microsoft365DSC -Permissions $(Get-M365DSCCompiledPermissionList -ResourceNameList Get-M365DSCAllResources -PermissionType Application -AccessType Read) -Type Certificate -CreateSelfSignedCertificate -AdminConsent -MonthsValid 12 -Credential $creds -CertificatePath c:\Temp\M365DSC.cer` + + From 92d27fe068526f994460cdc7c8c1f6a0f8f047ab Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jul 2023 14:11:07 -0400 Subject: [PATCH 18/20] Release 1.23.726.1 --- CHANGELOG.md | 8 ++- .../MSFT_TeamsOrgWideAppSettings.psm1 | 65 ++----------------- .../MSFT_TeamsOrgWideAppSettings.schema.mof | 3 - .../settings.json | 54 +-------------- .../Dependencies/Manifest.psd1 | 2 +- .../Microsoft365DSC.AADGroup.Tests.ps1 | 8 ++- 6 files changed, 20 insertions(+), 120 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd75269b82..73dc6fee9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,15 @@ # Change log for Microsoft365DSC -# UNRELEASED +# 1.23.726.1 + * AADGroup * Fix issue setting MemberOf property. FIXES [#3496](https://github.com/microsoft/Microsoft365DSC/issues/3496) +* TeamsOrgWideAppSettings + * Removed support for app authentication since the underlying cmdlets aren't + supporting it yet. +* DEPENDENCIES + * Updated MSCloudLoginAssistant to version 1.0.118. # 1.23.719.1 * AADCrossTenant diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 index 5467c55ba0..c5f862d125 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 
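Review bot: the [PATCH 17/20] hunk re-adds the two trailing blank lines that [PATCH 16/20] removed from the same file a few minutes earlier, and the commit message ("Updated Resources and Cmdlet documentation pages") suggests the page is produced by tooling; if so, the hand-made wording changes in the previous patch will be overwritten on the next run and belong in the cmdlet's comment-based help, with the page regenerated from there.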
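Review bot: the TeamsOrgWideAppSettings entry under `# 1.23.726.1` describes removing app authentication but does not flag it as a breaking change; configurations that pass ApplicationId, TenantId or CertificateThumbprint to this resource stop compiling after the upgrade because those properties are dropped from the schema in the same patch, and the entry should say so and name Credential as the remaining option. Naming the cmdlet that lacks app-auth support (Set-CsTeamsSettingsCustomApp, per the psm1 hunk) would also let readers track when support can be restored.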
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 @@ -15,19 +15,7 @@ function Get-TargetResource [Parameter()] [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.String] - $CertificateThumbprint + $Credential ) Write-Verbose -Message 'Checking the Teams Upgrade Configuration' @@ -57,9 +45,6 @@ function Get-TargetResource IsSingleInstance = 'Yes' IsSideloadedAppsInteractionEnabled = $settings.IsSideloadedAppsInteractionEnabled Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint } } catch @@ -92,19 +77,7 @@ function Set-TargetResource [Parameter()] [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.String] - $CertificateThumbprint + $Credential ) Write-Verbose -Message 'Setting Teams Upgrade Configuration' @@ -127,9 +100,6 @@ function Set-TargetResource $SetParameters = $PSBoundParameters $SetParameters.Remove('IsSingleInstance') | Out-Null $SetParameters.Remove('Credential') | Out-Null - $SetParameters.Remove('ApplicationId') | Out-Null - $SetParameters.Remove('TenantId') | Out-Null - $SetParameters.Remove('CertificateThumbprint') | Out-Null Set-CsTeamsSettingsCustomApp @SetParameters } @@ -151,19 +121,7 @@ function Test-TargetResource [Parameter()] [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.String] - $CertificateThumbprint + $Credential ) #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies 
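Review bot: the unchanged `Write-Verbose -Message 'Checking the Teams Upgrade Configuration'` in Get-TargetResource and `'Setting Teams Upgrade Configuration'` in Set-TargetResource refer to a different resource; since these parameter blocks are being rewritten anyway, the messages should name the org-wide app settings so verbose logs from this resource are attributable. The parameter removals themselves are consistent across Get/Set/Test, and removing the three `$SetParameters.Remove(...)` lines matches the reduced parameter block.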
@@ -204,19 +162,7 @@ function Export-TargetResource ( [Parameter()] [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.String] - $CertificateThumbprint + $Credential ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftTeams' ` @@ -240,9 +186,6 @@ function Export-TargetResource $params = @{ IsSingleInstance = 'Yes' Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint } $Results = Get-TargetResource @Params diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.schema.mof index cfb9a3d15c..761c82cf5c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.schema.mof 
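Review bot: in Export-TargetResource the splat `Get-TargetResource @Params` uses a different case from the `$params` hashtable built just above it; PowerShell variable names are case-insensitive so it works, but matching the case avoids a reader assuming two different variables. Since `$params` now carries only IsSingleInstance and Credential, it should also be confirmed that the `New-M365DSCConnection -Workload 'MicrosoftTeams'` call in context no longer forwards the removed parameters on the lines following the hunk.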
@@ -4,8 +4,5 @@ class MSFT_TeamsOrgWideAppSettings : OMI_BaseResource [Key, Description("Specifies the resource is a single instance, the value must be 'Yes'"),ValueMap{"Yes"},Values{"Yes"}] String IsSingleInstance; [Write, Description("Determines whether or not to allow interaction with custom apps.")] Boolean IsSideloadedAppsInteractionEnabled; [Write, Description("Credentials of the Teams Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; - [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; - [Write, Description("Name of the Azure Active Directory tenant used for authentication. Format contoso.onmicrosoft.com")] String TenantId; - [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; }; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/settings.json index 5e06cb2af3..c98543bb2b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/settings.json 
@@ -16,58 +16,8 @@ "update": [] }, "application": { - "read": [ - { - "name": "Organization.Read.All" - }, - { - "name": "User.Read.All" - }, - { - "name": "Group.ReadWrite.All" - }, - { - "name": "AppCatalog.ReadWrite.All" - }, - { - "name": "TeamSettings.ReadWrite.All" - }, - { - "name": "Channel.Delete.All" - }, - { - "name": "ChannelSettings.ReadWrite.All" - }, - { - "name": "ChannelMember.ReadWrite.All" - } - ], - "update": [ - { - "name": "Organization.Read.All" - }, - { - "name": "User.Read.All" - }, - { - "name": "Group.ReadWrite.All" - }, - { - "name": "AppCatalog.ReadWrite.All" - }, - { - "name": "TeamSettings.ReadWrite.All" - }, - { - "name": "Channel.Delete.All" - }, - { - "name": "ChannelSettings.ReadWrite.All" - }, - { - "name": "ChannelMember.ReadWrite.All" - } - ] + "read": [], + "update": [] } } } diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 07722d01a7..044d74486b 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -82,7 +82,7 @@ }, @{ ModuleName = "MSCloudLoginAssistant" - RequiredVersion = "1.0.117" + RequiredVersion = "1.0.118" }, @{ ModuleName = 'PnP.PowerShell' diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 index b6994e6b0b..be6fd42cef 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 @@ -386,7 +386,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return 'Credentials' } Mock -CommandName Get-MgGroup -ParameterFilter { $Id -eq '12345-12345-12345-12345' -or $Filter -eq "DisplayName eq 'DSCGroup'" } -MockWith { - return @{ + $returnData = @{ DisplayName = 'DSCGroup' ID = '12345-12345-12345-12345' Description = 'Microsoft DSC Group' 
@@ -395,6 +395,10 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { MailNickname = 'M365DSC' GroupTypes = @() } + + # Set-TargetResource expects object-type of answer to contain 'group' + $returnData.psobject.TypeNames.insert(0, 'Group') + return $returnData } Mock -CommandName Get-MgGroup -ParameterFilter { $Id -eq '67890-67890-67890-67890' -or $Filter -eq "DisplayName -eq 'DSCMemberOfGroup'" } -MockWith { $returnData = @{ @@ -424,7 +428,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should call the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName 'Get-MgGroup' -Exactly 1 + Should -Invoke -CommandName 'Get-MgGroup' -Exactly 2 } } From b072cba7120a1b8475eb1de81fa544a4027a420a Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jul 2023 14:11:59 -0400 Subject: [PATCH 19/20] Update Microsoft365DSC.psd1 --- Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 27 +++++++------------- 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index bd452a6b99..b172d61a95 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 2023-07-19 +# Generated on: 2023-07-26 @{ @@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.23.719.1' + ModuleVersion = '1.23.726.1' # Supported PSEditions # CompatiblePSEditions = @() 
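Review bot: in the AADGroup test hunk, the second mock's ParameterFilter compares `$Filter -eq "DisplayName -eq 'DSCMemberOfGroup'"`, placing a PowerShell `-eq` inside the OData filter string, while the first mock uses the OData form `"DisplayName eq 'DSCGroup'"`; unless the resource really builds the filter with `-eq`, that mock only ever matches on the `$Id -eq '67890-67890-67890-67890'` branch. The added comment `# Set-TargetResource expects object-type of answer to contain 'group'` would be clearer as "Set-TargetResource checks the returned object's type names for 'Group'", which also documents why `$returnData.psobject.TypeNames.insert(0, 'Group')` is needed.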
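Review bot: changing `Should -Invoke -CommandName 'Get-MgGroup' -Exactly 1` to `-Exactly 2` couples the test to an implementation detail of the MemberOf fix without saying why; a one-line comment naming the two lookups (the group itself and the MemberOf target group mocked above) would keep the assertion understandable when it next breaks.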
@@ -140,23 +140,14 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* EXOSharedMailbox - * Added capability to change the PrimarySMTPAddress of a Shared Mailbox - * SPOExternalUserExpireInDays - * Added the External User Expiration setting in the config. - * MISC - * Updated AAD, EXO and Teams settings file to describe required roles. - * Added a new personas documentation page to describe the targeted personas - for the project. - * Added a more meaningful exception message to Update-M365DSCDependencies if - the module is not installed or imported successfully - * Fixes an issue with the reporting where the wrong key parameter was sometimes - used when a component was missing in the source tenant. + ReleaseNotes = '* AADGroup + * Fix issue setting MemberOf property. + FIXES [#3496](https://github.com/microsoft/Microsoft365DSC/issues/3496) + * TeamsOrgWideAppSettings + * Removed support for app authentication since the underlying cmdlets arent + supporting it yet. * DEPENDENCIES - * Updated the Microsoft.Graph.* dependencies to version 2.1.0. - * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.168. - * Updated MicrosoftTeams to version 5.4.0. - * Updated MSCloudLoginAssistant to version 1.0.117.' + * Updated MSCloudLoginAssistant to version 1.0.118.' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false From 80d77f03a7f5bd7ad8a3ebdc2f4ea89d0c5fd098 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jul 2023 18:26:09 +0000 Subject: [PATCH 20/20] Updated Resources and Cmdlet documentation pages --- .../AADCrossTenantAccessPolicyConfigurationPartner.md | 2 +- .../resources/security-compliance/SCDLPComplianceRule.md | 2 +- docs/docs/resources/teams/TeamsOrgWideAppSettings.md | 7 ++----- 3 files changed, 4 insertions(+), 7 deletions(-) 
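Review bot: the ReleaseNotes string in Microsoft365DSC.psd1 reads `cmdlets arent supporting it yet` where the CHANGELOG entry for the same release has `aren't`; because ReleaseNotes is a single-quoted literal, the apostrophe has to be doubled (`aren''t`) rather than dropped. Since this block duplicates CHANGELOG.md and has already diverged within one release, consider populating the manifest's ReleaseNotes from the changelog during the release step.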
diff --git a/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md b/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md index e45def23a3..be458deb45 100644 --- a/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md +++ b/docs/docs/resources/azure-ad/AADCrossTenantAccessPolicyConfigurationPartner.md @@ -52,7 +52,7 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | -| **InboundAllowed** | Write | Boolean | Specifies whether you want to automatically trust Inbound invitations.. | | +| **InboundAllowed** | Write | Boolean | Specifies whether you want to automatically trust Inbound invitations. | | | **OutboundAllowed** | Write | Boolean | Specifies whether you want to automatically trust Outbound invitations. | | ### MSFT_AADCrossTenantAccessPolicyInboundTrust diff --git a/docs/docs/resources/security-compliance/SCDLPComplianceRule.md b/docs/docs/resources/security-compliance/SCDLPComplianceRule.md index 878cf6e12c..81e1505645 100644 --- a/docs/docs/resources/security-compliance/SCDLPComplianceRule.md +++ b/docs/docs/resources/security-compliance/SCDLPComplianceRule.md 
@@ -31,7 +31,7 @@ | **CertificatePassword** | Write | PSCredential | Username can be made up to anything but password will be used for CertificatePassword | | | **CertificatePath** | Write | String | Path to certificate used in service principal usually a PFX file. | | | **AnyOfRecipientAddressContainsWords** | Write | StringArray[] | The AnyOfRecipientAddressContainsWords parameter specifies a condition for the DLP rule that looks for words or phrases in recipient email addresses. | | -| **AnyOfRecipientAddressMatchesPatterns** | Write | StringArray[] | The AnyOfRecipientAddressMatchesPatterns parameter specifies a condition for the DLP rule that looks for text patterns in recipient email addresses by using regular expressions.. | | +| **AnyOfRecipientAddressMatchesPatterns** | Write | StringArray[] | The AnyOfRecipientAddressMatchesPatterns parameter specifies a condition for the DLP rule that looks for text patterns in recipient email addresses by using regular expressions. | | | **RemoveRMSTemplate** | Write | Boolean | The RemoveRMSTemplate parameter specifies an action for the DLP rule that removes Office 365 Message Encryption from messages and their attachments. | | | **StopPolicyProcessing** | Write | Boolean | The StopPolicyProcessing parameter specifies an action that stops processing more DLP policy rules. | | | **DocumentIsUnsupported** | Write | Boolean | The DocumentIsUnsupported parameter specifies a condition for the DLP rule that looks for files that can't be scanned. | | diff --git a/docs/docs/resources/teams/TeamsOrgWideAppSettings.md b/docs/docs/resources/teams/TeamsOrgWideAppSettings.md index 2d333b72b2..74a36a0688 100644 --- a/docs/docs/resources/teams/TeamsOrgWideAppSettings.md +++ b/docs/docs/resources/teams/TeamsOrgWideAppSettings.md 
@@ -7,9 +7,6 @@ | **IsSingleInstance** | Key | String | Specifies the resource is a single instance, the value must be 'Yes' | `Yes` | | **IsSideloadedAppsInteractionEnabled** | Write | Boolean | Determines whether or not to allow interaction with custom apps. | | | **Credential** | Write | PSCredential | Credentials of the Teams Admin | | -| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | -| **TenantId** | Write | String | Name of the Azure Active Directory tenant used for authentication. Format contoso.onmicrosoft.com | | -| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | # TeamsOgWideAppSettings @@ -38,11 +35,11 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - Organization.Read.All, User.Read.All, Group.ReadWrite.All, AppCatalog.ReadWrite.All, TeamSettings.ReadWrite.All, Channel.Delete.All, ChannelSettings.ReadWrite.All, ChannelMember.ReadWrite.All + - None - **Update** - - Organization.Read.All, User.Read.All, Group.ReadWrite.All, AppCatalog.ReadWrite.All, TeamSettings.ReadWrite.All, Channel.Delete.All, ChannelSettings.ReadWrite.All, ChannelMember.ReadWrite.All + - None ## Examples
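Review bot: the heading `# TeamsOgWideAppSettings` in the unchanged context of TeamsOrgWideAppSettings.md is misspelled (missing the "r"), and the permissions intro `this resource required the followi` should read "requires"; both can be fixed while the application permission lists are being changed. Setting Read and Update to `None` is consistent with the resource becoming Credential-only, but the page should state that application authentication is not supported for this resource rather than leaving readers to infer that no permissions are required.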