diff --git a/.github/workflows/Scheduled - Generate Permission List.yml b/.github/workflows/Scheduled - Generate Permission List.yml deleted file mode 100644 index 9a918fa9fa..0000000000 --- a/.github/workflows/Scheduled - Generate Permission List.yml +++ /dev/null 
@@ -1,237 +0,0 @@ -function Invoke-TestHarness -{ - [CmdletBinding()] - param - ( - [Parameter()] - [System.String] - $TestResultsFile, - - [Parameter()] - [System.String] - $DscTestsPath, - - [Parameter()] - [Switch] - $IgnoreCodeCoverage - ) - - $sw = [System.Diagnostics.StopWatch]::startnew() - - $MaximumFunctionCount = 32767 - Write-Host -Object 'Running all Microsoft365DSC Unit Tests' - - $repoDir = Join-Path -Path $PSScriptRoot -ChildPath '..\' -Resolve - - $oldModPath = $env:PSModulePath - $env:PSModulePath = $env:PSModulePath + [System.IO.Path]::PathSeparator + (Join-Path -Path $repoDir -ChildPath 'Modules\Microsoft365DSC') - - $testCoverageFiles = @() - if ($IgnoreCodeCoverage.IsPresent -eq $false) - { - Get-ChildItem -Path "$repoDir\Modules\Microsoft365DSC\DSCResources\**\*.psm1" -Recurse | ForEach-Object { - if ($_.FullName -notlike '*\DSCResource.Tests\*') - { - $testCoverageFiles += $_.FullName - } - } - } - - Import-Module -Name "$repoDir/Modules/Microsoft365DSC/Microsoft365DSC.psd1" - Import-Module -Name PSDesiredStateConfiguration -Global -Prefix 'Pwsh' -Force - $testsToRun = @() - - # Run Unit Tests - $versionsPath = Join-Path -Path $repoDir -ChildPath '\Tests\Unit\Stubs\' - # Import the first stub found so that there is a base module loaded before the tests start - $firstStub = Join-Path -Path $repoDir ` - -ChildPath '\Tests\Unit\Stubs\Microsoft365.psm1' - Import-Module $firstStub -WarningAction SilentlyContinue - - $stubPath = Join-Path -Path $repoDir ` - -ChildPath '\Tests\Unit\Stubs\Microsoft365.psm1' - - # DSC Common Tests - $getChildItemParameters = @{ - Path = (Join-Path -Path $repoDir -ChildPath '\Tests\Unit') - Recurse = $true - Filter = '*.Tests.ps1' - } - - # Get all tests '*.Tests.ps1'. - $commonTestFiles = Get-ChildItem @getChildItemParameters - - # Remove DscResource.Tests unit tests. 
- $commonTestFiles = $commonTestFiles | Where-Object -FilterScript { - $_.FullName -notmatch 'DSCResource.Tests\\Tests' - } - - $testsToRun += @( $commonTestFiles.FullName ) - - $filesToExecute = @() - if ($DscTestsPath -ne '') - { - $filesToExecute += $DscTestsPath - } - else - { - foreach ($testToRun in $testsToRun) - { - $filesToExecute += $testToRun - } - } - - $Params = [ordered]@{ - Path = $filesToExecute - } - - $Container = New-PesterContainer @Params - - $Configuration = [PesterConfiguration]@{ - Run = @{ - Container = $Container - PassThru = $true - } - Output = @{ - Verbosity = 'Normal' - } - Should = @{ - ErrorAction = 'Continue' - } - } - - if ([String]::IsNullOrEmpty($TestResultsFile) -eq $false) - { - $Configuration.Output.Enabled = $true - $Configuration.Output.OutputFormat = 'NUnitXml' - $Configuration.Output.OutputFile = $TestResultsFile - } - - if ($IgnoreCodeCoverage.IsPresent -eq $false) - { - $Configuration.CodeCoverage.Enabled = $true - $Configuration.CodeCoverage.Path = $testCoverageFiles - $Configuration.CodeCoverage.OutputPath = 'CodeCov.xml' - $Configuration.CodeCoverage.OutputFormat = 'JaCoCo' - $Configuration.CodeCoverage.UseBreakpoints = $false - } - - $results = Invoke-Pester -Configuration $Configuration - - $message = 'Running the tests took {0} hours, {1} minutes, {2} seconds' -f $sw.Elapsed.Hours, $sw.Elapsed.Minutes, $sw.Elapsed.Seconds - Write-Host -Object $message - - $env:PSModulePath = $oldModPath - Write-Host -Object 'Completed running all Microsoft365DSC Unit Tests' - - return $results -} - -function Get-M365DSCAllGraphPermissionsList -{ - [CmdletBinding()] - [OutputType([System.String[]])] - param() - - $allModules = Get-module Microsoft.graph.* -ListAvailable - $allPermissions = @() - foreach ($module in $allModules) - { - $cmds = Get-Command -Module $module.Name - foreach ($cmd in $cmds) - { - $graphInfo = Find-MgGraphCommand -Command $cmd.Name -ErrorAction SilentlyContinue - if ($null -ne $graphInfo) - { - $permissions 
= $graphInfo.Permissions | Where-Object -FilterScript {$_.PermissionType -eq 'Application'} - $allPermissions += $permissions.Name - } - } - } - - $allPermissions+= @('OrgSettings-Microsoft365Install.Read.All', ` - 'OrgSettings-Forms.Read.All', ` - 'OrgSettings-Todo.Read.All', ` - 'OrgSettings-AppsAndServices.Read.All', ` - 'OrgSettings-DynamicsVoice.Read.All', ` - 'ReportSettings.Read.All', ` - 'RoleManagementPolicy.Read.Directory', ` - 'RoleEligibilitySchedule.Read.Directory', ` - 'Agreement.Read.All', ` - 'Policy.ReadWrite.ConditionalAccess', ` - 'Policy.Read.ConditionalAccess', ` - 'Policy.ReadWrite.AuthenticationMethod', ` - 'SharePointTenantSettings.Read.All', ` - 'AppCatalog.ReadWrite.All', ` - 'TeamSettings.ReadWrite.All', ` - 'Channel.Delete.All', ` - 'ChannelSettings.ReadWrite.All', ` - 'ChannelMember.ReadWrite.All', ` - 'ChannelSettings.Read.All', - 'EntitlementManagement.Read.All', - 'ExternalConnection.Read.All') - $roles = $allPermissions | Select-Object -Unique | Sort-Object -Descending:$false - return $roles -} - -function Invoke-QualityChecksHarness -{ - [CmdletBinding()] - param () - - $sw = [System.Diagnostics.StopWatch]::startnew() - - Write-Host -Object 'Running all Quality Check Tests' - - $repoDir = Join-Path -Path $PSScriptRoot -ChildPath '..\' -Resolve - - $oldModPath = $env:PSModulePath - $env:PSModulePath = $env:PSModulePath + [System.IO.Path]::PathSeparator + (Join-Path -Path $repoDir -ChildPath 'modules\Microsoft365DSC') - - # DSC Common Tests - $getChildItemParameters = @{ - Path = (Join-Path -Path $repoDir -ChildPath '\Tests\QA') - Filter = '*.Tests.ps1' - } - - # Get all tests '*.Tests.ps1'. 
- $commonTestFiles = Get-ChildItem @getChildItemParameters - - $testsToRun = @() - $testsToRun += @( $commonTestFiles.FullName ) - - $filesToExecute = @() - foreach ($testToRun in $testsToRun) - { - $filesToExecute += $testToRun - } - - $Params = [ordered]@{ - Path = $filesToExecute - } - - $Container = New-PesterContainer @Params - - $Configuration = [PesterConfiguration]@{ - Run = @{ - Container = $Container - PassThru = $true - } - Output = @{ - Verbosity = 'Detailed' - } - Should = @{ - ErrorAction = 'Continue' - } - } - - $results = Invoke-Pester -Configuration $Configuration - - $message = 'Running the tests took {0} hours, {1} minutes, {2} seconds' -f $sw.Hours, $sw.Minutes, $sw.Seconds - Write-Host -Object $message - - $env:PSModulePath = $oldModPath - Write-Host -Object 'Completed running all Quality Check Tests' - - return $results -} diff --git a/CHANGELOG.md b/CHANGELOG.md index 2196377267..c4ed21867f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,84 @@ # Change log for Microsoft365DSC +# 1.24.1016.1 + +* AADAdminConsentRequestPolicy + * Initial release. +* AADApplication + * Fixed an issue trying to retrieve the beta instance. + * Added support for OnPremisesPublishing. + * Added support for ApplicationTemplate. + * Fixes an issue where trying to apply permissions complained about + duplicate entries. +* AADAuthenticationRequirement + * Initial release. +* AADConnectorGroupApplicationProxy + * Initial release. +* AADCustomSecurityAttributeDefinition + * Initial release. +* AADDeviceRegistrationPolicy + * Initial release. +* AADEntitlementManagementSettings + * Added support for ApplicationSecret +* AADIdentityGovernanceLifecycleWorkflow + * Initial release. +* AADLifecycleWorkflowSettings + * Initial release. +* AADServicePrincipal + * Adding Delegated Permission Classification Property +* ADOPermissionGroupSettings + * Initial release. +* EXOATPBuiltInProtectionRule + * Initial release. +* EXOMigrationEndpoint + * Initial Release +* IntuneAccountProtectionPolicy + * Added deprecation notice. +* IntuneAccountProtectionPolicyWindows10 + * Initial Release + FIXES [#5073](https://github.com/microsoft/Microsoft365DSC/issues/5073) +* IntuneAppAndBrowserIsolationPolicyWindows10 + * Initial release. + FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028) +* IntuneDerivedCredential + * Initial release. +* IntuneDeviceConfigurationIdentityProtectionPolicyWindows10 + * Added deprecation notice. +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Migrate to new Settings Catalog cmdlets. +* IntuneMobileAppsMacOSLobApp + * Initial release +* IntuneMobileAppsWindowsOfficeSuiteApp + * Initial release +* IntuneSecurityBaselineMicrosoft365AppsForEnterprise + * Initial release +* IntuneSecurityBaselineMicrosoftEdge + * Initial release +* PPAdminDLPPolicy + * Initial release. +* PPDLPPolicyConnectorConfigurations + * Initial release. +* PPPowerAppPolicyUrlPatterns + * Initial release. 
+* TeamsClientConfiguration + * Fixed bug where RestrictedSenderList was always empty in the MSFT_TeamsClientConfiguration resource + FIXES [#5190](https://github.com/microsoft/Microsoft365DSC/issues/5190) + * Changed Set-TargetResource to always use semicolon as separator as mentioned in the MS documentation +* TeamsUpgradePolicy + * Added support for tenant wide changes using the * value for users. + FIXES [#5174](https://github.com/microsoft/Microsoft365DSC/issues/5174) +* M365DSCDRGUtil + * Fixes an issue for the handling of skipped one-property elements in the + Settings Catalog. FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) + * Add Set support for secret Settings Catalog values + * Removed unused functions + * Add support for device / user scoped settings. +* ResourceGenerator + * Add support for device / user scoped settings. +* DEPENDENCIES + * Updated DSCParser to version 2.0.0.11 + * Updated ReverseDSC to version 2.0.0.21 + # 1.24.1002.1 * AADAdministrativeUnit diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.psm1 new file mode 100644 index 0000000000..317ea07cd2 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.psm1 
@@ -0,0 +1,505 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Boolean] + $NotifyReviewers, + + [Parameter()] + [System.Boolean] + $RemindersEnabled, + + [Parameter()] + [System.UInt32] + $RequestDurationInDays, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Reviewers, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-MgBetaPolicyAdminConsentRequestPolicy -ErrorAction Stop + if ($null -eq $instance) + { + throw 'Could not retrieve the Admin Consent Request Policy' + } + + $reviewersValue = @() + foreach ($reviewer in $instance.Reviewers) + { + if ($reviewer.Query.Contains('/users/')) + { + $userId = $reviewer.Query.Split('/')[3] + $userInfo = Get-MgUser -UserId $userId + + $entry = @{ + ReviewerType = 'User' + ReviewerId = $userInfo.UserPrincipalName + } + } + elseif ($reviewer.Query.Contains('/groups/')) + { + $groupId = $reviewer.Query.Split('/')[3] + $groupInfo = Get-MgGroup -GroupId $groupId + $entry = @{ + ReviewerType = 'Group' + ReviewerId = $groupInfo.DisplayName + } + } + elseif ($reviewer.Query.Contains('directory/roleAssignments?$')) + { + $roleId = $reviewer.Query.Replace("/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq ", "").Replace("'", '') + $roleInfo = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleId + $entry = @{ + ReviewerType = 'Role' + ReviewerId = $roleInfo.DisplayName + } + } + $reviewersValue += $entry + } + + $results = @{ + IsSingleInstance = 'Yes' + IsEnabled = $instance.IsEnabled + NotifyReviewers = $instance.NotifyReviewers + RemindersEnabled = $instance.RemindersEnabled + RequestDurationInDays = $instance.RequestDurationInDays + Reviewers = $reviewersValue + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return 
[System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Boolean] + $NotifyReviewers, + + [Parameter()] + [System.Boolean] + $RemindersEnabled, + + [Parameter()] + [System.UInt32] + $RequestDurationInDays, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Reviewers, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $reviewerValues = @() + foreach ($reviewer in $Reviewers) + { + if ($reviewer.ReviewerType -eq 'User') + { + $userInfo = Get-MgUser -Filter "UserPrincipalName eq '$($reviewer.ReviewerId)'" + $entry = @{ + query = "/users/$($userInfo.Id)" + queryType = 'MicrosoftGraph' + } + $reviewerValues += $entry + } + elseif ($reviewer.ReviewerType -eq 'Group') + { + $groupInfo = Get-MgGroup -Filter "DisplayName eq '$($reviewer.ReviewerId)'" + $entry = @{ + query = "/groups/$($groupInfo.Id)/transitiveMembers/microsoft.graph.user" + queryType = 'MicrosoftGraph' + } + $reviewerValues += $entry + } + elseif ($reviewer.ReviewerType -eq 'Role') + { + $roleInfo = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$($reviewer.ReviewerId)'" + $entry = @{ + query = "/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$($roleInfo.Id.Replace('\u0027', ''))'" + queryType = 'MicrosoftGraph' + } + $reviewerValues += $entry + } + } + + $updateParameters = @{ + isEnabled = $IsEnabled + reviewers = $reviewerValues + notifyReviewers = $NotifyReviewers + remindersEnabled = $RemindersEnabled + requestDurationInDays = $RequestDurationInDays + } + + $updateJSON = ConvertTo-Json $updateParameters + Write-Verbose -Message "Updating the Entra Id Admin Consent Request Policy with values: $updateJSON" + Invoke-MgGraphRequest -Method 'PUT' ` + -Uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' ` + -Body $updateJSON | Out-Null +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + 
$IsSingleInstance, + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Boolean] + $NotifyReviewers, + + [Parameter()] + [System.Boolean] + $RemindersEnabled, + + [Parameter()] + [System.UInt32] + $RequestDurationInDays, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Reviewers, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = $true + foreach ($reviewer in $Reviewers) + { + $currentEquivalent = $CurrentValues.Reviewers | Where-Object -FilterScript {$_.ReviewerId -eq $reviewer.ReviewerId -and $_.ReviewerType -eq $reviewer.ReviewerType} + if ($null -eq $currentEquivalent) + { + $testResult = $false + Write-Verbose -Message "Couldn't find current reviewer {$($reviewer.ReviewerId)}" + } + } + + if ($testResult) + { + $ValuesToCheck.Remove('Reviewers') | Out-Null + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source 
$($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaPolicyAdminConsentRequestPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = 'Policy' + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + 
TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Reviewers.Count -gt 0) + { + $Results.Reviewers = Get-M365DSCAzureADAAdminConsentPolicyReviewerAsString $Results.Reviewers + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Reviewers) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Reviewers" -IsCIMArray:$true + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCAzureADAAdminConsentPolicyReviewerAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [Array] + $Reviewers + ) + + $result = " @(`r`n" + foreach ($reviewer in $reviewers) + { + $result += " MSFT_AADAdminConsentRequestPolicyReviewer {`r`n" + $result += " ReviewerType = '$($reviewer.ReviewerType)'`r`n" + $result += " ReviewerId = '$($reviewer.ReviewerId)'`r`n" + $result += " QueryRoot = '$($reviewer.QueryRoot)'`r`n" + $result += " }`r`n" + } + $result += ' )' + return $result +} + +Export-ModuleMember -Function *-TargetResource 
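Review bot: In Set-TargetResource the desired ReviewerId is interpolated unescaped into the OData filters (`Get-MgUser -Filter "UserPrincipalName eq '$($reviewer.ReviewerId)'"` and the Group and Role equivalents), so a name containing an apostrophe breaks the query, and a lookup that returns nothing is never checked, leaving `$userInfo.Id`/`$groupInfo.Id` empty and a malformed reviewer query such as `/users/` being PUT to the policy. Escape the value first, `$id = $reviewer.ReviewerId.Replace("'", "''")`, and throw when the lookup result is `$null` before building `$entry`; note also that `.Replace('\u0027', '')` in the Role branch is a literal six-character string inside single quotes, so it removes nothing. In Get-TargetResource `$entry` is not reset per iteration, so a reviewer whose Query matches none of the three branches re-appends the previous entry; set `$entry = $null` at the top of the loop and skip the append when it stays null. Test-TargetResource only verifies that each desired reviewer exists in the current policy, so an extra reviewer present in the tenant but absent from the configuration never reports drift, which matters for a policy that decides who can approve admin consent requests; add a count comparison, e.g. `if (@($CurrentValues.Reviewers).Count -ne @($Reviewers).Count) { $testResult = $false }`.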
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.schema.mof new file mode 100644 index 0000000000..d9c7b838fc --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/MSFT_AADAdminConsentRequestPolicy.schema.mof 
@@ -0,0 +1,25 @@ +[ClassVersion("1.0.0")] +class MSFT_AADAdminConsentRequestPolicyReviewer +{ + [Write, Description("Type of reviewwer. Can be User, Group or Role")] String ReviewerType; + [Write, Description("Identifier for the reviewer instance.")] String ReviewerId; + [Write, Description("Associated query.")] String QueryRoot; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("AADAdminConsentRequestPolicy")] +class MSFT_AADAdminConsentRequestPolicy : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Determines if the policy is enabled or not.")] Boolean IsEnabled; + [Write, Description("Specifies whether reviewers will receive notifications.")] Boolean NotifyReviewers; + [Write, Description("Specifies whether reviewers will receive reminder emails.")] Boolean RemindersEnabled; + [Write, Description("Specifies the duration the request is active before it automatically expires if no decision is applied.")] UInt32 RequestDurationInDays; + [Write, Description("The list of reviewers for the admin consent."), EmbeddedInstance("MSFT_AADAdminConsentRequestPolicyReviewer")] String Reviewers[]; + + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; 
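Review bot: `Description("Type of reviewwer. Can be User, Group or Role")` on MSFT_AADAdminConsentRequestPolicyReviewer has a typo; change it to `Description("Type of reviewer. Can be User, Group or Role")`. The `QueryRoot` property is declared here and emitted by the export helper, but as far as the psm1 in this commit shows Get-TargetResource never populates it, so exported configurations will carry an empty value; either document it as reserved for a later use or drop it from the schema.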
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/readme.md new file mode 100644 index 0000000000..bf9bf28b72 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/readme.md @@ -0,0 +1,6 @@ + +# AADAdminConsentRequestPolicy + +## Description + +Configures the Admin Consent Request Policy in Entra Id. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/settings.json new file mode 100644 index 0000000000..ccd7e87b95 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAdminConsentRequestPolicy/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADAdminConsentRequestPolicy", + "description": "Configures the Admin Consent Request Policy in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "Policy.Read.All" + } + ], + "update": [ + { + "name": "Policy.ReadWrite.ConsentRequest" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 index 636e27a4db..c8e33c5291 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 @@ -88,6 +88,14 @@ function Get-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $Permissions, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OnPremisesPublishing, + + [Parameter()] + [System.String] + $ApplicationTemplateId, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] 
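Review bot: The `application.read` list in settings.json declares only `Policy.Read.All`, but Get-TargetResource in the accompanying psm1 resolves reviewers through Get-MgUser, Get-MgGroup and Get-MgBetaRoleManagementDirectoryRoleDefinition, which need directory read permissions (`User.Read.All`, `Group.Read.All`, `RoleManagement.Read.Directory`) that are not listed. If this permission list is what the project uses to derive least-privilege app registrations, as it presumably is, an export running with only the declared permission would fail on the first user, group or role reviewer; add the missing entries or confirm the calls succeed under `Policy.Read.All` alone.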
@@ -153,7 +161,7 @@ function Get-TargetResource } else { - $AADApp = Get-MgApplication -Filter "AppId eq '$AppId'" + $AADApp = Get-MgBetaApplication -Filter "AppId eq '$AppId'" } } } @@ -172,7 +180,7 @@ function Get-TargetResource } else { - $AADApp = Get-MgApplication -Filter "DisplayName eq '$($DisplayName)'" + $AADApp = [Array](Get-MgBetaApplication -Filter "DisplayName eq '$($DisplayName)'") } } if ($null -ne $AADApp -and $AADApp.Count -gt 1) @@ -188,9 +196,8 @@ function Get-TargetResource { Write-Verbose -Message 'An instance of Azure AD App was retrieved.' - - $AADBetaApp= Get-MgBetaApplication -Property "id,displayName,appId,authenticationBehaviors" -ApplicationId $ObjectID -ErrorAction SilentlyContinue - $AADAppKeyCredentials = Get-MgApplication -Property "keyCredentials" -ApplicationId $ObjectID -ErrorAction SilentlyContinue + $AADBetaApp= Get-MgBetaApplication -Property "id,displayName,appId,authenticationBehaviors,additionalProperties" -ApplicationId $AADApp.Id -ErrorAction SilentlyContinue + $AADAppKeyCredentials = Get-MgBetaApplication -Property "keyCredentials" -ApplicationId $AADApp.Id -ErrorAction SilentlyContinue $complexAuthenticationBehaviors = @{} if ($null -ne $AADBetaApp.authenticationBehaviors.blockAzureADGraphAccess) @@ -274,7 +281,6 @@ function Get-TargetResource $complexApi = $null } - $complexKeyCredentials = @() foreach ($currentkeyCredentials in $AADAppKeyCredentials.keyCredentials) { @@ -291,7 +297,7 @@ function Get-TargetResource $mykeyCredentials.Add('KeyId', $currentkeyCredentials.keyId) - if($null -ne $currentkeyCredentials.Key) + if($null -ne $currentkeyCredentials.Key) { $mykeyCredentials.Add('Key', [convert]::ToBase64String($currentkeyCredentials.key)) } 
@@ -379,6 +385,77 @@ function Get-TargetResource $IsFallbackPublicClientValue = $AADApp.IsFallbackPublicClient } + #region OnPremisesPublishing + $onPremisesPublishingValue = @{} + $oppInfo = $null + + try + { + $oppInfo = Invoke-MgGraphRequest -Method GET ` + -Uri "https://graph.microsoft.com/beta/applications/$($AADBetaApp.Id)/onPremisesPublishing" ` + -ErrorAction SilentlyContinue + } + catch + { + Write-Verbose -Message "On-premises publishing is not enabled for App {$($AADBetaApp.DisplayName)}" + } + + if ($null -ne $oppInfo) + { + $onPremisesPublishingValue = @{ + alternateUrl = $oppInfo.alternateUrl + applicationServerTimeout = $oppInfo.applicationServerTimeout + externalAuthenticationType = $oppInfo.externalAuthenticationType + externalUrl = $oppInfo.externalUrl + internalUrl = $oppInfo.internalUrl + isBackendCertificateValidationEnabled = $oppInfo.isBackendCertificateValidationEnabled + isHttpOnlyCookieEnabled = $oppInfo.isHttpOnlyCookieEnabled + isPersistentCookieEnabled = $oppInfo.isPersistentCookieEnabled + isSecureCookieEnabled = $oppInfo.isSecureCookieEnabled + isStateSessionEnabled = $oppInfo.isStateSessionEnabled + isTranslateHostHeaderEnabled = $oppInfo.isTranslateHostHeaderEnabled + isTranslateLinksInBodyEnabled = $oppInfo.isTranslateLinksInBodyEnabled + } + + # onPremisesApplicationSegments + $segmentValues = @() + foreach ($segment in $oppInfo.onPremisesApplicationSegments) + { + $entry = @{ + alternateUrl = $segment.AlternateUrl + externalUrl = $segment.externalUrl + internalUrl = $segment.internalUrl + } + + $corsConfigurationValues = @() + foreach ($cors in $segment.corsConfigurations) + { + $corsEntry = @{ + allowedHeaders = [Array]($cors.allowedHeaders) + allowedMethods = [Array]($cors.allowedMethods) + allowedOrigins = [Array]($cors.allowedOrigins) + maxAgeInSeconds = $cors.maxAgeInSeconds + resource = $cors.resource + } + $corsConfigurationValues += $corsEntry + } + $entry.Add('corsConfigurations', $corsConfigurationValues) + 
$segmentValues += $entry + } + $onPremisesPublishingValue.Add('onPremisesApplicationSegments', $segmentValues) + + # singleSignOnSettings + $singleSignOnValues = @{ + kerberosSignOnSettings = @{ + kerberosServicePrincipalName = $oppInfo.singleSignOnSettings.kerberosSignOnSettings.kerberosServicePrincipalName + kerberosSignOnMappingAttributeType = $oppInfo.singleSignOnSettings.kerberosSignOnSettings.kerberosSignOnMappingAttributeType + } + singleSignOnMode = $oppInfo.singleSignOnSettings.singleSignOnMode + } + $onPremisesPublishingValue.Add('singleSignOnSettings', $singleSignOnValues) + } + #endregion + $result = @{ DisplayName = $AADApp.DisplayName AvailableToOtherTenants = $AvailableToOtherTenantsValue @@ -401,6 +478,8 @@ function Get-TargetResource PasswordCredentials = $complexPasswordCredentials AppRoles = $complexAppRoles Permissions = $permissionsObj + OnPremisesPublishing = $onPremisesPublishingValue + ApplicationTemplateId = $AADApp.AdditionalProperties.applicationTemplateId Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId @@ -522,6 +601,14 @@ function Set-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $Permissions, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OnPremisesPublishing, + + [Parameter()] + [System.String] + $ApplicationTemplateId, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -629,7 +716,7 @@ function Set-TargetResource if ($PasswordCredentials) { Write-Warning -Message "PasswordCredentials is a readonly property and cannot be configured." - + } if ($currentParameters.AvailableToOtherTenants) @@ -678,6 +765,7 @@ function Set-TargetResource $currentParameters.Remove('ReplyURLs') | Out-Null $currentParameters.Remove('LogoutURL') | Out-Null $currentParameters.Remove('Homepage') | Out-Null + $currentParameters.Remove('OnPremisesPublishing') | Out-Null $keys = (([Hashtable]$currentParameters).clone()).Keys 
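Review bot: In the OnPremisesPublishing region of Get-TargetResource, `Invoke-MgGraphRequest ... -ErrorAction SilentlyContinue` inside a try/catch means a non-terminating failure never reaches the catch, so the verbose message there fires only for terminating exceptions and `$oppInfo` otherwise stays `$null` without any trace; use `-ErrorAction Stop` so the catch handles every failure and the verbose message describes it. The URI is also built from `$AADBetaApp.Id`, and `$AADBetaApp` is retrieved with `-ErrorAction SilentlyContinue` in an earlier hunk, so when that lookup fails the request goes to `https://graph.microsoft.com/beta/applications//onPremisesPublishing`; guard with `if ($null -ne $AADBetaApp)` (or use `$AADApp.Id`) before issuing the call. Get-TargetResource starts and ends outside this hunk.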
@@ -726,10 +814,44 @@ function Set-TargetResource Write-Verbose -Message "Multiple instances of a deleted application with name {$DisplayName} wehre found. Creating a new instance since we can't determine what instance to restore." } } + + # Create from Template + $createdFromTemplate = $false + if ($Ensure -eq 'Present' -and $currentAADApp.Ensure -eq 'Absent' -and -not $skipToUpdate -and ` + -not [System.String]::IsNullOrEmpty($ApplicationTemplateId) -and ` + $ApplicationTemplateId -ne '8adf8e6e-67b2-4cf2-a259-e3dc5476c621') + { + $skipToUpdate = $true + Write-Verbose -Message "Creating application {$DisplayName} from Application Template {$ApplicationTemplateId}" + $newApp = Invoke-MgBetaInstantiateApplicationTemplate -DisplayName $DisplayName ` + -ApplicationTemplateId $ApplicationTemplateId + $currentAADApp = @{ + AppId = $newApp.Application.AppId + Id = $newApp.Application.AppId + DisplayName = $newApp.Application.DisplayName + ObjectId = $newApp.Application.AdditionalProperties.objectId + } + + $createdFromTemplate = $true + + do + { + Write-Verbose -Message 'Waiting for 10 seconds' + Start-Sleep -Seconds 10 + $appEntity = Get-MgApplication -ApplicationId $currentAADApp.AppId -ErrorAction SilentlyContinue + $tries++ + } until ($null -eq $appEntity -or $tries -le 12) + } + Write-Host "Ensure = $Ensure" + Write-Host "ApplicationTemplateId = $ApplicationTemplateId" + Write-Host "skipToUpdate = $skipToUpdate" + Write-Host "currentAADApp.Ensure = $($currentAADApp.Ensure))" if ($Ensure -eq 'Present' -and $currentAADApp.Ensure -eq 'Absent' -and -not $skipToUpdate) { - Write-Verbose -Message "Creating New AzureAD Application {$DisplayName} with values:`r`n$($currentParameters | Out-String)" $currentParameters.Remove('ObjectId') | Out-Null + $currentParameters.Remove('ApplicationTemplateId') | Out-Null + Write-Verbose -Message "Creating New AzureAD Application {$DisplayName} with values:`r`n$($currentParameters | Out-String)" + $currentAADApp = New-MgApplication 
@currentParameters Write-Verbose -Message "Azure AD Application {$DisplayName} was successfully created" $needToUpdatePermissions = $true @@ -751,15 +873,21 @@ function Set-TargetResource elseif (($Ensure -eq 'Present' -and $currentAADApp.Ensure -eq 'Present') -or $skipToUpdate) { $currentParameters.Remove('ObjectId') | Out-Null + $currentParameters.Remove('ApplicationTemplateId') | Out-Null - if (-not $skipToUpdate) + if (-not $skipToUpdate -or $createdFromTemplate) { $AppIdValue = $currentAADApp.ObjectId } + $currentParameters.Add('ApplicationId', $AppIdValue) Write-Verbose -Message "Updating existing AzureAD Application {$DisplayName} with values:`r`n$($currentParameters | Out-String)" Update-MgApplication @currentParameters - $currentAADApp.Add('ID', $AppIdValue) + + if (-not $currentAADApp.ContainsKey('ID')) + { + $currentAADApp.Add('ID', $AppIdValue) + } $needToUpdatePermissions = $true $needToUpdateAuthenticationBehaviors = $true $needToUpdateKeyCredentials = $true @@ -843,7 +971,7 @@ function Set-TargetResource if ($needToUpdatePermissions -and -not [System.String]::IsNullOrEmpty($Permissions) -and $Permissions.Length -gt 0) { Write-Verbose -Message "Will update permissions for Azure AD Application {$($currentAADApp.DisplayName)}" - $allSourceAPIs = $Permissions.SourceAPI | Get-Unique + $allSourceAPIs = $Permissions.SourceAPI | Select-Object -Unique $allRequiredAccess = @() foreach ($sourceAPI in $allSourceAPIs) 
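Review bot: The wait loop after `Invoke-MgBetaInstantiateApplicationTemplate` exits after its first pass, because `$tries` is never initialised and `until ($null -eq $appEntity -or $tries -le 12)` is true whenever the application is not yet visible or fewer than 12 attempts were made, the opposite of the intent. Initialise `$tries = 0` before the `do` and change the condition to `} until ($null -ne $appEntity -or $tries -ge 12)`. The four `Write-Host "Ensure = ..."` lines sit outside the `if` and print to the console on every Set (the last one also has an unbalanced `)`), so they look like leftover debugging and should be removed or demoted to `Write-Verbose`. The hard-coded GUID `8adf8e6e-67b2-4cf2-a259-e3dc5476c621` deserves a comment saying why it is excluded, e.g. `# Generic 'custom application' template: nothing to instantiate` if that is what it is. The enclosing Set-TargetResource continues outside the hunk.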
@@ -933,8 +1061,85 @@ function Set-TargetResource if($needToUpdateKeyCredentials -and $KeyCredentials) { - Write-Warning -Message "KeyCredentials is a readonly property and cannot be configured." + Write-Verbose -Message "Updating for Azure AD Application {$($currentAADApp.DisplayName)} with KeyCredentials:`r`n$($KeyCredentials| Out-String)" + + if((currentAADApp.KeyCredentials.Length -eq 0 -and $KeyCredentials.Length -eq 1) -or (currentAADApp.KeyCredentials.Length -eq 1 -and $KeyCredentials.Length -eq 0)) + { + Update-MgApplication -ApplicationId $currentAADApp.Id -KeyCredentials $KeyCredentials | Out-Null + } + else + { + Write-Warning -Message "KeyCredentials cannot be updated for AAD Applications with more than one KeyCredentials due to technical limitation of Update-MgApplication Cmdlet. Learn more at: https://learn.microsoft.com/en-us/graph/api/application-addkey" + } } + + #region OnPremisesPublishing + if ($null -ne $OnPremisesPublishing) + { + $oppInfo = $OnPremisesPublishing + $onPremisesPublishingValue = @{ + alternateUrl = $oppInfo.alternateUrl + applicationServerTimeout = $oppInfo.applicationServerTimeout + externalAuthenticationType = $oppInfo.externalAuthenticationType + #externalUrl = $oppInfo.externalUrl + internalUrl = $oppInfo.internalUrl + isBackendCertificateValidationEnabled = $oppInfo.isBackendCertificateValidationEnabled + isHttpOnlyCookieEnabled = $oppInfo.isHttpOnlyCookieEnabled + isPersistentCookieEnabled = $oppInfo.isPersistentCookieEnabled + isSecureCookieEnabled = $oppInfo.isSecureCookieEnabled + isStateSessionEnabled = $oppInfo.isStateSessionEnabled + isTranslateHostHeaderEnabled = $oppInfo.isTranslateHostHeaderEnabled + isTranslateLinksInBodyEnabled = $oppInfo.isTranslateLinksInBodyEnabled + } + + # onPremisesApplicationSegments + $segmentValues = @() + foreach ($segment in $oppInfo.onPremisesApplicationSegments) + { + $entry = @{ + alternateUrl = $segment.AlternateUrl + externalUrl = $segment.externalUrl + internalUrl = 
$segment.internalUrl + } + + $corsConfigurationValues = @() + foreach ($cors in $segment.corsConfigurations) + { + $corsEntry = @{ + allowedHeaders = [Array]($cors.allowedHeaders) + allowedMethods = [Array]($cors.allowedMethods) + allowedOrigins = [Array]($cors.allowedOrigins) + maxAgeInSeconds = $cors.maxAgeInSeconds + resource = $cors.resource + } + $corsConfigurationValues += $corsEntry + } + $entry.Add('corsConfigurations', $corsConfigurationValues) + $segmentValues += $entry + } + $onPremisesPublishingValue.Add('onPremisesApplicationSegments', $segmentValues) + + # singleSignOnSettings + $singleSignOnValues = @{ + kerberosSignOnSettings = @{ + kerberosServicePrincipalName = $oppInfo.singleSignOnSettings.kerberosSignOnSettings.kerberosServicePrincipalName + kerberosSignOnMappingAttributeType = $oppInfo.singleSignOnSettings.kerberosSignOnSettings.kerberosSignOnMappingAttributeType + } + singleSignOnMode = $oppInfo.singleSignOnSettings.singleSignOnMode + } + if ($null -eq $singleSignOnValues.kerberosSignOnSettings.kerberosServicePrincipalName) + { + $singleSignOnValues.Remove('kerberosSignOnSettings') | Out-Null + } + + $onPremisesPublishingValue.Add('singleSignOnSettings', $singleSignOnValues) + $onPremisesPayload = ConvertTo-Json $onPremisesPublishingValue -Depth 10 -Compress + Write-Verbose -Message "Updating the OnPremisesPublishing settings for application {$($currentAADApp.DisplayName)} with payload: $onPremisesPayload" + Invoke-MgGraphRequest -Method 'PATCH' ` + -Uri "https://graph.microsoft.com/beta/applications/$($currentAADApp.Id)/onPremisesPublishing" ` + -Body $onPremisesPayload + } + #endregion } function Test-TargetResource 
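Review bot: Both KeyCredentials length checks reference `currentAADApp.KeyCredentials.Length` without the `$` sigil, so PowerShell parses `currentAADApp.KeyCredentials.Length` as a command name and the `if` throws a CommandNotFoundException on every run that reaches it. Change both occurrences to `$currentAADApp.KeyCredentials.Length`. Note also that when the application was just created from a template, `$currentAADApp` is the hashtable built earlier in this function with only `AppId`/`Id`/`DisplayName`/`ObjectId` keys, so `.KeyCredentials.Length` yields `$null` rather than 0; a `@($currentAADApp.KeyCredentials).Count -eq 0` comparison handles both shapes. The enclosing Set-TargetResource continues outside the hunk.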
@@ -1027,6 +1232,14 @@ function Test-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $Permissions, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $OnPremisesPublishing, + + [Parameter()] + [System.String] + $ApplicationTemplateId, + [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] @@ -1112,7 +1325,7 @@ function Test-TargetResource } $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - + $testTargetResource = $true #Compare Cim instances @@ -1125,13 +1338,13 @@ function Test-TargetResource $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - + if (-not $testResult) { Write-Verbose "TestResult returned False for $source" $testTargetResource = $false } - else { + else { $ValuesToCheck.Remove($key) | Out-Null } } @@ -1144,7 +1357,6 @@ function Test-TargetResource $ValuesToCheck.Remove('AppId') | Out-Null $ValuesToCheck.Remove('Permissions') | Out-Null - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` @@ -1222,7 +1434,7 @@ function Export-TargetResource try { $Script:ExportMode = $true - [array] $Script:exportedInstances = Get-MgApplication -Filter $Filter -All -ErrorAction Stop + [array] $Script:exportedInstances = Get-MgBetaApplication -Filter $Filter -All -ErrorAction Stop foreach ($AADApp in $Script:exportedInstances) { if ($null -ne $Global:M365DSCExportResourceInstancesCount) 
@@ -1300,6 +1512,47 @@ function Export-TargetResource } } + if ($null -ne $Results.OnPremisesPublishing.singleSignOnSettings) + { + $complexMapping = @( + @{ + Name = 'singleSignOnSettings' + CimInstanceName = 'AADApplicationOnPremisesPublishingSingleSignOnSetting' + IsRequired = $False + }, + @{ + Name = 'onPremisesApplicationSegments' + CimInstanceName = 'AADApplicationOnPremisesPublishingSegment' + IsRequired = $False + }, + @{ + Name = 'kerberosSignOnSettings' + CimInstanceName = 'AADApplicationOnPremisesPublishingSingleSignOnSettingKerberos' + IsRequired = $False + }, + @{ + Name = 'corsConfigurations' + CimInstanceName = 'AADApplicationOnPremisesPublishingSegmentCORS' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.OnPremisesPublishing ` + -CIMInstanceName 'AADApplicationOnPremisesPublishing' ` + -ComplexTypeMapping $complexMapping + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.OnPremisesPublishing = $complexTypeStringResult + } + else + { + $Results.Remove('OnPremisesPublishing') | Out-Null + } + } + else + { + $Results.Remove('OnPremisesPublishing') | Out-Null + } if ($null -ne $Results.OptionalClaims) { @@ -1406,6 +1659,10 @@ function Export-TargetResource { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "OptionalClaims" -IsCIMArray:$False } + if ($Results.OnPremisesPublishing) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "OnPremisesPublishing" -IsCIMArray:$False + } if ($Results.AuthenticationBehaviors) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "AuthenticationBehaviors" -IsCIMArray:$False 
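Review bot: The `if ($null -ne $Results.OnPremisesPublishing.singleSignOnSettings)` guard is really testing whether Get-TargetResource obtained an onPremisesPublishing object at all, since that function adds `singleSignOnSettings` unconditionally whenever the GET returned a value and otherwise leaves the hashtable empty; a reader of Export alone cannot see that. Add a comment above the condition such as `# singleSignOnSettings is only present when Get-TargetResource received an onPremisesPublishing object; an empty hashtable means App Proxy is not configured`. The two `$Results.Remove('OnPremisesPublishing')` branches could also be collapsed into a single removal after the `if`, which makes the null-or-blank handling easier to follow.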
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof index c78c43016d..21e278cc40 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.schema.mof 
@@ -1,3 +1,55 @@ +[ClassVersion("1.0.0")] +class MSFT_AADApplicationOnPremisesPublishingSegmentCORS +{ + [Write, Description("The request headers that the origin domain may specify on the CORS request. The wildcard character * indicates that any header beginning with the specified prefix is allowed.")] String allowedHeaders[]; + [Write, Description("The maximum amount of time that a browser should cache the response to the preflight OPTIONS request.")] UInt32 maxAgeInSeconds; + [Write, Description("Resource within the application segment for which CORS permissions are granted. / grants permission for whole app segment.")] String resource; + [Write, Description("The HTTP request methods that the origin domain may use for a CORS request.")] String allowedMethods[]; + [Write, Description("The origin domains that are permitted to make a request against the service via CORS. The origin domain is the domain from which the request originates. The origin must be an exact case-sensitive match with the origin that the user age sends to the service.")] String allowedOrigins[]; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADApplicationOnPremisesPublishingSegment +{ + [Write, Description("If you're configuring a traffic manager in front of multiple App Proxy application segments, contains the user-friendly URL that will point to the traffic manager.")] String alternateUrl; + [Write, Description("CORS Rule definition for a particular application segment."), EmbeddedInstance("MSFT_AADApplicationOnPremisesPublishingSegmentCORS")] String corsConfigurations[]; + [Write, Description("The published external URL for the application segment; for example, https://intranet.contoso.com./")] String externalUrl; + [Write, Description("The internal URL of the application segment; for example, https://intranet/.")] String internalUrl; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADApplicationOnPremisesPublishingSingleSignOnSettingKerberos +{ + [Write, Description("The Internal Application SPN of 
the application server. This SPN needs to be in the list of services to which the connector can present delegated credentials.")] String kerberosServicePrincipalName; + [Write, Description("The Delegated Login Identity for the connector to use on behalf of your users. For more information, see Working with different on-premises and cloud identities . Possible values are: userPrincipalName, onPremisesUserPrincipalName, userPrincipalUsername, onPremisesUserPrincipalUsername, onPremisesSAMAccountName.")] String kerberosSignOnMappingAttributeType; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADApplicationOnPremisesPublishingSingleSignOnSetting +{ + [Write, Description("The preferred single-sign on mode for the application. Possible values are: none, onPremisesKerberos, aadHeaderBased,pingHeaderBased, oAuthToken.")] String singleSignOnMode; + [Write, Description("The Kerberos Constrained Delegation settings for applications that use Integrated Window Authentication."), EmbeddedInstance("MSFT_AADApplicationOnPremisesPublishingSingleSignOnSettingKerberos")] String kerberosSignOnSettings; +}; + +[ClassVersion("1.0.0")] +class MSFT_AADApplicationOnPremisesPublishing +{ + [Write, Description("If you're configuring a traffic manager in front of multiple App Proxy applications, the alternateUrl is the user-friendly URL that points to the traffic manager.")] String alternateUrl; + [Write, Description("The duration the connector waits for a response from the backend application before closing the connection. Possible values are default, long.")] String applicationServerTimeout; + [Write, Description("Details the pre-authentication setting for the application. Pre-authentication enforces that users must authenticate before accessing the app. Pass through doesn't require authentication. Possible values are: passthru, aadPreAuthentication.")] String externalAuthenticationType; + [Write, Description("The published external url for the application. 
For example, https://intranet-contoso.msappproxy.net/.")] String externalUrl; + [Write, Description("The internal url of the application. For example, https://intranet/.")] String internalUrl; + [Write, Description("Indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property is set to true by default. For all existing apps, the property is set to false.")] Boolean isBackendCertificateValidationEnabled; + [Write, Description("Indicates if the HTTPOnly cookie flag should be set in the HTTP response headers. Set this value to true to have Application Proxy cookies include the HTTPOnly flag in the HTTP response headers. If using Remote Desktop Services, set this value to False. Default value is false.")] Boolean isHttpOnlyCookieEnabled; + [Write, Description("Indicates if the Persistent cookie flag should be set in the HTTP response headers. Keep this value set to false. Only use this setting for applications that can't share cookies between processes. For more information about cookie settings, see Cookie settings for accessing on-premises applications in Microsoft Entra ID. Default value is false.")] Boolean isPersistentCookieEnabled; + [Write, Description("Indicates if the Secure cookie flag should be set in the HTTP response headers. Set this value to true to transmit cookies over a secure channel such as an encrypted HTTPS request. Default value is true.")] Boolean isSecureCookieEnabled; + [Write, Description("Indicates whether validation of the state parameter when the client uses the OAuth 2.0 authorization code grant flow is enabled. This setting allows admins to specify whether they want to enable CSRF protection for their apps.")] Boolean isStateSessionEnabled; + [Write, Description("Indicates if the application should translate urls in the response headers. Keep this value as true unless your application required the original host header in the authentication request. 
Default value is true.")] Boolean isTranslateHostHeaderEnabled; + [Write, Description("Indicates if the application should translate urls in the application body. Keep this value as false unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see Link translation with Application Proxy. Default value is false.")] Boolean isTranslateLinksInBodyEnabled; + [Write, Description("Represents the collection of application segments for an on-premises wildcard application that's published through Microsoft Entra application proxy."), EmbeddedInstance("MSFT_AADApplicationOnPremisesPublishingSegment")] String onPremisesApplicationSegments[]; + [Write, Description("Represents the single sign-on configuration for the on-premises application."), EmbeddedInstance("MSFT_AADApplicationOnPremisesPublishingSingleSignOnSetting")] String singleSignOnSettings; +}; + [ClassVersion("1.0.0")] class MSFT_AADApplicationPermission { 
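Review bot: Several properties whose descriptions enumerate a fixed set of allowed values — `applicationServerTimeout` (default, long), `externalAuthenticationType` (passthru, aadPreAuthentication), `singleSignOnMode` and `kerberosSignOnMappingAttributeType` — carry no `ValueMap`/`Values` qualifier, unlike `Ensure` in this same schema, so a mistyped value in a configuration is only caught when the PATCH to Graph fails. Consider e.g. `[Write, Description("..."), ValueMap{"default","long"}, Values{"default","long"}] String applicationServerTimeout;` for each of them. Two description typos: `user age sends` should read `user agent sends`, and `Integrated Window Authentication` should read `Integrated Windows Authentication`.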
@@ -102,6 +154,8 @@ class MSFT_AADApplication : OMI_BaseResource [Write, Description("Specifies whether this application is a public client (such as an installed application running on a mobile device). Default is false.")] Boolean PublicClient; [Write, Description("Specifies the URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.")] String ReplyURLs[]; [Write, Description("UPN or ObjectID values of the app's owners.")] String Owners[]; + [Write, Description("Represents the set of properties required for configuring Application Proxy for this application. Configuring these properties allows you to publish your on-premises application for secure remote access."), EmbeddedInstance("MSFT_AADApplicationOnPremisesPublishing")] String OnPremisesPublishing; + [Write, Description("Identifier of the associated Application Template.")] String ApplicationTemplateId; [Write, Description("Specify if the Azure AD App should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/MSFT_AADAuthenticationRequirement.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/MSFT_AADAuthenticationRequirement.psm1 new file mode 100644 index 0000000000..d78d5bfbf1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/MSFT_AADAuthenticationRequirement.psm1 
@@ -0,0 +1,382 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $PerUserMfaState, + + [Parameter(Mandatory = $true)] + [System.String] + $UserPrincipalName, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + + $getValue = $null + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/users/$UserPrincipalName/authentication/requirements" + $getValue = Invoke-MgGraphRequest -Method Get -Uri $url + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Authentication Requirement for user with UPN {$UserPrincipalName}" + return $nullResult + } + + Write-Verbose -Message "An Azure AD Authentication Method Policy Requirement for a user with UPN {$UserPrincipalName} was found." 
+ + $results = @{ + PerUserMfaState = $getValue.perUserMfaState + UserPrincipalName = $UserPrincipalName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $PerUserMfaState, + + [Parameter(Mandatory = $true)] + [System.String] + $UserPrincipalName, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/users/$UserPrincipalName/authentication/requirements" + + $params = @{} + if ($PerUserMfaState -eq 'enabled' -and $currentInstance.PerUserMfaState -eq 'disabled') + { + $params = @{ + "perUserMfaState" = "enabled" + } + } + elseif ($PerUserMfaState -eq 'disabled' -and $currentInstance.PerUserMfaState -eq 'enabled') + { + $params = @{ + "perUserMfaState" = "disabled" + } + } + + $jsonParams = $params | ConvertTo-Json + + Invoke-MgGraphRequest -Method PATCH -Uri $url -Body $jsonParams +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter()] + [ValidateSet('enabled', 'disabled')] + [System.String] + $PerUserMfaState, + + [Parameter(Mandatory = $true)] + [System.String] + $UserPrincipalName, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Authentication Requirement for a user with UPN {$UserPrincipalName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + $testResult = $true + + $CurrentValues.remove('Id') | Out-Null + $ValuesToCheck.remove('Id') | Out-Null + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + [array]$getValue = Get-MgUser -ErrorAction Stop | Where-Object -FilterScript {$null -ne $_.Id} + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.DisplayName)) + { + $displayedKey = $config.DisplayName + } + + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + UserPrincipalName = $config.UserPrincipalName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception 
$_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/MSFT_AADAuthenticationRequirement.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/MSFT_AADAuthenticationRequirement.schema.mof new file mode 100644 index 0000000000..f1182e0ff3 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/MSFT_AADAuthenticationRequirement.schema.mof @@ -0,0 +1,14 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADAuthenticationRequirement")] +class MSFT_AADAuthenticationRequirement : OMI_BaseResource +{ + [Write, Description("The state of the MFA enablement for the user. Possible values are: enabled, disabled."), ValueMap{"enabled","disabled"}, Values{"enabled","disabled"}] String PerUserMfaState; + [Key, Description("The unique identifier for an entity. Read-only.")] String UserPrincipalName; + + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; 
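Review bot: `Export-TargetResource` calls `Get-MgUser -ErrorAction Stop` without `-All`, so only the first page of users is enumerated and the per-user MFA state of everyone beyond it is silently missing from the export; use `Get-MgUser -All -ErrorAction Stop`, and note in the readme that the export then issues one `authentication/requirements` request per user in the tenant. In `Set-TargetResource`, when the desired state already matches (or `PerUserMfaState` is not supplied) `$params` stays empty and a `{}` PATCH is still sent; guard it with `if ($params.Count -gt 0) { Invoke-MgGraphRequest -Method PATCH -Uri $url -Body $jsonParams }`. `$UserPrincipalName` is interpolated into the URL path unescaped in both Get and Set; `[System.Uri]::EscapeDataString($UserPrincipalName)` keeps UPNs containing reserved characters from altering the request path. The `Where-Object -FilterScript {$null -ne $_.Id}` filter on the user list presumably never excludes anything and could be dropped.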
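Review bot: The `UserPrincipalName` key is described as "The unique identifier for an entity. Read-only.", which is the Graph `id` description and is misleading for a value the configuration author must supply. Suggest `[Key, Description("User Principal Name of the user whose per-user MFA requirement is managed.")] String UserPrincipalName;`.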
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/readme.md new file mode 100644 index 0000000000..8495f479ee --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/readme.md @@ -0,0 +1,6 @@ + +# AADAuthenticationRequirement + +## Description + +Azure AD Authentication Requirement Resource to set up Per-User MFA settings diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/settings.json new file mode 100644 index 0000000000..e56d74c0d4 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADAuthenticationRequirement/settings.json @@ -0,0 +1,40 @@ +{ + "resourceName": "AADAuthenticationRequirement", + "description": "This resource configures Azure AD Authentication MFA Requirements for a user.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": + [ + { + "name": "UserAuthenticationMethod.Read.All" + } + ], + "update": + [ + { + "name": "UserAuthenticationMethod.ReadWrite.All" + } + ] + }, + "application": { + "read": + [ + { + "name": "UserAuthenticationMethod.Read.All" + } + ], + "update": + [ + { + "name": "UserAuthenticationMethod.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/MSFT_AADConnectorGroupApplicationProxy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/MSFT_AADConnectorGroupApplicationProxy.psm1 new file mode 100644 index 0000000000..d77e4aa571 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/MSFT_AADConnectorGroupApplicationProxy.psm1 
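Review bot: `permissions.graph` lists only `UserAuthenticationMethod.Read.All`/`UserAuthenticationMethod.ReadWrite.All`, but `Export-TargetResource` in the accompanying .psm1 enumerates the tenant with `Get-MgUser`, which needs a directory user-read permission (likely `User.Read.All`) that is not declared here, so an export run with exactly the declared permissions would fail on the first call. Add that permission to both `read` lists or document the dependency. The `roles.read`/`roles.update` arrays are empty; since this resource toggles per-user MFA, a privileged change, the equivalent Entra roles should be listed if they are known.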
@@ -0,0 +1,475 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [ValidateSet('nam','eur','aus','asia','ind','unknownFutureValue')] + [System.String] + $Region, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + if (-not [string]::IsNullOrEmpty($Id)) + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $getValue = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + else + { + $getValue = Get-MgBetaOnPremisePublishingProfileConnectorGroup -ConnectorGroupId $Id -OnPremisesPublishingProfileId 'applicationProxy' -ErrorAction SilentlyContinue + } + } + + if ($null -eq $getValue -and -not [string]::IsNullOrEmpty($Id)) + { + Write-Verbose -Message "Could not find an Azure AD Connector Group Application Proxy with Name {$Name}" + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $getValue = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + else + { + $getValue = Get-MgBetaOnPremisePublishingProfileConnectorGroup -OnPremisesPublishingProfileId 'applicationProxy' -Filter "Name eq '$Name'" -ErrorAction Stop + } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Azure AD Connector Group Application Proxy with Name {$Name}" + return $nullResult + } + + $Id = $getValue.Id + Write-Verbose -Message "An Azure AD Connector Group Application Proxy with Id {$Id} and Name {$Name} was found" + + $enumRegion = $null + if ($null -ne $getValue.Region) + { + $enumRegion = $getValue.Region.ToString() + } + #endregion + + $results = @{ + #region resource generator code + Name = $getValue.Name + Region = $enumRegion + Id = 
$getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [ValidateSet('nam','eur','aus','asia','ind','unknownFutureValue')] + [System.String] + $Region, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + $OnPremisesPublishingProfileId = "applicationProxy" + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Azure AD Connector Group Application Proxy with Name {$DisplayName}" + + $createParameters = ([Hashtable]$BoundParameters).Clone() + $createParameters = Rename-M365DSCCimInstanceParameter -Properties $createParameters + $createParameters.Remove('Id') | Out-Null + + #region resource generator code + $policy = New-MgBetaOnPremisePublishingProfileConnectorGroup ` + -OnPremisesPublishingProfileId $OnPremisesPublishingProfileId ` + -BodyParameter $createParameters + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Azure AD Connector Group Application Proxy with Id {$($currentInstance.Id)}" + + $updateParameters = ([Hashtable]$BoundParameters).Clone() + $updateParameters.Remove('Id') | Out-Null + + Update-MgBetaOnPremisePublishingProfileConnectorGroup ` + -ConnectorGroupId $currentInstance.Id ` + -OnPremisesPublishingProfileId $OnPremisesPublishingProfileId ` + -BodyParameter $UpdateParameters + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Azure AD Connector Group Application Proxy with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaOnPremisePublishingProfileConnectorGroup ` + -ConnectorGroupId 
$currentInstance.Id ` + -OnPremisesPublishingProfileId $OnPremisesPublishingProfileId + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter()] + [ValidateSet('nam','eur','aus','asia','ind','unknownFutureValue')] + [System.String] + $Region, + + [Parameter()] + [System.String] + $Id, + + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Azure AD Connector Group Application Proxy with Id {$Id} and Name {$Name}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = 
New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaOnPremisePublishingProfileConnectorGroup -OnPremisesPublishingProfileId 'applicationProxy' -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + Name = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return 
$dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/MSFT_AADConnectorGroupApplicationProxy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/MSFT_AADConnectorGroupApplicationProxy.schema.mof
new file mode 100644
index 0000000000..f38974f6d8
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/MSFT_AADConnectorGroupApplicationProxy.schema.mof
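Review bot: The fallback lookup by Name in Get-TargetResource is dead code: it tests `$DisplayName`, which is not a parameter of this function, and the enclosing condition only runs when an Id was supplied and not found, so a configuration that specifies only Name (the MOF key) always comes back Absent and Set-TargetResource re-creates the connector group on every run. The same undefined `$DisplayName` appears in the "Creating …" verbose message of Set-TargetResource. Name is also interpolated unescaped into the OData `-Filter` string, so a value containing a single quote produces a malformed query; doubling the quote keeps the literal well-formed. Export-TargetResource never sets `$Script:ExportMode` or `$Script:exportedInstances`, so the export-cache branch in Get-TargetResource appears unreachable here, unlike the CustomSecurityAttributeDefinition resource in this commit.
```powershell
# … unchanged: lookup by Id when $Id is supplied …
if ($null -eq $getValue -and -not [string]::IsNullOrEmpty($Name))
{
    if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
    {
        $getValue = $Script:exportedInstances | Where-Object -FilterScript { $_.Name -eq $Name }
    }
    else
    {
        # Double any single quote so Name cannot break out of the OData string literal
        $escapedName = $Name.Replace("'", "''")
        $getValue = Get-MgBetaOnPremisePublishingProfileConnectorGroup -OnPremisesPublishingProfileId 'applicationProxy' -Filter "Name eq '$escapedName'" -ErrorAction Stop
    }
}
# … unchanged: null check and result construction …
```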
@@ -0,0 +1,16 @@
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADConnectorGroupApplicationProxy")]
+class MSFT_AADConnectorGroupApplicationProxy : OMI_BaseResource
+{
+ [Key, Description("The name associated with the connectorGroup.")] String Name;
+ [Write, Description("The region the connectorGroup is assigned to and will optimize traffic for. This region can only be set if no connectors or applications are assigned to the connectorGroup. The possible values are: nam (for North America), eur (for Europe), aus (for Australia), asia (for Asia), ind (for India), and unknownFutureValue."), ValueMap{"nam","eur","aus","asia","ind","unknownFutureValue"}, Values{"nam","eur","aus","asia","ind","unknownFutureValue"}] String Region;
+ [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
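Review bot: The Ensure description reads "Present ensures the policy exists" although this class models a connector group, and Id is documented as "Read-only" while it is declared Write and accepted as a parameter by every *-TargetResource function in this commit; both read as copied from another resource. Suggested text: `[Write, Description("Unique identifier of the connector group, assigned by the service.")] String Id;` and `[Write, Description("Present ensures the connector group exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;`.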
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/readme.md
new file mode 100644
index 0000000000..8067eb666a
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/readme.md
@@ -0,0 +1,6 @@
+
+# AADConnectorGroupApplicationProxy
+
+## Description
+
+Azure AD Connector Group Application Proxy
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/settings.json
new file mode 100644
index 0000000000..aa6b7ca3b9
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConnectorGroupApplicationProxy/settings.json
@@ -0,0 +1,33 @@
+{
+ "resourceName": "AADConnectorGroupApplicationProxy",
+ "description": "This resource configures an Azure AD Connector Group Application Proxy.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "Directory.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Directory.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Directory.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Directory.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
+
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1
new file mode 100644
index 0000000000..e8090ba85e
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.psm1
@@ -0,0 +1,486 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $AttributeSet, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsCollection, + + [Parameter()] + [System.Boolean] + $IsSearchable, + + [Parameter()] + [System.String] + $Status, + + [Parameter()] + [System.String] + $Type, + + [Parameter()] + [System.Boolean] + $UsePreDefinedValuesOnly, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Name -eq $Name} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($Id)) + { + $instance = Get-MgBetaDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId $Id ` + -ErrorAction SilentlyContinue + } + if ($null -eq $instance) + { + $instance = Get-MgBetaDirectoryCustomSecurityAttributeDefinition -Filter "Name eq '$Name'" ` + -ErrorAction SilentlyContinue + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Name = $instance.Name + AttributeSet = $instance.AttributeSet + Id = $instance.Id + Description = $instance.Description + IsCollection = $instance.IsCollection + IsSearchable = $instance.IsSearchable + Status = $instance.Status + Type = $instance.Type + UsePreDefinedValuesOnly = $instance.UsePreDefinedValuesOnly + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + 
-TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $AttributeSet, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsCollection, + + [Parameter()] + [System.Boolean] + $IsSearchable, + + [Parameter()] + [System.String] + $Status, + + [Parameter()] + [System.String] + $Type, + + [Parameter()] + [System.Boolean] + $UsePreDefinedValuesOnly, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $setParameters.Remove('Id') | Out-Null + Write-Verbose -Message "Creating new Atribute Definition {$Name}" + New-MgBetaDirectoryCustomSecurityAttributeDefinition @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating Atribute Definition {$Name}" + $setParameters.Add('CustomSecurityAttributeDefinitionId', $currentInstance.Id) + $setParameters.Remove('Id') | Out-Null + $setParameters.Remove('AttributeSet') | Out-Null + $setParameters.Remove('IsCollection') | Out-Null + $setParameters.Remove('IsSearchable') | Out-Null + $setParameters.Remove('Name') | Out-Null + $setParameters.Remove('Type') | Out-Null + Update-MgBetaDirectoryCustomSecurityAttributeDefinition @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Atribute Definition {$Name}. 
Setting its status to 'Deprecated'" + Update-MgBetaDirectoryCustomSecurityAttributeDefinition -CustomSecurityAttributeDefinitionId $currentInstance.Id ` + -Status 'Deprecated' + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Name, + + [Parameter(Mandatory = $true)] + [System.String] + $AttributeSet, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsCollection, + + [Parameter()] + [System.Boolean] + $IsSearchable, + + [Parameter()] + [System.String] + $Status, + + [Parameter()] + [System.String] + $Type, + + [Parameter()] + [System.Boolean] + $UsePreDefinedValuesOnly, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDirectoryCustomSecurityAttributeDefinition -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + Name = $config.Name + AttributeSet = $config.AttributeSet + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source 
$($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof
new file mode 100644
index 0000000000..f440bccc52
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/MSFT_AADCustomSecurityAttributeDefinition.schema.mof
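Review bot: The fallback lookup in Get-TargetResource filters on Name alone, but the schema added in this commit declares both Name and AttributeSet as keys and states that Name is only unique within an attribute set, so a definition with the same name in a different set can be returned and then modified by Set-TargetResource. Both the export-cache branch (`{$_.Name -eq $Name -and $_.AttributeSet -eq $AttributeSet}`) and the Graph call should constrain on AttributeSet, e.g. `$escapedName = $Name.Replace("'", "''")`, `$escapedSet = $AttributeSet.Replace("'", "''")` and `-Filter "Name eq '$escapedName' and AttributeSet eq '$escapedSet'"`, assuming the API accepts a filter on attributeSet; the quote doubling also stops a Name containing `'` from breaking the OData literal. `$instance` is never initialised before the `$null -eq $instance` checks, so if the module is ever run under Set-StrictMode the first check fails whenever no Id is supplied; an `$instance = $null` ahead of the try block avoids that. The verbose messages in Set-TargetResource spell "Atribute".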
@@ -0,0 +1,21 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AADCustomSecurityAttributeDefinition")]
+class MSFT_AADCustomSecurityAttributeDefinition : OMI_BaseResource
+{
+ [Key, Description("Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive.")] String Name;
+ [Key, Description("Name of the attribute set. Case sensitive.")] String AttributeSet;
+ [Write, Description("Unique identifier of the Attribute Definition.")] String Id;
+ [Write, Description("Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. ")] String Description;
+ [Write, Description("Indicates whether multiple values can be assigned to the custom security attribute. Can't be changed later. If type is set to Boolean, isCollection can't be set to true.")] Boolean IsCollection;
+ [Write, Description("Indicates whether custom security attribute values are indexed for searching on objects that are assigned attribute values. Can't be changed later.")] Boolean IsSearchable;
+ [Write, Description("Specifies whether the custom security attribute is active or deactivated. Acceptable values are Available and Deprecated. Can be changed later.")] String Status;
+ [Write, Description("Data type for the custom security attribute values. Supported types are: Boolean, Integer, and String. Can't be changed later.")] String Type;
+ [Write, Description("Indicates whether only predefined values can be assigned to the custom security attribute. If set to false, free-form values are allowed. Can later be changed from true to false, but can't be changed from false to true. If type is set to Boolean, usePreDefinedValuesOnly can't be set to true.")] Boolean UsePreDefinedValuesOnly;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/readme.md
new file mode 100644
index 0000000000..79eaf29c71
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/readme.md
@@ -0,0 +1,6 @@
+
+# AADCustomSecurityAttributeDefinition
+
+## Description
+
+Configures custom security attribute definitions in Entra Id.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json
new file mode 100644
index 0000000000..9381adbf42
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADCustomSecurityAttributeDefinition/settings.json
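Review bot: Status and Type are declared as plain String although their descriptions enumerate a closed set of values (Available/Deprecated; Boolean/Integer/String), and the Set-TargetResource in this commit writes Status 'Deprecated' verbatim, so a misspelt value in a configuration is only rejected when the Graph call fails. Adding ValueMap/Values to both, as already done for Ensure, validates them at configuration compile time: `ValueMap{"Available","Deprecated"}, Values{"Available","Deprecated"}] String Status;` and `ValueMap{"Boolean","Integer","String"}, Values{"Boolean","Integer","String"}] String Type;`.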
@@ -0,0 +1,32 @@
+{
+ "resourceName": "AADCustomSecurityAttributeDefinition",
+ "description": "Configures custom security attribute definitions in Entra Id.",
+ "roles": {
+ "read": [
+ "Attribute Definition Reader"
+ ],
+ "update": [
+ "Attribute Definition Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [
+ {
+ "name": "CustomSecAttributeDefinition.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "CustomSecAttributeDefinition.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/MSFT_AADDeviceRegistrationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/MSFT_AADDeviceRegistrationPolicy.psm1
new file mode 100644
index 0000000000..c6d32acefa
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/MSFT_AADDeviceRegistrationPolicy.psm1
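Review bot: The delegated read and update permission lists are empty while the resource's *-TargetResource functions in this commit accept a Credential parameter, so a delegated (credential-based) caller gets no guidance on what consent is needed. If delegated access is meant to be supported, the delegated block should list the same CustomSecAttributeDefinition.Read.All / CustomSecAttributeDefinition.ReadWrite.All entries as the application block, subject to confirming those permissions are offered in the delegated flavour; if it is deliberately application-only, a short note in readme.md saying so would make that clear.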
@@ -0,0 +1,603 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [Boolean] + $AzureADJoinIsAdminConfigurable, + + [Parameter()] + [ValidateSet('All', 'Selected', 'None')] + [System.String] + $AzureADAllowedToJoin, + + [Parameter()] + [System.String[]] + $AzureADAllowedToJoinUsers, + + [Parameter()] + [System.String[]] + $AzureADAllowedToJoinGroups, + + [Parameter()] + [System.Boolean] + $MultiFactorAuthConfiguration, + + [Parameter()] + [System.Boolean] + $LocalAdminsEnableGlobalAdmins, + + [Parameter()] + [System.Boolean] + $LocalAdminPasswordIsEnabled, + + [Parameter()] + [ValidateSet('All', 'Selected', 'None')] + [System.String] + $AzureAdJoinLocalAdminsRegisteringMode, + + [Parameter()] + [System.String[]] + $AzureAdJoinLocalAdminsRegisteringGroups, + + [Parameter()] + [System.String[]] + $AzureAdJoinLocalAdminsRegisteringUsers, + + [Parameter()] + [System.UInt32] + $UserDeviceQuota, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $getValue = Get-MgBetaPolicyDeviceRegistrationPolicy -ErrorAction Stop + + $AzureADAllowedToJoin = 'None' + $AzureADAllowedToJoinUsers = @() + $AzureADAllowedToJoinGroups = @() + if ($getValue.AzureADJoin.AllowedToJoin.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.allDeviceRegistrationMembership') + { + $AzureADAllowedToJoin = 'All' + } + elseif ($getValue.AzureADJoin.AllowedToJoin.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.enumeratedDeviceRegistrationMembership') + { + $AzureADAllowedToJoin = 'Selected' + + foreach ($userId in $getValue.AzureAdJoin.AllowedToJoin.AdditionalProperties.users) + { + $userInfo = Get-MgUser -UserId $userId + $AzureADAllowedToJoinUsers += $userInfo.UserPrincipalName + } + + foreach ($groupId in $getValue.AzureAdJoin.AllowedToJoin.AdditionalProperties.groups) + { + $groupInfo = Get-MgGroup -GroupId $groupId + $AzureADAllowedToJoinGroups += $groupInfo.DisplayName + } + } + + $AzureAdJoinLocalAdminsRegisteringUsers = @() + $AzureAdJoinLocalAdminsRegisteringGroups = @() + $AzureAdJoinLocalAdminsRegisteringMode = 'All' + + if ($getValue.AzureAdJoin.LocalAdmins.RegisteringUsers.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.noDeviceRegistrationMembership') + { + $AzureAdJoinLocalAdminsRegisteringMode = 'None' + } + elseif ($getValue.AzureAdJoin.LocalAdmins.RegisteringUsers.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.enumeratedDeviceRegistrationMembership') + { + $AzureAdJoinLocalAdminsRegisteringMode = 'Selected' + foreach ($userId in $getValue.AzureAdJoin.LocalAdmins.RegisteringUsers.AdditionalProperties.users) + { + $userInfo = Get-MgUser 
-UserId $userId + $AzureAdJoinLocalAdminsRegisteringUsers += $userInfo.UserPrincipalName + } + + foreach ($groupId in $getValue.AzureAdJoin.LocalAdmins.RegisteringUsers.AdditionalProperties.groups) + { + $groupInfo = Get-MgGroup -GroupId $groupId + $AzureAdJoinLocalAdminsRegisteringGroups += $groupInfo.DisplayName + } + } + + $MultiFactorAuthConfiguration = $false + if ($getValue.MultiFactorAuthConfiguration -eq 'required') + { + $MultiFactorAuthConfiguration = $true + } + $LocalAdminsEnableGlobalAdmins = $true + if (-not $getValue.AzureAdJoin.LocalAdmins.EnableGlobalAdmins) + { + $LocalAdminsEnableGlobalAdmins = $false + } + $results = @{ + IsSingleInstance = 'Yes' + AzureADAllowedToJoin = $AzureADAllowedToJoin + AzureADAllowedToJoinGroups = $AzureADAllowedToJoinGroups + AzureADAllowedToJoinUsers = $AzureADAllowedToJoinUsers + UserDeviceQuota = $getValue.UserDeviceQuota + MultiFactorAuthConfiguration = $MultiFactorAuthConfiguration + LocalAdminsEnableGlobalAdmins = $LocalAdminsEnableGlobalAdmins + LocalAdminPasswordIsEnabled = [Boolean]$getValue.LocalAdminPassword.IsEnabled + AzureAdJoinLocalAdminsRegisteringMode = $AzureAdJoinLocalAdminsRegisteringMode + AzureAdJoinLocalAdminsRegisteringGroups = $AzureAdJoinLocalAdminsRegisteringGroups + AzureAdJoinLocalAdminsRegisteringUsers = $AzureAdJoinLocalAdminsRegisteringUsers + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + 
[System.String] + $IsSingleInstance, + + [Parameter()] + [Boolean] + $AzureADJoinIsAdminConfigurable, + + [Parameter()] + [ValidateSet('All', 'Selected', 'None')] + [System.String] + $AzureADAllowedToJoin, + + [Parameter()] + [System.String[]] + $AzureADAllowedToJoinUsers, + + [Parameter()] + [System.String[]] + $AzureADAllowedToJoinGroups, + + [Parameter()] + [System.Boolean] + $MultiFactorAuthConfiguration, + + [Parameter()] + [System.Boolean] + $LocalAdminsEnableGlobalAdmins, + + [Parameter()] + [System.Boolean] + $LocalAdminPasswordIsEnabled, + + [Parameter()] + [ValidateSet('All', 'Selected', 'None')] + [System.String] + $AzureAdJoinLocalAdminsRegisteringMode, + + [Parameter()] + [System.String[]] + $AzureAdJoinLocalAdminsRegisteringGroups, + + [Parameter()] + [System.String[]] + $AzureAdJoinLocalAdminsRegisteringUsers, + + [Parameter()] + [System.UInt32] + $UserDeviceQuota, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $MultiFactorAuthConfigurationValue = "notRequired" + if ($MultiFactorAuthConfiguration) + { + $MultiFactorAuthConfigurationValue = 'required' + } + + $azureADRegistrationAllowedToRegister = "#microsoft.graph.noDeviceRegistrationMembership" + if ($AzureAdJoinLocalAdminsRegisteringMode -eq 'All') + { + $azureADRegistrationAllowedToRegister = "#microsoft.graph.allDeviceRegistrationMembership" + } + elseif ($AzureAdJoinLocalAdminsRegisteringMode -eq 'Selected') + { + $azureADRegistrationAllowedToRegister = "#microsoft.graph.enumeratedDeviceRegistrationMembership" + + $azureADRegistrationAllowedUsers = @() + foreach ($user in $AzureAdJoinLocalAdminsRegisteringUsers) + { + $userInfo = Get-MgUser -UserId $user + $azureADRegistrationAllowedUsers += $userInfo.Id + } + + $azureADRegistrationAllowedGroups = @() + foreach ($group in $AzureAdJoinLocalAdminsRegisteringGroups) + { + $groupInfo = Get-MgGroup -Filter "DisplayName eq '$group'" + $azureADRegistrationAllowedGroups += $groupInfo.Id + } + } + + $localAdminAllowedMode = "#microsoft.graph.noDeviceRegistrationMembership" + if ($AzureAdJoinLocalAdminsRegisteringMode -eq 'All') + { + $localAdminAllowedMode = "#microsoft.graph.allDeviceRegistrationMembership" + } + elseif ($AzureAdJoinLocalAdminsRegisteringMode -eq 'Selected') + { + $localAdminAllowedMode = "#microsoft.graph.enumeratedDeviceRegistrationMembership" + + $localAdminAllowedUsers = @() + foreach ($user in $AzureAdJoinLocalAdminsRegisteringUsers) + { + $userInfo = Get-MgUser -UserId $user + $localAdminAllowedUsers += $userInfo.Id + } + + $localAdminAllowedGroups = @() + foreach ($group in 
$AzureAdJoinLocalAdminsRegisteringGroups) + { + $groupInfo = Get-MgGroup -Filter "DisplayName eq '$group'" + $localAdminAllowedGroups += $groupInfo.Id + } + } + + $updateParameters = @{ + userDeviceQuota = $UserDeviceQuota + multiFactorAuthConfiguration = $MultiFactorAuthConfigurationValue + azureADJoin = @{ + isAdminConfigurable =$AzureADJoinIsAdminConfigurable + allowedToJoin = @{ + '@odata.type' = $azureADRegistrationAllowedToRegister + users = $AzureADAllowedToJoinUsers + groups = $AzureADAllowedToJoinGroups + } + localAdmins = @{ + enableGlobalAdmins = $LocalAdminsEnableGlobalAdmins + registeringUsers = @{ + '@odata.type' = $localAdminAllowedMode + users = $localAdminAllowedUsers + groups = $localAdminAllowedGroups + } + } + } + localAdminPassword = @{ + isEnabled = $LocalAdminPasswordIsEnabled + } + azureADRegistration = @{ + isAdminConfigurable = $false + allowedToRegister = @{ + '@odata.type' = "#microsoft.graph.allDeviceRegistrationMembership" + } + } + } + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/policies/deviceRegistrationPolicy' + Write-Verbose -Message "Updating Device Registration Policy with payload:`r`n$(ConvertTo-Json $updateParameters -Depth 10)" + Invoke-MgGraphRequest -Method PUT -Uri $uri -Body $updateParameters +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [ValidateSet('Yes')] + [System.String] + $IsSingleInstance, + + [Parameter()] + [Boolean] + $AzureADJoinIsAdminConfigurable, + + [Parameter()] + [ValidateSet('All', 'Selected', 'None')] + [System.String] + $AzureADAllowedToJoin, + + [Parameter()] + [System.String[]] + $AzureADAllowedToJoinUsers, + + [Parameter()] + [System.String[]] + $AzureADAllowedToJoinGroups, + + [Parameter()] + [System.Boolean] + $MultiFactorAuthConfiguration, + + [Parameter()] + [System.Boolean] + $LocalAdminsEnableGlobalAdmins, + + [Parameter()] + [System.Boolean] + 
$LocalAdminPasswordIsEnabled, + + [Parameter()] + [ValidateSet('All', 'Selected', 'None')] + [System.String] + $AzureAdJoinLocalAdminsRegisteringMode, + + [Parameter()] + [System.String[]] + $AzureAdJoinLocalAdminsRegisteringGroups, + + [Parameter()] + [System.String[]] + $AzureAdJoinLocalAdminsRegisteringUsers, + + [Parameter()] + [System.UInt32] + $UserDeviceQuota, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Device Registration Policy" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + 
[CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + $dscContent = $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host 
$Global:M365DSCEmojiGreenCheckMark
+ return $dscContent
+ }
+ catch
+ {
+ if ($_.ErrorDetails.Message -like "*Insufficient privileges*")
+ {
+ Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) Insufficient permissions or license to export Attribute Sets."
+ }
+ else
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+ }
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/MSFT_AADDeviceRegistrationPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/MSFT_AADDeviceRegistrationPolicy.schema.mof
new file mode 100644
index 0000000000..5096bb720f
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/MSFT_AADDeviceRegistrationPolicy.schema.mof
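Review bot: In Set-TargetResource the `allowedToJoin` scope (`$azureADRegistrationAllowedToRegister`) is derived from `$AzureAdJoinLocalAdminsRegisteringMode` and its users/groups instead of `$AzureADAllowedToJoin`, and the payload then passes the raw `$AzureADAllowedToJoinUsers`/`$AzureADAllowedToJoinGroups` (UPNs and display names, per Get-TargetResource) where the local-admin branch resolves them to object IDs. A configuration with `AzureADAllowedToJoin = 'None'` and `AzureAdJoinLocalAdminsRegisteringMode = 'All'` therefore writes an all-users join scope to the tenant, the opposite of the declared intent; the rewritten scope resolution is below. The PUT also hard-codes `azureADRegistration.allowedToRegister` to `allDeviceRegistrationMembership` with `isAdminConfigurable = $false`, so every Set resets the tenant's "users may register their devices" setting to All although the resource exposes no parameter for it — that deserves at least a comment, ideally a parameter. Smaller issues: `Get-MgGroup -Filter "DisplayName eq '$group'"` interpolates a configuration value into an OData filter without escaping single quotes and can return several groups, and Get-TargetResource's catch returns `$nullResult`, which is never assigned in that function (compare the AADDomain resource in this same commit).
```powershell
    $azureADRegistrationAllowedToRegister = "#microsoft.graph.noDeviceRegistrationMembership"
    $azureADRegistrationAllowedUsers = @()
    $azureADRegistrationAllowedGroups = @()
    if ($AzureADAllowedToJoin -eq 'All')
    {
        $azureADRegistrationAllowedToRegister = "#microsoft.graph.allDeviceRegistrationMembership"
    }
    elseif ($AzureADAllowedToJoin -eq 'Selected')
    {
        $azureADRegistrationAllowedToRegister = "#microsoft.graph.enumeratedDeviceRegistrationMembership"

        foreach ($user in $AzureADAllowedToJoinUsers)
        {
            $userInfo = Get-MgUser -UserId $user
            $azureADRegistrationAllowedUsers += $userInfo.Id
        }

        foreach ($group in $AzureADAllowedToJoinGroups)
        {
            # Escape single quotes so a display name cannot alter the OData filter.
            $escapedGroup = $group.Replace("'", "''")
            $groupInfo = Get-MgGroup -Filter "DisplayName eq '$escapedGroup'"
            $azureADRegistrationAllowedGroups += $groupInfo.Id
        }
    }

    # … unchanged: local-admin scope resolution ($localAdminAllowedMode etc.) …

    $updateParameters = @{
        # … unchanged: userDeviceQuota, multiFactorAuthConfiguration …
        azureADJoin = @{
            isAdminConfigurable = $AzureADJoinIsAdminConfigurable
            allowedToJoin = @{
                '@odata.type' = $azureADRegistrationAllowedToRegister
                users = $azureADRegistrationAllowedUsers
                groups = $azureADRegistrationAllowedGroups
            }
            # … unchanged: localAdmins …
        }
        # … unchanged: localAdminPassword, azureADRegistration …
    }
```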
@@ -0,0 +1,23 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADDeviceRegistrationPolicy")] +class MSFT_AADDeviceRegistrationPolicy : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Determines whether or not administrators can configure Azure AD Join.")] Boolean AzureADJoinIsAdminConfigurable; + [Write, Description("Specifies the maximum number of devices that a user can have within your organization before blocking new device registrations. The default value is set to 50. If this property isn't specified during the policy update operation, it's automatically reset to 0 to indicate that users aren't allowed to join any devices.")] UInt32 UserDeviceQuota; + [Write, Description("Scope that a device registration policy applies to."), ValueMap{"All", "Selected", "None"}, Values{"All", "Selected", "None"}] String AzureADAllowedToJoin; + [Write, Description("List of users that this policy applies to.")] String AzureADAllowedToJoinUsers[]; + [Write, Description("List of groups that this policy applies to.")] String AzureADAllowedToJoinGroups[]; + [Write, Description("Specifies the authentication policy for a user to complete registration using Microsoft Entra join or Microsoft Entra registered within your organization.")] Boolean MultiFactorAuthConfiguration; + [Write, Description("Indicates whether global administrators are local administrators on all Microsoft Entra-joined devices. This setting only applies to future registrations. 
Default is true.")] Boolean LocalAdminsEnableGlobalAdmins; + [Write, Description("Scope that a device registration policy applies to for local admins."), ValueMap{"All", "Selected", "None"}, Values{"All", "Selected", "None"}] String AzureAdJoinLocalAdminsRegisteringMode; + [Write, Description("List of groups that this policy applies to.")] String AzureAdJoinLocalAdminsRegisteringGroups[]; + [Write, Description("List of users that this policy applies to.")] String AzureAdJoinLocalAdminsRegisteringUsers[]; + [Write, Description("Specifies whether this policy scope is configurable by the admin. The default value is false. An admin can set it to true to enable Local Admin Password Solution (LAPS) within their organzation.")] Boolean LocalAdminPasswordIsEnabled; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/readme.md new file mode 100644 index 0000000000..740e58881b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/readme.md 
@@ -0,0 +1,6 @@
+
+# AADDeviceRegistrationPolicy
+
+## Description
+
+Represents the policy scope that controls quota restrictions, additional authentication, and authorization policies to register device identities to your organization.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/settings.json
new file mode 100644
index 0000000000..3324b5f4e0
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/settings.json
@@ -0,0 +1,34 @@
+{
+ "resourceName": "AADDeviceRegistrationPolicy",
+ "description": "Represents the policy scope that controls quota restrictions, additional authentication, and authorization policies to register device identities to your organization.",
+ "roles": {
+ "read": [
+ "Security Reader"
+ ],
+ "update": [
+ "Authentication Policy Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ ],
+ "update": [
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Policy.Read.DeviceConfiguration"
+ }
+ ],
+ "update": [
+ {
+ "name": "Policy.ReadWrite.DeviceConfiguration"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1
new file mode 100644
index 0000000000..6237de9617
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.psm1
@@ -0,0 +1,501 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $AuthenticationType, + + [Parameter()] + [System.String] + $AvailabilityStatus, + + [Parameter()] + [System.Boolean] + $IsAdminManaged, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsRoot, + + [Parameter()] + [System.Boolean] + $IsVerified, + + [Parameter()] + [System.UInt32] + $PasswordNotificationWindowInDays, + + [Parameter()] + [System.UInt32] + $PasswordValidityPeriodInDays, + + [Parameter()] + [System.String[]] + $SupportedServices, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $instance = Get-MgBetaDomain -DomainId $Id -ErrorAction SilentlyContinue + + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Id = $instance.Id + AuthenticationType = $instance.AuthenticationType + AvailabilityStatus = $instance.AvailabilityStatus + IsAdminManaged = $instance.IsAdminManaged + IsDefault = $instance.IsDefault + IsRoot = $instance.IsRoot + IsVerified = $instance.IsVerified + PasswordNotificationWindowInDays = $instance.PasswordNotificationWindowInDays + PasswordValidityPeriodInDays = $instance.PasswordValidityPeriodInDays + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $AuthenticationType, + + [Parameter()] + [System.String] + $AvailabilityStatus, + + [Parameter()] + [System.Boolean] + $IsAdminManaged, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsRoot, + + [Parameter()] + [System.Boolean] + $IsVerified, + + 
[Parameter()] + [System.UInt32] + $PasswordNotificationWindowInDays, + + [Parameter()] + [System.UInt32] + $PasswordValidityPeriodInDays, + + [Parameter()] + [System.String[]] + $SupportedServices, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + $NeedAdditionalUpdate = $false + $UpdatePasswordNotificationWindowInDays = $false + if (-not [System.String]::IsNullOrEmpty('PasswordNotificationWindowInDays')) + { + $NeedAdditionalUpdate = $true + $UpdatePasswordNotificationWindowInDays = $true + $setParameters.Remove('PasswordNotificationWindowInDays') | Out-Null + } + $UpdatePasswordValidityPeriodInDays = $false + if (-not [System.String]::IsNullOrEmpty($PasswordValidityPeriodInDays)) + { + $NeedAdditionalUpdate = $true + $UpdatePasswordValidityPeriodInDays = $true + $setParameters.Remove('PasswordValidityPeriodInDays') | Out-Null + } + + $payload = ConvertTo-Json $setParameters -Depth 10 -Compress + 
Write-Verbose -Message "Creating new custom domain name {$Id} with payload: `r`n$payload" + $domain = New-MgBetaDomain @setParameters + + if ($NeedAdditionalUpdate) + { + $UpdateParams = @{} + if ($UpdatePasswordNotificationWindowInDays) + { + Write-Verbose -Message "Updating PasswordNotificationWindowInDays for domain {$Id}" + $UpdateParams.Add('PasswordNotificationWindowInDays', $PasswordNotificationWindowInDays) + } + if ($UpdatePasswordValidityPeriodInDays) + { + Write-Verbose -Message "Updating PasswordValidityPeriodInDays for domain {$Id}" + $UpdateParams.Add('PasswordValidityPeriodInDays', $PasswordValidityPeriodInDays) + } + + Update-MgBetaDomain -DomainId $domain.Id @UpdateParams + } + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating custom domain name {$Id}" + $setParameters.Add('DomainId', $Id) + $setParameters.Remove('Id') | Out-Null + Update-MgBetaDomain @SetParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing custom domain name {$Id}" + Invoke-MgBetaForceDomainDelete -DomainId $Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [System.String] + $AuthenticationType, + + [Parameter()] + [System.String] + $AvailabilityStatus, + + [Parameter()] + [System.Boolean] + $IsAdminManaged, + + [Parameter()] + [System.Boolean] + $IsDefault, + + [Parameter()] + [System.Boolean] + $IsRoot, + + [Parameter()] + [System.Boolean] + $IsVerified, + + [Parameter()] + [System.UInt32] + $PasswordNotificationWindowInDays, + + [Parameter()] + [System.UInt32] + $PasswordValidityPeriodInDays, + + [Parameter()] + [System.String[]] + $SupportedServices, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + 
-InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDomain -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + 
-Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof
new file mode 100644
index 0000000000..bef859a557
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/MSFT_AADDomain.schema.mof
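Review bot: In Set-TargetResource's CREATE branch, `[System.String]::IsNullOrEmpty('PasswordNotificationWindowInDays')` tests a string literal rather than the parameter, so the condition is always true: the value is always stripped from the `New-MgBetaDomain` call and re-sent in a follow-up `Update-MgBetaDomain`, as `0` when the caller never set it (the sibling check on `$PasswordValidityPeriodInDays` has the same effect, since a UInt32 of 0 stringifies to "0" and is not empty). Use the bound-parameter set for both: `if ($PSBoundParameters.ContainsKey('PasswordNotificationWindowInDays'))` and `if ($PSBoundParameters.ContainsKey('PasswordValidityPeriodInDays'))`. `$SupportedServices` is accepted by all three functions but never returned by Get-TargetResource, so `Test-M365DSCParameterState` presumably compares the desired list against nothing and either ignores it or reports permanent drift — return it from `$instance.SupportedServices` or drop it from the schema. The REMOVE branch calls `Invoke-MgBetaForceDomainDelete`, which removes the domain regardless of objects still referencing it; a comment explaining why the force variant was chosen over `Remove-MgBetaDomain`, plus a verbose message naming the impact, would help an operator reviewing a configuration that drifts to `Ensure = 'Absent'`.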
@@ -0,0 +1,22 @@
+[ClassVersion("1.0.0.0"), FriendlyName("AADDomain")]
+class MSFT_AADDomain : OMI_BaseResource
+{
+ [Key, Description("Custom domain name.")] String Id;
+ [Write, Description("Indicates the configured authentication type for the domain. The value is either Managed or Federated. Managed indicates a cloud managed domain where Microsoft Entra ID performs user authentication. Federated indicates authentication is federated with an identity provider such as the tenant's on-premises Active Directory via Active Directory Federation Services.")] String AuthenticationType;
+ [Write, Description("This property is always null except when the verify action is used. When the verify action is used, a domain entity is returned in the response. The availabilityStatus property of the domain entity in the response is either AvailableImmediately or EmailVerifiedDomainTakeoverScheduled.")] String AvailabilityStatus;
+ [Write, Description("The value of the property is false if the DNS record management of the domain is delegated to Microsoft 365. Otherwise, the value is true. Not nullable")] Boolean IsAdminManaged;
+ [Write, Description("True if this is the default domain that is used for user creation. There's only one default domain per company. Not nullable.")] Boolean IsDefault;
+ [Write, Description("True if the domain is a verified root domain. Otherwise, false if the domain is a subdomain or unverified. Not nullable.")] Boolean IsRoot;
+ [Write, Description("True if the domain completed domain ownership verification. Not nullable.")] Boolean IsVerified;
+ [Write, Description("Specifies the number of days before a user receives notification that their password expires. If the property isn't set, a default value of 14 days is used.")] UInt32 PasswordNotificationWindowInDays;
+ [Write, Description("Specifies the length of time that a password is valid before it must be changed. If the property isn't set, a default value of 90 days is used.")] UInt32 PasswordValidityPeriodInDays;
+ [Write, Description("The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable.")] String SupportedServices[];
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/readme.md
new file mode 100644
index 0000000000..73e2845fc6
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/readme.md
@@ -0,0 +1,6 @@
+
+# AADDomain
+
+## Description
+
+Configures custom domain names in Entra Id.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/settings.json
new file mode 100644
index 0000000000..b222367240
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADDomain/settings.json @@ -0,0 +1,28 @@ +{ + "resourceName": "AADDomain", + "description": "Configures custom domain names in Entra Id.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "Domain.Read.All" + } + ], + "update": [ + { + "name": "Domain.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementSettings/MSFT_AADEntitlementManagementSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementSettings/MSFT_AADEntitlementManagementSettings.psm1 index f145e6744d..7ffb6e65bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementSettings/MSFT_AADEntitlementManagementSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementSettings/MSFT_AADEntitlementManagementSettings.psm1 @@ -28,6 +28,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -72,6 +76,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -120,6 +125,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -181,6 +190,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, 
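Review bot: The `delegated.read` and `delegated.update` arrays in the new AADDomain settings.json are empty even though the schema.mof added in this same commit exposes `Credential` (delegated authentication), so the generated permission list will state that no delegated permission is needed for this resource. Domain.Read.All and Domain.ReadWrite.All exist as delegated Graph permissions as well as application permissions; mirror the application block, `"delegated": { "read": [ { "name": "Domain.Read.All" } ], "update": [ { "name": "Domain.ReadWrite.All" } ] }`, as the sibling AADIdentityGovernanceLifecycleWorkflow settings.json later in this diff does. The `roles` arrays are empty too; if a least-privileged directory role covers domain management, listing it would keep the generated permission report complete.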
@@ -281,6 +294,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 new file mode 100644 index 0000000000..1e3a213421 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.psm1 
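Review bot: The new `ApplicationSecret = $ApplicationSecret` entry in Export-TargetResource's splat (the -281 hunk) depends on Export-TargetResource declaring an `$ApplicationSecret` parameter, but no hunk in this diff adds one there; only the Get/Set/Test param blocks at -28, -120 and -181 are touched, so if the parameter is not already present the splat silently passes `$null`. The resource's schema.mof is also not changed in this view; unless it already declares `ApplicationSecret` as an `MSFT_Credential` embedded instance, the DSC configuration compiler will reject the property even though the functions now accept it. Both enclosing functions start and end outside these hunks.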
@@ -0,0 +1,724 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Category, + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Boolean] + $IsSchedulingEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Tasks, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExecutionConditions, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + else + { + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflow -Filter "DisplayName eq '$DisplayName'" + } + if ($null -eq $instance) + { + return $nullResult + } + + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflow -WorkflowId $instance.Id + if($null -ne $instance) { + $executionConditionsResults = Get-M365DSCIdentityGovernanceWorkflowExecutionConditions -WorkflowId $instance.Id + $taskResults = Get-M365DSCIdentityGovernanceTasks -WorkflowId $instance.Id + } + + $results = @{ + DisplayName = $DisplayName; + Description = $instance.Description; + Category = $instance.Category; + IsEnabled = $instance.IsEnabled; + IsSchedulingEnabled = $instance.IsSchedulingEnabled; + Tasks = [Array]$taskResults + ExecutionConditions = $executionConditionsResults + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Host -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + 
[Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Category, + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Boolean] + $IsSchedulingEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Tasks, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExecutionConditions, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($null -ne $ExecutionConditions){ + $executionConditionsResult = @{ + Scope = @{ + Rule = $ExecutionConditions.ScopeValue.Rule + "@odata.type" = $ExecutionConditions.ScopeValue.ODataType + } + Trigger = @{ + OffsetInDays = $ExecutionConditions.TriggerValue.OffsetInDays + TimeBasedAttribute = $ExecutionConditions.TriggerValue.TimeBasedAttribute + "@odata.type" = $ExecutionConditions.TriggerValue.ODataType + } + "@odata.type" = $ExecutionConditions.ODataType + } + + 
$setParameters.Remove('ExecutionConditions') + $setParameters.Add('executionConditions', $executionConditionsResult) + } + + if ($null -ne $Tasks) { + $taskList = @() + + # Loop through each task and create a hashtable + foreach ($task in $Tasks) { + [Array]$argumentsArray = @() + + if ($task.Arguments) { + foreach ($arg in $task.Arguments) { + # Create a hashtable for each argument + $argumentsArray += @{ + Name = $arg.Name.ToString() + Value = $arg.Value.ToString() + } + } + } + $taskHashtable = @{ + DisplayName = $task.DisplayName.ToString() + Description = $task.Description.ToString() + Category = $task.Category.ToString() + IsEnabled = $task.IsEnabled + ExecutionSequence = $task.ExecutionSequence + ContinueOnError = $task.ContinueOnError + TaskDefinitionId = $task.TaskDefinitionId + + # If Arguments exist, populate the hashtable + Arguments = [Array]$argumentsArray + } + + # Add the task hashtable to the task list + $taskList += $taskHashtable + } + + $setParameters.Remove('Tasks') + $setParameters.Add('Tasks', $taskList) + } + + $UpdateParameters = ([Hashtable]$setParameters).clone() + + $newParams = @{} + $newParams.Add('workflow', $UpdateParameters) + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + New-MgBetaIdentityGovernanceLifecycleWorkflow @SetParameters + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflow -Filter "DisplayName eq '$DisplayName'" + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflow -WorkflowId $instance.Id + + New-MgBetaIdentityGovernanceLifecycleWorkflowNewVersion -WorkflowId $instance.Id -BodyParameter $newParams -ErrorAction Stop + + # the below implementation of Update cmdlet can't be used for updating parameters other than basic parameters like display name, + # description, isEnabled, isSchedulingEnabled. Hence using the new version cmdlet for exhaustive update scenarios. 
+ # Update-MgBetaIdentityGovernanceLifecycleWorkflow @setParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflow -Filter "DisplayName eq '$DisplayName'" + Remove-MgBetaIdentityGovernanceLifecycleWorkflow -WorkflowId $instance.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Category, + + [Parameter()] + [System.Boolean] + $IsEnabled, + + [Parameter()] + [System.Boolean] + $IsSchedulingEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Tasks, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExecutionConditions, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $testTargetResource = $true + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys ` + -IncludedDrifts $driftedParams + + if(-not $TestResult) + { + $testTargetResource = $false + } + + Write-Verbose -Message "Test-TargetResource returned $testTargetResource" + + return $testTargetResource +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + 
[Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityGovernanceLifecycleWorkflow -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.DisplayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.DisplayName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.Tasks) + { + $Results.Tasks = Get-M365DSCIdentityGovernanceTasksAsString $Results.Tasks + } + + if ($null -ne $Results.ExecutionConditions) + { + $Results.ExecutionConditions = Get-M365DSCIdentityGovernanceWorkflowExecutionConditionsAsString $Results.ExecutionConditions + } + + 
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($null -ne $Results.Tasks) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'Tasks' + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'ExecutionConditions' + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCIdentityGovernanceTasks +{ + [CmdletBinding()] + [OutputType([Array])] + param( + [Parameter(Mandatory = $true)] + $WorkflowId + ) + + + # Get the tasks from the specified workflow + $tasks = Get-MgBetaIdentityGovernanceLifecycleWorkflowTask -WorkflowId $WorkflowId + + # Initialize an array to hold the hashtables + $taskList = @() + + if($null -eq $tasks) + { + return $taskList + } + + # Loop through each task and create a hashtable + foreach ($task in $tasks) { + [Array]$argumentsArray = @() + + if ($task.Arguments) { + foreach ($arg in $task.Arguments) { + # Create a hashtable for each argument + $argumentsArray += @{ + Name = $arg.Name.ToString() + Value = $arg.Value.ToString() + } + } + } + $taskHashtable = @{ + DisplayName = $task.DisplayName.ToString() + Description = $task.Description.ToString() + Category = $task.Category.ToString() + IsEnabled = $task.IsEnabled + ExecutionSequence = $task.ExecutionSequence + ContinueOnError = $task.ContinueOnError + TaskDefinitionId = $task.TaskDefinitionId + + # If Arguments exist, 
populate the hashtable + Arguments = [Array]$argumentsArray + } + + # Add the task hashtable to the task list + $taskList += $taskHashtable + } + + return $taskList +} + +function Get-M365DSCIdentityGovernanceTasksAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $Tasks + ) + + $StringContent = [System.Text.StringBuilder]::new() + $StringContent.Append('@(') | Out-Null + + foreach ($task in $Tasks) + { + $StringContent.Append("`n MSFT_AADIdentityGovernanceTask {`r`n") | Out-Null + $StringContent.Append(" DisplayName = '" + $task.DisplayName + "'`r`n") | Out-Null + $StringContent.Append(" Description = '" + $task.Description.replace("'","''") + "'`r`n") | Out-Null + $StringContent.Append(" Category = '" + $task.Category + "'`r`n") | Out-Null + $StringContent.Append(" IsEnabled = $" + $task.IsEnabled + "`r`n") | Out-Null + $StringContent.Append(" ExecutionSequence = " + $task.ExecutionSequence + "`r`n") | Out-Null + $StringContent.Append(" ContinueOnError = $" + $task.ContinueOnError + "`r`n") | Out-Null + $StringContent.Append(" TaskDefinitionId = '" + $task.TaskDefinitionId + "'`r`n") | Out-Null + + if ($task.Arguments.Length -gt 0) + { + $StringContent.Append(" Arguments = @(`r`n") | Out-Null + foreach ($argument in $task.Arguments) + { + $StringContent.Append(" MSFT_AADIdentityGovernanceTaskArguments {`r`n") | Out-Null + $StringContent.Append(" Name = '" + $argument.Name + "'`r`n") | Out-Null + $StringContent.Append(" Value = '" + $argument.Value + "'`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + } + $StringContent.Append(" )`r`n") | Out-Null + } + else + { + $StringContent.Append(" Arguments = @()`r`n") | Out-Null + } + + $StringContent.Append(" }`r`n") | Out-Null + } + + $StringContent.Append(' )') | Out-Null + return $StringContent.ToString() +} + +function Get-M365DSCIdentityGovernanceWorkflowExecutionConditions +{ + [CmdletBinding()] + 
[OutputType([Hashtable])] + param( + [Parameter(Mandatory = $true)] + $WorkflowId + ) + + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflow -WorkflowId $WorkflowId + $executionConditionsResult = @{} + + if($null -ne $instance -and $null -ne $instance.ExecutionConditions){ + $executionConditions = $instance.ExecutionConditions.AdditionalProperties + $executionConditionsResult = @{ + ScopeValue = @{ + Rule = $ExecutionConditions['scope']['rule'] + OdataType = $ExecutionConditions['scope']['@odata.type'] + } + TriggerValue = @{ + OffsetInDays = $ExecutionConditions['trigger']['offsetInDays'] + TimeBasedAttribute = $ExecutionConditions['trigger']['timeBasedAttribute'] + ODataType = $ExecutionConditions['trigger']['@odata.type'] + } + OdataType = $ExecutionConditions['@odata.type'] + } + } + + return $executionConditionsResult +} + +function Get-M365DSCIdentityGovernanceWorkflowExecutionConditionsAsString { + [CmdletBinding()] + [OutputType([System.String])] + param ( + [Parameter(Mandatory = $true)] + [hashtable] $ExecutionConditions + ) + + $StringContent = [System.Text.StringBuilder]::new() + + # Start of execution conditions + $StringContent.Append("MSFT_IdentityGovernanceWorkflowExecutionConditions {`r`n") | Out-Null + + # Scope section + if ($null -ne $ExecutionConditions.ScopeValue) { + $StringContent.Append(" ScopeValue = MSFT_IdentityGovernanceScope {`r`n") | Out-Null + $StringContent.Append(" Rule = '" + $ExecutionConditions.ScopeValue.Rule.replace("'","''") + "'`r`n") | Out-Null + $StringContent.Append(" ODataType = '" + $ExecutionConditions.ScopeValue.ODataType + "'`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + } + + # Trigger section + if ($null -ne $ExecutionConditions.TriggerValue) { + $StringContent.Append(" TriggerValue = MSFT_IdentityGovernanceTrigger {`r`n") | Out-Null + $StringContent.Append(" OffsetInDays = " + $ExecutionConditions.TriggerValue.OffsetInDays + "`r`n") | Out-Null + $StringContent.Append(" TimeBasedAttribute = 
'" + $ExecutionConditions.TriggerValue.TimeBasedAttribute + "'`r`n") | Out-Null + $StringContent.Append(" ODataType = '" + $ExecutionConditions.TriggerValue.OdataType + "'`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + } + + # OdataType for executionConditions + if ($null -ne $ExecutionConditions.ODataType) { + $StringContent.Append(" ODataType = '" + $ExecutionConditions.ODataType + "'`r`n") | Out-Null + } + + # End of execution conditions + $StringContent.Append(" }") | Out-Null + + return $StringContent.ToString() +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof new file mode 100644 index 0000000000..6af12f51bb --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/MSFT_AADIdentityGovernanceLifecycleWorkflow.schema.mof 
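Review bot: The OData filter in Get-TargetResource, `-Filter "DisplayName eq '$DisplayName'"`, interpolates the key property unescaped, and Set-TargetResource repeats the same filter in its UPDATE and REMOVE branches; a display name containing a single quote yields a malformed filter, so Get reports Absent and Set then either creates a duplicate workflow or hands a null `$instance.Id` to Remove-MgBetaIdentityGovernanceLifecycleWorkflow (that branch also has no null check). Escape the quote at each of the three sites, e.g. `$escapedName = $DisplayName.Replace("'", "''")` followed by `-Filter "DisplayName eq '$escapedName'"`. The exported configuration has the mirror-image problem in Get-M365DSCIdentityGovernanceTasksAsString: Description is written through `.replace("'","''")` but DisplayName, Category, TaskDefinitionId and each argument Name/Value are not, so a tenant-supplied value containing an apostrophe produces a syntactically broken, or altered, DSC script; apply the same replace to every single-quoted value there and in Get-M365DSCIdentityGovernanceWorkflowExecutionConditionsAsString. Test-TargetResource additionally passes `-IncludedDrifts $driftedParams` without ever assigning `$driftedParams`, which fails under Set-StrictMode.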
@@ -0,0 +1,62 @@
+[ClassVersion("1.0.0")]
+class MSFT_IdentityGovernanceScope
+{
+ [Write, Description("The @odata.type for the Scope.")] String OdataType;
+ [Write, Description("The rule associated with the Scope.")] String Rule;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_IdentityGovernanceTrigger
+{
+ [Write, Description("The @odata.type for the Trigger.")] String OdataType;
+ [Write, Description("The time-based attribute for the Trigger.")] String TimeBasedAttribute;
+ [Write, Description("The offset in days for the Trigger.")] SInt32 OffsetInDays;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_IdentityGovernanceWorkflowExecutionConditions
+{
+ [Write, Description("The @odata.type for the Workflow Execution Conditions.")] String OdataType;
+ [Write, Description("The scope for the Workflow Execution Conditions."), EmbeddedInstance("MSFT_IdentityGovernanceScope")] String ScopeValue;
+ [Write, Description("The trigger for the Workflow Execution Conditions."), EmbeddedInstance("MSFT_IdentityGovernanceTrigger")] String TriggerValue;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADIdentityGovernanceTaskArguments
+{
+ [Key, Description("The name of the key")] String Name;
+ [Write, Description("The value associated with the key")] String Value;
+};
+
+[ClassVersion("1.0.0")]
+class MSFT_AADIdentityGovernanceTask
+{
+ [Write, Description("Specifies the display name of the Workflow Task")] String DisplayName;
+ [Write, Description("Description of the Workflow Task")] String Description;
+ [Write, Description("Category of the Workflow Task")] String Category;
+ [Write, Description("Indicates if the Workflow Task is enabled or not")] Boolean IsEnabled;
+ [Write, Description("The sequence in which the task is executed")] SInt32 ExecutionSequence;
+ [Write, Description("Specifies whether the task should continue on error")] Boolean ContinueOnError;
+ [Write, Description("ID of the task definition associated with this Workflow Task")] String TaskDefinitionId;
+ [Write, Description("Arguments for the Workflow Task"), EmbeddedInstance("MSFT_AADIdentityGovernanceTaskArguments")] String Arguments[];
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("AADIdentityGovernanceLifecycleWorkflow")]
+class MSFT_AADIdentityGovernanceLifecycleWorkflow : OMI_BaseResource
+{
+ [Key, Description("Specifies the Display Name of the Workflow")] String DisplayName;
+ [Write, Description("Description of the Workflow")] String Description;
+ [Write, Description("Category of the Workflow")] String Category;
+ [Write, Description("Indicates if the Workflow is enabled")] Boolean IsEnabled;
+ [Write, Description("Indicates if scheduling is enabled for the Workflow")] Boolean IsSchedulingEnabled;
+ [Write, Description("Tasks associated with this workflow"), EmbeddedInstance("MSFT_AADIdentityGovernanceTask")] String Tasks[];
+ [Write, Description("ExecutionConditions for this workflow"), EmbeddedInstance("MSFT_IdentityGovernanceWorkflowExecutionConditions")] String ExecutionConditions;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/readme.md
new file mode 100644
index 0000000000..37e7f8f0ac
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/readme.md
@@ -0,0 +1,6 @@
+
+# AADIdentityGovernanceLifecycleWorkflow
+
+## Description
+
+Use this resource to manage Lifecycle workflows.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/settings.json
new file mode 100644
index 0000000000..927836ff9b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADIdentityGovernanceLifecycleWorkflow/settings.json
@@ -0,0 +1,40 @@
+{
+ "resourceName": "AADIdentityGovernanceLifecycleWorkflow",
+ "description": "Use this resource to manage Lifecycle workflows.",
+ "roles": {
+ "read": [
+ "Security Reader"
+ ],
+ "update": [
+ "Security Administrator"
+ ]
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "LifecycleWorkflows.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "LifecycleWorkflows.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "LifecycleWorkflows.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "LifecycleWorkflows.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/MSFT_AADLifecycleWorkflowSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/MSFT_AADLifecycleWorkflowSettings.psm1
new file mode 100644
index 0000000000..94f4ab10ca
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/MSFT_AADLifecycleWorkflowSettings.psm1
@@ -0,0 +1,368 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.UInt32] + $WorkflowScheduleIntervalInHours, + + [Parameter()] + [System.String] + $SenderDomain, + + [Parameter()] + [System.Boolean] + $UseCompanyBranding, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $instance = Get-MgBetaIdentityGovernanceLifecycleWorkflowSetting -ErrorAction SilentlyContinue + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + IsSingleInstance = 'Yes' + WorkflowScheduleIntervalInHours = $instance.WorkflowScheduleIntervalInHours + SenderDomain = $instance.EmailSettings.SenderDomain + UseCompanyBranding = $instance.EmailSettings.UseCompanyBranding + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { 
+ Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.UInt32] + $WorkflowScheduleIntervalInHours, + + [Parameter()] + [System.String] + $SenderDomain, + + [Parameter()] + [System.Boolean] + $UseCompanyBranding, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $updateSettings = @{ + WorkflowScheduleIntervalInHours = $WorkflowScheduleIntervalInHours + EmailSettings = @{ + SenderDomain = $SenderDomain + UseCompanyBranding = $UseCompanyBranding + } + } + Write-Verbose -Message "Updating the lifecycle workflow settings with payload: $payload" + Update-MgBetaIdentityGovernanceLifecycleWorkflowSetting @updateSettings +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $IsSingleInstance, + + [Parameter()] + [System.UInt32] + $WorkflowScheduleIntervalInHours, + + [Parameter()] + [System.String] + $SenderDomain, + + [Parameter()] + [System.Boolean] + $UseCompanyBranding, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaIdentityGovernanceLifecycleWorkflowSetting -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + 
-Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/MSFT_AADLifecycleWorkflowSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/MSFT_AADLifecycleWorkflowSettings.schema.mof new file mode 100644 index 0000000000..aade973744 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/MSFT_AADLifecycleWorkflowSettings.schema.mof 
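Review bot: The splat at the end of Set-TargetResource sends every optional parameter whether or not the configuration bound it, so an omitted `WorkflowScheduleIntervalInHours` goes out as 0 (below the minimum of 1 stated in the schema description), an omitted `SenderDomain` as an empty string and an omitted `UseCompanyBranding` as `$false`, each overwriting the tenant's current value. Build the update body from `$PSBoundParameters` as sketched below; if the cmdlet insists on a complete `EmailSettings` object, fill the missing member from `Get-TargetResource` rather than from a parameter default. The verbose line in the same function references `$payload`, which is never assigned, so the log shows an empty payload — the sketch serialises the body into it. `$Ensure` is accepted but never read, and Set-TargetResource does not call `New-M365DSCConnection` the way Get-TargetResource and Export-TargetResource do, so it only works when an earlier call in the same session already established the Graph connection.
```powershell
    # … unchanged: parameter block, Confirm-M365DSCDependencies, telemetry …

    # Send only the settings the configuration actually bound; an unbound
    # [UInt32] would otherwise go out as 0 and an unbound string as '',
    # overwriting the tenant's current values.
    $updateSettings = @{}
    if ($PSBoundParameters.ContainsKey('WorkflowScheduleIntervalInHours'))
    {
        $updateSettings.WorkflowScheduleIntervalInHours = $WorkflowScheduleIntervalInHours
    }
    $emailSettings = @{}
    if ($PSBoundParameters.ContainsKey('SenderDomain'))
    {
        $emailSettings.SenderDomain = $SenderDomain
    }
    if ($PSBoundParameters.ContainsKey('UseCompanyBranding'))
    {
        $emailSettings.UseCompanyBranding = $UseCompanyBranding
    }
    if ($emailSettings.Count -gt 0)
    {
        $updateSettings.EmailSettings = $emailSettings
    }
    $payload = ConvertTo-Json -InputObject $updateSettings -Depth 5 -Compress
    Write-Verbose -Message "Updating the lifecycle workflow settings with payload: $payload"
    Update-MgBetaIdentityGovernanceLifecycleWorkflowSetting @updateSettings
```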
@@ -0,0 +1,15 @@ +[ClassVersion("1.0.0.0"), FriendlyName("AADLifecycleWorkflowSettings")] +class MSFT_AADLifecycleWorkflowSettings : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Specifies the domain that should be used when sending email notifications. This domain must be verified in order to be used. We recommend that you use a domain that has the appropriate DNS records to facilitate email validation, like SPF, DKIM, DMARC, and MX, because this then complies with the RFC compliance for sending and receiving email. For details, see Learn more about Exchange Online Email Routing.")] String SenderDomain; + [Write, Description("The interval in hours at which all workflows running in the tenant should be scheduled for execution. This interval has a minimum value of 1 and a maximum value of 24. The default value is 3 hours.")] UInt32 WorkflowScheduleIntervalInHours; + [Write, Description("Specifies if the organization's banner logo should be included in email notifications. The banner logo will replace the Microsoft logo at the top of the email notification. If true the banner logo will be taken from the tenant's branding settings. 
This value can only be set to true if the organizationalBranding bannerLogo property is set.")] Boolean UseCompanyBranding; + + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/readme.md new file mode 100644 index 0000000000..747af821a1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/readme.md @@ -0,0 +1,6 @@ + +# AADLifecycleWorkflowSettings + +## Description + +Update the properties of a lifecycleManagementSettings object. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/settings.json new file mode 100644 index 0000000000..ec4851eb0b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADLifecycleWorkflowSettings/settings.json 
@@ -0,0 +1,28 @@ +{ + "resourceName": "AADLifecycleWorkflowSettings", + "description": "Update the properties of a lifecycleManagementSettings object.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [ + { + "name": "LifecycleWorkflows.Read.All" + } + ], + "update": [ + { + "name": "LifecycleWorkflows.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index a32fd0d623..5640892910 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -32,6 +32,10 @@ function Get-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DelegatedPermissionClassifications, + [Parameter()] [System.String] $ErrorUrl, 
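Review bot: `roles.read`, `roles.update` and both `permissions.graph.delegated` lists are empty while the application lists name `LifecycleWorkflows.Read.All` and `LifecycleWorkflows.ReadWrite.All`, so the generated permission documentation will tell credential-based (delegated) users that this resource needs nothing. The sibling AADIdentityGovernanceLifecycleWorkflow settings.json in this commit lists the same two scopes under `delegated` and fills in roles; unless the settings endpoint is genuinely application-only, mirror that here. Get-TargetResource in the accompanying module accepts `Credential`, which suggests delegated access is expected to work.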
@@ -212,32 +216,43 @@ function Get-TargetResource } } + [Array]$complexDelegatedPermissionClassifications = @() + $permissionClassifications = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$AppId')/delegatedPermissionClassifications" -Method Get + foreach ($permissionClassification in $permissionClassifications.Value){ + $hashtable = @{ + classification = $permissionClassification.Classification + permissionName = $permissionClassification.permissionName + } + $complexDelegatedPermissionClassifications += $hashtable + } + $result = @{ - AppId = $AADServicePrincipal.AppId - AppRoleAssignedTo = $AppRoleAssignedToValues - ObjectID = $AADServicePrincipal.Id - DisplayName = $AADServicePrincipal.DisplayName - AlternativeNames = $AADServicePrincipal.AlternativeNames - AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled - AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired - ErrorUrl = $AADServicePrincipal.ErrorUrl - Homepage = $AADServicePrincipal.Homepage - LogoutUrl = $AADServicePrincipal.LogoutUrl - Owners = $ownersValues - PublisherName = $AADServicePrincipal.PublisherName - ReplyURLs = $AADServicePrincipal.ReplyURLs - SamlMetadataURL = $AADServicePrincipal.SamlMetadataURL - ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames - ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType - Tags = $AADServicePrincipal.Tags - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - ApplicationSecret = $ApplicationSecret - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens + AppId = $AADServicePrincipal.AppId + AppRoleAssignedTo = $AppRoleAssignedToValues + ObjectID = $AADServicePrincipal.Id + DisplayName = $AADServicePrincipal.DisplayName + AlternativeNames = $AADServicePrincipal.AlternativeNames + AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled + 
AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired + DelegatedPermissionClassifications = [Array]$complexDelegatedPermissionClassifications + ErrorUrl = $AADServicePrincipal.ErrorUrl + Homepage = $AADServicePrincipal.Homepage + LogoutUrl = $AADServicePrincipal.LogoutUrl + Owners = $ownersValues + PublisherName = $AADServicePrincipal.PublisherName + ReplyURLs = $AADServicePrincipal.ReplyURLs + SamlMetadataURL = $AADServicePrincipal.SamlMetadataURL + ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames + ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType + Tags = $AADServicePrincipal.Tags + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + ApplicationSecret = $ApplicationSecret + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens } Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)" return $result @@ -289,6 +304,10 @@ function Set-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DelegatedPermissionClassifications, + [Parameter()] [System.String] $ErrorUrl, @@ -398,6 +417,8 @@ function Set-TargetResource { $currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValue } + # removing Delegated permission classifications from this new call, as adding below separately + $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null $ObjectGuid = [System.Guid]::empty if (-not [System.Guid]::TryParse($AppId, [System.Management.Automation.PSReference]$ObjectGuid)) { 
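Review bot: The classification lookup interpolates `$AppId` into a hard-coded `https://graph.microsoft.com/v1.0/...` string, so the resource stops working in sovereign clouds whose Graph host differs, and it re-queries by appId although the service principal has already been resolved into `$AADServicePrincipal`. `Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $AADServicePrincipal.Id` performs the same read through the SDK, follows the active connection's endpoint and removes the string-built URI. The same hard-coded URI recurs in the Set-TargetResource hunks at `@@ -419` and `@@ -546`. This secondary call has no `-ErrorAction` of its own, so a transient failure on it abandons the whole result even though every other property was already retrieved; Get-TargetResource's body starts and ends outside the hunk.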
@@ -419,6 +440,17 @@ function Set-TargetResource Write-Verbose -Message "Adding new owner {$owner}" $newOwner = New-MgServicePrincipalOwnerByRef -ServicePrincipalId $newSP.Id -BodyParameter $body } + + #adding delegated permissions classifications + if($null -ne $DelegatedPermissionClassifications){ + foreach ($permissionClassification in $DelegatedPermissionClassifications){ + $params = @{ + classification = $permissionClassification.Classification + permissionName = $permissionClassification.permissionName + } + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params + } + } } # ServicePrincipal should exist and will be configured to desired state elseif ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Present') @@ -434,6 +466,7 @@ function Set-TargetResource Write-Verbose -Message "ServicePrincipalID: $($currentAADServicePrincipal.ObjectID)" $currentParameters.Remove('AppRoleAssignedTo') | Out-Null $currentParameters.Remove('Owners') | Out-Null + $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters if ($AppRoleAssignedTo) 
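Review bot: The new block in the create path writes `if(...){` and `foreach (...){` with the brace on the same line and no space after `if`, while the rest of this file puts braces on their own lines; match the surrounding style. The POST also looks the service principal up again by appId even though the object just created is in `$newSP`, so `$newSP.Id` can be used directly, avoiding the extra round trip and the interpolated filter. The enclosing branch continues outside the hunk.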
@@ -546,6 +579,26 @@ function Set-TargetResource -DirectoryObjectId $userInfo.Id | Out-Null } } + + Write-Verbose -Message "Checking if DelegatedPermissionClassifications need to be updated..." + + if ($null -ne $DelegatedPermissionClassifications) + { + # removing old perm classifications + $permissionClassificationList = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Get + foreach($permissionClassification in $permissionClassificationList.Value){ + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications/$($permissionClassification.Id)" -Method Delete + } + + # adding new perm classifications + foreach ($permissionClassification in $DelegatedPermissionClassifications){ + $params = @{ + classification = $permissionClassification.Classification + permissionName = $permissionClassification.permissionName + } + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params + } + } } # ServicePrincipal exists but should not elseif ($Ensure -eq 'Absent' -and $currentAADServicePrincipal.Ensure -eq 'Present') @@ -589,6 +642,10 @@ function Test-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DelegatedPermissionClassifications, + [Parameter()] [System.String] $ErrorUrl, 
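Review bot: The update path deletes every existing classification and then re-creates the desired ones, so an error part-way through the POST loop leaves the service principal with fewer classifications than before Set ran, and every run emits delete/create audit events even when nothing changed. Compare existing and desired entries by `PermissionName`/`Classification` and only remove or add the difference, as below; the CIM instances in `$DelegatedPermissionClassifications` expose the same two properties the hunk already reads. The sketch also replaces the three hard-coded `graph.microsoft.com` URIs with SDK calls against `$currentAADServicePrincipal.ObjectID`, which the context at `@@ -434` shows is in scope. The enclosing `elseif` branch starts outside the hunk.
```powershell
    Write-Verbose -Message "Checking if DelegatedPermissionClassifications need to be updated..."

    if ($null -ne $DelegatedPermissionClassifications)
    {
        $spId = $currentAADServicePrincipal.ObjectID
        $existing = Get-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $spId

        # Remove only what is no longer desired, so a failure part-way through
        # never leaves the principal with fewer classifications than before.
        foreach ($current in $existing)
        {
            $keep = $DelegatedPermissionClassifications | Where-Object -FilterScript {
                $_.PermissionName -eq $current.PermissionName -and $_.Classification -eq $current.Classification
            }
            if ($null -eq $keep)
            {
                Write-Verbose -Message "Removing classification {$($current.PermissionName)}"
                Remove-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $spId `
                    -DelegatedPermissionClassificationId $current.Id
            }
        }

        # Add only what is missing; unchanged entries produce no write.
        foreach ($desired in $DelegatedPermissionClassifications)
        {
            $present = $existing | Where-Object -FilterScript {
                $_.PermissionName -eq $desired.PermissionName -and $_.Classification -eq $desired.Classification
            }
            if ($null -eq $present)
            {
                Write-Verbose -Message "Adding classification {$($desired.PermissionName)}"
                New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $spId `
                    -PermissionName $desired.PermissionName -Classification $desired.Classification
            }
        }
    }
```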
@@ -677,21 +734,48 @@ function Test-TargetResource Write-Verbose -Message 'Testing configuration of Azure AD ServicePrincipal' + $testTargetResource = $true $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - $ValuesToCheck = $PSBoundParameters - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys ` + -IncludedDrifts $driftedParams + + if(-not $TestResult) + { + $testTargetResource = $false + } - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testTargetResource" - return $TestResult + return $testTargetResource } function Export-TargetResource 
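Review bot: `-IncludedDrifts $driftedParams` passes a variable that nothing in the hunk assigns, so it is always `$null` (and an error under `Set-StrictMode`); either initialise `$driftedParams = @()` before the loop and append `$key` where `$testTargetResource` is set to `$false`, or drop the argument. In that failure branch the key is also left in `$ValuesToCheck`, so `Test-M365DSCParameterState` re-compares the CimInstance array with its generic logic after the dedicated comparison already reported drift; moving `$ValuesToCheck.Remove($key) | Out-Null` above the `if` keeps the two checks from overlapping. The `else {` on one line differs from the Allman braces used elsewhere in the function.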
@@ -785,6 +869,10 @@ function Export-TargetResource { $Results.AppRoleAssignedTo = Get-M365DSCAzureADServicePrincipalAssignmentAsString -Assignments $Results.AppRoleAssignedTo } + if ($Results.DelegatedPermissionClassifications.Count -gt 0) + { + $Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications + } $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` @@ -795,6 +883,11 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` -ParameterName 'AppRoleAssignedTo' } + if ($null -ne $Results.DelegatedPermissionClassifications) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DelegatedPermissionClassifications' + } $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName @@ -841,4 +934,26 @@ function Get-M365DSCAzureADServicePrincipalAssignmentAsString return $StringContent } +function Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $PermissionClassifications + ) + + $StringContent = "@(`r`n" + foreach ($permissionClassification in $PermissionClassifications) + { + $StringContent += " MSFT_AADServicePrincipalDelegatedPermissionClassification {`r`n" + $StringContent += " Classification = '" + $PermissionClassification.Classification + "'`r`n" + $StringContent += " PermissionName = '" + $PermissionClassification.PermissionName + "'`r`n" + $StringContent += " }`r`n" + } + $StringContent += ' )' + return $StringContent +} + Export-ModuleMember -Function *-TargetResource 
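Review bot: The two new guards in Export-TargetResource disagree: the first converts `DelegatedPermissionClassifications` to its DSC string form only when `.Count -gt 0`, but the one at `@@ -795` calls `Convert-DSCStringParamToVariable` whenever the value is not `$null`, and Get-TargetResource returns an `[Array]` for this property whether or not anything was found. With no classifications the second branch therefore runs on an unconverted empty array; use the same `.Count -gt 0` test in both places, or remove the property from `$Results` when it is empty so the export omits it. Export-TargetResource's body continues outside both hunks.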
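Review bot: Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications writes `Classification` and `PermissionName` into single-quoted DSC string literals without escaping, so a value containing `'` yields a configuration that fails to parse, and because permission names originate from the application's own manifest the exported file's contents are partly controlled by whoever owns that application. Wrap each property as `($PermissionClassification.PermissionName -replace "'", "''")` (and likewise for `Classification`) before concatenating; the sibling `Get-M365DSCAzureADServicePrincipalAssignmentAsString` above it is worth checking for the same gap. The `[System.Collections.ArrayList]` parameter type also forces a conversion from the `[Array]` the caller passes — `[Array]` would accept it as is.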
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof index 3d4c507c12..717b2e569f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof @@ -5,6 +5,13 @@ class MSFT_AADServicePrincipalRoleAssignment [Write, Description("Unique identity representing the principal.")] String Identity; }; +[ClassVersion("1.0.0")] +class MSFT_AADServicePrincipalDelegatedPermissionClassification +{ + [Write, Description("Classification of the delegated permission"), ValueMap{"low", "medium", "high"}, Values{"low", "medium", "high"}] String Classification; + [Write, Description("Name of the permission")] String PermissionName; +}; + [ClassVersion("1.0.0.0"), FriendlyName("AADServicePrincipal")] class MSFT_AADServicePrincipal : OMI_BaseResource { 
@@ -25,6 +32,8 @@ class MSFT_AADServicePrincipal : OMI_BaseResource [Write, Description("Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal.")] String ServicePrincipalNames[]; [Write, Description("The type of the service principal.")] String ServicePrincipalType; [Write, Description("Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp}")] String Tags[]; + [Write, Description("The permission classifications for delegated permissions exposed by the app that this service principal represents."), EmbeddedInstance("MSFT_AADServicePrincipalDelegatedPermissionClassification")] String DelegatedPermissionClassifications[]; + [Write, Description("Specify if the Azure AD App should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 index 1f9df20d61..1af5a2f77b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1 
@@ -477,8 +477,8 @@ function Export-TargetResource { $Script:ExportMode = $true - $profile = Invoke-M365DSCAzureDevOPSWebRequest -Uri 'https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=5.1' - $accounts = Invoke-M365DSCAzureDevOPSWebRequest -Uri "https://app.vssps.visualstudio.com/_apis/accounts?api-version=7.1-preview.1&memberId=$($profile.id)" + $profileValue = Invoke-M365DSCAzureDevOPSWebRequest -Uri 'https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=5.1' + $accounts = Invoke-M365DSCAzureDevOPSWebRequest -Uri "https://app.vssps.visualstudio.com/_apis/accounts?api-version=7.1-preview.1&memberId=$($profileValue.id)" $i = 1 $dscContent = '' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/MSFT_ADOPermissionGroupSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/MSFT_ADOPermissionGroupSettings.psm1 new file mode 100644 index 0000000000..c405642904 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/MSFT_ADOPermissionGroupSettings.psm1 
@@ -0,0 +1,680 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $GroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $OrganizationName, + + [Parameter()] + [System.String] + $Descriptor, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $AllowPermissions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DenyPermissions, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'AzureDevOPS' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($Descriptor)) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.descriptor -eq $Descriptor} + } + + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.principalName -eq $PrincipalName} + } + } + else + { + $uri = "https://vssps.dev.azure.com/$OrganizationName/_apis/graph/groups?api-version=7.1-preview.1" + $allInstances = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).value + if (-not [System.String]::IsNullOrEmpty($Descriptor)) + { + $instance = $allInstances | Where-Object -FilterScript {$_.descriptor -eq $Descriptor} + } + if ($null -eq $instance) + { + $instance = $allInstances | Where-Object -FilterScript {$_.principalName -eq $PrincipalName} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $groupPermissions = Get-M365DSCADOGroupPermission -GroupName $instance.principalName -OrganizationName $OrganizationName + + $results = @{ + OrganizationName = $OrganizationName + GroupName = $instance.principalName + Descriptor = $instance.Descriptor + AllowPermissions = $groupPermissions.Allow + DenyPermissions = $groupPermissions.Deny + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 
'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $GroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $OrganizationName, + + [Parameter()] + [System.String] + $Descriptor, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $AllowPermissions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DenyPermissions, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $uri = "https://vssps.dev.azure.com/$($OrganizationName)/_apis/identities?subjectDescriptors=$($currentInstance.Descriptor)&api-version=7.2-preview.1" + $info = Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri + $descriptor = $info.value.descriptor + + # Get all Namespaces from the Allow and Deny + $namespacesToUpdate = @() + foreach ($namespace in $AllowPermissions) + { + if ($namespacesToUpdate.Length -eq 0 -or -not $namespacesToUpdate.NameSpaceId.Contains($namespace.namespaceId)) + { + $namespacesToUpdate += $namespace + } + } + foreach ($namespace in $DenyPermissions) + { + if ($namespacesToUpdate.Length -eq 0 -or -not $namespacesToUpdate.NameSpaceId.Contains($namespace.namespaceId)) + { + $namespacesToUpdate += $namespace + } + } + + foreach ($namespace in $namespacesToUpdate) + { + $allowPermissionValue = 0 + $denyPermissionValue = 0 + $allowPermissionsEntries = $AllowPermissions | Where-Object -FilterScript {$_.NamespaceId -eq $namespace.namespaceId} + foreach ($entry in $allowPermissionsEntries) + { + $allowPermissionValue += [Uint32]::Parse($entry.Bit) + } + + $denyPermissionsEntries = $DenyPermissions | Where-Object -FilterScript {$_.NamespaceId -eq $namespace.namespaceId} + foreach ($entry in $denyPermissionsEntries) + { + $denyPermissionValue += [Uint32]::Parse($entry.Bit) + } + + $updateParams = @{ + merge = $false + token = $namespace.token + accessControlEntries = @( + @{ + descriptor = $descriptor + allow = $allowPermissionValue + deny = $denyPermissionValue + extendedInfo = @{} + } + ) + } + $uri = 
"https://dev.azure.com/$($OrganizationName)/_apis/accesscontrolentries/$($namespace.namespaceId)?api-version=7.1" + $body = ConvertTo-Json $updateParams -Depth 10 -Compress + Write-Verbose -Message "Updating with payload:`r`n$body" + Invoke-M365DSCAzureDevOPSWebRequest -Method POST ` + -Uri $uri ` + -Body $body ` + -ContentType 'application/json' + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $GroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $OrganizationName, + + [Parameter()] + [System.String] + $Descriptor, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $AllowPermissions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DenyPermissions, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + # Evaluate Permissions + $testResult = $true + foreach ($permission in $AllowPermissions) + { + $instance = $CurrentValues.AllowPermissions | Where-Object -FilterScript {$_.Token -eq $permission.Token -and ` + $_.DisplayName -eq $permission.DisplayName -and ` + $_.Bit -eq $permission.Bit -and ` + $_.NamespaceId -eq $permission.NamespaceId} + if ($null -eq $instance) + { + $testResult = $false + Write-Verbose -Message "Drift detected in AllowPermission: {$($permission.DisplayName)}" + } + } + + foreach ($permission in $DenyPermissions) + { + $instance = $CurrentValues.DenyPermissions | Where-Object -FilterScript {$_.Token -eq $permission.Token -and ` + $_.DisplayName -eq $permission.DisplayName -and ` + $_.Bit -eq $permission.Bit -and ` + $_.NamespaceId -eq $permission.NamespaceId} + if ($null -eq $instance) + { + $testResult = $false + Write-Verbose -Message "Drift detected in DenyPermission: {$($permission.DisplayName)}" + } + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $ValuesToCheck.Remove('AllowPermissions') | Out-Null + $ValuesToCheck.Remove('DenyPermissions') | Out-Null + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message 
"Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + $ConnectionMode = New-M365DSCConnection -Workload 'AzureDevOPS' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + + $profileValue = Invoke-M365DSCAzureDevOPSWebRequest -Uri 'https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=5.1' + $accounts = Invoke-M365DSCAzureDevOPSWebRequest -Uri "https://app.vssps.visualstudio.com/_apis/accounts?api-version=7.1-preview.1&memberId=$($profileValue.id)" + + $i = 1 + $dscContent = '' + if ($accounts.count -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + return '' + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($account in $accounts) + { + $organization = $account.Value.accountName + $uri = "https://vssps.dev.azure.com/$organization/_apis/graph/groups?api-version=7.1-preview.1" + + [array] $Script:exportedInstances = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value + + $i = 1 + $dscContent = '' + if 
($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.principalName + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + OrganizationName = $Organization + GroupName = $config.principalName + Descriptor = $config.descriptor + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + if (-not $config.principalName.StartsWith("[TEAM FOUNDATION]")) + { + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($results.AllowPermissions.Length -gt 0) + { + $Results.AllowPermissions = Get-M365DSCADOPermissionsAsString $Results.AllowPermissions + } + + if ($results.DenyPermissions.Length -gt 0) + { + $Results.DenyPermissions = Get-M365DSCADOPermissionsAsString $Results.DenyPermissions + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($null -ne $Results.AllowPermissions) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'AllowPermissions' + } + if ($null -ne $Results.DenyPermissions) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DenyPermissions' + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + } + $i++ + Write-Host 
$Global:M365DSCEmojiGreenCheckMark + } + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +function Get-M365DSCADOGroupPermission +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param( + [Parameter(Mandatory = $true)] + [System.String] + $GroupName, + + [Parameter(Mandatory = $true)] + [System.String] + $OrganizationName + ) + + $results = @{ + Allow = @() + Deny = @() + } + + try + { + $uri = "https://vssps.dev.azure.com/$($OrganizationName)/_apis/graph/groups?api-version=7.1-preview.1" + $groupInfo = Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri + $mygroup = $groupInfo.value | Where-Object -FilterScript {$_.principalName -eq $GroupName} + + $uri = "https://vssps.dev.azure.com/$($OrganizationName)/_apis/identities?subjectDescriptors=$($mygroup.descriptor)&api-version=7.2-preview.1" + $info = Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri + $descriptor = $info.value.descriptor + + $uri = "https://dev.azure.com/$($OrganizationName)/_apis/securitynamespaces?api-version=7.1-preview.1" + $responseSecurity = Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri + $securityNamespaces = $responseSecurity.Value + + foreach ($namespace in $securityNamespaces) + { + $uri = "https://dev.azure.com/$($OrganizationName)/_apis/accesscontrollists/$($namespace.namespaceId)?api-version=7.2-preview.1" + $response = Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri + + foreach ($entry in $response.value) + { + $token = $entry.token + foreach ($ace in $entry.acesDictionary) + { + if ($ace.$descriptor) + { + $allow = $ace.$descriptor.Allow + $allowBinary = [Convert]::ToString($allow, 2) + + $deny = $ace.$descriptor.Deny + $denyBinary = [Convert]::ToString($deny, 2) + + # Breakdown the allow bits + $position = -1 + $bitMaskPositionsFound = @() + do + { + 
$position = $allowBinary.IndexOf('1', $position + 1) + if ($position -ge 0) + { + $zerosToAdd = $allowBinary.Length - $position - 1 + $value = '1' + for ($i = 1; $i -le $zerosToAdd; $i++) + { + $value += '0' + } + + $bitMaskPositionsFound += $value + } + } while($position -ge 0 -and ($position+1) -le $allowBinary.Length) + + foreach ($bitmask in $bitMaskPositionsFound) + { + $associatedAction = $namespace.actions | Where-Object -FilterScript {[Convert]::ToString($_.bit,2) -eq $bitmask} + if (-not [System.String]::IsNullOrEmpty($associatedAction.displayName)) + { + $entry = @{ + DisplayName = $associatedAction.displayName + Bit = $associatedAction.bit + NamespaceId = $namespace.namespaceId + Token = $token + } + $results.Allow += $entry + } + } + + # Breakdown the deny bits + $position = -1 + $bitMaskPositionsFound = @() + do + { + $position = $denyBinary.IndexOf('1', $position + 1) + if ($position -ge 0) + { + $zerosToAdd = $denyBinary.Length - $position - 1 + $value = '1' + for ($i = 1; $i -le $zerosToAdd; $i++) + { + $value += '0' + } + + $bitMaskPositionsFound += $value + } + } while($position -ge 0 -and ($position+1) -le $denyBinary.Length) + + foreach ($bitmask in $bitMaskPositionsFound) + { + $associatedAction = $namespace.actions | Where-Object -FilterScript {[Convert]::ToString($_.bit,2) -eq $bitmask} + if (-not [System.String]::IsNullOrEmpty($associatedAction.displayName)) + { + $entry = @{ + DisplayName = $associatedAction.displayName + Bit = $associatedAction.bit + NamespaceId = $namespace.namespaceId + Token = $token + } + $results.Deny += $entry + } + } + } + } + } + } + } + catch + { + throw $_ + } + return $results +} + +function Get-M365DSCADOPermissionsAsString +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $Permissions + ) + + $StringContent = [System.Text.StringBuilder]::new() + $StringContent.Append('@(') | Out-Null + foreach ($permission in $Permissions) + { + 
$StringContent.Append(" MSFT_ADOPermission { `r`n") | Out-Null + $StringContent.Append(" NamespaceId = '$($permission.NamespaceId)'`r`n") | Out-Null + $StringContent.Append(" DisplayName = '$($permission.DisplayName.Replace("'", "''"))'`r`n") | Out-Null + $StringContent.Append(" Bit = '$($permission.Bit)'`r`n") | Out-Null + $StringContent.Append(" Token = '$($permission.Token)'`r`n") | Out-Null + $StringContent.Append(" }`r`n") | Out-Null + } + $StringContent.Append(' )') | Out-Null + return $StringContent.ToString() +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/MSFT_ADOPermissionGroupSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/MSFT_ADOPermissionGroupSettings.schema.mof new file mode 100644 index 0000000000..e4c33762cb --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/MSFT_ADOPermissionGroupSettings.schema.mof 
@@ -0,0 +1,25 @@
+[ClassVersion("1.0.0")]
+class MSFT_ADOPermission
+{
+ [Write, Description("Id of the associate security namespace.")] String NamespaceId;
+ [Write, Description("Display name of the permission scope.")] String DisplayName;
+ [Write, Description("Bit mask for the permission")] UInt32 Bit;
+ [Write, Description("Token value")] String Token;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("ADOPermissionGroupSettings")]
+class MSFT_ADOPermissionGroupSettings : OMI_BaseResource
+{
+ [Key, Description("Name of the group.")] String GroupName;
+ [Write, Description("Name of the DevOPS Organization.")] String OrganizationName;
+ [Write, Description("Descriptor for the group.")] String Descriptor;
+ [Write, Description("Allow permissions."), EmbeddedInstance("MSFT_ADOPermission")] string AllowPermissions[];
+ [Write, Description("Deny permissions"), EmbeddedInstance("MSFT_ADOPermission")] string DenyPermissions[];
+
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/readme.md
new file mode 100644
index 0000000000..5cb632a8b1
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/readme.md
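Review bot: OrganizationName is declared `[Write]` in this schema, yet Set-TargetResource and Test-TargetResource in the psm1 hunk above declare `$OrganizationName` with `Mandatory = $true`, so the schema advertises the property as optional while the resource fails at runtime when it is omitted. Either mark it `[Required, Description("Name of the DevOPS Organization.")] String OrganizationName;` or, since a group's principalName is only unique within an organization, make it a second `[Key]` so the same group name in two organizations is not collapsed into one instance. `Bit` is typed `UInt32` here while Get-M365DSCADOPermissionsAsString exports it as a quoted string (`Bit = '...'`) and Set-TargetResource re-parses it with `[Uint32]::Parse($entry.Bit)`; presumably the DSC compiler coerces the literal, but a non-numeric value will only surface as a failure inside Set rather than at compile time, which is worth a comment on the property.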
@@ -0,0 +1,6 @@
+
+# ADOPermissionGroupSettings
+
+## Description
+
+Manages permissions in Azure DevOPS.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/settings.json
new file mode 100644
index 0000000000..6509ef6453
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroupSettings/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "ADOPermissionGroupSettings",
+ "description": "Manages permissions in Azure DevOPS.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.psm1
new file mode 100644
index 0000000000..81087e37ee
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.psm1
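Review bot: Every `roles` and `permissions` array in this settings.json is empty, so the new resource declares nothing about what the calling identity needs in order to read or rewrite Azure DevOps group ACLs, and the EXOATPBuiltInProtectionRule settings.json later in this commit (its `@@ -0,0 +1,20 @@` hunk) has the same empty lists. This file is presumably what the module's permission-reporting tooling consumes, so an empty array reads as "nothing required" rather than "not yet determined", which undercuts least-privilege setup for operators. The ADO resource also talks to the vssps.dev.azure.com and dev.azure.com REST endpoints rather than Graph, so the `graph` block may not be the right place at all; if the required Azure DevOps scopes are not known yet, state that in the readme instead of shipping silent empty lists.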
@@ -0,0 +1,378 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $Comments, + + [Parameter()] + [System.String[]] + $ExceptIfRecipientDomainIs, + + [Parameter()] + [System.String[]] + $ExceptIfSentTo, + + [Parameter()] + [System.String[]] + $ExceptIfSentToMemberOf, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $instance = Get-ATPBuiltInProtectionRule -Identity $Id -ErrorAction SilentlyContinue + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + Identity = $instance.Identity + ExceptIfRecipientDomainIs = [Array]$instance.ExceptIfRecipientDomainIs + ExceptIfSentTo = [Array]$instance.ExceptIfSentTo + ExceptIfSentToMemberOf = [Array]$instance.ExceptIfSentToMemberOf + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + 
} + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $Comments, + + [Parameter()] + [System.String[]] + $ExceptIfRecipientDomainIs, + + [Parameter()] + [System.String[]] + $ExceptIfSentTo, + + [Parameter()] + [System.String[]] + $ExceptIfSentToMemberOf, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + Write-Verbose -Message "Updating ATP Built-In Protection Rule {$Identity}" + Set-ATPBuiltInProtectionRule @setParameters +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.String] + $Comments, + + [Parameter()] + [System.String[]] + $ExceptIfRecipientDomainIs, + + [Parameter()] + [System.String[]] + $ExceptIfSentTo, + + [Parameter()] + [System.String[]] + $ExceptIfSentToMemberOf, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + ##TODO - Replace workload + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-ATPBuiltInProtectionRule -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Identity = $config.Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + 
+ return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.schema.mof new file mode 100644 index 0000000000..eaec047205 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.schema.mof 
@@ -0,0 +1,17 @@
+[ClassVersion("1.0.0.0"), FriendlyName("EXOATPBuiltInProtectionRule")]
+class MSFT_EXOATPBuiltInProtectionRule : OMI_BaseResource
+{
+ [Key, Description("The Identity parameter specifies the rule that you want to modify. You can use any value that uniquely identifies the rule. ")] String Identity;
+ [Write, Description("The Comments parameter specifies informative comments for the rule, such as what the rule is used for or how it has changed over time. The length of the comment can't exceed 1024 characters.")] String Comments;
+ [Write, Description("The ExceptIfRecipientDomainIs parameter specifies an exception that looks for recipients with email addresses in the specified domains. You can specify multiple domains separated by commas.")] String ExceptIfRecipientDomainIs[];
+ [Write, Description("The ExceptIfSentTo parameter specifies an exception that looks for recipients in messages. You can use any value that uniquely identifies the recipient.")] String ExceptIfSentTo[];
+ [Write, Description("The ExceptIfSentToMemberOf parameter specifies an exception that looks for messages sent to members of groups. 
You can use any value that uniquely identifies the group.")] String ExceptIfSentToMemberOf[];
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/readme.md
new file mode 100644
index 0000000000..8d9c4188eb
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/readme.md
@@ -0,0 +1,6 @@
+
+# EXOATPBuiltInProtectionRule
+
+## Description
+
+Configures Defender ATP built-in protection rules.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/settings.json
new file mode 100644
index 0000000000..7ab1550394
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/settings.json
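Review bot: The Ensure description promises that `Absent` removes the rule, but Set-TargetResource in the psm1 hunk above never branches on `$Ensure` and only calls `Set-ATPBuiltInProtectionRule`, so a configuration declaring `Ensure = 'Absent'` would either fail on the unrecognised splatted parameter or be applied as an update, never a removal. Nothing in this commit calls a removal cmdlet, which suggests the built-in protection rule is not deletable; if so, the schema should say that rather than advertise a state the resource cannot reach, e.g. `[Write, Description("Only 'Present' is supported; the built-in protection rule cannot be removed."), ValueMap{"Present"}, Values{"Present"}] string Ensure;`. The Identity description also carries a trailing space before the closing quote (`the rule. ")`), which will be copied into generated documentation.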
@@ -0,0 +1,20 @@
+{
+ "resourceName": "EXOATPBuiltInProtectionRule",
+ "description": "Configures Defender ATP built-in protection rules.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/MSFT_EXOMigrationEndpoint.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/MSFT_EXOMigrationEndpoint.psm1
new file mode 100644
index 0000000000..8e8ef54b1a
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/MSFT_EXOMigrationEndpoint.psm1
@@ -0,0 +1,603 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AcceptUntrustedCertificates, + + [Parameter()] + [System.String] + $AppID, + + [Parameter()] + [System.String] + $AppSecretKeyVaultUrl, + + [Parameter()] + [System.String] + $Authentication, + + [Parameter()] + [ValidateSet('IMAP')] + [System.String] + $EndpointType, + + [Parameter()] + [System.String] + $ExchangeServer, + + [Parameter()] + [System.String] + $MailboxPermission, + + [Parameter()] + [System.String] + $MaxConcurrentIncrementalSyncs, + + [Parameter()] + [System.String] + $MaxConcurrentMigrations, + + [Parameter()] + [System.String] + $NspiServer, + + [Parameter()] + [System.String] + $Port, + + [Parameter()] + [System.String] + $RemoteServer, + + [Parameter()] + [System.String] + $RemoteTenant, + + [Parameter()] + [System.String] + $RpcProxyServer, + + [Parameter()] + [ValidateSet('None', 'Tls', 'Ssl')] + [System.String] + $Security, + + [Parameter()] + [System.String] + $SourceMailboxLegacyDN, + + [Parameter()] + [System.String] + $UseAutoDiscover, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $migrationEndpoint = $Script:exportedInstances | Where-Object -FilterScript {$_.Identity -eq $Identity} + } + else + { + $migrationEndpoint = Get-MigrationEndpoint -Identity $Identity -ErrorAction Stop + } + if ($null -eq $migrationEndpoint) + { + return $nullResult + } + + $results = @{ + Identity = $Identity + AcceptUntrustedCertificates = $migrationEndpoint.AcceptUntrustedCertificates + AppID = $migrationEndpoint.AppID + AppSecretKeyVaultUrl = $migrationEndpoint.AppSecretKeyVaultUrl + Authentication = $migrationEndpoint.Authentication + EndpointType = $migrationEndpoint.EndpointType + ExchangeServer = $migrationEndpoint.ExchangeServer + MailboxPermission = $migrationEndpoint.MailboxPermission + MaxConcurrentIncrementalSyncs = $migrationEndpoint.MaxConcurrentIncrementalSyncs + MaxConcurrentMigrations = $migrationEndpoint.MaxConcurrentMigrations + NspiServer = $migrationEndpoint.NspiServer + Port = $migrationEndpoint.Port + RemoteServer = $migrationEndpoint.RemoteServer + RemoteTenant = $migrationEndpoint.RemoteTenant + RpcProxyServer = $migrationEndpoint.RpcProxyServer + Security = $migrationEndpoint.Security + SourceMailboxLegacyDN = $migrationEndpoint.SourceMailboxLegacyDN + UseAutoDiscover = $migrationEndpoint.UseAutoDiscover + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + 
return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AcceptUntrustedCertificates, + + [Parameter()] + [System.String] + $AppID, + + [Parameter()] + [System.String] + $AppSecretKeyVaultUrl, + + [Parameter()] + [System.String] + $Authentication, + + [Parameter()] + [ValidateSet('IMAP')] + [System.String] + $EndpointType, + + [Parameter()] + [System.String] + $ExchangeServer, + + [Parameter()] + [System.String] + $MailboxPermission, + + [Parameter()] + [System.String] + $MaxConcurrentIncrementalSyncs, + + [Parameter()] + [System.String] + $MaxConcurrentMigrations, + + [Parameter()] + [System.String] + $NspiServer, + + [Parameter()] + [System.String] + $Port, + + [Parameter()] + [System.String] + $RemoteServer, + + [Parameter()] + [System.String] + $RemoteTenant, + + [Parameter()] + [System.String] + $RpcProxyServer, + + [Parameter()] + [ValidateSet('None', 'Tls', 'Ssl')] + [System.String] + $Security, + + [Parameter()] + [System.String] + $SourceMailboxLegacyDN, + + [Parameter()] + [System.String] + $UseAutoDiscover, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParams = [System.Collections.Hashtable]($PSBoundParameters) + $setParams = Remove-M365DSCAuthenticationParameter -BoundParameters $setParams + $setParams.Remove('RemoteTenant') + $setParams.Remove('EndpointType') + $setParams.Remove('UseAutoDiscover') + $setParams.Add('Confirm', $false) + + $newParams = [System.Collections.Hashtable]($PSBoundParameters) + $newParams = Remove-M365DSCAuthenticationParameter -BoundParameters $newParams + $newParams.Remove('EndpointType') + $newParams.Remove('Identity') + $newParams.Add('Name', $Identity) + $newParams.Add('Confirm', [Switch]$false) + + if ($EndpointType -eq "IMAP") + { + # Removing mailbox permission parameter as this is valid only for outlook anywhere migration + $setParams.Remove('MailboxPermission') + $newParams.Remove('MailboxPermission') + + # adding skip verification switch to skip verifying + # that the remote server is reachable when creating a migration endpoint. 
+ $setParams.Add('SkipVerification', [Switch]$true) + $newParams.Add('SkipVerification', [Switch]$true) + + $newParams.Add('IMAP', [Switch]$true) + } + + # add the logic for other endpoint types ('Exchange Remote', 'Outlook Anywhere', 'Google Workspace') + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + New-MigrationEndpoint @newParams + } + # UPDATE + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Set-MigrationEndpoint @setParams + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-MigrationEndpoint -Identity $Identity + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $Identity, + + [Parameter()] + [System.Boolean] + $AcceptUntrustedCertificates, + + [Parameter()] + [System.String] + $AppID, + + [Parameter()] + [System.String] + $AppSecretKeyVaultUrl, + + [Parameter()] + [System.String] + $Authentication, + + [Parameter()] + [ValidateSet('IMAP')] + [System.String] + $EndpointType, + + [Parameter()] + [System.String] + $ExchangeServer, + + [Parameter()] + [System.String] + $MailboxPermission, + + [Parameter()] + [System.String] + $MaxConcurrentIncrementalSyncs, + + [Parameter()] + [System.String] + $MaxConcurrentMigrations, + + [Parameter()] + [System.String] + $NspiServer, + + [Parameter()] + [System.String] + $Port, + + [Parameter()] + [System.String] + $RemoteServer, + + [Parameter()] + [System.String] + $RemoteTenant, + + [Parameter()] + [System.String] + $RpcProxyServer, + + [Parameter()] + [ValidateSet('None', 'Tls', 'Ssl')] + [System.String] + $Security, + + [Parameter()] + [System.String] + $SourceMailboxLegacyDN, + + [Parameter()] + [System.String] + $UseAutoDiscover, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + 
$Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'ExchangeOnline' ` + -InboundParameters $PSBoundParameters + + 
#Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MigrationEndpoint -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Identity + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + Identity = $config.Identity + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember 
-Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/MSFT_EXOMigrationEndpoint.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/MSFT_EXOMigrationEndpoint.schema.mof new file mode 100644 index 0000000000..6f6e4c9692 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/MSFT_EXOMigrationEndpoint.schema.mof 
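Review bot: In Set-TargetResource the REMOVE branch calls `Remove-MigrationEndpoint -Identity $Identity` without suppressing confirmation, while both the create and update paths explicitly add `Confirm = $false` to their parameter sets; if the cmdlet prompts, as Exchange Remove-* cmdlets generally do, an LCM run cannot answer it, so the call should be `Remove-MigrationEndpoint -Identity $Identity -Confirm:$false`. The IMAP branch also adds `SkipVerification` unconditionally for both New- and Set-MigrationEndpoint, so a wrong RemoteServer/Port or rejected credentials are accepted silently and only surface when a batch later fails; the comment should say why verification is skipped (presumably so the configuration can be applied from a host that cannot reach the source server), or the switch should be exposed as a resource parameter defaulting to the current behaviour. Finally `$UseAutoDiscover` is typed `[System.String]` in all three functions but `Boolean` in the schema.mof, and it is kept in `$newParams`, so New-MigrationEndpoint would receive the string 'True'/'False' rather than a switch once the non-IMAP endpoint types the TODO comment mentions are added; changing the parameter to `[System.Boolean] $UseAutoDiscover` keeps it consistent with `AcceptUntrustedCertificates`.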
@@ -0,0 +1,30 @@
+[ClassVersion("1.0.0.0"), FriendlyName("EXOMigrationEndpoint")]
+class MSFT_EXOMigrationEndpoint : OMI_BaseResource
+{
+ [Key, Description("Identity of the migration endpoint.")] String Identity;
+ [Write, Description("Specifies whether to accept untrusted certificates.")] Boolean AcceptUntrustedCertificates;
+ [Write, Description("The Application ID used for authentication.")] String AppID;
+ [Write, Description("The URL of the Key Vault that stores the application secret.")] String AppSecretKeyVaultUrl;
+ [Write, Description("The authentication method for the migration endpoint.")] String Authentication;
+ [Write, Description("The type of migration endpoint."), ValueMap{"IMAP"}, Values{"IMAP"}] String EndpointType;
+ [Write, Description("The Exchange Server address for the migration endpoint.")] String ExchangeServer;
+ [Write, Description("The mailbox permission for the migration endpoint.")] String MailboxPermission;
+ [Write, Description("The maximum number of concurrent incremental syncs.")] String MaxConcurrentIncrementalSyncs;
+ [Write, Description("The maximum number of concurrent migrations.")] String MaxConcurrentMigrations;
+ [Write, Description("The NSPI server for the migration endpoint.")] String NspiServer;
+ [Write, Description("The port number for the migration endpoint.")] String Port;
+ [Write, Description("The remote server for the migration endpoint.")] String RemoteServer;
+ [Write, Description("The remote tenant for the migration endpoint.")] String RemoteTenant;
+ [Write, Description("The RPC proxy server for the migration endpoint.")] String RpcProxyServer;
+ [Write, Description("The security level for the migration endpoint."), ValueMap{"None", "Tls", "Ssl"}, Values{"None", "Tls", "Ssl"}] String Security;
+ [Write, Description("The legacy distinguished name of the source mailbox.")] String SourceMailboxLegacyDN;
+ [Write, Description("Specifies whether to use AutoDiscover.")] Boolean UseAutoDiscover;
+
+ [Write, 
Description("Specifies if the migration endpoint should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/readme.md
new file mode 100644
index 0000000000..a5d359017c
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/readme.md
@@ -0,0 +1,6 @@
+
+# EXOMigrationEndpoint
+
+## Description
+
+Use this resource to create and monitor migration endpoints in exchange.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/settings.json
new file mode 100644
index 0000000000..d223f925cd
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigrationEndpoint/settings.json
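Review bot: `Boolean UseAutoDiscover` here does not match the `[System.String] $UseAutoDiscover` parameter declared in MSFT_EXOMigrationEndpoint.psm1 for Get/Set/Test; DSC hands the resource a Boolean and PowerShell stringifies it, so the two declarations should agree, the way the `AcceptUntrustedCertificates` pair already does. The descriptions of `AcceptUntrustedCertificates` and `Security` also say nothing about the consequence of the permissive values, even though `$true` presumably disables certificate validation and `None` presumably means an unencrypted IMAP session for the connection over which the source mailbox credentials and mail travel. Suggest `Description("Specifies whether to accept untrusted certificates from the remote server. Enabling this disables certificate validation for the migration connection; use only for testing.")` and `Description("The transport security for the migration endpoint. None sends the IMAP session unencrypted; Tls or Ssl is recommended.")` so an operator reading the generated documentation sees the trade-off.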
@@ -0,0 +1,34 @@ +{ + "resourceName": "EXOMigrationEndpoint", + "description": "Use this resource to create and monitor migration endpoint in exchange", + "roles": { + "read": [ + "Global Reader" + ], + "update": [ + "Exchange Administrator" + ] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + }, + "exchange": { + "requiredroles": [ + "Recipient Policies", + "View-Only Recipients", + "Mail Recipient Creation", + "View-Only Configuration", + "Mail Recipients" + ], + "requiredrolegroups": "Organization Management" + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 index 467c65118e..510bddb1d7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 @@ -371,6 +371,9 @@ function Set-TargetResource $AccessTokens ) + Write-Warning -Message "The resource 'IntuneAccountProtectionPolicy' is deprecated. It will be removed in a future release. Please use 'IntuneAccountProtectionPolicyWindows10' instead." + Write-Warning -Message "For more information, please visit https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#consolidation-of-intune-profiles-for-identity-protection-and-account-protection-" + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters 
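Review bot: The two `Write-Warning` lines are added only inside Set-TargetResource, so anyone who exercises this resource solely through Test or Export (drift monitoring, Export-M365DSCConfiguration) will never see the deprecation notice; if the same lines are not also present in Get-TargetResource and Export-TargetResource, which are outside this hunk, consider emitting them there as well or once at module load. The anchor in the learn.microsoft.com URL ends with a dangling `-` (`...account-protection-`), which looks like a truncated heading slug and is worth checking before it ships in a user-facing warning. The rest of Set-TargetResource lies outside the hunk.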
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.psm1 new file mode 100644 index 0000000000..8f3496d87e --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.psm1 
@@ -0,0 +1,764 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Account Protection Policy for Windows10 with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Account Protection Policy for Windows10 with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Account Protection Policy for Windows10 with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings -ContainsDeviceAndUserSettings + + #region resource generator code + $complexDeviceSettings = @{} + if ($null -ne $policySettings.deviceSettings.lsaCfgFlags) + { + $complexDeviceSettings.Add('LsaCfgFlags', $policySettings.deviceSettings.lsaCfgFlags) + } + if ($null -ne $policySettings.deviceSettings.facialFeaturesUseEnhancedAntiSpoofing) + { + $complexDeviceSettings.Add('FacialFeaturesUseEnhancedAntiSpoofing', $policySettings.deviceSettings.facialFeaturesUseEnhancedAntiSpoofing) + } + if ($null -ne $policySettings.deviceSettings.enablePinRecovery) + { + $complexDeviceSettings.Add('EnablePinRecovery', $policySettings.deviceSettings.enablePinRecovery) + } + if ($null -ne $policySettings.deviceSettings.expiration) + { + $complexDeviceSettings.Add('Expiration', $policySettings.deviceSettings.expiration) + } + if ($null -ne $policySettings.deviceSettings.history) + { + $complexDeviceSettings.Add('History', $policySettings.deviceSettings.history) + } + if ($null -ne $policySettings.deviceSettings.lowercaseLetters) + { + $complexDeviceSettings.Add('LowercaseLetters', $policySettings.deviceSettings.lowercaseLetters) + } + if ($null -ne $policySettings.deviceSettings.maximumPINLength) + { + $complexDeviceSettings.Add('MaximumPINLength', $policySettings.deviceSettings.maximumPINLength) + } + if ($null -ne $policySettings.deviceSettings.minimumPINLength) + { + $complexDeviceSettings.Add('MinimumPINLength', 
$policySettings.deviceSettings.minimumPINLength) + } + if ($null -ne $policySettings.deviceSettings.specialCharacters) + { + $complexDeviceSettings.Add('SpecialCharacters', $policySettings.deviceSettings.specialCharacters) + } + if ($null -ne $policySettings.deviceSettings.uppercaseLetters) + { + $complexDeviceSettings.Add('UppercaseLetters', $policySettings.deviceSettings.uppercaseLetters) + } + if ($null -ne $policySettings.deviceSettings.requireSecurityDevice) + { + $complexDeviceSettings.Add('RequireSecurityDevice', $policySettings.deviceSettings.requireSecurityDevice) + } + if ($null -ne $policySettings.deviceSettings.useCertificateForOnPremAuth) + { + $complexDeviceSettings.Add('UseCertificateForOnPremAuth', $policySettings.deviceSettings.useCertificateForOnPremAuth) + } + if ($null -ne $policySettings.deviceSettings.usePassportForWork) + { + $complexDeviceSettings.Add('UsePassportForWork', $policySettings.deviceSettings.usePassportForWork) + } + if ($complexDeviceSettings.Values.Where({ $_ -ne $null }).Count -eq 0) + { + $complexDeviceSettings = $null + } + + $complexUserSettings = @{} + if ($null -ne $policySettings.userSettings.enablePinRecovery) + { + $complexUserSettings.Add('EnablePinRecovery', $policySettings.userSettings.enablePinRecovery) + } + if ($null -ne $policySettings.userSettings.expiration) + { + $complexUserSettings.Add('Expiration', $policySettings.userSettings.expiration) + } + if ($null -ne $policySettings.userSettings.history) + { + $complexUserSettings.Add('History', $policySettings.userSettings.history) + } + if ($null -ne $policySettings.userSettings.lowercaseLetters) + { + $complexUserSettings.Add('LowercaseLetters', $policySettings.userSettings.lowercaseLetters) + } + if ($null -ne $policySettings.userSettings.maximumPINLength) + { + $complexUserSettings.Add('MaximumPINLength', $policySettings.userSettings.maximumPINLength) + } + if ($null -ne $policySettings.userSettings.minimumPINLength) + { + 
$complexUserSettings.Add('MinimumPINLength', $policySettings.userSettings.minimumPINLength) + } + if ($null -ne $policySettings.userSettings.specialCharacters) + { + $complexUserSettings.Add('SpecialCharacters', $policySettings.userSettings.specialCharacters) + } + if ($null -ne $policySettings.userSettings.uppercaseLetters) + { + $complexUserSettings.Add('UppercaseLetters', $policySettings.userSettings.uppercaseLetters) + } + if ($null -ne $policySettings.userSettings.requireSecurityDevice) + { + $complexUserSettings.Add('RequireSecurityDevice', $policySettings.userSettings.requireSecurityDevice) + } + if ($null -ne $policySettings.userSettings.usePassportForWork) + { + $complexUserSettings.Add('UsePassportForWork', $policySettings.userSettings.usePassportForWork) + } + if ($complexUserSettings.Values.Where({ $_ -ne $null }).Count -eq 0) + { + $complexUserSettings = $null + } + + $policySettings.Remove('deviceSettings') | Out-Null + $policySettings.Remove('userSettings') | Out-Null + #endregion + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + DeviceSettings = $complexDeviceSettings + UserSettings = $complexUserSettings + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + 
New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = 'fcef01f2-439d-4c3f-9184-823fd6e97646_1' + $platforms = 'windows10' + $technologies = 'mdm' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Account Protection Policy for Windows10 with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId ` + -ContainsDeviceAndUserSettings + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Account Protection Policy for Windows10 with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + 
$settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId ` + -ContainsDeviceAndUserSettings + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Account Protection Policy for Windows10 with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + 
[System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Account Protection Policy for Windows10 with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + 
} + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "fcef01f2-439d-4c3f-9184-823fd6e97646_1" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.DeviceSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.DeviceSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10' + if (-not 
[String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.DeviceSettings = $complexTypeStringResult + } + else + { + $Results.Remove('DeviceSettings') | Out-Null + } + } + if ($null -ne $Results.UserSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.UserSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.UserSettings = $complexTypeStringResult + } + else + { + $Results.Remove('UserSettings') | Out-Null + } + } + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.DeviceSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "DeviceSettings" -IsCIMArray:$True + } + if ($Results.UserSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserSettings" -IsCIMArray:$True + } + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during 
Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.schema.mof
new file mode 100644
index 0000000000..47f1cc08cd
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.schema.mof
@@ -0,0 +1,63 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10
+{
+ [Write, Description("Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LsaCfgFlags;
+ [Write, Description("Facial Features Use Enhanced Anti Spoofing (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String FacialFeaturesUseEnhancedAntiSpoofing;
+ [Write, Description("Enable Pin Recovery (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String EnablePinRecovery;
+ [Write, Description("Expiration")] SInt32 Expiration;
+ [Write, Description("PIN History")] SInt32 History;
+ [Write, Description("Lowercase Letters (0: Allows the use of lowercase letters in PIN., 1: Requires the use of at least one lowercase letters in PIN., 2: Does not allow the use of lowercase letters in PIN.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LowercaseLetters;
+ [Write, Description("Maximum PIN Length")] SInt32 MaximumPINLength;
+ [Write, Description("Minimum PIN Length")] SInt32 MinimumPINLength;
+ [Write, Description("Special Characters (0: Allows the use of special characters in PIN., 1: Requires the use of at least one special characters in PIN., 2: Does not allow the use of special characters in PIN.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String SpecialCharacters;
+ [Write, Description("Uppercase Letters (0: Allows the use of uppercase letters in PIN., 1: Requires the use of at least one uppercase letters in PIN., 2: Does not allow the use of uppercase letters in PIN.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String UppercaseLetters;
+ [Write, Description("Require Security Device (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String RequireSecurityDevice;
+ [Write, Description("Use Certificate For On Prem Auth (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String UseCertificateForOnPremAuth;
+ [Write, Description("Use Windows Hello For Business (Device) (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String UsePassportForWork;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10
+{
+ [Write, Description("Enable Pin Recovery (User) (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String EnablePinRecovery;
+ [Write, Description("Expiration (User)")] SInt32 Expiration;
+ [Write, Description("PIN History (User)")] SInt32 History;
+ [Write, Description("Lowercase Letters (User) (0: Allows the use of lowercase letters in PIN., 1: Requires the use of at least one lowercase letters in PIN., 2: Does not allow the use of lowercase letters in PIN.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LowercaseLetters;
+ [Write, Description("Maximum PIN Length (User)")] SInt32 MaximumPINLength;
+ [Write, Description("Minimum PIN Length (User)")] SInt32 MinimumPINLength;
+ [Write, Description("Special Characters (User) (0: Allows the use of special characters in PIN., 1: Requires the use of at least one special characters in PIN., 2: Does not allow the use of special characters in PIN.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String SpecialCharacters;
+ [Write, Description("Uppercase Letters (User) (0: Allows the use of uppercase letters in PIN., 1: Requires the use of at least one uppercase letters in PIN., 2: Does not allow the use of uppercase letters in PIN.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String UppercaseLetters;
+ [Write, Description("Require Security Device (User) (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String RequireSecurityDevice;
+ [Write, Description("Use Windows Hello For Business (User) (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String UsePassportForWork;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneAccountProtectionPolicyWindows10")]
+class MSFT_IntuneAccountProtectionPolicyWindows10 : OMI_BaseResource
+{
+ [Write, Description("Policy description")] String Description;
+ [Key, Description("Policy name")] String DisplayName;
+ [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
+ [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("The policy settings for the device scope."), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10")] String DeviceSettings;
+ [Write, Description("The policy settings for the user scope"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10")] String UserSettings;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
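Review bot: `RoleScopeTagIds` is declared `Write` here, but the resource's Set-TargetResource earlier in this diff never sends it — the `$createParameters` hashtable handed to New-MgBetaDeviceManagementConfigurationPolicy holds only Name, Description, TemplateReference, Platforms, Technologies and Settings, and the Update-IntuneDeviceConfigurationPolicy call on the update path gets no scope-tag argument either (assuming that helper accepts one; its signature is not in view). Test-TargetResource, by contrast, compares every parameter except Id and the authentication set, and the sibling resource's Get-TargetResource further down returns the live value (presumably this one does the same), so a configuration that specifies scope tags will report drift on every run without ever converging. Scope tags are the Intune RBAC boundary for which admins can see and edit the policy, so silently dropping them is a least-privilege gap rather than a cosmetic one. Either add `RoleScopeTagIds = $RoleScopeTagIds` to `$createParameters` and pass it through on update, or change this description to state that the property is currently exported for reference only and not enforced.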
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/readme.md
new file mode 100644
index 0000000000..893c5522f1
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneAccountProtectionPolicyWindows10
+
+## Description
+
+Intune Account Protection Policy for Windows10
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json
new file mode 100644
index 0000000000..a20915a6b7
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/settings.json
@@ -0,0 +1,32 @@
+{
+ "resourceName":"IntuneAccountProtectionPolicyWindows10",
+ "description":"This resource configures an Intune Account Protection Policy for Windows10.",
+ "permissions":{
+ "graph":{
+ "delegated":{
+ "read":[
+ {
+ "name":"DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update":[
+ {
+ "name":"DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application":{
+ "read":[
+ {
+ "name":"DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update":[
+ {
+ "name":"DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.psm1
new file mode 100644
index 0000000000..01d7114e5a
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.psm1
@@ -0,0 +1,855 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + 
[Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune App And Browser Isolation Policy for Windows10 with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune App And Browser Isolation Policy for Windows10 with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune App And Browser Isolation Policy for Windows10 with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + 
[ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = '9f667e40-8f3c-4f88-80d8-457f16906315_1' + $platforms = 'windows10' + $technologies = 'mdm' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune App And Browser Isolation Policy for Windows10 with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 
'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune App And Browser Isolation Policy for Windows10 with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune App And Browser Isolation Policy for Windows10 with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + 
[System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + 
$ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune App And Browser Isolation Policy for Windows10 with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + 
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "9f667e40-8f3c-4f88-80d8-457f16906315_1" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + 
$Results.Remove('Assignments') | Out-Null
+ }
+ }
+
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+
+ if ($Results.Assignments)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true
+ }
+
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.schema.mof
new file mode 100644
index 0000000000..834c947e27
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.schema.mof
@@ -0,0 +1,48 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+
+
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneAppAndBrowserIsolationPolicyWindows10")]
+class MSFT_IntuneAppAndBrowserIsolationPolicyWindows10 : OMI_BaseResource
+{
+ [Write, Description("Policy description")] String Description;
+ [Key, Description("Policy name")] String DisplayName;
+ [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
+ [Write, Description("The unique identifier for an entity. 
Read-only.")] String Id;
+ [Write, Description("Turn on Microsoft Defender Application Guard (0: Disable Microsoft Defender Application Guard, 1: Enable Microsoft Defender Application Guard for Microsoft Edge ONLY, 2: Enable Microsoft Defender Application Guard for isolated Windows environments ONLY, 3: Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AllowWindowsDefenderApplicationGuard;
+ [Write, Description("Clipboard behavior settings (0: Completely turns Off the clipboard functionality for the Application Guard., 1: Turns On clipboard operation from an isolated session to the host., 2: Turns On clipboard operation from the host to an isolated session., 3: Turns On clipboard operation in both the directions.)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String ClipboardSettings;
+ [Write, Description("Allow files to download and save to the host operating system (0: The user cannot download files from Edge in the container to the host file system. 
When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow users to download files from Edge in the container to the host file system.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SaveFilesToHost;
+ [Write, Description("Install Windows defender application guard (install: Install)"), ValueMap{"install"}, Values{"install"}] String InstallWindowsDefenderApplicationGuard;
+ [Write, Description("Clipboard content options (1: Allow text copying., 2: Allow image copying., 3: Allow text and image copying.)"), ValueMap{"1", "2", "3"}, Values{"1", "2", "3"}] String ClipboardFileType;
+ [Write, Description("Allow data persistence (0: Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off., 1: Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowPersistence;
+ [Write, Description("Allow hardware-accelerated rendering (0: Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowVirtualGPU;
+ [Write, Description("Print Settings (0: Disables all print functionality., 1: Enables only XPS printing., 2: Enables only PDF printing., 4: Enables only local printing., 8: Enables only network printing.)"), ValueMap{"0", "1", "2", "4", "8"}, Values{"0", "1", "2", "4", "8"}] SInt32 PrintingSettings[];
+ [Write, Description("Allow camera and microphone access (0: Microsoft Defender Application Guard cannot access the device's camera and microphone. 
When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow Microsoft Defender Application Guard to access the device's camera and microphone.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowCameraMicrophoneRedirection;
+ [Write, Description("Audit Application Guard (0: Audit event logs aren't collected for Application Guard., 1: Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AuditApplicationGuard;
+ [Write, Description("Certificate Thumbprints")] String CertificateThumbprints[];
+ [Write, Description("Enterprise IP Range")] String EnterpriseIPRange[];
+ [Write, Description("Enterprise Cloud Resources")] String EnterpriseCloudResources[];
+ [Write, Description("Enterprise Network Domain Names")] String EnterpriseNetworkDomainNames[];
+ [Write, Description("Enterprise Proxy Servers")] String EnterpriseProxyServers[];
+ [Write, Description("Enterprise Internal Proxy Servers")] String EnterpriseInternalProxyServers[];
+ [Write, Description("Neutral Resources")] String NeutralResources[];
+ [Write, Description("Enterprise Proxy Servers Are Authoritative (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String EnterpriseProxyServersAreAuthoritative;
+ [Write, Description("Enterprise IP Ranges Are Authoritative (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String EnterpriseIPRangesAreAuthoritative;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id 
of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/readme.md
new file mode 100644
index 0000000000..311864ce6b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneAppAndBrowserIsolationPolicyWindows10
+
+## Description
+
+Intune App And Browser Isolation Policy for Windows10
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json
new file mode 100644
index 0000000000..fe0c097e79
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json
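Review bot: The descriptions on the network-isolation list properties near the end of the class only restate the property name, and `CertificateThumbprints` in particular differs by one letter from the `CertificateThumbprint` authentication parameter declared a few lines below, so the plural is the only hint to a configuration author about which one is the policy setting. I would give it a description that names the setting's effect and points away from the auth parameter, e.g. `[Write, Description("Thumbprints of host root certificates shared into the Application Guard container (policy setting; unrelated to the CertificateThumbprint authentication parameter).")] String CertificateThumbprints[];` — the container-sharing semantics is what the Application Guard CSP documents for a setting of this name as far as I can tell, so confirm before adopting the wording. `EnterpriseIPRange`, `EnterpriseCloudResources`, `EnterpriseNetworkDomainNames` and the proxy lists deserve the same treatment, since they presumably decide which destinations are treated as trusted enterprise resources and open outside the container; an author tuning an isolation policy should not have to read the CSP reference to learn that from the schema.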
@@ -0,0 +1,33 @@ +{ + "resourceName": "IntuneAppAndBrowserIsolationPolicyWindows10", + "description": "This resource configures an Intune App And Browser Isolation Policy for Windows10.", + "permissions": { + "graph": { + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.schema.mof index 676bc98242..c9d08b3067 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppCategory/MSFT_IntuneAppCategory.schema.mof @@ -1,7 +1,7 @@ [ClassVersion("1.0.0.0"), FriendlyName("IntuneAppCategory")] class MSFT_IntuneAppCategory : OMI_BaseResource { - [Key, Description("The name of the app category.")] String DisplayName; + [Key, Description("The name of the app.")] String DisplayName; [Write, Description("The unique identifier for an entity. Read-only.")] String Id; [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] string Ensure; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 new file mode 100644 index 0000000000..af4ecd222e --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.psm1 
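Review bot: The hunk in `MSFT_IntuneAppCategory.schema.mof` replaces a correct key description with a wrong one: the class is `MSFT_IntuneAppCategory`, so `DisplayName` is the name of the app category, not of an app. This looks like an edit that landed in the wrong file, because the new `MSFT_IntuneDerivedCredential` MOF later in this diff still carries the "app category" wording on its own `DisplayName`. I would revert this line to `[Key, Description("The name of the app category.")] String DisplayName;` and fix the description in the derived-credential schema instead; if the reference docs are generated from these descriptions, the regression would otherwise surface on the published page.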
@@ -0,0 +1,499 @@ +function Get-TargetResource { + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param ( + + #region resource params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $HelpUrl, + + [Parameter()] + [ValidateSet('intercede', 'entrustData', 'purebred')] + [System.String] + $Issuer, + + [Parameter()] + [ValidateSet('none', 'email', 'companyPortal')] + [System.String] + $NotificationType = 'none', + + [Parameter()] + [System.Int32] + $RenewalThresholdPercentage, + + #endregion resource params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + try + { + $instance = $null + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id} + } + + if ($null -eq $instance) + { + $instance = Get-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $Id -ErrorAction Stop + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find Derived Credential by Id {$Id}." + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + $instance = Get-MgBetaDeviceManagementDerivedCredential ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find Derived Credential by DisplayName {$DisplayName}." 
+ return $nullResult + } + } + } + } + + $results = @{ + Ensure = 'Present' + Id = $instance.Id + DisplayName = $instance.DisplayName + HelpUrl = $instance.HelpUrl + Issuer = $instance.Issuer.ToString() + NotificationType = $instance.NotificationType.ToString() + RenewalThresholdPercentage = $instance.RenewalThresholdPercentage + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource { + [CmdletBinding()] + param ( + + #region resource params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $HelpUrl, + + [Parameter()] + [ValidateSet('intercede', 'entrustData', 'purebred')] + [System.String] + $Issuer, + + [Parameter()] + [System.Int32] + $RenewalThresholdPercentage, + + #endregion resource params + + [Parameter()] + [ValidateSet('none', 'email', 'companyPortal')] + [System.String] + $NotificationType = 'none', + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure='Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the 
proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + $setParameters.remove('Id') | Out-Null + $setParameters.remove('Ensure') | Out-Null + + # CREATE + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + New-MgBetaDeviceManagementDerivedCredential @SetParameters + } + # UPDATE is not supported API, it always creates a new Derived Credential instance + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Remove-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource { + [CmdletBinding()] + [OutputType([System.Boolean])] + param ( + + #region resource params + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $HelpUrl, + + [Parameter()] + [ValidateSet('intercede', 'entrustData', 'purebred')] + [System.String] + $Issuer, + + [Parameter()] + [ValidateSet('none', 'email', 'companyPortal')] + [System.String] + $NotificationType = 'none', + + [Parameter()] + [System.Int32] + $RenewalThresholdPercentage, + + #endregion resource params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + 
$TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource { + [CmdletBinding()] + [OutputType([System.String])] + param ( + + #region resource params + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $HelpUrl, + + [Parameter()] + [ValidateSet('intercede', 'entrustData', 'purebred')] + [System.String] + $Issuer, + + [Parameter()] + [ValidateSet('none', 'email', 'companyPortal')] + [System.String] + $NotificationType = 'none', + + [Parameter()] + [System.Int32] + $RenewalThresholdPercentage, + + #endregion resource params + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + 
$Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-MgBetaDeviceManagementDerivedCredential -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + + $params = @{ + Ensure = 'Present' + Id = $config.Id + DisplayName = $config.DisplayName + HelpUrl = $config.HelpUrl + Issuer = $config.Issuer.ToString() + NotificationType = $config.NotificationType.ToString() + RenewalThresholdPercentage = $config.RenewalThresholdPercentage + Credential = $Credential + AccessTokens = $AccessTokens + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + } + + $Results = Get-TargetResource @Params + $Results = 
Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof new file mode 100644 index 0000000000..e893173409 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/MSFT_IntuneDerivedCredential.schema.mof 
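Review bot: In Get-TargetResource the lookup by Id calls `Get-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $Id -ErrorAction Stop` before checking that `$Id` was supplied, yet `Id` is optional and documented as read-only; with an empty identifier the call either throws (landing in the catch block, which returns Absent) or is sent as a path segment that no longer addresses a single object, and in neither case does control reach the DisplayName fallback the code clearly intends. Because Set-TargetResource creates a new object whenever Get reports Absent, and the comment in Set notes that the API cannot update an existing one, a configuration that only specifies DisplayName would create a duplicate derived-credential setting on every run. The DisplayName filter also interpolates the raw name into the OData string, so a name containing a single quote breaks the query; doubling the quote fixes that. Separately, `[ValidateSet('intercede', 'entrustData', 'purebred')]` on `Issuer` disagrees with the `entrustDatacard` value the MOF in this diff declares, so a schema-valid value is rejected at parameter binding in all three functions (and an exported `$config.Issuer.ToString()` would hit the same wall if Graph returns that spelling) — one of the two spellings has to change. Finally, when the object exists but differs, Set does nothing while Test keeps returning `$false`, so a changed HelpUrl or threshold reports as permanent drift; if the API truly cannot update, Set should at least `Write-Warning` that the difference cannot be remediated rather than stay silent.
```powershell
# … unchanged: exportedInstances cache lookup …
if ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($Id))
{
    $instance = Get-MgBetaDeviceManagementDerivedCredential -DeviceManagementDerivedCredentialSettingsId $Id -ErrorAction SilentlyContinue
}
if ($null -eq $instance -and -not [System.String]::IsNullOrEmpty($DisplayName))
{
    Write-Verbose -Message "Could not find Derived Credential by Id {$Id}, trying DisplayName."
    $escapedName = $DisplayName.Replace("'", "''")   # OData string literals escape ' as ''
    $instance = Get-MgBetaDeviceManagementDerivedCredential -Filter "DisplayName eq '$escapedName'" -ErrorAction SilentlyContinue
}
if ($null -eq $instance)
{
    Write-Verbose -Message "Could not find Derived Credential by Id {$Id} or DisplayName {$DisplayName}."
    return $nullResult
}
# … unchanged: build $results hashtable …
```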
@@ -0,0 +1,31 @@
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneDerivedCredential")]
+class MSFT_IntuneDerivedCredential : OMI_BaseResource
+{
+ [Key, Description("The name of the app category.")] String DisplayName;
+ [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+
+ [Write, Description("The URL that will be accessible to end users as they retrieve a derived credential using the Company Portal.")] String HelpUrl;
+ [Write, Description("The nominal percentage of time before certificate renewal is initiated by the client.")] Uint32 RenewalThresholdPercentage;
+ [Write, Description("Supported values for the derived credential issuer."),
+ ValueMap{"intercede", "entrustDatacard", "purebred"},
+ Values{"intercede", "entrustDatacard", "purebred"}]
+ String Issuer;
+
+ [Write, Description("Supported values for the notification type to use."),
+ ValueMap{"none", "email", "companyPortal"},
+ Values{"none", "email", "companyPortal"}]
+ String NotificationType;
+
+ [Write, Description("Supported values for the notification type to use."),
+ ValueMap{"Present", "Absent"},
+ Values{"Present", "Absent"}]
+ String Ensure;
+
+ [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] String Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Name of the Azure Active Directory tenant used for authentication. 
Format contoso.onmicrosoft.com")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/readme.md
new file mode 100644
index 0000000000..124a837b06
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneDerivedCredential
+
+## Description
+
+## Create new navigation property to derivedCredentials for deviceManagement for Intune.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/settings.json
new file mode 100644
index 0000000000..488bd5b384
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDerivedCredential/settings.json
@@ -0,0 +1,21 @@
+{
+ "resourceName": "IntuneDerivedCredential",
+ "description": "Use this resource to create new navigation property to derivedCredentials for device Management in Intune.",
+
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ ],
+ "update": [
+ ]
+ },
+ "application": {
+ "read": [
+ ],
+ "update": [
+ ]
+ }
+ }
+ }
+ }
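Review bot: Two descriptions in the new class are copy-paste leftovers that will mislead anyone reading the schema or docs generated from it: `DisplayName` is documented as "The name of the app category." and `Ensure` as "Supported values for the notification type to use.". I would change them to `[Key, Description("The display name of the derived credential settings.")] String DisplayName;` and `[Write, Description("Present ensures the derived credential settings exist, absent ensures they are removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] String Ensure;`. The `Issuer` ValueMap lists `entrustDatacard` while the psm1 in the preceding hunk validates `entrustData`; whichever is the Graph enum value, the two must agree or a schema-valid configuration fails at parameter binding. `RenewalThresholdPercentage` is `Uint32` here but `System.Int32` in the psm1, and the `TenantId` description ("Name ... Format contoso.onmicrosoft.com") differs from the wording the sibling resource in this diff uses — minor, but cheap to align while the file is new.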
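Review bot: Every permission array in the new settings.json is empty, so the resource declares no Graph scope for read or update in either delegated or application mode. As far as I can tell from the sibling settings.json in this diff, this metadata is what the module's permission tooling consumes to build least-privilege app registrations; with nothing declared, a registration generated from it cannot call `Get-MgBetaDeviceManagementDerivedCredential` at all, and operators are likely to compensate by over-granting. The resource only touches the derivedCredentials device-management endpoint, so the `DeviceManagementConfiguration.Read.All` (read) and `DeviceManagementConfiguration.ReadWrite.All` (update) entries the App And Browser Isolation resource declares are the obvious candidates for both blocks — please confirm against the Graph permission reference for deviceManagementDerivedCredentialSettings before filling them in. The `description` string ("create new navigation property to derivedCredentials") is lifted from the API reference rather than describing the resource; `"Configures derived credential issuer settings for Intune."` would tell an operator what they are granting access to.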
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 index 667a0789f3..ced6ab6e4d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 @@ -214,7 +214,7 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } - + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() if ($assignmentsValues.Count -gt 0) @@ -359,6 +359,9 @@ function Set-TargetResource $AccessTokens ) + Write-Warning -Message "The resource 'IntuneDeviceConfigurationIdentityProtectionPolicyWindows10' is deprecated. It will be removed in a future release. Please use 'IntuneAccountProtectionPolicyWindows10' instead." + Write-Warning -Message "For more information, please visit https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new#consolidation-of-intune-profiles-for-identity-protection-and-account-protection-" + #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 index 047fb4e9e6..a7a6ad3a6e 100644 
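Review bot: The deprecation warning is emitted only from Set-TargetResource (whose body continues outside the hunk), so an author who runs Export, or whose LCM is in monitor-only mode and only ever calls Test, never sees it. The same two `Write-Warning` calls belong at the top of Export-TargetResource, which is where someone migrating a tenant first meets the resource, and arguably in Get-TargetResource as well. Because Set runs on every remediation, the warning will also repeat per instance on each consistency check; that is acceptable for a deprecation, but a one-line comment above the calls should say so, e.g. `# Deprecation notice; surfaces on every Set so drift remediation keeps pointing at the replacement resource.`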
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 @@ -12,6 +12,10 @@ function Get-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
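Review bot: The hunk adds `RoleScopeTagIds` to Get-TargetResource's parameter list, but the function body, the Set/Test signatures and the schema.mof are outside this hunk, so I cannot see whether the value is also read back from the policy, returned in the results hashtable and compared by Test-TargetResource. Scope tags are the Intune RBAC boundary that decides which admin roles can see and change this policy, so if the parameter is only accepted and never compared, a change to the tags made in the portal will pass Test unnoticed and never be remediated. Please confirm the parameter is wired through all three functions and declared in the schema with `[Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];`, matching the sibling resource in this diff.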
@@ -96,106 +100,74 @@ function Get-TargetResource if ($null -eq $policy) { - Write-Verbose -Message "No Endpoint Detection And Response Policy with Id {$Identity} was found" - $policyTemplateID = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' - $filter = "name eq '$DisplayName' and templateReference/TemplateId eq '$policyTemplateID'" - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter $filter -ErrorAction SilentlyContinue - if ($null -eq $policy) + Write-Verbose -Message "Could not find an Intune Endpoint Detection And Response Policy for Windows10 with Id {$Identity}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) { - Write-Verbose -Message "No Endpoint Detection And Response Policy with displayName {$DisplayName} was found" - return $nullResult + $policy = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue } } - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.Id -ExpandProperty 'settings' -ErrorAction SilentlyContinue - + if ($null -eq $policy) + { + Write-Verbose -Message "Could not find an Intune Endpoint Detection And Response Policy for Windows10 with Name {$DisplayName}." 
+ return $nullResult + } $Identity = $policy.Id + Write-Verbose -Message "An Intune Endpoint Detection And Response Policy for Windows10 with Id {$Identity} and Name {$DisplayName} was found" - Write-Verbose -Message "Found Endpoint Detection And Response Policy with Id {$($policy.id)} and displayName {$($policy.Name)}" - - #Retrieve policy specific settings - $settings = @() - $settings += $policy.settings + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Identity ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop - $returnHashtable = @{} - $returnHashtable.Add('Identity', $Identity) - $returnHashtable.Add('DisplayName', $policy.name) - $returnHashtable.Add('Description', $policy.description) - - foreach ($setting in $settings.settingInstance) + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + if ($policySettings.ClientConfigurationPackageType -eq 'onboarding_fromconnector') { - $addToParameters = $true - $settingName = $setting.settingDefinitionId.Split('_') | Select-Object -Last 1 - - switch ($setting.AdditionalProperties.'@odata.type') - { - - '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - { - $settingValue = $setting.AdditionalProperties.simpleSettingValue.value - } - '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - { - $settingValue = $setting.AdditionalProperties.choiceSettingValue.value.split('_') | Select-Object -Last 1 - } - '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - { - $values = @() - foreach ($value in $setting.AdditionalProperties.groupSettingCollectionValue.children) - { - $settingName = $value.settingDefinitionId.split('_') | Select-Object -Last 1 - $settingValue = $value.choiceSettingValue.value.split('_') | Select-Object -Last 1 - 
$returnHashtable.Add($settingName, $settingValue) - $addToParameters = $false - } - } - '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - { - $values = @() - foreach ($value in $setting.AdditionalProperties.simpleSettingCollectionValue.value) - { - $values += $value - } - $settingValue = $values - } - Default - { - $settingValue = $setting.value - } - } - - if ($addToParameters) - { - $returnHashtable.Add($settingName, $settingValue) - } - + $policySettings.Add('ConfigurationType', 'AutoFromConnector') } - - #Removing telemetryreportingfrequency as deprecated and doen't need to be evaluated adn enforced - $returnHashtable.Remove('telemetryreportingfrequency') - - $returnAssignments = @() - $currentAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity -All - - if ($null -ne $currentAssignments -and $currentAssignments.count -gt 0 ) + else { - $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments ($currentAssignments) + $policySettings.Add('ConfigurationType', $policySettings.ClientConfigurationPackageType) } + $policySettings.Remove('ClientConfigurationPackageType') + $policySettings.Remove('onboarding') + $policySettings.Remove('offboarding') + $policySettings.Remove('onboarding_fromconnector') + + # Removing TelemetryReportingFrequency because it's deprecated and doesn't need to be evaluated and enforced + $policySettings.Remove('telemetryreportingfrequency') + + $results = @{ + #region resource generator code + Description = $policy.Description + DisplayName = $policy.Name + RoleScopeTagIds = $policy.RoleScopeTagIds + Identity = $policy.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings - 
$returnHashtable.Add('Assignments', $returnAssignments) - - Write-Verbose -Message "Found Endpoint Protection Policy {$($policy.name)}" - - $returnHashtable.Add('Ensure', 'Present') - $returnHashtable.Add('Credential', $Credential) - $returnHashtable.Add('ApplicationId', $ApplicationId) - $returnHashtable.Add('TenantId', $TenantId) - $returnHashtable.Add('ApplicationSecret', $ApplicationSecret) - $returnHashtable.Add('CertificateThumbprint', $CertificateThumbprint) - $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) - $returnHashtable.Add("AccessTokens", $AccessTokens) + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) - return $returnHashtable + return $results } catch { @@ -222,6 +194,10 @@ function Set-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
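Review bot: The DisplayName fallback in the new code filters with `"Name eq '$DisplayName'"` alone, dropping the `templateReference/TemplateId eq '$policyTemplateID'` condition the removed lines had, so a settings-catalog policy of any other template that happens to share the name is returned and its settings are then parsed as an EDR policy. Restoring the constraint keeps the lookup scoped: `-Filter "Name eq '$DisplayName' and templateReference/TemplateId eq '0385b795-0f2f-44ac-8602-9f65bf6adede_1'"`; the same id is still hard-coded in Set-TargetResource and Export-TargetResource in later hunks, so a script-level constant would avoid three copies. As before, `$DisplayName` is interpolated into the OData filter unescaped, and with -ErrorAction SilentlyContinue a name containing a single quote yields a malformed filter that is reported as "not found" rather than as an error. Get-TargetResource starts before this hunk and its catch block continues after it.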
@@ -291,14 +267,35 @@ function Set-TargetResource #endregion $currentPolicy = Get-TargetResource @PSBoundParameters - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('AccessTokens') | Out-Null + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + switch ($ConfigurationType) + { + 'AutoFromConnector' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'onboarding_fromconnector') + $BoundParameters.Add('onboarding_fromconnector', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + 'Onboard' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'onboard') + $BoundParameters.Add('onboarding', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + 'Offboard' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'offboard') + $BoundParameters.Add('offboarding', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + } + + if ([System.String]::IsNullOrEmpty($ConfigurationBlob)) + { + throw "ConfigurationBlob is required for configurationType '$($DSCParams.ConfigurationType)'" + } + $BoundParameters.Remove('ConfigurationType') | Out-Null $templateReferenceId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' $platforms = 'windows10' 
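Review bot: The new `throw "ConfigurationBlob is required for configurationType '$($DSCParams.ConfigurationType)'"` references `$DSCParams`, which is not defined in Set-TargetResource (it was the parameter of the removed Get-IntuneSettingCatalogPolicySetting helper), so the message always renders an empty type; it should read `'$ConfigurationType'`. The check also runs before the Ensure branching in the following hunk, so `Ensure = 'Absent'` now demands a ConfigurationBlob just to remove the policy, whereas the removed helper enforced it only while building settings for create/update; `if ($Ensure -eq 'Present' -and [System.String]::IsNullOrEmpty($ConfigurationBlob))` restores that. The switch has no default arm, so a ConfigurationType outside the three cases leaves ConfigurationBlob in the bound parameters without a ClientConfigurationPackageType — harmless only if the parameter carries a ValidateSet, which is outside the hunk. Set-TargetResource starts before and continues after this hunk.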
@@ -306,82 +303,64 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating new Endpoint Protection Policy {$DisplayName}" - $PSBoundParameters.Remove('Assignments') | Out-Null + Write-Verbose -Message "Creating an Intune Endpoint Protection And Response Policy for Windows10 with Name {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null - $settings = @() - $formattedSettings = Get-IntuneSettingCatalogPolicySetting ` - -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId - if ($null -ne $formattedSettings) - { - $settings += $formattedSettings - } - $createParameters = @{ - name = $DisplayName - description = $Description - templateReference = @{templateId = $templateReferenceId } - platforms = $platforms - technologies = $technologies - settings = $settings + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings } - write-verbose ($createParameters|convertto-json -depth 100) + #region resource generator code $policy = New-MgBetaDeviceManagementConfigurationPolicy -bodyParameter $createParameters - $assignmentsHash = @() - if ($null -ne $Assignments -and $Assignments.count -gt 0 ) + if ($policy.Id) { - $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' } - - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $policy.id ` - 
-Targets $assignmentsHash - + #endregion } elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { - Write-Verbose -Message "Updating existing Endpoint Protection Policy {$($currentPolicy.DisplayName)}" - $PSBoundParameters.Remove('Assignments') | Out-Null + Write-Verbose -Message "Updating the Intune Endpoint Protection And Response Policy for Windows10 {$($currentPolicy.DisplayName)}" + $BoundParameters.Remove('Assignments') | Out-Null - #format settings from PSBoundParameters for update - $settings = @() - $formattedSettings = Get-IntuneSettingCatalogPolicySetting ` - -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId - if ($null -ne $formattedSettings) - { - $settings += $formattedSettings - } - - Update-DeviceManagementConfigurationPolicy ` - -DeviceManagementConfigurationPolicyId $currentPolicy.Identity ` - -DisplayName $DisplayName ` + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Name $DisplayName ` -Description $Description ` - -TemplateReference $templateReferenceId ` + -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings - #region update policy assignments - $assignmentsHash = @() - if ($null -ne $Assignments -and $Assignments.count -gt 0 ) - { - $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments - } - + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` - -Targets $assignmentsHash + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' #endregion } elseif ($Ensure -eq 'Absent' -and 
$currentPolicy.Ensure -eq 'Present') { - Write-Verbose -Message "Removing Endpoint Protection Policy {$($currentPolicy.DisplayName)}" + Write-Verbose -Message "Removing the Intune Endpoint Protection And Response Policy for Windows 10 with Id {$($currentPolicy.Identity)}" Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentPolicy.Identity } } @@ -400,6 +379,10 @@ function Test-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
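Review bot: In both the create and update branches `ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments` is now called without the `$null -ne $Assignments -and $Assignments.count -gt 0` guard the removed lines had; unless that helper tolerates a null -Assignments (not visible here), a resource declared without Assignments errors or sends no target list where it previously passed an empty array. In the create branch, when New-MgBetaDeviceManagementConfigurationPolicy returns nothing, `if ($policy.Id)` silently skips the assignment step and the function returns as if the policy had been created; an `else { throw "Failed to create policy {$DisplayName}" }` or `-ErrorAction Stop` on the New- call would surface that. The `-bodyParameter` casing is inconsistent with the PascalCase used elsewhere in the hunk. Set-TargetResource continues past this hunk.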
@@ -467,34 +450,69 @@ function Test-TargetResource -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of Endpoint Protection Policy {$DisplayName}" + Write-Verbose -Message "Testing configuration of the Intune Endpoint Protection And Response Policy for Windows10 with Id {$Identity} and Name {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } - $ValuesToCheck = ([hashtable]$PSBoundParameters).clone() $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('ConfigurationBlob') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck - $source = $PSBoundParameters.Assignments - $target = 
$CurrentValues.Assignments - $ValuesToCheck.Remove('Assignments') | Out-Null - - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" if ($testResult) { - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testResult" - return $TestResult + return $testResult } function Export-TargetResource @@ -558,9 +576,12 @@ function Export-TargetResource { $policyTemplateID = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' [array]$policies = Get-MgBetaDeviceManagementConfigurationPolicy ` - -All:$true ` + -All ` -Filter $Filter ` - -ErrorAction Stop | Where-Object -FilterScript { $_.TemplateReference.TemplateId -eq $policyTemplateID } ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } if ($policies.Length -eq 0) { 
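Review bot: The ValuesToCheck filter `if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction'))` uses `-or`, so every key satisfies at least one side: 'Verbose' is not like '*Variable' and 'ErrorVariable' is not in the list, and both are admitted. The intent reads as excluding both groups, which needs `-and`. Whether Test-M365DSCParameterState ignores those common-parameter keys is not visible here; if it does, the bug is masked today but the condition is still misleading to the next reader, and the same construction may be repeated in other generated resources. Test-TargetResource begins before this hunk.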
@@ -593,48 +614,38 @@ function Export-TargetResource } $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results - if ($Results.Ensure -eq 'Present') + if ($Results.Assignments) { - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results - - if ($Results.Assignments) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments - if ($complexTypeStringResult) - { - $Results.Assignments = $complexTypeStringResult - } - else - { - $Results.Remove('Assignments') | Out-Null - } + $Results.Assignments = $complexTypeStringResult } - - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $Results ` - -Credential $Credential - - if ($Results.Assignments) + else { - $isCIMArray = $false - if ($Results.Assignments.getType().Fullname -like '*[[\]]') - { - $isCIMArray = $true - } - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray + $Results.Remove('Assignments') | Out-Null } + } - $dscContent += $currentDSCBlock - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential - Write-Host $Global:M365DSCEmojiGreenCheckMark - $i++ + if ($Results.Assignments) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark } return $dscContent } 
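Review bot: The `if ($Results.Ensure -eq 'Present')` guard around the export block was removed, so when Get-TargetResource returns its null result for a policy the filtered list had just enumerated (for instance after a transient Graph failure hidden by the SilentlyContinue lookups), the loop now writes a block with Ensure set to Absent into the export instead of skipping it. Keeping `if ($Results.Ensure -eq 'Present')` around the Update-M365DSCExportAuthenticationResults through Save-M365DSCPartialExport sequence preserves the old behaviour. Whether this file's null result carries Ensure = 'Absent' is not visible in the hunk, but the same pattern is explicit in the new MacOSLobApp resource later in this diff. The loop header and `$i` initialisation start before this hunk.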
@@ -661,278 +672,4 @@ function Export-TargetResource } } -function Get-IntuneSettingCatalogPolicySetting -{ - [CmdletBinding()] - [OutputType([System.Array])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - [Parameter(Mandatory = 'true')] - [System.String] - $TemplateId - ) - - $DSCParams.Remove('Identity') | Out-Null - $DSCParams.Remove('DisplayName') | Out-Null - $DSCParams.Remove('Description') | Out-Null - - #Prepare setting definitions mapping - $settingDefinitions = Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -DeviceManagementConfigurationPolicyTemplateId $TemplateId - $settingInstances = @() - foreach ($settingDefinition in $settingDefinitions.SettingInstanceTemplate) - { - - $settingInstance = @{} - $settingName = $settingDefinition.SettingDefinitionId.split('_') | Select-Object -Last 1 - $settingType = $settingDefinition.AdditionalProperties.'@odata.type'.replace('InstanceTemplate', 'Instance') - $settingInstance.Add('settingDefinitionId', $settingDefinition.settingDefinitionId) - $settingInstance.Add('@odata.type', $settingType) - if (-Not [string]::IsNullOrEmpty($settingDefinition.settingInstanceTemplateId)) - { - $settingInstance.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $settingDefinition.settingInstanceTemplateId }) - } - $settingValueName = $settingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $settingValueName = $settingValueName.Substring(0, 1).ToLower() + $settingValueName.Substring(1, $settingValueName.length - 1 ) - $settingValueType = $settingDefinition.AdditionalProperties."$($settingValueName)Template".'@odata.type' - if ($null -ne $settingValueType) - { - $settingValueType = $settingValueType.replace('ValueTemplate', 'Value') - } - $settingValueTemplateId = $settingDefinition.AdditionalProperties."$($settingValueName)Template".settingValueTemplateId - $settingValue = 
Get-IntuneSettingCatalogPolicySettingInstanceValue ` - -DSCParams $DSCParams ` - -SettingDefinition $settingDefinition ` - -SettingName $settingName ` - -SettingType $settingType ` - -SettingValueName $settingValueName ` - -SettingValueType $settingValueType ` - -SettingValueTemplateId $settingValueTemplateId - - if ($null -ne $settingValue) { - $childSettingType = "" - switch ($DSCParams['ConfigurationType']) - { - 'AutoFromConnector' - { - $childSettingType = 'onboarding_fromconnector' - } - 'Onboard' - { - $childSettingType = 'onboarding' - } - 'Offboard' - { - $childSettingType = 'offboarding' - } - } - - if ($settingName -eq 'configurationType') - { - if ([System.String]::IsNullOrEmpty($DSCParams['ConfigurationBlob'])) - { - throw "ConfigurationBlob is required for configurationType '$($DSCParams['ConfigurationType'])'" - } - - $children = @() - $children += @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance" - settingDefinitionId = "device_vendor_msft_windowsadvancedthreatprotection_$($childSettingType)" - simpleSettingValue = @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationSecretSettingValue" - value = $DSCParams['ConfigurationBlob'] - valueState = "NotEncrypted" - } - } - $settingValue.choiceSettingValue.Add("children", $children) - } - $settingInstance += ($settingValue) - $settingInstances += @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' - 'settingInstance' = $settingInstance - } - } else { - Continue - } - } - - return $settingInstances -} - -function Get-IntuneSettingCatalogPolicySettingInstanceValue -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - - [Parameter()] - $SettingDefinition, - - [Parameter()] - [System.String] - $SettingType, - - [Parameter()] - [System.String] - $SettingName, - - [Parameter()] - [System.String] - $SettingValueName, - - 
[Parameter()] - [System.String] - $SettingValueType, - - [Parameter()] - [System.String] - $SettingValueTemplateId - ) - - $settingValueReturn = @{} - switch ($settingType) - { - '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - { - $groupSettingCollectionValue = @{} - $groupSettingCollectionValueChildren = @() - - $groupSettingCollectionDefinitionChildren = $SettingDefinition.AdditionalProperties.groupSettingCollectionValueTemplate.children - foreach ($childDefinition in $groupSettingCollectionDefinitionChildren) - { - $childSettingName = $childDefinition.settingDefinitionId.split('_') | Select-Object -Last 1 - $childSettingType = $childDefinition.'@odata.type'.replace('InstanceTemplate', 'Instance') - $childSettingValueName = $childSettingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $childSettingValueType = "#microsoft.graph.deviceManagementConfiguration$($childSettingValueName)" - $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.length - 1 ) - $childSettingValueTemplateId = $childDefinition.$childSettingValueName.settingValueTemplateId - $childSettingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` - -DSCParams $DSCParams ` - -SettingDefinition $childDefinition ` - -SettingName $childSettingName ` - -SettingType $childDefinition.'@odata.type' ` - -SettingValueName $childSettingValueName ` - -SettingValueType $childSettingValueType ` - -SettingValueTemplateId $childSettingValueTemplateId - - if ($null -ne $childSettingValue) - { - $childSettingValue.add('settingDefinitionId', $childDefinition.settingDefinitionId) - $childSettingValue.add('@odata.type', $childSettingType ) - $groupSettingCollectionValueChildren += $childSettingValue - } - } - $groupSettingCollectionValue.add('children', $groupSettingCollectionValueChildren) - $settingValueReturn.Add('groupSettingCollectionValue', 
@($groupSettingCollectionValue)) - } - '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - { - $values = @() - foreach ( $key in $DSCParams.Keys) - { - if ($settingName -eq ($key.tolower())) - { - $values = $DSCParams[$key] - break - } - } - $settingValueCollection = @() - foreach ($v in $values) - { - $settingValueCollection += @{ - value = $v - '@odata.type' = $settingValueType - } - } - $settingValueReturn.Add($settingValueName, $settingValueCollection) - } - Default - { - $value = $null - foreach ( $key in $DSCParams.Keys) - { - if ($settingName -eq ($key.tolower())) - { - $value = "$($SettingDefinition.settingDefinitionId)_$($DSCParams[$key])" - break - } - } - $settingValue = @{} - - if (-Not [string]::IsNullOrEmpty($settingValueType)) - { - $settingValue.add('@odata.type', $settingValueType) - } - if (-Not [string]::IsNullOrEmpty($settingValueTemplateId)) - { - $settingValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $settingValueTemplateId }) - } - $settingValue.add('value', $value) - if ($null -eq $value) - { - return $null - } - $settingValueReturn.Add($settingValueName, $settingValue) - } - } - return $settingValueReturn -} - -function Update-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId, - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId" - $policy = [ordered]@{ - 'name' = $DisplayName - 'description' = $Description - 
'platforms' = $Platforms - 'technologies' = $Technologies - 'templateReference' = $templateReference - 'settings' = $Settings - } - #write-verbose (($policy|ConvertTo-Json -Depth 20)) - Invoke-MgGraphRequest -Method PUT ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> $null -} - Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof index 6b2b758d61..f4dc9d7295 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof 
@@ -14,6 +14,7 @@ class MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10 : OMI_BaseResource
 {
 [Write, Description("Identity of the endpoint detection and response policy for Windows 10.")] String Identity;
 [Key, Description("Display name of the endpoint detection and response policy for Windows 10.")] String DisplayName;
+ [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
 [Write, Description("Description of the endpoint detection and response policy for Windows 10.")] String Description;
 [Write, Description("Assignments of the endpoint detection and response policy for Windows 10."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
 [Write, Description("Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All"), ValueMap{"0", "1"}, Values{"0", "1"}] String SampleSharing;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1
new file mode 100644
index 0000000000..739c2c80d7
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1
@@ -0,0 +1,967 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Developer, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.Boolean] + $IgnoreVersionDetection, + + [Parameter()] + [System.Boolean] + $InstallAsManaged, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $MinimumSupportedOperatingSystem, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String] + $Owner, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $BundleId, + + [Parameter()] + [System.String] + $BuildNumber, + + [Parameter()] + [System.String] + $VersionNumber, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ChildApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $LargeIcon, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + 
[System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $instance = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $Id ` + -ExpandProperty "categories" ` + -ErrorAction SilentlyContinue + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find an Intune MacOS Lob App with Id {$Id}." + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $instance = Get-MgBetaDeviceAppManagementMobileApp ` + -Filter "(isof('microsoft.graph.macOSLobApp') and displayName eq '$DisplayName')" ` + -ErrorAction SilentlyContinue + } + + if ($null -ne $instance) + { + $instance = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $instance.Id ` + -ExpandProperty "categories" ` + -ErrorAction SilentlyContinue + $Id = $instance.Id + } + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find an Intune MacOS Lob App with DisplayName {$DisplayName} was found." + return $nullResult + } + + Write-Verbose "An Intune MacOS Lob App with Id {$Id} and DisplayName {$DisplayName} was found." 
+ + #region complex types + $complexCategories = @() + foreach ($category in $instance.Categories) + { + $myCategory = @{} + $myCategory.Add('Id', $category.id) + $myCategory.Add('DisplayName', $category.displayName) + $complexCategories += $myCategory + } + + $complexChildApps = @() + foreach ($childApp in $instance.AdditionalProperties.childApps) + { + $myChildApp = @{} + $myChildApp.Add('BundleId', $childApp.bundleId) + $myChildApp.Add('BuildNumber', $childApp.buildNumber) + $myChildApp.Add('VersionNumber', $childApp.versionNumber) + $complexChildApps += $myChildApp + } + + $complexLargeIcon = @{} + if ($null -ne $instance.LargeIcon.Value) + { + $complexLargeIcon.Add('Value', [System.Convert]::ToBase64String($instance.LargeIcon.Value)) + $complexLargeIcon.Add('Type', $instance.LargeIcon.Type) + } + + $complexMinimumSupportedOperatingSystem = @{} + if ($null -ne $instance.AdditionalProperties.minimumSupportedOperatingSystem) + { + $instance.AdditionalProperties.minimumSupportedOperatingSystem.GetEnumerator() | Foreach-Object { + if ($_.Value) # Values are either true or false. Only export the true value. 
+ { + $complexMinimumSupportedOperatingSystem.Add($_.Key, $_.Value) + } + } + } + + $results = @{ + Id = $instance.Id + BundleId = $instance.AdditionalProperties.bundleId + BuildNumber = $instance.AdditionalProperties.buildNumber + Categories = $complexCategories + ChildApps = $complexChildApps + Description = $instance.Description + Developer = $instance.Developer + DisplayName = $instance.DisplayName + IgnoreVersionDetection = $instance.AdditionalProperties.ignoreVersionDetection + InformationUrl = $instance.InformationUrl + IsFeatured = $instance.IsFeatured + InstallAsManaged = $instance.AdditionalProperties.installAsManaged + LargeIcon = $complexLargeIcon + MinimumSupportedOperatingSystem = $complexMinimumSupportedOperatingSystem + Notes = $instance.Notes + Owner = $instance.Owner + PrivacyInformationUrl = $instance.PrivacyInformationUrl + Publisher = $instance.Publisher + RoleScopeTagIds = $instance.RoleScopeTagIds + VersionNumber = $instance.AdditionalProperties.versionNumber + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + #Assignments + $resultAssignments = @() + $appAssignments = Get-MgBetaDeviceAppManagementMobileAppAssignment -MobileAppId $instance.Id + if ($null -ne $appAssignments -and $appAssignments.count -gt 0) + { + $resultAssignments += ConvertFrom-IntuneMobileAppAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($appAssignments) + } + $results.Add('Assignments', $resultAssignments) + + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + 
[CmdletBinding()] + param + ( + #region Intune resource parameters + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Developer, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.Boolean] + $IgnoreVersionDetection, + + [Parameter()] + [System.Boolean] + $InstallAsManaged, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $MinimumSupportedOperatingSystem, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String] + $Owner, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $BundleId, + + [Parameter()] + [System.String] + $BuildNumber, + + [Parameter()] + [System.String] + $VersionNumber, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ChildApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $LargeIcon, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current 
environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune MacOS Lob App with DisplayName {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + + $CreateParameters = ([Hashtable]$BoundParameters).Clone() + $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters + $CreateParameters.Remove('Id') | Out-Null + $CreateParameters.Remove('Categories') | Out-Null + + foreach ($key in ($CreateParameters.Clone()).Keys) + { + if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.GetType().Name -like '*CimInstance*') + { + $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key + } + } + + $CreateParameters.Add('@odata.type', '#microsoft.graph.macOSLobApp') + $app = New-MgBetaDeviceAppManagementMobileApp -BodyParameter $CreateParameters + + foreach ($category in $Categories) + { + if ($category.Id) + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -CategoryId $category.Id + } + else + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -Filter "displayName eq '$($category.DisplayName)'" + } + + if ($null -eq $currentCategory) + { + throw "Mobile App Category with DisplayName $($category.DisplayName) not found." 
+ } + + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($app.Id)/categories/`$ref" -Method 'POST' -Body @{ + '@odata.id' = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + } + } + + #Assignments + if ($app.Id) + { + $assignmentsHash = ConvertTo-IntuneMobileAppAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceAppManagementPolicyAssignment -AppManagementPolicyId $app.Id ` + -Assignments $assignmentsHash + } + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Host "Updating the Intune MacOS Lob App with DisplayName {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + + $UpdateParameters = ([Hashtable]$BoundParameters).Clone() + $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters + $UpdateParameters.Remove('Id') | Out-Null + $UpdateParameters.Remove('Categories') | Out-Null + + foreach ($key in ($UpdateParameters.Clone()).Keys) + { + if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.GetType().Name -like '*CimInstance*') + { + $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key + } + } + + $UpdateParameters.Add('@odata.type', '#microsoft.graph.macOSLobApp') + Update-MgBetaDeviceAppManagementMobileApp -MobileAppId $currentInstance.Id -BodyParameter $UpdateParameters + + [array]$referenceObject = if ($null -ne $currentInstance.Categories.DisplayName) { $currentInstance.Categories.DisplayName } else { ,@() } + [array]$differenceObject = if ($null -ne $Categories.DisplayName) { $Categories.DisplayName } else { ,@() } + $delta = Compare-Object -ReferenceObject $referenceObject -DifferenceObject $differenceObject -PassThru + foreach ($diff in $delta) + { + if ($diff.SideIndicator -eq '=>') + { + $category = $Categories | Where-Object { $_.DisplayName -eq $diff } + if ($category.Id) + { + $currentCategory = 
Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $category.Id + } + else + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -Filter "displayName eq '$($category.DisplayName)'" + } + + if ($null -eq $currentCategory) + { + throw "Mobile App Category with DisplayName $($category.DisplayName) not found." + } + + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($currentInstance.Id)/categories/`$ref" -Method 'POST' -Body @{ + '@odata.id' = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + } + } + else + { + $category = $currentInstance.Categories | Where-Object { $_.DisplayName -eq $diff } + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($currentInstance.Id)/categories/$($category.Id)/`$ref" -Method 'DELETE' + } + } + + #Assignments + $assignmentsHash = ConvertTo-IntuneMobileAppAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceAppManagementPolicyAssignment -AppManagementPolicyId $currentInstance.Id ` + -Assignments $assignmentsHash + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Host "Remove the Intune MacOS Lob App with Id {$($currentInstance.Id)}" + Remove-MgBetaDeviceAppManagementMobileApp -MobileAppId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Developer, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.Boolean] + $IgnoreVersionDetection, + + [Parameter()] + [System.Boolean] + $InstallAsManaged, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance] + $MinimumSupportedOperatingSystem, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String] + $Owner, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $BundleId, + + [Parameter()] + [System.String] + $BuildNumber, + + [Parameter()] + [System.String] + $VersionNumber, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ChildApps, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $LargeIcon, + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune MacOS Lob App with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + # Prevent screen from filling up with the LargeIcon value + # Comparison will already be done because it's a CimInstance + $CurrentValues.Remove('LargeIcon') | Out-Null + $PSBoundParameters.Remove('LargeIcon') | Out-Null + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource 
returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:getInstances = Get-MgBetaDeviceAppManagementMobileApp ` + -Filter "isof('microsoft.graph.macOSLobApp')" ` + -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:getInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:getInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:getInstances.Count)] $displayedKey" -NoNewline + + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + 
CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + #region complex types + if ($null -ne $Results.Categories) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Categories ` + -CIMInstanceName 'DeviceManagementMobileAppCategory' + + if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.Categories = $complexTypeStringResult + } + else + { + $Results.Remove('Categories') | Out-Null + } + } + + if ($null -ne $Results.ChildApps) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ChildApps ` + -CIMInstanceName 'DeviceManagementMobileAppChildApp' + + if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ChildApps = $complexTypeStringResult + } + else + { + $Results.Remove('ChildApps') | Out-Null + } + } + + if ($null -ne $Results.LargeIcon) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.LargeIcon ` + -CIMInstanceName 'DeviceManagementMimeContent' + + if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.LargeIcon = $complexTypeStringResult + } + else + { + $Results.Remove('LargeIcon') | Out-Null + } + } + + if ($null -ne $Results.MinimumSupportedOperatingSystem) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.MinimumSupportedOperatingSystem ` + -CIMInstanceName 'DeviceManagementMinimumOperatingSystem' + + if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.MinimumSupportedOperatingSystem = $complexTypeStringResult + } + else + { + $Results.Remove('MinimumSupportedOperatingSystem') | Out-Null 
+ } + } + + if ($null -ne $Results.Assignments) + { + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Assignments ` + -CIMInstanceName DeviceManagementMobileAppAssignment + + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + } + #endregion complex types + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + #region complex types + if ($null -ne $Results.Categories) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Categories' -IsCIMArray:$true + } + + if ($null -ne $Results.ChildApps) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ChildApps' -IsCIMArray:$true + } + + if ($null -ne $Results.LargeIcon) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'LargeIcon' -IsCIMArray:$false + } + + if ($null -ne $Results.MinimumSupportedOperatingSystem) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'MinimumSupportedOperatingSystem' -IsCIMArray:$false + } + + if ($null -ne $Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true + } + #endregion complex types + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId 
$TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof new file mode 100644 index 0000000000..ce7f2b865f --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.schema.mof 
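Review bot: In Set-TargetResource the create branch resolves a category with `Get-MgBetaDeviceAppManagementMobileAppCategory -CategoryId $category.Id` while the update branch calls the same cmdlet with `-MobileAppCategoryId $category.Id`; only one of those names can bind, so one branch will fail with a parameter-binding error whenever a category is supplied by Id — `-MobileAppCategoryId` is the one I believe the SDK exposes, so the create branch should be changed to match. Separately, `$DisplayName` (Get-TargetResource) and `$category.DisplayName` (both Set branches) are interpolated unescaped into OData `-Filter` strings, so a name containing a single quote yields a malformed or different filter; escape it first, e.g. `$safeName = $DisplayName.Replace("'", "''")` and use `$safeName` in the filter. The update and remove branches log with `Write-Host` while the create branch uses `Write-Verbose`; the verbose stream is the right channel for a DSC resource. Finally, the not-found message in Get-TargetResource reads `"Could not find an Intune MacOS Lob App with DisplayName {$DisplayName} was found."`; drop the trailing `was found`.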
@@ -0,0 +1,79 @@ +class MSFT_DeviceManagementMobileAppAssignment +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget", "#microsoft.graph.mobileAppAssignment"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget", "#microsoft.graph.mobileAppAssignment"}] String dataType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are: none, include, exclude."), ValueMap{"none", "include", "exclude"}, Values{"none", "include", "exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("Possible values for the install intent chosen by the admin."), ValueMap{"available", "required", "uninstall", "availableWithoutEnrollment"}, Values{"available", "required", "uninstall", "availableWithoutEnrollment"}] String intent; +}; + +class MSFT_DeviceManagementMinimumOperatingSystem +{ + [Write, Description("Indicates if Mac OS X 10.7 or later is required to install the app.")] Boolean v10_7; + [Write, Description("Indicates if Mac OS X 10.8 or later is required to install the app.")] Boolean v10_8; + [Write, Description("Indicates if Mac OS X 10.9 or later is required to install the app.")] Boolean v10_9; + [Write, Description("Indicates if Mac OS X 10.10 or later is required to install the app.")] Boolean v10_10; + [Write, 
Description("Indicates if Mac OS X 10.11 or later is required to install the app.")] Boolean v10_11; + [Write, Description("Indicates if Mac OS X 10.12 or later is required to install the app.")] Boolean v10_12; + [Write, Description("Indicates if Mac OS X 10.13 or later is required to install the app.")] Boolean v10_13; + [Write, Description("Indicates if Mac OS X 10.14 or later is required to install the app.")] Boolean v10_14; + [Write, Description("Indicates if Mac OS X 10.15 or later is required to install the app.")] Boolean v10_15; + [Write, Description("Indicates if Mac OS X 11.0 or later is required to install the app.")] Boolean v11_0; + [Write, Description("Indicates if Mac OS X 12.0 or later is required to install the app.")] Boolean v12_0; + [Write, Description("Indicates if Mac OS X 13.0 or later is required to install the app.")] Boolean v13_0; + [Write, Description("Indicates if Mac OS X 14.0 or later is required to install the app.")] Boolean v14_0; +}; + +class MSFT_DeviceManagementMimeContent +{ + [Write, Description("Indicates the type of content mime.")] String Type; + [Write, Description("The Base64 encoded string content.")] String Value; +}; + +class MSFT_DeviceManagementMobileAppCategory +{ + [Key, Description("The name of the app category.")] String DisplayName; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; +}; + +class MSFT_DeviceManagementMobileAppChildApp +{ + [Write, Description("The bundleId of the app.")] String BundleId; + [Write, Description("The build number of the app.")] String BuildNumber; + [Write, Description("The version number of the app.")] String VersionNumber; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneMobileAppsMacOSLobApp")] +class MSFT_IntuneMobileAppsMacOSLobApp : OMI_BaseResource +{ + [Key, Description("The admin provided or imported title of the app. Inherited from mobileApp.")] String DisplayName; + [Write, Description("The unique identifier for an entity. 
Read-only. Inherited from mobileApp object.")] String Id; + [Write, Description("The description of the app. Inherited from mobileApp.")] String Description; + [Write, Description("The dewveloper of the app. Inherited from mobileApp.")] String Developer; + [Write, Description("The InformationUrl of the app. Inherited from mobileApp.")] String InformationUrl; + [Write, Description("The value indicating whether the app is marked as featured by the admin. Inherited from mobileApp.")] Boolean IsFeatured; + [Write, Description("Notes for the app. Inherited from mobileApp.")] String Notes; + [Write, Description("The owner of the app. Inherited from mobileApp.")] String Owner; + [Write, Description("The privacy statement Url. Inherited from mobileApp.")] String PrivacyInformationUrl; + [Write, Description("The publisher of the app. Inherited from mobileApp.")] String Publisher; + [Write, Description("The publishing state for the app. The app cannot be assigned unless the app is published. Inherited from mobileApp."), ValueMap{"notPublished", "processing","published"}, Values{"notPublished", "processing", "published"}] String PublishingState; + [Write, Description("The bundleId of the app.")] String BundleId; + [Write, Description("The build number of the app.")] String BuildNumber; + [Write, Description("The version number of the app.")] String VersionNumber; + [Write, Description("List of Scope Tag IDs for mobile app.")] String RoleScopeTagIds[]; + [Write, Description("Whether to ignore the version of the app or not.")] Boolean IgnoreVersionDetection; + [Write, Description("The icon for this app."), EmbeddedInstance("MSFT_DeviceManagementMimeContent")] String LargeIcon; + [Write, Description("The minimum supported operating system to install the app."), EmbeddedInstance("MSFT_DeviceManagementMinimumOperatingSystem")] String MinimumSupportedOperatingSystem; + [Write, Description("The list of categories for this app."), 
EmbeddedInstance("MSFT_DeviceManagementMobileAppCategory")] String Categories[]; + [Write, Description("The list of assignments for this app."), EmbeddedInstance("MSFT_DeviceManagementMobileAppAssignment")] String Assignments[]; + [Write, Description("The list of child apps for this app package."), EmbeddedInstance("MSFT_DeviceManagementMobileAppChildApp")] String ChildApps[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] String Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] String Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/readme.md new file mode 100644 index 0000000000..821600b758 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/readme.md @@ -0,0 +1,6 @@ + +# IntuneMobileAppsMacOSLobApp + +## Description + +This resource configures an Intune mobile app of MacOSLobApp type for MacOS devices. 
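Review bot: The schema declares `PublishingState`, but none of Get/Set/Test-TargetResource in MSFT_IntuneMobileAppsMacOSLobApp.psm1 (earlier in this commit) accept a `PublishingState` parameter, while `InstallAsManaged`, which all three functions accept and Get-TargetResource returns, has no property here; as far as I can tell DSC splats schema properties into those functions, so a configuration setting PublishingState would fail at the resource boundary and InstallAsManaged cannot be set from a configuration at all. Either remove the PublishingState line or add the parameter to the psm1, and add `[Write, Description("Whether the app is installed as managed.")] Boolean InstallAsManaged;` (wording to confirm against the Graph documentation). The Developer description has a typo, `"The dewveloper of the app. Inherited from mobileApp."` → `"The developer of the app. Inherited from mobileApp."`, and the Ensure description says "the policy exists" although this resource manages an app.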
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json
new file mode 100644
index 0000000000..3e70ad560b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/settings.json
@@ -0,0 +1,32 @@
+{
+ "resourceName": "IntuneMobileAppsMacOSLobApp",
+ "description": "This resource configures an Intune mobile app.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementApps.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementApps.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementApps.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementApps.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1
new file mode 100644
index 0000000000..f10634ed10
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1
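Review bot: The `"description"` value `"This resource configures an Intune mobile app."` is generic and does not say which app type the resource manages, unlike the readme added just above it; `"This resource configures an Intune mobile app of MacOSLobApp type for MacOS devices."` would keep the two consistent. The declared DeviceManagementApps.Read.All / DeviceManagementApps.ReadWrite.All scopes line up with the mobileApps, categories and assignment calls visible in the psm1, so I see nothing missing there.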
@@ -0,0 +1,1002 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $AutoAcceptEula, + + [Parameter()] + [System.String[]] + [ValidateSet('O365ProPlusRetail', 'O365BusinessRetail', 'VisioProRetail', 'ProjectProRetail')] + $ProductIds, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExcludedApps, + + [Parameter()] + [System.Boolean] + $UseSharedComputerActivation, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Current', 'Deferred', 'FirstReleaseCurrent', 'FirstReleaseDeferred', 'MonthlyEnterprise')] + $UpdateChannel, + + [Parameter()] + [System.String] + [ValidateSet('NotConfigured', 'OfficeOpenXMLFormat', 'OfficeOpenDocumentFormat', 'UnknownFutureValue')] + $OfficeSuiteAppDefaultFileFormat, + + [Parameter()] + [System.String] + [ValidateSet('None', 'X86', 'X64', 'Arm', 'Neutral', 'Arm64')] + $OfficePlatformArchitecture, + + [Parameter()] + [System.String[]] + $LocalesToInstall, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Full')] + $InstallProgressDisplayLevel, + + [Parameter()] + [System.Boolean] + $ShouldUninstallOlderVersionsOfOffice, + + [Parameter()] + [System.String] + $TargetVersion, + + [Parameter()] + [System.String] + $UpdateVersion, + + [Parameter()] + [System.Byte[]] + $OfficeConfigurationXml, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + 
[Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + # [Parameter()] + # [Microsoft.Management.Infrastructure.CimInstance] + # $LargeIcon, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $instance = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $Id ` + -ExpandProperty "categories" ` + -ErrorAction SilentlyContinue + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find an Intune Windows Office Suite App with Id {$Id}." 
+ + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $instance = Get-MgBetaDeviceAppManagementMobileApp ` + -Filter "(isof('microsoft.graph.officeSuiteApp') and displayName eq '$DisplayName')" ` + -ErrorAction SilentlyContinue + } + + if ($null -ne $instance) + { + $instance = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $instance.Id ` + -ExpandProperty "categories" ` + -ErrorAction SilentlyContinue + $Id = $instance.Id + } + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find an Intune Windows Office Suite App with DisplayName {$DisplayName} was found." + return $nullResult + } + + Write-Verbose "An Intune Windows Office Suite App with Id {$Id} and DisplayName {$DisplayName} was found." + + #region complex types + $complexCategories = @() + foreach ($category in $instance.Categories) + { + $myCategory = @{} + $myCategory.Add('Id', $category.id) + $myCategory.Add('DisplayName', $category.displayName) + $complexCategories += $myCategory + } + + $complexExcludedApps = @{} + if ($null -ne $instance.AdditionalProperties.excludedApps) + { + $instance.AdditionalProperties.excludedApps.GetEnumerator() | Foreach-Object { + $complexExcludedApps.Add($_.Key, $_.Value) + } + } + + # $complexLargeIcon = @{} + # if ($null -ne $instance.LargeIcon.Value) + # { + # $complexLargeIcon.Add('Value', [System.Convert]::ToBase64String($instance.LargeIcon.Value)) + # $complexLargeIcon.Add('Type', $instance.LargeIcon.Type) + # } + + $results = @{ + Id = $instance.Id + DisplayName = $instance.DisplayName + Description = $instance.Description + IsFeatured = $instance.IsFeatured + PrivacyInformationUrl = $instance.PrivacyInformationUrl + InformationUrl = $instance.InformationUrl + Notes = $instance.Notes + RoleScopeTagIds = $instance.RoleScopeTagIds + AutoAcceptEula = $instance.AdditionalProperties.autoAcceptEula + ProductIds = $instance.AdditionalProperties.productIds + UseSharedComputerActivation = 
$instance.AdditionalProperties.useSharedComputerActivation + UpdateChannel = $instance.AdditionalProperties.updateChannel + OfficeSuiteAppDefaultFileFormat = $instance.AdditionalProperties.officeSuiteAppDefaultFileFormat + OfficePlatformArchitecture = $instance.AdditionalProperties.officePlatformArchitecture + LocalesToInstall = $instance.AdditionalProperties.localesToInstall + InstallProgressDisplayLevel = $instance.AdditionalProperties.installProgressDisplayLevel + ShouldUninstallOlderVersionsOfOffice = $instance.AdditionalProperties.shouldUninstallOlderVersionsOfOffice + TargetVersion = $instance.AdditionalProperties.targetVersion + UpdateVersion = $instance.AdditionalProperties.updateVersion + OfficeConfigurationXml = $instance.AdditionalProperties.officeConfigurationXml + # LargeIcon = $complexLargeIcon + ExcludedApps = $complexExcludedApps + Categories = $complexCategories + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + #Assignments + $resultAssignments = @() + $appAssignments = Get-MgBetaDeviceAppManagementMobileAppAssignment -MobileAppId $instance.Id + if ($null -ne $appAssignments -and $appAssignments.count -gt 0) + { + $convertedAssignments = ConvertFrom-IntuneMobileAppAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($appAssignments) + + # Filter out 'source' from the assignment objects + foreach ($assignment in $convertedAssignments) { + if ($assignment.ContainsKey('source')) { + $assignment.Remove('source') + } + } + + $resultAssignments += $convertedAssignments + } + $results.Add('Assignments', $resultAssignments) + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source 
$($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $AutoAcceptEula, + + [Parameter()] + [System.String[]] + [ValidateSet('O365ProPlusRetail', 'O365BusinessRetail', 'VisioProRetail', 'ProjectProRetail')] + $ProductIds, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExcludedApps, + + [Parameter()] + [System.Boolean] + $UseSharedComputerActivation, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Current', 'Deferred', 'FirstReleaseCurrent', 'FirstReleaseDeferred', 'MonthlyEnterprise')] + $UpdateChannel, + + [Parameter()] + [System.String] + [ValidateSet('NotConfigured', 'OfficeOpenXMLFormat', 'OfficeOpenDocumentFormat', 'UnknownFutureValue')] + $OfficeSuiteAppDefaultFileFormat, + + [Parameter()] + [System.String] + [ValidateSet('None', 'X86', 'X64', 'Arm', 'Neutral', 'Arm64')] + $OfficePlatformArchitecture, + + [Parameter()] + [System.String[]] + $LocalesToInstall, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Full')] + $InstallProgressDisplayLevel, + + [Parameter()] + [System.Boolean] + $ShouldUninstallOlderVersionsOfOffice, + + [Parameter()] + [System.String] + $TargetVersion, + + [Parameter()] + [System.String] + $UpdateVersion, + + [Parameter()] + [System.Byte[]] + $OfficeConfigurationXml, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + 
[Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + # [Parameter()] + # [Microsoft.Management.Infrastructure.CimInstance] + # $LargeIcon, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Windows Office Suite App with DisplayName {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + + $CreateParameters = ([Hashtable]$BoundParameters).Clone() + $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters + $CreateParameters.Remove('Id') | Out-Null + $CreateParameters.Remove('Categories') | Out-Null + $CreateParameters.Add('Publisher', 'Microsoft') + $CreateParameters.Add('Developer', 'Microsoft') + $CreateParameters.Add('Owner', 'Microsoft') + + foreach ($key in ($CreateParameters.Clone()).Keys) + { + if 
($null -ne $CreateParameters.$key -and $CreateParameters.$key.GetType().Name -like '*CimInstance*') + { + $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key + } + } + + $CreateParameters.Add('@odata.type', '#microsoft.graph.officeSuiteApp') + $app = New-MgBetaDeviceAppManagementMobileApp -BodyParameter $CreateParameters + + foreach ($category in $Categories) + { + if ($category.Id) + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $category.Id + } + else + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -Filter "displayName eq '$($category.DisplayName)'" + } + + if ($null -eq $currentCategory) + { + throw "Mobile App Category with DisplayName $($category.DisplayName) not found." + } + + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($app.Id)/categories/`$ref" -Method 'POST' -Body @{ + '@odata.id' = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + } + } + + #Assignments + if ($app.Id) + { + $assignmentsHash = ConvertTo-IntuneMobileAppAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceAppManagementPolicyAssignment -AppManagementPolicyId $app.Id ` + -Assignments $assignmentsHash + } + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Host "Updating the Intune Windows Office Suite App with DisplayName {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + + $UpdateParameters = ([Hashtable]$BoundParameters).Clone() + $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters + $UpdateParameters.Remove('Id') | Out-Null + $UpdateParameters.Remove('Categories') | Out-Null + $UpdateParameters.Remove('OfficePlatformArchitecture') | Out-Null + + foreach ($key in ($UpdateParameters.Clone()).Keys) + { + if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.GetType().Name 
-like '*CimInstance*') + { + $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key + } + } + + $UpdateParameters.Add('@odata.type', '#microsoft.graph.officeSuiteApp') + Update-MgBetaDeviceAppManagementMobileApp -MobileAppId $currentInstance.Id -BodyParameter $UpdateParameters + + [array]$referenceObject = if ($null -ne $currentInstance.Categories.DisplayName) { $currentInstance.Categories.DisplayName } else { ,@() } + [array]$differenceObject = if ($null -ne $Categories.DisplayName) { $Categories.DisplayName } else { ,@() } + $delta = Compare-Object -ReferenceObject $referenceObject -DifferenceObject $differenceObject -PassThru + foreach ($diff in $delta) + { + if ($diff.SideIndicator -eq '=>') + { + $category = $Categories | Where-Object { $_.DisplayName -eq $diff } + if ($category.Id) + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $category.Id + } + else + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -Filter "displayName eq '$($category.DisplayName)'" + } + + if ($null -eq $currentCategory) + { + throw "Mobile App Category with DisplayName $($category.DisplayName) not found." 
+ } + + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($currentInstance.Id)/categories/`$ref" -Method 'POST' -Body @{ + '@odata.id' = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + } + } + else + { + $category = $currentInstance.Categories | Where-Object { $_.DisplayName -eq $diff } + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($currentInstance.Id)/categories/$($category.Id)/`$ref" -Method 'DELETE' + } + } + + #Assignments + $assignmentsHash = ConvertTo-IntuneMobileAppAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceAppManagementPolicyAssignment -AppManagementPolicyId $currentInstance.Id ` + -Assignments $assignmentsHash + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Host "Remove the Intune Windows Office Suite App with Id {$($currentInstance.Id)}" + Remove-MgBetaDeviceAppManagementMobileApp -MobileAppId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $AutoAcceptEula, + + [Parameter()] + [System.String[]] + [ValidateSet('O365ProPlusRetail', 'O365BusinessRetail', 'VisioProRetail', 'ProjectProRetail')] + $ProductIds, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExcludedApps, + + [Parameter()] + [System.Boolean] + $UseSharedComputerActivation, + + [Parameter()] + 
[System.String] + [ValidateSet('None', 'Current', 'Deferred', 'FirstReleaseCurrent', 'FirstReleaseDeferred', 'MonthlyEnterprise')] + $UpdateChannel, + + [Parameter()] + [System.String] + [ValidateSet('NotConfigured', 'OfficeOpenXMLFormat', 'OfficeOpenDocumentFormat', 'UnknownFutureValue')] + $OfficeSuiteAppDefaultFileFormat, + + [Parameter()] + [System.String] + [ValidateSet('None', 'X86', 'X64', 'Arm', 'Neutral', 'Arm64')] + $OfficePlatformArchitecture, + + [Parameter()] + [System.String[]] + $LocalesToInstall, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Full')] + $InstallProgressDisplayLevel, + + [Parameter()] + [System.Boolean] + $ShouldUninstallOlderVersionsOfOffice, + + [Parameter()] + [System.String] + $TargetVersion, + + [Parameter()] + [System.String] + $UpdateVersion, + + [Parameter()] + [System.Byte[]] + $OfficeConfigurationXml, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + # [Parameter()] + # [Microsoft.Management.Infrastructure.CimInstance] + # $LargeIcon, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Windows Suite App with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + # Prevent screen from filling up with the LargeIcon value + # Comparison will already be done because it's a CimInstance + # $CurrentValues.Remove('LargeIcon') | Out-Null + # $PSBoundParameters.Remove('LargeIcon') | Out-Null + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck.Remove('OfficePlatformArchitecture') | Out-Null # Cannot be changed after creation + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues 
$PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:getInstances = Get-MgBetaDeviceAppManagementMobileApp ` + -Filter "isof('microsoft.graph.officeSuiteApp')" ` + -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:getInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:getInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:getInstances.Count)] $displayedKey" -NoNewline + + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName 
+ Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + #region complex types + if ($null -ne $Results.Categories) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Categories ` + -CIMInstanceName 'DeviceManagementMobileAppCategory' + + if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.Categories = $complexTypeStringResult + } + else + { + $Results.Remove('Categories') | Out-Null + } + } + + if ($null -ne $Results.ExcludedApps) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ExcludedApps ` + -CIMInstanceName 'DeviceManagementMobileAppExcludedApp' + + if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ExcludedApps = $complexTypeStringResult + } + else + { + $Results.Remove('ExcludedApps') | Out-Null + } + } + + # if ($null -ne $Results.LargeIcon) + # { + # $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + # -ComplexObject $Results.LargeIcon ` + # -CIMInstanceName 'DeviceManagementMimeContent' + + # if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + # { + # $Results.LargeIcon = $complexTypeStringResult + # } + # else + # { + # $Results.Remove('LargeIcon') | Out-Null + # } + # } + + if ($null -ne $Results.Assignments) + { + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Assignments ` + -CIMInstanceName DeviceManagementMobileAppAssignment + + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } 
+ else + { + $Results.Remove('Assignments') | Out-Null + } + } + } + #endregion complex types + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + #region complex types + if ($null -ne $Results.Categories) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Categories' -IsCIMArray:$true + } + + if ($null -ne $Results.ExcludedApps) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ExcludedApps' -IsCIMArray:$false + } + + # if ($null -ne $Results.LargeIcon) + # { + # $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'LargeIcon' -IsCIMArray:$false + # } + + if ($null -ne $Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true + } + #endregion complex types + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.schema.mof new file mode 100644 index 0000000000..9d07d216db --- /dev/null 
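Review bot: In Get-TargetResource the OData filter `-Filter "(isof('microsoft.graph.officeSuiteApp') and displayName eq '$DisplayName')"` interpolates the display name unescaped, so a name containing a single quote yields a malformed or unintended filter; Set-TargetResource repeats the pattern in both `Get-MgBetaDeviceAppManagementMobileAppCategory -Filter "displayName eq '$($category.DisplayName)'"` calls. Double the quotes before interpolating, e.g. `$safeName = $DisplayName.Replace("'", "''")` and then `displayName eq '$safeName'`, and do the same for the category name. The `$OfficeConfigurationXml` parameter is declared `[System.Byte[]]` in all three *-TargetResource functions while the schema.mof added in this same commit declares it as a base64 `String`, so a configuration that sets it is likely to fail type conversion when DSC binds the string to the parameter; declaring it `[System.String]` in the module would match the schema (the value Get-TargetResource reads from `AdditionalProperties.officeConfigurationXml` is presumably already that base64 string, worth confirming). Separately, the verbose message `"Could not find an Intune Windows Office Suite App with DisplayName {$DisplayName} was found."` reads as a contradiction, and the update and remove branches of Set-TargetResource use `Write-Host` where the rest of the file reports progress through `Write-Verbose`.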
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.schema.mof 
@@ -0,0 +1,78 @@ +class MSFT_DeviceManagementMobileAppAssignment +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget", "#microsoft.graph.mobileAppAssignment"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget", "#microsoft.graph.mobileAppAssignment"}] String dataType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are: none, include, exclude."), ValueMap{"none", "include", "exclude"}, Values{"none", "include", "exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("Possible values for the install intent chosen by the admin."), ValueMap{"available", "required", "uninstall", "availableWithoutEnrollment"}, Values{"available", "required", "uninstall", "availableWithoutEnrollment"}] String intent; +}; + +class MSFT_DeviceManagementMimeContent +{ + [Write, Description("Indicates the type of content mime.")] String Type; + [Write, Description("The Base64 encoded string content.")] String Value; +}; + +class MSFT_DeviceManagementMobileAppCategory +{ + [Key, Description("The name of the app category.")] String DisplayName; + [Write, Description("The unique identifier for an entity. 
Read-only.")] String Id; +}; + +class MSFT_DeviceManagementMobileAppExcludedApp +{ + [Write, Description("Specifies whether to exclude Microsoft Office Access from the installation.")] Boolean Access; + [Write, Description("Specifies whether to exclude Microsoft Search (Bing) as the default from the installation.")] Boolean Bing; + [Write, Description("Specifies whether to exclude Microsoft Office Excel from the installation.")] Boolean Excel; + [Write, Description("Specifies whether to exclude Microsoft Office OneDrive for Business (Groove) from the installation.")] Boolean Groove; + [Write, Description("Specifies whether to exclude Microsoft Office InfoPath from the installation.")] Boolean InfoPath; + [Write, Description("Specifies whether to exclude Microsoft Office Skype for Business (Lync) from the installation.")] Boolean Lync; + [Write, Description("Specifies whether to exclude Microsoft Office OneDrive from the installation.")] Boolean OneDrive; + [Write, Description("Specifies whether to exclude Microsoft Office OneNote from the installation.")] Boolean OneNote; + [Write, Description("Specifies whether to exclude Microsoft Office Outlook from the installation.")] Boolean Outlook; + [Write, Description("Specifies whether to exclude Microsoft Office PowerPoint from the installation.")] Boolean PowerPoint; + [Write, Description("Specifies whether to exclude Microsoft Office Publisher from the installation.")] Boolean Publisher; + [Write, Description("Specifies whether to exclude Microsoft Office SharePoint Designer from the installation.")] Boolean SharePointDesigner; + [Write, Description("Specifies whether to exclude Microsoft Office Teams from the installation.")] Boolean Teams; + [Write, Description("Specifies whether to exclude Microsoft Office Visio from the installation.")] Boolean Visio; + [Write, Description("Specifies whether to exclude Microsoft Office Word from the installation.")] Boolean Word; +}; + +[ClassVersion("1.0.0"), 
FriendlyName("IntuneMobileAppsWindowsOfficeSuiteApp")] +class MSFT_IntuneMobileAppsWindowsOfficeSuiteApp : OMI_BaseResource +{ + [Key, Description("The admin provided or imported title of the app. Inherited from mobileApp.")] String DisplayName; + [Write, Description("The unique identifier for an entity. Read-only. Inherited from mobileApp object.")] String Id; + + [Write, Description("The description of the app. Inherited from mobileApp.")] String Description; + [Write, Description("The value indicating whether the app is marked as featured by the admin. Inherited from mobileApp.")] Boolean IsFeatured; + [Write, Description("The privacy statement Url. Inherited from mobileApp.")] String PrivacyInformationUrl; + [Write, Description("The InformationUrl of the app. Inherited from mobileApp.")] String InformationUrl; + [Write, Description("Notes for the app. Inherited from mobileApp.")] String Notes; + [Write, Description("List of Scope Tag IDs for mobile app.")] String RoleScopeTagIds[]; + [Write, Description("Specifies if the EULA is accepted automatically on the end user's device.")] Boolean AutoAcceptEula; + [Write, Description("The Product IDs that represent the Office 365 Suite SKU, such as 'O365ProPlusRetail' or 'VisioProRetail'.")] String ProductIds[]; + [Write, Description("Indicates whether shared computer activation is used for Office installations.")] Boolean UseSharedComputerActivation; + [Write, Description("Specifies the update channel for the Office 365 app suite, such as 'Current' or 'Deferred'.")] String UpdateChannel; + [Write, Description("Specifies the default file format type for Office apps, such as 'OfficeOpenXMLFormat' or 'OfficeOpenDocumentFormat'.")] String OfficeSuiteAppDefaultFileFormat; + [Write, Description("The architecture of the Office installation (e.g., 'X86', 'X64', or 'Arm64'). 
Cannot be changed after creation.")] String OfficePlatformArchitecture; + [Write, Description("Specifies the locales to be installed when the Office 365 apps are deployed. Uses the standard RFC 5646 format (e.g., 'en-US', 'fr-FR').")] String LocalesToInstall[]; + [Write, Description("Specifies the display level of the installation progress for Office apps. Use 'Full' to display the installation UI, or 'None' for a silent installation.")] String InstallProgressDisplayLevel; + [Write, Description("Indicates whether older versions of Office should be uninstalled when deploying the Office 365 app suite.")] Boolean ShouldUninstallOlderVersionsOfOffice; + [Write, Description("The specific target version of the Office 365 app suite to be deployed.")] String TargetVersion; + [Write, Description("The update version in which the target version is available for the Office 365 app suite.")] String UpdateVersion; + [Write, Description("A base64-encoded XML configuration file that specifies Office ProPlus installation settings. Takes precedence over all other properties. 
When present, this XML file will be used to create the app.")] String OfficeConfigurationXml; + [Write, Description("The list of categories for this app."), EmbeddedInstance("MSFT_DeviceManagementMobileAppCategory")] String Categories[]; + [Write, Description("The list of assignments for this app."), EmbeddedInstance("MSFT_DeviceManagementMobileAppAssignment")] String Assignments[]; + [Write, Description("The property that represents the apps excluded from the selected Office 365 Product ID."), EmbeddedInstance("MSFT_DeviceManagementMobileAppExcludedApp")] String ExcludedApps; + + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] String Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] String Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/readme.md new file mode 100644 index 0000000000..f35ec06360 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/readme.md 
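Review bot: `MSFT_DeviceManagementMimeContent` is declared but no property of `MSFT_IntuneMobileAppsWindowsOfficeSuiteApp` embeds it (the module in this commit has the `LargeIcon` parameter commented out), so it is dead schema; either drop the class or restore the `LargeIcon` property on both sides. The `ApplicationSecret` description `"Secret of the Azure Active Directory tenant used for authentication."` misattributes the secret, which belongs to the application registration, not the tenant; suggest `Description("Secret of the Azure Active Directory application used for authentication.")`.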
@@ -0,0 +1,6 @@ + +# IntuneMobileAppsWindowsOfficeSuiteApp + +## Description + +This resource configures an Intune mobile app of OfficeSuiteApp type for Windows devices. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json new file mode 100644 index 0000000000..a9bd04b5fa --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "IntuneMobileAppsWindowsOfficeSuiteApp", + "description": "This resource configures an Intune mobile app.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementApps.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementApps.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementApps.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementApps.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1 new file mode 100644 index 0000000000..9958ba28ca --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1 
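Review bot: The `description` value in the new settings.json is the generic `This resource configures an Intune mobile app.`, while the readme added in the same commit describes the resource as configuring an OfficeSuiteApp-type app for Windows devices; the two should agree, since the settings description presumably feeds generated resource documentation. Suggest `"description": "This resource configures an Intune mobile app of OfficeSuiteApp type for Windows devices.",`. The permission split (`DeviceManagementApps.Read.All` for read, `DeviceManagementApps.ReadWrite.All` for update, for both delegated and application) is the least-privilege shape expected here and needs no change.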
@@ -0,0 +1,1110 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Microsoft365 Apps For Enterprise with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings -ContainsDeviceAndUserSettings + + #region resource generator code + $complexDeviceSettings = @{} + $complexDeviceSettings.Add('Pol_SecGuide_A001_Block_Flash', $policySettings.DeviceSettings.pol_SecGuide_A001_Block_Flash) + $complexDeviceSettings.Add('Pol_SecGuide_Block_Flash', $policySettings.DeviceSettings.pol_SecGuide_Block_Flash) + $complexDeviceSettings.Add('Pol_SecGuide_Legacy_JScript', $policySettings.DeviceSettings.pol_SecGuide_Legacy_JScript) + $complexDeviceSettings.Add('POL_SG_powerpnt', $policySettings.DeviceSettings.pOL_SG_powerpnt) + $complexDeviceSettings.Add('POL_SG_onenote', $policySettings.DeviceSettings.pOL_SG_onenote) + $complexDeviceSettings.Add('POL_SG_mspub', $policySettings.DeviceSettings.pOL_SG_mspub) + $complexDeviceSettings.Add('POL_SG_msaccess', $policySettings.DeviceSettings.pOL_SG_msaccess) + $complexDeviceSettings.Add('POL_SG_winproj', $policySettings.DeviceSettings.pOL_SG_winproj) + $complexDeviceSettings.Add('POL_SG_visio', $policySettings.DeviceSettings.pOL_SG_visio) + $complexDeviceSettings.Add('POL_SG_outlook', $policySettings.DeviceSettings.pOL_SG_outlook) + $complexDeviceSettings.Add('POL_SG_winword', $policySettings.DeviceSettings.pOL_SG_winword) + $complexDeviceSettings.Add('POL_SG_excel', $policySettings.DeviceSettings.pOL_SG_excel) + $complexDeviceSettings.Add('L_PolicyEnableSIPHighSecurityMode', $policySettings.DeviceSettings.l_PolicyEnableSIPHighSecurityMode) + 
$complexDeviceSettings.Add('L_PolicyDisableHttpConnect', $policySettings.DeviceSettings.l_PolicyDisableHttpConnect) + $complexDeviceSettings.Add('L_AddonManagement', $policySettings.DeviceSettings.l_AddonManagement) + $complexDeviceSettings.Add('L_powerpntexe17', $policySettings.DeviceSettings.l_powerpntexe17) + $complexDeviceSettings.Add('L_excelexe15', $policySettings.DeviceSettings.l_excelexe15) + $complexDeviceSettings.Add('L_visioexe19', $policySettings.DeviceSettings.l_visioexe19) + $complexDeviceSettings.Add('L_onenoteexe26', $policySettings.DeviceSettings.l_onenoteexe26) + $complexDeviceSettings.Add('L_outlookexe22', $policySettings.DeviceSettings.l_outlookexe22) + $complexDeviceSettings.Add('L_pptviewexe18', $policySettings.DeviceSettings.l_pptviewexe18) + $complexDeviceSettings.Add('L_winwordexe21', $policySettings.DeviceSettings.l_winwordexe21) + $complexDeviceSettings.Add('L_exprwdexe24', $policySettings.DeviceSettings.l_exprwdexe24) + $complexDeviceSettings.Add('L_spdesignexe23', $policySettings.DeviceSettings.l_spdesignexe23) + $complexDeviceSettings.Add('L_winprojexe20', $policySettings.DeviceSettings.l_winprojexe20) + $complexDeviceSettings.Add('L_grooveexe14', $policySettings.DeviceSettings.l_grooveexe14) + $complexDeviceSettings.Add('L_mspubexe16', $policySettings.DeviceSettings.l_mspubexe16) + $complexDeviceSettings.Add('L_mse7exe27', $policySettings.DeviceSettings.l_mse7exe27) + $complexDeviceSettings.Add('L_msaccessexe25', $policySettings.DeviceSettings.l_msaccessexe25) + $complexDeviceSettings.Add('L_ConsistentMimeHandling', $policySettings.DeviceSettings.l_ConsistentMimeHandling) + $complexDeviceSettings.Add('L_excelexe43', $policySettings.DeviceSettings.l_excelexe43) + $complexDeviceSettings.Add('L_spdesignexe51', $policySettings.DeviceSettings.l_spdesignexe51) + $complexDeviceSettings.Add('L_onenoteexe54', $policySettings.DeviceSettings.l_onenoteexe54) + $complexDeviceSettings.Add('L_outlookexe50', 
$policySettings.DeviceSettings.l_outlookexe50) + $complexDeviceSettings.Add('L_pptviewexe46', $policySettings.DeviceSettings.l_pptviewexe46) + $complexDeviceSettings.Add('L_mspubexe44', $policySettings.DeviceSettings.l_mspubexe44) + $complexDeviceSettings.Add('L_visioexe47', $policySettings.DeviceSettings.l_visioexe47) + $complexDeviceSettings.Add('L_winprojexe48', $policySettings.DeviceSettings.l_winprojexe48) + $complexDeviceSettings.Add('L_msaccessexe53', $policySettings.DeviceSettings.l_msaccessexe53) + $complexDeviceSettings.Add('L_powerpntexe45', $policySettings.DeviceSettings.l_powerpntexe45) + $complexDeviceSettings.Add('L_grooveexe42', $policySettings.DeviceSettings.l_grooveexe42) + $complexDeviceSettings.Add('L_mse7exe55', $policySettings.DeviceSettings.l_mse7exe55) + $complexDeviceSettings.Add('L_winwordexe49', $policySettings.DeviceSettings.l_winwordexe49) + $complexDeviceSettings.Add('L_exprwdexe52', $policySettings.DeviceSettings.l_exprwdexe52) + $complexDeviceSettings.Add('L_Disableusernameandpassword', $policySettings.DeviceSettings.l_Disableusernameandpassword) + $complexDeviceSettings.Add('L_excelexe127', $policySettings.DeviceSettings.l_excelexe127) + $complexDeviceSettings.Add('L_grooveexe126', $policySettings.DeviceSettings.l_grooveexe126) + $complexDeviceSettings.Add('L_onenoteexe138', $policySettings.DeviceSettings.l_onenoteexe138) + $complexDeviceSettings.Add('L_mse7exe139', $policySettings.DeviceSettings.l_mse7exe139) + $complexDeviceSettings.Add('L_mspubexe128', $policySettings.DeviceSettings.l_mspubexe128) + $complexDeviceSettings.Add('L_visioexe131', $policySettings.DeviceSettings.l_visioexe131) + $complexDeviceSettings.Add('L_exprwdexe136', $policySettings.DeviceSettings.l_exprwdexe136) + $complexDeviceSettings.Add('L_msaccessexe137', $policySettings.DeviceSettings.l_msaccessexe137) + $complexDeviceSettings.Add('L_spdesignexe135', $policySettings.DeviceSettings.l_spdesignexe135) + $complexDeviceSettings.Add('L_winwordexe133', 
$policySettings.DeviceSettings.l_winwordexe133) + $complexDeviceSettings.Add('L_powerpntexe129', $policySettings.DeviceSettings.l_powerpntexe129) + $complexDeviceSettings.Add('L_outlookexe134', $policySettings.DeviceSettings.l_outlookexe134) + $complexDeviceSettings.Add('L_winprojexe132', $policySettings.DeviceSettings.l_winprojexe132) + $complexDeviceSettings.Add('L_pptviewexe130', $policySettings.DeviceSettings.l_pptviewexe130) + $complexDeviceSettings.Add('L_Informationbar', $policySettings.DeviceSettings.l_Informationbar) + $complexDeviceSettings.Add('L_excelexe113', $policySettings.DeviceSettings.l_excelexe113) + $complexDeviceSettings.Add('L_mspubexe114', $policySettings.DeviceSettings.l_mspubexe114) + $complexDeviceSettings.Add('L_msaccessexe123', $policySettings.DeviceSettings.l_msaccessexe123) + $complexDeviceSettings.Add('L_onenoteexe124', $policySettings.DeviceSettings.l_onenoteexe124) + $complexDeviceSettings.Add('L_outlookexe120', $policySettings.DeviceSettings.l_outlookexe120) + $complexDeviceSettings.Add('L_winprojexe118', $policySettings.DeviceSettings.l_winprojexe118) + $complexDeviceSettings.Add('L_powerpntexe115', $policySettings.DeviceSettings.l_powerpntexe115) + $complexDeviceSettings.Add('L_spdesignexe121', $policySettings.DeviceSettings.l_spdesignexe121) + $complexDeviceSettings.Add('L_grooveexe112', $policySettings.DeviceSettings.l_grooveexe112) + $complexDeviceSettings.Add('L_visioexe117', $policySettings.DeviceSettings.l_visioexe117) + $complexDeviceSettings.Add('L_mse7exe125', $policySettings.DeviceSettings.l_mse7exe125) + $complexDeviceSettings.Add('L_winwordexe119', $policySettings.DeviceSettings.l_winwordexe119) + $complexDeviceSettings.Add('L_exprwdexe122', $policySettings.DeviceSettings.l_exprwdexe122) + $complexDeviceSettings.Add('L_pptviewexe116', $policySettings.DeviceSettings.l_pptviewexe116) + $complexDeviceSettings.Add('L_LocalMachineZoneLockdownSecurity', $policySettings.DeviceSettings.l_LocalMachineZoneLockdownSecurity) + 
$complexDeviceSettings.Add('L_mse7exe41', $policySettings.DeviceSettings.l_mse7exe41) + $complexDeviceSettings.Add('L_powerpntexe31', $policySettings.DeviceSettings.l_powerpntexe31) + $complexDeviceSettings.Add('L_mspubexe30', $policySettings.DeviceSettings.l_mspubexe30) + $complexDeviceSettings.Add('L_outlookexe36', $policySettings.DeviceSettings.l_outlookexe36) + $complexDeviceSettings.Add('L_pptviewexe32', $policySettings.DeviceSettings.l_pptviewexe32) + $complexDeviceSettings.Add('L_excelexe29', $policySettings.DeviceSettings.l_excelexe29) + $complexDeviceSettings.Add('L_exprwdexe38', $policySettings.DeviceSettings.l_exprwdexe38) + $complexDeviceSettings.Add('L_grooveexe28', $policySettings.DeviceSettings.l_grooveexe28) + $complexDeviceSettings.Add('L_winwordexe35', $policySettings.DeviceSettings.l_winwordexe35) + $complexDeviceSettings.Add('L_msaccessexe39', $policySettings.DeviceSettings.l_msaccessexe39) + $complexDeviceSettings.Add('L_spdesignexe37', $policySettings.DeviceSettings.l_spdesignexe37) + $complexDeviceSettings.Add('L_visioexe33', $policySettings.DeviceSettings.l_visioexe33) + $complexDeviceSettings.Add('L_onenoteexe40', $policySettings.DeviceSettings.l_onenoteexe40) + $complexDeviceSettings.Add('L_winprojexe34', $policySettings.DeviceSettings.l_winprojexe34) + $complexDeviceSettings.Add('L_MimeSniffingSafetyFature', $policySettings.DeviceSettings.l_MimeSniffingSafetyFature) + $complexDeviceSettings.Add('L_powerpntexe59', $policySettings.DeviceSettings.l_powerpntexe59) + $complexDeviceSettings.Add('L_exprwdexe66', $policySettings.DeviceSettings.l_exprwdexe66) + $complexDeviceSettings.Add('L_grooveexe56', $policySettings.DeviceSettings.l_grooveexe56) + $complexDeviceSettings.Add('L_visioexe61', $policySettings.DeviceSettings.l_visioexe61) + $complexDeviceSettings.Add('L_outlookexe64', $policySettings.DeviceSettings.l_outlookexe64) + $complexDeviceSettings.Add('L_mspubexe58', $policySettings.DeviceSettings.l_mspubexe58) + 
$complexDeviceSettings.Add('L_mse7exe69', $policySettings.DeviceSettings.l_mse7exe69) + $complexDeviceSettings.Add('L_msaccessexe67', $policySettings.DeviceSettings.l_msaccessexe67) + $complexDeviceSettings.Add('L_pptviewexe60', $policySettings.DeviceSettings.l_pptviewexe60) + $complexDeviceSettings.Add('L_winprojexe62', $policySettings.DeviceSettings.l_winprojexe62) + $complexDeviceSettings.Add('L_spdesignexe65', $policySettings.DeviceSettings.l_spdesignexe65) + $complexDeviceSettings.Add('L_onenoteexe68', $policySettings.DeviceSettings.l_onenoteexe68) + $complexDeviceSettings.Add('L_winwordexe63', $policySettings.DeviceSettings.l_winwordexe63) + $complexDeviceSettings.Add('L_excelexe57', $policySettings.DeviceSettings.l_excelexe57) + $complexDeviceSettings.Add('L_NavigateURL', $policySettings.DeviceSettings.l_NavigateURL) + $complexDeviceSettings.Add('L_spdesignexe177', $policySettings.DeviceSettings.l_spdesignexe177) + $complexDeviceSettings.Add('L_onenoteexe180', $policySettings.DeviceSettings.l_onenoteexe180) + $complexDeviceSettings.Add('L_pptviewexe172', $policySettings.DeviceSettings.l_pptviewexe172) + $complexDeviceSettings.Add('L_outlookexe176', $policySettings.DeviceSettings.l_outlookexe176) + $complexDeviceSettings.Add('L_winprojexe174', $policySettings.DeviceSettings.l_winprojexe174) + $complexDeviceSettings.Add('L_msaccessexe179', $policySettings.DeviceSettings.l_msaccessexe179) + $complexDeviceSettings.Add('L_winwordexe175', $policySettings.DeviceSettings.l_winwordexe175) + $complexDeviceSettings.Add('L_excelexe169', $policySettings.DeviceSettings.l_excelexe169) + $complexDeviceSettings.Add('L_mspubexe170', $policySettings.DeviceSettings.l_mspubexe170) + $complexDeviceSettings.Add('L_exprwdexe178', $policySettings.DeviceSettings.l_exprwdexe178) + $complexDeviceSettings.Add('L_powerpntexe171', $policySettings.DeviceSettings.l_powerpntexe171) + $complexDeviceSettings.Add('L_visioexe173', $policySettings.DeviceSettings.l_visioexe173) + 
$complexDeviceSettings.Add('L_mse7exe181', $policySettings.DeviceSettings.l_mse7exe181) + $complexDeviceSettings.Add('L_grooveexe168', $policySettings.DeviceSettings.l_grooveexe168) + $complexDeviceSettings.Add('L_ObjectCachingProtection', $policySettings.DeviceSettings.l_ObjectCachingProtection) + $complexDeviceSettings.Add('L_winwordexe77', $policySettings.DeviceSettings.l_winwordexe77) + $complexDeviceSettings.Add('L_powerpntexe73', $policySettings.DeviceSettings.l_powerpntexe73) + $complexDeviceSettings.Add('L_spdesignexe79', $policySettings.DeviceSettings.l_spdesignexe79) + $complexDeviceSettings.Add('L_mse7exe83', $policySettings.DeviceSettings.l_mse7exe83) + $complexDeviceSettings.Add('L_mspubexe72', $policySettings.DeviceSettings.l_mspubexe72) + $complexDeviceSettings.Add('L_msaccessexe81', $policySettings.DeviceSettings.l_msaccessexe81) + $complexDeviceSettings.Add('L_onenoteexe82', $policySettings.DeviceSettings.l_onenoteexe82) + $complexDeviceSettings.Add('L_outlookexe78', $policySettings.DeviceSettings.l_outlookexe78) + $complexDeviceSettings.Add('L_grooveexe70', $policySettings.DeviceSettings.l_grooveexe70) + $complexDeviceSettings.Add('L_excelexe71', $policySettings.DeviceSettings.l_excelexe71) + $complexDeviceSettings.Add('L_visioexe75', $policySettings.DeviceSettings.l_visioexe75) + $complexDeviceSettings.Add('L_pptviewexe74', $policySettings.DeviceSettings.l_pptviewexe74) + $complexDeviceSettings.Add('L_winprojexe76', $policySettings.DeviceSettings.l_winprojexe76) + $complexDeviceSettings.Add('L_exprwdexe80', $policySettings.DeviceSettings.l_exprwdexe80) + $complexDeviceSettings.Add('L_ProtectionFromZoneElevation', $policySettings.DeviceSettings.l_ProtectionFromZoneElevation) + $complexDeviceSettings.Add('L_mspubexe100', $policySettings.DeviceSettings.l_mspubexe100) + $complexDeviceSettings.Add('L_visioexe103', $policySettings.DeviceSettings.l_visioexe103) + $complexDeviceSettings.Add('L_powerpntexe101', 
$policySettings.DeviceSettings.l_powerpntexe101) + $complexDeviceSettings.Add('L_excelexe99', $policySettings.DeviceSettings.l_excelexe99) + $complexDeviceSettings.Add('L_mse7exe111', $policySettings.DeviceSettings.l_mse7exe111) + $complexDeviceSettings.Add('L_winwordexe105', $policySettings.DeviceSettings.l_winwordexe105) + $complexDeviceSettings.Add('L_exprwdexe108', $policySettings.DeviceSettings.l_exprwdexe108) + $complexDeviceSettings.Add('L_msaccessexe109', $policySettings.DeviceSettings.l_msaccessexe109) + $complexDeviceSettings.Add('L_spdesignexe107', $policySettings.DeviceSettings.l_spdesignexe107) + $complexDeviceSettings.Add('L_onenoteexe110', $policySettings.DeviceSettings.l_onenoteexe110) + $complexDeviceSettings.Add('L_pptviewexe102', $policySettings.DeviceSettings.l_pptviewexe102) + $complexDeviceSettings.Add('L_winprojexe104', $policySettings.DeviceSettings.l_winprojexe104) + $complexDeviceSettings.Add('L_grooveexe98', $policySettings.DeviceSettings.l_grooveexe98) + $complexDeviceSettings.Add('L_outlookexe106', $policySettings.DeviceSettings.l_outlookexe106) + $complexDeviceSettings.Add('L_RestrictActiveXInstall', $policySettings.DeviceSettings.l_RestrictActiveXInstall) + $complexDeviceSettings.Add('L_mse7exe', $policySettings.DeviceSettings.l_mse7exe) + $complexDeviceSettings.Add('L_powerpntexe', $policySettings.DeviceSettings.l_powerpntexe) + $complexDeviceSettings.Add('L_spDesignexe', $policySettings.DeviceSettings.l_spDesignexe) + $complexDeviceSettings.Add('L_onenoteexe', $policySettings.DeviceSettings.l_onenoteexe) + $complexDeviceSettings.Add('L_excelexe', $policySettings.DeviceSettings.l_excelexe) + $complexDeviceSettings.Add('L_mspubexe', $policySettings.DeviceSettings.l_mspubexe) + $complexDeviceSettings.Add('L_visioexe', $policySettings.DeviceSettings.l_visioexe) + $complexDeviceSettings.Add('L_exprwdexe', $policySettings.DeviceSettings.l_exprwdexe) + $complexDeviceSettings.Add('L_outlookexe', $policySettings.DeviceSettings.l_outlookexe) 
+ $complexDeviceSettings.Add('L_pptviewexe', $policySettings.DeviceSettings.l_pptviewexe) + $complexDeviceSettings.Add('L_winprojexe', $policySettings.DeviceSettings.l_winprojexe) + $complexDeviceSettings.Add('L_winwordexe', $policySettings.DeviceSettings.l_winwordexe) + $complexDeviceSettings.Add('L_grooveexe', $policySettings.DeviceSettings.l_grooveexe) + $complexDeviceSettings.Add('L_msaccessexe', $policySettings.DeviceSettings.l_msaccessexe) + $complexDeviceSettings.Add('L_RestrictFileDownload', $policySettings.DeviceSettings.l_RestrictFileDownload) + $complexDeviceSettings.Add('L_visioexe5', $policySettings.DeviceSettings.l_visioexe5) + $complexDeviceSettings.Add('L_winprojexe6', $policySettings.DeviceSettings.l_winprojexe6) + $complexDeviceSettings.Add('L_msaccessexe11', $policySettings.DeviceSettings.l_msaccessexe11) + $complexDeviceSettings.Add('L_spdesignexe9', $policySettings.DeviceSettings.l_spdesignexe9) + $complexDeviceSettings.Add('L_excelexe1', $policySettings.DeviceSettings.l_excelexe1) + $complexDeviceSettings.Add('L_powerpntexe3', $policySettings.DeviceSettings.l_powerpntexe3) + $complexDeviceSettings.Add('L_mspubexe2', $policySettings.DeviceSettings.l_mspubexe2) + $complexDeviceSettings.Add('L_exprwdexe10', $policySettings.DeviceSettings.l_exprwdexe10) + $complexDeviceSettings.Add('L_outlookexe8', $policySettings.DeviceSettings.l_outlookexe8) + $complexDeviceSettings.Add('L_pptviewexe4', $policySettings.DeviceSettings.l_pptviewexe4) + $complexDeviceSettings.Add('L_winwordexe7', $policySettings.DeviceSettings.l_winwordexe7) + $complexDeviceSettings.Add('L_onenoteexe12', $policySettings.DeviceSettings.l_onenoteexe12) + $complexDeviceSettings.Add('L_mse7exe13', $policySettings.DeviceSettings.l_mse7exe13) + $complexDeviceSettings.Add('L_grooveexe0', $policySettings.DeviceSettings.l_grooveexe0) + $complexDeviceSettings.Add('L_SavedfromURL', $policySettings.DeviceSettings.l_SavedfromURL) + $complexDeviceSettings.Add('L_pptviewexe158', 
$policySettings.DeviceSettings.l_pptviewexe158) + $complexDeviceSettings.Add('L_exprwdexe164', $policySettings.DeviceSettings.l_exprwdexe164) + $complexDeviceSettings.Add('L_mse7exe167', $policySettings.DeviceSettings.l_mse7exe167) + $complexDeviceSettings.Add('L_spdesignexe163', $policySettings.DeviceSettings.l_spdesignexe163) + $complexDeviceSettings.Add('L_winprojexe160', $policySettings.DeviceSettings.l_winprojexe160) + $complexDeviceSettings.Add('L_mspubexe156', $policySettings.DeviceSettings.l_mspubexe156) + $complexDeviceSettings.Add('L_visioexe159', $policySettings.DeviceSettings.l_visioexe159) + $complexDeviceSettings.Add('L_winwordexe161', $policySettings.DeviceSettings.l_winwordexe161) + $complexDeviceSettings.Add('L_msaccessexe165', $policySettings.DeviceSettings.l_msaccessexe165) + $complexDeviceSettings.Add('L_onenoteexe166', $policySettings.DeviceSettings.l_onenoteexe166) + $complexDeviceSettings.Add('L_outlookexe162', $policySettings.DeviceSettings.l_outlookexe162) + $complexDeviceSettings.Add('L_grooveexe154', $policySettings.DeviceSettings.l_grooveexe154) + $complexDeviceSettings.Add('L_excelexe155', $policySettings.DeviceSettings.l_excelexe155) + $complexDeviceSettings.Add('L_powerpntexe157', $policySettings.DeviceSettings.l_powerpntexe157) + $complexDeviceSettings.Add('L_ScriptedWindowSecurityRestrictions', $policySettings.DeviceSettings.l_ScriptedWindowSecurityRestrictions) + $complexDeviceSettings.Add('L_exprwdexe94', $policySettings.DeviceSettings.l_exprwdexe94) + $complexDeviceSettings.Add('L_mse7exe97', $policySettings.DeviceSettings.l_mse7exe97) + $complexDeviceSettings.Add('L_mspubexe86', $policySettings.DeviceSettings.l_mspubexe86) + $complexDeviceSettings.Add('L_outlookexe92', $policySettings.DeviceSettings.l_outlookexe92) + $complexDeviceSettings.Add('L_msaccessexe95', $policySettings.DeviceSettings.l_msaccessexe95) + $complexDeviceSettings.Add('L_powerpntexe87', $policySettings.DeviceSettings.l_powerpntexe87) + 
$complexDeviceSettings.Add('L_grooveexe84', $policySettings.DeviceSettings.l_grooveexe84) + $complexDeviceSettings.Add('L_excelexe85', $policySettings.DeviceSettings.l_excelexe85) + $complexDeviceSettings.Add('L_pptviewexe88', $policySettings.DeviceSettings.l_pptviewexe88) + $complexDeviceSettings.Add('L_spdesignexe93', $policySettings.DeviceSettings.l_spdesignexe93) + $complexDeviceSettings.Add('L_visioexe89', $policySettings.DeviceSettings.l_visioexe89) + $complexDeviceSettings.Add('L_onenoteexe96', $policySettings.DeviceSettings.l_onenoteexe96) + $complexDeviceSettings.Add('L_winprojexe90', $policySettings.DeviceSettings.l_winprojexe90) + $complexDeviceSettings.Add('L_winwordexe91', $policySettings.DeviceSettings.l_winwordexe91) + if ($complexDeviceSettings.values.Where({$null -ne $_}).Count -eq 0) + { + $complexDeviceSettings = $null + } + $policySettings.Remove('DeviceSettings') | Out-Null + + $complexUserSettings = @{} + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_VBAWarningsPolicy) + 
$complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty) + $complexUserSettings.Add('L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks', $policySettings.UserSettings.l_Donotshowdataextractionoptionswhenopeningcorruptworkbooks) + $complexUserSettings.Add('L_Asktoupdateautomaticlinks', $policySettings.UserSettings.l_Asktoupdateautomaticlinks) + $complexUserSettings.Add('L_LoadpicturesfromWebpagesnotcreatedinExcel', $policySettings.UserSettings.l_LoadpicturesfromWebpagesnotcreatedinExcel) + $complexUserSettings.Add('L_DisableAutoRepublish', $policySettings.UserSettings.l_DisableAutoRepublish) + $complexUserSettings.Add('L_DoNotShowAutoRepublishWarningAlert', $policySettings.UserSettings.l_DoNotShowAutoRepublishWarningAlert) + $complexUserSettings.Add('L_Forcefileextenstionstomatch', $policySettings.UserSettings.l_Forcefileextenstionstomatch) + $complexUserSettings.Add('L_Forcefileextenstionstomatch_L_Empty', $policySettings.UserSettings.l_Forcefileextenstionstomatch_L_Empty) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedExcel', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedExcel) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedExcelDropID', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedExcelDropID) + $complexUserSettings.Add('L_BlockXLLFromInternet', $policySettings.UserSettings.l_BlockXLLFromInternet) + $complexUserSettings.Add('L_BlockXLLFromInternetEnum', $policySettings.UserSettings.l_BlockXLLFromInternetEnum) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', 
$policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('L_EnableBlockUnsecureQueryFiles', $policySettings.UserSettings.l_EnableBlockUnsecureQueryFiles) + $complexUserSettings.Add('L_DBaseIIIANDIVFiles', $policySettings.UserSettings.l_DBaseIIIANDIVFiles) + $complexUserSettings.Add('L_DBaseIIIANDIVFilesDropID', $policySettings.UserSettings.l_DBaseIIIANDIVFilesDropID) + $complexUserSettings.Add('L_DifAndSylkFiles', $policySettings.UserSettings.l_DifAndSylkFiles) + $complexUserSettings.Add('L_DifAndSylkFilesDropID', $policySettings.UserSettings.l_DifAndSylkFilesDropID) + $complexUserSettings.Add('L_Excel2MacrosheetsAndAddInFiles', $policySettings.UserSettings.l_Excel2MacrosheetsAndAddInFiles) + $complexUserSettings.Add('L_Excel2MacrosheetsAndAddInFilesDropID', $policySettings.UserSettings.l_Excel2MacrosheetsAndAddInFilesDropID) + $complexUserSettings.Add('L_Excel2Worksheets', $policySettings.UserSettings.l_Excel2Worksheets) + $complexUserSettings.Add('L_Excel2WorksheetsDropID', $policySettings.UserSettings.l_Excel2WorksheetsDropID) + $complexUserSettings.Add('L_Excel3MacrosheetsAndAddInFiles', $policySettings.UserSettings.l_Excel3MacrosheetsAndAddInFiles) + $complexUserSettings.Add('L_Excel3MacrosheetsAndAddInFilesDropID', $policySettings.UserSettings.l_Excel3MacrosheetsAndAddInFilesDropID) + $complexUserSettings.Add('L_Excel3Worksheets', $policySettings.UserSettings.l_Excel3Worksheets) + $complexUserSettings.Add('L_Excel3WorksheetsDropID', $policySettings.UserSettings.l_Excel3WorksheetsDropID) + $complexUserSettings.Add('L_Excel4MacrosheetsAndAddInFiles', $policySettings.UserSettings.l_Excel4MacrosheetsAndAddInFiles) + $complexUserSettings.Add('L_Excel4MacrosheetsAndAddInFilesDropID', $policySettings.UserSettings.l_Excel4MacrosheetsAndAddInFilesDropID) + $complexUserSettings.Add('L_Excel4Workbooks', $policySettings.UserSettings.l_Excel4Workbooks) + 
$complexUserSettings.Add('L_Excel4WorkbooksDropID', $policySettings.UserSettings.l_Excel4WorkbooksDropID) + $complexUserSettings.Add('L_Excel4Worksheets', $policySettings.UserSettings.l_Excel4Worksheets) + $complexUserSettings.Add('L_Excel4WorksheetsDropID', $policySettings.UserSettings.l_Excel4WorksheetsDropID) + $complexUserSettings.Add('L_Excel95Workbooks', $policySettings.UserSettings.l_Excel95Workbooks) + $complexUserSettings.Add('L_Excel95WorkbooksDropID', $policySettings.UserSettings.l_Excel95WorkbooksDropID) + $complexUserSettings.Add('L_Excel9597WorkbooksAndTemplates', $policySettings.UserSettings.l_Excel9597WorkbooksAndTemplates) + $complexUserSettings.Add('L_Excel9597WorkbooksAndTemplatesDropID', $policySettings.UserSettings.l_Excel9597WorkbooksAndTemplatesDropID) + $complexUserSettings.Add('L_Excel972003WorkbooksAndTemplates', $policySettings.UserSettings.l_Excel972003WorkbooksAndTemplates) + $complexUserSettings.Add('L_Excel972003WorkbooksAndTemplatesDropID', $policySettings.UserSettings.l_Excel972003WorkbooksAndTemplatesDropID) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID) + $complexUserSettings.Add('L_WebPagesAndExcel2003XMLSpreadsheets', $policySettings.UserSettings.l_WebPagesAndExcel2003XMLSpreadsheets) + $complexUserSettings.Add('L_WebPagesAndExcel2003XMLSpreadsheetsDropID', $policySettings.UserSettings.l_WebPagesAndExcel2003XMLSpreadsheetsDropID) + $complexUserSettings.Add('L_XL4KillSwitchPolicy', $policySettings.UserSettings.l_XL4KillSwitchPolicy) + $complexUserSettings.Add('L_EnableDataBaseFileProtectedView', 
$policySettings.UserSettings.l_EnableDataBaseFileProtectedView) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', 
$policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('L_empty4', $policySettings.UserSettings.l_empty4) + $complexUserSettings.Add('MicrosoftExcel_Security_L_TurnOffFileValidation', $policySettings.UserSettings.microsoftExcel_Security_L_TurnOffFileValidation) + $complexUserSettings.Add('L_WebContentWarningLevel', $policySettings.UserSettings.l_WebContentWarningLevel) + $complexUserSettings.Add('L_WebContentWarningLevelValue', $policySettings.UserSettings.l_WebContentWarningLevelValue) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicy', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicy) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyWord', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyWord) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyExcel', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyExcel) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyVisio', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyVisio) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyPublisher', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyPublisher) + 
$complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyOutlook', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyOutlook) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyProject', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyProject) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyAccess', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyAccess) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyInfoPath) + $complexUserSettings.Add('L_ActiveXControlInitialization', $policySettings.UserSettings.l_ActiveXControlInitialization) + $complexUserSettings.Add('L_ActiveXControlInitializationcolon', $policySettings.UserSettings.l_ActiveXControlInitializationcolon) + $complexUserSettings.Add('L_BasicAuthProxyBehavior', $policySettings.UserSettings.l_BasicAuthProxyBehavior) + $complexUserSettings.Add('L_AllowVbaIntranetRefs', $policySettings.UserSettings.l_AllowVbaIntranetRefs) + $complexUserSettings.Add('L_AutomationSecurity', $policySettings.UserSettings.l_AutomationSecurity) + $complexUserSettings.Add('L_SettheAutomationSecuritylevel', $policySettings.UserSettings.l_SettheAutomationSecuritylevel) + $complexUserSettings.Add('L_AuthenticationFBABehavior', $policySettings.UserSettings.l_AuthenticationFBABehavior) + $complexUserSettings.Add('L_AuthenticationFBAEnabledHostsID', $policySettings.UserSettings.l_AuthenticationFBAEnabledHostsID) + $complexUserSettings.Add('L_authenticationFBABehaviorEnum', $policySettings.UserSettings.l_authenticationFBABehaviorEnum) + $complexUserSettings.Add('L_DisableStrictVbaRefsSecurityPolicy', $policySettings.UserSettings.l_DisableStrictVbaRefsSecurityPolicy) + $complexUserSettings.Add('L_DisableallTrustBarnotificationsfor', 
$policySettings.UserSettings.l_DisableallTrustBarnotificationsfor) + $complexUserSettings.Add('L_Encryptiontypeforirm', $policySettings.UserSettings.l_Encryptiontypeforirm) + $complexUserSettings.Add('L_Encryptiontypeforirmcolon', $policySettings.UserSettings.l_Encryptiontypeforirmcolon) + $complexUserSettings.Add('L_Encryptiontypeforpasswordprotectedoffice972003', $policySettings.UserSettings.l_Encryptiontypeforpasswordprotectedoffice972003) + $complexUserSettings.Add('L_encryptiontypecolon318', $policySettings.UserSettings.l_encryptiontypecolon318) + $complexUserSettings.Add('L_Encryptiontypeforpasswordprotectedofficeopen', $policySettings.UserSettings.l_Encryptiontypeforpasswordprotectedofficeopen) + $complexUserSettings.Add('L_Encryptiontypecolon', $policySettings.UserSettings.l_Encryptiontypecolon) + $complexUserSettings.Add('L_LoadControlsinForms3', $policySettings.UserSettings.l_LoadControlsinForms3) + $complexUserSettings.Add('L_LoadControlsinForms3colon', $policySettings.UserSettings.l_LoadControlsinForms3colon) + $complexUserSettings.Add('L_MacroRuntimeScanScope', $policySettings.UserSettings.l_MacroRuntimeScanScope) + $complexUserSettings.Add('L_MacroRuntimeScanScopeEnum', $policySettings.UserSettings.l_MacroRuntimeScanScopeEnum) + $complexUserSettings.Add('L_Protectdocumentmetadataforrightsmanaged', $policySettings.UserSettings.l_Protectdocumentmetadataforrightsmanaged) + $complexUserSettings.Add('L_Allowmixofpolicyanduserlocations', $policySettings.UserSettings.l_Allowmixofpolicyanduserlocations) + $complexUserSettings.Add('L_DisabletheOfficeclientfrompolling', $policySettings.UserSettings.l_DisabletheOfficeclientfrompolling) + $complexUserSettings.Add('L_DisableSmartDocumentsuseofmanifests', $policySettings.UserSettings.l_DisableSmartDocumentsuseofmanifests) + $complexUserSettings.Add('L_OutlookSecurityMode', $policySettings.UserSettings.l_OutlookSecurityMode) + $complexUserSettings.Add('L_OOMAddressAccess', 
$policySettings.UserSettings.l_OOMAddressAccess) + $complexUserSettings.Add('L_OOMAddressAccess_Setting', $policySettings.UserSettings.l_OOMAddressAccess_Setting) + $complexUserSettings.Add('L_OOMMeetingTaskRequest', $policySettings.UserSettings.l_OOMMeetingTaskRequest) + $complexUserSettings.Add('L_OOMMeetingTaskRequest_Setting', $policySettings.UserSettings.l_OOMMeetingTaskRequest_Setting) + $complexUserSettings.Add('L_OOMSend', $policySettings.UserSettings.l_OOMSend) + $complexUserSettings.Add('L_OOMSend_Setting', $policySettings.UserSettings.l_OOMSend_Setting) + $complexUserSettings.Add('L_Preventusersfromcustomizingattachmentsecuritysettings', $policySettings.UserSettings.l_Preventusersfromcustomizingattachmentsecuritysettings) + $complexUserSettings.Add('L_RetrievingCRLsCertificateRevocationLists', $policySettings.UserSettings.l_RetrievingCRLsCertificateRevocationLists) + $complexUserSettings.Add('L_empty31', $policySettings.UserSettings.l_empty31) + $complexUserSettings.Add('L_OOMFormula', $policySettings.UserSettings.l_OOMFormula) + $complexUserSettings.Add('L_OOMFormula_Setting', $policySettings.UserSettings.l_OOMFormula_Setting) + $complexUserSettings.Add('L_AuthenticationwithExchangeServer', $policySettings.UserSettings.l_AuthenticationwithExchangeServer) + $complexUserSettings.Add('L_SelecttheauthenticationwithExchangeserver', $policySettings.UserSettings.l_SelecttheauthenticationwithExchangeserver) + $complexUserSettings.Add('L_EnableRPCEncryption', $policySettings.UserSettings.l_EnableRPCEncryption) + $complexUserSettings.Add('L_Enablelinksinemailmessages', $policySettings.UserSettings.l_Enablelinksinemailmessages) + $complexUserSettings.Add('L_OOMAddressBook', $policySettings.UserSettings.l_OOMAddressBook) + $complexUserSettings.Add('L_OOMAddressBook_Setting', $policySettings.UserSettings.l_OOMAddressBook_Setting) + $complexUserSettings.Add('L_OutlookSecurityPolicy', $policySettings.UserSettings.l_OutlookSecurityPolicy) + 
$complexUserSettings.Add('L_AllowUsersToLowerAttachments', $policySettings.UserSettings.l_AllowUsersToLowerAttachments) + $complexUserSettings.Add('L_AllowActiveXOneOffForms', $policySettings.UserSettings.l_AllowActiveXOneOffForms) + $complexUserSettings.Add('L_empty29', $policySettings.UserSettings.l_empty29) + $complexUserSettings.Add('L_EnableScriptsInOneOffForms', $policySettings.UserSettings.l_EnableScriptsInOneOffForms) + $complexUserSettings.Add('L_Level2RemoveFilePolicy', $policySettings.UserSettings.l_Level2RemoveFilePolicy) + $complexUserSettings.Add('L_removedextensions25', $policySettings.UserSettings.l_removedextensions25) + $complexUserSettings.Add('L_MSGUnicodeformatwhendraggingtofilesystem', $policySettings.UserSettings.l_MSGUnicodeformatwhendraggingtofilesystem) + $complexUserSettings.Add('L_OnExecuteCustomActionOOM', $policySettings.UserSettings.l_OnExecuteCustomActionOOM) + $complexUserSettings.Add('L_OnExecuteCustomActionOOM_Setting', $policySettings.UserSettings.l_OnExecuteCustomActionOOM_Setting) + $complexUserSettings.Add('L_DisableOutlookobjectmodelscriptsforpublicfolders', $policySettings.UserSettings.l_DisableOutlookobjectmodelscriptsforpublicfolders) + $complexUserSettings.Add('L_BlockInternet', $policySettings.UserSettings.l_BlockInternet) + $complexUserSettings.Add('L_SecurityLevelOutlook', $policySettings.UserSettings.l_SecurityLevelOutlook) + $complexUserSettings.Add('L_SecurityLevel', $policySettings.UserSettings.l_SecurityLevel) + $complexUserSettings.Add('L_Level1RemoveFilePolicy', $policySettings.UserSettings.l_Level1RemoveFilePolicy) + $complexUserSettings.Add('L_RemovedExtensions', $policySettings.UserSettings.l_RemovedExtensions) + $complexUserSettings.Add('L_SignatureWarning', $policySettings.UserSettings.l_SignatureWarning) + $complexUserSettings.Add('L_signaturewarning30', $policySettings.UserSettings.l_signaturewarning30) + $complexUserSettings.Add('L_Level1Attachments', $policySettings.UserSettings.l_Level1Attachments) + 
$complexUserSettings.Add('L_Minimumencryptionsettings', $policySettings.UserSettings.l_Minimumencryptionsettings) + $complexUserSettings.Add('L_Minimumkeysizeinbits', $policySettings.UserSettings.l_Minimumkeysizeinbits) + $complexUserSettings.Add('L_DisableOutlookobjectmodelscripts', $policySettings.UserSettings.l_DisableOutlookobjectmodelscripts) + $complexUserSettings.Add('L_OOMSaveAs', $policySettings.UserSettings.l_OOMSaveAs) + $complexUserSettings.Add('L_OOMSaveAs_Setting', $policySettings.UserSettings.l_OOMSaveAs_Setting) + $complexUserSettings.Add('L_JunkEmailprotectionlevel', $policySettings.UserSettings.l_JunkEmailprotectionlevel) + $complexUserSettings.Add('L_Selectlevel', $policySettings.UserSettings.l_Selectlevel) + $complexUserSettings.Add('L_RunPrograms', $policySettings.UserSettings.l_RunPrograms) + $complexUserSettings.Add('L_RunPrograms_L_Empty', $policySettings.UserSettings.l_RunPrograms_L_Empty) + $complexUserSettings.Add('L_Determinewhethertoforceencryptedppt', $policySettings.UserSettings.l_Determinewhethertoforceencryptedppt) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedpptDropID', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedpptDropID) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles', $policySettings.UserSettings.l_PowerPoint972003PresentationsShowsTemplatesandAddInFiles) + $complexUserSettings.Add('L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID', 
$policySettings.UserSettings.l_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID) + 
$complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('L_empty3', $policySettings.UserSettings.l_empty3) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_L_TurnOffFileValidation', $policySettings.UserSettings.microsoftPowerPoint_Security_L_TurnOffFileValidation) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', 
$policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty) + $complexUserSettings.Add('L_PublisherAutomationSecurityLevel', $policySettings.UserSettings.l_PublisherAutomationSecurityLevel) + $complexUserSettings.Add('L_PublisherAutomationSecurityLevel_L_Empty', $policySettings.UserSettings.l_PublisherAutomationSecurityLevel_L_Empty) + $complexUserSettings.Add('MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy', 
$policySettings.UserSettings.microsoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('L_empty0', $policySettings.UserSettings.l_empty0) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('L_Visio2000Files', $policySettings.UserSettings.l_Visio2000Files) + $complexUserSettings.Add('L_Visio2000FilesDropID', $policySettings.UserSettings.l_Visio2000FilesDropID) + $complexUserSettings.Add('L_Visio2003Files', $policySettings.UserSettings.l_Visio2003Files) + $complexUserSettings.Add('L_Visio2003FilesDropID', $policySettings.UserSettings.l_Visio2003FilesDropID) + $complexUserSettings.Add('L_Visio50AndEarlierFiles', $policySettings.UserSettings.l_Visio50AndEarlierFiles) + $complexUserSettings.Add('L_Visio50AndEarlierFilesDropID', $policySettings.UserSettings.l_Visio50AndEarlierFilesDropID) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy', 
$policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('L_AllowDDE', $policySettings.UserSettings.l_AllowDDE) + $complexUserSettings.Add('L_AllowDDEDropID', $policySettings.UserSettings.l_AllowDDEDropID) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior', $policySettings.UserSettings.microsoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID', $policySettings.UserSettings.microsoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID) + $complexUserSettings.Add('L_Word2AndEarlierBinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word2AndEarlierBinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word2AndEarlierBinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word2000BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word2000BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word2000BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word2000BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word2003BinaryDocumentsAndTemplates', 
$policySettings.UserSettings.l_Word2003BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word2003BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word2003BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word2007AndLaterBinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word2007AndLaterBinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word2007AndLaterBinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word6Pt0BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word6Pt0BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word6Pt0BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word6Pt0BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word95BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word95BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word95BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word95BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word97BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word97BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word97BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word97BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_WordXPBinaryDocumentsAndTemplates', $policySettings.UserSettings.l_WordXPBinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_WordXPBinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_WordXPBinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView) + 
$complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedWord', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedWord) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedWordDropID', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedWordDropID) + 
$complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_VBAWarningsPolicy)
+ $complexUserSettings.Add('L_empty19', $policySettings.UserSettings.l_empty19)
+ $complexUserSettings.Add('MicrosoftWord_Security_L_TurnOffFileValidation', $policySettings.UserSettings.microsoftWord_Security_L_TurnOffFileValidation)
+ $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork)
+ if ($complexUserSettings.values.Where({$null -ne $_}).Count -eq 0)
+ {
+ $complexUserSettings = $null
+ }
+ $policySettings.Remove('UserSettings') | Out-Null
+ #endregion
+
+ $results = @{
+ #region resource generator code
+ Description = $getValue.Description
+ DisplayName = $getValue.Name
+ RoleScopeTagIds = $getValue.RoleScopeTagIds
+ Id = $getValue.Id
+ DeviceSettings = $complexDeviceSettings
+ UserSettings = $complexUserSettings
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ #endregion
+ }
+ $results += $policySettings
+
+ $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id
+ $assignmentResult = @()
+ if ($assignmentsValues.Count -gt 0)
+ {
+ $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true
+ }
+ $results.Add('Assignments', $assignmentResult)
+
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DeviceSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UserSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ $templateReferenceId = '90316f12-246d-44c6-a767-f87692e86083_2'
+ $platforms = 'windows10'
+ $technologies = 'mdm'
+
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ Write-Verbose -Message "Creating an Intune Security Baseline Microsoft365 Apps For Enterprise with Name {$DisplayName}"
+ $BoundParameters.Remove("Assignments") | Out-Null
+
+ $settings = Get-IntuneSettingCatalogPolicySetting `
+ -DSCParams ([System.Collections.Hashtable]$BoundParameters) `
+ -TemplateId $templateReferenceId `
+ -ContainsDeviceAndUserSettings
+
+ $createParameters = @{
+ Name = $DisplayName
+ Description = $Description
+ TemplateReference = @{ templateId = $templateReferenceId }
+ Platforms = $platforms
+ Technologies = $technologies
+ Settings = $settings
+ }
+
+ #region resource generator code
+ $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters
+
+ if ($policy.Id)
+ {
+ $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $policy.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/configurationPolicies'
+ }
+ #endregion
+ }
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Updating the Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$($currentInstance.Id)}"
+
$BoundParameters.Remove("Assignments") | Out-Null
+
+ $settings = Get-IntuneSettingCatalogPolicySetting `
+ -DSCParams ([System.Collections.Hashtable]$BoundParameters) `
+ -TemplateId $templateReferenceId `
+ -ContainsDeviceAndUserSettings
+
+ Update-IntuneDeviceConfigurationPolicy `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Name $DisplayName `
+ -Description $Description `
+ -TemplateReferenceId $templateReferenceId `
+ -Platforms $platforms `
+ -Technologies $technologies `
+ -Settings $settings
+
+ #region resource generator code
+ $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/configurationPolicies'
+ #endregion
+ }
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Removing the Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$($currentInstance.Id)}"
+ #region resource generator code
+ Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id
+ #endregion
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DeviceSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UserSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+
[System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) 
-Verbose + + if (-not $testResult) + { + Write-Verbose "$key is different" -Verbose + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "90316f12-246d-44c6-a767-f87692e86083_2" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.DeviceSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.DeviceSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise' + if (-not 
[String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.DeviceSettings = $complexTypeStringResult + } + else + { + $Results.Remove('DeviceSettings') | Out-Null + } + } + if ($null -ne $Results.UserSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.UserSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.UserSettings = $complexTypeStringResult + } + else + { + $Results.Remove('UserSettings') | Out-Null + } + } + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.DeviceSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "DeviceSettings" -IsCIMArray:$False + } + if ($Results.UserSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserSettings" -IsCIMArray:$False + } + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry 
-Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.schema.mof new file mode 100644 index 0000000000..a7811bfc7d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.schema.mof 
@@ -0,0 +1,476 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise +{ + [Write, Description("Block Flash activation in Office documents (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_A001_Block_Flash; + [Write, Description("Block Flash player in Office (Device) - Depends on Pol_SecGuide_A001_Block_Flash (block all flash activation: Block all activation, block embedded flash activation only: Block embedding/linking, allow other activation, allow all flash 
activation: Allow all activation)"), ValueMap{"block all flash activation", "block embedded flash activation only", "allow all flash activation"}, Values{"block all flash activation", "block embedded flash activation only", "allow all flash activation"}] String Pol_SecGuide_Block_Flash; + [Write, Description("Restrict legacy JScript execution for Office (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_Legacy_JScript; + [Write, Description("PowerPoint: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_powerpnt; + [Write, Description("OneNote: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_onenote; + [Write, Description("Publisher: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_mspub; + [Write, Description("Access: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_msaccess; + [Write, Description("Project: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_winproj; + [Write, Description("Visio: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_visio; + [Write, Description("Outlook: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_outlook; + [Write, Description("Word: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_winword; + [Write, Description("Excel: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_excel; + [Write, Description("Configure SIP security mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_PolicyEnableSIPHighSecurityMode; + [Write, Description("Disable HTTP fallback for SIP connection (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_PolicyDisableHttpConnect; + [Write, Description("Add-on Management (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AddonManagement; + [Write, Description("powerpnt.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", 
"1"}, Values{"0", "1"}] String L_powerpntexe17; + [Write, Description("excel.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe15; + [Write, Description("visio.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe19; + [Write, Description("onent.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe26; + [Write, Description("outlook.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe22; + [Write, Description("pptview.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe18; + [Write, Description("winword.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe21; + [Write, Description("exprwd.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe24; + [Write, Description("spDesign.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe23; + [Write, Description("winproj.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe20; + [Write, Description("groove.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe14; + [Write, Description("mspub.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe16; + [Write, Description("mse7.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe27; + [Write, Description("msaccess.exe (Device) - Depends on 
L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe25; + [Write, Description("Consistent Mime Handling (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ConsistentMimeHandling; + [Write, Description("excel.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe43; + [Write, Description("spDesign.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe51; + [Write, Description("onent.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe54; + [Write, Description("outlook.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe50; + [Write, Description("pptview.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe46; + [Write, Description("mspub.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe44; + [Write, Description("visio.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe47; + [Write, Description("winproj.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe48; + [Write, Description("msaccess.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe53; + [Write, Description("powerpnt.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe45; + [Write, Description("groove.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: 
True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe42; + [Write, Description("mse7.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe55; + [Write, Description("winword.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe49; + [Write, Description("exprwd.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe52; + [Write, Description("Disable user name and password (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Disableusernameandpassword; + [Write, Description("excel.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe127; + [Write, Description("groove.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe126; + [Write, Description("onent.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe138; + [Write, Description("mse7.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe139; + [Write, Description("mspub.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe128; + [Write, Description("visio.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe131; + [Write, Description("exprwd.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe136; + [Write, Description("msaccess.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), 
ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe137; + [Write, Description("spDesign.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe135; + [Write, Description("winword.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe133; + [Write, Description("powerpnt.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe129; + [Write, Description("outlook.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe134; + [Write, Description("winproj.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe132; + [Write, Description("pptview.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe130; + [Write, Description("Information Bar (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Informationbar; + [Write, Description("excel.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe113; + [Write, Description("mspub.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe114; + [Write, Description("msaccess.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe123; + [Write, Description("onent.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe124; + [Write, Description("outlook.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String 
L_outlookexe120; + [Write, Description("winproj.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe118; + [Write, Description("powerpnt.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe115; + [Write, Description("spDesign.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe121; + [Write, Description("groove.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe112; + [Write, Description("visio.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe117; + [Write, Description("mse7.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe125; + [Write, Description("winword.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe119; + [Write, Description("exprwd.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe122; + [Write, Description("pptview.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe116; + [Write, Description("Local Machine Zone Lockdown Security (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_LocalMachineZoneLockdownSecurity; + [Write, Description("mse7.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe41; + [Write, Description("powerpnt.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe31; + [Write, Description("mspub.exe (Device) - 
Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe30; + [Write, Description("outlook.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe36; + [Write, Description("pptview.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe32; + [Write, Description("excel.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe29; + [Write, Description("exprwd.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe38; + [Write, Description("groove.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe28; + [Write, Description("winword.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe35; + [Write, Description("msaccess.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe39; + [Write, Description("spDesign.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe37; + [Write, Description("visio.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe33; + [Write, Description("onent.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe40; + [Write, Description("winproj.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), 
ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe34; + [Write, Description("Mime Sniffing Safety Feature (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_MimeSniffingSafetyFature; + [Write, Description("powerpnt.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe59; + [Write, Description("exprwd.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe66; + [Write, Description("groove.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe56; + [Write, Description("visio.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe61; + [Write, Description("outlook.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe64; + [Write, Description("mspub.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe58; + [Write, Description("mse7.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe69; + [Write, Description("msaccess.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe67; + [Write, Description("pptview.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe60; + [Write, Description("winproj.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe62; + [Write, Description("spDesign.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), 
ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe65; + [Write, Description("onent.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe68; + [Write, Description("winword.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe63; + [Write, Description("excel.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe57; + [Write, Description("Navigate URL (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NavigateURL; + [Write, Description("spDesign.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe177; + [Write, Description("onent.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe180; + [Write, Description("pptview.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe172; + [Write, Description("outlook.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe176; + [Write, Description("winproj.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe174; + [Write, Description("msaccess.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe179; + [Write, Description("winword.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe175; + [Write, Description("excel.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe169; + [Write, Description("mspub.exe (Device) - Depends on L_NavigateURL 
(0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe170; + [Write, Description("exprwd.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe178; + [Write, Description("powerpnt.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe171; + [Write, Description("visio.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe173; + [Write, Description("mse7.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe181; + [Write, Description("groove.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe168; + [Write, Description("Object Caching Protection (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ObjectCachingProtection; + [Write, Description("winword.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe77; + [Write, Description("powerpnt.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe73; + [Write, Description("spDesign.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe79; + [Write, Description("mse7.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe83; + [Write, Description("mspub.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe72; + [Write, Description("msaccess.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe81; 
+ [Write, Description("onent.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe82; + [Write, Description("outlook.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe78; + [Write, Description("groove.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe70; + [Write, Description("excel.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe71; + [Write, Description("visio.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe75; + [Write, Description("pptview.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe74; + [Write, Description("winproj.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe76; + [Write, Description("exprwd.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe80; + [Write, Description("Protection From Zone Elevation (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ProtectionFromZoneElevation; + [Write, Description("mspub.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe100; + [Write, Description("visio.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe103; + [Write, Description("powerpnt.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe101; + 
[Write, Description("excel.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe99; + [Write, Description("mse7.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe111; + [Write, Description("winword.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe105; + [Write, Description("exprwd.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe108; + [Write, Description("msaccess.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe109; + [Write, Description("spDesign.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe107; + [Write, Description("onent.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe110; + [Write, Description("pptview.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe102; + [Write, Description("winproj.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe104; + [Write, Description("groove.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe98; + [Write, Description("outlook.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe106; + [Write, Description("Restrict ActiveX Install (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String 
L_RestrictActiveXInstall; + [Write, Description("mse7.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe; + [Write, Description("powerpnt.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe; + [Write, Description("spDesign.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spDesignexe; + [Write, Description("onent.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe; + [Write, Description("excel.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe; + [Write, Description("mspub.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe; + [Write, Description("visio.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe; + [Write, Description("exprwd.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe; + [Write, Description("outlook.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe; + [Write, Description("pptview.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe; + [Write, Description("winproj.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe; + [Write, Description("winword.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe; + [Write, 
Description("groove.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe; + [Write, Description("msaccess.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe; + [Write, Description("Restrict File Download (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_RestrictFileDownload; + [Write, Description("visio.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe5; + [Write, Description("winproj.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe6; + [Write, Description("msaccess.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe11; + [Write, Description("spDesign.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe9; + [Write, Description("excel.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe1; + [Write, Description("powerpnt.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe3; + [Write, Description("mspub.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe2; + [Write, Description("exprwd.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe10; + [Write, Description("outlook.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe8; + [Write, Description("pptview.exe (Device) - Depends on 
L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe4; + [Write, Description("winword.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe7; + [Write, Description("onent.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe12; + [Write, Description("mse7.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe13; + [Write, Description("groove.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe0; + [Write, Description("Saved from URL (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_SavedfromURL; + [Write, Description("pptview.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe158; + [Write, Description("exprwd.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe164; + [Write, Description("mse7.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe167; + [Write, Description("spDesign.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe163; + [Write, Description("winproj.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe160; + [Write, Description("mspub.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe156; + [Write, Description("visio.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe159; + [Write, Description("winword.exe 
(Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe161; + [Write, Description("msaccess.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe165; + [Write, Description("onent.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe166; + [Write, Description("outlook.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe162; + [Write, Description("groove.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe154; + [Write, Description("excel.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe155; + [Write, Description("powerpnt.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe157; + [Write, Description("Scripted Window Security Restrictions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ScriptedWindowSecurityRestrictions; + [Write, Description("exprwd.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe94; + [Write, Description("mse7.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe97; + [Write, Description("mspub.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe86; + [Write, Description("outlook.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe92; + [Write, Description("msaccess.exe (Device) - Depends on 
L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe95; + [Write, Description("powerpnt.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe87; + [Write, Description("groove.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe84; + [Write, Description("excel.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe85; + [Write, Description("pptview.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe88; + [Write, Description("spDesign.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe93; + [Write, Description("visio.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe89; + [Write, Description("onent.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe96; + [Write, Description("winproj.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe90; + [Write, Description("winword.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe91; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise +{ + [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", 
"1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty; + [Write, Description("Do not show data extraction options when opening corrupt workbooks (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks; + [Write, Description("Ask to update automatic links (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Asktoupdateautomaticlinks; + [Write, Description("Load pictures from Web pages not created in Excel (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String 
L_LoadpicturesfromWebpagesnotcreatedinExcel; + [Write, Description("Disable AutoRepublish (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableAutoRepublish; + [Write, Description("Do not show AutoRepublish warning alert (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DoNotShowAutoRepublishWarningAlert; + [Write, Description("Force file extension to match file type (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Forcefileextenstionstomatch; + [Write, Description(" - Depends on L_Forcefileextenstionstomatch (0: Allow different, 1: Allow different, but warn, 2: Always match file type)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_Forcefileextenstionstomatch_L_Empty; + [Write, Description("Scan encrypted macros in Excel Open XML workbooks (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DeterminewhethertoforceencryptedExcel; + [Write, Description(" - Depends on L_DeterminewhethertoforceencryptedExcel (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_DeterminewhethertoforceencryptedExcelDropID; + [Write, Description("Block Excel XLL Add-ins that come from an untrusted source (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_BlockXLLFromInternet; + [Write, Description(" - Depends on L_BlockXLLFromInternet (1: Block, 0: Show Additional Warning, 2: Allow)"), ValueMap{"1", "0", "2"}, Values{"1", "0", "2"}] String L_BlockXLLFromInternetEnum; + [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block 
them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("Always prevent untrusted Microsoft Query files from opening (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_EnableBlockUnsecureQueryFiles; + [Write, Description("dBase III / IV files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DBaseIIIANDIVFiles; + [Write, Description("File block setting: (User) - Depends on L_DBaseIIIANDIVFiles (0: Do not block, 2: Open/Save blocked, use open policy)"), ValueMap{"0", "2"}, Values{"0", "2"}] String L_DBaseIIIANDIVFilesDropID; + [Write, Description("Dif and Sylk files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DifAndSylkFiles; + [Write, Description("File block setting: (User) - Depends on L_DifAndSylkFiles (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_DifAndSylkFilesDropID; + [Write, Description("Excel 2 macrosheets and add-in files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel2MacrosheetsAndAddInFiles; + [Write, Description("File block setting: (User) - Depends on L_Excel2MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel2MacrosheetsAndAddInFilesDropID; + [Write, Description("Excel 2 worksheets (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel2Worksheets; + [Write, Description("File block setting: (User) - Depends on L_Excel2Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in 
Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel2WorksheetsDropID; + [Write, Description("Excel 3 macrosheets and add-in files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel3MacrosheetsAndAddInFiles; + [Write, Description("File block setting: (User) - Depends on L_Excel3MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel3MacrosheetsAndAddInFilesDropID; + [Write, Description("Excel 3 worksheets (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel3Worksheets; + [Write, Description("File block setting: (User) - Depends on L_Excel3Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel3WorksheetsDropID; + [Write, Description("Excel 4 macrosheets and add-in files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel4MacrosheetsAndAddInFiles; + [Write, Description("File block setting: (User) - Depends on L_Excel4MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel4MacrosheetsAndAddInFilesDropID; + [Write, Description("Excel 4 workbooks (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel4Workbooks; + [Write, Description("File block setting: (User) - Depends on L_Excel4Workbooks (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected 
View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel4WorkbooksDropID; + [Write, Description("Excel 4 worksheets (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel4Worksheets; + [Write, Description("File block setting: (User) - Depends on L_Excel4Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel4WorksheetsDropID; + [Write, Description("Excel 95 workbooks (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel95Workbooks; + [Write, Description("File block setting: (User) - Depends on L_Excel95Workbooks (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_Excel95WorkbooksDropID; + [Write, Description("Excel 95-97 workbooks and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel9597WorkbooksAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Excel9597WorkbooksAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel9597WorkbooksAndTemplatesDropID; + [Write, Description("Excel 97-2003 workbooks and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel972003WorkbooksAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Excel972003WorkbooksAndTemplates (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow 
editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_Excel972003WorkbooksAndTemplatesDropID; + [Write, Description("Set default file block behavior (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior; + [Write, Description(" - Depends on MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID; + [Write, Description("Web pages and Excel 2003 XML spreadsheets (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_WebPagesAndExcel2003XMLSpreadsheets; + [Write, Description("File block setting: (User) - Depends on L_WebPagesAndExcel2003XMLSpreadsheets (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_WebPagesAndExcel2003XMLSpreadsheetsDropID; + [Write, Description("Prevent Excel from running XLM macros (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_XL4KillSwitchPolicy; + [Write, Description("Always open untrusted database files in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_EnableDataBaseFileProtectedView; + [Write, Description("Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String 
MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView; + [Write, Description("Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView; + [Write, Description("Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails; + [Write, Description("Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3; + [Write, Description(" - Depends on MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID; + [Write, Description("Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: 
Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2; + [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable VBA macros with notification, 3: Disable VBA macros except digitally signed macros, 4: Disable VBA macros without notification, 1: Enable VBA macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String L_empty4; + [Write, Description("Turn off file validation (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_L_TurnOffFileValidation; + [Write, Description("WEBSERVICE Function Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_WebContentWarningLevel; + [Write, Description(" - Depends on L_WebContentWarningLevel (0: Enable all WEBSERVICE functions (not recommended), 1: Disable all with notification, 2: Disable all without notification)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_WebContentWarningLevelValue; + [Write, Description("Disable UI extending from documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicy; + [Write, Description("Disallow in Word (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyWord; + [Write, 
Description("Disallow in Excel (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyExcel; + [Write, Description("Disallow in Visio (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyVisio; + [Write, Description("Disallow in PowerPoint (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint; + [Write, Description("Disallow in Publisher (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyPublisher; + [Write, Description("Disallow in Outlook (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyOutlook; + [Write, Description("Disallow in Project (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyProject; + [Write, Description("Disallow in Access (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyAccess; + [Write, Description("Disallow in InfoPath (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath; + [Write, Description("ActiveX Control Initialization (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, 
Values{"0", "1"}] String L_ActiveXControlInitialization;
+ [Write, Description("ActiveX Control Initialization: (User) - Depends on L_ActiveXControlInitialization (1: 1, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6)"), ValueMap{"1", "2", "3", "4", "5", "6"}, Values{"1", "2", "3", "4", "5", "6"}] String L_ActiveXControlInitializationcolon;
+ [Write, Description("Allow Basic Authentication prompts from network proxies (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_BasicAuthProxyBehavior;
+ [Write, Description("Allow VBA to load typelib references by path from untrusted intranet locations (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AllowVbaIntranetRefs;
+ [Write, Description("Automation Security (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AutomationSecurity;
+ [Write, Description("Set the Automation Security level (User) - Depends on L_AutomationSecurity (3: Disable macros by default, 2: Use application macro security level, 1: Macros enabled (default))"), ValueMap{"3", "2", "1"}, Values{"3", "2", "1"}] String L_SettheAutomationSecuritylevel;
+ [Write, Description("Control how Office handles form-based sign-in prompts (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AuthenticationFBABehavior;
+ [Write, Description("Specify hosts allowed to show form-based sign-in prompts to users: (User) - Depends on L_AuthenticationFBABehavior")] String L_AuthenticationFBAEnabledHostsID;
+ [Write, Description("Behavior: (User) - Depends on L_AuthenticationFBABehavior (1: Block all prompts, 2: Ask the user what to do for each new host, 3: Show prompts only from allowed hosts)"), ValueMap{"1", "2", "3"}, Values{"1", "2", "3"}] String L_authenticationFBABehaviorEnum;
+ [Write, Description("Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableStrictVbaRefsSecurityPolicy;
+ [Write, Description("Disable all Trust Bar notifications for security issues (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableallTrustBarnotificationsfor;
+ [Write, Description("Encryption mode for Information Rights Management (IRM) (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Encryptiontypeforirm;
+ [Write, Description("IRM Encryption Mode: (User) - Depends on L_Encryptiontypeforirm (1: Cipher Block Chaining (CBC), 2: Electronic Codebook (ECB))"), ValueMap{"1", "2"}, Values{"1", "2"}] String L_Encryptiontypeforirmcolon;
+ [Write, Description("Encryption type for password protected Office 97-2003 files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Encryptiontypeforpasswordprotectedoffice972003;
+ [Write, Description("Encryption type: (User) - Depends on L_Encryptiontypeforpasswordprotectedoffice972003")] String L_encryptiontypecolon318;
+ [Write, Description("Encryption type for password protected Office Open XML files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Encryptiontypeforpasswordprotectedofficeopen;
+ [Write, Description("Encryption type: (User) - Depends on L_Encryptiontypeforpasswordprotectedofficeopen")] String L_Encryptiontypecolon;
+ [Write, Description("Load Controls in Forms3 (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_LoadControlsinForms3;
+ [Write, Description("Load Controls in Forms3: (User) - Depends on L_LoadControlsinForms3 (1: 1, 2: 2, 3: 3, 4: 4)"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] String L_LoadControlsinForms3colon;
+ [Write, Description("Macro Runtime Scan Scope (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_MacroRuntimeScanScope;
+ [Write, Description(" - Depends on L_MacroRuntimeScanScope (0: Disable for all documents, 1: Enable for low trust documents, 2: Enable for all documents)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_MacroRuntimeScanScopeEnum;
+ [Write, Description("Protect document metadata for rights managed Office Open XML Files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Protectdocumentmetadataforrightsmanaged;
+ [Write, Description("Allow mix of policy and user locations (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Allowmixofpolicyanduserlocations;
+ [Write, Description("Disable the Office client from polling the SharePoint Server for published links (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisabletheOfficeclientfrompolling;
+ [Write, Description("Disable Smart Document's use of manifests (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableSmartDocumentsuseofmanifests;
+ [Write, Description("Outlook Security Mode (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OutlookSecurityMode;
+ [Write, Description("Configure Outlook object model prompt when reading address information (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMAddressAccess;
+ [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMAddressAccess_Setting;
+ [Write, Description("Configure Outlook object model prompt when responding to meeting and task requests (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMMeetingTaskRequest;
+ [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMMeetingTaskRequest_Setting;
+ [Write, Description("Configure Outlook object model prompt when sending mail (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMSend;
+ [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMSend_Setting;
+ [Write, Description("Prevent users from customizing attachment security settings (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Preventusersfromcustomizingattachmentsecuritysettings;
+ [Write, Description("Retrieving CRLs (Certificate Revocation Lists) (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_RetrievingCRLsCertificateRevocationLists;
+ [Write, Description(" (0: Use system Default, 1: When online always retreive the CRL, 2: Never retreive the CRL)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_empty31;
+ [Write, Description("Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMFormula;
+ [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMFormula_Setting;
+ [Write, Description("Authentication with Exchange Server (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AuthenticationwithExchangeServer;
+ [Write, Description("Select the authentication with Exchange server. (User) (9: Kerberos/NTLM Password Authentication, 16: Kerberos Password Authentication, 10: NTLM Password Authentication, 2147545088: Insert a smart card)"), ValueMap{"9", "16", "10", "2147545088"}, Values{"9", "16", "10", "2147545088"}] String L_SelecttheauthenticationwithExchangeserver;
+ [Write, Description("Enable RPC encryption (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_EnableRPCEncryption;
+ [Write, Description("Allow hyperlinks in suspected phishing e-mail messages (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Enablelinksinemailmessages;
+ [Write, Description("Configure Outlook object model prompt when accessing an address book (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMAddressBook;
+ [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMAddressBook_Setting;
+ [Write, Description("Outlook Security Policy: (User) - Depends on L_OutlookSecurityMode (0: Outlook Default Security, 1: Use Security Form from 'Outlook Security Settings' Public Folder, 2: Use Security Form from 'Outlook 10 Security Settings' Public Folder, 3: Use Outlook Security Group Policy)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String L_OutlookSecurityPolicy;
+ [Write, Description("Allow users to demote attachments to Level 2 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AllowUsersToLowerAttachments;
+ [Write, Description("Allow Active X One Off Forms (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AllowActiveXOneOffForms;
+ [Write, Description("Sets which ActiveX controls to allow. (0: Load only Outlook Controls, 1: Allows only Safe Controls, 2: Allows all ActiveX Controls)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_empty29;
+ [Write, Description("Allow scripts in one-off Outlook forms (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_EnableScriptsInOneOffForms;
+ [Write, Description("Remove file extensions blocked as Level 2 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Level2RemoveFilePolicy;
+ [Write, Description("Removed Extensions: (User)")] String L_removedextensions25;
+ [Write, Description("Use Unicode format when dragging e-mail message to file system (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_MSGUnicodeformatwhendraggingtofilesystem;
+ [Write, Description("Set Outlook object model custom actions execution prompt (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OnExecuteCustomActionOOM;
+ [Write, Description("When executing a custom action: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OnExecuteCustomActionOOM_Setting;
+ [Write, Description("Do not allow Outlook object model scripts to run for public folders (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableOutlookobjectmodelscriptsforpublicfolders;
+ [Write, Description("Include Internet in Safe Zones for Automatic Picture Download (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_BlockInternet;
+ [Write, Description("Security setting for macros (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_SecurityLevelOutlook;
+ [Write, Description("Security Level (User) (2: Always warn, 4: Never warn, disable all, 3: Warn for signed, disable unsigned, 1: No security check)"), ValueMap{"2", "4", "3", "1"}, Values{"2", "4", "3", "1"}] String L_SecurityLevel;
+ [Write, Description("Remove file extensions blocked as Level 1 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Level1RemoveFilePolicy;
+ [Write, Description("Removed Extensions: (User)")] String L_RemovedExtensions;
+ [Write, Description("Signature Warning (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_SignatureWarning;
+ [Write, Description("Signature Warning (User) (0: Let user decide if they want to be warned, 1: Always warn about invalid signatures, 2: Never warn about invalid signatures)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_signaturewarning30;
+ [Write, Description("Display Level 1 attachments (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Level1Attachments;
+ [Write, Description("Minimum encryption settings (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Minimumencryptionsettings;
+ [Write, Description("Minimum key size (in bits): (User)")] SInt32 L_Minimumkeysizeinbits;
+ [Write, Description("Do not allow Outlook object model scripts to run for shared folders (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableOutlookobjectmodelscripts;
+ [Write, Description("Configure Outlook object model prompt when executing Save As (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMSaveAs;
+ [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMSaveAs_Setting;
+ [Write, Description("Junk E-mail protection level (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_JunkEmailprotectionlevel;
+ [Write, Description("Select level: (User) (4294967295: No Protection, 6: Low (Default), 3: High, 2147483648: Trusted Lists Only)"), ValueMap{"4294967295", "6", "3", "2147483648"}, Values{"4294967295", "6", "3", "2147483648"}] String L_Selectlevel;
+ [Write, Description("Run Programs (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_RunPrograms;
+ [Write, Description(" - Depends on L_RunPrograms (0: disable (don't run any programs), 1: enable (prompt user before running), 2: enable all (run without prompting))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_RunPrograms_L_Empty;
+ [Write, Description("Scan encrypted macros in PowerPoint Open XML presentations (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Determinewhethertoforceencryptedppt;
+ [Write, Description(" - Depends on L_Determinewhethertoforceencryptedppt (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_DeterminewhethertoforceencryptedpptDropID;
+ [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned;
+ [Write, Description("PowerPoint 97-2003 presentations, shows, templates and add-in files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles;
+ [Write, Description("File block setting: (User) - Depends on L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID;
+ [Write, Description("Set default file block behavior (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior;
+ [Write, Description(" - Depends on MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID;
+ [Write, Description("Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView;
+ [Write, Description("Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView;
+ [Write, Description("Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails;
+ [Write, Description("Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3;
+ [Write, Description(" - Depends on MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID;
+ [Write, Description("Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook;
+ [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2;
+ [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork;
+ [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy;
+ [Write, Description(" - Depends on MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String L_empty3;
+ [Write, Description("Turn off file validation (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_L_TurnOffFileValidation;
+ [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned;
+ [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2;
+ [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy;
+ [Write, Description(" - Depends on MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty;
+ [Write, Description("Publisher Automation Security Level (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_PublisherAutomationSecurityLevel;
+ [Write, Description(" - Depends on L_PublisherAutomationSecurityLevel (1: Low (enabled), 2: By UI (prompted), 3: High (disabled))"), ValueMap{"1", "2", "3"}, Values{"1", "2", "3"}] String L_PublisherAutomationSecurityLevel_L_Empty;
+ [Write, Description("Block macros from running in Office files from the internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned;
+ [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins (User) - Depends on MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2;
+ [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy;
+ [Write, Description(" - Depends on MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String L_empty0;
+ [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork;
+ [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned;
+ [Write, Description("Visio 2000-2002 Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Visio2000Files;
+ [Write, Description("File block setting: (User) - Depends on L_Visio2000Files (0: Do not block, 2: Open/Save blocked)"), ValueMap{"0", "2"}, Values{"0", "2"}] String L_Visio2000FilesDropID;
+ [Write, Description("Visio 2003-2010 Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Visio2003Files;
+ [Write, Description("File block setting: (User) - Depends on L_Visio2003Files (0: Do not block, 1: Save blocked, 2: Open/Save blocked)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_Visio2003FilesDropID;
+ [Write, Description("Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Visio50AndEarlierFiles;
+ [Write, Description("File block setting: (User) - Depends on L_Visio50AndEarlierFiles (0: Do not block, 2: Open/Save blocked)"), ValueMap{"0", "2"}, Values{"0", "2"}] String L_Visio50AndEarlierFilesDropID;
+ [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2;
+ [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy;
+ [Write, Description(" - Depends on MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty;
+ [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned;
+ [Write, Description("Dynamic Data Exchange (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AllowDDE;
+ [Write, Description("Dynamic Data Exchange setting (User) - Depends on L_AllowDDE (1: Limited Dynamic Data Exchange, 2: Allow Dynamic Data Exchange)"), ValueMap{"1", "2"}, Values{"1", "2"}] String L_AllowDDEDropID;
+ [Write, Description("Set default file block behavior (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior;
+ [Write, Description(" - Depends on MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID;
+ [Write, Description("Word 2 and earlier binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word2AndEarlierBinaryDocumentsAndTemplates;
+ [Write, Description("File block setting: (User) - Depends on L_Word2AndEarlierBinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID;
+ [Write, Description("Word 2000 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word2000BinaryDocumentsAndTemplates;
+ [Write, Description("File block setting: (User) - Depends on L_Word2000BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word2000BinaryDocumentsAndTemplatesDropID;
+ [Write, Description("Word 2003 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word2003BinaryDocumentsAndTemplates;
+ [Write, Description("File block setting: (User) - Depends on L_Word2003BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word2003BinaryDocumentsAndTemplatesDropID;
+ [Write, Description("Word 2007 and later binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word2007AndLaterBinaryDocumentsAndTemplates;
+ [Write, Description("File block setting: (User) - Depends on L_Word2007AndLaterBinaryDocumentsAndTemplates (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID;
+ [Write, Description("Word 6.0 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word6Pt0BinaryDocumentsAndTemplates;
+ [Write, Description("File block setting: (User) - Depends on L_Word6Pt0BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word6Pt0BinaryDocumentsAndTemplatesDropID;
+ [Write, Description("Word 95 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word95BinaryDocumentsAndTemplates;
+ [Write, Description("File block setting: (User) - Depends on L_Word95BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word95BinaryDocumentsAndTemplatesDropID;
+ [Write, Description("Word 97 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word97BinaryDocumentsAndTemplates;
+ [Write, Description("File block setting: (User) - Depends on L_Word97BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word97BinaryDocumentsAndTemplatesDropID;
+ [Write, Description("Word XP binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_WordXPBinaryDocumentsAndTemplates;
+ [Write, Description("File block setting: (User) - Depends on L_WordXPBinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_WordXPBinaryDocumentsAndTemplatesDropID;
+ [Write, Description("Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView;
+ [Write, Description("Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView;
+ [Write, Description("Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails;
+ [Write, Description(" - Depends on MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID;
+ [Write, Description("Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3;
+ [Write, Description("Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook;
+ [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned;
+ [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2;
+ [Write, Description("Scan encrypted macros in Word Open XML documents (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DeterminewhethertoforceencryptedWord;
+ [Write, Description(" - Depends on L_DeterminewhethertoforceencryptedWord (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_DeterminewhethertoforceencryptedWordDropID;
+ [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy;
+ [Write, Description(" - Depends on MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String L_empty19;
+ [Write, Description("Turn off file validation (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_L_TurnOffFileValidation;
+ [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork;
+};
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneSecurityBaselineMicrosoft365AppsForEnterprise")]
+class MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise : OMI_BaseResource
+{
+ [Write, Description("Policy description")] String Description;
+ [Key, Description("Policy name")] String DisplayName;
+ [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
+ [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("The policy settings for the device scope"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise")] String DeviceSettings;
+ [Write, Description("The policy settings for the user scope"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise")] String UserSettings;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/readme.md
new file mode 100644
index 0000000000..7e7218c244
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneSecurityBaselineMicrosoft365AppsForEnterprise
+
+## Description
+
+Intune Security Baseline Microsoft365 Apps For Enterprise
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json
new file mode 100644
index 0000000000..4bda1f09ca
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json
@@ -0,0 +1,32 @@
+{
+ "resourceName":"IntuneSecurityBaselineMicrosoft365AppsForEnterprise",
+ "description":"This resource configures an Intune Security Baseline Microsoft365 Apps For Enterprise.",
+ "permissions":{
+ "graph":{
+ "delegated":{
+ "read":[
+ {
+ "name":"DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update":[
+ {
+ "name":"DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application":{
+ "read":[
+ {
+ "name":"DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update":[
+ {
+ "name":"DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1
new file mode 100644
index 0000000000..c3b6e71fd2
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1
@@ -0,0 +1,904 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationReloadInIEModeAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SSLErrorOverrideAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationZoneIdentifierMhtFileAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BrowserLegacyExtensionPointsBlockingEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SitePerProcess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $EdgeEnhanceImagesEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $ExtensionInstallBlocklist, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $ExtensionInstallBlocklistDesc, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WebSQLAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BasicAuthOverHttpEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $MicrosoftEdge_HTTPAuthentication_AuthSchemes, + + [Parameter()] + [System.String] + $authschemes, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $NativeMessagingUserLevelHosts, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InsecurePrivateNetworkRequestsAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerModeToolbarButtonEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenPuaEnabled, + 
+ [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverride, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverrideForFiles, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SharedArrayBufferUnrestrictedAccessAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $TyposquattingCheckerEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Microsoft Edge with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Microsoft Edge with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Security Baseline Microsoft Edge with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + 
[ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationReloadInIEModeAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SSLErrorOverrideAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationZoneIdentifierMhtFileAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BrowserLegacyExtensionPointsBlockingEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SitePerProcess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $EdgeEnhanceImagesEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $ExtensionInstallBlocklist, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $ExtensionInstallBlocklistDesc, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WebSQLAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BasicAuthOverHttpEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $MicrosoftEdge_HTTPAuthentication_AuthSchemes, + + [Parameter()] + [System.String] + $authschemes, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $NativeMessagingUserLevelHosts, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InsecurePrivateNetworkRequestsAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerModeToolbarButtonEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenPuaEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverride, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverrideForFiles, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SharedArrayBufferUnrestrictedAccessAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + 
$TyposquattingCheckerEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = 'c66347b7-8325-4954-a235-3bf2233dfbfd_2' + $platforms = 'windows10' + $technologies = 'mdm' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Security Baseline Microsoft Edge with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region 
resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Security Baseline Microsoft Edge with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Security Baseline Microsoft Edge with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + 
$Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationReloadInIEModeAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SSLErrorOverrideAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationZoneIdentifierMhtFileAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BrowserLegacyExtensionPointsBlockingEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SitePerProcess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $EdgeEnhanceImagesEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $ExtensionInstallBlocklist, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $ExtensionInstallBlocklistDesc, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WebSQLAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BasicAuthOverHttpEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $MicrosoftEdge_HTTPAuthentication_AuthSchemes, + + [Parameter()] + [System.String] + $authschemes, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $NativeMessagingUserLevelHosts, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InsecurePrivateNetworkRequestsAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerModeToolbarButtonEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenPuaEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverride, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + 
$PreventSmartScreenPromptOverrideForFiles, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SharedArrayBufferUnrestrictedAccessAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $TyposquattingCheckerEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Security Baseline Microsoft Edge with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if 
($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "c66347b7-8325-4954-a235-3bf2233dfbfd_2" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + 
$Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof new file mode 100644 index 0000000000..8a9515e3d3 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof 
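Review bot: The fallback lookup in Get-TargetResource builds its OData filter by string interpolation, `-Filter "Name eq '$DisplayName'"`, so a display name containing an apostrophe yields a malformed filter and the by-name lookup silently returns nothing; escape the value first, `-Filter "Name eq '$($DisplayName.Replace("'", "''"))'"`. In Test-TargetResource the common-parameter filter `if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', ...))` is always true because of the `-or`, so keys such as Verbose are never excluded; it should read `-and`, unless Test-M365DSCParameterState already drops those keys itself. The template id `c66347b7-8325-4954-a235-3bf2233dfbfd_2` is written out twice, as `$templateReferenceId` in Set-TargetResource and `$policyTemplateID` in Export-TargetResource, and one script-scoped constant would keep them from drifting apart. Set-TargetResource also never passes `RoleScopeTagIds` to the create or update call although Get-TargetResource returns it and Test-TargetResource compares it, so a configured value would presumably report as drift on every run unless Get-IntuneSettingCatalogPolicySetting consumes it.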
@@ -0,0 +1,50 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+
+
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneSecurityBaselineMicrosoftEdge")]
+class MSFT_IntuneSecurityBaselineMicrosoftEdge : OMI_BaseResource
+{
+ [Write, Description("Policy description")] String Description;
+ [Key, Description("Policy name")] String DisplayName;
+ [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
+ [Write, Description("The unique identifier for an entity. 
Read-only.")] String Id;
+ [Write, Description("Allow unconfigured sites to be reloaded in Internet Explorer mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InternetExplorerIntegrationReloadInIEModeAllowed;
+ [Write, Description("Allow users to proceed from the HTTPS warning page (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SSLErrorOverrideAllowed;
+ [Write, Description("Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InternetExplorerIntegrationZoneIdentifierMhtFileAllowed;
+ [Write, Description("Enable browser legacy extension point blocking (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String BrowserLegacyExtensionPointsBlockingEnabled;
+ [Write, Description("Enable site isolation for every site (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SitePerProcess;
+ [Write, Description("Enhance images enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EdgeEnhanceImagesEnabled;
+ [Write, Description("Control which extensions cannot be installed (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ExtensionInstallBlocklist;
+ [Write, Description("Extension IDs the user should be prevented from installing (or * for all) (Device) - Depends on ExtensionInstallBlocklist")] String ExtensionInstallBlocklistDesc[];
+ [Write, Description("Force WebSQL to be enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WebSQLAccess;
+ [Write, Description("Allow Basic authentication for HTTP (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String BasicAuthOverHttpEnabled;
+ [Write, Description("Supported authentication schemes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftEdge_HTTPAuthentication_AuthSchemes;
+ [Write, 
Description("Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes")] String authschemes;
+ [Write, Description("Allow user-level native messaging hosts (installed without admin permissions) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NativeMessagingUserLevelHosts;
+ [Write, Description("Specifies whether to allow insecure websites to make requests to more-private network endpoints (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InsecurePrivateNetworkRequestsAllowed;
+ [Write, Description("Show the Reload in Internet Explorer mode button in the toolbar (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InternetExplorerModeToolbarButtonEnabled;
+ [Write, Description("Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenEnabled;
+ [Write, Description("Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenPuaEnabled;
+ [Write, Description("Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverride;
+ [Write, Description("Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverrideForFiles;
+ [Write, Description("Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SharedArrayBufferUnrestrictedAccessAllowed;
+ [Write, Description("Configure Edge TyposquattingChecker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String TyposquattingCheckerEnabled;
+ [Write, Description("Represents the assignment to the Intune 
policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/readme.md
new file mode 100644
index 0000000000..f614869e4f
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneSecurityBaselineMicrosoftEdge
+
+## Description
+
+Intune Security Baseline Microsoft Edge
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json
new file mode 100644
index 0000000000..67b62b373e
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json
@@ -0,0 +1,33 @@
+{
+ "resourceName": "IntuneSecurityBaselineMicrosoftEdge",
+ "description": "This resource configures an Intune Security Baseline Microsoft Edge.",
+ "permissions": {
+ "graph": {
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/MSFT_PPAdminDLPPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/MSFT_PPAdminDLPPolicy.psm1
new file mode 100644
index 0000000000..bb6bde14be
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/MSFT_PPAdminDLPPolicy.psm1
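Review bot: The closing of the `permissions` object at the end of the hunk appears as an unindented `}` followed by an empty line before the root `}`, whereas the other settings.json files in this commit close their nested objects with consistently indented braces and no blank line. As far as the collapsed layout shows, the brace count is still balanced and the file is valid JSON, but the stray formatting reads like a leftover edit; closing with `  }` and then `}` on consecutive lines would match the sibling resources.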
@@ -0,0 +1,429 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String[]] + $Environments, + + [Parameter()] + [System.String] + $FilterType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + New-M365DSCConnection -Workload 'PowerPlatforms' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + if ($null -ne $Script:exportedInstances -and $Script:ExportMode) + { + if (-not [System.String]::IsNullOrEmpty($PolicyName)) + { + $instances = $Script:exportedInstances | Where-Object -FilterScript {$_.PolicyName -eq $PolicyName} + } + + if ($null -eq $instance) + { + $instance = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + else + { + if (-not [System.String]::IsNullOrEmpty($PolicyName)) + { + $instance = Get-AdminDlpPolicy -PolicyName $PolicyName -ErrorAction SilentlyContinue + } + + if ($null -eq $instance) + { + 
$instance = Get-AdminDlpPolicy | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName} + } + } + if ($null -eq $instance) + { + return $nullResult + } + + $results = @{ + DisplayName = $instance.DisplayName + PolicyName = $instance.PolicyName + Environments = $instance.Environments.name + FilterType = $instance.FilterType + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String[]] + $Environments, + + [Parameter()] + [System.String] + $FilterType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + # CREATE + $needToUpdateNewInstance = $false + $policyName = $currentInstance.PolicyName + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new Data Policy {$DisplayName}" + $policy = New-AdminDLPPolicy -DisplayName $DisplayName + $policyName = $policy.PolicyName + } + if ($setParameters.ContainsKey('PolicyName')) + { + $setParameters.PolicyName = $policyName + } + else + { + $setParameters.Add("PolicyName", $policyName) + } + + # UPDATE + if (($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') -or $needToUpdateNewInstance) + { + Write-Verbose -Message "Updating Data Policy {$DisplayName}" + $setParameters.Remove('DisplayName') | Out-Null + + if ($null -ne $setParameters.Environments -and $setParameters.Environments.Count -gt 0) + { + $setParameters.Environments = ($setParameters.Environments -join ',') + } + Write-Verbose -Message "Updating Data Policy {$DisplayName} with values:`r`n$(Convert-M365DscHashtableToString -Hashtable $setParameters)" + Set-AdminDLPPolicy @setParameters + } + # REMOVE + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Data Policy {$DisplayName}" + Remove-AdminDLPPolicy -PolicyName $policyName + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] 
+ $PolicyName, + + [Parameter()] + [System.String[]] + $Environments, + + [Parameter()] + [System.String] + $FilterType, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + 
[Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'PowerPlatforms' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:exportedInstances = Get-AdminDlpPolicy -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:exportedInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $Script:exportedInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.DisplayName + Write-Host " |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline + $params = @{ + DisplayName = $config.DisplayName + PolicyName = $config.PolicyName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + $dscContent += $currentDSCBlock + 
Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/MSFT_PPAdminDLPPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/MSFT_PPAdminDLPPolicy.schema.mof new file mode 100644 index 0000000000..4ed948ec86 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/MSFT_PPAdminDLPPolicy.schema.mof 
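Review bot: In Set-TargetResource the CREATE branch never sets `$needToUpdateNewInstance` to `$true`, so a policy created in this run is skipped by the UPDATE block (its condition requires `$currentInstance.Ensure -eq 'Present'` or that flag) and its Environments and FilterType are only applied on a later Set run; adding `$needToUpdateNewInstance = $true` right after `$policyName = $policy.PolicyName` closes that gap. Separately, in Get-TargetResource's export-mode branch the PolicyName lookup assigns `$instances` while the following null check reads `$instance`, so that lookup is discarded and the DisplayName fallback always runs; it should be `$instance = $Script:exportedInstances | Where-Object -FilterScript {$_.PolicyName -eq $PolicyName}`. Export-TargetResource passes PolicyName for every instance, so the typo currently only costs an extra filter pass, but it will mis-resolve two policies that share a display name.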
@@ -0,0 +1,16 @@
+[ClassVersion("1.0.0.0"), FriendlyName("PPAdminDLPPolicy")]
+class MSFT_PPAdminDLPPolicy : OMI_BaseResource
+{
+ [Key, Description("Creates the policy with the input display name")] String DisplayName;
+ [Write, Description("Unique identifier of the policy.")] String PolicyName;
+ [Write, Description("Comma separated string list used as input environments to either include or exclude, depending on the FilterType.")] String Environments[];
+ [Write, Description("Identifies which filter type the policy will have, none, include, or exclude.")] String FilterType;
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/readme.md
new file mode 100644
index 0000000000..2dfde53b68
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/readme.md
@@ -0,0 +1,6 @@
+
+# PPAdminDLPPolicy
+
+## Description
+
+Manages a policy's environment and default API group settings.
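Review bot: The Environments description says `Comma separated string list`, but the property is declared `String Environments[]` and the Set-TargetResource in this commit joins the array with `,` itself before calling Set-AdminDLPPolicy, so a user following the description would pass one comma-joined string rather than an array; suggest `Array of environment names used as input environments to either include or exclude, depending on the FilterType.`. The FilterType description enumerates none, include or exclude, yet the schema leaves the value unconstrained; if those are indeed the only accepted values, a ValueMap/Values pair would reject typos at compile time instead of at the API call. The DisplayName description `Creates the policy with the input display name` describes an action rather than the property; `Display name of the policy.` would read as a key description.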
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/settings.json
new file mode 100644
index 0000000000..e015f493fc
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPAdminDLPPolicy/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "PPAdminDLPPolicy",
+ "description": "Manages a policy's environment and default API group settings.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/MSFT_PPDLPPolicyConnectorConfigurations.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/MSFT_PPDLPPolicyConnectorConfigurations.psm1
new file mode 100644
index 0000000000..ea6471b259
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/MSFT_PPDLPPolicyConnectorConfigurations.psm1
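Review bot: Both `roles` lists and every `permissions.graph` list are empty here, and the same applies to the PPDLPPolicyConnectorConfigurations settings.json later in this commit, so the file documents no privilege at all for resources whose Get/Set functions call Get-AdminDlpPolicy, New-AdminDLPPolicy, Set-AdminDLPPolicy and Remove-AdminDLPPolicy. Presumably a Power Platform administrative role is what those cmdlets need; recording it under `roles.read` / `roles.update` (or stating in the readme that the Graph permission model does not apply to this workload) lets an operator grant the least privilege needed rather than guessing. The Intune settings.json earlier in this commit shows the populated form these tools expect.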
@@ -0,0 +1,472 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $PPTenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $PolicyName, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ConnectorActionConfigurations, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'PowerPlatforms' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $policy = Get-AdminDlpPolicy | Where-Object -FilterScript {$_.DisplayName -eq $PolicyName} + + if ($null -eq $policy) + { + return $nullResult + } + + $ActionList = Get-PowerAppDlpPolicyConnectorConfigurations -TenantID $PPTenantId ` + -PolicyName $($policy.PolicyName) + $ActionsValue = @() + foreach ($action in $ActionList.connectorActionConfigurations) + { + $entry = @{ + connectorId = $action.connectorId + defaultConnectorActionRuleBehavior = $action.defaultConnectorActionRuleBehavior + } + + $actionRulesValues = @() + foreach ($rule in 
$action.actionRules) + { + $actionRulesValues += @{ + actionId = $rule.actionId + behavior = $rule.behavior + } + } + $entry.Add('actionRules', $actionRulesValues) + $ActionsValue += $entry + } + + $results = @{ + PPTenantId = $PPTenantId + PolicyName = $PolicyName + ConnectorActionConfigurations = $ActionsValue + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $PPTenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $PolicyName, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ConnectorActionConfigurations, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'PowerPlatforms' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $policy = Get-AdminDlpPolicy | Where-Object -FilterScript {$_.DisplayName -eq $PolicyName} + $policyNameValue = $policy.PolicyName + + # CREATE + if ($Ensure -eq 'Present') + { + $body = @{ + connectorActionConfigurations = @() + } + + foreach ($action in $connectorActionConfigurations) + { + $entry = @{ + connectorId = $action.connectorId + defaultConnectorActionRuleBehavior = $action.defaultConnectorActionRuleBehavior + } + + $ruleValues = @() + foreach ($rule in $actionRules) + { + $ruleValues += @{ + actionId = $rule.actionId + behavior = $rule.behavior + } + } + $entry.Add('actionRules', $ruleValues) + $body.connectorActionConfigurations += $entry + } + $payload = $(ConvertTo-Json $body -Depth 9 -Compress) + Write-Verbose -Message "Setting Connector Configuration for Policy {$($PolicyNameValue)} with parameters:`r`n$payload" + + New-PowerAppDlpPolicyConnectorConfigurations -TenantId $PPTenantId ` + -PolicyName $policyNameValue ` + -NewDlpPolicyConnectorConfigurations $body ` + -Verbose + } + # REMOVE + elseif ($Ensure -eq 'Absent') + { + Write-Verbose -Message "Removing Connector Configuration for Policy {$($PolicyNameValue)}" + Remove-PowerAppDlpPolicyConnectorConfigurations -TenantId $PPTenantId -PolicyName $policyNameValue + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $PPTenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $PolicyName, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ConnectorActionConfigurations, + + [Parameter()] + 
[ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + 
[OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'PowerPlatforms' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $tenantInfo = Get-TenantDetailsFromGraph + [array] $policies = Get-AdminDlpPolicy -ErrorAction Stop + + $dscContent = '' + if ($policies.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + $i = 1 + foreach ($policy in $policies) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + Write-Host " |---[$i/$($policies.Count)] $($policy.DisplayName)" -NoNewline + $params = @{ + PPTenantId = $tenantInfo.TenantId + PolicyName = $policy.DisplayName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + 
-Results $Results + + if ($null -ne $Results.ConnectorActionConfigurations) + { + $complexMapping = @( + @{ + Name = 'actionRules' + CimInstanceName = 'PPDLPPolicyConnectorConfigurationsActionRules' + IsRequired = $False + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ConnectorActionConfigurations ` + -CIMInstanceName 'PPDLPPolicyConnectorConfigurationsAction' ` + -ComplexTypeMapping $complexMapping + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ConnectorActionConfigurations = $complexTypeStringResult + } + else + { + $Results.Remove('ConnectorActionConfigurations') | Out-Null + } + } + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.ConnectorActionConfigurations) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ConnectorActionConfigurations' -IsCIMArray:$true + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $k++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + + $i++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/MSFT_PPDLPPolicyConnectorConfigurations.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/MSFT_PPDLPPolicyConnectorConfigurations.schema.mof new file mode 100644 index 0000000000..2324766826 --- /dev/null 
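Review bot: In Set-TargetResource the inner loop reads `foreach ($rule in $actionRules)`, but `$actionRules` is never defined in that function, so every entry in the payload is sent with an empty actionRules list and the per-action rules declared in the configuration are dropped; it should be `foreach ($rule in $action.actionRules)`, mirroring Get-TargetResource. In Test-TargetResource `$testResult` is not initialised before the CimInstance comparison loop, so when ConnectorActionConfigurations is not bound the final `if ($testResult)` is skipped and the function returns `$null` instead of a boolean; add `$testResult = $true` before `foreach ($key in $PSBoundParameters.Keys)`. Set-TargetResource also continues when the Get-AdminDlpPolicy lookup matches nothing and passes an empty `-PolicyName` to the New-/Remove-PowerAppDlpPolicyConnectorConfigurations calls; an early `if ($null -eq $policy)` guard with a verbose message would surface that case. The stray `$k++` in Export-TargetResource is harmless but is dead code next to the real `$i++` counter.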
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/MSFT_PPDLPPolicyConnectorConfigurations.schema.mof 
@@ -0,0 +1,30 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_PPDLPPolicyConnectorConfigurationsActionRules
+{
+ [Write, Description("Id of the action.")] String actionId;
+ [Write, Description("Associated behavior.")] String behavior;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_PPDLPPolicyConnectorConfigurationsAction
+{
+ [Write, Description("Unique id of the connector.")] String connectorId;
+ [Write, Description("Default action behavior for to connector.")] String defaultConnectorActionRuleBehavior;
+ [Write, Description("List of associated actions."), EmbeddedInstance("MSFT_PPDLPPolicyConnectorConfigurationsActionRules")] String actionRules[];
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("PPDLPPolicyConnectorConfigurations")]
+class MSFT_PPDLPPolicyConnectorConfigurations : OMI_BaseResource
+{
+ [Key, Description("The policy name identifier.")] String PolicyName;
+ [Key, Description("The tenant identifier.")] String PPTenantId;
+ [Write, Description("Set of cnnector actions associated with the policy."), EmbeddedInstance("MSFT_PPDLPPolicyConnectorConfigurationsAction")] String ConnectorActionConfigurations[];
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
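Review bot: Two descriptions in this schema carry typos: `Set of cnnector actions associated with the policy.` should read `Set of connector actions associated with the policy.`, and `Default action behavior for to connector.` should read `Default action behavior for the connector.`. More importantly, PolicyName is documented as `The policy name identifier.`, but the .psm1 in this commit resolves it with `$_.DisplayName -eq $PolicyName`, so the value users must supply is the policy's display name, not the PolicyName value that the PPAdminDLPPolicy schema calls the unique identifier; a description such as `Display name of the DLP policy the connector configuration belongs to.` would prevent that confusion.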
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/readme.md
new file mode 100644
index 0000000000..530565738e
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/readme.md
@@ -0,0 +1,6 @@
+
+# PPDLPPolicyConnectorConfigurations
+
+## Description
+
+Configures connectors Data Loss Prevention policies in Power Platforms.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/settings.json
new file mode 100644
index 0000000000..cde694440e
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPDLPPolicyConnectorConfigurations/settings.json
@@ -0,0 +1,20 @@
+{
+ "resourceName": "PPDLPPolicyConnectorConfigurations",
+ "description": "Configures connectors Data Loss Prevention policies in Power Platforms.",
+ "roles": {
+ "read": [],
+ "update": []
+ },
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/MSFT_PPPowerAppPolicyUrlPatterns.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/MSFT_PPPowerAppPolicyUrlPatterns.psm1
new file mode 100644
index 0000000000..fc0895a29b
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/MSFT_PPPowerAppPolicyUrlPatterns.psm1
@@ -0,0 +1,444 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $PPTenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $PolicyName, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $RuleSet, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'PowerPlatforms' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $policy = Get-AdminDlpPolicy | Where-Object -FilterScript {$_.DisplayName -eq $PolicyName} + + if ($null -eq $policy) + { + return $nullResult + } + + $rules = Get-PowerAppPolicyUrlPatterns -TenantID $PPTenantId ` + -PolicyName $($policy.PolicyName) + $RulesValue = @() + foreach ($rule in $rules.rules) + { + $RulesValue += @{ + order = $rule.order + customConnectorRuleClassification = $rule.customConnectorRuleClassification + pattern = $rule.pattern + } + } + + $results = @{ + PPTenantId = $PPTenantId + PolicyName = $PolicyName + RuleSet = $RulesValue + Ensure = 'Present' + 
Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $PPTenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $PolicyName, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $RuleSet, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'PowerPlatforms' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $policy = Get-AdminDlpPolicy | Where-Object -FilterScript {$_.DisplayName -eq $PolicyName} + $policyNameValue = $policy.PolicyName + + # CREATE + if ($Ensure -eq 'Present') + { + $body = @{ + rules = @() + } + + foreach ($rule in $RuleSet) + { + $body.rules += @{ + order = $rule.order + customConnectorRuleClassification = $rule.customConnectorRuleClassification + pattern = $rule.pattern + } + } + $payload = $(ConvertTo-Json $body -Depth 9 -Compress) + Write-Verbose -Message "Setting new Url Patterns for Policy {$($PolicyNameValue)} with parameters:`r`n$payload" + + New-PowerAppPolicyUrlPatterns -TenantId $PPTenantId ` + -PolicyName $policyNameValue ` + -NewUrlPatterns $body ` + -Verbose + } + # REMOVE + elseif ($Ensure -eq 'Absent') + { + Write-Verbose -Message "Removing Url Patterns for Policy {$($PolicyNameValue)}" + Remove-PowerAppPolicyUrlPatterns -TenantId $PPTenantId -PolicyName $policyNameValue + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $PPTenantId, + + [Parameter(Mandatory = $true)] + [System.String] + $PolicyName, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $RuleSet, + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + 
[Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] 
+ $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'PowerPlatforms' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + $tenantInfo = Get-TenantDetailsFromGraph + [array] $policies = Get-AdminDlpPolicy -ErrorAction Stop + + $dscContent = '' + if ($policies.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + $i = 1 + foreach ($policy in $policies) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + Write-Host " |---[$i/$($policies.Count)] $($policy.DisplayName)" -NoNewline + $params = @{ + PPTenantId = $tenantInfo.TenantId + PolicyName = $policy.DisplayName + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($null -ne $Results.RuleSet) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.RuleSet ` + -CIMInstanceName 'PPPowerAPpPolicyUrlPatternsRule' + if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.RuleSet = $complexTypeStringResult + } + else + { + $Results.Remove('RuleSet') | Out-Null + } + } + 
$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.RuleSet) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'RuleSet' -IsCIMArray:$true + } + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $k++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + + $i++ + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/MSFT_PPPowerAppPolicyUrlPatterns.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/MSFT_PPPowerAppPolicyUrlPatterns.schema.mof new file mode 100644 index 0000000000..9d323799a0 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/MSFT_PPPowerAppPolicyUrlPatterns.schema.mof 
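Review bot: In Test-TargetResource `$testResult` is never initialised before `foreach ($key in $PSBoundParameters.Keys)`, so when no CimInstance parameter is bound (a configuration that omits RuleSet) the loop never assigns it, `if ($testResult)` is false, Test-M365DSCParameterState is skipped and the function returns $null instead of the declared [System.Boolean]; add `$testResult = $true` immediately before the loop. In Set-TargetResource `$policyNameValue = $policy.PolicyName` is used without checking that Get-AdminDlpPolicy actually matched `$PolicyName`; on a miss `$policyNameValue` is $null and New-PowerAppPolicyUrlPatterns / Remove-PowerAppPolicyUrlPatterns are called with an empty policy name, so guard it with `if ($null -eq $policy) { throw "DLP policy '$PolicyName' was not found" }`. Export-TargetResource increments an unused `$k++` next to the real `$i++` counter — a leftover worth deleting.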
@@ -0,0 +1,23 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_PPPowerAPpPolicyUrlPatternsRule
+{
+ [Write, Description("Rule priority order.")] String order;
+ [Write, Description("Rule classification.")] String customConnectorRuleClassification;
+ [Write, Description("Rule pattern.")] String pattern;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("PPPowerAppPolicyUrlPatterns")]
+class MSFT_PPPowerAppPolicyUrlPatterns : OMI_BaseResource
+{
+ [Key, Description("The policy name identifier.")] String PolicyName;
+ [Key, Description("The tenant identifier.")] String PPTenantId;
+ [Write, Description("Set of custom connector pattern rules associated with the policy."), EmbeddedInstance("MSFT_PPPowerAPpPolicyUrlPatternsRule")] String RuleSet[];
+
+ [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
+ [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/readme.md
new file mode 100644
index 0000000000..2656b9f1e2
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/readme.md
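Review bot: The embedded class is declared as `class MSFT_PPPowerAPpPolicyUrlPatternsRule` with a stray capital in "APp"; it is referenced with the same spelling in the EmbeddedInstance attribute and in Export-TargetResource's `-CIMInstanceName 'PPPowerAPpPolicyUrlPatternsRule'`, so it works, but the name is written into every exported configuration and becomes a public contract once released. Rename it to `MSFT_PPPowerAppPolicyUrlPatternsRule` in all three places now. Separately, `String order` is filled by Get-TargetResource straight from `$rule.order`, which the service presumably returns as a number — if Compare-M365DSCComplexObject compares it against the CIM string, Test may see drift on every run; worth verifying with a round-trip test.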
@@ -0,0 +1,6 @@ + +# PPPowerAppPolicyUrlPatterns + +## Description + +Configures custom connector patterns for Data Loss Prevention policies in Power Platforms. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/settings.json new file mode 100644 index 0000000000..b9f4f13d61 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_PPPowerAppPolicyUrlPatterns/settings.json @@ -0,0 +1,20 @@ +{ + "resourceName": "PPPowerAppPolicyUrlPatterns", + "description": "Configures custom connector patterns for Data Loss Prevention policies in Power Platforms.", + "roles": { + "read": [], + "update": [] + }, + "permissions": { + "graph": { + "delegated": { + "read": [], + "update": [] + }, + "application": { + "read": [], + "update": [] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsClientConfiguration/MSFT_TeamsClientConfiguration.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsClientConfiguration/MSFT_TeamsClientConfiguration.psm1 index b75b494596..92381749be 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsClientConfiguration/MSFT_TeamsClientConfiguration.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsClientConfiguration/MSFT_TeamsClientConfiguration.psm1 @@ -140,7 +140,7 @@ function Get-TargetResource ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens } - if ([System.String]::IsNullOrEmpty($RestrictedSenderList)) + if ([System.String]::IsNullOrEmpty($Config.RestrictedSenderList)) { $result.Remove('RestrictedSenderList') | Out-Null } 
@@ -282,12 +282,9 @@ function Set-TargetResource } else { - $tempValue = $null - foreach ($sender in $SetParams.RestrictedSenderList) - { - $tempValue += $sender + ',' - } - $tempValue = $tempValue.Substring(0, $tempValue.Length - 1) + # https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsclientconfiguration?view=teams-ps#-restrictedsenderlist + # This is a semicolon-separated string of the domains you'd like to allow to send emails to Teams channels + $tempValue = $SetParams['RestrictedSenderList'] -join ';' $SetParams.RestrictedSenderList = $tempValue } Set-CsTeamsClientConfiguration @SetParams diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 index 1bc09914bf..20ecfd0716 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 
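Review bot: The `$tempValue` indirection is no longer needed now that the join is a single expression; `$SetParams.RestrictedSenderList = $SetParams['RestrictedSenderList'] -join ';'` says the same thing in one line. More importantly, the separator changed from ',' to ';' only on the Set side: if Get-TargetResource (outside this hunk) still returns the cmdlet's string unsplit or splits on ',', Test-TargetResource will report permanent drift after the first apply — confirm that Get splits on ';' so the round trip is idempotent. The enclosing if/else starts before the hunk.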
@@ -175,10 +175,22 @@ function Set-TargetResource $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftTeams' ` -InboundParameters $PSBoundParameters - foreach ($user in $Users) + if ($Identity -eq 'Global' -and $Users.Length -eq 1 -and $Users[0] -eq '*') { - Write-Verbose -Message "Granting TeamsUpgradePolicy {$Identity} to User {$user} with MigrateMeetingsToTeams=$MigrateMeetingsToTeams" - Grant-CsTeamsUpgradePolicy -PolicyName $Identity -Identity $user -MigrateMeetingsToTeams:$MigrateMeetingsToTeams + Write-Verbose -Message "Granting TeamsUpgradePolicy {$Identity} to all Users with MigrateMeetingsToTeams=$MigrateMeetingsToTeams" + Grant-CsTeamsUpgradePolicy -PolicyName $Identity ` + -MigrateMeetingsToTeams:$MigrateMeetingsToTeams ` + -Global + } + else + { + foreach ($user in $Users) + { + Write-Verbose -Message "Granting TeamsUpgradePolicy {$Identity} to User {$user} with MigrateMeetingsToTeams=$MigrateMeetingsToTeams" + Grant-CsTeamsUpgradePolicy -PolicyName $Identity ` + -Identity $user ` + -MigrateMeetingsToTeams:$MigrateMeetingsToTeams + } } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.schema.mof index 96c8e8e81a..dcd1b3df49 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.schema.mof 
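Review bot: The new `-Global` branch still forwards `-MigrateMeetingsToTeams:$MigrateMeetingsToTeams`, yet the resource's own schema text in the MOF hunk below states that meeting migration cannot be triggered when the policy is granted to the entire tenant, so a configuration with `Users = @('*')` and `MigrateMeetingsToTeams = $true` would presumably be rejected by Grant-CsTeamsUpgradePolicy at apply time. Either omit the switch in the global branch or fail early with a clear message, e.g. `if ($MigrateMeetingsToTeams) { throw 'MigrateMeetingsToTeams cannot be combined with a global grant (Users = *)' }`. A tenant-wide grant has a far larger blast radius than a per-user one, so a `Write-Warning` in that branch would also help operators notice a stray `*` in a user list. The enclosing Set-TargetResource continues outside the hunk.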
@@ -2,7 +2,7 @@ class MSFT_TeamsUpgradePolicy : OMI_BaseResource { [Key, Description("Identity of the Teams Upgrade Policy.")] String Identity; - [Write, Description("List of users that will be granted the Upgrade Policy to.")] String Users[]; + [Write, Description("List of users that will be granted the Upgrade Policy to. Use value * to apply the policy globally.")] String Users[]; [Write, Description("Specifies whether to move existing Skype for Business meetings organized by the user to Teams. This parameter can only be true if the mode of the specified policy instance is either TeamsOnly or SfBWithTeamsCollabAndMeetings, and if the policy instance is being granted to a specific user. It not possible to trigger meeting migration when granting TeamsUpgradePolicy to the entire tenant.")] Boolean MigrateMeetingsToTeams; [Write, Description("Credentials of the Teams Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index d2d088cc8d..7fd6bbe7fe 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -22,7 +22,7 @@ }, @{ ModuleName = 'DSCParser' - RequiredVersion = '2.0.0.10' + RequiredVersion = '2.0.0.11' }, @{ ModuleName = 'ExchangeOnlineManagement' @@ -137,7 +137,7 @@ }, @{ ModuleName = 'ReverseDSC' - RequiredVersion = '2.0.0.20' + RequiredVersion = '2.0.0.22' } ) } diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAdminConsentRequestPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAdminConsentRequestPolicy/2-Update.ps1 new file mode 100644 index 0000000000..9f032afb5c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAdminConsentRequestPolicy/2-Update.ps1 
@@ -0,0 +1,54 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADAdminConsentRequestPolicy "AADAdminConsentRequestPolicy" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsEnabled = $True; + IsSingleInstance = "Yes"; + NotifyReviewers = $False; + RemindersEnabled = $True; + RequestDurationInDays = 30; + Reviewers = @( + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'User' + ReviewerId = "AlexW@$TenantId" + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Group' + ReviewerId = 'Communications' + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Role' + ReviewerId = 'Attack Payload Author' + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Role' + ReviewerId = 'Attack Simulation Administrator' + } + ); + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationRequirement/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationRequirement/2-Update.ps1 new file mode 100644 index 0000000000..ec3edca920 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADAuthenticationRequirement/2-Update.ps1 
@@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationRequirement "AADAuthenticationRequirement-TestMailbox109@xtasdftestorg.onmicrosoft.com" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + PerUserMfaState = "disabled"; + UserPrincipalName = "TestMailbox109@$OrganizationName"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/1-Create.ps1 new file mode 100644 index 0000000000..2f3be28fb9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/1-Create.ps1 @@ -0,0 +1,36 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADConnectorGroupApplicationProxy "AADConnectorGroupApplicationProxy-testgroup" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + Name = "testgroup"; + Region = "nam"; + } + } +} 
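Review bot: `UserPrincipalName = "TestMailbox109@$OrganizationName"` references `$OrganizationName`, which is not among the Configuration's parameters (`$ApplicationId`, `$TenantId`, `$CertificateThumbprint`), so unless the caller happens to define it the string expands to `TestMailbox109@` and the example cannot target a real user. The other examples in this commit build UPNs from `$TenantId` (`"AlexW@$TenantId"`), so `UserPrincipalName = "TestMailbox109@$TenantId"` would be consistent; the instance name `"AADAuthenticationRequirement-TestMailbox109@xtasdftestorg.onmicrosoft.com"` also hard-codes a test tenant that should not leak into published examples.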
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/2-Update.ps1 new file mode 100644 index 0000000000..fd34be2c06 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/2-Update.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADConnectorGroupApplicationProxy "AADConnectorGroupApplicationProxy-testgroup" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + Name = "testgroup-new"; + Region = "nam"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/3-Remove.ps1 new file mode 100644 index 0000000000..4e38370dc0 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADConnectorGroupApplicationProxy/3-Remove.ps1 
@@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADConnectorGroupApplicationProxy "AADConnectorGroupApplicationProxy-testgroup" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + Name = "testgroup-new"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/1-Create.ps1 new file mode 100644 index 0000000000..7aa18c60ea --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/1-Create.ps1 
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomSecurityAttributeDefinition "AADCustomSecurityAttributeDefinition-ShoeSize" + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/2-Update.ps1 new file mode 100644 index 0000000000..273be2450a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/2-Update.ps1 
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomSecurityAttributeDefinition "AADCustomSecurityAttributeDefinition-ShoeSize" + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing? Drifted" # Drift + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/3-Remove.ps1 new file mode 100644 index 0000000000..9e94cd62e5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADCustomSecurityAttributeDefinition/3-Remove.ps1 
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomSecurityAttributeDefinition "AADCustomSecurityAttributeDefinition-ShoeSize" + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADDeviceRegistrationPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADDeviceRegistrationPolicy/2-Update.ps1 new file mode 100644 index 0000000000..255c5e3155 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADDeviceRegistrationPolicy/2-Update.ps1 
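Review bot: The 3-Remove example repeats every Write property from 1-Create (`IsCollection`, `IsSearchable`, `Status`, `Type`, `UsePreDefinedValuesOnly`, `Description`) alongside `Ensure = "Absent"`, whereas the AADDomain 3-Remove.ps1 in this same commit passes only the key, Ensure and the authentication parameters; trimming it the same way makes the intent of a removal example clearer. Also worth confirming what Ensure Absent does for this resource: as far as I recall, Graph does not expose a delete for custom security attribute definitions and they are retired by setting status to Deprecated, in which case the example should say so in a comment rather than imply the definition disappears.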
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADDeviceRegistrationPolicy "MyDeviceRegistrationPolicy" + { + ApplicationId = $ApplicationId; + AzureADAllowedToJoin = "Selected"; + AzureADAllowedToJoinGroups = @(); + AzureADAllowedToJoinUsers = @("AlexW@M365x73318397.OnMicrosoft.com"); + AzureAdJoinLocalAdminsRegisteringGroups = @(); + AzureAdJoinLocalAdminsRegisteringMode = "Selected"; + AzureAdJoinLocalAdminsRegisteringUsers = @("AllanD@M365x73318397.OnMicrosoft.com"); + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + LocalAdminPasswordIsEnabled = $False; + LocalAdminsEnableGlobalAdmins = $True; + MultiFactorAuthConfiguration = $False; + TenantId = $TenantId; + UserDeviceQuota = 50; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADDomain/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADDomain/1-Create.ps1 new file mode 100644 index 0000000000..bf3cef52d4 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADDomain/1-Create.ps1 
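Review bot: `AzureADAllowedToJoinUsers = @("AlexW@M365x73318397.OnMicrosoft.com")` and `AzureAdJoinLocalAdminsRegisteringUsers = @("AllanD@M365x73318397.OnMicrosoft.com")` hard-code a specific test tenant, while the other examples in this commit build user names from the Configuration's `$TenantId` parameter (`"AlexW@$TenantId"`); using `@("AlexW@$TenantId")` and `@("AllanD@$TenantId")` keeps the example runnable against whatever tenant the parameters point at. The values `MultiFactorAuthConfiguration = $False` and `LocalAdminsEnableGlobalAdmins = $True` are fine as a drift fixture given the header disclaimer, but a one-line comment saying they are test values, not a recommended posture, would stop them being copied as-is.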
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADDomain "AADDomain-Contoso" + { + ApplicationId = $ApplicationId; + AuthenticationType = "Managed"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + TenantId = $TenantId; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADDomain/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADDomain/2-Update.ps1 new file mode 100644 index 0000000000..c179744bbb --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/AADDomain/2-Update.ps1 
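Review bot: `PasswordValidityPeriodInDays = 2147483647;` is a magic number with no explanation; as far as I know this is the Graph sentinel meaning passwords never expire, so an inline comment such as `PasswordValidityPeriodInDays = 2147483647; # Graph sentinel: passwords never expire` would keep readers from treating it as an arbitrary large value. The example also sets `IsVerified`, `IsRoot` and `IsAdminManaged`, which I believe the Graph domain resource exposes as read-only — confirm that the resource's Set tolerates them being present, otherwise the Create example fails on first apply.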
@@ -0,0 +1,40 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADDomain "AADDomain-Contoso"
+ {
+ ApplicationId = $ApplicationId;
+ AuthenticationType = "Managed";
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ Id = "contoso.com";
+ IsAdminManaged = $True;
+ IsDefault = $True;
+ IsRoot = $True;
+ IsVerified = $False; #Drift
+ PasswordNotificationWindowInDays = 14;
+ PasswordValidityPeriodInDays = 2147483647;
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADDomain/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADDomain/3-Remove.ps1
new file mode 100644
index 0000000000..9ecf6a71ee
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADDomain/3-Remove.ps1
@@ -0,0 +1,33 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADDomain "AADDomain-Contoso"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ Id = "contoso.com";
+ TenantId = $TenantId;
+ }
+ }
+}
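Review bot: The drift chosen for this update example is `IsVerified = $False; #Drift`, but domain verification in Entra ID is the outcome of a DNS proof, not a value an admin writes back, so if the resource only reads that property (confirm against the resource's Set function) this example never exercises an actual update path. Drift on a property the resource can set, e.g. `PasswordNotificationWindowInDays = 30; #Drift`, would test something real. The sibling 3-Remove in the same line is fine as a pure `Ensure = "Absent"` example.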
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/1-Create.ps1
new file mode 100644
index 0000000000..0b86b74b9a
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/1-Create.ps1
@@ -0,0 +1,66 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADIdentityGovernanceLifecycleWorkflow "AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version"
+ {
+ Category = "joiner";
+ Description = "Description the onboard of prehire employee";
+ DisplayName = "Onboard pre-hire employee updated version";
+ Ensure = "Present";
+ ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions {
+ ScopeValue = MSFT_IdentityGovernanceScope {
+ Rule = '(not (country eq ''Brazil''))'
+ ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
+ }
+ TriggerValue = MSFT_IdentityGovernanceTrigger {
+ OffsetInDays = 4
+ TimeBasedAttribute = 'employeeHireDate'
+ ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
+ }
+ ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
+ };
+ IsEnabled = $True;
+ IsSchedulingEnabled = $False;
+ Tasks = @(
+ MSFT_AADIdentityGovernanceTask {
+ DisplayName = 'Add user to groups'
+ Description = 'Add user to selected groups'
+ Category = 'joiner,leaver,mover'
+ IsEnabled = $True
+ ExecutionSequence = 1
+ ContinueOnError = $True
+ TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910'
+ Arguments = @(
+ MSFT_AADIdentityGovernanceTaskArguments {
+ Name = 'groupID'
+ Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565'
+ }
+ )
+ }
+ );
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
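Review bot: The only task in this joiner workflow adds the new hire to the group `7ad01e00-8c3a-42a6-baaf-39f2390b2565` with `ContinueOnError = $True`, so a failed group add is swallowed and the workflow still reports success; for an onboarding step that grants access that is usually the wrong default, and the example should say why it was chosen, e.g. `ContinueOnError = $True # test tenant only; onboarding access grants should normally fail loudly`. The group GUID and the `TaskDefinitionId` are also tenant/Microsoft constants with no explanation; a comment naming what `22085229-5809-45e8-97fd-270d28d66910` is (the built-in "Add user to groups" task, per the DisplayName) would help readers who cannot look it up.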
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/2-Update.ps1
new file mode 100644
index 0000000000..b7db5fd0a6
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/2-Update.ps1
@@ -0,0 +1,69 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADIdentityGovernanceLifecycleWorkflow "AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version"
+ {
+ Category = "joiner";
+ #updated description
+ Description = "Updated description the onboard of prehire employee";
+ DisplayName = "Onboard pre-hire employee updated version";
+ Ensure = "Present";
+ ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions {
+ ScopeValue = MSFT_IdentityGovernanceScope {
+ #updated rule
+ Rule = '(not (country eq ''America''))'
+ ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
+ }
+ TriggerValue = MSFT_IdentityGovernanceTrigger {
+ OffsetInDays = 4
+ TimeBasedAttribute = 'employeeHireDate'
+ ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
+ }
+ ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
+ };
+ IsEnabled = $True;
+ IsSchedulingEnabled = $False;
+ Tasks = @(
+ MSFT_AADIdentityGovernanceTask {
+ DisplayName = 'Add user to groups'
+ #updated description
+ Description = 'Add user to selected groups updated'
+ Category = 'joiner,leaver,mover'
+ IsEnabled = $True
+ ExecutionSequence = 1
+ ContinueOnError = $True
+ TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910'
+ Arguments = @(
+ MSFT_AADIdentityGovernanceTaskArguments {
+ Name = 'groupID'
+ Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565'
+ }
+ )
+ }
+ );
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/3-Remove.ps1
new file mode 100644
index 0000000000..0af81405a2
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADIdentityGovernanceLifecycleWorkflow/3-Remove.ps1
@@ -0,0 +1,66 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADIdentityGovernanceLifecycleWorkflow "AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version"
+ {
+ Category = "joiner";
+ Description = "Updated description the onboard of prehire employee";
+ DisplayName = "Onboard pre-hire employee updated version";
+ Ensure = "Absent";
+ ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions {
+ ScopeValue = MSFT_IdentityGovernanceScope {
+ Rule = '(not (country eq ''America''))'
+ ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet'
+ }
+ TriggerValue = MSFT_IdentityGovernanceTrigger {
+ OffsetInDays = 4
+ TimeBasedAttribute = 'employeeHireDate'
+ ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger'
+ }
+ ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions'
+ };
+ IsEnabled = $True;
+ IsSchedulingEnabled = $False;
+ Tasks = @(
+ MSFT_AADIdentityGovernanceTask {
+ DisplayName = 'Add user to groups'
+ Description = 'Add user to selected groups updated'
+ Category = 'joiner,leaver,mover'
+ IsEnabled = $True
+ ExecutionSequence = 1
+ ContinueOnError = $True
+ TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910'
+ Arguments = @(
+ MSFT_AADIdentityGovernanceTaskArguments {
+ Name = 'groupID'
+ Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565'
+ }
+ )
+ }
+ );
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADLifecycleWorkflowSettings/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADLifecycleWorkflowSettings/2-Update.ps1
new file mode 100644
index 0000000000..b6db1874a8
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/AADLifecycleWorkflowSettings/2-Update.ps1
@@ -0,0 +1,35 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ AADLifecycleWorkflowSettings "AADLifecycleWorkflowSettings"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ IsSingleInstance = "Yes";
+ SenderDomain = "microsoft.com";
+ TenantId = $TenantId;
+ UseCompanyBranding = $True;
+ WorkflowScheduleIntervalInHours = 10;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/ADOPermissionGroupSettings/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/ADOPermissionGroupSettings/2-Update.ps1
new file mode 100644
index 0000000000..fe74d94ba6
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/ADOPermissionGroupSettings/2-Update.ps1
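Review bot: `SenderDomain = "microsoft.com"` is a domain no customer tenant owns, and lifecycle-workflow notifications are sent from a domain verified in the tenant, so this value is either rejected or silently ignored when someone runs the example (confirm against the resource's Set function). Every other example in this change uses `contoso.com`; use `SenderDomain = "contoso.com";` here too, and add a short comment such as `# must be a domain verified in the tenant` so the constraint is visible.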
@@ -0,0 +1,33 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [PSCredential]
+ $Credential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ ADOPermissionGroupSettings "ADOPermissionGroupSettings-O365DSC-DEV"
+ {
+ AllowPermissions = @(
+ MSFT_ADOPermission {
+ NamespaceId = '5a27515b-ccd7-42c9-84f1-54c998f03866'
+ DisplayName = 'Edit identity information'
+ Bit = '2'
+ Token = 'f6492b10-7ae8-4641-8208-ff5c364a6154\dbe6034e-8fbe-4d6e-a7f3-07a7e70816c9'
+ }
+ );
+ Credential = $Credential;
+ DenyPermissions = @();
+ Descriptor = "vssgp.Uy0xLTktMTU1MTM3NDI0NS0yNzEyNzI0MzgtMzkwMDMyNjIxNC0yMTgxNjI3NzQwLTkxMDg0NDI0NC0xLTgyODcyNzAzNC0yOTkzNjA0MTcxLTI5MjUwMjk4ODgtNTY0MDg1OTcy";
+ GroupName = "[O365DSC-DEV]\My Test Group";
+ OrganizationName = "O365DSC-DEV";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOATPBuiltInProtectionRule/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOATPBuiltInProtectionRule/2-Update.ps1
new file mode 100644
index 0000000000..3c3fc7ea9c
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOATPBuiltInProtectionRule/2-Update.ps1
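Review bot: The `Descriptor`, `NamespaceId` and `Token` values are opaque identifiers lifted from one real organization, and nothing in the example tells a reader which of them is stable across organizations and which must be replaced. The `Descriptor` in particular is a base64-encoded group SID that is meaningless outside the `O365DSC-DEV` org, so the example cannot be applied as-is; a comment such as `# Descriptor and Token are org-specific; copy them from the group's security page or an Export` on that line would save the next reader a failed run. This is also the only example in the change that still authenticates with `$Credential` rather than the certificate triple, which is fine for Azure DevOps but worth a one-line note so it does not look like an oversight.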
@@ -0,0 +1,33 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOATPBuiltInProtectionRule "EXOATPBuiltInProtectionRule"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ ExceptIfRecipientDomainIs = @("contoso.com","fabrikam.com");
+ Identity = "ATP Built-In Protection Rule";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxFolderPermission/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxFolderPermission/1-Create.ps1
index 512a22ca2a..30d854debf 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxFolderPermission/1-Create.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxFolderPermission/1-Create.ps1
@@ -25,10 +25,12 @@ Configuration Example
 {
 EXOMailboxFolderPermission "EXOMailboxFolderPermission-admin:\Calendar"
 {
- Credential = $Credscredential;
- Ensure = "Present";
- Identity = "amdin:\Calendar";
- UserPermissions = @(MSFT_EXOMailboxFolderUserPermission {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Ensure = "Present";
+ Identity = "amdin:\Calendar";
+ UserPermissions = @(MSFT_EXOMailboxFolderUserPermission {
 User = 'Default'
 AccessRights = 'AvailabilityOnly'
 }
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxFolderPermission/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxFolderPermission/2-Update.ps1
index 22c39789c9..53f644e60e 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxFolderPermission/2-Update.ps1
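Review bot: `ExceptIfRecipientDomainIs = @("contoso.com","fabrikam.com")` exempts every recipient in two whole domains from the Built-In Protection preset, which is the widest possible exception on a rule whose purpose is a safety floor, and the example gives no hint that this weakens protection rather than tunes it. Since it is the only 2-Update example for this resource and will be copied as the "how to configure this" pattern, a comment on that line, e.g. `# Exempting whole domains removes preset protections for every mailbox in them; prefer ExceptIfSentTo for individual test mailboxes`, is warranted.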
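Review bot: The new `Identity = "amdin:\Calendar";` line in 1-Create keeps the `amdin` typo from the removed line while the resource's own name and the 2-Update example use `admin:\Calendar`, so the create and update examples target two different mailboxes and the update can never find the folder the create example produced. Since this hunk already rewrites that line for the auth change, it is the place to fix it: `Identity = "admin:\Calendar";`. The enclosing `Configuration Example` block and its param section are outside the hunk, so I cannot confirm from here that `$ApplicationId`, `$TenantId` and `$CertificateThumbprint` are declared there as the new lines assume.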
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxFolderPermission/2-Update.ps1
@@ -23,10 +23,12 @@ Configuration Example
 {
 EXOMailboxFolderPermission "EXOMailboxFolderPermission-admin:\Calendar"
 {
- Credential = $Credscredential;
- Ensure = "Present";
- Identity = "admin:\Calendar";
- UserPermissions = @(MSFT_EXOMailboxFolderUserPermission {
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Ensure = "Present";
+ Identity = "admin:\Calendar";
+ UserPermissions = @(MSFT_EXOMailboxFolderUserPermission {
 User = 'Default'
 AccessRights = 'AvailabilityOnly'
 }
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/1-Create.ps1
index f47d2d2105..224ba6554e 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/1-Create.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/1-Create.ps1
@@ -23,11 +23,13 @@ Configuration Example
 {
 EXOMailboxIRMAccess "EXOMailboxIRMAccess-qwe@testorg.onmicrosoft.com"
 {
- AccessLevel = "Block";
- Credential = $Credscredential;
- Ensure = "Present";
- Identity = "qwe@$OrganizationName";
- User = "admin@$OrganizationName";
+ AccessLevel = "Block";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Ensure = "Present";
+ Identity = "qwe@$OrganizationName";
+ User = "admin@$OrganizationName";
 }
 }
 }
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/2-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/2-Remove.ps1
new file mode 100644
index 0000000000..e57be7daf4
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/2-Remove.ps1
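Review bot: The rewritten `Identity = "qwe@$OrganizationName";` and `User = "admin@$OrganizationName";` lines still interpolate `$OrganizationName`, which was presumably supplied by the `$Credscredential`-era param block that this hunk stops using; the param section is outside the hunk, so I cannot see whether `$OrganizationName` is still declared, but the sibling 2-Remove file added in this same change declares only `$ApplicationId`, `$TenantId` and `$CertificateThumbprint`. If 1-Create was aligned the same way, both strings now expand to `"qwe@"` and `"admin@"` and the example fails on an invalid identity. Either keep an `$OrganizationName` parameter in this file or replace the interpolation with a literal, e.g. `Identity = "qwe@contoso.onmicrosoft.com";`.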
@@ -0,0 +1,35 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOMailboxIRMAccess "EXOMailboxIRMAccess-qwe@testorg.onmicrosoft.com"
+ {
+ AccessLevel = "Block";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ Ensure = "Absent";
+ Identity = "qwe@$OrganizationName";
+ User = "admin@$OrganizationName";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1
index ba630d844a..e583a1d42c 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/1-Create.ps1
@@ -25,7 +25,9 @@ Configuration Example
 {
 EXOManagementScope "EXOManagementScope-Test New DGs"
 {
- Credential = $Credscredential;
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
 Ensure = "Present";
 Exclusive = $False;
 Identity = "Test New DGs";
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/2-Update.ps1
index 64528717e8..8ceabe1be9 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/2-Update.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/2-Update.ps1
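Review bot: `$OrganizationName` is referenced in `Identity = "qwe@$OrganizationName";` and `User = "admin@$OrganizationName";` but this new file declares only `$ApplicationId`, `$TenantId` and `$CertificateThumbprint`, so the variable is undefined and the strings compile to `"qwe@"` and `"admin@"`, making the remove example fail on an invalid identity. Either add a fourth parameter, `[Parameter()] [System.String] $OrganizationName`, to the param block, or use literal placeholder addresses such as `Identity = "qwe@contoso.onmicrosoft.com";` like the resource instance name already does. Whatever the fix, keep 1-Create and 2-Remove identical on this point so the pair actually round-trips.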
@@ -23,7 +23,9 @@ Configuration Example
 {
 EXOManagementScope "EXOManagementScope-Test New DGs"
 {
- Credential = $Credscredential;
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
 Ensure = "Present";
 Exclusive = $False;
 Identity = "Test New DGs";
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/3-Remove.ps1
index 3524dc103d..1b2e95e5af 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/3-Remove.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOManagementScope/3-Remove.ps1
@@ -23,7 +23,9 @@ Configuration Example
 {
 EXOManagementScope "EXOManagementScope-Test New DGs"
 {
- Credential = $Credscredential;
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
 Ensure = "Absent";
 Exclusive = $False;
 Identity = "Test New DGs";
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/1-Create.ps1
new file mode 100644
index 0000000000..58211df214
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/1-Create.ps1
@@ -0,0 +1,42 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOMigrationEndpoint "EXOMigrationEndpoint-testIMAP"
+ {
+ AcceptUntrustedCertificates = $True;
+ Authentication = "Basic";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ EndpointType = "IMAP";
+ Ensure = "Present";
+ Identity = "testIMAP";
+ MailboxPermission = "Admin";
+ MaxConcurrentIncrementalSyncs = "10";
+ MaxConcurrentMigrations = "20";
+ Port = 993;
+ RemoteServer = "gmail.com";
+ Security = "Tls";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/2-Update.ps1
new file mode 100644
index 0000000000..85ec1ba902
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/2-Update.ps1
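Review bot: `AcceptUntrustedCertificates = $True;` on an IMAP endpoint that also uses `Authentication = "Basic"` means the migration service will hand a mailbox password to any host that answers on `gmail.com:993`, including one presenting a forged certificate, and the example presents this as the plain way to create an endpoint. The default for a first example should be the safe one, `AcceptUntrustedCertificates = $False;`, with the insecure value, if it is needed for a lab with self-signed certs, shown behind a comment such as `# set to $True only for lab servers with self-signed certificates; it disables certificate validation`. Note also that `gmail.com` is not an IMAP host (Google's is `imap.gmail.com`), so the endpoint as written would fail validation anyway; a `contoso.com`-style placeholder avoids implying a real third-party target.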
@@ -0,0 +1,43 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOMigrationEndpoint "EXOMigrationEndpoint-testIMAP"
+ {
+ AcceptUntrustedCertificates = $True;
+ Authentication = "Basic";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ EndpointType = "IMAP";
+ Ensure = "Present";
+ Identity = "testIMAP";
+ MailboxPermission = "Admin";
+ MaxConcurrentIncrementalSyncs = "10";
+ MaxConcurrentMigrations = "20";
+ Port = 993;
+ RemoteServer = "gmail.com";
+ # value for security updated from Tls to None
+ Security = "None";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/3-Remove.ps1
new file mode 100644
index 0000000000..e1e47e2730
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMigrationEndpoint/3-Remove.ps1
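Review bot: The drift this update example demonstrates is `Security = "None";` on an endpoint whose `Authentication = "Basic";`, i.e. it downgrades a TLS IMAP connection to cleartext with a password on the wire, while still pointing at `Port = 993;`, the implicit-TLS port, so the combination is both insecure and very likely non-functional. An update example is copied as the pattern for changing a property, so the drift should be on a harmless field, e.g. `MaxConcurrentMigrations = "30"; # updated from 20`, keeping `Security = "Tls";`. If the intent really is to show that Security is settable, the existing comment should at least say `# lab only: "None" sends Basic credentials unencrypted` rather than only noting the change.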
@@ -0,0 +1,42 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ EXOMigrationEndpoint "EXOMigrationEndpoint-testIMAP"
+ {
+ AcceptUntrustedCertificates = $True;
+ Authentication = "Basic";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ EndpointType = "IMAP";
+ Ensure = "Absent";
+ Identity = "testIMAP";
+ MailboxPermission = "Admin";
+ MaxConcurrentIncrementalSyncs = "10";
+ MaxConcurrentMigrations = "20";
+ Port = 993;
+ RemoteServer = "gmail.com";
+ Security = "None";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/1-Create.ps1
new file mode 100644
index 0000000000..d5b7854a82
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/1-Create.ps1
@@ -0,0 +1,44 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy'
+ {
+ DisplayName = 'test'
+ DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10
+ {
+ History = 10
+ EnablePinRecovery = 'true'
+ }
+ UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10
+ {
+ History = 20
+ EnablePinRecovery = 'true'
+ }
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/2-Update.ps1
new file mode 100644
index 0000000000..4ea17bbc2c
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/2-Update.ps1
@@ -0,0 +1,44 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy'
+ {
+ DisplayName = 'test'
+ DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10
+ {
+ History = 10
+ EnablePinRecovery = 'true'
+ }
+ UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10
+ {
+ History = 30 # Updated property
+ EnablePinRecovery = 'true'
+ }
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/3-Remove.ps1
new file mode 100644
index 0000000000..93129a03ad
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy'
+ {
+ DisplayName = 'test'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/1-Create.ps1
new file mode 100644
index 0000000000..b985c55712
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/1-Create.ps1
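Review bot: The remove example identifies the policy only by `DisplayName = 'test'`, and the 1-Create/2-Update siblings never set an `Id`, so removal matches on a display name that is about as generic as it gets; if the resource resolves the policy by display name (the usual pattern for settings-catalog resources, to be confirmed in its Get function) an `Ensure = 'Absent'` run in a tenant that already has a policy called "test" deletes the wrong object. A less collision-prone name across all three files, e.g. `DisplayName = 'M365DSC Example - Account Protection'`, or a comment on the Remove stating that deletion is keyed by display name, would make the hazard visible.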
@@ -0,0 +1,51 @@
+<#
+This example creates a new Device Remediation.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '11111111-1111-1111-1111-111111111111'
+ }
+ );
+ AllowCameraMicrophoneRedirection = "1";
+ AllowPersistence = "0";
+ AllowVirtualGPU = "0";
+ AllowWindowsDefenderApplicationGuard = "1";
+ ClipboardFileType = "1";
+ ClipboardSettings = "0";
+ Description = 'Description'
+ DisplayName = "App and Browser Isolation";
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ InstallWindowsDefenderApplicationGuard = "install";
+ SaveFilesToHost = "0";
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/2-Update.ps1
new file mode 100644
index 0000000000..8f3133d7cf
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/2-Update.ps1
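Review bot: The header comment `This example creates a new Device Remediation.` is a copy-paste from another resource; the file configures `IntuneAppAndBrowserIsolationPolicyWindows10`, so the comment should read `This example creates a new App and Browser Isolation (Application Guard) policy for Windows 10.` and, like the other examples in this change, carry the "not meant to use as a production baseline" line. Separately, `Id = '00000000-0000-0000-0000-000000000000'` is an all-zero GUID that the Graph service will never return for a real policy; if the resource keys on `DisplayName` when the Id does not match (to confirm in its Get function) this works by accident, and a comment such as `# placeholder; the Id is assigned by Intune on create` would stop readers from pasting a fake Id into their own configs.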
@@ -0,0 +1,51 @@
+<#
+This example updates a new Device Remediation.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '11111111-1111-1111-1111-111111111111'
+ }
+ );
+ AllowCameraMicrophoneRedirection = "0"; # Updated property
+ AllowPersistence = "0";
+ AllowVirtualGPU = "0";
+ AllowWindowsDefenderApplicationGuard = "1";
+ ClipboardFileType = "1";
+ ClipboardSettings = "0";
+ Description = 'Description'
+ DisplayName = "App and Browser Isolation";
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ InstallWindowsDefenderApplicationGuard = "install";
+ SaveFilesToHost = "0";
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/3-Remove.ps1
new file mode 100644
index 0000000000..a6a52ed29b
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/3-Remove.ps1
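Review bot: The header `This example updates a new Device Remediation.` is wrong twice over: the resource is `IntuneAppAndBrowserIsolationPolicyWindows10`, and an update example does not create a "new" object. Suggested wording: `This example updates an existing App and Browser Isolation policy for Windows 10 (AllowCameraMicrophoneRedirection is changed from the 1-Create example).` The `# Updated property` marker on `AllowCameraMicrophoneRedirection = "0";` is good; it would help to state the direction too, since "0" here is the more restrictive value and readers may assume an update example loosens a setting.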
@@ -0,0 +1,34 @@
+<#
+This example removes a Device Remediation.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
+ {
+ Id = '00000000-0000-0000-0000-000000000000'
+ DisplayName = 'App and Browser Isolation'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/1-Create.ps1
new file mode 100644
index 0000000000..04a9cefe20
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/1-Create.ps1
@@ -0,0 +1,27 @@
+<# This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline. #>
+Configuration Example {
+ param(
+ [Parameter()]
+ [System.String] $ApplicationId,
+
+ [Parameter()]
+ [System.String] $TenantId,
+
+ [Parameter()]
+ [System.String] $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost {
+ IntuneDerivedCredential "IntuneDerivedCredential-K5"
+ {
+ DisplayName = "K5";
+ HelpUrl = "http://www.ff.com/";
+ Id = "a409d85f-2a49-440d-884a-80fb52a557ab";
+ Issuer = "purebred";
+ NotificationType = "email";
+ Ensure = "Present";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/2-Update.ps1
new file mode 100644
index 0000000000..04a9cefe20
--- /dev/null
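Review bot: The header `This example removes a Device Remediation.` names the wrong resource; this file removes an `IntuneAppAndBrowserIsolationPolicyWindows10` policy, so it should say `This example removes the App and Browser Isolation policy created in 1-Create.` The removal is keyed by the all-zero `Id = '00000000-0000-0000-0000-000000000000'` plus `DisplayName = 'App and Browser Isolation'`, and which of the two the resource actually uses to locate the policy is not visible here; a one-line comment stating which one wins would keep a reader from trusting the fake Id.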
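Review bot: The `IntuneDerivedCredential` resource block never receives `ApplicationId`, `TenantId` or `CertificateThumbprint` even though the param block declares all three, so unlike every other example in this change the configuration has no authentication parameters at all and will fail (or fall through to whatever the module's default auth is) when compiled. Add the three lines inside the resource, `ApplicationId = $ApplicationId;`, `TenantId = $TenantId;`, `CertificateThumbprint = $CertificateThumbprint;`. `HelpUrl = "http://www.ff.com/";` is also a plain-http link to a third-party domain that Intune will show to end users on the derived-credential enrollment screen; an `https://` placeholder under a documentation domain, e.g. `https://contoso.com/derived-credentials`, avoids pointing users at an unrelated site.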
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/2-Update.ps1
@@ -0,0 +1,27 @@
+<# This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline. #>
+Configuration Example {
+ param(
+ [Parameter()]
+ [System.String] $ApplicationId,
+
+ [Parameter()]
+ [System.String] $TenantId,
+
+ [Parameter()]
+ [System.String] $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost {
+ IntuneDerivedCredential "IntuneDerivedCredential-K5"
+ {
+ DisplayName = "K5";
+ HelpUrl = "http://www.ff.com/";
+ Id = "a409d85f-2a49-440d-884a-80fb52a557ab";
+ Issuer = "purebred";
+ NotificationType = "email";
+ Ensure = "Present";
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/3-Remove.ps1
new file mode 100644
index 0000000000..4c67edeead
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDerivedCredential/3-Remove.ps1
@@ -0,0 +1,27 @@
+<# This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline. #>
+Configuration Example {
+ param(
+ [Parameter()]
+ [System.String] $ApplicationId,
+
+ [Parameter()]
+ [System.String] $TenantId,
+
+ [Parameter()]
+ [System.String] $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost {
+ IntuneDerivedCredential "IntuneDerivedCredential-K5"
+ {
+ DisplayName = "K5";
+ HelpUrl = "http://www.ff.com/";
+ Id = "a409d85f-2a49-440d-884a-80fb52a557ab";
+ Issuer = "purebred";
+ NotificationType = "email";
+ Ensure = "Absent";
+ }
+ }
+}
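Review bot: 2-Update is byte-identical to 1-Create; both files carry the same blob hash `04a9cefe20` in their `index` lines, and the resource block has no changed property and no drift marker. An update example that changes nothing does not exercise the Set path, which is what the 1-Create/2-Update/3-Remove triplet exists to cover; change one writable property and mark it, e.g. `NotificationType = "companyPortal"; # updated from email`. The same missing `ApplicationId`/`TenantId`/`CertificateThumbprint` assignments noted for 1-Create apply to this file and to the 3-Remove hunk on the same line.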
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1
index 2cf142bdf2..85a7af0f70 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1
@@ -31,6 +31,9 @@ Configuration Example
 ApplicationId = $ApplicationId;
 TenantId = $TenantId;
 CertificateThumbprint = $CertificateThumbprint;
+ ConfigurationBlob = "Blob"
+ ConfigurationType = "onboard"
+ SampleSharing = 1
 }
 }
 }
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1
index 21679df4b0..e68894c238 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1
@@ -31,6 +31,9 @@ Configuration Example
 ApplicationId = $ApplicationId;
 TenantId = $TenantId;
 CertificateThumbprint = $CertificateThumbprint;
+ ConfigurationBlob = "Blob"
+ ConfigurationType = "onboard"
+ SampleSharing = 1
 }
 }
 }
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/1-Create.ps1
new file mode 100644
index 0000000000..f19c52da7d
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/1-Create.ps1
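Review bot: `ConfigurationBlob = "Blob"` is a placeholder for the Defender for Endpoint onboarding package, but nothing says so, and a real onboarding blob is tenant-bound material that lets any machine enroll into that tenant's MDE workspace; once a user replaces the placeholder in a config that gets committed or exported, the secret travels with it. A comment on that line is worth more than the value itself: `# Placeholder. The real onboarding blob comes from the Defender portal and is tenant-specific; never commit it, pass it in as a parameter or pull it from a vault.` The same three lines are added to 2-Update on this line, and `SampleSharing = 1` turns on automatic sample submission, which some tenants treat as a data-handling decision; a short `# 1 = allow sample submission` would make that explicit. The `Configuration Example` block starts outside both hunks, so I could not check that nothing else changed.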
@@ -0,0 +1,62 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileAppsMacOSLobApp "IntuneMobileAppsMacOSLobApp-TeamsForBusinessInstaller"
+ {
+ Id = "8d027f94-0682-431e-97c1-827d1879fa79";
+ Description = "TeamsForBusinessInstaller";
+ Developer = "Contoso";
+ DisplayName = "TeamsForBusinessInstaller";
+ Ensure = "Present";
+ InformationUrl = "";
+ IsFeatured = $False;
+ MinimumSupportedOperatingSystem = MSFT_DeviceManagementMinimumOperatingSystem{
+ v11_0 = $true
+ }
+ Notes = "";
+ Owner = "";
+ PrivacyInformationUrl = "";
+ Publisher = "Contoso";
+ Assignments = @(
+ MSFT_DeviceManagementMobileAppAssignment {
+ groupDisplayName = 'All devices'
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ intent = 'required'
+ }
+ MSFT_DeviceManagementMobileAppAssignment{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '57b5e81c-85bb-4644-a4fd-33b03e451c89'
+ intent = 'required'
+ }
+ );
+ Categories = @(
+ MSFT_DeviceManagementMobileAppCategory {
+ Id = '1bff2652-03ec-4a48-941c-152e93736515'
+ DisplayName = 'Kajal 3'
+ });
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1
new file mode 100644
index 0000000000..f7746f29b1
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/2-Update.ps1
@@ -0,0 +1,62 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileAppsMacOSLobApp "IntuneMobileAppsMacOSLobApp-TeamsForBusinessInstaller"
+ {
+ Id = "8d027f94-0682-431e-97c1-827d1879fa79";
+ Description = "TeamsForBusinessInstaller";
+ Developer = "Contoso drift"; #drift
+ DisplayName = "TeamsForBusinessInstaller";
+ Ensure = "Present";
+ InformationUrl = "";
+ IsFeatured = $False;
+ MinimumSupportedOperatingSystem = MSFT_DeviceManagementMinimumOperatingSystem{
+ v11_0 = $true
+ }
+ Notes = "";
+ Owner = "";
+ PrivacyInformationUrl = "";
+ Publisher = "Contoso";
+ PublishingState = "published";
+ Assignments = @(
+ MSFT_DeviceManagementMobileAppAssignment {
+ groupDisplayName = 'All devices'
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ intent = 'required'
+ }
+ MSFT_DeviceManagementMobileAppAssignment {
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '57b5e81c-85bb-4644-a4fd-33b03e451c89'
+ intent = 'required'
+ }
+ );
+ Categories = @(MSFT_DeviceManagementMobileAppCategory {
+ Id = '1bff2652-03ec-4a48-941c-152e93736515'
+ DisplayName = 'Kajal 3'
+ });
+ }
+ }
+}
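Review bot: Only `Developer = "Contoso drift"; #drift` is marked as the intended drift, but this update example also introduces `PublishingState = "published";`, which the 1-Create file does not set, so the update changes two properties; either add `PublishingState` to 1-Create as well or widen the comment to `# drift: Developer and PublishingState`. The second `MSFT_DeviceManagementMobileAppAssignment {` block and the `Categories = @(MSFT_DeviceManagementMobileAppCategory {` line are also laid out differently from 1-Create, which makes the two files harder to diff by eye; keeping the layout identical apart from the drifted lines would help.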
diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/3-Remove.ps1
similarity index 62%
rename from Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/2-Update.ps1
rename to Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/3-Remove.ps1
index b516274848..4d1bf4b0a7 100644
--- a/Modules/Microsoft365DSC/Examples/Resources/EXOMailboxIRMAccess/2-Update.ps1
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsMacOSLobApp/3-Remove.ps1
@@ -18,9 +18,15 @@ Configuration Example
 [System.String]
 $CertificateThumbprint
 )
 
+ Import-DscResource -ModuleName Microsoft365DSC
 node localhost
 {
-
+ IntuneMobileAppsMacOSLobApp "IntuneMobileAppsMacOSLobApp-TeamsForBusinessInstaller"
+ {
+ Id = "8d027f94-0682-431e-97c1-827d1879fa79";
+ DisplayName = "TeamsForBusinessInstaller";
+ Ensure = "Absent";
+ }
 }
 }
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/1-Create.ps1
new file mode 100644
index 0000000000..1eb9c2d9fb
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/1-Create.ps1
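Review bot: This hunk is a git rename of `EXOMailboxIRMAccess/2-Update.ps1` into the IntuneMobileAppsMacOSLobApp folder (62% similarity), which leaves the EXOMailboxIRMAccess resource without its 2-Update example, and nothing in the visible part of the diff recreates it; if that is unintended, add `3-Remove.ps1` as a new file and keep the EXO example where it was. The removed line is an empty `node localhost` body, so the old EXO file seems to have been an empty placeholder, which is worth confirming before dropping it. The enclosing `Configuration Example` starts outside the hunk.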
@@ -0,0 +1,54 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later"
+ {
+ Id = "8e683524-4ec1-4813-bb3e-6256b2f293d"
+ Description = "Microsoft 365 Apps for Windows 10 and laterr"
+ DisplayName = "Microsoft 365 Apps for Windows 10 and later"
+ Ensure = "Present";
+ InformationUrl = "";
+ IsFeatured = $False;
+ Notes = ""
+ PrivacyInformationUrl = ""
+ RoleScopeTagIds = @()
+ Assignments = @(
+ MSFT_DeviceManagementMobileAppAssignment{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c'
+ intent = 'required'
+ }
+ );
+ Categories = @(
+ MSFT_DeviceManagementMobileAppCategory {
+ Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8'
+ DisplayName = 'Productivity'
+ });
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/2-Update.ps1
new file mode 100644
index 0000000000..1eb9c2d9fb
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/2-Update.ps1
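Review bot: `Id = "8e683524-4ec1-4813-bb3e-6256b2f293d"` is one hex digit short of a GUID (35 characters), and it differs from the `8e683524-4ec1-4813-bb3e-6256b2f293d8` that 3-Remove uses for the same app, so Create and Remove target different ids; use the full value in both, and check which object that GUID actually belongs to, since 1-Create also uses it as the category `Id`. The 2-Update file is byte-identical to this one (both have blob `1eb9c2d9fb`), so it exercises no update at all; change at least one property there and mark it with a `# drift` comment as the other update examples do. `Description = "... laterr"` has a typo, and the property list mixes `;`-terminated and bare lines. The 2-Update hunk shares all of these points.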
@@ -0,0 +1,54 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later"
+ {
+ Id = "8e683524-4ec1-4813-bb3e-6256b2f293d"
+ Description = "Microsoft 365 Apps for Windows 10 and laterr"
+ DisplayName = "Microsoft 365 Apps for Windows 10 and later"
+ Ensure = "Present";
+ InformationUrl = "";
+ IsFeatured = $False;
+ Notes = ""
+ PrivacyInformationUrl = ""
+ RoleScopeTagIds = @()
+ Assignments = @(
+ MSFT_DeviceManagementMobileAppAssignment{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c'
+ intent = 'required'
+ }
+ );
+ Categories = @(
+ MSFT_DeviceManagementMobileAppCategory {
+ Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8'
+ DisplayName = 'Productivity'
+ });
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/3-Remove.ps1
new file mode 100644
index 0000000000..8b731ff4ac
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/3-Remove.ps1
@@ -0,0 +1,35 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later"
+ {
+ Id = "8e683524-4ec1-4813-bb3e-6256b2f293d8";
+ DisplayName = "Microsoft 365 Apps for Windows 10 and later";
+ Ensure = "Absent";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/1-Create.ps1
new file mode 100644
index 0000000000..4999c28f32
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/1-Create.ps1
@@ -0,0 +1,58 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy'
+ {
+ DisplayName = 'test'
+ DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise
+ {
+ L_ProtectionFromZoneElevation = '1'
+ L_grooveexe98 = '1'
+ L_excelexe99 = '1'
+ L_mspubexe100 = '1'
+ L_powerpntexe101 = '1'
+ L_pptviewexe102 = '1'
+ L_visioexe103 = '1'
+ L_winprojexe104 = '1'
+ L_winwordexe105 = '1'
+ L_outlookexe106 = '1'
+ L_spdesignexe107 = '1'
+ L_exprwdexe108 = '1'
+ L_msaccessexe109 = '1'
+ L_onenoteexe110 = '1'
+ L_mse7exe111 = '1'
+ }
+ UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise
+ {
+ MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1'
+ MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1'
+ MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '3'
+ }
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/2-Update.ps1
new file mode 100644
index 0000000000..9462f97414
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/2-Update.ps1
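Review bot: The DeviceSettings and UserSettings blocks are lists of opaque catalog keys with bare `'1'`/`'3'` values and nothing says what each selects, which matters for a file presented as a security baseline example that readers will copy; a comment at the top of each block pointing at the catalog option, e.g. `# Values are settings-catalog option ids; see the resource schema for what '1' and '3' select`, would help. As a point of style, `DisplayName = 'test'` and `Ensure = 'Present'` sit unterminated next to `;`-terminated connection lines; pick one convention. The same applies to the 2-Update and 3-Remove hunks and to the IntuneSecurityBaselineMicrosoftEdge examples.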
@@ -0,0 +1,58 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy'
+ {
+ DisplayName = 'test'
+ DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise
+ {
+ L_ProtectionFromZoneElevation = '1'
+ L_grooveexe98 = '1'
+ L_excelexe99 = '1'
+ L_mspubexe100 = '1'
+ L_powerpntexe101 = '1'
+ L_pptviewexe102 = '1'
+ L_visioexe103 = '1'
+ L_winprojexe104 = '1'
+ L_winwordexe105 = '1'
+ L_outlookexe106 = '1'
+ L_spdesignexe107 = '1'
+ L_exprwdexe108 = '1'
+ L_msaccessexe109 = '1'
+ L_onenoteexe110 = '1'
+ L_mse7exe111 = '1'
+ }
+ UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise
+ {
+ MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1'
+ MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1'
+ MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '2' # Updated property
+ }
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/3-Remove.ps1
new file mode 100644
index 0000000000..b9a8c3c849
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy'
+ {
+ DisplayName = 'test'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/1-Create.ps1
new file mode 100644
index 0000000000..fdb3b29ab6
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/1-Create.ps1
@@ -0,0 +1,38 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge'
+ {
+ DisplayName = 'test'
+ InsecurePrivateNetworkRequestsAllowed = "0";
+ InternetExplorerIntegrationReloadInIEModeAllowed = "0";
+ InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0";
+ InternetExplorerModeToolbarButtonEnabled = "0";
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/2-Update.ps1
new file mode 100644
index 0000000000..125c7be94d
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/2-Update.ps1
@@ -0,0 +1,38 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge'
+ {
+ DisplayName = 'test'
+ InsecurePrivateNetworkRequestsAllowed = "0";
+ InternetExplorerIntegrationReloadInIEModeAllowed = "0";
+ InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0";
+ InternetExplorerModeToolbarButtonEnabled = "1"; # Drift
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/3-Remove.ps1
new file mode 100644
index 0000000000..d9830b3fe9
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge'
+ {
+ DisplayName = 'test'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/1-Create.ps1
new file mode 100644
index 0000000000..82f9e9a159
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/1-Create.ps1
@@ -0,0 +1,33 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPAdminDLPPolicy "PPAdminDLPPolicy-Test"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "SuperTest";
+ Ensure = "Present";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/2-Update.ps1
new file mode 100644
index 0000000000..72da87212b
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/2-Update.ps1
@@ -0,0 +1,35 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPAdminDLPPolicy "PPAdminDLPPolicy-Test"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "SuperTest";
+ Ensure = "Present";
+ Environments = "Default-e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ FilterType = "include"; # Drift
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/3-Remove.ps1
new file mode 100644
index 0000000000..0703757596
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPAdminDLPPolicy/3-Remove.ps1
@@ -0,0 +1,33 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPAdminDLPPolicy "PPAdminDLPPolicy-Test"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ DisplayName = "SuperTest";
+ Ensure = "Absent";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/1-Create.ps1
new file mode 100644
index 0000000000..494899726e
--- /dev/null
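Review bot: The `# Drift` comment marks only `FilterType = "include";`, but `Environments = "Default-e91d4e0e-d5a5-4e3a-be14-2192592a59af";` is also absent from 1-Create, so this update changes two properties at once; either move `Environments` into 1-Create or widen the comment to `# Drift: Environments and FilterType added`. The `Default-<guid>` environment name embeds what looks like a real tenant id rather than a placeholder, and the same GUID is hard-coded as `PPTenantId` in the PPDLPPolicyConnectorConfigurations and PPPowerAppPolicyUrlPatterns examples further down; a published example should take it from a parameter or use an obviously fake value so readers do not copy one tenant's identifier into another's configuration.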
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/1-Create.ps1
@@ -0,0 +1,46 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPDLPPolicyConnectorConfigurations "PPDLPPolicyConnectorConfigurations-9fdd99b8-6c9f-4e9c-aafe-1a4c1e4fe451"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ ConnectorActionConfigurations = @(
+ MSFT_PPDLPPolicyConnectorConfigurationsAction{
+ actionRules = @(
+ MSFT_PPDLPPolicyConnectorConfigurationsActionRules{
+ actionId = 'CreateInvitation'
+ behavior = 'Allow'
+ }
+ )
+ connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager'
+ defaultConnectorActionRuleBehavior = 'Allow'
+ }
+ );
+ Ensure = "Present";
+ PolicyName = "DSCPolicy";
+ PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/2-Update.ps1
new file mode 100644
index 0000000000..402a6bf2e6
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/2-Update.ps1
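Review bot: The instance name `PPDLPPolicyConnectorConfigurations-9fdd99b8-6c9f-4e9c-aafe-1a4c1e4fe451` embeds a GUID that no property in the block uses (the policy is identified by `PolicyName = "DSCPolicy"` and `PPTenantId`), so a reader cannot tell what it refers to; either use a descriptive name such as `"PPDLPPolicyConnectorConfigurations-DSCPolicy"` or explain the GUID in a comment. The example also shows the permissive form of a connector configuration, `defaultConnectorActionRuleBehavior = 'Allow'` together with `behavior = 'Allow'` for `CreateInvitation`; a one-line comment saying that `'Block'` is the restrictive alternative (as 2-Update demonstrates) would stop a copied example from quietly opening the connector in a real policy. The naming point applies to the 2-Update and 3-Remove hunks as well.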
@@ -0,0 +1,46 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPDLPPolicyConnectorConfigurations "PPDLPPolicyConnectorConfigurations-9fdd99b8-6c9f-4e9c-aafe-1a4c1e4fe451"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ ConnectorActionConfigurations = @(
+ MSFT_PPDLPPolicyConnectorConfigurationsAction{
+ actionRules = @(
+ MSFT_PPDLPPolicyConnectorConfigurationsActionRules{
+ actionId = 'CreateInvitation'
+ behavior = 'Block' #drift
+ }
+ )
+ connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager'
+ defaultConnectorActionRuleBehavior = 'Allow'
+ }
+ );
+ Ensure = "Present";
+ PolicyName = "DSCPolicy";
+ PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/3-Remove.ps1
new file mode 100644
index 0000000000..72d8324ff1
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPDLPPolicyConnectorConfigurations/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPDLPPolicyConnectorConfigurations "PPDLPPolicyConnectorConfigurations-9fdd99b8-6c9f-4e9c-aafe-1a4c1e4fe451"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ PolicyName = "DSCPolicy";
+ PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/1-Create.ps1
new file mode 100644
index 0000000000..f658e08a3d
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/1-Create.ps1
@@ -0,0 +1,51 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPPowerAppPolicyUrlPatterns "PPPowerAppPolicyUrlPatterns"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ PolicyName = "DSCPolicy";
+ PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ RuleSet = @(
+ MSFT_PPPowerAPpPolicyUrlPatternsRule{
+ pattern = 'https://contoso.com'
+ customConnectorRuleClassification = 'General'
+ order = 1
+ }
+ MSFT_PPPowerAPpPolicyUrlPatternsRule{
+ pattern = 'https://fabrikam.com'
+ customConnectorRuleClassification = 'General'
+ order = 2
+ }
+ MSFT_PPPowerAPpPolicyUrlPatternsRule{
+ pattern = '*'
+ customConnectorRuleClassification = 'Ignore'
+ order = 3
+ }
+ );
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/2-Update.ps1
new file mode 100644
index 0000000000..e7a1509d29
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/2-Update.ps1
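Review bot: The CIM class is spelled `MSFT_PPPowerAPpPolicyUrlPatternsRule` (capital `AP`) in all three rules while the resource itself is `PPPowerAppPolicyUrlPatterns`; if the schema MOF declares the class with that casing this is fine, otherwise the example will not compile, so it is worth checking against the schema. The catch-all `pattern = '*'` rule with `customConnectorRuleClassification = 'Ignore'` at `order = 3` deserves a one-line comment stating what that classification does to every URL the earlier rules do not match, since readers copy rule sets like this into real policies. The 2-Update hunk shares both points.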
@@ -0,0 +1,51 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPPowerAppPolicyUrlPatterns "PPPowerAppPolicyUrlPatterns"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Present";
+ PolicyName = "DSCPolicy";
+ PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ RuleSet = @(
+ MSFT_PPPowerAPpPolicyUrlPatternsRule{
+ pattern = 'https://contoso.com'
+ customConnectorRuleClassification = 'General'
+ order = 1
+ }
+ MSFT_PPPowerAPpPolicyUrlPatternsRule{
+ pattern = 'https://tailspintoys.com' # drift
+ customConnectorRuleClassification = 'General'
+ order = 2
+ }
+ MSFT_PPPowerAPpPolicyUrlPatternsRule{
+ pattern = '*'
+ customConnectorRuleClassification = 'Ignore'
+ order = 3
+ }
+ );
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/3-Remove.ps1
new file mode 100644
index 0000000000..3c885442c3
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/PPPowerAppPolicyUrlPatterns/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ PPPowerAppPolicyUrlPatterns "PPPowerAppPolicyUrlPatterns"
+ {
+ ApplicationId = $ApplicationId;
+ CertificateThumbprint = $CertificateThumbprint;
+ Ensure = "Absent";
+ PolicyName = "DSCPolicy";
+ PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af";
+ TenantId = $TenantId;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1
index 68bd75c4a8..db41671f0b 100644
--- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1
+++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1
@@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation #
-# Generated on: 2024-10-02
+# Generated on: 2024-10-16
 @{
@@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module.
- ModuleVersion = '1.24.1002.1'
+ ModuleVersion = '1.24.1016.1'
 # Supported PSEditions # CompatiblePSEditions = @()
@@ -144,131 +144,82 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* AADApplication - * Added AppRoles - * Added AuthenticationBehavior - * Added KeyCredentials - * Added OptionalClaims - * Added PasswordCredentials - * Added PreAuthorizationApplications -* AADAuthenticationMethodPolicy - * Added ReportSuspiciousActivitySettings -* AADAuthenticationMethodPolicyHardware + ReleaseNotes = '* AADAdminConsentRequestPolicy * Initial release. -* AADEntitlementManagementSettings - * Initial release. -* AADFeatureRolloutPolicy - * Initial release -* AADGroup - * Fixes logic to evaluate license assignments and disabled plans. - FIXES [#5101](https://github.com/microsoft/Microsoft365DSC/issues/5101) - * Adds support to assign Service Principal as members or owners. - FIXES [#4972](https://github.com/microsoft/Microsoft365DSC/issues/4972) -* AADPasswordRuleSettings - * Initial release -* ADOOrganizationOwner +* AADApplication + * Fixed an issue trying to retrieve the beta instance. + * Added support for OnPremisesPublishing. + * Added support for ApplicationTemplate. + * Fixes an issue where trying to apply permissions complained about + duplicate entries. +* AADAuthenticationRequirement * Initial release. -* ADOPermissionGroup +* AADConnectorGroupApplicationProxy * Initial release. -* ADOSecurityPolicy +* AADCustomSecurityAttributeDefinition * Initial release. -* AzureSubscription - * Initial Release. -* DefenderSubscriptionDefenderPlan +* AADDeviceRegistrationPolicy * Initial release. -* EXOAntiPhishPolicy - * Use correct type integer for variable `PhishThresholdLevel` -* EXOArcConfig - * Initial Release. -* EXODnssecForVerifiedDomain - * Initial Release. -* EXOEmailTenantSettings - * Initial Release. -* EXOFocusedInbox - * Initial Release. -* EXOMailboxCalendarConfiguration - * Initial Release. -* EXOMailboxIRMAccess - * Initial Release. 
-* EXOMailboxFolderPermission - * Initial Release. -* EXOMailboxIRMAccess - * Initial Release. -* EXOMailTips - * Remove property `Ensure` since this resource is of type `IsSingleInstance` -* EXOManagementScope - * Initial Release. -* EXORetentionPolicy - * Initial Release. -* EXOPhishSimOverrideRule - * Initial Release. -* IntuneAntivirusPolicyWindows10SettingCatalog - * Fixes an issue with invalid parameter definition. - FIXES [#5015](https://github.com/microsoft/Microsoft365DSC/issues/5015) - * Fixes an issue where the `AccessTokens` parameter was not available. - FIXES [#5121](https://github.com/microsoft/Microsoft365DSC/issues/5121) -* IntuneAppCategory +* AADEntitlementManagementSettings + * Added support for ApplicationSecret +* AADIdentityGovernanceLifecycleWorkflow * Initial release. -* IntuneDeviceCompliancePolicyWindows10 - * Fixes an issue where the property `ValidOperatingSystemBuildRanges` was - not exported properly. - FIXES [#5030](https://github.com/microsoft/Microsoft365DSC/issues/5030) -* IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10 - * Add missing `AccessTokens` parameter to `Export-TargetResource` - FIXES [#5034](https://github.com/microsoft/Microsoft365DSC/issues/5034) -* IntuneFirewallPolicyWindows10 - * Initial release - FIXES [#3033](https://github.com/microsoft/Microsoft365DSC/issues/3033) -* IntuneSettingCatalogCustomPolicyWindows10 - * Update export logic to target more specific policy types. - * Prevent thrown exception to be caught by exception handler. - FIXES [#5088](https://github.com/microsoft/Microsoft365DSC/issues/5088) -* M365DSCDRGUtil - * Add support for more complex Intune Settings Catalog properties - * Update handling of `Update-IntuneDeviceConfigurationPolicy` to throw on error - FIXES [#5055](https://github.com/microsoft/Microsoft365DSC/issues/5055) -* M365DSCResourceGenerator - * Update Intune resource generation for the Settings Catalog. 
-* O365ExternalConnection +* AADLifecycleWorkflowSettings * Initial release. -* SCDeviceConditionalAccessRule +* AADServicePrincipal + * Adding Delegated Permission Classification Property +* ADOPermissionGroupSettings * Initial release. -* SCDeviceConfigurationRule +* EXOATPBuiltInProtectionRule * Initial release. -* SCInsiderRiskEntityList +* EXOMigrationEndpoint + * Initial Release +* IntuneAccountProtectionPolicy + * Added deprecation notice. +* IntuneAccountProtectionPolicyWindows10 + * Initial Release + FIXES [#5073](https://github.com/microsoft/Microsoft365DSC/issues/5073) +* IntuneAppAndBrowserIsolationPolicyWindows10 * Initial release. -* SCInsiderRiskPolicy + FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028) +* IntuneDerivedCredential * Initial release. -* SCRecordReviewNotificationTemplateConfig +* IntuneDeviceConfigurationIdentityProtectionPolicyWindows10 + * Added deprecation notice. +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Migrate to new Settings Catalog cmdlets. +* IntuneMobileAppsMacOSLobApp + * Initial release +* IntuneMobileAppsWindowsOfficeSuiteApp + * Initial release +* IntuneSecurityBaselineMicrosoft365AppsForEnterprise + * Initial release +* IntuneSecurityBaselineMicrosoftEdge + * Initial release +* PPAdminDLPPolicy * Initial release. -* SCRoleGroup - * Fixes an issue with creation without specifying Displayname - * Fixes an issue with Drifts because of returned Role format - FIXES [#5036](https://github.com/microsoft/Microsoft365DSC/issues/5036) -* SCAutoSensitivityLabelRule - * Fixed issue with incorrectly applying HeaderMatchesPatterns, even when - parameter wasn`t specified. - FIXES [#4641](https://github.com/microsoft/Microsoft365DSC/issues/4641) -* SCSensitivityLabel - * Added support for Auto Labeling settings - FIXES [#3784](https://github.com/microsoft/Microsoft365DSC/issues/3784) -* SentinelSetting +* PPDLPPolicyConnectorConfigurations * Initial release. 
-* SentinelWatchlist +* PPPowerAppPolicyUrlPatterns * Initial release. -* SPOAccessControlSettings - * Added support for property EnableRestrictedAccessControl. -* M365DSCUtil - * Fixes an issue where the O365Group workload was not properly detected. - FIXES [#5095](https://github.com/microsoft/Microsoft365DSC/issues/5095) +* TeamsClientConfiguration + * Fixed bug where RestrictedSenderList was always empty in the MSFT_TeamsClientConfiguration resource + FIXES [#5190](https://github.com/microsoft/Microsoft365DSC/issues/5190) + * Changed Set-TargetResource to always use semicolon as separator as mentioned in the MS documentation +* TeamsUpgradePolicy + * Added support for tenant wide changes using the * value for users. + FIXES [#5174](https://github.com/microsoft/Microsoft365DSC/issues/5174) +* M365DSCDRGUtil + * Fixes an issue for the handling of skipped one-property elements in the + Settings Catalog. FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) + * Add Set support for secret Settings Catalog values + * Removed unused functions + * Add support for device / user scoped settings. +* ResourceGenerator + * Add support for device / user scoped settings. * DEPENDENCIES - * Updated DSCParser to version 2.0.0.10. - * Updated Microsoft.Graph to version 2.23.0. - * Added dependencies on Az.Accounts, Az.Resources and Az.SecurityInsights - * Updated DSCParser to version 2.0.0.9. - * Updated MSCloudLoginAssistant to version 1.1.25. - * Added dependency on Microsoft.Graph.Beta.Search. - * Removed unnecessary dependency PSDesiredStateConfiguration v1.1' + * Updated DSCParser to version 2.0.0.11 + * Updated ReverseDSC to version 2.0.0.22' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 542a206b3d..e5ff29e4b2 100644 
--- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -105,7 +105,7 @@ function Rename-M365DSCCimInstanceParameter $subValue = Rename-M365DSCCimInstanceParameter $property -KeyMapping $KeyMapping if ($null -ne $subValue) { - $hashProperties.add($keyName, $subValue) + $hashProperties.Add($keyName, $subValue) } } catch @@ -285,6 +285,7 @@ function Get-M365DSCDRGComplexTypeToString { $indent += ' ' } + #If ComplexObject is an Array if ($ComplexObject.GetType().FullName -like '*[[\]]') { @@ -305,7 +306,7 @@ function Get-M365DSCDRGComplexTypeToString $currentProperty += Get-M365DSCDRGComplexTypeToString -IsArray @splat } - # PowerShell returns all non-captured stream output, not just the argument of the return statement. + #PowerShell returns all non-captured stream output, not just the argument of the return statement. #An empty array is mangled into $null in the process. #However, an array can be preserved on return by prepending it with the array construction operator (,) return , $currentProperty @@ -501,7 +502,6 @@ function Get-M365DSCDRGSimpleObjectTypeToString [Parameter()] [System.String] $Space = ' ' - ) $returnValue = '' @@ -617,6 +617,7 @@ function Compare-M365DSCComplexObject } if ($Source[0].CimClass.CimClassName -eq 'MSFT_DeviceManagementConfigurationPolicyAssignments' -or + $Source[0].CimClass.CimClassName -eq 'MSFT_DeviceManagementMobileAppAssignment' -or ($Source[0].CimClass.CimClassName -like 'MSFT_Intune*Assignments' -and $Source[0].CimClass.CimClassName -ne 'MSFT_IntuneDeviceRemediationPolicyAssignments')) { 
@@ -734,7 +735,9 @@ function Compare-M365DSCComplexObject { if ($Source.$key.GetType().FullName -like '*CimInstance' -and ( $Source.$key.CimClass.CimClassName -eq 'MSFT_DeviceManagementConfigurationPolicyAssignments' -or - $Source.$key.CimClass.CimClassName -like 'MSFT_Intune*Assignments')) + $Source.$key.CimClass.CimClassName -like 'MSFT_DeviceManagementMobileAppAssignment' -or + $Source.$key.CimClass.CimClassName -like 'MSFT_Intune*Assignments' + )) { $compareResult = Compare-M365DSCIntunePolicyAssignment ` -Source @($Source.$key) ` @@ -795,10 +798,20 @@ function Convert-M365DSCDRGComplexTypeToHashtable [OutputType([hashtable], [hashtable[]])] param( [Parameter(Mandatory = $true)] - $ComplexObject + [AllowNull()] + $ComplexObject, + + [Parameter()] + [switch] + $SingleLevel ) - if ($ComplexObject.getType().Fullname -like '*[[\]]') + if ($null -eq $ComplexObject) + { + return @{} + } + + if ($ComplexObject.GetType().Fullname -like '*[[\]]') { $results = @() foreach ($item in $ComplexObject) @@ -817,11 +830,16 @@ function Convert-M365DSCDRGComplexTypeToHashtable if ($null -ne $hashComplexObject) { - $results = $hashComplexObject.clone() + $results = $hashComplexObject.Clone() + if ($SingleLevel) + { + return [hashtable]$results + } + $keys = $hashComplexObject.Keys | Where-Object -FilterScript { $_ -ne 'PSComputerName' } foreach ($key in $keys) { - if ($hashComplexObject[$key] -and $hashComplexObject[$key].getType().Fullname -like '*CimInstance*') + if ($hashComplexObject[$key] -and $hashComplexObject[$key].GetType().Fullname -like '*CimInstance*') { $results[$key] = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $hashComplexObject[$key] } 
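Review bot: The added condition in the first hunk tests the class name with `-like 'MSFT_DeviceManagementMobileAppAssignment'`, which has no wildcard, while the hunk at `@@ -617,6 +617,7 @@` tests the same class name with `-eq`; the two should use the same operator so a reader does not wonder whether a pattern was intended. I would change it to `$Source.$key.CimClass.CimClassName -eq 'MSFT_DeviceManagementMobileAppAssignment' -or`. In the `Convert-M365DSCDRGComplexTypeToHashtable` hunk, the new `$null` guard returns `@{}` even when the declared output type allows `[hashtable[]]`; a short comment on that line, e.g. `# A null input is normalised to an empty hashtable rather than an empty array`, would document the choice for callers that expect an array. `Compare-M365DSCComplexObject` starts outside these hunks.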
@@ -829,259 +847,188 @@ function Convert-M365DSCDRGComplexTypeToHashtable { $propertyName = $key[0].ToString().ToLower() + $key.Substring(1, $key.Length - 1) $propertyValue = $results[$key] - $results.remove($key) | Out-Null - $results.add($propertyName, $propertyValue) + $results.Remove($key) | Out-Null + $results.Add($propertyName, $propertyValue) } } } + return [hashtable]$results } -function Get-SettingCatalogSettingValue +function ConvertFrom-IntunePolicyAssignment { [CmdletBinding()] - [OutputType([System.Collections.Hashtable],[System.Collections.Hashtable[]])] + [OutputType([System.Collections.Hashtable[]])] param ( + [Parameter(Mandatory = $true)] + [Array] + $Assignments, [Parameter()] - $SettingValue, - [Parameter()] - $SettingValueType - + [System.Boolean] + $IncludeDeviceFilter = $true ) - switch -Wildcard ($SettingValueType) + $assignmentResult = @() + foreach ($assignment in $Assignments) { - '*ChoiceSettingInstance' + $hashAssignment = @{} + if ($null -ne $assignment.Target.'@odata.type') { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $complexValue.Add('Value',$SettingValue.value) - $children = @() - foreach($child in $SettingValue.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $childSettingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$childSettingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) + $dataType = $assignment.Target.'@odata.type' } - '*ChoiceSettingCollectionInstance' + else { - $complexCollection = @() - foreach($item in $SettingValue) - { - 
$complexValue = @{} - $complexValue.Add('Value',$item.value) - $children = @() - foreach($child in $item.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $childSettingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$childSettingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) - $complexCollection += $complexValue - } - return ,([hashtable[]]$complexCollection) + $dataType = $assignment.Target.AdditionalProperties.'@odata.type' } - '*SimpleSettingInstance' + + if ($null -ne $assignment.Target.groupId) { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $valueName = 'IntValue' - $value = $SettingValue.value - if($SettingValue.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue') - { - $valueName = 'StringValue' - } - $complexValue.Add($valueName,$value) - if($SettingValue.'@odata.type' -eq '#microsoft.graph.deviceManagementConfigurationSecretSettingValue') - { - $complexValue.Add('ValueState',$SettingValue.valueState) - } + $groupId = $assignment.Target.groupId } - '*SimpleSettingCollectionInstance' + else { - $complexCollection = @() + $groupId = $assignment.Target.AdditionalProperties.groupId + } - foreach($item in $SettingValue) - { - $complexValue = @{} - $complexValue.Add('odataType',$item.'@odata.type') - $valueName = 'IntValue' - $value = $item.value - if($item.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue') - { - $valueName = 'StringValue' - } - $complexValue.Add($valueName,$value) - if($item.'@odata.type' 
-eq '#microsoft.graph.deviceManagementConfigurationSecretSettingValue') - { - $complexValue.Add('ValueState',$item.valueState) - } - $complexCollection += $complexValue - } - return ,([hashtable[]]$complexCollection) + if ($null -ne $assignment.Target.collectionId) + { + $collectionId = $assignment.Target.collectionId } - '*GroupSettingInstance' + else { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $children = @() - foreach($child in $SettingValue.children) + $collectionId = $assignment.Target.AdditionalProperties.collectionId + } + + $hashAssignment.Add('dataType',$dataType) + if (-not [string]::IsNullOrEmpty($groupId)) + { + $hashAssignment.Add('groupId', $groupId) + + $group = Get-MgGroup -GroupId ($groupId) -ErrorAction SilentlyContinue + if ($null -ne $group) { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $settingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$settingValue) - $children += $complexChild + $groupDisplayName = $group.DisplayName } - $complexValue.Add('Children',$children) } - '*GroupSettingCollectionInstance' + if (-not [string]::IsNullOrEmpty($collectionId)) + { + $hashAssignment.Add('collectionId', $collectionId) + } + if ($dataType -eq '#microsoft.graph.allLicensedUsersAssignmentTarget') + { + $groupDisplayName = 'All users' + } + if ($dataType -eq '#microsoft.graph.allDevicesAssignmentTarget') + { + $groupDisplayName = 'All devices' + } + if ($null -ne $groupDisplayName) { - $complexCollection = @() - foreach($groupSettingValue in $SettingValue) + $hashAssignment.Add('groupDisplayName', 
$groupDisplayName) + } + if ($IncludeDeviceFilter) + { + if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterType) { - $complexValue = @{} - #$complexValue.Add('odataType',$SettingValue.'@odata.type') - $children = @() - foreach($child in $groupSettingValue.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $settingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$settingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) - $complexCollection += $complexValue + $hashAssignment.Add('deviceAndAppManagementAssignmentFilterType', $assignment.Target.DeviceAndAppManagementAssignmentFilterType.ToString()) + } + if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterId) + { + $hashAssignment.Add('deviceAndAppManagementAssignmentFilterId', $assignment.Target.DeviceAndAppManagementAssignmentFilterId) } - return ,([hashtable[]]$complexCollection) } + + $assignmentResult += $hashAssignment } - return $complexValue + + return ,$assignmentResult } -function Get-SettingCatalogPolicySettingsFromTemplate +function ConvertTo-IntunePolicyAssignment { [CmdletBinding()] - [OutputType([System.Array])] - param - ( + [OutputType([Hashtable[]])] + param ( [Parameter(Mandatory = $true)] - [System.Collections.Hashtable] - $DSCParams, + [AllowNull()] + $Assignments, - [Parameter(Mandatory = $true)] - [System.String] - $templateReferenceId + [Parameter()] + [System.Boolean] + $IncludeDeviceFilter = $true ) - $DSCParams.Remove('Identity') | Out-Null - $DSCParams.Remove('DisplayName') | Out-Null - 
$DSCParams.Remove('Description') | Out-Null - - $settings = @() - - $templateSettings = Get-MgDeviceManagementConfigurationPolicyTemplateSettingTemplate -DeviceManagementConfigurationPolicyTemplateId $templateReferenceId - - $simpleSettings = @() - $simpleSettings += $templateSettings.SettingInstanceTemplate | Where-Object -FilterScript ` - { $_.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstanceTemplate' } - foreach ($templateSetting in $simpleSettings) + if ($null -eq $Assignments) { - $setting = @{} - $settingKey = $DSCParams.keys | Where-Object -FilterScript { $templateSetting.settingDefinitionId -like "*$($_)" } - if ((-not [String]::IsNullOrEmpty($settingKey)) -and $DSCParams."$settingKey") - { - $setting.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') - $myFormattedSetting = Format-M365DSCParamsToSettingInstance -DSCParams @{$settingKey = $DSCParams."$settingKey" } ` - -TemplateSetting $templateSetting - - $setting.add('settingInstance', $myFormattedSetting) - $settings += $setting - $DSCParams.Remove($settingKey) | Out-Null - } + return ,@() } - #Prepare attacksurfacereductionrules groupCollectionTemplateSettings - $groupCollectionTemplateSettings = @() - $groupCollectionTemplateSettings += $templateSettings.SettingInstanceTemplate | Where-Object -FilterScript ` - { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstanceTemplate' } - - foreach ($groupCollectionTemplateSetting in $groupCollectionTemplateSettings) + $assignmentResult = @() + foreach ($assignment in $Assignments) { - $setting = @{} - $setting.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') - $settingInstance = [ordered]@{} - $settingInstance.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance') - $settingInstance.add('settingDefinitionId', 
$groupCollectionTemplateSetting.settingDefinitionId) - $settingInstance.add('settingInstanceTemplateReference', @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingInstanceTemplateReference' - 'settingInstanceTemplateId' = $groupCollectionTemplateSetting.settingInstanceTemplateId - }) - $groupSettingCollectionValues = @() - $groupSettingCollectionValueChildren = @() - $groupSettingCollectionValue = @{} - $groupSettingCollectionValue.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingValue') - - $settingValueTemplateId = $groupCollectionTemplateSetting.AdditionalProperties.groupSettingCollectionValueTemplate.settingValueTemplateId - if (-Not [string]::IsNullOrEmpty($settingValueTemplateId)) + $target = @{"@odata.type" = $assignment.dataType} + if ($IncludeDeviceFilter) { - $groupSettingCollectionValue.add('settingValueTemplateReference', @{'settingValueTemplateId' = $SettingValueTemplateId }) + if ($null -ne $assignment.DeviceAndAppManagementAssignmentFilterType) + { + $target.Add('deviceAndAppManagementAssignmentFilterType', $assignment.DeviceAndAppManagementAssignmentFilterType) + $target.Add('deviceAndAppManagementAssignmentFilterId', $assignment.DeviceAndAppManagementAssignmentFilterId) + } } - - foreach ($key in $DSCParams.keys) + if ($assignment.dataType -like '*CollectionAssignmentTarget') { - $templateValue = $groupCollectionTemplateSetting.AdditionalProperties.groupSettingCollectionValueTemplate.children | Where-Object ` - -FilterScript { $_.settingDefinitionId -like "*$key" } - if ($templateValue) + $target.Add('collectionId', $assignment.collectionId) + } + elseif ($assignment.dataType -like '*GroupAssignmentTarget') + { + $group = Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue + if ($null -eq $group) { - $groupSettingCollectionValueChild = Format-M365DSCParamsToSettingInstance ` - -DSCParams @{$key = $DSCParams."$key" } ` - -TemplateSetting $templateValue ` - 
-IncludeSettingValueTemplateId $false ` - -IncludeSettingInstanceTemplateId $false - - $groupSettingCollectionValueChildren += $groupSettingCollectionValueChild + if ($assignment.groupDisplayName) + { + $group = Get-MgGroup -Filter "DisplayName eq '$($assignment.groupDisplayName)'" -ErrorAction SilentlyContinue + if ($null -eq $group) + { + $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it could not be found in the directory.`r`n" + $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." + Write-Verbose -Message $message + $target = $null + } + if ($group -and $group.Count -gt 1) + { + $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it is not unique in the directory.`r`n" + $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." + Write-Verbose -Message $message + $group = $null + $target = $null + } + } + else + { + $message = "Skipping assignment for the group with Id {$($assignment.groupId)} as it could not be found in the directory.`r`n" + $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." 
+ Write-Verbose -Message $message + $target = $null + } + } + #Skipping assignment if group not found from either groupId or groupDisplayName + if ($null -ne $group) + { + $target.Add('groupId', $group.Id) } } - $groupSettingCollectionValue.add('children', $groupSettingCollectionValueChildren) - $groupSettingCollectionValues += $groupSettingCollectionValue - $settingInstance.add('groupSettingCollectionValue', $groupSettingCollectionValues) - $setting.add('settingInstance', $settingInstance) - if ($setting.settingInstance.groupSettingCollectionValue.children.count -gt 0) + if ($target) { - $settings += $setting + $assignmentResult += @{target = $target} } } - return $settings + return ,$assignmentResult } -function ConvertFrom-IntunePolicyAssignment +function ConvertFrom-IntuneMobileAppAssignment { [CmdletBinding()] [OutputType([System.Collections.Hashtable[]])] @@ -1116,16 +1063,7 @@ function ConvertFrom-IntunePolicyAssignment $groupId = $assignment.Target.AdditionalProperties.groupId } - if ($null -ne $assignment.Target.collectionId) - { - $collectionId = $assignment.Target.collectionId - } - else - { - $collectionId = $assignment.Target.AdditionalProperties.collectionId - } - - $hashAssignment.Add('dataType',$dataType) + $hashAssignment.Add('dataType', $dataType) if (-not [string]::IsNullOrEmpty($groupId)) { $hashAssignment.Add('groupId', $groupId) @@ -1136,10 +1074,7 @@ function ConvertFrom-IntunePolicyAssignment $groupDisplayName = $group.DisplayName } } - if (-not [string]::IsNullOrEmpty($collectionId)) - { - $hashAssignment.Add('collectionId', $collectionId) - } + if ($dataType -eq '#microsoft.graph.allLicensedUsersAssignmentTarget') { $groupDisplayName = 'All users' 
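Review bot: In `ConvertFrom-IntunePolicyAssignment` on the new side, `$groupDisplayName` is never reset at the top of the `foreach ($assignment in $Assignments)` body, so an assignment whose `Get-MgGroup -GroupId` lookup fails inherits the display name computed for the previous iteration and gets a wrong `groupDisplayName` entry; the same holds for `$group`. I would add `$groupDisplayName = $null` and `$group = $null` right after `$hashAssignment = @{}`. In `ConvertTo-IntunePolicyAssignment`, the fallback filter `"DisplayName eq '$($assignment.groupDisplayName)'"` interpolates the name straight into the OData expression, so a display name containing an apostrophe breaks the query or changes its meaning; doubling single quotes per the OData rules, e.g. `$escapedName = $assignment.groupDisplayName -replace "'", "''"` and using `$escapedName` in the filter, keeps the lookup exact. The hunk opens inside `Convert-M365DSCDRGComplexTypeToHashtable` and the renamed `ConvertFrom-IntuneMobileAppAssignment` body continues past it.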
@@ -1152,6 +1087,19 @@ function ConvertFrom-IntunePolicyAssignment { $hashAssignment.Add('groupDisplayName', $groupDisplayName) } + + $hashAssignment.Add('intent', $assignment.intent.ToString()) + + # $concatenatedSettings = $assignment.settings.ToString() -join ',' + # $hashAssignment.Add('settings', $concatenatedSettings) + # $hashSettings = @{} + # foreach ($setting in $assignment.Settings) + # { + # $hashSettings.Add('datatype', $setting.dataType) + # $hashSettings.Add('uninstallOnDeviceRemoval', $setting.uninstallOnDeviceRemoval) + # } + # $hashAssignment.Add('settings', $hashSettings) + if ($IncludeDeviceFilter) { if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterType) @@ -1170,7 +1118,7 @@ function ConvertFrom-IntunePolicyAssignment return ,$assignmentResult } -function ConvertTo-IntunePolicyAssignment +function ConvertTo-IntuneMobileAppAssignment { [CmdletBinding()] [OutputType([Hashtable[]])] @@ -1178,6 +1126,7 @@ function ConvertTo-IntunePolicyAssignment [Parameter(Mandatory = $true)] [AllowNull()] $Assignments, + [Parameter()] [System.Boolean] $IncludeDeviceFilter = $true @@ -1191,6 +1140,7 @@ function ConvertTo-IntunePolicyAssignment $assignmentResult = @() foreach ($assignment in $Assignments) { + $formattedAssignment = @{} $target = @{"@odata.type" = $assignment.dataType} if ($IncludeDeviceFilter) { @@ -1200,11 +1150,10 @@ function ConvertTo-IntunePolicyAssignment $target.Add('deviceAndAppManagementAssignmentFilterId', $assignment.DeviceAndAppManagementAssignmentFilterId) } } - if ($assignment.dataType -like '*CollectionAssignmentTarget') - { - $target.add('collectionId', $assignment.collectionId) - } - elseif ($assignment.dataType -like '*GroupAssignmentTarget') + + $formattedAssignment.Add('intent', $assignment.intent) + + if ($assignment.dataType -like '*groupAssignmentTarget') { $group = Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue if ($null -eq $group) 
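Review bot: The first hunk commits ten lines of commented-out `settings` handling right after the new `$hashAssignment.Add('intent', $assignment.intent.ToString())`; dead code in comments tends to drift from the real implementation, so either drop it or reduce it to a single `# TODO: export mobile app assignment settings (dataType, uninstallOnDeviceRemoval)` line. The `.ToString()` call on `$assignment.intent` will throw if an assignment comes back without an intent; guarding it with `if ($null -ne $assignment.intent)` would keep the export from aborting on one malformed entry, though I cannot tell from this hunk whether Graph ever returns a null intent here. The enclosing function (now `ConvertFrom-IntuneMobileAppAssignment`) starts and ends outside this hunk.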
@@ -1236,17 +1185,17 @@ function ConvertTo-IntunePolicyAssignment $target = $null } } - #Skipping assignment if group not found from either groupId or groupDisplayName - if ($null -ne $group) - { + else { + #Skipping assignment if group not found from either groupId or groupDisplayName $target.Add('groupId', $group.Id) } } if ($target) { - $assignmentResult += @{target = $target} + $formattedAssignment.Add('target', $target) } + $assignmentResult += $formattedAssignment } return ,$assignmentResult @@ -1273,6 +1222,8 @@ function Compare-M365DSCIntunePolicyAssignment { $assignmentTarget = $Target | Where-Object -FilterScript { $_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId } $testResult = $null -ne $assignmentTarget + # Check for mobile app assignments with intent + $testResult = $assignment.intent -eq $assignmentTarget.intent # Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key if (-not $testResult) { @@ -1378,14 +1329,14 @@ function Update-DeviceConfigurationPolicyAssignment { $message = "Skipping assignment for the group with DisplayName {$($target.groupDisplayName)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." - write-verbose -Message $message + Write-Verbose -Message $message $target = $null } if ($group -and $group.count -gt 1) { $message = "Skipping assignment for the group with DisplayName {$($target.groupDisplayName)} as it is not unique in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - write-verbose -Message $message + Write-Verbose -Message $message $group = $null $target = $null } 
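Review bot: The first hunk changes the behaviour of the DisplayName fallback in `ConvertTo-IntuneMobileAppAssignment`: the `else` now belongs to `if ($null -eq $group)`, so a group that was resolved only by the `Get-MgGroup -Filter` fallback never gets `groupId` added to `$target`, and the target is still appended without it. In addition, `$assignmentResult += $formattedAssignment` now runs even after `$target` was set to `$null`, so skipped assignments produce an entry that carries only `intent`. I would restore the post-lookup guard `if ($null -ne $group) { $target.Add('groupId', $group.Id) }` and move the `+=` inside `if ($target)`. The enclosing function starts outside this hunk.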
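Review bot: In the `Compare-M365DSCIntunePolicyAssignment` hunk, the new line `$testResult = $assignment.intent -eq $assignmentTarget.intent` unconditionally overwrites the `$null -ne $assignmentTarget` result computed on the line before it. For policy assignments that have no `intent` property, both sides are `$null` and the comparison yields `$true` even when no matching target exists, so the groupDisplayName fallback is skipped and a missing assignment is reported as in sync. I would combine the two checks: `$testResult = ($null -ne $assignmentTarget) -and ($assignment.intent -eq $assignmentTarget.intent)`. The function starts and ends outside this hunk.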
@@ -1394,14 +1345,14 @@ function Update-DeviceConfigurationPolicyAssignment { $message = "Skipping assignment for the group with Id {$($target.groupId)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - write-verbose -Message $message + Write-Verbose -Message $message $target = $null } } #Skipping assignment if group not found from either groupId or groupDisplayName if ($null -ne $group) { - $formattedTarget.add('groupId',$group.Id) + $formattedTarget.Add('groupId',$group.Id) } } if ($target.collectionId) 
@@ -1436,6 +1387,126 @@ function Update-DeviceConfigurationPolicyAssignment } } +function Update-DeviceAppManagementPolicyAssignment +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param ( + [Parameter(Mandatory = $true)] + [System.String] + $AppManagementPolicyId, + + [Parameter()] + [Array] + $Assignments, + + [Parameter()] + [System.String] + $Repository = 'deviceAppManagement/mobileApps', + + [Parameter()] + [ValidateSet('v1.0','beta')] + [System.String] + $APIVersion = 'beta', + + [Parameter()] + [System.String] + $RootIdentifier = 'mobileAppAssignments' + ) + + try + { + $appManagementPolicyAssignments = @() + $Uri = "/$APIVersion/$Repository/$AppManagementPolicyId/assign" + + foreach ($assignment in $Assignments) + { + $formattedAssignment = @{ + '@odata.type' = '#microsoft.graph.mobileAppAssignment' + intent = $assignment.intent + } + if ($assigment.settings) + { + $formattedAssignment.Add('settings', $assignment.settings) + } + + if ($assignment.target -is [hashtable]) + { + $target = $assignment.target + } + + $formattedTarget = @{"@odata.type" = $target.dataType} + if(-not $formattedTarget."@odata.type" -and $target."@odata.type") + { + $formattedTarget."@odata.type" = $target."@odata.type" + } + if ($target.groupId) + { + $group = Get-MgGroup -GroupId ($target.groupId) -ErrorAction SilentlyContinue + if ($null -eq $group) + { + if ($target.groupDisplayName) + { + $group = Get-MgGroup -Filter "DisplayName eq '$($target.groupDisplayName)'" -ErrorAction SilentlyContinue + if ($null -eq $group) + { + $message = "Skipping assignment for the group with DisplayName {$($target.groupDisplayName)} as it could not be found in the directory.`r`n" + $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." 
+ Write-Verbose -Message $message + $target = $null + } + if ($group -and $group.count -gt 1) + { + $message = "Skipping assignment for the group with DisplayName {$($target.groupDisplayName)} as it is not unique in the directory.`r`n" + $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." + Write-Verbose -Message $message + $group = $null + $target = $null + } + } + else + { + $message = "Skipping assignment for the group with Id {$($target.groupId)} as it could not be found in the directory.`r`n" + $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." + Write-Verbose -Message $message + $target = $null + } + } + #Skipping assignment if group not found from either groupId or groupDisplayName + if ($null -ne $group) + { + $formattedTarget.Add('groupId',$group.Id) + } + } + if ($target.deviceAndAppManagementAssignmentFilterType) + { + $formattedTarget.Add('deviceAndAppManagementAssignmentFilterType',$target.deviceAndAppManagementAssignmentFilterType) + } + if ($target.deviceAndAppManagementAssignmentFilterId) + { + $formattedTarget.Add('deviceAndAppManagementAssignmentFilterId',$target.deviceAndAppManagementAssignmentFilterId) + } + $formattedAssignment.Add('target', $formattedTarget) + $appManagementPolicyAssignments += $formattedAssignment + } + + $body = @{$RootIdentifier = $appManagementPolicyAssignments} | ConvertTo-Json -Depth 20 + Write-Verbose -Message $body + + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop + } + catch + { + New-M365DSCLogEntry -Message 'Error updating data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $null + } +} + function Get-OmaSettingPlainTextValue { [CmdletBinding()] 
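Review bot: `if ($assigment.settings)` misspells the loop variable, so `$assigment` is always `$null` and an assignment's `settings` block is never copied into the request; it should read `if ($assignment.settings)`. The display-name lookup builds an OData filter by interpolation, `-Filter "DisplayName eq '$($target.groupDisplayName)'"`, so a name containing a single quote breaks the query or changes what it matches; escape it first with `$target.groupDisplayName.Replace("'", "''")`. `$target` is only reassigned when `$assignment.target` is a hashtable, so an assignment with any other target shape silently reuses the previous iteration's `$target`, and the `catch` block passes `$TenantId` and `$Credential`, which are not parameters of this function and will be empty in the log entry.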
@@ -1507,9 +1578,24 @@ function Get-IntuneSettingCatalogPolicySetting
 [Parameter(Mandatory = 'true')]
 [System.Collections.Hashtable]
 $DSCParams,
- [Parameter(Mandatory = 'true')]
+
+ [Parameter(
+ Mandatory = 'true',
+ ParameterSetName = 'Start'
+ )]
 [System.String]
- $TemplateId
+ $TemplateId,
+
+ [Parameter(
+ Mandatory = 'true',
+ ParameterSetName = 'DeviceAndUserSettings'
+ )]
+ [System.Array]
+ $SettingTemplates,
+
+ [Parameter(ParameterSetName = 'Start')]
+ [switch]
+ $ContainsDeviceAndUserSettings
 )
 
 $global:excludedDefinitionIds = @()
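Review bot: The three new parameter attributes copy the string form `Mandatory = 'true'` from the existing `$DSCParams` declaration; PowerShell coerces any non-empty string to `$true`, so `'false'` would also mean mandatory, which makes this spelling a trap for later edits. Use the boolean literal, `Mandatory = $true`, in the new attributes. With two parameter sets and no visible `DefaultParameterSetName`, a call that supplies neither `-TemplateId` nor `-SettingTemplates` will presumably fail with an ambiguous-parameter-set error rather than a clear message; `[CmdletBinding(DefaultParameterSetName = 'Start')]` would address that, but the CmdletBinding line is above the hunk.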
@@ -1518,18 +1604,38 @@ function Get-IntuneSettingCatalogPolicySetting $DSCParams.Remove('DisplayName') | Out-Null $DSCParams.Remove('Description') | Out-Null - # Prepare setting definitions mapping - $settingTemplates = Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate ` - -DeviceManagementConfigurationPolicyTemplateId $TemplateId ` - -ExpandProperty 'SettingDefinitions' ` - -All $settingInstances = @() + if ($PSCmdlet.ParameterSetName -eq 'Start') + { + # Prepare setting definitions mapping + $SettingTemplates = Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate ` + -DeviceManagementConfigurationPolicyTemplateId $TemplateId ` + -ExpandProperty 'SettingDefinitions' ` + -All + + if ($ContainsDeviceAndUserSettings) + { + $deviceSettingTemplates = $SettingTemplates | Where-object -FilterScript { + $_.SettingInstanceTemplate.SettingDefinitionId.StartsWith("device_") + } + $userSettingTemplates = $SettingTemplates | Where-object -FilterScript { + $_.SettingInstanceTemplate.SettingDefinitionId.StartsWith("user_") + } + $deviceDscParams = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $DSCParams.DeviceSettings -SingleLevel + $userDscParams = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $DSCParams.UserSettings -SingleLevel + $combinedSettingInstances = @() + $combinedSettingInstances += Get-IntuneSettingCatalogPolicySetting -DSCParams $deviceDscParams -SettingTemplates $deviceSettingTemplates + $combinedSettingInstances += Get-IntuneSettingCatalogPolicySetting -DSCParams $userDscParams -SettingTemplates $userSettingTemplates + + return ,$combinedSettingInstances + } + } # Iterate over all setting instance templates in the setting template - foreach ($settingInstanceTemplate in $settingTemplates.SettingInstanceTemplate) + foreach ($settingInstanceTemplate in $SettingTemplates.SettingInstanceTemplate) { $settingInstance = @{} - $settingDefinition = $settingTemplates.SettingDefinitions | Where-Object { + 
$settingDefinition = $SettingTemplates.SettingDefinitions | Where-Object { $_.Id -eq $settingInstanceTemplate.SettingDefinitionId -and ` ($_.AdditionalProperties.dependentOn.Count -eq 0 -and $_.AdditionalProperties.options.dependentOn.Count -eq 0) } 
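Review bot: In the `$ContainsDeviceAndUserSettings` branch the recursive calls pass `-SettingTemplates $deviceSettingTemplates` and `$userSettingTemplates` straight from `Where-Object`; a template that contains only one of the two kinds yields `$null` for the other, and because `-SettingTemplates` is mandatory in its parameter set the recursive call throws instead of contributing nothing. Guard each call: `if ($deviceSettingTemplates) { $combinedSettingInstances += Get-IntuneSettingCatalogPolicySetting -DSCParams $deviceDscParams -SettingTemplates $deviceSettingTemplates }`. Each recursive entry also re-executes `$global:excludedDefinitionIds = @()` at the top of the function, so exclusions recorded during the device pass are discarded before the user pass runs; if anything reads that global afterwards it only sees the last pass, which deserves either a comment or a local accumulator. `Convert-M365DSCDRGComplexTypeToHashtable` is handed `$DSCParams.DeviceSettings` even when that key is absent, so behaviour there depends on how the helper treats `$null` — worth confirming.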
@@ -1735,18 +1841,56 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue if ($childSettingValue.Keys.Count -gt 0) { - if ($childSettingValue.Keys -notcontains 'settingDefinitionId') + # If only one child item is allowed but we have multiple values, we need to create an object for each child + # Happens e.g. for the IntuneDeviceControlPolicyWindows10 resource --> {ruleid} and {ruleid}_ruledata definitions + if ($childSettingValue.groupSettingCollectionValue.Count -gt 1 -and + $childDefinition.AdditionalProperties.maximumCount -eq 1 -and + $groupSettingCollectionDefinitionChildren.Count -eq 1) { - $childSettingValue.Add('settingDefinitionId', $childDefinition.Id) + $childSettingValueOld = $childSettingValue + $childSettingValue = @() + foreach ($childSettingValueItem in $childSettingValueOld.groupSettingCollectionValue) + { + $childSettingValueInner = @{ + children = @() + } + $childSettingValueItem.Add('@odata.type', $childSettingType) + $childSettingValueInner.children += @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = $childSettingValueItem.children + } + ) + settingDefinitionId = $childDefinition.Id + } + if (-not [string]::IsNullOrEmpty($childSettingInstanceTemplate.settingInstanceTemplateId)) + { + $childSettingValueInner.children[0].groupSettingCollectionValue.settingInstanceTemplateReference = @{ + 'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId + } + } + $childSettingValue += $childSettingValueInner + } + $groupSettingCollectionValue += $childSettingValue } - if (-not [string]::IsNullOrEmpty($childSettingInstanceTemplate.settingInstanceTemplateId)) + else { - $childSettingValue.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId }) + if ($childSettingValue.Keys -notcontains 'settingDefinitionId') + { + 
$childSettingValue.Add('settingDefinitionId', $childDefinition.Id) + } + if (-not [string]::IsNullOrEmpty($childSettingInstanceTemplate.settingInstanceTemplateId)) + { + $childSettingValue.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId }) + } + $childSettingValue.Add('@odata.type', $childSettingType) + $groupSettingCollectionValueChildren += $childSettingValue } - $childSettingValue.Add('@odata.type', $childSettingType) - $groupSettingCollectionValueChildren += $childSettingValue } } + + # Does not happen for wrapped children elements if ($groupSettingCollectionValueChildren.Count -gt 0) { $groupSettingCollectionValue += @{ @@ -1927,6 +2071,11 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $settingValue = @{} if (-not [string]::IsNullOrEmpty($SettingValueType)) { + if ($SettingDefinition.AdditionalProperties.valueDefinition.isSecret) + { + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationSecretSettingValue" + $settingValue.Add('valueState', 'NotEncrypted') + } $settingValue.Add('@odata.type', $SettingValueType) } if (-not [string]::IsNullOrEmpty($settingValueTemplateId)) @@ -1972,6 +2121,7 @@ function Get-IntuneSettingCatalogPolicySettingDSCValue $matchCombined = $false $matchesId = $false $matchesOffsetUri = $false + $offsetUriFound = $false $settingDefinitions = $SettingTemplates.SettingDefinitions ` | Where-Object -FilterScript { $_.Name -eq $key } 
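Review bot: In the new multi-value wrapper, `$childSettingValueInner.children[0].groupSettingCollectionValue.settingInstanceTemplateReference = @{ ... }` assigns a property through a one-element array (`groupSettingCollectionValue = @( @{ ... } )`); PowerShell member enumeration does not support assignment, so this line most likely fails with a "property cannot be found" error rather than tagging the inner hashtable. Index the element explicitly: `$childSettingValueInner.children[0].groupSettingCollectionValue[0].settingInstanceTemplateReference = @{ 'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId }`. `$childSettingValueItem.Add('@odata.type', $childSettingType)` also has no effect on the output, because only `$childSettingValueItem.children` is copied into the wrapper; drop it or attach the type to the hashtable that is actually emitted. Get-IntuneSettingCatalogPolicySettingInstanceValue starts and ends outside the hunk.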
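Review bot: The new `isSecret` branch submits the value as `#microsoft.graph.deviceManagementConfigurationSecretSettingValue` with `valueState = 'NotEncrypted'`, i.e. the secret is placed in clear text in the Graph request body. Any caller that logs that body — the `Write-Verbose -Message $body` pattern used elsewhere in this file — would write the secret to verbose output, so the commented-out body logging in Update-IntuneDeviceConfigurationPolicy must stay off and the resource should treat the value as sensitive; add `# Secret values are sent NotEncrypted: never log or echo the resulting request body.` above the branch. Graph presumably does not return secret values on read, so Test-TargetResource may always detect drift for these settings — worth confirming and documenting next to this code.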
@@ -1997,7 +2147,26 @@ function Get-IntuneSettingCatalogPolicySettingDSCValue # If no parent definition is found, it might have been combined with the OffsetUri if ($null -eq $parentDefinition) { - $definition = Get-SettingDefinitionFromNameWithParentFromOffsetUri -OffsetUriName $key -SettingDefinitions $SettingTemplates.SettingDefinitions + $newKey = $key + switch -wildcard ($newKey) + { + '*_HTTPAuthentication_*' { $newKey = $newKey.Replace('HTTPAuthentication', '~HTTPAuthentication') } + '*TrustCenterTrustedLocations_*' { $newKey = $newKey.Replace('TrustCenterTrustedLocations', 'TrustCenter~L_TrustedLocations') } + '*TrustCenterFileBlockSettings_*' { $newKey = $newKey.Replace('TrustCenterFileBlockSettings', 'TrustCenter~L_FileBlockSettings') } + '*TrustCenterProtectedView_*' { $newKey = $newKey.Replace('TrustCenterProtectedView', 'TrustCenter~L_ProtectedView') } + '*_TrustCenter*' { $newKey = $newKey.Replace('_TrustCenter', '~L_TrustCenter') } + '*_Security_*' { $newKey = $newKey.Replace('Security', '~L_Security') } + 'MicrosoftEdge_*' { $newKey = $newKey.Replace('MicrosoftEdge_', 'microsoft_edge~Policy~microsoft_edge') } + 'MicrosoftPublisherV3_*' { $newKey = $newKey.Replace('MicrosoftPublisherV3_', 'pub16v3~Policy~L_MicrosoftOfficePublisher') } + 'MicrosoftPublisherV2_*' { $newKey = $newKey.Replace('MicrosoftPublisherV2_', 'pub16v2~Policy~L_MicrosoftOfficePublisher') } + 'MicrosoftVisio_*' { $newKey = $newKey.Replace('MicrosoftVisio_', 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions') } + 'MicrosoftProject_*' { $newKey = $newKey.Replace('MicrosoftProject_', 'proj16v2~Policy~L_Proj~L_ProjectOptions') } + 'MicrosoftPowerPoint_*' { $newKey = $newKey.Replace('MicrosoftPowerPoint_', 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions') } + 'MicrosoftWord_*' { $newKey = $newKey.Replace('MicrosoftWord_', 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions') } + 'MicrosoftExcel_*' { $newKey = $newKey.Replace('MicrosoftExcel_', 
'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions') } + 'MicrosoftAccess_*' { $newKey = $newKey.Replace('MicrosoftAccess_', 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings') } + } + $definition = Get-SettingDefinitionFromNameWithParentFromOffsetUri -OffsetUriName $newKey -SettingDefinitions $SettingTemplates.SettingDefinitions if ($null -ne $definition) { $offsetUriFound = $true @@ -2040,6 +2209,19 @@ function Get-IntuneSettingCatalogPolicySettingDSCValue $SettingDefinition = $_ } } + + if (-not $matchesId) + { + $definition = Get-SettingDefinitionFromNameWithParentFromOffsetUri -OffsetUriName $key -SettingDefinitions $SettingTemplates.SettingDefinitions + if ($null -ne $definition) + { + $offsetUriFound = $true + if ($SettingDefinition.Id -eq $definition.Id) + { + $matchesOffsetUri = $true + } + } + } } } 
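Review bot: The `switch -wildcard` patterns match case-insensitively while the `.Replace()` calls inside them are ordinal and case-sensitive, so a key such as `microsoftedge_SomeSetting` matches `'MicrosoftEdge_*'` but is left unchanged, and the lookup then silently proceeds with the raw name; either compare and replace with the same sensitivity (for instance `-creplace` on an escaped prefix) or state that keys are case-sensitive here. This table is the mirror of the one added to Export-IntuneSettingCatalogPolicySettings further down and the two must stay in step, so put `# Keep in sync with the reverse mapping in Export-IntuneSettingCatalogPolicySettings` on both. The construct also relies on PowerShell testing every case against the value captured when the switch started while the bodies mutate `$newKey`, which is what lets several cases compose into one id; that is non-obvious enough to deserve a comment too.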
@@ -2130,18 +2312,31 @@ function Get-SettingDefinitionFromNameWithParentFromOffsetUri $settingName = $OffsetUriName $offsetUriPrefix = "" - foreach ($part in $offsetUriParts) + for ($i = 0; $i -lt $offsetUriParts.Count; $i++) { - if ($settingName -like "*$($part)_*") + $part = $offsetUriParts[$i] + if ($settingName -like "$($part)_*") { $settingName = $settingName.Replace("$($part)_", "") # Add wildcards to match removed parts with invalid characters $offsetUriPrefix += "*$($part)*" + $i = 0 } } - $filteredDefinitions = $SettingDefinitions | Where-Object -FilterScript { - $_.Name -eq $settingName -and $_.OffsetUri -like "*$offsetUriPrefix*" + if ($settingName -eq "v2") + { + $settingName = $offsetUriPrefix.Split("*")[-2] + "_v2" # Add the last element of the offset Uri parts before the v2 + $filteredDefinitions = $SettingDefinitions | Where-Object -FilterScript { + ($_.Id -like "*$settingName" -and $_.Name -eq $settingName.Replace('_v2', '') -and $_.OffsetUri -like "*$offsetUriPrefix*") -or + ($_.Name -eq $settingName -and $_.OffsetUri -like "*$offsetUriPrefix*") + } + } + else + { + $filteredDefinitions = $SettingDefinitions | Where-Object -FilterScript { + $_.Name -eq $settingName -and $_.OffsetUri -like "*$offsetUriPrefix*" + } } if ($filteredDefinitions.Count -eq 1) @@ -2153,7 +2348,9 @@ function Get-SettingDefinitionFromNameWithParentFromOffsetUri $settingsWithSameName = $filteredDefinitions foreach ($definition in $filteredDefinitions) { + $parentSetting = Get-ParentSettingDefinition -SettingDefinition $definition -AllSettingDefinitions $SettingDefinitions $skip = 0 + $breakCounter = 0 $newSettingName = $settingName do { $previousSettingName = $newSettingName 
@@ -2164,12 +2361,34 @@ function Get-SettingDefinitionFromNameWithParentFromOffsetUri $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip if ($newName -eq $newSettingName) { - $combinationMatchesWithOffsetUri += $_ + # Exclude v2 versions from the comparison + if ($definition.Id -like "*_v2" -and $_.Id -ne $definition.Id.Replace('_v2', '') -or + $definition.Id -notlike "*_v2" -and $_.Id -ne $definition.Id + "_v2") + { + $combinationMatchesWithOffsetUri += $_ + } } } $settingsWithSameName = $combinationMatchesWithOffsetUri + $breakCounter++ $skip++ - } while ($combinationMatchesWithOffsetUri.Count -gt 1) + } while ($combinationMatchesWithOffsetUri.Count -gt 1 -and $breakCounter -lt 8) + + if ($breakCounter -eq 8) + { + if ($null -ne $parentSetting) + { + # Alternative way if no unique setting name can be found + $parentSettingIdProperty = $parentSetting.Id.Split('_')[-1] + $parentSettingIdWithoutProperty = $parentSetting.Id.Replace("_$parentSettingIdProperty", "") + # We can't use the entire setting here, because the child setting id does not have to come after the parent setting id + $settingNameV2 = $definition.Id.Replace($parentSettingIdWithoutProperty + "_", "").Replace($parentSettingIdProperty + "_", "") + if ($settingNameV2 -eq $OffsetUriName) + { + $newSettingName = $settingNameV2 + } + } + } if ($newSettingName -eq $OffsetUriName) { @@ -2230,6 +2449,12 @@ function Get-SettingDefinitionNameWithParentFromOffsetUri { { $splittedOffsetUri = $splittedOffsetUri[1..($splittedOffsetUri.Length - 1)] } + + if ($Skip -gt $splittedOffsetUri.Length - 1) + { + return $SettingName + } + $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 1 - $Skip)] $traversed = $false while (-not $traversed -and $splittedOffsetUri.Length -gt 1) # Prevent adding the first element of the OffsetUri 
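Review bot: The v2 exclusion test depends on `-and` binding tighter than `-or`; that is correct, but a reader has to know the precedence table to see it, so parenthesise the alternatives: `if (($definition.Id -like "*_v2" -and $_.Id -ne $definition.Id.Replace('_v2', '')) -or ($definition.Id -notlike "*_v2" -and $_.Id -ne ($definition.Id + "_v2")))`. The identical expression is added again in Export-IntuneSettingCatalogPolicySettings, so a small shared predicate would keep the two from drifting. The iteration cap `8` appears twice in this hunk (`-lt 8`, `-eq 8`); name it once so the two cannot disagree. The `do` loop starts outside the hunk.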
@@ -2290,14 +2515,51 @@ function Export-IntuneSettingCatalogPolicySettings [Parameter( ParameterSetName = 'Setting' )] - [switch]$IsRoot + [switch]$IsRoot, + + [Parameter( + ParameterSetName = 'Start' + )] + [switch]$ContainsDeviceAndUserSettings ) if ($PSCmdlet.ParameterSetName -eq 'Start') { - foreach ($setting in $Settings) + if ($ContainsDeviceAndUserSettings) { - Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $ReturnHashtable -AllSettingDefinitions $Settings.SettingDefinitions -IsRoot + $deviceSettingsReturnHashtable = @{} + $deviceSettings = $Settings | Where-Object -FilterScript { + $_.SettingInstance.settingDefinitionId.StartsWith("device_") + } + foreach ($setting in $deviceSettings) + { + Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $deviceSettingsReturnHashtable -AllSettingDefinitions $deviceSettings.SettingDefinitions -IsRoot + } + + $userSettings = $Settings | Where-Object -FilterScript { + $_.SettingInstance.settingDefinitionId.StartsWith("user_") + } + $userSettingsReturnHashtable = @{} + foreach ($setting in $userSettings) + { + Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable $userSettingsReturnHashtable -AllSettingDefinitions $userSettings.SettingDefinitions -IsRoot + } + + if ($deviceSettingsReturnHashtable.Keys.Count -gt 0) + { + $ReturnHashtable.Add('DeviceSettings', $deviceSettingsReturnHashtable) + } + if ($userSettingsReturnHashtable.Keys.Count -gt 0) + { + $ReturnHashtable.Add('UserSettings', $userSettingsReturnHashtable) + } + } + else + { + foreach ($setting in $Settings) + { + Export-IntuneSettingCatalogPolicySettings -SettingInstance $setting.SettingInstance -SettingDefinitions $setting.SettingDefinitions -ReturnHashtable 
$ReturnHashtable -AllSettingDefinitions $Settings.SettingDefinitions -IsRoot + } } return $ReturnHashtable } @@ -2338,7 +2600,12 @@ function Export-IntuneSettingCatalogPolicySettings $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip if ($newName -eq $newSettingName) { - $combinationMatchesWithOffsetUri += $_ + # Exclude v2 versions from the comparison + if ($settingDefinition.Id -like "*_v2" -and $_.Id -ne $settingDefinition.Id.Replace('_v2', '') -or + $settingDefinition.Id -notlike "*_v2" -and $_.Id -ne $settingDefinition.Id + "_v2") + { + $combinationMatchesWithOffsetUri += $_ + } } } $settingsWithSameName = $combinationMatchesWithOffsetUri @@ -2348,6 +2615,10 @@ function Export-IntuneSettingCatalogPolicySettings if ($breakCounter -lt 8) { + if ($settingDefinition.Id -like "*_v2" -and $newSettingName -notlike "*_v2") + { + $newSettingName += "_v2" + } $settingName = $newSettingName } else 
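Review bot: With `-ContainsDeviceAndUserSettings`, a setting whose `settingDefinitionId` starts with neither `device_` nor `user_` is dropped silently, because the two `Where-Object` filters are the only paths into the export; emit a diagnostic for the remainder, e.g. `Write-Verbose -Message "Skipping setting $($setting.SettingInstance.settingDefinitionId): no device_/user_ prefix"`. `StartsWith` is case-sensitive and is called on `settingDefinitionId` without a null check, so a malformed instance throws rather than being skipped. The `else` branch still passes `$Settings.SettingDefinitions` as `-AllSettingDefinitions` whereas the new branches pass only the per-kind subset; that looks deliberate but merits a comment.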
@@ -2369,6 +2640,26 @@ function Export-IntuneSettingCatalogPolicySettings { $settingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $settingDefinition.OffsetUri -SettingName $settingName } + + # Simplify names from the OffsetUri. This is done to make the names more readable, especially in case of long and complex OffsetUris. + switch -wildcard ($settingName) + { + 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings~*' { $settingName = $settingName.Replace('access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings', 'MicrosoftAccess_') } + 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions~*' { $settingName = $settingName.Replace('excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions', 'MicrosoftExcel_') } + 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~*' { $settingName = $settingName.Replace('word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions', 'MicrosoftWord_') } + 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~*' { $settingName = $settingName.Replace('ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions', 'MicrosoftPowerPoint_') } + 'proj16v2~Policy~L_Proj~L_ProjectOptions~*' { $settingName = $settingName.Replace('proj16v2~Policy~L_Proj~L_ProjectOptions', 'MicrosoftProject_') } + 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions~*' { $settingName = $settingName.Replace('visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions', 'MicrosoftVisio_') } + 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } + 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } + 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } + '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') } + 
'*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } + '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') } + '*~L_FileBlockSettings_*' { $settingName = $settingName.Replace('~L_FileBlockSettings', 'FileBlockSettings') } + '*~L_TrustedLocations*' { $settingName = $settingName.Replace('~L_TrustedLocations', 'TrustedLocations') } + '*~HTTPAuthentication_*' { $settingName = $settingName.Replace('~HTTPAuthentication', 'HTTPAuthentication') } + } } $odataType = if ($IsRoot) { $SettingInstance.AdditionalProperties.'@odata.type' } else { $SettingInstance.'@odata.type' } @@ -2526,7 +2817,7 @@ function Update-IntuneDeviceConfigurationPolicy 'settings' = $Settings } $body = $policy | ConvertTo-Json -Depth 20 - #write-verbose -Message $body + #Write-Verbose -Message $body Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop } catch diff --git a/Modules/Microsoft365DSC/Modules/M365DSCStubsUtility.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCStubsUtility.psm1 index e843fe0807..38047897d1 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCStubsUtility.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCStubsUtility.psm1 @@ -19,7 +19,11 @@ function New-M365DSCStubFiles [Parameter()] [System.Collections.Hashtable[]] - $Workloads + $Workloads, + + [Parameter()] + [String[]] + $CmdletsList ) if ($null -eq $Credential) 
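Review bot: The simplification switch only works because PowerShell tests every `-wildcard` case against the value captured when the `switch` began while the bodies mutate `$settingName`, so several cases fire and their `.Replace()` calls compose (prefix first, then `~L_Security`, `~L_TrustCenter`, and so on); nothing in the hunk says so, and a reader who adds `break` or reorders a case will silently change exported names. Add `# Several cases may match; replacements apply cumulatively and must round-trip with the reverse table in Get-IntuneSettingCatalogPolicySettingDSCValue` above the switch. Since the prefix cases end in `_` and `'*~L_TrustCenter*'` substitutes `_TrustCenter`, an id where `~L_TrustCenter` directly follows the options segment would presumably export as `MicrosoftExcel__TrustCenter...`; worth checking against a real policy.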
@@ -75,46 +79,67 @@ function New-M365DSCStubFiles @{Name = 'MicrosoftTeams'; ModuleName = 'MicrosoftTeams'; } ) } + if ($null -ne $CmdletsList -and $CmdletsList.Length -gt 0) + { + $workloads = @{Name = 'MicrosoftGraph'; ModuleName = 'Microsoft.Graph.Authentication'} + } foreach ($Module in $workloads) { - Write-Host "Connecting to {$($Module.Name)}" - $ConnectionMode = New-M365DSCConnection -Workload ($Module.Name) ` - -InboundParameters $PSBoundParameters - - Write-Host "Generating Stubs for {$($Module.ModuleName)}..." - $CurrentModuleName = $Module.ModuleName - - if ($null -eq $CurrentModuleName -or $Module.CommandName) - { - Write-Host "Loading proxy for $($Module.ModuleName)" - $foundModule = Get-Module | Where-Object -FilterScript { $_.ExportedCommands.Values.Name -ccontains $Module.CommandName } - $CurrentModuleName = $foundModule.Name - Import-Module $CurrentModuleName -Force -Global -ErrorAction SilentlyContinue - } - else + if ($null -eq $CmdletsList -or $CmdletsList.Length -eq 0) { - Import-Module $CurrentModuleName -Force -Global -ErrorAction SilentlyContinue - $ConnectionMode = New-M365DSCConnection -Workload $Module.Name ` + Write-Host "Connecting to {$($Module.Name)}" + $ConnectionMode = New-M365DSCConnection -Workload ($Module.Name) ` -InboundParameters $PSBoundParameters - } - $cmdlets = Get-Command -CommandType 'Cmdlet' | Where-Object -FilterScript { $_.Source -eq $CurrentModuleName } - if ($null -eq $cmdlets -or $Module.ModuleName -eq 'MicrosoftTeams') - { - $cmdlets += Get-Command -CommandType 'Function' -Module $CurrentModuleName - } + Write-Host "Generating Stubs for {$($Module.ModuleName)}..." 
+ $CurrentModuleName = $Module.ModuleName - try - { - $aliases = Get-Command -CommandType 'Alias' | Where-Object -FilterScript { $_.Source -eq $CurrentModuleName } - $cmdlets += $aliases - $cmdlets = $cmdlets | Select-Object -Unique + if ($null -eq $CurrentModuleName -or $Module.CommandName) + { + Write-Host "Loading proxy for $($Module.ModuleName)" + $foundModule = Get-Module | Where-Object -FilterScript { $_.ExportedCommands.Values.Name -ccontains $Module.CommandName } + $CurrentModuleName = $foundModule.Name + Import-Module $CurrentModuleName -Force -Global -ErrorAction SilentlyContinue + } + else + { + Import-Module $CurrentModuleName -Force -Global -ErrorAction SilentlyContinue + $ConnectionMode = New-M365DSCConnection -Workload $Module.Name ` + -InboundParameters $PSBoundParameters + } + + $cmdlets = Get-Command -CommandType 'Cmdlet' | Where-Object -FilterScript { $_.Source -eq $CurrentModuleName } + if ($null -eq $cmdlets -or $Module.ModuleName -eq 'MicrosoftTeams') + { + $cmdlets += Get-Command -CommandType 'Function' -Module $CurrentModuleName + } + + try + { + $aliases = Get-Command -CommandType 'Alias' | Where-Object -FilterScript { $_.Source -eq $CurrentModuleName } + $cmdlets += $aliases + $cmdlets = $cmdlets | Select-Object -Unique + } + catch + { + Write-Verbose -Message $_ + } } - catch + else { - Write-Verbose -Message $_ + $cmdlets = @() + foreach ($entry in $CmdletsList) + { + $command = Get-Command $entry -ErrorAction SilentlyContinue + if ($null -ne $command) + { + $CurrentModuleName = $command.ModuleName + $cmdlets += $command + } + } } + $StubContent = [System.Text.StringBuilder]::New() $i = 1 foreach ($cmdlet in $cmdlets) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index d8e020b073..93e4d39e0f 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 
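Review bot: In the `$CmdletsList` branch, `Get-Command $entry -ErrorAction SilentlyContinue` drops unknown or not-yet-imported cmdlets without a message, so a typo in the list yields a stub file that is silently missing entries; add `else { Write-Warning "Cmdlet '$entry' not found; is its module imported?" }`. That branch also bypasses `New-M365DSCConnection`, so any cmdlet whose module is only loaded by the connection helper will be reported missing for that reason. `$workloads = @{ ... }` reassigns the `$Workloads` parameter (variable names are case-insensitive) with a single hashtable rather than an array of them; `foreach` treats a hashtable as one item so it works, but `@(@{ ... })` or a comment would make the intent explicit. The parameter block of New-M365DSCStubFiles is above the hunk.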
@@ -3825,14 +3825,9 @@ function Get-M365DSCExportContentForResource { $primaryKey = $Results.DomainName } - - if ([String]::IsNullOrEmpty($primaryKey) -and ` - -not $Keys.Contains('IsSingleInstance')) + elseif ($Keys.Contains('UserPrincipalName')) { - foreach ($Key in $Keys) - { - $primaryKey += $Results.$Key - } + $primaryKey = $Results.UserPrincipalName } $instanceName = $ResourceName @@ -3840,6 +3835,10 @@ function Get-M365DSCExportContentForResource { $instanceName += "-$primaryKey" } + else + { + $instanceName += "-" + (New-Guid).ToString() + } if ($Results.ContainsKey('Workload')) { diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 08ad6e8253..7ed3b00e3d 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
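Review bot: The new fallback `$instanceName += "-" + (New-Guid).ToString()` makes export output non-deterministic for every resource that has none of DisplayName, Identity, DomainName or UserPrincipalName as a key, so two exports of an unchanged tenant differ and can no longer be diffed or version-controlled meaningfully; the removed branch concatenated the resource's `$Keys` values, which was stable. Prefer a deterministic derivation — join the `$Keys` values as before, or hash them — and fall back to a GUID only when every key value is empty. Get-M365DSCExportContentForResource starts and ends outside the hunk.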
@@ -59,6 +59,91 @@ } ] }, + { + "ClassName": "MSFT_AADAdminConsentRequestPolicyReviewer", + "Parameters": [ + { + "CIMType": "String", + "Name": "ReviewerType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ReviewerId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "QueryRoot", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADAdminConsentRequestPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "IsEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "NotifyReviewers", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RemindersEnabled", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "RequestDurationInDays", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADAdminConsentRequestPolicyReviewer[]", + "Name": "Reviewers", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphMember", "Parameters": [ 
@@ -184,6 +269,166 @@ } ] }, + { + "ClassName": "MSFT_AADApplicationOnPremisesPublishingSegmentCORS", + "Parameters": [ + { + "CIMType": "String[]", + "Name": "allowedHeaders", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "maxAgeInSeconds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "resource", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "allowedMethods", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "allowedOrigins", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADApplicationOnPremisesPublishingSegment", + "Parameters": [ + { + "CIMType": "String", + "Name": "alternateUrl", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADApplicationOnPremisesPublishingSegmentCORS[]", + "Name": "corsConfigurations", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "externalUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "internalUrl", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADApplicationOnPremisesPublishingSingleSignOnSettingKerberos", + "Parameters": [ + { + "CIMType": "String", + "Name": "kerberosServicePrincipalName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "kerberosSignOnMappingAttributeType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADApplicationOnPremisesPublishingSingleSignOnSetting", + "Parameters": [ + { + "CIMType": "String", + "Name": "singleSignOnMode", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADApplicationOnPremisesPublishingSingleSignOnSettingKerberos", + "Name": "kerberosSignOnSettings", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_AADApplicationOnPremisesPublishing", + "Parameters": [ + { + "CIMType": "String", + "Name": "alternateUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "applicationServerTimeout", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "externalAuthenticationType", + "Option": "Write" + }, + { + "CIMType": "String", 
+ "Name": "externalUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "internalUrl", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "isBackendCertificateValidationEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "isHttpOnlyCookieEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "isPersistentCookieEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "isSecureCookieEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "isStateSessionEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "isTranslateHostHeaderEnabled", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "isTranslateLinksInBodyEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADApplicationOnPremisesPublishingSegment[]", + "Name": "onPremisesApplicationSegments", + "Option": "Write" + }, + { + "CIMType": "MSFT_AADApplicationOnPremisesPublishingSingleSignOnSetting", + "Name": "singleSignOnSettings", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADApplicationPermission", "Parameters": [ @@ -512,6 +757,16 @@ "Name": "Owners", "Option": "Write" }, + { + "CIMType": "MSFT_AADApplicationOnPremisesPublishing", + "Name": "OnPremisesPublishing", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationTemplateId", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", 
@@ -2044,6 +2299,56 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_AADAuthenticationRequirement",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "PerUserMfaState",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "UserPrincipalName",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_AADAuthenticationStrengthPolicy",
 "Parameters": [
@@ -2499,6 +2804,66 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_AADConnectorGroupApplicationProxy",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Name",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Region",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Id",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_AADCrossTenantAccessPolicy",
 "Parameters": [
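Review bot: In the `MSFT_AADConnectorGroupApplicationProxy` entry the `Ensure` property is declared with `"CIMType": "string"` while every other property in the same hunk uses the capitalised `"String"`; the same lower-case form appears in the new `MSFT_AADCustomSecurityAttributeDefinition`, `MSFT_AADDomain`, `MSFT_AADIdentityGovernanceLifecycleWorkflow`, `MSFT_EXOATPBuiltInProtectionRule`, `MSFT_IntuneAccountProtectionPolicyWindows10` and `MSFT_IntuneAppAndBrowserIsolationPolicyWindows10` entries, and the `MSFT_IntuneDerivedCredential` hunk writes `"CIMType": "Uint32"` for `RenewalThresholdPercentage` where the rest of the file uses `UInt32`. The removed `MSFT_IntuneAppCategory` lines show `"string"` was already present before this change, so this is an existing inconsistency rather than a regression, but anything that maps `CIMType` values with a case-sensitive lookup would miss these entries; I cannot tell from the diff whether such a consumer exists. Normalising to `"CIMType": "String"` and `"CIMType": "UInt32"` would keep the type names uniform; if this file is regenerated from the resource MOF schemas, the casing should be corrected in the MOF source rather than edited here.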
@@ -2794,6 +3159,281 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_AADCustomSecurityAttributeDefinition",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Name",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AttributeSet",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Id",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Description",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsCollection",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsSearchable",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Status",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Type",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "UsePreDefinedValuesOnly",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_AADDeviceRegistrationPolicy",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "IsSingleInstance",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "AzureADJoinIsAdminConfigurable",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "UInt32",
+ "Name": "UserDeviceQuota",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AzureADAllowedToJoin",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AzureADAllowedToJoinUsers",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AzureADAllowedToJoinGroups",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "MultiFactorAuthConfiguration",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "LocalAdminsEnableGlobalAdmins",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AzureAdJoinLocalAdminsRegisteringMode",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AzureAdJoinLocalAdminsRegisteringGroups",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AzureAdJoinLocalAdminsRegisteringUsers",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "LocalAdminPasswordIsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_AADDomain",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Id",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AuthenticationType",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AvailabilityStatus",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsAdminManaged",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsDefault",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsRoot",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsVerified",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "UInt32",
+ "Name": "PasswordNotificationWindowInDays",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "UInt32",
+ "Name": "PasswordValidityPeriodInDays",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "SupportedServices",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_AccessPackageResourceRoleScope",
 "Parameters": [
@@ -4314,6 +4954,251 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_IdentityGovernanceScope",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "OdataType",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Rule",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_IdentityGovernanceTrigger",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "OdataType",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TimeBasedAttribute",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "OffsetInDays",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_IdentityGovernanceWorkflowExecutionConditions",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "OdataType",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_IdentityGovernanceScope",
+ "Name": "ScopeValue",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_IdentityGovernanceTrigger",
+ "Name": "TriggerValue",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_AADIdentityGovernanceTaskArguments",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Name",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Value",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_AADIdentityGovernanceTask",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "DisplayName",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Description",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Category",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "ExecutionSequence",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ContinueOnError",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TaskDefinitionId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_AADIdentityGovernanceTaskArguments[]",
+ "Name": "Arguments",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_AADIdentityGovernanceLifecycleWorkflow",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "DisplayName",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Description",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Category",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "IsSchedulingEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_AADIdentityGovernanceTask[]",
+ "Name": "Tasks",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_IdentityGovernanceWorkflowExecutionConditions",
+ "Name": "ExecutionConditions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_AADLifecycleWorkflowSettings",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "IsSingleInstance",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SenderDomain",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "UInt32",
+ "Name": "WorkflowScheduleIntervalInHours",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "UseCompanyBranding",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_AADNamedLocationPolicy",
 "Parameters": [
@@ -5144,6 +6029,21 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_AADServicePrincipalDelegatedPermissionClassification",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Classification",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "PermissionName",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_AADServicePrincipal",
 "Parameters": [
@@ -5232,6 +6132,11 @@
 "Name": "Tags",
 "Option": "Write"
 },
+ {
+ "CIMType": "MSFT_AADServicePrincipalDelegatedPermissionClassification[]",
+ "Name": "DelegatedPermissionClassifications",
+ "Option": "Write"
+ },
 {
 "CIMType": "String",
 "Name": "Ensure",
@@ -5765,56 +6670,141 @@
 ]
 },
 {
- "ClassName": "MSFT_ADOSecurityPolicy",
+ "ClassName": "MSFT_ADOPermission",
 "Parameters": [
 {
 "CIMType": "String",
- "Name": "OrganizationName",
- "Option": "Key"
- },
- {
- "CIMType": "Boolean",
- "Name": "DisallowAadGuestUserAccess",
+ "Name": "NamespaceId",
 "Option": "Write"
 },
 {
- "CIMType": "Boolean",
- "Name": "DisallowOAuthAuthentication",
+ "CIMType": "String",
+ "Name": "DisplayName",
 "Option": "Write"
 },
 {
- "CIMType": "Boolean",
- "Name": "DisallowSecureShell",
+ "CIMType": "UInt32",
+ "Name": "Bit",
 "Option": "Write"
 },
 {
- "CIMType": "Boolean",
- "Name": "LogAuditEvents",
+ "CIMType": "String",
+ "Name": "Token",
 "Option": "Write"
- },
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_ADOPermissionGroupSettings",
+ "Parameters": [
 {
- "CIMType": "Boolean",
- "Name": "AllowAnonymousAccess",
- "Option": "Write"
+ "CIMType": "String",
+ "Name": "GroupName",
+ "Option": "Key"
 },
 {
- "CIMType": "Boolean",
- "Name": "ArtifactsExternalPackageProtectionToken",
+ "CIMType": "String",
+ "Name": "OrganizationName",
 "Option": "Write"
 },
 {
- "CIMType": "Boolean",
- "Name": "EnforceAADConditionalAccess",
+ "CIMType": "String",
+ "Name": "Descriptor",
 "Option": "Write"
 },
 {
- "CIMType": "Boolean",
- "Name": "AllowTeamAdminsInvitationsAccessToken",
+ "CIMType": "MSFT_ADOPermission[]",
+ "Name": "AllowPermissions",
 "Option": "Write"
 },
 {
- "CIMType": "Boolean",
- "Name": "AllowRequestAccessToken",
+ "CIMType": "MSFT_ADOPermission[]",
+ "Name": "DenyPermissions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_ADOSecurityPolicy",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "OrganizationName",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "DisallowAadGuestUserAccess",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "DisallowOAuthAuthentication",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "DisallowSecureShell",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "LogAuditEvents",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "AllowAnonymousAccess",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ArtifactsExternalPackageProtectionToken",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "EnforceAADConditionalAccess",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "AllowTeamAdminsInvitationsAccessToken",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "AllowRequestAccessToken",
 "Option": "Write"
 },
 {
@@ -6809,6 +7799,71 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_EXOATPBuiltInProtectionRule",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Identity",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Comments",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "ExceptIfRecipientDomainIs",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "ExceptIfSentTo",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "ExceptIfSentToMemberOf",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_EXOAtpPolicyForO365",
 "Parameters": [
@@ -12249,6 +13304,136 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_EXOMigrationEndpoint",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Identity",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "AcceptUntrustedCertificates",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AppID",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AppSecretKeyVaultUrl",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Authentication",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "EndpointType",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ExchangeServer",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "MailboxPermission",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "MaxConcurrentIncrementalSyncs",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "MaxConcurrentMigrations",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "NspiServer",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Port",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "RemoteServer",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "RemoteTenant",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "RpcProxyServer",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Security",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SourceMailboxLegacyDN",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "UseAutoDiscover",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_EXOMobileDeviceMailboxPolicy",
 "Parameters": [
@@ -18629,6 +19814,211 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "LsaCfgFlags",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "FacialFeaturesUseEnhancedAntiSpoofing",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "EnablePinRecovery",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "Expiration",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "History",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "LowercaseLetters",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "MaximumPINLength",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "MinimumPINLength",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SpecialCharacters",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "UppercaseLetters",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "RequireSecurityDevice",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "UseCertificateForOnPremAuth",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "UsePassportForWork",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "EnablePinRecovery",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "Expiration",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "History",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "LowercaseLetters",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "MaximumPINLength",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "SInt32",
+ "Name": "MinimumPINLength",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "SpecialCharacters",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "UppercaseLetters",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "RequireSecurityDevice",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "UsePassportForWork",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_IntuneAccountProtectionPolicyWindows10",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Description",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "DisplayName",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "RoleScopeTagIds",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Id",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10",
+ "Name": "DeviceSettings",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10",
+ "Name": "UserSettings",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]",
+ "Name": "Assignments",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_IntuneAntivirusPolicyWindows10SettingCatalog",
 "Parameters": [
@@ -19065,157 +20455,322 @@
 ]
 },
 {
- "ClassName": "MSFT_IntuneAppCategory",
+ "ClassName": "MSFT_IntuneAppAndBrowserIsolationPolicyWindows10",
 "Parameters": [
 {
 "CIMType": "String",
- "Name": "DisplayName",
- "Option": "Key"
- },
- {
- "CIMType": "String",
- "Name": "Id",
+ "Name": "Description",
 "Option": "Write"
 },
 {
- "CIMType": "string",
- "Name": "Ensure",
- "Option": "Write"
+ "CIMType": "String",
+ "Name": "DisplayName",
+ "Option": "Key"
 },
 {
- "CIMType": "MSFT_Credential",
- "Name": "Credential",
+ "CIMType": "String[]",
+ "Name": "RoleScopeTagIds",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "ApplicationId",
+ "Name": "Id",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "TenantId",
+ "Name": "AllowWindowsDefenderApplicationGuard",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "CertificateThumbprint",
+ "Name": "ClipboardSettings",
 "Option": "Write"
 },
- {
- "CIMType": "MSFT_Credential",
- "Name": "ApplicationSecret",
- "Option": "Write"
- },
- {
- "CIMType": "Boolean",
- "Name": "ManagedIdentity",
- "Option": "Write"
- },
- {
- "CIMType": "String[]",
- "Name": "AccessTokens",
- "Option": "Write"
- }
- ]
- },
- {
- "ClassName": "MSFT_MicrosoftGraphAndroidPermissionAction",
- "Parameters": [
 {
 "CIMType": "String",
- "Name": "Action",
+ "Name": "SaveFilesToHost",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "Permission",
+ "Name": "InstallWindowsDefenderApplicationGuard",
 "Option": "Write"
- }
- ]
- },
- {
- "ClassName": "MSFT_MicrosoftGraphAppConfigurationSettingItem",
- "Parameters": [
+ },
 {
 "CIMType": "String",
- "Name": "AppConfigKey",
+ "Name": "ClipboardFileType",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "AppConfigKeyType",
+ "Name": "AllowPersistence",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "AppConfigKeyValue",
+ "Name": "AllowVirtualGPU",
 "Option": "Write"
- }
- ]
- },
- {
- "ClassName": "MSFT_IntuneAppConfigurationDevicePolicy",
- "Parameters": [
+ },
 {
- "CIMType": "Boolean",
- "Name": "ConnectedAppsEnabled",
+ "CIMType": "SInt32[]",
+ "Name": "PrintingSettings",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "PackageId",
+ "Name": "AllowCameraMicrophoneRedirection",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "PayloadJson",
+ "Name": "AuditApplicationGuard",
 "Option": "Write"
 },
 {
- "CIMType": "MSFT_MicrosoftGraphandroidPermissionAction[]",
- "Name": "PermissionActions",
+ "CIMType": "String[]",
+ "Name": "CertificateThumbprints",
 "Option": "Write"
 },
 {
- "CIMType": "String",
- "Name": "ProfileApplicability",
+ "CIMType": "String[]",
+ "Name": "EnterpriseIPRange",
 "Option": "Write"
 },
 {
- "CIMType": "String",
- "Name": "EncodedSettingXml",
+ "CIMType": "String[]",
+ "Name": "EnterpriseCloudResources",
 "Option": "Write"
 },
 {
- "CIMType": "MSFT_MicrosoftGraphappConfigurationSettingItem[]",
- "Name": "Settings",
+ "CIMType": "String[]",
+ "Name": "EnterpriseNetworkDomainNames",
 "Option": "Write"
 },
 {
- "CIMType": "String",
- "Name": "Description",
+ "CIMType": "String[]",
+ "Name": "EnterpriseProxyServers",
 "Option": "Write"
 },
 {
- "CIMType": "String",
- "Name": "DisplayName",
- "Option": "Required"
+ "CIMType": "String[]",
+ "Name": "EnterpriseInternalProxyServers",
+ "Option": "Write"
 },
 {
 "CIMType": "String[]",
- "Name": "RoleScopeTagIds",
+ "Name": "NeutralResources",
 "Option": "Write"
 },
 {
- "CIMType": "String[]",
- "Name": "TargetedMobileApps",
+ "CIMType": "String",
+ "Name": "EnterpriseProxyServersAreAuthoritative",
 "Option": "Write"
 },
 {
 "CIMType": "String",
- "Name": "Id",
- "Option": "Key"
+ "Name": "EnterpriseIPRangesAreAuthoritative",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]",
+ "Name": "Assignments",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_IntuneAppCategory",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "DisplayName",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Id",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "string",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_MicrosoftGraphAndroidPermissionAction",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "Action",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Permission",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_MicrosoftGraphAppConfigurationSettingItem",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "AppConfigKey",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AppConfigKeyType",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "AppConfigKeyValue",
+ "Option": "Write"
+ }
+ ]
+ },
+ {
+ "ClassName": "MSFT_IntuneAppConfigurationDevicePolicy",
+ "Parameters": [
+ {
+ "CIMType": "Boolean",
+ "Name": "ConnectedAppsEnabled",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "PackageId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "PayloadJson",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_MicrosoftGraphandroidPermissionAction[]",
+ "Name": "PermissionActions",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ProfileApplicability",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "EncodedSettingXml",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_MicrosoftGraphappConfigurationSettingItem[]",
+ "Name": "Settings",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Description",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "DisplayName",
+ "Option": "Required"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "RoleScopeTagIds",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "TargetedMobileApps",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Id",
+ "Option": "Key"
 },
 {
 "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]",
@@ -20319,6 +21874,81 @@
 }
 ]
 },
+ {
+ "ClassName": "MSFT_IntuneDerivedCredential",
+ "Parameters": [
+ {
+ "CIMType": "String",
+ "Name": "DisplayName",
+ "Option": "Key"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Id",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "HelpUrl",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Uint32",
+ "Name": "RenewalThresholdPercentage",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Issuer",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "NotificationType",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "Ensure",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "Credential",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "ApplicationId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "TenantId",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "MSFT_Credential",
+ "Name": "ApplicationSecret",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String",
+ "Name": "CertificateThumbprint",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "Boolean",
+ "Name": "ManagedIdentity",
+ "Option": "Write"
+ },
+ {
+ "CIMType": "String[]",
+ "Name": "AccessTokens",
+ "Option": "Write"
+ }
+ ]
+ },
 {
 "ClassName": "MSFT_IntuneDeviceAndAppManagementAssignmentFilter",
 "Parameters": [
@@ -33542,6 +35172,11 @@
 "Name": "DisplayName",
 "Option": "Key"
 },
+ {
+ "CIMType": "String[]",
+ "Name": "RoleScopeTagIds",
+ "Option": "Write"
+ },
 {
 "CIMType": "String",
 "Name": "Description",
@@ -34139,6 +35774,551 @@ } ] }, + { + "ClassName": "MSFT_DeviceManagementMobileAppAssignment", + "Parameters": [ + { + "CIMType": "String", + "Name": "dataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "deviceAndAppManagementAssignmentFilterType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "groupDisplayName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "intent", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementMinimumOperatingSystem", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "v10_7", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v10_8", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v10_9", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v10_10", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v10_11", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v10_12", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v10_13", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v10_14", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v10_15", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v11_0", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v12_0", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v13_0", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "v14_0", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementMimeContent", + "Parameters": [ + { + "CIMType": "String", + "Name": "Type", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Value", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementMobileAppCategory", + "Parameters": [ + { + "CIMType": "String", 
+ "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementMobileAppChildApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "BundleId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BuildNumber", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "VersionNumber", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneMobileAppsMacOSLobApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Developer", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InformationUrl", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsFeatured", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Notes", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Owner", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrivacyInformationUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Publisher", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PublishingState", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BundleId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BuildNumber", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "VersionNumber", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IgnoreVersionDetection", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMimeContent", + "Name": "LargeIcon", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMinimumOperatingSystem", + "Name": "MinimumSupportedOperatingSystem", + "Option": "Write" + }, + { + 
"CIMType": "MSFT_DeviceManagementMobileAppCategory[]", + "Name": "Categories", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMobileAppAssignment[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMobileAppChildApp[]", + "Name": "ChildApps", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_DeviceManagementMobileAppExcludedApp", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "Access", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Bing", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Excel", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Groove", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "InfoPath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Lync", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "OneDrive", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "OneNote", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Outlook", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PowerPoint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Publisher", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SharePointDesigner", + "Option": "Write" + }, + { + "CIMType": "Boolean", + 
"Name": "Teams", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Visio", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Word", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneMobileAppsWindowsOfficeSuiteApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsFeatured", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrivacyInformationUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InformationUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Notes", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AutoAcceptEula", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ProductIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UseSharedComputerActivation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UpdateChannel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OfficeSuiteAppDefaultFileFormat", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OfficePlatformArchitecture", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "LocalesToInstall", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InstallProgressDisplayLevel", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ShouldUninstallOlderVersionsOfOffice", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UpdateVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OfficeConfigurationXml", + "Option": "Write" + }, + { + "CIMType": 
"MSFT_DeviceManagementMobileAppCategory[]", + "Name": "Categories", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMobileAppAssignment[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMobileAppExcludedApp", + "Name": "ExcludedApps", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_DeviceManagementConfigurationPolicyItems", "Parameters": [ 
@@ -34250,13 +36430,2458 @@ ] }, { - "ClassName": "MSFT_IntuneRoleAssignment", + "ClassName": "MSFT_IntuneRoleAssignment", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "ResourceScopes", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ResourceScopesDisplayNames", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ScopeType", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Members", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "MembersDisplayNames", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RoleDefinition", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RoleDefinitionDisplayName", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneRoleDefinition", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "IsBuiltIn", + "Option": "Write" + }, + { + "CIMType": "String[]", + 
"Name": "allowedResourceActions", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "notAllowedResourceActions", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "roleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Parameters": [ + { + "CIMType": "String", + "Name": "Pol_SecGuide_A001_Block_Flash", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Pol_SecGuide_Block_Flash", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Pol_SecGuide_Legacy_JScript", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_powerpnt", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_onenote", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_mspub", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_msaccess", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_winproj", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_visio", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_outlook", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_winword", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": 
"POL_SG_excel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PolicyEnableSIPHighSecurityMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PolicyDisableHttpConnect", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AddonManagement", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe17", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe15", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe19", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe26", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe22", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe18", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe21", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe24", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe23", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe20", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe14", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe16", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe27", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe25", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ConsistentMimeHandling", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe43", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe51", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe54", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe50", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe46", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe44", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "L_visioexe47", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe48", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe53", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe45", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe42", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe55", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe49", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe52", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Disableusernameandpassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe127", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe126", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe138", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe139", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe128", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe131", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe136", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe137", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe135", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe133", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe129", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe134", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe132", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe130", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Informationbar", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe113", + "Option": 
"Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe114", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe123", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe124", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe120", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe118", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe115", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe121", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe112", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe117", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe125", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe119", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe122", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe116", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_LocalMachineZoneLockdownSecurity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe41", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe31", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe30", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe36", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe32", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe29", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe38", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe28", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe35", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe39", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"L_spdesignexe37", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe33", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe40", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe34", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_MimeSniffingSafetyFature", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe59", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe66", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe56", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe61", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe64", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe58", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe69", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe67", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe60", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe62", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe65", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe68", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe63", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe57", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NavigateURL", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe177", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe180", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe172", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe176", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe174", + "Option": "Write" + }, + { + "CIMType": "String", + 
"Name": "L_msaccessexe179", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe175", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe169", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe170", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe178", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe171", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe173", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe181", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe168", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ObjectCachingProtection", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe77", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe73", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe79", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe83", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe72", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe81", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe82", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe78", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe70", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe71", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe75", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe74", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe76", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe80", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ProtectionFromZoneElevation", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "L_mspubexe100", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe103", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe101", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe99", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe111", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe105", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe108", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe109", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe107", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe110", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe102", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe104", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe98", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe106", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RestrictActiveXInstall", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spDesignexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe", + "Option": "Write" + }, + { + "CIMType": 
"String", + "Name": "L_winprojexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RestrictFileDownload", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe5", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe6", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe11", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe9", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe1", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe10", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe8", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe4", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe7", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe12", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe13", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe0", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SavedfromURL", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe158", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe164", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe167", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe163", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe160", + "Option": "Write" + }, + { + "CIMType": "String", + 
"Name": "L_mspubexe156", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe159", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe161", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe165", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe166", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe162", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe154", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe155", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe157", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ScriptedWindowSecurityRestrictions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe94", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe97", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe86", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe92", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe95", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe87", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe84", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe85", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe88", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe93", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe89", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe96", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe90", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe91", + "Option": "Write" + } + ] + }, + { + "ClassName": 
"MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Parameters": [ + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Asktoupdateautomaticlinks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_LoadpicturesfromWebpagesnotcreatedinExcel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableAutoRepublish", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DoNotShowAutoRepublishWarningAlert", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Forcefileextenstionstomatch", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Forcefileextenstionstomatch_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedExcel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedExcelDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_BlockXLLFromInternet", + "Option": "Write" + }, + { + "CIMType": 
"String", + "Name": "L_BlockXLLFromInternetEnum", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_EnableBlockUnsecureQueryFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DBaseIIIANDIVFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DBaseIIIANDIVFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DifAndSylkFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DifAndSylkFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel2MacrosheetsAndAddInFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel2MacrosheetsAndAddInFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel2Worksheets", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel2WorksheetsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel3MacrosheetsAndAddInFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel3MacrosheetsAndAddInFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel3Worksheets", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel3WorksheetsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4MacrosheetsAndAddInFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4MacrosheetsAndAddInFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4Workbooks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4WorkbooksDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4Worksheets", + "Option": 
"Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4WorksheetsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel95Workbooks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel95WorkbooksDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel9597WorkbooksAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel9597WorkbooksAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel972003WorkbooksAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel972003WorkbooksAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WebPagesAndExcel2003XMLSpreadsheets", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WebPagesAndExcel2003XMLSpreadsheetsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_XL4KillSwitchPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_EnableDataBaseFileProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty4", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_L_TurnOffFileValidation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WebContentWarningLevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WebContentWarningLevelValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyWord", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyExcel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyVisio", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint", + "Option": "Write" + }, + { + 
"CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyPublisher", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyProject", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyAccess", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ActiveXControlInitialization", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ActiveXControlInitializationcolon", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_BasicAuthProxyBehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowVbaIntranetRefs", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AutomationSecurity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SettheAutomationSecuritylevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AuthenticationFBABehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AuthenticationFBAEnabledHostsID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_authenticationFBABehaviorEnum", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableStrictVbaRefsSecurityPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableallTrustBarnotificationsfor", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypeforirm", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypeforirmcolon", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypeforpasswordprotectedoffice972003", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"L_encryptiontypecolon318", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypeforpasswordprotectedofficeopen", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypecolon", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_LoadControlsinForms3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_LoadControlsinForms3colon", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_MacroRuntimeScanScope", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_MacroRuntimeScanScopeEnum", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Protectdocumentmetadataforrightsmanaged", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Allowmixofpolicyanduserlocations", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisabletheOfficeclientfrompolling", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableSmartDocumentsuseofmanifests", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OutlookSecurityMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMAddressAccess", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMAddressAccess_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMMeetingTaskRequest", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMMeetingTaskRequest_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMSend", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMSend_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Preventusersfromcustomizingattachmentsecuritysettings", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RetrievingCRLsCertificateRevocationLists", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty31", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMFormula", + 
"Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMFormula_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AuthenticationwithExchangeServer", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SelecttheauthenticationwithExchangeserver", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_EnableRPCEncryption", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Enablelinksinemailmessages", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMAddressBook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMAddressBook_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OutlookSecurityPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowUsersToLowerAttachments", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowActiveXOneOffForms", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty29", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_EnableScriptsInOneOffForms", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Level2RemoveFilePolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_removedextensions25", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_MSGUnicodeformatwhendraggingtofilesystem", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OnExecuteCustomActionOOM", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OnExecuteCustomActionOOM_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableOutlookobjectmodelscriptsforpublicfolders", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_BlockInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SecurityLevelOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SecurityLevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"L_Level1RemoveFilePolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RemovedExtensions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SignatureWarning", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_signaturewarning30", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Level1Attachments", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Minimumencryptionsettings", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "L_Minimumkeysizeinbits", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableOutlookobjectmodelscripts", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMSaveAs", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMSaveAs_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_JunkEmailprotectionlevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Selectlevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RunPrograms", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RunPrograms_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Determinewhethertoforceencryptedppt", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedpptDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"MicrosoftPowerPoint_Security_L_TurnOffFileValidation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PublisherAutomationSecurityLevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PublisherAutomationSecurityLevel_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty0", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio2000Files", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio2000FilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio2003Files", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio2003FilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio50AndEarlierFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio50AndEarlierFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowDDE", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowDDEDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + 
"Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2AndEarlierBinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2000BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2000BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2003BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2003BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2007AndLaterBinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word6Pt0BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word6Pt0BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word95BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word95BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word97BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word97BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WordXPBinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WordXPBinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedWord", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedWordDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty19", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_L_TurnOffFileValidation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Parameters": [ 
+ { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Name": "DeviceSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Name": "UserSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneSecurityBaselineMicrosoftEdge", "Parameters": [ - { - "CIMType": "String", - "Name": "Id", - "Option": "Write" - }, { "CIMType": "String", "Name": "Description", 
@@ -34269,117 +38894,122 @@ }, { "CIMType": "String[]", - "Name": "ResourceScopes", + "Name": "RoleScopeTagIds", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "ResourceScopesDisplayNames", + "CIMType": "String", + "Name": "Id", "Option": "Write" }, { "CIMType": "String", - "Name": "ScopeType", + "Name": "InternetExplorerIntegrationReloadInIEModeAllowed", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "Members", + "CIMType": "String", + "Name": "SSLErrorOverrideAllowed", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "MembersDisplayNames", + "CIMType": "String", + "Name": "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed", "Option": "Write" }, { "CIMType": "String", - "Name": "RoleDefinition", + "Name": "BrowserLegacyExtensionPointsBlockingEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "RoleDefinitionDisplayName", + "Name": "SitePerProcess", "Option": "Write" }, { - "CIMType": "string", - "Name": "Ensure", + "CIMType": "String", + "Name": "EdgeEnhanceImagesEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "Credential", + "CIMType": "String", + "Name": "ExtensionInstallBlocklist", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExtensionInstallBlocklistDesc", "Option": "Write" }, { "CIMType": "String", - "Name": "ApplicationId", + "Name": "WebSQLAccess", "Option": "Write" }, { "CIMType": "String", - "Name": "TenantId", + "Name": "BasicAuthOverHttpEnabled", "Option": "Write" }, { - "CIMType": "MSFT_Credential", - "Name": "ApplicationSecret", + "CIMType": "String", + "Name": "MicrosoftEdge_HTTPAuthentication_AuthSchemes", "Option": "Write" }, { "CIMType": "String", - "Name": "CertificateThumbprint", + "Name": "authschemes", "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "ManagedIdentity", + "CIMType": "String", + "Name": "NativeMessagingUserLevelHosts", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "AccessTokens", + "CIMType": "String", + "Name": 
"InsecurePrivateNetworkRequestsAllowed", "Option": "Write" - } - ] - }, - { - "ClassName": "MSFT_IntuneRoleDefinition", - "Parameters": [ + }, { "CIMType": "String", - "Name": "Id", + "Name": "InternetExplorerModeToolbarButtonEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "Description", + "Name": "SmartScreenEnabled", "Option": "Write" }, { "CIMType": "String", - "Name": "DisplayName", - "Option": "Key" + "Name": "SmartScreenPuaEnabled", + "Option": "Write" }, { - "CIMType": "Boolean", - "Name": "IsBuiltIn", + "CIMType": "String", + "Name": "PreventSmartScreenPromptOverride", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "allowedResourceActions", + "CIMType": "String", + "Name": "PreventSmartScreenPromptOverrideForFiles", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "notAllowedResourceActions", + "CIMType": "String", + "Name": "SharedArrayBufferUnrestrictedAccessAllowed", "Option": "Write" }, { - "CIMType": "String[]", - "Name": "roleScopeTagIds", + "CIMType": "String", + "Name": "TyposquattingCheckerEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", "Option": "Write" }, { 
@@ -37994,6 +42624,231 @@ } ] }, + { + "ClassName": "MSFT_PPAdminDLPPolicy", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "PolicyName", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "Environments", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FilterType", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PPDLPPolicyConnectorConfigurationsActionRules", + "Parameters": [ + { + "CIMType": "String", + "Name": "actionId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "behavior", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PPDLPPolicyConnectorConfigurationsAction", + "Parameters": [ + { + "CIMType": "String", + "Name": "connectorId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "defaultConnectorActionRuleBehavior", + "Option": "Write" + }, + { + "CIMType": "MSFT_PPDLPPolicyConnectorConfigurationsActionRules[]", + "Name": "actionRules", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PPDLPPolicyConnectorConfigurations", + "Parameters": [ + { + "CIMType": "String", + "Name": "PolicyName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "PPTenantId", + "Option": "Key" + }, + { + "CIMType": "MSFT_PPDLPPolicyConnectorConfigurationsAction[]", + "Name": "ConnectorActionConfigurations", + "Option": "Write" + }, + { + "CIMType": 
"string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PPPowerAPpPolicyUrlPatternsRule", + "Parameters": [ + { + "CIMType": "String", + "Name": "order", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "customConnectorRuleClassification", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "pattern", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_PPPowerAppPolicyUrlPatterns", + "Parameters": [ + { + "CIMType": "String", + "Name": "PolicyName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "PPTenantId", + "Option": "Key" + }, + { + "CIMType": "MSFT_PPPowerAPpPolicyUrlPatternsRule[]", + "Name": "RuleSet", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_PPPowerAppsEnvironment", "Parameters": [ diff --git a/ResourceGenerator/M365DSCResourceGenerator.psm1 b/ResourceGenerator/M365DSCResourceGenerator.psm1 index ecdccf6a86..0f8d094ab5 100644 
--- a/ResourceGenerator/M365DSCResourceGenerator.psm1 +++ b/ResourceGenerator/M365DSCResourceGenerator.psm1 
@@ -245,20 +245,95 @@ function New-M365DSCResource } $templateSettings = @() - $allSettingDefinitions = $SettingsCatalogSettingTemplates.SettingDefinitions - foreach ($settingTemplate in $SettingsCatalogSettingTemplates) + $deviceSettingsCatalogTemplates = $SettingsCatalogSettingTemplates | Where-Object -FilterScript { $_.SettingInstanceTemplate.SettingDefinitionId.StartsWith("device_") } + $deviceSettingDefinitions = $deviceSettingsCatalogTemplates.SettingDefinitions + + $userSettingsCatalogTemplates = $SettingsCatalogSettingTemplates | Where-Object -FilterScript { $_.SettingInstanceTemplate.SettingDefinitionId.StartsWith("user_") } + $userSettingDefinitions = $userSettingsCatalogTemplates.SettingDefinitions + + $containsDeviceAndUserSettings = $false + if ($deviceSettingDefinitions.Count -gt 0 -and $userSettingDefinitions.Count -gt 0) + { + $containsDeviceAndUserSettings = $true + } + + $deviceTemplateSettings = @() + foreach ($deviceSettingTemplate in $deviceSettingsCatalogTemplates) { - $templateSettings += New-SettingsCatalogSettingDefinitionSettingsFromTemplate ` + $deviceTemplateSettings += New-SettingsCatalogSettingDefinitionSettingsFromTemplate ` -FromRoot ` - -SettingTemplate $settingTemplate ` - -AllSettingDefinitions $allSettingDefinitions + -SettingTemplate $deviceSettingTemplate ` + -AllSettingDefinitions $deviceSettingDefinitions + } + + $userTemplateSettings = @() + foreach ($userSettingTemplate in $userSettingsCatalogTemplates) + { + $userTemplateSettings += New-SettingsCatalogSettingDefinitionSettingsFromTemplate ` + -FromRoot ` + -SettingTemplate $userSettingTemplate ` + -AllSettingDefinitions $userSettingDefinitions + } + + $deviceDefinitionSettings = @() + foreach ($deviceTemplateSetting in $deviceTemplateSettings) + { + foreach ($deviceChildSetting in $deviceTemplateSetting.ChildSettings) + { + $deviceChildSetting.DisplayName += " - Depends on $($deviceTemplateSetting.Name)" + } + $deviceDefinitionSettings += 
New-ParameterDefinitionFromSettingsCatalogTemplateSetting ` + -TemplateSetting $deviceTemplateSetting } - $definitionSettings = @() - foreach ($templateSetting in $templateSettings) + $userDefinitionSettings = @() + foreach ($userTemplateSetting in $userTemplateSettings) + { + foreach ($userChildSetting in $userTemplateSetting.ChildSettings) + { + $userChildSetting.DisplayName += " - Depends on $($userTemplateSetting.Name)" + } + $userDefinitionSettings += New-ParameterDefinitionFromSettingsCatalogTemplateSetting ` + -TemplateSetting $userTemplateSetting + } + + if ($containsDeviceAndUserSettings) + { + $definitionSettings = @{ + PowerShell = @( + +@" + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + `$DeviceSettings +"@, +@" + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + `$UserSettings +"@ + ) + MOFInstance = @( +@" +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_$($ResourceName) +{ +$($deviceDefinitionSettings.MOF -join "`r`n") +}; +"@, +@" +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_$($ResourceName) +{ +$($userDefinitionSettings.MOF -join "`r`n") +}; +"@ + ) + } + } + else { - $definitionSettings += New-ParameterDefinitionFromSettingsCatalogTemplateSetting ` - -TemplateSetting $templateSetting + $definitionSettings = $deviceDefinitionSettings + $userDefinitionSettings } $parameterString += $definitionSettings.PowerShell -join ",`r`n`r`n" 
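Review bot: Templates whose SettingInstanceTemplate.SettingDefinitionId starts with neither `device_` nor `user_` are now silently dropped, because the old loop over every element of `$SettingsCatalogSettingTemplates` is replaced by two prefix-filtered loops and nothing handles the remainder. A guard after the two `Where-Object` filters would make that visible: `$unclassified = $SettingsCatalogSettingTemplates | Where-Object -FilterScript { $_.SettingInstanceTemplate.SettingDefinitionId -notmatch '^(device|user)_' }` followed by `if ($unclassified) { Write-Warning -Message "Skipping $(@($unclassified).Count) setting template(s) with neither a device_ nor a user_ prefix" }`. The device and user branches are otherwise line-for-line duplicates (filter, template loop, child DisplayName suffix, parameter loop) and could share one private helper that takes the prefix. New-M365DSCResource starts before and continues after this hunk.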
@@ -269,13 +344,13 @@ function New-M365DSCResource { $parameter -match '\$.*$' $parameterName = $Matches[0].Replace('$', '') - $parameterType = 'IntuneSettingsCatalog' + $parameterName - $cimInstance = $definitionSettings.MOFInstance | Where-Object -FilterScript { $_ -like "*$parameterType`n*" } + $parameterType = 'IntuneSettingsCatalog' + $parameterName + $(if ($parameterName -in @('DeviceSettings', 'UserSettings')) { "_$ResourceName" }) + $cimInstance = $definitionSettings.MOFInstance | Where-Object -FilterScript { $_ -like "*$parameterType`n*" -or $_ -like "*$parameterType`r`n*" } $rowFilter = '\[.*;' $cimRows = [regex]::Matches($cimInstance, $rowFilter) | Foreach-Object { $_.Value } - $cimPropertyNamequery = '[a-zA-Z_]+[\[\]]*;' + $cimPropertyNamequery = '[a-zA-Z0-9_]+[\[\]]*;' $cimProperties = @() foreach ($row in $cimRows) { @@ -297,7 +372,7 @@ function New-M365DSCResource Name = $parameterName IsComplexType = $true IsMandatory = $false - IsArray = $true + IsArray = $parameter -match '\[.*\[\]\]' Type = $parameterType Properties = $cimProperties } @@ -472,10 +547,11 @@ function New-M365DSCResource [array]`$settings = Get-$($CmdLetNoun)Setting `` -DeviceManagementConfigurationPolicyId `$Id `` -ExpandProperty 'settingDefinitions' `` + -All `` -ErrorAction Stop `$policySettings = @{} - `$policySettings = Export-IntuneSettingCatalogPolicySettings -Settings `$settings -ReturnHashtable `$policySettings `r`n + `$policySettings = Export-IntuneSettingCatalogPolicySettings -Settings `$settings -ReturnHashtable `$policySettings$(if ($containsDeviceAndUserSettings) { ' -ContainsDeviceAndUserSettings' })`r`n "@ $settingsCatalogAddSettings = " `$results += `$policySettings`r`n`r`n" } 
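Review bot: The CIM-instance lookup interpolates `$parameterType` unescaped into two `-like` wildcard patterns, so a `$ResourceName` containing `*`, `?` or `[` would match the wrong class or none, and the two alternatives exist only to cover `\n` versus `\r\n`. One escaped regex handles both cases: `$cimInstance = $definitionSettings.MOFInstance | Where-Object -FilterScript { $_ -match "$([regex]::Escape($parameterType))\r?\n" }`. The new `IsArray = $parameter -match '\[.*\[\]\]'` also deserves a comment: `-match` overwrites the automatic `$Matches` that `$parameterName = $Matches[0].Replace('$', '')` reads a few lines earlier, which is safe only as long as that read stays above it.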
@@ -595,7 +671,7 @@ function New-M365DSCResource $defaultCreateParameters = @" `$settings = Get-IntuneSettingCatalogPolicySetting `` -DSCParams ([System.Collections.Hashtable]`$BoundParameters) `` - -TemplateId `$templateReferenceId + -TemplateId `$templateReferenceId$(if ($containsDeviceAndUserSettings) { " ```r`n -ContainsDeviceAndUserSettings" }) `$createParameters = @{ Name = `$DisplayName @@ -718,7 +794,7 @@ function New-M365DSCResource $defaultUpdateParameters = @" `$settings = Get-IntuneSettingCatalogPolicySetting `` -DSCParams ([System.Collections.Hashtable]`$BoundParameters) `` - -TemplateId `$templateReferenceId + -TemplateId `$templateReferenceId$(if ($containsDeviceAndUserSettings) { " ```r`n -ContainsDeviceAndUserSettings" }) Update-IntuneDeviceConfigurationPolicy `` -DeviceConfigurationPolicyId `$currentInstance.Id `` @@ -3827,7 +3903,12 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip if ($newName -eq $newSettingName) { - $combinationMatchesWithOffsetUri += $_ + # Exclude v2 versions from the comparison + if ($settingDefinition.Id -like "*_v2" -and $_.Id -ne $settingDefinition.Id.Replace('_v2', '') -or + $settingDefinition.Id -notlike "*_v2" -and $_.Id -ne $settingDefinition.Id + "_v2") + { + $combinationMatchesWithOffsetUri += $_ + } } } $settingsWithSameName = $combinationMatchesWithOffsetUri @@ -3837,6 +3918,10 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { if ($breakCounter -lt 8) { + if ($settingDefinition.Id -like "*_v2" -and $newSettingName -notlike "*_v2") + { + $newSettingName += "_v2" + } $settingName = $newSettingName } else 
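Review bot: The v2 exclusion condition in New-SettingsCatalogSettingDefinitionSettingsFromTemplate chains `-and` and `-or` without parentheses; in PowerShell the two have equal precedence and bind left to right, so the expression evaluates as `((A -and B) -or C) -and D` and only yields the intended result because the first and third terms are negations of each other. Make the grouping explicit: `if (($settingDefinition.Id -like "*_v2" -and $_.Id -ne $settingDefinition.Id.Replace('_v2', '')) -or` / `($settingDefinition.Id -notlike "*_v2" -and $_.Id -ne ($settingDefinition.Id + "_v2")))`. `Replace('_v2', '')` additionally strips a `_v2` anywhere in the id rather than only the suffix; `-replace '_v2$', ''` matches the `-like "*_v2"` test on the same line. The enclosing function starts outside this hunk.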
@@ -3858,6 +3943,26 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { { $settingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $SettingDefinition.OffsetUri -SettingName $settingName } + + # Simplify names from the OffsetUri. This is done to make the names more readable, especially in case of long and complex OffsetUris. + switch -wildcard ($settingName) + { + 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings~*' { $settingName = $settingName.Replace('access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings', 'MicrosoftAccess_') } + 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions~*' { $settingName = $settingName.Replace('excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions', 'MicrosoftExcel_') } + 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~*' { $settingName = $settingName.Replace('word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions', 'MicrosoftWord_') } + 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~*' { $settingName = $settingName.Replace('ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions', 'MicrosoftPowerPoint_') } + 'proj16v2~Policy~L_Proj~L_ProjectOptions~*' { $settingName = $settingName.Replace('proj16v2~Policy~L_Proj~L_ProjectOptions', 'MicrosoftProject_') } + 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions~*' { $settingName = $settingName.Replace('visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions', 'MicrosoftVisio_') } + 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } + 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } + 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } + '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 
'Security') } + '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } + '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') } + '*~L_FileBlockSettings_*' { $settingName = $settingName.Replace('~L_FileBlockSettings', 'FileBlockSettings') } + '*~L_TrustedLocations*' { $settingName = $settingName.Replace('~L_TrustedLocations', 'TrustedLocations') } + '*~HTTPAuthentication_*' { $settingName = $settingName.Replace('~HTTPAuthentication', 'HTTPAuthentication') } + } } $childSettings = @() @@ -3930,6 +4035,12 @@ function Get-SettingDefinitionNameWithParentFromOffsetUri { { $splittedOffsetUri = $splittedOffsetUri[1..($splittedOffsetUri.Length - 1)] } + + if ($Skip -gt $splittedOffsetUri.Length - 1) + { + return $SettingName + } + $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 1 - $Skip)] $traversed = $false while (-not $traversed -and $splittedOffsetUri.Length -gt 1) # Prevent adding the first element of the OffsetUri @@ -4025,7 +4136,7 @@ class $ "@ - $mofDefinition = $mofParameterTemplate.Replace("", $TemplateSetting.DisplayName) + $mofDefinition = $mofParameterTemplate.Replace("", $TemplateSetting.DisplayName.Replace("`r`n", "")) $optionsString = "" $valueMapString = "" if ($TemplateSetting.Options) { diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index d45e6582da..d0e9424d6f 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 
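Review bot: `$TemplateSetting.DisplayName.Replace("`r`n", "")` in the last hunk removes only CRLF pairs before the display name is spliced into the generated MOF text, so a lone `\n` or `\r` returned by the service would still break the generated line; `($TemplateSetting.DisplayName -replace '[\r\n]', '')` covers every line-break form. In the `switch -wildcard` of the first hunk the arms have no `break`, so several arms can fire for one name and each `Replace` rewrites `$settingName` in turn while the patterns are still tested against the original value; that is presumably intended for the `MicrosoftEdge_` then `~L_Security` case and deserves a comment such as `# Intentionally no 'break': arms apply cumulatively; patterns match the original name, replacements chain on $settingName`. The placeholder argument of `Replace("", ...)` appears empty in this view, which looks like an extraction artifact rather than the committed text, so it is not raised here.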
@@ -149,6 +149,16 @@ SignInFrequencyValue = 1; State = "disabled"; } + AADConnectorGroupApplicationProxy 'AADConnectorGroupApplicationProxy-testgroup' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + Name = "testgroup"; + Region = "nam"; + } AADCrossTenantAccessPolicyConfigurationPartner 'AADCrossTenantAccessPolicyConfigurationPartner' { PartnerTenantId = "e7a80bcf-696e-40ca-8775-a7f85fbb3ebc"; # O365DSC.onmicrosoft.com @@ -181,6 +191,36 @@ CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; } + AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + } + AADDomain 'AADDomain-Contoso' + { + ApplicationId = $ApplicationId; + AuthenticationType = "Managed"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + TenantId = $TenantId; + } AADEntitlementManagementAccessPackage 'myAccessPackage' { AccessPackagesIncompatibleWith = @(); 
@@ -320,6 +360,47 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' + { + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Present"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + Rule = '(not (country eq ''Brazil''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add user to groups' + Description = 'Add user to selected groups' + Category = 'joiner,leaver,mover' + IsEnabled = $True + ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index e4054cdd9c..86e91dc321 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 
@@ -149,6 +149,15 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADConnectorGroupApplicationProxy 'AADConnectorGroupApplicationProxy-testgroup' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + Name = "testgroup-new"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + } AADCrossTenantAccessPolicyConfigurationPartner 'AADCrossTenantAccessPolicyConfigurationPartner' { ApplicationId = $ApplicationId @@ -157,6 +166,29 @@ Ensure = "Absent"; PartnerTenantId = "12345-12345-12345-12345-12345"; } + AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + } + AADDomain 'AADDomain-Contoso' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + Id = "contoso.com"; + TenantId = $TenantId; + } AADEntitlementManagementAccessPackage 'myAccessPackage' { DisplayName = 'Integration Package' 
@@ -253,6 +285,47 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' + { + Category = "joiner"; + Description = "Updated description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Absent"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + Rule = '(not (country eq ''America''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add user to groups' + Description = 'Add user to selected groups updated' + Category = 'joiner,leaver,mover' + IsEnabled = $True + ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index c9363e1d89..cce664e8ec 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 
@@ -34,6 +34,35 @@ $Domain = $TenantId Node Localhost { + AADAdminConsentRequestPolicy 'AADAdminConsentRequestPolicy' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsEnabled = $True; + IsSingleInstance = "Yes"; + NotifyReviewers = $False; + RemindersEnabled = $True; + RequestDurationInDays = 30; + Reviewers = @( + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'User' + ReviewerId = "AlexW@$TenantId" + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Group' + ReviewerId = 'Communications' + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Role' + ReviewerId = 'Attack Payload Author' + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Role' + ReviewerId = 'Attack Simulation Administrator' + } + ); + TenantId = $TenantId; + } AADAdministrativeUnit 'TestUnit' { DisplayName = 'Test-Unit' @@ -408,6 +437,14 @@ ); State = "enabled"; } + AADAuthenticationRequirement 'AADAuthenticationRequirement-TestMailbox109@xtasdftestorg.onmicrosoft.com' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + PerUserMfaState = "disabled"; + UserPrincipalName = "TestMailbox109@$OrganizationName"; + } AADAuthenticationStrengthPolicy 'AADAuthenticationStrengthPolicy-Example' { AllowedCombinations = @("windowsHelloForBusiness","fido2","deviceBasedPush"); # Updated Property @@ -459,6 +496,16 @@ SignInFrequencyValue = 2; # Updated Porperty State = "disabled"; } + AADConnectorGroupApplicationProxy 'AADConnectorGroupApplicationProxy-testgroup' + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + Name = "testgroup-new"; + Region = "nam"; + } AADCrossTenantAccessPolicy 'AADCrossTenantAccessPolicy' { AllowedCloudEndpoints = @("microsoftonline.us"); 
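Review bot: `AADAuthenticationRequirement` sets `PerUserMfaState = "disabled"` for TestMailbox109 in the Update run, but no matching entry appears in the AAD Create or Remove hunks of this diff, so as far as these hunks show the integration tenant is left with per-user MFA disabled for that account after the run. If the resource has no natural Remove counterpart, a comment stating the intended end state, `# Leaves per-user MFA disabled for this test mailbox; no Remove step resets it`, makes that explicit. The resource label also hard-codes `TestMailbox109@xtasdftestorg.onmicrosoft.com` while the property uses `$OrganizationName`; `"AADAuthenticationRequirement-TestMailbox109@$OrganizationName"` keeps the label tenant-independent.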
@@ -594,6 +641,53 @@ CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; } + AADCustomSecurityAttributeDefinition 'AADCustomSecurityAttributeDefinition-ShoeSize' + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing? Drifted" # Drift + } + AADDeviceRegistrationPolicy 'MyDeviceRegistrationPolicy' + { + ApplicationId = $ApplicationId; + AzureADAllowedToJoin = "Selected"; + AzureADAllowedToJoinGroups = @(); + AzureADAllowedToJoinUsers = @("AlexW@M365x73318397.OnMicrosoft.com"); + AzureAdJoinLocalAdminsRegisteringGroups = @(); + AzureAdJoinLocalAdminsRegisteringMode = "Selected"; + AzureAdJoinLocalAdminsRegisteringUsers = @("AllanD@M365x73318397.OnMicrosoft.com"); + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + LocalAdminPasswordIsEnabled = $False; + LocalAdminsEnableGlobalAdmins = $True; + MultiFactorAuthConfiguration = $False; + TenantId = $TenantId; + UserDeviceQuota = 50; + } + AADDomain 'AADDomain-Contoso' + { + ApplicationId = $ApplicationId; + AuthenticationType = "Managed"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $False; #Drift + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + TenantId = $TenantId; + } AADEntitlementManagementAccessPackage 'myAccessPackage' { AccessPackagesIncompatibleWith = @(); 
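Review bot: `AADDeviceRegistrationPolicy` hard-codes `AlexW@M365x73318397.OnMicrosoft.com` and `AllanD@M365x73318397.OnMicrosoft.com`, a specific tenant, while the surrounding resources derive UPNs from `$OrganizationName` or `$TenantId`; against any other integration tenant those users will not resolve and the join and local-admin allow lists will be written with unresolvable members. `AzureADAllowedToJoinUsers = @("AlexW@$OrganizationName")` and `AzureAdJoinLocalAdminsRegisteringUsers = @("AllanD@$OrganizationName")` keep it tenant-independent. `IsVerified = $False #Drift` on `AADDomain` is presumably a service-computed property; if the resource cannot write it, the drift never converges and the test reports a perpetual difference, which is worth confirming against the resource's Set-TargetResource.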
@@ -767,6 +861,60 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' + { + Category = "joiner"; + #updated description + Description = "Updated description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Present"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + #updated rule + Rule = '(not (country eq ''America''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add user to groups' + #updated description + Description = 'Add user to selected groups updated' + Category = 'joiner,leaver,mover' + IsEnabled = $True + ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + AADLifecycleWorkflowSettings 'AADLifecycleWorkflowSettings' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + SenderDomain = "microsoft.com"; + TenantId = $TenantId; + UseCompanyBranding = $True; + WorkflowScheduleIntervalInHours = 10; + } AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" 
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 index f69b8d3f89..ab1e4fab0a 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 @@ -411,10 +411,12 @@ } EXOMailboxFolderPermission 'EXOMailboxFolderPermission-admin:\Calendar' { - Credential = $Credscredential; - Ensure = "Present"; - Identity = "amdin:\Calendar"; - UserPermissions = @(MSFT_EXOMailboxFolderUserPermission { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Identity = "amdin:\Calendar"; + UserPermissions = @(MSFT_EXOMailboxFolderUserPermission { User = 'Default' AccessRights = 'AvailabilityOnly' } @@ -431,11 +433,13 @@ } EXOMailboxIRMAccess 'EXOMailboxIRMAccess-qwe@testorg.onmicrosoft.com' { - AccessLevel = "Block"; - Credential = $Credscredential; - Ensure = "Present"; - Identity = "qwe@$OrganizationName"; - User = "admin@$OrganizationName"; + AccessLevel = "Block"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Identity = "qwe@$OrganizationName"; + User = "admin@$OrganizationName"; } EXOMailContact 'TestMailContact' { @@ -508,7 +512,9 @@ } EXOManagementScope 'EXOManagementScope-Test New DGs' { - Credential = $Credscredential; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; Exclusive = $False; Identity = "Test New DGs"; 
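Review bot: `Identity = "amdin:\Calendar"` in the first hunk keeps the mailbox typo (`amdin`) on the new side, while the resource label and the EXO.Update hunk use `admin:\Calendar`; the Create run therefore targets a mailbox that presumably does not exist and the Update run a different one. Change the line to `Identity = "admin:\Calendar";`.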
@@ -530,6 +536,23 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOMigrationEndpoint 'EXOMigrationEndpoint-testIMAP' + { + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + EndpointType = "IMAP"; + Ensure = "Present"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + } EXOMobileDeviceMailboxPolicy 'ConfigureMobileDeviceMailboxPolicy' { Name = "Default" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 index 331165c9c1..9e231050c0 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 @@ -340,7 +340,9 @@ } EXOManagementScope 'EXOManagementScope-Test New DGs' { - Credential = $Credscredential; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint Ensure = "Absent"; Exclusive = $False; Identity = "Test New DGs"; @@ -357,6 +359,23 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOMigrationEndpoint 'EXOMigrationEndpoint-testIMAP' + { + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + EndpointType = "IMAP"; + Ensure = "Absent"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "None"; + } EXOMobileDeviceMailboxPolicy 'ConfigureMobileDeviceMailboxPolicy' { Name = "Default" 
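Review bot: The new `EXOMigrationEndpoint` pairs `Authentication = "Basic"` with `AcceptUntrustedCertificates = $True`, and the EXO.Update hunk two lines down flips `Security` from `Tls` to `None` on the same endpoint, so between the Update and Remove runs the integration tenant holds an IMAP migration endpoint that, as far as these values go, accepts any certificate and basic credentials without TLS. Since the Update step only needs some property to drift, drifting a harmless one instead, e.g. `MaxConcurrentMigrations = "25"; # Updated Property`, keeps `Security = "Tls"` throughout. `AcceptUntrustedCertificates = $True` also deserves a comment marking it as test-only. The same block recurs in the EXO.Remove hunk on this line, where the value is irrelevant because `Ensure = "Absent"`.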
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 index bae977e5b8..30dc923214 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 @@ -140,6 +140,14 @@ CertificateThumbprint = $CertificateThumbprint; ApplicationId = $ApplicationId; } + EXOATPBuiltInProtectionRule 'EXOATPBuiltInProtectionRule' + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ExceptIfRecipientDomainIs = @("contoso.com","fabrikam.com"); + Identity = "ATP Built-In Protection Rule"; + TenantId = $TenantId; + } EXOAtpPolicyForO365 'ConfigureAntiPhishPolicy' { IsSingleInstance = "Yes" @@ -679,10 +687,12 @@ } EXOMailboxFolderPermission 'EXOMailboxFolderPermission-admin:\Calendar' { - Credential = $Credscredential; - Ensure = "Present"; - Identity = "admin:\Calendar"; - UserPermissions = @(MSFT_EXOMailboxFolderUserPermission { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Identity = "admin:\Calendar"; + UserPermissions = @(MSFT_EXOMailboxFolderUserPermission { User = 'Default' AccessRights = 'AvailabilityOnly' } @@ -825,7 +835,9 @@ } EXOManagementScope 'EXOManagementScope-Test New DGs' { - Credential = $Credscredential; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; Exclusive = $False; Identity = "Test New DGs"; 
@@ -847,6 +859,24 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOMigrationEndpoint 'EXOMigrationEndpoint-testIMAP' + { + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + EndpointType = "IMAP"; + Ensure = "Present"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + # value for security updated from Tls to None + Security = "None"; + } EXOMobileDeviceMailboxPolicy 'ConfigureMobileDeviceMailboxPolicy' { Name = "Default" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index f60efd6f58..368146fdd0 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 @@ -88,6 +88,24 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 + { + History = 10 + EnablePinRecovery = 'true' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 + { + History = 20 + EnablePinRecovery = 'true' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneAntivirusPolicyWindows10SettingCatalog 'myAVWindows10Policy' { DisplayName = 'av exclusions' 
@@ -106,6 +124,32 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneAppCategory 'IntuneAppCategory-Data Management' { Id = "a1fc9fe2-728d-4867-9a72-a61e18f8c606"; @@ -261,6 +305,15 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneDerivedCredential 'IntuneDerivedCredential-K5' + { + DisplayName = "K5"; + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + Ensure = "Present"; + } IntuneDeviceAndAppManagementAssignmentFilter 'AssignmentFilter' { DisplayName = 'Test Device Filter' @@ -2288,6 +2341,9 @@ ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; + ConfigurationBlob = "Blob" + ConfigurationType = "onboard" + SampleSharing = 1 } IntuneExploitProtectionPolicyWindows10SettingCatalog 'myWindows10ExploitProtectionPolicy' { 
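Review bot: `IntuneDerivedCredential` in the second hunk omits `ApplicationId`, `TenantId` and `CertificateThumbprint`, which every other resource in this file passes, so this instance will not authenticate with the certificate the integration run uses; add `ApplicationId = $ApplicationId;`, `TenantId = $TenantId;` and `CertificateThumbprint = $CertificateThumbprint;`. The `IntuneMobileAppsMacOSLobApp` block in the next hunk has the same omission. `HelpUrl = "http://www.ff.com/"` is plain http; an `https://` test value avoids baking a cleartext URL into a credential-provisioning policy even as test data.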
@@ -2478,6 +2534,70 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneMobileAppsMacOSLobApp 'IntuneMobileAppsMacOSLobApp-TeamsForBusinessInstaller' + { + Id = "8d027f94-0682-431e-97c1-827d1879fa79"; + Description = "TeamsForBusinessInstaller"; + Developer = "Contoso"; + DisplayName = "TeamsForBusinessInstaller"; + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + MinimumSupportedOperatingSystem = MSFT_DeviceManagementMinimumOperatingSystem{ + v11_0 = $true + } + Notes = ""; + Owner = ""; + PrivacyInformationUrl = ""; + Publisher = "Contoso"; + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment { + groupDisplayName = 'All devices' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + intent = 'required' + } + MSFT_DeviceManagementMobileAppAssignment{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '57b5e81c-85bb-4644-a4fd-33b03e451c89' + intent = 'required' + } + ); + Categories = @( + MSFT_DeviceManagementMobileAppCategory { + Id = '1bff2652-03ec-4a48-941c-152e93736515' + DisplayName = 'Kajal 3' + }); + } + IntuneMobileAppsWindowsOfficeSuiteApp 'IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later' + { + Id = "8e683524-4ec1-4813-bb3e-6256b2f293d" + Description = "Microsoft 365 Apps for Windows 10 and laterr" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c' + intent = 'required' + } + ); + Categories = @( + MSFT_DeviceManagementMobileAppCategory { + Id = 
'8e683524-4ec1-4813-bb3e-6256b2f293d8' + DisplayName = 'Productivity' + }); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } IntunePolicySets 'Example' { Assignments = @( @@ -2539,6 +2659,50 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + L_powerpntexe101 = '1' + L_pptviewexe102 = '1' + L_visioexe103 = '1' + L_winprojexe104 = '1' + L_winwordexe105 = '1' + L_outlookexe106 = '1' + L_spdesignexe107 = '1' + L_exprwdexe108 = '1' + L_msaccessexe109 = '1' + L_onenoteexe110 = '1' + L_mse7exe111 = '1' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '3' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + InsecurePrivateNetworkRequestsAllowed = "0"; + InternetExplorerIntegrationReloadInIEModeAllowed = "0"; + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0"; + InternetExplorerModeToolbarButtonEnabled = "0"; + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneSettingCatalogASRRulesPolicyWindows10 'myASRRulesPolicy' { DisplayName = 'asr 2' 
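Review bot: In `IntuneMobileAppsWindowsOfficeSuiteApp 'IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later'` the value `Id = "8e683524-4ec1-4813-bb3e-6256b2f293d"` is one hex digit short of a GUID (the category `Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8'` a few lines below has the full 36 characters), and `Description = "Microsoft 365 Apps for Windows 10 and laterr"` carries a typo. Replace the Id with a well-formed GUID for the intended app and fix the description to `Description = "Microsoft 365 Apps for Windows 10 and later"`. The preceding `IntuneMobileAppsMacOSLobApp` block in the same hunk also omits `ApplicationId`/`TenantId`/`CertificateThumbprint`, unlike the Office suite block and the other resources in this file.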
diff --git a/Tests/QA/Graph.PermissionList.txt b/Tests/QA/Graph.PermissionList.txt index 3acae21c4a..9afee7e857 100644 Binary files a/Tests/QA/Graph.PermissionList.txt and b/Tests/QA/Graph.PermissionList.txt differ diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAdminConsentRequestPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAdminConsentRequestPolicy.Tests.ps1 new file mode 100644 index 0000000000..0e517729de --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAdminConsentRequestPolicy.Tests.ps1 
@@ -0,0 +1,231 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -Command Get-MgUser -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + UserPrincipalName = 'John.Smith@contoso.com' + } + } + + Mock -Command Get-MgGroup -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + DisplayName = 'Communications' + } + } + + Mock -Command Get-MgBetaRoleManagementDirectoryRoleDefinition -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + DisplayName = 'Attack Payload Author' + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null 
+ $Script:ExportMode = $false + } + # Test contexts + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsEnabled = $True; + NotifyReviewers = $False; + RemindersEnabled = $True; + RequestDurationInDays = 30; + Reviewers = @( + (New-CimInstance -ClassName MSFT_AADAdminConsentRequestPolicyReviewer -Property @{ + ReviewerType = 'User' + ReviewerId = 'John.Smith@contoso.com' + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AADAdminConsentRequestPolicyReviewer -Property @{ + ReviewerType = 'Group' + ReviewerId = 'Communications' + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AADAdminConsentRequestPolicyReviewer -Property @{ + ReviewerType = 'Role' + ReviewerId = 'Attack Payload Author' + } -ClientOnly) + ); + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAdminConsentRequestPolicy -MockWith { + return @{ + IsEnabled = $true + NotifyReviewers = $False; + RemindersEnabled = $True; + RequestDurationInDays = 30; + Reviewers = @( + @{ + Query = "/v1.0/users/e362df2b-8f61-4e5a-9e5e-c6069f3ed2ee" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + }, + @{ + Query = "/v1.0/groups/1bb47df7-d3fa-4ba8-bdbd-e9fc7541fa18/transitiveMembers/microsoft.graph.user" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + } + @{ + Query = "/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f'" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + } + ); + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + IsSingleInstance = 'Yes' + IsEnabled = $True; + NotifyReviewers = $False; + RemindersEnabled = $True; + RequestDurationInDays = 30; + Reviewers = @( + (New-CimInstance -ClassName 
MSFT_AADAdminConsentRequestPolicyReviewer -Property @{ + ReviewerType = 'User' + ReviewerId = 'AlexW@contoso.com' # Drift + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AADAdminConsentRequestPolicyReviewer -Property @{ + ReviewerType = 'Group' + ReviewerId = 'Communications' + } -ClientOnly) + (New-CimInstance -ClassName MSFT_AADAdminConsentRequestPolicyReviewer -Property @{ + ReviewerType = 'Role' + ReviewerId = 'Attack Payload Author' + } -ClientOnly) + ); + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAdminConsentRequestPolicy -MockWith { + return @{ + IsEnabled = $true + NotifyReviewers = $False; + RemindersEnabled = $True; + RequestDurationInDays = 30; + Reviewers = @( + @{ + Query = "/v1.0/users/e362df2b-8f61-4e5a-9e5e-c6069f3ed2ee" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + }, + @{ + Query = "/v1.0/groups/1bb47df7-d3fa-4ba8-bdbd-e9fc7541fa18/transitiveMembers/microsoft.graph.user" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + } + @{ + Query = "/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f'" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + } + ); + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyAdminConsentRequestPolicy -MockWith { + return @{ + IsEnabled = $true + NotifyReviewers = $False; + RemindersEnabled = $True; + RequestDurationInDays = 30; + Reviewers = @( + @{ + Query = "/v1.0/users/e362df2b-8f61-4e5a-9e5e-c6069f3ed2ee" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + }, + @{ + Query = 
"/v1.0/groups/1bb47df7-d3fa-4ba8-bdbd-e9fc7541fa18/transitiveMembers/microsoft.graph.user" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + } + @{ + Query = "/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '9c6df0f2-1e7c-4dc3-b195-66dfbd24aa8f'" + QueryType = 'MicrosoftGraph' + QueryRoot = '' + } + ); + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADApplication.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADApplication.Tests.ps1 index 55637d70cd..2a713b43f4 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADApplication.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADApplication.Tests.ps1 @@ -90,14 +90,14 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential } - Mock -CommandName Get-MgApplication -MockWith { + Mock -CommandName Get-MgBetaApplication -MockWith { return $null } } It 'Should return values from the get method' { (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' - Should -Invoke -CommandName 'Get-MgApplication' -Exactly 1 + Should -Invoke -CommandName 'Get-MgBetaApplication' -Exactly 1 } It 'Should return false from the test method' { Test-TargetResource @testParams | Should -Be $false @@ -126,7 +126,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential } - Mock -CommandName Get-MgApplication -MockWith { + Mock -CommandName Get-MgBetaApplication -MockWith { $AADApp = New-Object PSCustomObject $AADApp | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'App1' $AADApp | Add-Member -MemberType NoteProperty -Name Id -Value '5dcb2237-c61b-4258-9c85-eae2aaeba9d6' 
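Review bot: In the `The instance exists and values are NOT in the desired state` context the only drift is `ReviewerId = 'AlexW@contoso.com' # Drift`, yet the shared `Mock -Command Get-MgUser` returns the same `Id = '12345-12345-12345-12345-12345'` for any principal name while the policy mock's user reviewer is `/v1.0/users/e362df2b-8f61-4e5a-9e5e-c6069f3ed2ee`; unless Test-TargetResource compares on the principal name it reads back, the false result may come from the Id mismatch rather than the intended drift, and the in-state context may be passing for a reason that is equally unrelated. Making the Get-MgUser mock return the Id that the policy mock's Query contains, and adding a `(Get-TargetResource @testParams).Reviewers` assertion (this file has no Get test, unlike the other new test files in the commit), would pin the comparison. The three `Mock -Command ...` calls should also use `-CommandName` like the rest of the file.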
@@ -147,7 +147,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should return values from the get method' { (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - Should -Invoke -CommandName 'Get-MgApplication' -Exactly 2 + Should -Invoke -CommandName 'Get-MgBetaApplication' -Exactly 3 } It 'Should return false from the test method' { @@ -248,25 +248,12 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { PermissionIds = @('12345-12345-12345-12345-12345') } -ClientOnly ) - + } -ClientOnly Ensure = 'Present' Credential = $Credential } - Mock -CommandName Get-MgBetaApplication -MockWith { - $AADApp = New-Object PSCustomObject - $AADApp | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'App1' - $AADApp | Add-Member -MemberType NoteProperty -Name Id -Value '5dcb2237-c61b-4258-9c85-eae2aaeba9d6' - $AADApp | Add-Member -MemberType NoteProperty -Name AppId -Value '5dcb2237-c61b-4258-9c85-eae2aaeba9d6' - $AADApp | Add-Member -MemberType NoteProperty -Name AuthenticationBehaviors -Value @{ - blockAzureADGraphAccess = $false - removeUnverifiedEmailClaim = $true - requireClientServicePrincipal = $false - } - return $AADApp - } - Mock -CommandName Get-MgApplication -MockWith { $AADApp = New-Object PSCustomObject $AADApp | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'App1' $AADApp | Add-Member -MemberType NoteProperty -Name Id -Value '5dcb2237-c61b-4258-9c85-eae2aaeba9d6' 
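Review bot: The `@@ -248,25 +248,12 @@` hunk deletes the `Get-MgBetaApplication` mock but leaves the context line `Mock -CommandName Get-MgApplication -MockWith {` un-renamed, whereas every other context in this commit switches to `Mock -CommandName Get-MgBetaApplication -MockWith {` and the assertions now expect `Get-MgBetaApplication -Exactly 3`. If that mock is not renamed elsewhere in the file, the Beta cmdlet is unmocked in this context and the invocation count depends on whatever the stub returns. The fix is the same one-line rename as the other hunks; the mock body continues outside the hunk.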
@@ -349,13 +336,18 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $AADApp | Add-Member -MemberType NoteProperty -Name IdentifierUris -Value 'https://app.contoso.com' $AADApp | Add-Member -MemberType NoteProperty -Name Oauth2RequirePostResponse -Value $false $AADApp | Add-Member -MemberType NoteProperty -Name PublicClient -Value $false + $AADApp | Add-Member -MemberType NoteProperty -Name AuthenticationBehaviors -Value @{ + blockAzureADGraphAccess = $false + removeUnverifiedEmailClaim = $true + requireClientServicePrincipal = $false + } return $AADApp } } It 'Should return Values from the get method' { Get-TargetResource @testParams - Should -Invoke -CommandName 'Get-MgApplication' -Exactly 2 + Should -Invoke -CommandName 'Get-MgBetaApplication' -Exactly 3 } It 'Should return true from the test method' { @@ -380,7 +372,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential } - Mock -CommandName Get-MgApplication -MockWith { + Mock -CommandName Get-MgBetaApplication -MockWith { $AADApp = New-Object PSCustomObject $AADApp | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'App1' $AADApp | Add-Member -MemberType NoteProperty -Name Id -Value '5dcb2237-c61b-4258-9c85-eae2aaeba9d6' @@ -400,7 +392,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should return values from the get method' { Get-TargetResource @testParams - Should -Invoke -CommandName 'Get-MgApplication' -Exactly 2 + Should -Invoke -CommandName 'Get-MgBetaApplication' -Exactly 3 } It 'Should return false from the test method' { 
@@ -434,28 +426,20 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential } - Mock -CommandName Get-MgApplication -MockWith { - return $null - } - Mock -CommandName Get-MgBetaApplication -MockWith { - return @{ - id = '12345-12345-12345-12345-12345' - appId = '12345-12345-12345-12345-12345' - DisplayName = 'App1' - AuthenticationBehaviours = @{ - blockAzureADGraphAccess = $false - removeUnverifiedEmailClaim = $true - requireClientServicePrincipal = $false + return @( + @{ + id = '12345-12345-12345-12345-12345' + appId = '12345-12345-12345-12345-12345' + DisplayName = 'App1' } - - } + ) } } It 'Should return values from the get method' { Get-TargetResource @testParams - Should -Invoke -CommandName 'Get-MgApplication' -Exactly 1 + Should -Invoke -CommandName 'Get-MgBetaApplication' -Exactly 3 } It 'Should return false from the test method' { @@ -464,7 +448,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should call the new method' { Set-TargetResource @testParams - Should -Invoke -CommandName 'New-MgApplication' -Exactly 1 Should -Invoke -CommandName 'Update-MgBetaApplication' -Exactly 1 } @@ -505,14 +488,14 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential } - Mock -CommandName Get-MgApplication -MockWith { + Mock -CommandName Get-MgBetaApplication -MockWith { return $null } } It 'Should return values from the get method' { Get-TargetResource @testParams - Should -Invoke -CommandName 'Get-MgApplication' -Exactly 1 + Should -Invoke -CommandName 'Get-MgBetaApplication' -Exactly 1 } It 'Should return false from the test method' { 
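Review bot: After the `@@ -464,7 +448,6 @@` hunk drops `Should -Invoke -CommandName 'New-MgApplication' -Exactly 1`, the test named `It 'Should call the new method'` only asserts `Should -Invoke -CommandName 'Update-MgBetaApplication' -Exactly 1`, so its name no longer describes what it verifies and the creation path is no longer asserted at all. If creation now goes through the Beta cmdlet, add the matching `Should -Invoke` for it; otherwise rename the test to say it checks the update call. The `It` block's opening line is outside the hunk.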
@@ -533,7 +516,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Credential = $Credential } - Mock -CommandName Get-MgApplication -MockWith { + Mock -CommandName Get-MgBetaApplication -MockWith { $AADApp = New-Object PSCustomObject $AADApp | Add-Member -MemberType NoteProperty -Name DisplayName -Value 'App1' $AADApp | Add-Member -MemberType NoteProperty -Name Id -Value '5dcb2237-c61b-4258-9c85-eae2aaeba9d6' diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationRequirement.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationRequirement.Tests.ps1 new file mode 100644 index 0000000000..04b2234a09 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADAuthenticationRequirement.Tests.ps1 
@@ -0,0 +1,161 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + UserPrincipalName = "user@test.com" + PerUserMfaState = 'Enabled' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + UserPrincipalName = "user@test.com" + PerUserMfaState = 'Enabled' + Credential = $Credential; + } + } + } + + It 'Should return true from the Test method' { + 
Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state - Enable" -Fixture { + BeforeAll { + $testParams = @{ + UserPrincipalName = "user@test.com" + PerUserMfaState = 'Enabled' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + UserPrincipalName = "user@test.com" + PerUserMfaState = 'Disabled' + Credential = $Credential; + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).PerUserMfaState | Should -Be 'Disabled' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 -ParameterFilter { $Method -eq 'PATCH' } + } + } + + Context -Name "The instance exists and values are NOT in the desired state - Disable" -Fixture { + BeforeAll { + $testParams = @{ + UserPrincipalName = "user@test.com" + PerUserMfaState = 'Disabled' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + UserPrincipalName = "user@test.com" + PerUserMfaState = 'Enabled' + Credential = $Credential; + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).PerUserMfaState | Should -Be 'Enabled' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 -ParameterFilter { $Method -eq 'PATCH' } + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + 
return @{ + UserPrincipalName = "user@test.com" + PerUserMfaState = 'Enabled' + Credential = $Credential; + } + } + + Mock -CommandName Get-MgUser -MockWith { + return @{ + Id = "98ceffcc-7c54-4227-8844-835af5a023ce" + UserPrincipalName = "user@test.com" + Credential = $Credential; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConnectorGroupApplicationProxy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConnectorGroupApplicationProxy.Tests.ps1 new file mode 100644 index 0000000000..8b3034c05e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConnectorGroupApplicationProxy.Tests.ps1 
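Review bot: Every `Mock -CommandName Invoke-MgGraphRequest` and the `Get-MgUser` mock in this new file returns `Credential = $Credential;` inside the simulated Graph response, which is not a property a Graph call returns and makes the fixtures misleading; dropping that line from the five mocked hashtables leaves behaviour unchanged. The in-state context asserts only `Test-TargetResource`, while the two drift contexts also check `(Get-TargetResource @testParams).PerUserMfaState`; a matching Get assertion in the first context would pin the happy path as well.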
@@ -0,0 +1,198 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADConnectorGroupApplicationProxy" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaOnPremisePublishingProfileConnectorGroup -MockWith { + } + + Mock -CommandName New-MgBetaOnPremisePublishingProfileConnectorGroup -MockWith { + } + + Mock -CommandName Remove-MgBetaOnPremisePublishingProfileConnectorGroup -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The AADConnectorGroupApplicationProxy should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + Region = "nam" + Ensure = "Present" + Credential = 
$Credential; + } + + Mock -CommandName Get-MgBetaOnPremisePublishingProfileConnectorGroup -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaOnPremisePublishingProfileConnectorGroup -Exactly 1 + } + } + + Context -Name "The AADConnectorGroupApplicationProxy exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + Region = "nam" + Ensure = "Absent" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOnPremisePublishingProfileConnectorGroup -MockWith { + return @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + Region = "nam" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaOnPremisePublishingProfileConnectorGroup -Exactly 1 + } + } + Context -Name "The AADConnectorGroupApplicationProxy Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + Region = "nam" + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOnPremisePublishingProfileConnectorGroup -MockWith { + return @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + Region = "nam" + + } + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The 
AADConnectorGroupApplicationProxy exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + Region = "nam" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaOnPremisePublishingProfileConnectorGroup -MockWith { + return @{ + Id = "FakeStringValue" + Name = "NewFakeStringValue" + Region = "nam" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaOnPremisePublishingProfileConnectorGroup -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaOnPremisePublishingProfileConnectorGroup -MockWith { + return @{ + Id = "FakeStringValue" + Name = "FakeStringValue" + Region = "nam" + + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomSecurityAttributeDefinition.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomSecurityAttributeDefinition.Tests.ps1 new file mode 100644 index 0000000000..1d91bcc2b5 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADCustomSecurityAttributeDefinition.Tests.ps1 
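Review bot: In the `The AADConnectorGroupApplicationProxy exists but it SHOULD NOT` context, `It 'Should return true from the Test method'` asserts `Test-TargetResource @testParams | Should -Be $false`; the expectation is right for `Ensure = "Absent"` against an existing group, so the test name should read `It 'Should return false from the Test method'`. This file also hardcodes `-DscResource "AADConnectorGroupApplicationProxy"` instead of the `$CurrentScriptPath`/`$ResourceName` derivation the other new test files in this commit use, and it mocks `Get-PSSession`/`Remove-PSSession`, which no test here exercises; aligning with the siblings keeps the test files uniform.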
@@ -0,0 +1,245 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-MgBetaDirectoryCustomSecurityAttributeDefinition -MockWith{} + + Mock -CommandName Update-MgBetaDirectoryCustomSecurityAttributeDefinition -MockWith{} + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApplicationId = $ApplicationId; + AttributeSet = "ContosoSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IsCollection = $False; + IsSearchable = $True; 
+ Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDirectoryCustomSecurityAttributeDefinition -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + ##TODO - Replace the New-Cmdlet by the appropriate one + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDirectoryCustomSecurityAttributeDefinition -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApplicationId = $ApplicationId; + AttributeSet = "ContosoSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDirectoryCustomSecurityAttributeDefinition -MockWith { + return @{ + AttributeSet = 'ContosoSet' + IsCollection = $false + IsSearchable = $true + Name = "ShoeSize"; + Status = "Available"; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" 
+ Id = "ContosoSet_ShoeSize" + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDirectoryCustomSecurityAttributeDefinition -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApplicationId = $ApplicationId; + AttributeSet = "ContosoSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDirectoryCustomSecurityAttributeDefinition -MockWith { + return @{ + AttributeSet = 'ContosoSet' + IsCollection = $false + IsSearchable = $true + Name = "ShoeSize"; + Status = "Available"; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + Id = "ContosoSet_ShoeSize" + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApplicationId = $ApplicationId; + AttributeSet = "ContosoSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing? 
Drift" # drift + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDirectoryCustomSecurityAttributeDefinition -MockWith { + return @{ + AttributeSet = 'ContosoSet' + IsCollection = $false + IsSearchable = $true + Name = "ShoeSize"; + Status = "Available"; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + Id = "ContosoSet_ShoeSize" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDirectoryCustomSecurityAttributeDefinition -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDirectoryCustomSecurityAttributeDefinition -MockWith { + return @{ + AttributeSet = 'ContosoSet' + IsCollection = $false + IsSearchable = $true + Name = "ShoeSize"; + Status = "Available"; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + Id = "ContosoSet_ShoeSize" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADDeviceRegistrationPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADDeviceRegistrationPolicy.Tests.ps1 new file mode 100644 index 0000000000..5a438157f0 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADDeviceRegistrationPolicy.Tests.ps1 
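Review bot: Every `$testParams` hashtable in this file splats `ApplicationId = $ApplicationId`, `CertificateThumbprint = $CertificateThumbprint` and `TenantId = $TenantId`, but nothing in the file assigns those three variables, so the resource functions receive them as `$null` next to a real `Credential`; the sibling test files pass only `Credential`, and these three entries should be dropped (whether the resource tolerates null auth parameters I cannot tell from this diff). The Context named "The instance exists and values are NOT in the desired state" sets `Ensure = "Absent";`, so it repeats the "SHOULD NOT" Context rather than exercising the drifted `Description`; it should read `Ensure = "Present";` for the drift to be what drives the `$false` result. The `##TODO - Replace the New-Cmdlet by the appropriate one` comment in the first Context is stale now that the Set test already asserts on `New-MgBetaDirectoryCustomSecurityAttributeDefinition` and should be removed.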
@@ -0,0 +1,227 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "AADDeviceRegistrationPolicy" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Update-MgBetaDirectoryAttributeSet -MockWith { + } + + Mock -CommandName Remove-MgBetaDirectoryAttributeSet -MockWith { + } + + Mock -CommandName Get-MgUser -MockWith { + return @{ + id = '12345-12345-12345-12345-12345' + UserPrincipalName = "john.smith@contoso.com" + } + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return $null + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AzureADAllowedToJoin = "None"; + AzureADAllowedToJoinGroups = @(); + AzureADAllowedToJoinUsers = @(); + 
AzureAdJoinLocalAdminsRegisteringGroups = @(); + AzureAdJoinLocalAdminsRegisteringMode = "Selected"; + AzureAdJoinLocalAdminsRegisteringUsers = @("john.smith@contoso.com"); + IsSingleInstance = "Yes"; + LocalAdminPasswordIsEnabled = $False; + LocalAdminsEnableGlobalAdmins = $True; + MultiFactorAuthConfiguration = $False; + UserDeviceQuota = 50; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyDeviceRegistrationPolicy -MockWith { + return @{ + AzureAdJoin = @{ + IsAdminConfigurable = $true + AllowedToJoin = @{ + "@odata.type" = "#microsoft.graph.allDeviceRegistrationMembership" + } + LocalAdmins = @{ + EnableGlobalAdmins = $true + RegisteringUsers = @{ + AdditionalProperties = @{ + "@odata.type" = "#microsoft.graph.enumeratedDeviceRegistrationMembership" + users = @('12345-12345-12345-12345-12345') + groups = @() + } + } + } + } + AzureADRegistration = @{ + IsAdminConfigurable = $false + AllowedToRegister = @{ + "@odata.type" = "#microsoft.graph.allDeviceRegistrationMembership" + } + } + Description = "Tenant-wide policy that manages initial provisioning controls using quota restrictions, additional authentication and authorization checks" + DisplayName = "Device Registration Policy" + Id = "deviceRegistrationPolicy" + LocalAdminPassword = @{ + IsEnabled = $false + } + MultiFactorAuthConfiguration = "notRequired" + UserDeviceQuota = 50 + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AzureADAllowedToJoin = "Selected"; + AzureADAllowedToJoinGroups = @(); + AzureADAllowedToJoinUsers = @("john.smith@contoso.com"); + AzureAdJoinLocalAdminsRegisteringGroups = @(); + AzureAdJoinLocalAdminsRegisteringMode = "Selected"; + AzureAdJoinLocalAdminsRegisteringUsers = @("john.smith@contoso.com"); + IsSingleInstance = "Yes"; + LocalAdminPasswordIsEnabled = 
$False; + LocalAdminsEnableGlobalAdmins = $False; # drift + MultiFactorAuthConfiguration = $False; + UserDeviceQuota = 50; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyDeviceRegistrationPolicy -MockWith { + return @{ + AzureAdJoin = @{ + IsAdminConfigurable = $true + AllowedToJoin = @{ + "@odata.type" = "#microsoft.graph.allDeviceRegistrationMembership" + } + LocalAdmins = @{ + EnableGlobalAdmins = $true + RegisteringUsers = @{ + users = @() + groups = @() + "@odata.type" = "#microsoft.graph.enumeratedDeviceRegistrationMembership" + } + } + } + AzureADRegistration = @{ + IsAdminConfigurable = $false + AllowedToRegister = @{ + "@odata.type" = "#microsoft.graph.allDeviceRegistrationMembership" + } + } + Description = "Tenant-wide policy that manages initial provisioning controls using quota restrictions, additional authentication and authorization checks" + DisplayName = "Device Registration Policy" + Id = "deviceRegistrationPolicy" + LocalAdminPassword = @{ + IsEnabled = $false + } + MultiFactorAuthConfiguration = "notRequired" + UserDeviceQuota = 50 + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaPolicyDeviceRegistrationPolicy -MockWith { + return @{ + AzureAdJoin = @{ + IsAdminConfigurable = $true + AllowedToJoin = @{ + "@odata.type" = "#microsoft.graph.allDeviceRegistrationMembership" + } + LocalAdmins = @{ + EnableGlobalAdmins = $true + RegisteringUsers = @{ + users = @() + groups = @() + "@odata.type" = "#microsoft.graph.enumeratedDeviceRegistrationMembership" + } + } + } + 
AzureADRegistration = @{ + IsAdminConfigurable = $false + AllowedToRegister = @{ + "@odata.type" = "#microsoft.graph.allDeviceRegistrationMembership" + } + } + Description = "Tenant-wide policy that manages initial provisioning controls using quota restrictions, additional authentication and authorization checks" + DisplayName = "Device Registration Policy" + Id = "deviceRegistrationPolicy" + LocalAdminPassword = @{ + IsEnabled = $false + } + MultiFactorAuthConfiguration = "notRequired" + UserDeviceQuota = 50 + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADDomain.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADDomain.Tests.ps1 new file mode 100644 index 0000000000..8ecc01432d --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADDomain.Tests.ps1 
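Review bot: The BeforeAll block mocks `Update-MgBetaDirectoryAttributeSet` and `Remove-MgBetaDirectoryAttributeSet`, which look like leftovers from another resource's test: nothing in this file asserts on them and the Set test asserts `Invoke-MgGraphRequest` instead, so both mocks should be removed so the fixture only declares cmdlets this resource can actually call. In the "already in the desired state" Context the desired value `AzureADAllowedToJoin = "None"` is checked against a mock returning `#microsoft.graph.allDeviceRegistrationMembership`, and `MultiFactorAuthConfiguration = $False` against `"notRequired"`; if Test-TargetResource really returns `$true` there, those properties are presumably not being compared, which is worth confirming against the resource since it is not part of this diff. The first mock nests `users`/`groups` under `RegisteringUsers.AdditionalProperties` while the drift and export mocks put them directly under `RegisteringUsers`, so only one of the two shapes can match what the resource reads; the mocks should agree on one shape.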
@@ -0,0 +1,230 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Invoke-MgBetaForceDomainDelete -MockWith{ + } + + Mock -CommandName New-MgBetaDomain -MockWith { + } + + Mock -CommandName Update-MgBetaDomain -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AuthenticationType = "Managed"; + Ensure = "Present"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + 
PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDomain -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDomain -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AuthenticationType = "Managed"; + Ensure = "Absent"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDomain -MockWith { + return @{ + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgBetaForceDomainDelete -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AuthenticationType = "Managed"; + Ensure = "Present"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 
2147483647; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDomain -MockWith { + return @{ + Id = "contoso.com"; + AuthenticationType = "Managed"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AuthenticationType = "Managed"; + Ensure = "Present"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDomain -MockWith { + return @{ + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $False; #Drift + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDomain -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDomain -MockWith { + return @{ + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $False; #Drift + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + } + 
} + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflow.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflow.Tests.ps1 new file mode 100644 index 0000000000..98152b6d9f --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADIdentityGovernanceLifecycleWorkflow.Tests.ps1 
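Review bot: The Get-MgBetaDomain mock inside the 'ReverseDSC Tests' Context carries `IsRoot = $False; #Drift`, copied from the drift Context; an export test has no desired state to drift from, so the comment is misleading and the value should match the other mocks, `IsRoot = $True;`. In the "NOT in the desired state" Context the mock also omits `AuthenticationType`, which the "already in the desired state" mock returns as `"Managed"`, so two properties differ from `$testParams` and the test does not isolate the `IsRoot` drift it labels. Adding `AuthenticationType = "Managed";` to that mock (and to the "SHOULD NOT" mock, for consistency) leaves the `#Drift` line as the only difference.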
@@ -0,0 +1,240 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Update-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + } + + Mock -CommandName Remove-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + } + + Mock -CommandName New-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + } + + Mock -CommandName New-MgBetaIdentityGovernanceLifecycleWorkflowNewVersion -MockWith { + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowTask -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances 
=$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + ##TODO - Mock the Get-MgBetaIdentityGovernanceLifecycleWorkflow to return $null + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + return $null + } + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowTask -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityGovernanceLifecycleWorkflow -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + return @{ + Id = "random guid" + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + IsEnabled = $True; + IsSchedulingEnabled = $False; + } + } + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowTask -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should 
-Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaIdentityGovernanceLifecycleWorkflow -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = $null + ExecutionConditions = (New-CimInstance -ClassName MSFT_IdentityGovernanceWorkflowExecutionConditions -Property @{ + } -ClientOnly) + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + return @{ + Id = "random guid" + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + IsEnabled = $True; + IsSchedulingEnabled = $False; + } + } + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowTask -MockWith { + return $null + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + return @{ + Id = "random guid" + Category = "joiner"; + Description = "Drifted Description the onboard of prehire employee"; + DisplayName = "Onboard 
pre-hire employee updated version"; + IsEnabled = $True; + IsSchedulingEnabled = $False; + } + } + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowTask -MockWith { + return $null + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaIdentityGovernanceLifecycleWorkflowNewVersion -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflow -MockWith { + return @{ + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + IsEnabled = $True; + IsSchedulingEnabled = $False; + } + } + Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowTask -MockWith { + return $null + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADLifecycleWorkflowSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADLifecycleWorkflowSettings.Tests.ps1 new file mode 100644 index 0000000000..0581150cca --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADLifecycleWorkflowSettings.Tests.ps1 
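Review bot: The `##TODO - Mock the Get-MgBetaIdentityGovernanceLifecycleWorkflow to return $null` comment in the first Context sits directly above the mock that does exactly that, so it is stale and should be deleted. The 'ReverseDSC Tests' mock also omits the `Id = "random guid"` line that every other Get mock in the file returns; if Export-TargetResource looks up tasks by workflow id (the resource is not in this diff, so this is inferred), the export path is being exercised with a null id, and adding `Id = "random guid"` keeps the export fixture consistent with the rest. Only the "already in the desired state" Context passes `Tasks = $null` and an empty `ExecutionConditions` CIM instance, so no Context checks how a non-empty value of either is compared or updated.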
@@ -0,0 +1,113 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$CurrentScriptPath = $PSCommandPath.Split('\')
+$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1]
+$ResourceName = $CurrentScriptName.Split('.')[1]
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource $ResourceName -GenericStubModule $GenericStubPath
+
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+
+ $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return "Credentials"
+ }
+
+ Mock -CommandName Update-MgBetaIdentityGovernanceLifecycleWorkflowSetting -MockWith {
+ }
+
+ Mock -CommandName Get-MgBetaIdentityGovernanceLifecycleWorkflowSetting -MockWith {
+ return @{
+ EmailSettings = @{
+ SenderDomain = 'contoso.com'
+ UseCompanyBranding = $True;
+ }
+ WorkflowScheduleIntervalInHours = 10;
+
+ }
+ }
+
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+ }
+ # Test contexts
+
+ Context -Name "The instance exists and values are already in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ IsSingleInstance = "Yes";
+ SenderDomain = "contoso.com";
+ UseCompanyBranding = $True;
+ WorkflowScheduleIntervalInHours = 10;
+ Credential = $Credential;
+ }
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name "The instance exists and values are NOT in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ IsSingleInstance = "Yes";
+ SenderDomain = "contoso.com";
+ UseCompanyBranding = $True;
+ WorkflowScheduleIntervalInHours = 11; # Drift
+ Credential = $Credential;
+ }
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should call the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Update-MgBetaIdentityGovernanceLifecycleWorkflowSetting -Exactly 1
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential;
+ }
+ }
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.ADOPermissionGroupSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.ADOPermissionGroupSettings.Tests.ps1
new file mode 100644
index 0000000000..2ac94144c9
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.ADOPermissionGroupSettings.Tests.ps1
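Review bot: No Context in this file asserts on Get-TargetResource, so a regression in the mapping from `EmailSettings.SenderDomain` or `WorkflowScheduleIntervalInHours` to the resource's flat parameters would only surface indirectly through Test-TargetResource. The sibling test files in this commit add a Get check per Context; the first Context here could carry `It 'Should return Values from the Get method' { (Get-TargetResource @testParams).SenderDomain | Should -Be 'contoso.com' }`. The single Get mock in BeforeAll is shared by all three Contexts, which is fine for these cases but means the export test and the drift test cannot diverge in what the tenant returns.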
@@ -0,0 +1,169 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AllowPermissions = @( + (New-Ciminstance -className MSFT_ADOPermission -Property @{ + NamespaceId = '5a27515b-ccd7-42c9-84f1-54c998f03866' + DisplayName = 'Edit identity information' + Bit = '2' + Token = 'f6492b10-7ae8-4641-8208-ff5c364a6154\dbe6034e-8fbe-4d6e-a7f3-07a7e70816c9' + } -ClientOnly) + ); + Credential = $Credential; + 
DenyPermissions = @(); + Descriptor = "vssgp.Uy0xLTktMTU1MTM3NDI0NS0yNzEyNzI0MzgtMzkwMDMyNjIxNC0yMTgxNjI3NzQwLTkxMDg0NDI0NC0xLTgyODcyNzAzNC0yOTkzNjA0MTcxLTI5MjUwMjk4ODgtNTY0MDg1OTcy"; + GroupName = "[O365DSC-DEV]\My Test Group"; + OrganizationName = "O365DSC-DEV"; + } + + Mock -CommandName Invoke-M365DSCAzureDevOPSWebRequest -MockWith { + return @{ + value = @{ + token ='f6492b10-7ae8-4641-8208-ff5c364a6154\dbe6034e-8fbe-4d6e-a7f3-07a7e70816c9' + acesDictionary = @( + @{ + descriptor = @{ + Allow = 2 + Deny = 0 + } + } + ) + } + principalName = "[O365DSC-DEV]\My Test Group" + Descriptor = "vssgp.Uy0xLTktMTU1MTM3NDI0NS0yNzEyNzI0MzgtMzkwMDMyNjIxNC0yMTgxNjI3NzQwLTkxMDg0NDI0NC0xLTgyODcyNzAzNC0yOTkzNjA0MTcxLTI5MjUwMjk4ODgtNTY0MDg1OTcy"; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AllowPermissions = @( + (New-Ciminstance -className MSFT_ADOPermission -Property @{ + NamespaceId = '5a27515b-ccd7-42c9-84f1-54c998f03866' + DisplayName = 'Edit identity information' + Bit = '8' # Drift + Token = 'f6492b10-7ae8-4641-8208-ff5c364a6154\dbe6034e-8fbe-4d6e-a7f3-07a7e70816c9' + } -ClientOnly) + ); + Credential = $Credential; + DenyPermissions = @(); + Descriptor = "vssgp.Uy0xLTktMTU1MTM3NDI0NS0yNzEyNzI0MzgtMzkwMDMyNjIxNC0yMTgxNjI3NzQwLTkxMDg0NDI0NC0xLTgyODcyNzAzNC0yOTkzNjA0MTcxLTI5MjUwMjk4ODgtNTY0MDg1OTcy"; + GroupName = "[O365DSC-DEV]\My Test Group"; + OrganizationName = "O365DSC-DEV"; + } + + Mock -CommandName Invoke-M365DSCAzureDevOPSWebRequest -MockWith { + return @{ + value = @{ + token ='f6492b10-7ae8-4641-8208-ff5c364a6154\dbe6034e-8fbe-4d6e-a7f3-07a7e70816c9' + acesDictionary = @( + @{ + descriptor = @{ + Allow = 2 + Deny = 0 + } + } + ) + principalName = "[O365DSC-DEV]\My Test Group" + Descriptor = 
"vssgp.Uy0xLTktMTU1MTM3NDI0NS0yNzEyNzI0MzgtMzkwMDMyNjIxNC0yMTgxNjI3NzQwLTkxMDg0NDI0NC0xLTgyODcyNzAzNC0yOTkzNjA0MTcxLTI5MjUwMjk4ODgtNTY0MDg1OTcy"; + } + } + } + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Invoke-M365DSCAzureDevOPSWebRequest -MockWith { + return @{ + value = @{ + token ='f6492b10-7ae8-4641-8208-ff5c364a6154\dbe6034e-8fbe-4d6e-a7f3-07a7e70816c9' + acesDictionary = @( + @{ + descriptor = @{ + Allow = 2 + Deny = 0 + } + } + ) + principalName = "[O365DSC-DEV]\My Test Group" + Descriptor = "vssgp.Uy0xLTktMTU1MTM3NDI0NS0yNzEyNzI0MzgtMzkwMDMyNjIxNC0yMTgxNjI3NzQwLTkxMDg0NDI0NC0xLTgyODcyNzAzNC0yOTkzNjA0MTcxLTI5MjUwMjk4ODgtNTY0MDg1OTcy"; + AccountName = 'O365DSC-Dev' + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOATPBuiltInProtectionRule.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOATPBuiltInProtectionRule.Tests.ps1 new file mode 100644 index 0000000000..ccbf521cb5 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOATPBuiltInProtectionRule.Tests.ps1 
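Review bot: The two `Invoke-M365DSCAzureDevOPSWebRequest` mocks in the "desired state" and "NOT in the desired state" contexts return differently shaped objects: in the first, `principalName` and `Descriptor` are siblings of `value`, while in the second they sit inside `value`, and the ReverseDSC mock follows the second shape and adds `AccountName`. Since both contexts produce the expected Test result regardless, the likely explanation is that the resource never reads those fields from the response, which means the tests are not pinning the response contract the real Get relies on; the shapes should be made identical and match the actual API payload. Also, `It 'Should call the Set method'` in the drift context only invokes `Set-TargetResource @testParams` with no assertion, so it passes as long as Set does not throw; add `Should -Invoke -CommandName Invoke-M365DSCAzureDevOPSWebRequest -Exactly 1` (or whatever count the update path issues) so a Set that silently does nothing to the ACE fails the test.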
@@ -0,0 +1,121 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Set-ATPBuiltInProtectionRule -MockWith { + + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ExceptIfRecipientDomainIs = @("contoso.com","fabrikam.com"); + Identity = "ATP Built-In Protection Rule"; + Credential = $Credential; + } + + Mock -CommandName Get-ATPBuiltInProtectionRule -MockWith { + return @{ + ExceptIfRecipientDomainIs = 
@("contoso.com","fabrikam.com"); + Identity = "ATP Built-In Protection Rule"; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ExceptIfRecipientDomainIs = @("fabrikam.com"); # Drift + Identity = "ATP Built-In Protection Rule"; + Credential = $Credential; + } + + Mock -CommandName Get-ATPBuiltInProtectionRule -MockWith { + return @{ + ExceptIfRecipientDomainIs = @("contoso.com","fabrikam.com"); + Identity = "ATP Built-In Protection Rule"; + } + } + } + + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-ATPBuiltInProtectionRule -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-ATPBuiltInProtectionRule -MockWith { + return @{ + ExceptIfRecipientDomainIs = @("contoso.com","fabrikam.com"); + Identity = "ATP Built-In Protection Rule"; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMigrationEndpoint.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMigrationEndpoint.Tests.ps1 new file mode 100644 index 0000000000..1afff8ab03 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMigrationEndpoint.Tests.ps1 
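Review bot: The drift context only covers a desired exception list that is a strict subset of the current one (`@("fabrikam.com")` vs. both domains); there is no case where the desired `ExceptIfRecipientDomainIs` is empty while the tenant still has exceptions configured. Empty-array versus populated-array comparisons are a recurring source of false "in desired state" results in DSC resources, and here a false positive would leave recipient domains excluded from the built-in protection rule without the configuration ever reporting drift. A fourth context with `ExceptIfRecipientDomainIs = @();` in `$testParams` and the existing Get mock, asserting `Test-TargetResource @testParams | Should -Be $false` and `Should -Invoke -CommandName Set-ATPBuiltInProtectionRule -Exactly 1`, would close that gap.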
@@ -0,0 +1,253 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MigrationEndpoint -MockWith { + } + + Mock -CommandName Set-MigrationEndpoint -MockWith { + } + + Mock -CommandName New-MigrationEndpoint -MockWith { + } + + Mock -CommandName Remove-MigrationEndpoint -MockWith { + } + + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + EndpointType = "IMAP"; + Identity = "testIMAP"; 
+ MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MigrationEndpoint -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MigrationEndpoint -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + EndpointType = "IMAP"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MigrationEndpoint -MockWith { + return @{ + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + EndpointType = "IMAP"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MigrationEndpoint -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + 
$testParams = @{ + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + EndpointType = "IMAP"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MigrationEndpoint -MockWith { + return @{ + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + EndpointType = "IMAP"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + EndpointType = "IMAP"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MigrationEndpoint -MockWith { + return @{ + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + EndpointType = "IMAP"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "None"; + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 
Set-MigrationEndpoint -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MigrationEndpoint -MockWith { + return @{ + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + EndpointType = "IMAP"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 new file mode 100644 index 0000000000..d3d8323968 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 
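Review bot: Every `It 'Should return Values from the Get method'` in this file only asserts `.Ensure`, so the properties that actually matter for this endpoint — `Security`, `AcceptUntrustedCertificates` and `Authentication` — are never checked to round-trip through Get, and a Get that drops or defaults them would only be noticed indirectly via Test. In the drift context, where the mock returns `Security = "None"`, it would be worth asserting the value directly, e.g. `(Get-TargetResource @testParams).Security | Should -Be 'None'`, and likewise `AcceptUntrustedCertificates | Should -Be $true` in the present-and-compliant context. Note also that `MaxConcurrentIncrementalSyncs` and `MaxConcurrentMigrations` are supplied as strings (`"10"`, `"20"`) while `Port` is an integer; if the schema declares the former as numeric, the fixtures are masking a type coercion that the real cmdlet may not perform.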
@@ -0,0 +1,390 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneAccountProtectionPolicyWindows10" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = 'fcef01f2-439d-4c3f-9184-823fd6e97646_1' + } + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + 
} + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_passportforwork_{tenantid}_policies_pincomplexity_history' + Name = 'History' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_passportforwork_{tenantid}' + parentSettingId = 'device_vendor_msft_passportforwork_{tenantid}' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_passportforwork_{tenantid}' + Name = '{TenantId}' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + childIds = @( + 'device_vendor_msft_passportforwork_{tenantid}_policies_pincomplexity_history' + ) + maximumCount = 1 + minimumCount = 0 + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_passportforwork_{tenantid}' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '0ece2bdc-57c1-4be9-93e9-ac9c395a9c94' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_passportforwork_{tenantid}_policies_pincomplexity_history' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue' + value = '10' + } + } + ) + } + ) + } + } + }, + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 'user_vendor_msft_passportforwork_{tenantid}_policies_pincomplexity_history' + Name = 'History' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 
'user_vendor_msft_passportforwork_{tenantid}' + parentSettingId = 'user_vendor_msft_passportforwork_{tenantid}' + } + ) + } + }, + @{ + Id = 'user_vendor_msft_passportforwork_{tenantid}' + Name = '{TenantId}' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + childIds = @( + 'user_vendor_msft_passportforwork_{tenantid}_policies_pincomplexity_history' + ) + maximumCount = 1 + minimumCount = 0 + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'user_vendor_msft_passportforwork_{tenantid}' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '0ece2bdc-57c1-4be9-93e9-ac9c395a9c94' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'user_vendor_msft_passportforwork_{tenantid}_policies_pincomplexity_history' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue' + value = '20' + } + } + ) + } + ) + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = 
'#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneAccountProtectionPolicyWindows10 should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ + History = 10 + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ + History = 20 + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneAccountProtectionPolicyWindows10 exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = 
'#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ + History = 10 + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ + History = 20 + } -ClientOnly + ) + Ensure = "Absent" + Credential = $Credential + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneAccountProtectionPolicyWindows10 Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ + History = 10 + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + 
UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ + History = 20 + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneAccountProtectionPolicyWindows10 exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ + History = 10 + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ + History = 30 # Drift + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + 
$testParams = @{ + Credential = $Credential + } + } + + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 new file mode 100644 index 0000000000..c72f26f30e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 
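Review bot: The test name `It 'Should Create the group from the Set method'` (and its `Remove the group` counterpart) describes a group, but the assertions are on `New-MgBetaDeviceManagementConfigurationPolicy` / `Remove-MgBetaDeviceManagementConfigurationPolicy`, so these look copied from a group resource test; rename them to `'Should create the policy from the Set method'` and `'Should remove the policy from the Set method'`. The `Get-PSSession` and `Remove-PSSession` mocks in the top-level BeforeAll appear unused by a Graph-based Intune resource and can presumably be dropped, though I cannot see the resource module to confirm. The drift context changes only `UserSettings.History` (30 vs. 20); since the Get mock for `Get-MgBetaDeviceManagementConfigurationPolicySetting` returns separate device and user instances, a second drift case on `DeviceSettings.History` would confirm both collections are compared rather than just the last one.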
@@ -0,0 +1,347 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneAppAndBrowserIsolationPolicyWindows10" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '9f667e40-8f3c-4f88-80d8-457f16906315_1' + } + } + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName 
Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard' + Name = 'InstallWindowsDefenderApplicationGuard' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard' + Name = 'AllowWindowsDefenderApplicationGuard' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence' + Name = 'AllowPersistence' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu' + Name = 'AllowVirtualGPU' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection' + Name = 'AllowCameraMicrophoneRedirection' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + Settinginstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '1f2529c7-4b06-4ae6-bebc-210f7135676f' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 
'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence_0' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu_0' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection_1' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard_install' + } + } + ) + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard_1' + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + 
DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10 should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10 exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + 
groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Absent' + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10 Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Present' + Credential = $Credential; + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10 exists and values are NOT in the desired 
state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "0"; # Updated property + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Present' + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDerivedCredential.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDerivedCredential.Tests.ps1 new file mode 100644 index 0000000000..1d23b82ab7 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDerivedCredential.Tests.ps1 
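Review bot: In the context "The IntuneAppAndBrowserIsolationPolicyWindows10 exists but it SHOULD NOT", the test titled `It 'Should return true from the Test method'` asserts `Should -Be $false`; the assertion is the correct expectation for Ensure = 'Absent' against an existing policy, so the title should become `It 'Should return false from the Test method' {` so that a failure reports the intended behaviour. The neighbouring titles `'Should Create the group from the Set method'` and `'Should Remove the group from the Set method'` read like a copy-paste from a group resource; `'Should create the policy from the Set method'` and `'Should remove the policy from the Set method'` would match the cmdlets actually invoked (New-/Remove-MgBetaDeviceManagementConfigurationPolicy). The mock key `Settinginstance` in the Get-MgBetaDeviceManagementConfigurationPolicySetting fixture is spelled `SettingInstance` in the sibling EDR test; hashtable keys are case-insensitive so this is cosmetic, but aligning the spelling avoids confusion when the fixtures are compared.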
@@ -0,0 +1,207 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementDerivedCredential -MockWith { + } + Mock -CommandName New-MgBetaDeviceManagementDerivedCredential -MockWith { + } + Mock -CommandName Remove-MgBetaDeviceManagementDerivedCredential -MockWith { + } + + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + Context -Name " 1. 
The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + DisplayName = "K5"; + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDerivedCredential -MockWith { + return $null + } + } + It ' 1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It ' 1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It ' 1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementDerivedCredential -Exactly 1 + } + } + + Context -Name " 2. The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Absent' + DisplayName = "K5"; + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDerivedCredential -MockWith { + return @{ + DisplayName = "K5"; + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + } + } + } + It ' 2.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It ' 2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It ' 2.3 Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementDerivedCredential -Exactly 1 + } + } + + Context -Name " 3. 
The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + DisplayName = "K5"; + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDerivedCredential -MockWith { + return @{ + Ensure = 'Present' + DisplayName = "K5"; + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + } + } + } + + It ' 3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name " 4. The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Ensure = 'Present' + DisplayName = "K5"; + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDerivedCredential -MockWith { + return @{ + DisplayName = "K5 drift"; #drift + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + } + } + } + + It ' 4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It ' 4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + # Update is not allowed on DerivedCredential resource so it should be called 0 times. + } + + Context -Name ' 5. 
ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementDerivedCredential -MockWith { + return @{ + DisplayName = "K5"; + HelpUrl = "http://www.ff.com/"; + Id = "a409d85f-2a49-440d-884a-80fb52a557ab"; + Issuer = "purebred"; + NotificationType = "email"; + } + } + } + It ' 5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 index fc863b5c09..e9801b6c53 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 
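Review bot: `$ResourceName` is derived with `$PSCommandPath.Split('\')`, which only splits on a backslash; when the tests run under PowerShell 7 on Linux or macOS the separator is `/`, so `$CurrentScriptName` remains the full path and `.Split('.')[1]` picks the first dot anywhere in that path (a dotted directory, for example) instead of the resource name, and New-M365DscUnitTestHelper would be given a wrong -DscResource. A separator-neutral replacement for the three lines is `$ResourceName = (Split-Path -Path $PSCommandPath -Leaf).Split('.')[1]`. The same pattern appears in the new IntuneMobileAppsMacOSLobApp test below, whose hunk continues past this chunk. The comment in context 4 states that update is not allowed so Set should be called 0 times, but nothing asserts it; if Set-TargetResource is meant to be a no-op there, an `It` that runs `Set-TargetResource @testParams` and checks `Should -Invoke -CommandName New-MgBetaDeviceManagementDerivedCredential -Exactly 0` (and Remove likewise) would pin that — confirm against the resource's Set implementation first.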
@@ -44,12 +44,101 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplate -MockWith { + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { return @{ - TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + Platforms = "windows10" + Technologies = "mdm,microsoftSense" + TemplateReference = @{ + TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' + } } } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding' + Name = 'Onboarding' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + valueDefinition = @{ + isSecret = $true + } + } + } + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype' + Name = 'ClientConfigurationPackageType' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '23ab0ea3-1b12-429a-8ed0-7390cf699160' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @( + @{ + settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding' + '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSecretSettingValue' + value = '84db67dd-caf8-4f86-bf00-b8897972d51f' + valueState = 'encryptedValueToken' + } + } + ) + value = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboard' + } + value = "TEST" + } + } + } + @{ + Id = 1 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' + Name = 'SampleSharing' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" + } + } + } + } + ) + } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { return @(@{ Id = '12345-12345-12345-12345-12345' 
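Review bot: The Get-MgBetaDeviceManagementConfigurationPolicySetting mock places a `value = "TEST"` key inside the instance's `AdditionalProperties` next to `choiceSettingValue`; no other setting instance in these fixtures carries such a key and it looks like a leftover from editing, so it should be removed so the mock only contains the shape the resource parses. The onboarding setting is modelled as a secret (`isSecret = $true`, `valueState = 'encryptedValueToken'`), which means Get can only ever observe a token for ConfigurationBlob rather than the blob itself; the later contexts (hunks `@@ -141,39 +220,9 @@` and `@@ -206,32 +255,9 @@`) pass `ConfigurationBlob = "FakeValue"` but only exercise drift on sampleSharing, so a case stating whether a differing blob alone is expected to trigger Update-IntuneDeviceConfigurationPolicy would document the intended comparison semantics — presumably it should not, since the token is not comparable; confirm against Test-TargetResource. `Id = 0` here is an integer while the sibling new test files use `'0'`; harmless, but consistent typing avoids surprises if the Id is ever string-compared.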
@@ -69,18 +158,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - SettingInstanceTemplate = @{ - settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - settingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - } - } # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { @@ -105,6 +182,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" sampleSharing = "0" } 
@@ -141,39 +220,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - sampleSharing = "0" - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_1" - } - } - - } - AdditionalProperties = $null - } - } - Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "1" # Drift } } @@ -187,7 +236,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the instance from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-DeviceManagementConfigurationPolicy -Exactly 1 + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 } } 
@@ -206,32 +255,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceAndAppManagementAssignmentFilterType = 'none' } -ClientOnly) ) - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } - } + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "0" } } 
@@ -254,35 +280,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "1" } } 
@@ -307,38 +307,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{ - TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 new file mode 100644 index 0000000000..abfda47b65 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsMacOSLobApp.Tests.ps1 
@@ -0,0 +1,333 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName New-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName Update-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName Remove-MgBetaDeviceAppManagementMobileApp -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{} + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + + $Script:exportedInstances =$null + 
$Script:ExportMode = $false + } + + # Test contexts + Context -Name "1. The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "TeamsForBusinessInstaller" + Developer = "Contoso" + DisplayName = "TeamsForBusinessInstaller" + InformationUrl = "" + IsFeatured = $False + MinimumSupportedOperatingSystem = [CimInstance]( + New-CimInstance -ClassName MSFT_DeviceManagementMinimumOperatingSystem -Property @{ + v11_0 = $true + } -ClientOnly) + Notes = "" + Owner = "" + PrivacyInformationUrl = "" + Publisher = "Contoso" + RoleScopeTagIds = @() + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return $null + } + } + + It '1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It '1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name "2. 
The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "ad027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "TeamsForBusinessInstaller" + Developer = "Contoso" + DisplayName = "TeamsForBusinessInstaller" + InformationUrl = "" + IsFeatured = $False + MinimumSupportedOperatingSystem = [CimInstance]( + New-CimInstance -ClassName MSFT_DeviceManagementMinimumOperatingSystem -Property @{ + v11_0 = $true + } -ClientOnly) + Notes = "" + Owner = "" + PrivacyInformationUrl = "" + Publisher = "Contoso" + RoleScopeTagIds = @() + IgnoreVersionDetection = $True + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "ad027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "TeamsForBusinessInstaller" + Developer = "Contoso" + DisplayName = "TeamsForBusinessInstaller" + InformationUrl = "" + IsFeatured = $False + Notes = "" + Owner = "" + PrivacyInformationUrl = "" + Publisher = "Contoso" + PublishingState = "published" + RoleScopeTagIds = @() + IgnoreVersionDetection = $True + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.macOSLobApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + Ensure = 'Present' + } + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '2.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '2.3 Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name "3. 
The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "TeamsForBusinessInstaller" + Developer = "Contoso" + DisplayName = "TeamsForBusinessInstaller" + InformationUrl = "" + IsFeatured = $False + MinimumSupportedOperatingSystem = [CimInstance]( + New-CimInstance -ClassName MSFT_DeviceManagementMinimumOperatingSystem -Property @{ + v11_0 = $true + } -ClientOnly) + Notes = "" + Owner = "" + PrivacyInformationUrl = "" + Publisher = "Contoso" + RoleScopeTagIds = @() + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "TeamsForBusinessInstaller" + Developer = "Contoso" + DisplayName = "TeamsForBusinessInstaller" + InformationUrl = "" + IsFeatured = $False + Notes = "" + Owner = "" + PrivacyInformationUrl = "" + Publisher = "Contoso" + PublishingState = "published" + RoleScopeTagIds = @() + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.macOSLobApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + } + } + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "4. 
The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "TeamsForBusinessInstaller" + Developer = "Contoso" + DisplayName = "TeamsForBusinessInstaller" + InformationUrl = "" + IsFeatured = $False + MinimumSupportedOperatingSystem = [CimInstance]( + New-CimInstance -ClassName MSFT_DeviceManagementMinimumOperatingSystem -Property @{ + v11_0 = $true + } -ClientOnly) + Notes = "" + Owner = "" + PrivacyInformationUrl = "" + Publisher = "Contoso" + RoleScopeTagIds = @() + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "TeamsForBusinessInstaller" + Developer = "Contoso" + DisplayName = "TeamsForBusinessInstaller drift" + InformationUrl = "" + IsFeatured = $False + Notes = "" + Owner = "" + PrivacyInformationUrl = "" + Publisher = "Contoso" + PublishingState = "published" + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.macOSLobApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + } + } + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '4.3 Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name '5. 
ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "TeamsForBusinessInstaller" + Developer = "Contoso" + DisplayName = "TeamsForBusinessInstaller drift" + InformationUrl = "" + IsFeatured = $False + Notes = "" + Owner = "" + PrivacyInformationUrl = "" + Publisher = "Contoso" + PublishingState = "published" + RoleScopeTagIds = @() + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.macOSLobApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + } + } + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsWindowsOfficeSuiteApp.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsWindowsOfficeSuiteApp.Tests.ps1 new file mode 100644 index 0000000000..ff169134f0 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsWindowsOfficeSuiteApp.Tests.ps1 
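Review bot: Context 4's Get mock differs from `$testParams` in two places at once — `DisplayName = "TeamsForBusinessInstaller drift"` and the omitted `RoleScopeTagIds` — so 4.2 and 4.3 pass whichever of the two comparisons the resource actually performs; add `RoleScopeTagIds = @()` to that mock so the DisplayName change is the only drift under test. Context 2's mock return puts `Ensure = 'Present'` on the object the Graph cmdlet supposedly returned; `Ensure` is a DSC-only key, so presumably the resource ignores it, but it misrepresents the API shape and should go. The Set tests assert only the cmdlet expected to fire; pairing 1.3 with `Should -Invoke -CommandName Update-MgBetaDeviceAppManagementMobileApp -Exactly 0` (and the matching negative checks in 2.3 and 4.3) would also catch a Set that creates and then updates the same app.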
@@ -0,0 +1,386 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName New-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName Update-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName Remove-MgBetaDeviceAppManagementMobileApp -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{} + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + + $Script:exportedInstances =$null + 
$Script:ExportMode = $false + } + + # Test contexts + Context -Name "1. The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + PrivacyInformationUrl = "" + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + RoleScopeTagIds = @() + Notes = "" + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return $null + } + } + + It '1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It '1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name "2. 
The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "ad027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "ad027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and laterr" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + Ensure = 'Present' + } + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '2.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '2.3 
Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name "3. The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.officeSuiteApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + Ensure = 'Present' + } + } + + # Remove Assignments logic for now as we debug this part + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "4. 
The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later drift" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.officeSuiteApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + } + } + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } 
+ It '4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '4.3 Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name '5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later drift" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.officeSuiteApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + } + } + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
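Review bot: Context 2's Get mock has `Description = "Microsoft 365 Apps for Windows 10 and laterr"` (extra `r`), an unintended drift that Ensure = 'Absent' happens to mask; change it to `Description = "Microsoft 365 Apps for Windows 10 and later"`. Context 3 is the only place that asserts a true Test result, yet it is also the only context whose `$testParams` omits `ExcludedApps`, so the one property specific to this resource is never compared in the desired-state path; add the same `ExcludedApps` CimInstance to `$testParams` there. The mocks' `AdditionalProperties` also carry `minimumSupportedOperatingSystem = @{ v11_0 = $true }`, which looks inherited from the macOS LOB fixture — confirm whether an officeSuiteApp object has it at all. The comment `# Remove Assignments logic for now as we debug this part` reads as a leftover; either drop it or make it `# TODO(<owner>): assignment mocks return $null until <tracking-issue>`.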
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1
new file mode 100644
index 0000000000..a232790964
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1
@@ -0,0 +1,500 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneSecurityBaselineMicrosoft365AppsForEnterprise" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '90316f12-246d-44c6-a767-f87692e86083_2' + } + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting 
-MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + Name = 'L_ProtectionFromZoneElevation' + OffsetUri = '/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_SecuritySettingsMachine~L_IESecurity/L_ProtectionFromZoneElevation' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99' + Name = 'L_excelexe99' + OffsetUri = '/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_SecuritySettingsMachine~L_IESecurity/L_ProtectionFromZoneElevation' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'False' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99_0' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + }, + @{ + name = 'True' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99_1' + dependentOn = @( + @{ + dependentOn = 
'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + } + ) + } + }, + @{ + Id = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98' + Name = 'L_grooveexe98' + OffsetUri = '/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_SecuritySettingsMachine~L_IESecurity/L_ProtectionFromZoneElevation' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'False' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98_0' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + }, + @{ + name = 'True' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98_1' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + } + ) + } + }, + @{ + Id = 
'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100' + Name = 'L_mspubexe100' + OffsetUri = '/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_SecuritySettingsMachine~L_IESecurity/L_ProtectionFromZoneElevation' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'False' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100_0' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + }, + @{ + name = 'True' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100_1' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '7f23a242-9f64-47a5-8a57-a4675ca74c2b' + } + AdditionalProperties = @{ + '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + value = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98_1' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99_1' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100_1' + } + } + ) + } + } + } + }, + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 
'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates' + Name = 'L_Word2003BinaryDocumentsAndTemplates' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'Enabled' + itemId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_1' + } + ) + } + }, + @{ + Id = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid' + Name = 'L_Word2003BinaryDocumentsAndTemplatesDropID' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'Open/Save blocked, use open policy' + itemId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid_2' + dependentOn = @( + @{ + dependentOn = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_1' + parentSettingId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates' + } + ) + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 
'23436aa2-f056-40bd-aca3-9bc84b2aeff0' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + value = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_1' + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid' + choiceSettingValue = @{ + children = @() + value = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid_2' + } + } + ) + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneSecurityBaselineMicrosoft365AppsForEnterprise should exist but it DOES NOT" 
-Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + L_Word2003BinaryDocumentsAndTemplates = '1' + L_Word2003BinaryDocumentsAndTemplatesDropID = '2' + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneSecurityBaselineMicrosoft365AppsForEnterprise exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + 
} -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + L_Word2003BinaryDocumentsAndTemplates = '1' + L_Word2003BinaryDocumentsAndTemplatesDropID = '2' + } -ClientOnly + ) + Ensure = "Absent" + Credential = $Credential + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneSecurityBaselineMicrosoft365AppsForEnterprise Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + 
UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + L_Word2003BinaryDocumentsAndTemplates = '1' + L_Word2003BinaryDocumentsAndTemplatesDropID = '2' + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneSecurityBaselineMicrosoft365AppsForEnterprise exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '0' # Drift + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + L_Word2003BinaryDocumentsAndTemplates = '1' + L_Word2003BinaryDocumentsAndTemplatesDropID = '2' + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context 
-Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 new file mode 100644 index 0000000000..c5f003a76e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 
@@ -0,0 +1,359 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneSecurityBaselineMicrosoftEdge" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = 'c66347b7-8325-4954-a235-3bf2233dfbfd_2' + } + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + 
+ Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed' + Name = 'InsecurePrivateNetworkRequestsAllowed' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'c6dec9f2-a235-4878-8462-e88569b47e0b' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed_0' + } + } + } + }, + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed' + Name = 'InternetExplorerIntegrationReloadInIEModeAllowed' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'fd416796-3442-405c-9f9e-e1ca3c0b9e3f' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 
'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed_0' + } + } + } + }, + @{ + Id = '2' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed' + Name = 'InternetExplorerIntegrationZoneIdentifierMhtFileAllowed' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'ba15aa09-ea95-49bd-92bf-de9cec9c1146' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed_0' + } + } + } + }, + @{ + Id = '3' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled' + Name = 'InternetExplorerModeToolbarButtonEnabled' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'fd416796-3442-405c-9f9e-e1ca3c0b9e3f' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 
'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled_0' + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneSecurityBaselineMicrosoftEdge should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + InsecurePrivateNetworkRequestsAllowed = "0" + InternetExplorerIntegrationReloadInIEModeAllowed = "0" + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0" + InternetExplorerModeToolbarButtonEnabled = "0" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return 
Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneSecurityBaselineMicrosoftEdge exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + InsecurePrivateNetworkRequestsAllowed = "0" + InternetExplorerIntegrationReloadInIEModeAllowed = "0" + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0" + InternetExplorerModeToolbarButtonEnabled = "0" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Absent" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneSecurityBaselineMicrosoftEdge Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' 
+ groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + InsecurePrivateNetworkRequestsAllowed = "0" + InternetExplorerIntegrationReloadInIEModeAllowed = "0" + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0" + InternetExplorerModeToolbarButtonEnabled = "0" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneSecurityBaselineMicrosoftEdge exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + InsecurePrivateNetworkRequestsAllowed = "0" + InternetExplorerIntegrationReloadInIEModeAllowed = "0" + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0" + InternetExplorerModeToolbarButtonEnabled = "1" # Drift + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + 
$Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPAdminDLPPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPAdminDLPPolicy.Tests.ps1 new file mode 100644 index 0000000000..84d3de716e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPAdminDLPPolicy.Tests.ps1 
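Review bot: The drift context ("exists and values are NOT in the desired state") flips only `InternetExplorerModeToolbarButtonEnabled = "1" # Drift`, so nothing in this file proves that Test-TargetResource notices a change to `InsecurePrivateNetworkRequestsAllowed`, the setting in this baseline whose drift actually relaxes a security control (the outer mock returns the `..._0` value for it). I would change the drift line to `InsecurePrivateNetworkRequestsAllowed = "1" # Drift`, or add a second drift context for that setting and keep the toolbar one. Separately, in the "exists but it SHOULD NOT" context the It is named `'Should return true from the Test method'` but asserts `Should -Be $false`; rename it to `'Should return false from the Test method'` as the first context does, and `'Should Create the group from the Set method'` creates a configuration policy, not a group. The ReverseDSC context only checks `$result | Should -Not -BeNullOrEmpty`, which any non-empty string satisfies; if the export emits the DSC block header as the other resources presumably do, `$result | Should -Match 'IntuneSecurityBaselineMicrosoftEdge'` would catch an export that serialises the wrong resource.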
@@ -0,0 +1,196 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName New-AdminDlpPolicy -MockWith {} + Mock -CommandName Set-AdminDlpPolicy -MockWith {} + Mock -CommandName Remove-AdminDlpPolicy -MockWith {} + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "SuperTest"; + Ensure = "Present"; + Environments = "Default-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"; + FilterType = "include"; + Credential = $Credential; + } + + Mock -CommandName 
Get-AdminDlpPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-AdminDLPPolicy -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "SuperTest"; + Ensure = "Absent"; + Environments = "Default-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"; + FilterType = "include"; + Credential = $Credential; + } + + Mock -CommandName Get-AdminDlpPolicy -MockWith { + return @{ + PolicyName = "MyPolicy" + DisplayName = "SuperTest" + Environments = @(@{ + name = 'Default-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx' + }) + FilterType = 'include' + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-AdminDlpPolicy -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "SuperTest"; + Ensure = "Present"; + Environments = "Default-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"; + FilterType = "include"; + Credential = $Credential; + } + + Mock -CommandName Get-AdminDlpPolicy -MockWith { + return @{ + PolicyName = "MyPolicy" + DisplayName = "SuperTest" + Environments = @(@{ + name = 'Default-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx' + }) + FilterType = 'include' + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The 
instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = "SuperTest"; + Ensure = "Present"; + Environments = "Default-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx"; + FilterType = "exclude"; #drift + Credential = $Credential; + } + + Mock -CommandName Get-AdminDlpPolicy -MockWith { + return @{ + PolicyName = "MyPolicy" + DisplayName = "SuperTest" + Environments = @(@{ + name = 'Default-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx' + }) + FilterType = 'include' + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-AdminDlpPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-AdminDlpPolicy -MockWith { + return @{ + PolicyName = "MyPolicy" + DisplayName = "SuperTest" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPDLPPolicyConnectorConfigurations.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPDLPPolicyConnectorConfigurations.Tests.ps1 new file mode 100644 index 0000000000..bfb5d25c7e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPDLPPolicyConnectorConfigurations.Tests.ps1 
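Review bot: The only drift exercised is `FilterType = "exclude"; #drift` against a mock returning `'include'`; the Environments list, which together with FilterType decides which environments the DLP policy applies to, is never driven out of state, so a resource that compares FilterType but ignores Environments would still pass this suite. I would add a second drift context where the Get mock returns an extra entry, e.g. `Environments = @(@{ name = 'Default-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx' }, @{ name = 'Other-Env' })`, and assert Test returns $false and Set-AdminDlpPolicy is invoked exactly once. The testParams pass Environments as a scalar string while the mock returns an array of hashtables with a `name` key, so the comparison presumably goes through a flattening step inside the resource; a one-line comment on the mock such as `# shape mirrors Get-AdminDlpPolicy output; the resource compares by .name` would save the next reader the guess. The ReverseDSC mock omits Environments and FilterType entirely, so the export path is not exercised with the fields every other context depends on.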
@@ -0,0 +1,231 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -commandName Remove-PowerAppDlpPolicyConnectorConfigurations -MockWith {} + Mock -commandName New-PowerAppDlpPolicyConnectorConfigurations -MockWith {} + Mock -commandName Get-TenantDetailsFromGraph -MockWith { + return @{ + TenantId = 'xxxxxxx' + } + } + Mock -commandName Get-AdminDlpPolicy -MockWith { + return @{ + PolicyName = 'DSCPolicy' + DisplayName = 'DSCPolicy' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists but it SHOULD NOT" -Fixture { + 
BeforeAll { + $testParams = @{ + ConnectorActionConfigurations = + (New-CimInstance -ClassName 'MSFT_PPDLPPolicyConnectorConfigurationsAction' -Property @{ + actionRules = (New-CimInstance -ClassName 'MSFT_PPDLPPolicyConnectorConfigurationsActionRules' -Property @{ + actionId = 'CreateInvitation' + behavior = 'Block' + } -ClientOnly) + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + } -ClientOnly) + PolicyName = "DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-PowerAppDlpPolicyConnectorConfigurations -MockWith { + return @{ + connectorActionConfigurations = @( + @{ + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + actionRules = @( + @{ + actionId = 'CreateInvitation' + behavior = 'Allow' + } + ) + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-PowerAppDlpPolicyConnectorConfigurations -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ConnectorActionConfigurations = + (New-CimInstance -ClassName 'MSFT_PPDLPPolicyConnectorConfigurationsAction' -Property @{ + actionRules = (New-CimInstance -ClassName 'MSFT_PPDLPPolicyConnectorConfigurationsActionRules' -Property @{ + actionId = 'CreateInvitation' + behavior = 'Block' + } -ClientOnly) + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + } -ClientOnly) + PolicyName = 
"DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-PowerAppDlpPolicyConnectorConfigurations -MockWith { + return @{ + connectorActionConfigurations = @( + @{ + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + actionRules = @( + @{ + actionId = 'CreateInvitation' + behavior = 'Block' + } + ) + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ConnectorActionConfigurations = + (New-CimInstance -ClassName 'MSFT_PPDLPPolicyConnectorConfigurationsAction' -Property @{ + actionRules = (New-CimInstance -ClassName 'MSFT_PPDLPPolicyConnectorConfigurationsActionRules' -Property @{ + actionId = 'CreateInvitation' + behavior = 'Block' + } -ClientOnly) + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + } -ClientOnly) + PolicyName = "DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-PowerAppDlpPolicyConnectorConfigurations -MockWith { + return @{ + connectorActionConfigurations = @( + @{ + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + actionRules = @( + @{ + actionId = 'CreateInvitation' + behavior = 'Allow' #Drift + } + ) + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should 
-Invoke -CommandName New-PowerAppDlpPolicyConnectorConfigurations -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-PowerAppDlpPolicyConnectorConfigurations -MockWith { + return @{ + connectorActionConfigurations = @( + @{ + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + actionRules = @( + @{ + actionId = 'CreateInvitation' + behavior = 'Block' #Drift + } + ) + } + ) + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPPowerAppPolicyUrlPatterns.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPPowerAppPolicyUrlPatterns.Tests.ps1 new file mode 100644 index 0000000000..0c69d915a5 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.PPPowerAppPolicyUrlPatterns.Tests.ps1 
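Review bot: This suite has no "should exist but it DOES NOT" context: every Get-PowerAppDlpPolicyConnectorConfigurations mock returns a populated object, so the creation path (Ensure = 'Present' with no existing configuration) is never tested, unlike the sibling PPAdminDLPPolicy and Intune suites. I would add a context that mocks `Get-PowerAppDlpPolicyConnectorConfigurations` to `return $null`, asserts `(Get-TargetResource @testParams).Ensure | Should -Be 'Absent'`, that Test returns $false, and that Set invokes New-PowerAppDlpPolicyConnectorConfigurations exactly once. The drift context only changes `behavior = 'Allow' #Drift` on the single action rule; `defaultConnectorActionRuleBehavior`, the fallback applied to every action not listed, is never driven out of state, and a default silently flipping from Block to Allow is the more damaging drift for a connector DLP rule. The `#Drift` comment on `behavior = 'Block'` in the ReverseDSC mock is misleading, since nothing drifts in an export context; drop it. The testParams hard-code `PPTenantId = "e91d4e0e-..."` while Get-TenantDetailsFromGraph is mocked to `TenantId = 'xxxxxxx'`; if the resource derives the tenant from the latter, the explicit parameter is effectively untested here, which is worth confirming.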
@@ -0,0 +1,241 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -commandName Remove-PowerAppPolicyUrlPatterns -MockWith {} + Mock -commandName Get-PowerAppPolicyUrlPatterns -MockWith {} + Mock -commandName New-PowerAppPolicyUrlPatterns -MockWith {} + Mock -commandName Get-TenantDetailsFromGraph -MockWith { + return @{ + TenantId = 'xxxxxxx' + } + } + Mock -commandName Get-AdminDlpPolicy -MockWith { + return @{ + PolicyName = 'DSCPolicy' + DisplayName = 'DSCPolicy' + } + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance exists but it 
SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + PolicyName = "DSCPolicy"; + PPTenantId = "xxxxxxx"; + RuleSet = @( + (New-CimInstance -ClassName MSFT_PPPowerAPpPolicyUrlPatternsRule -Property @{ + pattern = 'https://contoso.com' + customConnectorRuleClassification = 'General' + order = 1 + } -ClientOnly) + (New-CimInstance -ClassName MSFT_PPPowerAPpPolicyUrlPatternsRule -Property @{ + pattern = 'https://fabrikam.com' + customConnectorRuleClassification = 'General' + order = 2 + } -ClientOnly) + ) + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-PowerAppPolicyUrlPatterns -MockWith { + return @{ + rules = @( + @{ + pattern = 'https://contoso.com' + customConnectorRuleClassification = 'General' + order = 1 + }, + @{ + pattern = 'https://fabrikam.com' + customConnectorRuleClassification = 'General' + order = 2 + } + ) + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-PowerAppPolicyUrlPatterns -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + PolicyName = "DSCPolicy"; + PPTenantId = "xxxxxxx"; + RuleSet = @( + (New-CimInstance -ClassName MSFT_PPPowerAPpPolicyUrlPatternsRule -Property @{ + pattern = 'https://contoso.com' + customConnectorRuleClassification = 'General' + order = 1 + } -ClientOnly) + (New-CimInstance -ClassName MSFT_PPPowerAPpPolicyUrlPatternsRule -Property @{ + pattern = 'https://fabrikam.com' + customConnectorRuleClassification = 'General' + order = 2 + } -ClientOnly) + ) + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-PowerAppPolicyUrlPatterns -MockWith { + return @{ + rules = 
@( + @{ + pattern = 'https://contoso.com' + customConnectorRuleClassification = 'General' + order = 1 + }, + @{ + pattern = 'https://fabrikam.com' + customConnectorRuleClassification = 'General' + order = 2 + } + ) + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + PolicyName = "DSCPolicy"; + PPTenantId = "xxxxxxx"; + RuleSet = @( + (New-CimInstance -ClassName MSFT_PPPowerAPpPolicyUrlPatternsRule -Property @{ + pattern = 'https://contoso.com' + customConnectorRuleClassification = 'General' + order = 1 + } -ClientOnly) + (New-CimInstance -ClassName MSFT_PPPowerAPpPolicyUrlPatternsRule -Property @{ + pattern = 'https://tailspintoys.com' #drift + customConnectorRuleClassification = 'General' + order = 2 + } -ClientOnly) + ) + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-PowerAppPolicyUrlPatterns -MockWith { + return @{ + rules = @( + @{ + pattern = 'https://contoso.com' + customConnectorRuleClassification = 'General' + order = 1 + }, + @{ + pattern = 'https://fabrikam.com' + customConnectorRuleClassification = 'General' + order = 2 + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-PowerAppPolicyUrlPatterns -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-PowerAppPolicyUrlPatterns -MockWith { + return @{ + rules = @( + @{ + pattern = 
'https://contoso.com'
+ customConnectorRuleClassification = 'General'
+ order = 1
+ },
+ @{
+ pattern = 'https://fabrikam.com'
+ customConnectorRuleClassification = 'General'
+ order = 2
+ }
+ )
+ }
+ }
+ }
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1
index af684909f3..816dc46565 100644
--- a/Tests/Unit/Stubs/Microsoft365.psm1
+++ b/Tests/Unit/Stubs/Microsoft365.psm1
@@ -18,6 +18,18 @@ function Invoke-AzRest } #endregion
+function Get-MgBetaPolicyDeviceRegistrationPolicy
+{
+ [CmdletBinding()]
+ param()
+}
+
+function Get-MgBetaPolicyAdminConsentRequestPolicy
+{
+ [CmdletBinding()]
+ param()
+}
+
 #region Microsoft.Graph.Beta.Applications function Get-MgBetaApplication {
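Review bot: In the "NOT in the desired state" context of Microsoft365DSC.PPPowerAppPolicyUrlPatterns.Tests.ps1 the Set assertion is only `Should -Invoke -CommandName New-PowerAppPolicyUrlPatterns -Exactly 1`, so a Set-TargetResource that re-pushes the stale rule set, or an empty one, still passes; for a DLP URL-pattern policy the value written is the security-relevant part, so add a `-ParameterFilter` that checks the drifted pattern actually reaches the call, e.g. `-ParameterFilter { $RuleSet.pattern -contains 'https://tailspintoys.com' }` (adjust to whatever parameter name the resource passes), and likewise filter the Remove call in the Absent context on `PolicyName -eq 'DSCPolicy'`. The CIM class name `MSFT_PPPowerAPpPolicyUrlPatternsRule` has unusual casing; `New-CimInstance -ClientOnly` does not validate it against the MOF, so confirm it matches the schema class (presumably `MSFT_PPPowerAppPolicyUrlPatternsRule`) before relying on it. There is also no context for a reorder-only drift (same two patterns with `order` swapped), which would be worth covering if rule order affects evaluation.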
@@ -3356,6 +3368,282 @@ function Remove-MgBetaRoleManagementEntitlementManagementRoleAssignment ) }
+function Get-MigrationEndpoint
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.String]
+ $DiagnosticInfo,
+
+ [Parameter()]
+ [System.Object]
+ $Type,
+
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.Object]
+ $Partition
+ )
+}
+
+function Set-MigrationEndpoint
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.Boolean]
+ $AcceptUntrustedCertificates,
+
+ [Parameter()]
+ [System.Object]
+ $MaxConcurrentMigrations,
+
+ [Parameter()]
+ [System.Byte[]]
+ $ServiceAccountKeyFileData,
+
+ [Parameter()]
+ [System.Object]
+ $TestMailbox,
+
+ [Parameter()]
+ [System.String]
+ $ExchangeServer,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $SkipVerification,
+
+ [Parameter()]
+ [System.Object]
+ $Authentication,
+
+ [Parameter()]
+ [System.String]
+ $AppSecretKeyVaultUrl,
+
+ [Parameter()]
+ [System.Object]
+ $Port,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.Object]
+ $RemoteServer,
+
+ [Parameter()]
+ [System.Object]
+ $Partition,
+
+ [Parameter()]
+ [System.Object]
+ $MailboxPermission,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Confirm,
+
+ [Parameter()]
+ [System.String]
+ $SourceMailboxLegacyDN,
+
+ [Parameter()]
+ [System.String]
+ $NspiServer,
+
+ [Parameter()]
+ [System.Object]
+ $RPCProxyServer,
+
+ [Parameter()]
+ [System.String]
+ $PublicFolderDatabaseServerLegacyDN,
+
+ [Parameter()]
+ [System.Object]
+ $Security,
+
+ [Parameter()]
+ [System.Object]
+ $MaxConcurrentIncrementalSyncs,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credentials
+ )
+}
+
+function New-MigrationEndpoint
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $AcceptUntrustedCertificates,
+
+ [Parameter()]
+ [System.String]
+ $Name,
+
+ 
[Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $ExchangeRemoteMove,
+
+ [Parameter()]
+ [System.Object]
+ $MaxConcurrentMigrations,
+
+ [Parameter()]
+ [System.Byte[]]
+ $ServiceAccountKeyFileData,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $PublicFolder,
+
+ [Parameter()]
+ [System.Object]
+ $TestMailbox,
+
+ [Parameter()]
+ [System.String]
+ $ExchangeServer,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $SkipVerification,
+
+ [Parameter()]
+ [System.Object]
+ $Authentication,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $ExchangeOutlookAnywhere,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Gmail,
+
+ [Parameter()]
+ [System.String]
+ $AppSecretKeyVaultUrl,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Compliance,
+
+ [Parameter()]
+ [System.Int32]
+ $Port,
+
+ [Parameter()]
+ [System.Security.SecureString]
+ $OAuthCode,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.Object]
+ $RemoteServer,
+
+ [Parameter()]
+ [System.Object]
+ $Partition,
+
+ [Parameter()]
+ [System.Object]
+ $MailboxPermission,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Confirm,
+
+ [Parameter()]
+ [System.String]
+ $SourceMailboxLegacyDN,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $IMAP,
+
+ [Parameter()]
+ [System.String]
+ $RemoteTenant,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $PublicFolderToUnifiedGroup,
+
+ [Parameter()]
+ [System.String]
+ $NspiServer,
+
+ [Parameter()]
+ [System.String]
+ $RedirectUri,
+
+ [Parameter()]
+ [System.Object]
+ $RPCProxyServer,
+
+ [Parameter()]
+ [System.Object]
+ $EmailAddress,
+
+ [Parameter()]
+ [System.Object]
+ $Security,
+
+ [Parameter()]
+ [System.Object]
+ $MaxConcurrentIncrementalSyncs,
+
+ [Parameter()]
+ [System.String]
+ $PublicFolderDatabaseServerLegacyDN,
+
+ [Parameter()]
+ 
[System.Management.Automation.PSCredential]
+ $Credentials,
+
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Autodiscover
+ )
+}
+
+function Remove-MigrationEndpoint
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.Management.Automation.SwitchParameter]
+ $Confirm,
+
+ [Parameter()]
+ [System.Object]
+ $Identity,
+
+ [Parameter()]
+ [System.Object]
+ $Partition
+ )
+}
+
 function Set-ManagementRoleEntry { [CmdletBinding()]
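Review bot: The `Set-MigrationEndpoint` stub types `$AcceptUntrustedCertificates` as `[System.Boolean]` while the `New-MigrationEndpoint` stub types the same parameter as `[System.Management.Automation.SwitchParameter]`, and `$Port` is `[System.Object]` in Set but `[System.Int32]` in New; a stub that binds differently from the live Exchange Online cmdlet lets the unit tests pass while the resource mis-binds or fails at runtime. By its name this parameter makes the endpoint accept untrusted TLS certificates, so it is the one whose binding must be exact: confirm the real Set/New signatures and align both stubs (for example change Set's `[System.Boolean]` to `[System.Management.Automation.SwitchParameter]` if that is what the cmdlet exposes, or the reverse). While here, `Set-MigrationEndpoint` lists `$Confirm` as a switch although the stub has no `SupportsShouldProcess`; that is harmless for a stub but worth a one-line comment so nobody "fixes" it into a common parameter.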
@@ -19059,137 +19347,409 @@ function Get-MgBetaDeviceManagementGroupPolicyConfigurationAssignment $HttpPipelineAppend ) } -function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValue + +function New-MgBetaDeviceManagementDerivedCredential { + + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $HelpUrl, + + [Parameter()] + [ValidateSet('intercede', 'entrustData', 'purebred')] + [System.String] + $Issuer, + + [Parameter()] + [ValidateSet('none', 'email', 'companyPortal')] + [System.String] + $NotificationType = 'none' + ) +} + +function Get-MgBetaDeviceManagementDerivedCredential { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $DeviceManagementDerivedCredentialSettingsId, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $HelpUrl, + + [Parameter()] + [ValidateSet('intercede', 'entrustData', 'purebred')] + [System.String] + $Issuer, + + [Parameter()] + [ValidateSet('none', 'email', 'companyPortal')] + [System.String] + $NotificationType = 'none' + ) +} + +function Remove-MgBetaDeviceManagementDerivedCredential { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.String] + $DeviceManagementDerivedCredentialSettingsId, [Parameter()] - [PSObject] - $InputObject, + [System.Boolean] + $Confirm + ) +} +function New-MgBetaDeviceAppManagementMobileApp { + [CmdletBinding()] + param ( [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $DeviceManagementDerivedCredentialSettingsId, [Parameter()] - [System.Int32] - $PageSize, + [System.String] + $DisplayName, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $Description, [Parameter()] [System.String] - $GroupPolicyDefinitionValueId, + $Developer, [Parameter()] - [System.Int32] - $Skip, + [System.String] + $InformationUrl, [Parameter()] 
- [System.Int32] - $Top, + [System.Boolean] + $IsFeatured, [Parameter()] [System.String] - $CountVariable, + $Notes, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $Owner, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + [ValidateSet('notPublished', 'processing','published')] + $PublishingState, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $ChildApps, [Parameter()] [System.String[]] - $Sort, + $RoleScopeTagIds + ) +} +function Get-MgBetaDeviceAppManagementMobileApp { + [CmdletBinding()] + param ( [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [System.String] + $MobileAppId, [Parameter()] [System.String] - $Filter, + $DisplayName, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $Description, [Parameter()] [System.String] - $Search, + $Developer, [Parameter()] [System.String] - $GroupPolicyConfigurationId, + $InformationUrl, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.Boolean] + $IsFeatured, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Boolean] + $IgnoreVersionDetection, [Parameter()] - [PSObject] - $HttpPipelineAppend + [System.String] + $Notes, + + [Parameter()] + [System.String] + $Owner, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + [ValidateSet('notPublished', 'processing','published')] + $PublishingState, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds ) } -function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValueDefinition -{ +function Update-MgBetaDeviceAppManagementMobileApp { 
[CmdletBinding()] - param( + param ( [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $MobileAppId, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $DisplayName, [Parameter()] [System.String] - $GroupPolicyDefinitionValueId, + $Description, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $Developer, [Parameter()] - [PSObject] - $InputObject, + [System.String] + $InformationUrl, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Boolean] + $IsFeatured, [Parameter()] [System.String] - $GroupPolicyConfigurationId, + $Notes, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.String] + $Owner, [Parameter()] - [System.String[]] - $Property, + [System.String] + $PrivacyInformationUrl, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.String] + $Publisher, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break + [System.String] + [ValidateSet('notPublished', 'processing','published')] + $PublishingState, + + [Parameter()] + [System.Object[]] + $Categories, + + [Parameter()] + [System.Object[]] + $Assignments, + + [Parameter()] + [System.Object[]] + $ChildApps, + + [Parameter()] + [System.Object[]] + $RoleScopeTagIds ) } -function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValuePresentationValue + +function Remove-MgBetaDeviceAppManagementMobileApp { + [CmdletBinding()] + param ( + [Parameter()] + [System.String] + $MobileAppId, + + [Parameter()] + [System.Boolean] + $Confirm + ) +} + +function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValue +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + 
+ [Parameter()] + [System.String] + $GroupPolicyDefinitionValueId, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $GroupPolicyConfigurationId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValueDefinition +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String] + $GroupPolicyDefinitionValueId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String] + $GroupPolicyConfigurationId, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Get-MgBetaDeviceManagementGroupPolicyConfigurationDefinitionValuePresentationValue { [CmdletBinding()] param( 
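Review bot: `New-MgBetaDeviceAppManagementMobileApp` declares `$DeviceManagementDerivedCredentialSettingsId` as its first parameter, which looks like a copy-paste from the `*-MgBetaDeviceManagementDerivedCredential` stubs directly above; the sibling `Get-`, `Update-` and `Remove-MgBetaDeviceAppManagementMobileApp` stubs use `$MobileAppId`, so a resource that splats an id into New would bind here in tests and presumably not against the real cmdlet. Remove that parameter (or replace it with whatever id the real New cmdlet takes) so the stub cannot mask a runtime binding error. Separately, `$Categories`, `$Assignments` and `$ChildApps` are `[Microsoft.Management.Infrastructure.CimInstance[]]` in New but `[System.Object[]]` in Update, and `$RoleScopeTagIds` is `[System.String[]]` in New/Get but `[System.Object[]]` in Update; pick one typing per parameter so the stubs exercise the same conversions the resource will hit in both paths.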
@@ -30572,50 +31132,14 @@ function Get-MgBetaEntitlementManagementConnectedOrganizationInternalSponsor $HttpPipelineAppend ) } -function Get-MgBetaRoleManagementDirectory -{ - [CmdletBinding()] - param( - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $HttpPipelineAppend, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break - ) -} -function Get-MgBetaRoleManagementDirectoryRoleAssignment +function Get-MgBetaIdentityGovernanceLifecycleWorkflow { [CmdletBinding()] param( [Parameter()] [System.String] - $UnifiedRoleAssignmentId, + $WorkflowId, [Parameter()] [System.String[]] 
@@ -30673,82 +31197,9 @@ function Get-MgBetaRoleManagementDirectoryRoleAssignment [System.String] $Search, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [PSObject] - $HttpPipelineAppend - ) -} -function Get-MgBetaRoleManagementDirectoryRoleDefinition -{ - [CmdletBinding()] - param( - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - [Parameter()] [System.String] - $UnifiedRoleDefinitionId, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.String] - $Search, + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -30758,99 +31209,34 @@ function Get-MgBetaRoleManagementDirectoryRoleDefinition [System.String[]] $ExpandProperty, + [Parameter()] + [System.Collections.IDictionary] + $Headers, + [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule +function Get-MgBetaIdentityGovernanceLifecycleWorkflowTask { [CmdletBinding()] param( - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $CountVariable, - - [Parameter()] - [System.Uri] - $Proxy, - [Parameter()] [System.String] - $UnifiedRoleEligibilityScheduleId, + $WorkflowId, [Parameter()] [System.String[]] - $Sort, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, - - [Parameter()] - [System.String] - $Filter, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + $Property, [Parameter()] [System.String] - $Search, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String[]] - $ExpandProperty, + $TaskId, [Parameter()] [PSObject] - $HttpPipelineAppend - ) -} -function Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -{ - [CmdletBinding()] - param( - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [System.String] - $UnifiedRoleEligibilityScheduleRequestId, + $InputObject, [Parameter()] [System.Management.Automation.SwitchParameter] @@ -30868,10 +31254,6 @@ function Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest [System.Int32] $Skip, - [Parameter()] - [PSObject] - $InputObject, - [Parameter()] [System.Int32] $Top, 
@@ -30904,6 +31286,10 @@ function Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest [System.String] $Search, + [Parameter()] + [System.String] + $ResponseHeadersVariable, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -30912,22 +31298,30 @@ function Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest [System.String[]] $ExpandProperty, + [Parameter()] + [System.Collections.IDictionary] + $Headers, + [Parameter()] [PSObject] $HttpPipelineAppend ) } -function New-MgBetaEntitlementManagementAccessPackage +function New-MgBetaIdentityGovernanceLifecycleWorkflow { [CmdletBinding()] param( + [Parameter()] + [System.String] + $DisplayName, + [Parameter()] [System.String] $Description, [Parameter()] - [PSObject] - $AccessPackagesIncompatibleWith, + [System.DateTime] + $LastModifiedDateTime, [Parameter()] [System.DateTime] @@ -30935,31 +31329,35 @@ function New-MgBetaEntitlementManagementAccessPackage [Parameter()] [PSObject] - $IncompatibleGroups, + $TaskReports, [Parameter()] - [System.String] - $DisplayName, + [System.DateTime] + $NextScheduleRunDateTime, [Parameter()] - [PSObject] - $AccessPackageCatalog, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] - [System.String] - $CatalogId, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] - [System.DateTime] - $ModifiedDateTime, + [System.Collections.Hashtable] + $ExecutionConditions, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [PSObject] + $Runs, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [PSObject] + $Versions, + + [Parameter()] + [System.Int32] + $Version, [Parameter()] [PSObject] 
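Review bot: The `@@ -30912,22 +31298,30 @@` hunk replaces the `New-MgBetaEntitlementManagementAccessPackage` stub with `New-MgBetaIdentityGovernanceLifecycleWorkflow` rather than adding the new stub beside it, and nothing in view re-adds the removed entitlement-management stub; if this is a regenerated, re-sorted stub file that is fine, but please confirm `New-MgBetaEntitlementManagementAccessPackage` (and the `*AccessPackageAssignment*`/`*AccessPackageCatalog*` stubs removed in the following hunks) still exist elsewhere in `Tests/Unit/Stubs/Microsoft365.psm1`, otherwise the existing AADEntitlementManagement* unit tests lose their mocks. The new `New-MgBetaIdentityGovernanceLifecycleWorkflow` stub also exposes server-computed properties such as `$LastModifiedDateTime`, `$NextScheduleRunDateTime` and `$Version` as parameters; a short comment noting they are present only to mirror the generated cmdlet and must not be set by the resource would help the next reader. The enclosing function continues into the following hunks.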
@@ -30967,15 +31365,23 @@ function New-MgBetaEntitlementManagementAccessPackage [Parameter()] [PSObject] - $AccessPackageAssignmentPolicies, + $UserProcessingResults, [Parameter()] - [System.String] + [PSObject] $CreatedBy, [Parameter()] - [System.Management.Automation.SwitchParameter] - $IsRoleScopesVisible, + [PSObject] + $ExecutionScope, + + [Parameter()] + [System.String] + $Category, + + [Parameter()] + [PSObject] + $LastModifiedBy, [Parameter()] [System.Uri] @@ -30983,15 +31389,15 @@ function New-MgBetaEntitlementManagementAccessPackage [Parameter()] [PSObject] - $BodyParameter, + $Tasks, [Parameter()] [System.String] $Id, [Parameter()] - [PSObject] - $IncompatibleAccessPackages, + [System.Management.Automation.SwitchParameter] + $IsSchedulingEnabled, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -30999,60 +31405,52 @@ function New-MgBetaEntitlementManagementAccessPackage [Parameter()] [PSObject] - $AccessPackageResourceRoleScopes, + $BodyParameter, [Parameter()] [System.Management.Automation.PSCredential] $ProxyCredential, + [Parameter()] + [System.DateTime] + $DeletedDateTime, + [Parameter()] [System.String] - $ModifiedBy, + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.Management.Automation.SwitchParameter] + $IsEnabled, [Parameter()] - [System.Management.Automation.SwitchParameter] - $IsHidden + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend ) } -function New-MgBetaEntitlementManagementAccessPackageAssignment +function New-MgBetaIdentityGovernanceLifecycleWorkflowNewVersion { [CmdletBinding()] param( - [Parameter()] - [System.String] - $Justification, - - [Parameter()] - [System.String[]] - $RequiredUserId, - [Parameter()] [PSObject] - $Answers, + $HttpPipelinePrepend, [Parameter()] [PSObject] - $ExistingAssignment, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Management.Automation.PSObject[]] - $RequiredGroupMember, + $BodyParameter, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.Uri] + $Proxy, [Parameter()] [System.Management.Automation.PSCredential] 
@@ -31060,201 +31458,186 @@ function New-MgBetaEntitlementManagementAccessPackageAssignment [Parameter()] [System.String] - $AccessPackageId, + $WorkflowId, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, [Parameter()] - [System.String] - $StartDate, + [PSObject] + $HttpPipelineAppend, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.String] - $AssignmentPolicyId, + $ProxyUseDefaultCredentials, [Parameter()] [PSObject] - $HttpPipelineAppend - ) -} -function New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy -{ - [CmdletBinding()] - param( - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.DateTime] - $CreatedDateTime, + $Workflow, [Parameter()] - [System.String] - $DisplayName, + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] - $CustomExtensionStageSettings, + $InputObject, [Parameter()] - [PSObject] - $AccessPackageCatalog, + [System.Collections.Hashtable] + $AdditionalProperties, + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Remove-MgBetaIdentityGovernanceLifecycleWorkflow +{ + [CmdletBinding()] + param( [Parameter()] [PSObject] - $Questions, + $HttpPipelinePrepend, [Parameter()] - [System.DateTime] - $ModifiedDateTime, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [System.Uri] + $Proxy, [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $PassThru, [Parameter()] [System.String] - $AccessPackageId, + $IfMatch, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $WorkflowId, [Parameter()] - [PSObject] - $AccessReviewSettings, + [System.String] + $ResponseHeadersVariable, [Parameter()] - [System.String] - $CreatedBy, + 
[System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] [PSObject] - $RequestorSettings, + $HttpPipelineAppend, [Parameter()] [System.Management.Automation.SwitchParameter] - $CanExtend, + $ProxyUseDefaultCredentials, [Parameter()] - [PSObject] - $VerifiableCredentialSettings, + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] - $CustomExtensionHandlers, + $InputObject, [Parameter()] - [System.Int32] - $DurationInDays, + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Update-MgBetaIdentityGovernanceLifecycleWorkflow +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $Id, + $DisplayName, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $Description, [Parameter()] [System.DateTime] - $ExpirationDateTime, + $LastModifiedDateTime, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.String] + $WorkflowId, [Parameter()] - [PSObject] - $RequestApprovalSettings, + [System.DateTime] + $CreatedDateTime, [Parameter()] [PSObject] - $AccessPackage, + $TaskReports, [Parameter()] - [PSObject] - $BodyParameter, + [System.DateTime] + $NextScheduleRunDateTime, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [PSObject] + $InputObject, [Parameter()] - [System.String] - $ModifiedBy, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, + $ProxyUseDefaultCredentials, [Parameter()] - [PSObject] - $HttpPipelineAppend - ) -} -function New-MgBetaEntitlementManagementAccessPackageCatalog -{ - [CmdletBinding()] - param( - [Parameter()] - [System.Management.Automation.SwitchParameter] - $IsExternallyVisible, + [System.Collections.Hashtable] + $ExecutionConditions, [Parameter()] [PSObject] - $AccessPackageCustomWorkflowExtensions, + $Runs, [Parameter()] - [System.DateTime] - $CreatedDateTime, - - [Parameter()] - [System.String] - $DisplayName, + [PSObject] + $Versions, 
[Parameter()] - [System.DateTime] - $ModifiedDateTime, + [System.Int32] + $Version, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [PSObject] + $HttpPipelinePrepend, [Parameter()] - [System.String] - $Description, + [PSObject] + $UserProcessingResults, [Parameter()] [PSObject] - $AccessPackages, + $CreatedBy, [Parameter()] [PSObject] - $HttpPipelinePrepend, + $ExecutionScope, [Parameter()] [System.String] - $CreatedBy, + $Category, [Parameter()] [PSObject] - $AccessPackageResourceScopes, + $LastModifiedBy, [Parameter()] [System.Uri] @@ -31262,7 +31645,7 @@ function New-MgBetaEntitlementManagementAccessPackageCatalog [Parameter()] [PSObject] - $BodyParameter, + $Tasks, [Parameter()] [System.String] 
@@ -31270,226 +31653,214 @@ function New-MgBetaEntitlementManagementAccessPackageCatalog [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, + $IsSchedulingEnabled, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] [PSObject] - $AccessPackageResources, + $BodyParameter, [Parameter()] - [System.String] - $ModifiedBy, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [PSObject] - $CustomAccessPackageWorkflowExtensions, + [System.DateTime] + $DeletedDateTime, [Parameter()] [System.String] - $CatalogStatus, + $ResponseHeadersVariable, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [PSObject] - $AccessPackageResourceRoles, - - [Parameter()] - [System.String] - $CatalogType, + [System.Management.Automation.SwitchParameter] + $IsEnabled, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Collections.IDictionary] + $Headers, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function New-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef +function Get-MgBetaRoleManagementDirectory { [CmdletBinding()] param( - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - [Parameter()] [PSObject] $HttpPipelinePrepend, - [Parameter()] - [PSObject] - $BodyParameter, - [Parameter()] [System.Uri] $Proxy, + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + [Parameter()] [System.Management.Automation.SwitchParameter] - $PassThru, + $ProxyUseDefaultCredentials, [Parameter()] - [PSObject] - $InputObject, + [System.String[]] + $ExpandProperty, [Parameter()] - [System.String] - $OdataId, + [System.String[]] + $Property, [Parameter()] [PSObject] $HttpPipelineAppend, - [Parameter()] - [System.String] - $AccessPackageId, - [Parameter()] 
[System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Break + ) +} +function Get-MgBetaRoleManagementDirectoryRoleAssignment +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $UnifiedRoleAssignmentId, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.String[]] + $Property, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [PSObject] + $InputObject, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break - ) -} -function New-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef -{ - [CmdletBinding()] - param( + $ProxyUseDefaultCredentials, + [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Int32] + $PageSize, [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [PSObject] - $BodyParameter, + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [System.String[]] + $Sort, [Parameter()] - [PSObject] - $InputObject, + [System.Management.Automation.SwitchParameter] + $All, [Parameter()] [System.String] - $OdataId, + $Filter, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.String] - $AccessPackageId, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Search, [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, + $Break, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [System.String[]] + $ExpandProperty, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break + [PSObject] + $HttpPipelineAppend ) } -function New-MgBetaEntitlementManagementAccessPackageResourceRequest +function Get-MgBetaRoleManagementDirectoryRoleDefinition 
{ [CmdletBinding()] param( [Parameter()] - [System.String] - $Justification, + [System.String[]] + $Property, [Parameter()] [PSObject] - $AccessPackageResource, + $InputObject, [Parameter()] [System.Management.Automation.SwitchParameter] - $ExecuteImmediately, + $ProxyUseDefaultCredentials, [Parameter()] - [System.String] - $CatalogId, + [System.Int32] + $PageSize, [Parameter()] [System.String] - $RequestType, - - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $UnifiedRoleDefinitionId, [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [PSObject] - $Requestor, + [System.Int32] + $Skip, [Parameter()] - [System.Management.Automation.SwitchParameter] - $IsValidationOnly, + [System.Int32] + $Top, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $CountVariable, [Parameter()] - [PSObject] - $BodyParameter, + [System.Uri] + $Proxy, [Parameter()] - [System.String] - $Id, + [System.String[]] + $Sort, [Parameter()] - [System.DateTime] - $ExpirationDateTime, + [System.Management.Automation.SwitchParameter] + $All, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.String] + $Filter, [Parameter()] [System.Management.Automation.PSCredential] 
@@ -31497,80 +31868,76 @@ function New-MgBetaEntitlementManagementAccessPackageResourceRequest [Parameter()] [System.String] - $RequestState, - - [Parameter()] - [System.String] - $RequestStatus, + $Search, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, + [Parameter()] + [System.String[]] + $ExpandProperty, + [Parameter()] [PSObject] $HttpPipelineAppend ) } -function New-MgBetaEntitlementManagementAccessPackageResourceRoleScope +function Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule { [CmdletBinding()] param( [Parameter()] - [System.DateTime] - $CreatedDateTime, - - [Parameter()] - [System.DateTime] - $ModifiedDateTime, + [System.String[]] + $Property, [Parameter()] [PSObject] $InputObject, - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, - [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, + [Parameter()] + [System.Int32] + $PageSize, + [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.String] - $CreatedBy, + [System.Int32] + $Skip, [Parameter()] - [PSObject] - $AccessPackageResourceScope, + [System.Int32] + $Top, [Parameter()] [System.String] - $AccessPackageId, + $CountVariable, [Parameter()] - [PSObject] - $BodyParameter, + [System.Uri] + $Proxy, [Parameter()] [System.String] - $Id, + $UnifiedRoleEligibilityScheduleId, [Parameter()] - [System.Uri] - $Proxy, + [System.String[]] + $Sort, [Parameter()] - [PSObject] - $AccessPackageResourceRole, + [System.Management.Automation.SwitchParameter] + $All, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.String] + $Filter, [Parameter()] [System.Management.Automation.PSCredential] 
@@ -31578,84 +31945,76 @@ function New-MgBetaEntitlementManagementAccessPackageResourceRoleScope [Parameter()] [System.String] - $ModifiedBy, + $Search, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [PSObject] - $HttpPipelineAppend - ) + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) } -function New-MgBetaEntitlementManagementConnectedOrganization +function Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest { [CmdletBinding()] param( [Parameter()] - [PSObject] - $ExternalSponsors, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.DateTime] - $CreatedDateTime, + [System.String[]] + $Property, [Parameter()] [System.String] - $DisplayName, - - [Parameter()] - [System.DateTime] - $ModifiedDateTime, - - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + $UnifiedRoleEligibilityScheduleRequestId, [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, + [Parameter()] + [System.Int32] + $PageSize, + [Parameter()] [PSObject] $HttpPipelinePrepend, + [Parameter()] + [System.Int32] + $Skip, + [Parameter()] [PSObject] - $IdentitySources, + $InputObject, [Parameter()] - [System.String] - $State, + [System.Int32] + $Top, [Parameter()] [System.String] - $CreatedBy, + $CountVariable, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [PSObject] - $BodyParameter, - - [Parameter()] - [System.String] - $Id, + [System.String[]] + $Sort, [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, + $All, [Parameter()] - [PSObject] - $InternalSponsors, + [System.String] + $Filter, [Parameter()] [System.Management.Automation.PSCredential] 
@@ -31663,68 +32022,56 @@ function New-MgBetaEntitlementManagementConnectedOrganization [Parameter()] [System.String] - $ModifiedBy, - - [Parameter()] - [System.String] - $DomainName, + $Search, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, + [Parameter()] + [System.String[]] + $ExpandProperty, + [Parameter()] [PSObject] $HttpPipelineAppend ) } -function New-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorByRef +function New-MgBetaEntitlementManagementAccessPackage { [CmdletBinding()] param( [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $Description, [Parameter()] [PSObject] - $BodyParameter, - - [Parameter()] - [System.Uri] - $Proxy, + $AccessPackagesIncompatibleWith, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [System.DateTime] + $CreatedDateTime, [Parameter()] [PSObject] - $InputObject, + $IncompatibleGroups, [Parameter()] [System.String] - $OdataId, + $DisplayName, [Parameter()] [PSObject] - $HttpPipelineAppend, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $AccessPackageCatalog, [Parameter()] [System.String] - $ConnectedOrganizationId, + $CatalogId, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.DateTime] + $ModifiedDateTime, [Parameter()] [System.Collections.Hashtable] @@ -31732,16 +32079,7 @@ function New-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorByRe [Parameter()] [System.Management.Automation.SwitchParameter] - $Break - ) -} -function New-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorByRef -{ - [CmdletBinding()] - param( - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + $ProxyUseDefaultCredentials, [Parameter()] [PSObject] 
@@ -31749,139 +32087,127 @@ function New-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorByRe [Parameter()] [PSObject] - $BodyParameter, + $AccessPackageAssignmentPolicies, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $CreatedBy, [Parameter()] [System.Management.Automation.SwitchParameter] - $PassThru, + $IsRoleScopesVisible, + + [Parameter()] + [System.Uri] + $Proxy, [Parameter()] [PSObject] - $InputObject, + $BodyParameter, [Parameter()] [System.String] - $OdataId, + $Id, [Parameter()] [PSObject] - $HttpPipelineAppend, + $IncompatibleAccessPackages, [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Confirm, + + [Parameter()] + [PSObject] + $AccessPackageResourceRoleScopes, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.String] - $ConnectedOrganizationId, + $ModifiedBy, [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, + $Break, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [PSObject] + $HttpPipelineAppend, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break + $IsHidden ) } -function New-MgBetaRoleManagementDirectoryRoleAssignment +function New-MgBetaEntitlementManagementAccessPackageAssignment { [CmdletBinding()] param( - [Parameter()] - [PSObject] - $Principal, - [Parameter()] [System.String] - $ResourceScope, - - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Justification, [Parameter()] - [PSObject] - $DirectoryScope, + [System.String[]] + $RequiredUserId, [Parameter()] [PSObject] - $HttpPipelinePrepend, - - [Parameter()] - [System.String] - $PrincipalId, - - [Parameter()] - [System.Uri] - $Proxy, + $Answers, [Parameter()] [PSObject] - $BodyParameter, - - [Parameter()] - [System.String] - $Id, - - [Parameter()] - [System.String] - 
$Condition, + $ExistingAssignment, [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, + $ProxyUseDefaultCredentials, [Parameter()] - [System.String] - $RoleDefinitionId, + [System.Management.Automation.PSObject[]] + $RequiredGroupMember, [Parameter()] [PSObject] - $RoleDefinition, + $HttpPipelinePrepend, [Parameter()] [System.Management.Automation.PSCredential] $ProxyCredential, [Parameter()] - [PSObject] - $AppScope, + [System.String] + $AccessPackageId, [Parameter()] - [System.String] - $DirectoryScopeId, + [System.Uri] + $Proxy, [Parameter()] - [System.String] - $PrincipalOrganizationId, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] [System.String] - $AppScopeId, + $StartDate, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, + [Parameter()] + [System.String] + $AssignmentPolicyId, + [Parameter()] [PSObject] $HttpPipelineAppend ) } -function New-MgBetaRoleManagementDirectoryRoleDefinition +function New-MgBetaEntitlementManagementAccessPackageAssignmentPolicy { [CmdletBinding()] param( @@ -31889,13 +32215,29 @@ function New-MgBetaRoleManagementDirectoryRoleDefinition [System.String] $Description, + [Parameter()] + [System.DateTime] + $CreatedDateTime, + [Parameter()] [System.String] $DisplayName, [Parameter()] - [System.String[]] - $ResourceScopes, + [PSObject] + $CustomExtensionStageSettings, + + [Parameter()] + [PSObject] + $AccessPackageCatalog, + + [Parameter()] + [PSObject] + $Questions, + + [Parameter()] + [System.DateTime] + $ModifiedDateTime, [Parameter()] [System.Collections.Hashtable] 
@@ -31907,80 +32249,96 @@ function New-MgBetaRoleManagementDirectoryRoleDefinition [Parameter()] [System.String] - $TemplateId, + $AccessPackageId, [Parameter()] - [System.Management.Automation.SwitchParameter] - $IsPrivileged, + [PSObject] + $HttpPipelinePrepend, [Parameter()] [PSObject] - $HttpPipelinePrepend, + $AccessReviewSettings, [Parameter()] [System.String] - $Version, + $CreatedBy, + + [Parameter()] + [PSObject] + $RequestorSettings, [Parameter()] [System.Management.Automation.SwitchParameter] - $IsBuiltIn, + $CanExtend, [Parameter()] - [System.Uri] - $Proxy, + [PSObject] + $VerifiableCredentialSettings, [Parameter()] [PSObject] - $BodyParameter, + $CustomExtensionHandlers, + + [Parameter()] + [System.Int32] + $DurationInDays, [Parameter()] [System.String] $Id, [Parameter()] - [PSObject] - $InheritsPermissionsFrom, + [System.Uri] + $Proxy, + + [Parameter()] + [System.DateTime] + $ExpirationDateTime, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, [Parameter()] - [System.String] - $AllowedPrincipalTypes, + [PSObject] + $RequestApprovalSettings, [Parameter()] [PSObject] - $RolePermissions, + $AccessPackage, + + [Parameter()] + [PSObject] + $BodyParameter, [Parameter()] [System.Management.Automation.PSCredential] $ProxyCredential, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [System.String] + $ModifiedBy, [Parameter()] [System.Management.Automation.SwitchParameter] - $IsEnabled, + $Break, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function New-MgBetaRoleManagementDirectoryRoleEligibilitySchedule +function New-MgBetaEntitlementManagementAccessPackageCatalog { [CmdletBinding()] param( [Parameter()] - [System.String] - $MemberType, + [System.Management.Automation.SwitchParameter] + $IsExternallyVisible, [Parameter()] [PSObject] - $Principal, + $AccessPackageCustomWorkflowExtensions, [Parameter()] [System.DateTime] 
@@ -31988,7 +32346,7 @@ function New-MgBetaRoleManagementDirectoryRoleEligibilitySchedule [Parameter()] [System.String] - $CreatedUsing, + $DisplayName, [Parameter()] [System.DateTime] @@ -31999,16 +32357,12 @@ function New-MgBetaRoleManagementDirectoryRoleEligibilitySchedule $AdditionalProperties, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [PSObject] - $ScheduleInfo, + [System.String] + $Description, [Parameter()] [PSObject] - $DirectoryScope, + $AccessPackages, [Parameter()] [PSObject] @@ -32016,7 +32370,11 @@ function New-MgBetaRoleManagementDirectoryRoleEligibilitySchedule [Parameter()] [System.String] - $PrincipalId, + $CreatedBy, + + [Parameter()] + [PSObject] + $AccessPackageResourceScopes, [Parameter()] [System.Uri] @@ -32026,10 +32384,6 @@ function New-MgBetaRoleManagementDirectoryRoleEligibilitySchedule [PSObject] $BodyParameter, - [Parameter()] - [System.String] - $Status, - [Parameter()] [System.String] $Id, 
@@ -32039,206 +32393,235 @@ function New-MgBetaRoleManagementDirectoryRoleEligibilitySchedule $Confirm, [Parameter()] - [System.String] - $RoleDefinitionId, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [PSObject] - $RoleDefinition, + $AccessPackageResources, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $ModifiedBy, [Parameter()] [PSObject] - $AppScope, + $CustomAccessPackageWorkflowExtensions, [Parameter()] [System.String] - $DirectoryScopeId, + $CatalogStatus, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [PSObject] + $AccessPackageResourceRoles, [Parameter()] [System.String] - $AppScopeId, + $CatalogType, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, + $ProxyUseDefaultCredentials, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest +function New-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef { [CmdletBinding()] param( [Parameter()] - [System.String] - $Justification, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [PSObject] - $Principal, - - [Parameter()] - [System.DateTime] - $CreatedDateTime, + $HttpPipelinePrepend, [Parameter()] - [System.String] - $Action, + [PSObject] + $BodyParameter, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [System.Uri] + $Proxy, [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $PassThru, [Parameter()] [PSObject] - $ScheduleInfo, + $InputObject, [Parameter()] - [PSObject] - $DirectoryScope, + [System.String] + $OdataId, [Parameter()] [PSObject] - $TargetSchedule, + $HttpPipelineAppend, [Parameter()] [System.String] - $ApprovalId, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, + $AccessPackageId, [Parameter()] - [System.String] - $CustomData, + 
[System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] - [PSObject] - $CreatedBy, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] - [System.String] - $PrincipalId, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] - $IsValidationOnly, + $Break + ) +} +function New-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [System.DateTime] - $CompletedDateTime, + [PSObject] + $HttpPipelinePrepend, [Parameter()] [PSObject] - $TicketInfo, + $BodyParameter, [Parameter()] [System.Uri] $Proxy, + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + [Parameter()] [PSObject] - $BodyParameter, + $InputObject, [Parameter()] [System.String] - $Status, + $OdataId, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, [Parameter()] [System.String] - $Id, + $AccessPackageId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, [Parameter()] - [System.String] - $TargetScheduleId, + [System.Collections.Hashtable] + $AdditionalProperties, + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function New-MgBetaEntitlementManagementAccessPackageResourceRequest +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $RoleDefinitionId, + $Justification, [Parameter()] [PSObject] - $RoleDefinition, + $AccessPackageResource, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Management.Automation.SwitchParameter] + $ExecuteImmediately, [Parameter()] - [PSObject] - $AppScope, + [System.String] + $CatalogId, [Parameter()] [System.String] - $DirectoryScopeId, + $RequestType, [Parameter()] - [System.String] - 
$AppScopeId, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, + $ProxyUseDefaultCredentials, [Parameter()] [PSObject] - $HttpPipelineAppend - ) -} -function Remove-MgBetaEntitlementManagementAccessPackage -{ - [CmdletBinding()] - param( + $HttpPipelinePrepend, + [Parameter()] [PSObject] - $HttpPipelinePrepend, + $Requestor, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Management.Automation.SwitchParameter] + $IsValidationOnly, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [PSObject] + $BodyParameter, [Parameter()] [System.String] - $IfMatch, + $Id, [Parameter()] - [PSObject] - $InputObject, + [System.DateTime] + $ExpirationDateTime, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.String] - $AccessPackageId, + $RequestState, + + [Parameter()] + [System.String] + $RequestStatus, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -32249,143 +32632,162 @@ function Remove-MgBetaEntitlementManagementAccessPackage $HttpPipelineAppend ) } -function Remove-MgBetaEntitlementManagementAccessPackageAssignment +function New-MgBetaEntitlementManagementAccessPackageResourceRoleScope { [CmdletBinding()] param( [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.DateTime] + $CreatedDateTime, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.DateTime] + $ModifiedDateTime, [Parameter()] - [System.String] - $AccessPackageAssignmentId, + [PSObject] + $InputObject, [Parameter()] - [System.Uri] - $Proxy, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] - $PassThru, + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, [Parameter()] [System.String] - $IfMatch, + $CreatedBy, [Parameter()] [PSObject] - $InputObject, + $AccessPackageResourceScope, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.String] + $AccessPackageId, [Parameter()] [PSObject] - $HttpPipelineAppend, + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $AccessPackageResourceRole, [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Confirm, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ModifiedBy, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break + $Break, + + [Parameter()] + [PSObject] + $HttpPipelineAppend ) } -function Remove-MgBetaEntitlementManagementAccessPackageAssignmentPolicy +function New-MgBetaEntitlementManagementConnectedOrganization { [CmdletBinding()] param( [Parameter()] [PSObject] - $HttpPipelinePrepend, + $ExternalSponsors, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + 
$Description, [Parameter()] - [System.Uri] - $Proxy, + [System.DateTime] + $CreatedDateTime, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [System.String] + $DisplayName, [Parameter()] - [System.String] - $IfMatch, + [System.DateTime] + $ModifiedDateTime, [Parameter()] - [PSObject] - $InputObject, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, + $ProxyUseDefaultCredentials, [Parameter()] [PSObject] - $HttpPipelineAppend, + $HttpPipelinePrepend, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [PSObject] + $IdentitySources, [Parameter()] [System.String] - $AccessPackageAssignmentPolicyId, + $State, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break - ) -} -function Remove-MgBetaEntitlementManagementAccessPackageCatalog -{ - [CmdletBinding()] - param( [Parameter()] [System.String] - $AccessPackageCatalogId, + $CreatedBy, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.Uri] + $Proxy, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [PSObject] + $BodyParameter, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $Id, [Parameter()] [System.Management.Automation.SwitchParameter] - $PassThru, + $Confirm, [Parameter()] - [System.String] - $IfMatch, + [PSObject] + $InternalSponsors, [Parameter()] - [PSObject] - $InputObject, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.String] + $ModifiedBy, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $DomainName, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -32396,18 +32798,22 @@ function Remove-MgBetaEntitlementManagementAccessPackageCatalog $HttpPipelineAppend ) } -function Remove-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef +function New-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorByRef { [CmdletBinding()] param( [Parameter()] - [System.String] - $Id, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [PSObject] $HttpPipelinePrepend, + [Parameter()] + [PSObject] + $BodyParameter, + [Parameter()] [System.Uri] $Proxy, @@ -32416,17 +32822,13 @@ function Remove-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackag [System.Management.Automation.SwitchParameter] $PassThru, - [Parameter()] - [System.String] - $IfMatch, - [Parameter()] [PSObject] $InputObject, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.String] + $OdataId, [Parameter()] [PSObject] @@ -32438,36 +32840,36 @@ function Remove-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackag [Parameter()] [System.String] - $AccessPackageId1, + $ConnectedOrganizationId, [Parameter()] - [System.String] - $AccessPackageId, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] $Break ) } -function Remove-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef +function New-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorByRef { [CmdletBinding()] param( [Parameter()] - [System.String] - $Id, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [PSObject] + $BodyParameter, [Parameter()] [System.Uri] 
@@ -32477,82 +32879,118 @@ function Remove-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef [System.Management.Automation.SwitchParameter] $PassThru, - [Parameter()] - [System.String] - $IfMatch, - [Parameter()] [PSObject] $InputObject, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [System.String] + $OdataId, [Parameter()] [PSObject] $HttpPipelineAppend, + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + [Parameter()] [System.String] - $AccessPackageId, + $ConnectedOrganizationId, [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Confirm, [Parameter()] - [System.String] - $GroupId, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] $Break ) } -function Remove-MgBetaEntitlementManagementAccessPackageResourceRoleScope +function New-MgBetaRoleManagementDirectoryRoleAssignment { [CmdletBinding()] param( [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [PSObject] + $Principal, + + [Parameter()] + [System.String] + $ResourceScope, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $DirectoryScope, [Parameter()] [PSObject] $HttpPipelinePrepend, + [Parameter()] + [System.String] + $PrincipalId, + [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [PSObject] + $BodyParameter, [Parameter()] [System.String] - $IfMatch, + $Id, [Parameter()] - [PSObject] - $InputObject, + [System.String] + $Condition, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $RoleDefinitionId, + + [Parameter()] + 
[PSObject] + $RoleDefinition, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [PSObject] + $AppScope, [Parameter()] [System.String] - $AccessPackageResourceRoleScopeId, + $DirectoryScopeId, [Parameter()] [System.String] - $AccessPackageId, + $PrincipalOrganizationId, + + [Parameter()] + [System.String] + $AppScopeId, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -32563,200 +33001,315 @@ function Remove-MgBetaEntitlementManagementAccessPackageResourceRoleScope $HttpPipelineAppend ) } -function Remove-MgBetaEntitlementManagementConnectedOrganization +function New-MgBetaRoleManagementDirectoryRoleDefinition { [CmdletBinding()] param( + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $ResourceScopes, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String] + $TemplateId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsPrivileged, + [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $Version, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsBuiltIn, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [PSObject] + $BodyParameter, [Parameter()] [System.String] - $IfMatch, + $Id, [Parameter()] [PSObject] - $InputObject, + $InheritsPermissionsFrom, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, + [Parameter()] + [System.String] + $AllowedPrincipalTypes, + [Parameter()] [PSObject] - $HttpPipelineAppend, + $RolePermissions, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [System.String] - $ConnectedOrganizationId, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break + $IsEnabled, + + [Parameter()] + [PSObject] + $HttpPipelineAppend ) } -function Remove-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorDirectoryObjectByRef +function 
New-MgBetaRoleManagementDirectoryRoleEligibilitySchedule { [CmdletBinding()] param( [Parameter()] [System.String] - $Id, + $MemberType, + + [Parameter()] + [PSObject] + $Principal, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $CreatedUsing, + + [Parameter()] + [System.DateTime] + $ModifiedDateTime, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $ScheduleInfo, + + [Parameter()] + [PSObject] + $DirectoryScope, [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $PrincipalId, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [PSObject] + $BodyParameter, [Parameter()] [System.String] - $IfMatch, + $Status, [Parameter()] - [PSObject] - $InputObject, + [System.String] + $Id, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, + [Parameter()] + [System.String] + $RoleDefinitionId, + [Parameter()] [PSObject] - $HttpPipelineAppend, + $RoleDefinition, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [PSObject] + $AppScope, [Parameter()] [System.String] - $DirectoryObjectId, + $DirectoryScopeId, [Parameter()] [System.String] - $ConnectedOrganizationId, + $AppScopeId, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break + $Break, + + [Parameter()] + [PSObject] + $HttpPipelineAppend ) } -function Remove-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorDirectoryObjectByRef +function New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest { [CmdletBinding()] param( [Parameter()] [System.String] - $Id, + $Justification, [Parameter()] 
[PSObject] - $HttpPipelinePrepend, + $Principal, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.DateTime] + $CreatedDateTime, [Parameter()] - [System.Uri] - $Proxy, + [System.String] + $Action, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] - [System.String] - $IfMatch, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] [PSObject] - $InputObject, + $ScheduleInfo, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm, + [PSObject] + $DirectoryScope, [Parameter()] [PSObject] - $HttpPipelineAppend, + $TargetSchedule, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $ApprovalId, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, [Parameter()] [System.String] - $DirectoryObjectId, + $CustomData, + + [Parameter()] + [PSObject] + $CreatedBy, [Parameter()] [System.String] - $ConnectedOrganizationId, + $PrincipalId, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break - ) -} -function Remove-MgBetaRoleManagementDirectory -{ - [CmdletBinding()] - param( + $IsValidationOnly, + [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.DateTime] + $CompletedDateTime, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [PSObject] + $TicketInfo, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, + [PSObject] + $BodyParameter, [Parameter()] [System.String] - $IfMatch, + $Status, + + [Parameter()] + [System.String] + $Id, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $TargetScheduleId, + + [Parameter()] + [System.String] + $RoleDefinitionId, + + [Parameter()] + 
[PSObject] + $RoleDefinition, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [PSObject] + $AppScope, + + [Parameter()] + [System.String] + $DirectoryScopeId, + + [Parameter()] + [System.String] + $AppScopeId, [Parameter()] [System.Management.Automation.SwitchParameter] @@ -32767,7 +33320,7 @@ function Remove-MgBetaRoleManagementDirectory $HttpPipelineAppend ) } -function Remove-MgBetaRoleManagementDirectoryRoleAssignment +function Remove-MgBetaEntitlementManagementAccessPackage { [CmdletBinding()] param( @@ -32787,10 +33340,6 @@ function Remove-MgBetaRoleManagementDirectoryRoleAssignment [System.Management.Automation.SwitchParameter] $PassThru, - [Parameter()] - [System.String] - $UnifiedRoleAssignmentId, - [Parameter()] [System.String] $IfMatch, @@ -32807,6 +33356,10 @@ function Remove-MgBetaRoleManagementDirectoryRoleAssignment [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, + [Parameter()] + [System.String] + $AccessPackageId, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -32816,17 +33369,21 @@ function Remove-MgBetaRoleManagementDirectoryRoleAssignment $HttpPipelineAppend ) } -function Remove-MgBetaRoleManagementDirectoryRoleDefinition +function Remove-MgBetaEntitlementManagementAccessPackageAssignment { [CmdletBinding()] param( + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $AccessPackageAssignmentId, [Parameter()] [System.Uri] 
@@ -32848,142 +33405,107 @@ function Remove-MgBetaRoleManagementDirectoryRoleDefinition [System.Management.Automation.SwitchParameter] $Confirm, + [Parameter()] + [PSObject] + $HttpPipelineAppend, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, - [Parameter()] - [System.String] - $UnifiedRoleDefinitionId, - [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [PSObject] - $HttpPipelineAppend + $Break ) } -function Set-MgBetaEntitlementManagementAccessPackageAssignmentPolicy +function Remove-MgBetaEntitlementManagementAccessPackageAssignmentPolicy { [CmdletBinding()] param( [Parameter()] [PSObject] - $CustomExtensionHandlers, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.DateTime] - $CreatedDateTime, - - [Parameter()] - [System.String] - $DisplayName, + $HttpPipelinePrepend, [Parameter()] - [PSObject] - $CustomExtensionStageSettings, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [PSObject] - $AccessPackageCatalog, + [System.Uri] + $Proxy, [Parameter()] - [PSObject] - $Questions, + [System.Management.Automation.SwitchParameter] + $PassThru, [Parameter()] - [System.DateTime] - $ModifiedDateTime, + [System.String] + $IfMatch, [Parameter()] [PSObject] $InputObject, - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, - [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [PSObject] - $HttpPipelinePrepend, + $Confirm, [Parameter()] [PSObject] - $AccessReviewSettings, + $HttpPipelineAppend, [Parameter()] - [System.String] - $CreatedBy, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] [System.String] $AccessPackageAssignmentPolicyId, - [Parameter()] - [PSObject] - $RequestorSettings, - [Parameter()] [System.Management.Automation.SwitchParameter] - $CanExtend, - - [Parameter()] - [PSObject] - 
$VerifiableCredentialSettings, - + $Break + ) +} +function Remove-MgBetaEntitlementManagementAccessPackageCatalog +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $AccessPackageId, + $AccessPackageCatalogId, [Parameter()] - [System.Int32] - $DurationInDays, + [PSObject] + $HttpPipelinePrepend, [Parameter()] - [System.String] - $Id, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.Uri] $Proxy, - [Parameter()] - [System.DateTime] - $ExpirationDateTime, - [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, - - [Parameter()] - [PSObject] - $RequestApprovalSettings, + $PassThru, [Parameter()] - [PSObject] - $AccessPackage, + [System.String] + $IfMatch, [Parameter()] [PSObject] - $BodyParameter, + $InputObject, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] - [System.String] - $ModifiedBy, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -32994,89 +33516,94 @@ function Set-MgBetaEntitlementManagementAccessPackageAssignmentPolicy $HttpPipelineAppend ) } -function Update-MgBetaEntitlementManagementAccessPackage +function Remove-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackageByRef { [CmdletBinding()] param( [Parameter()] [System.String] - $Description, + $Id, [Parameter()] [PSObject] - $AccessPackagesIncompatibleWith, + $HttpPipelinePrepend, [Parameter()] - [System.DateTime] - $CreatedDateTime, + [System.Uri] + $Proxy, [Parameter()] - [PSObject] - $IncompatibleGroups, + [System.Management.Automation.SwitchParameter] + $PassThru, [Parameter()] [System.String] - $DisplayName, + $IfMatch, [Parameter()] [PSObject] - $AccessPackageCatalog, - - [Parameter()] - [System.String] - $CatalogId, + $InputObject, [Parameter()] - [System.DateTime] - $ModifiedDateTime, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] [PSObject] - $InputObject, - - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + $HttpPipelineAppend, [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $AccessPackageId1, [Parameter()] - [PSObject] - $AccessPackageAssignmentPolicies, + [System.String] + $AccessPackageId, [Parameter()] - [System.String] - $CreatedBy, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.Management.Automation.SwitchParameter] - $IsRoleScopesVisible, - + $Break + ) +} +function Remove-MgBetaEntitlementManagementAccessPackageIncompatibleGroupByRef +{ + [CmdletBinding()] + param( [Parameter()] [System.String] - $AccessPackageId, + $Id, [Parameter()] [PSObject] - $BodyParameter, + $HttpPipelinePrepend, [Parameter()] - [System.String] - $Id, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.Uri] $Proxy, + [Parameter()] + [System.Management.Automation.SwitchParameter] + 
$PassThru, + + [Parameter()] + [System.String] + $IfMatch, + [Parameter()] [PSObject] - $IncompatibleAccessPackages, + $InputObject, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -33084,314 +33611,272 @@ function Update-MgBetaEntitlementManagementAccessPackage [Parameter()] [PSObject] - $AccessPackageResourceRoleScopes, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + $HttpPipelineAppend, [Parameter()] [System.String] - $ModifiedBy, + $AccessPackageId, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, + $ProxyUseDefaultCredentials, [Parameter()] - [PSObject] - $HttpPipelineAppend, + [System.String] + $GroupId, [Parameter()] [System.Management.Automation.SwitchParameter] - $IsHidden + $Break ) } -function Update-MgBetaEntitlementManagementAccessPackageCatalog +function Remove-MgBetaEntitlementManagementAccessPackageResourceRoleScope { [CmdletBinding()] param( [Parameter()] - [System.Management.Automation.SwitchParameter] - $IsExternallyVisible, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [PSObject] - $AccessPackageCustomWorkflowExtensions, + $HttpPipelinePrepend, [Parameter()] - [System.DateTime] - $CreatedDateTime, + [System.Uri] + $Proxy, [Parameter()] - [System.String] - $DisplayName, + [System.Management.Automation.SwitchParameter] + $PassThru, [Parameter()] - [System.DateTime] - $ModifiedDateTime, + [System.String] + $IfMatch, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [PSObject] + $InputObject, [Parameter()] - [System.String] - $Description, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] - [PSObject] - $AccessPackages, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.String] + $AccessPackageResourceRoleScopeId, [Parameter()] [System.String] - $CreatedBy, + $AccessPackageId, [Parameter()] - [PSObject] - $InputObject, + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [PSObject] - $AccessPackageResourceScopes, + $HttpPipelineAppend + ) +} +function 
Remove-MgBetaEntitlementManagementConnectedOrganization +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, [Parameter()] - [System.String] - $AccessPackageCatalogId, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.Uri] $Proxy, - [Parameter()] - [PSObject] - $BodyParameter, - - [Parameter()] - [System.String] - $Id, - [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, + $PassThru, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $IfMatch, [Parameter()] [PSObject] - $AccessPackageResources, + $InputObject, [Parameter()] - [System.String] - $ModifiedBy, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] [PSObject] - $CustomAccessPackageWorkflowExtensions, - - [Parameter()] - [System.String] - $CatalogStatus, + $HttpPipelineAppend, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [PSObject] - $AccessPackageResourceRoles, + $ProxyUseDefaultCredentials, [Parameter()] [System.String] - $CatalogType, + $ConnectedOrganizationId, [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [PSObject] - $HttpPipelineAppend + $Break ) } -function Update-MgBetaEntitlementManagementConnectedOrganization +function Remove-MgBetaEntitlementManagementConnectedOrganizationExternalSponsorDirectoryObjectByRef { [CmdletBinding()] param( [Parameter()] - [PSObject] - $ExternalSponsors, + [System.String] + $Id, [Parameter()] - [System.String] - $Description, + [PSObject] + $HttpPipelinePrepend, [Parameter()] - [System.DateTime] - $CreatedDateTime, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] - [System.String] - $DisplayName, + [System.Uri] + $Proxy, [Parameter()] [System.Management.Automation.SwitchParameter] - $Confirm, + $PassThru, [Parameter()] - [System.DateTime] - $ModifiedDateTime, + 
[System.String] + $IfMatch, [Parameter()] [PSObject] $InputObject, - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, - [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Confirm, [Parameter()] [PSObject] - $HttpPipelinePrepend, + $HttpPipelineAppend, [Parameter()] - [PSObject] - $IdentitySources, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] [System.String] - $State, + $DirectoryObjectId, [Parameter()] [System.String] - $CreatedBy, - - [Parameter()] - [System.Uri] - $Proxy, + $ConnectedOrganizationId, [Parameter()] - [PSObject] - $BodyParameter, - + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Remove-MgBetaEntitlementManagementConnectedOrganizationInternalSponsorDirectoryObjectByRef +{ + [CmdletBinding()] + param( [Parameter()] [System.String] $Id, - [Parameter()] - [System.String] - $ConnectedOrganizationId, - [Parameter()] [PSObject] - $InternalSponsors, + $HttpPipelinePrepend, [Parameter()] [System.Management.Automation.PSCredential] $ProxyCredential, [Parameter()] - [System.String] - $ModifiedBy, + [System.Uri] + $Proxy, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break, + $PassThru, [Parameter()] - [PSObject] - $HttpPipelineAppend - ) -} -function Update-MgBetaRoleManagementDirectory -{ - [CmdletBinding()] - param( - [Parameter()] - [PSObject] - $RoleAssignmentScheduleRequests, + [System.String] + $IfMatch, [Parameter()] [PSObject] - $TransitiveRoleAssignments, - - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + $InputObject, [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Confirm, [Parameter()] [PSObject] - $RoleEligibilitySchedules, + $HttpPipelineAppend, [Parameter()] - [PSObject] - $ResourceNamespaces, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] - [PSObject] - 
$HttpPipelinePrepend, + [System.String] + $DirectoryObjectId, [Parameter()] - [PSObject] - $RoleDefinitions, + [System.String] + $ConnectedOrganizationId, [Parameter()] - [PSObject] - $RoleEligibilityScheduleRequests, - + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function Remove-MgBetaRoleManagementDirectory +{ + [CmdletBinding()] + param( [Parameter()] [PSObject] - $RoleAssignmentSchedules, + $HttpPipelinePrepend, [Parameter()] - [PSObject] - $RoleAssignments, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [PSObject] - $BodyParameter, + [System.Management.Automation.SwitchParameter] + $PassThru, [Parameter()] [System.String] - $Id, + $IfMatch, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [PSObject] - $RoleEligibilityScheduleInstances, - - [Parameter()] - [PSObject] - $RoleAssignmentScheduleInstances, - - [Parameter()] - [PSObject] - $RoleAssignmentApprovals, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] [System.Management.Automation.SwitchParameter] 
@@ -33402,193 +33887,324 @@ function Update-MgBetaRoleManagementDirectory $HttpPipelineAppend ) } -function Update-MgBetaRoleManagementDirectoryRoleDefinition +function Remove-MgBetaRoleManagementDirectoryRoleAssignment { [CmdletBinding()] param( [Parameter()] - [System.String] - $Description, + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, [Parameter()] [System.String] - $DisplayName, + $UnifiedRoleAssignmentId, [Parameter()] - [System.String[]] - $ResourceScopes, + [System.String] + $IfMatch, [Parameter()] [PSObject] $InputObject, [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, - [Parameter()] - [System.String] - $TemplateId, - [Parameter()] [System.Management.Automation.SwitchParameter] - $IsPrivileged, + $Break, [Parameter()] - [System.String] - $UnifiedRoleDefinitionId, - + [PSObject] + $HttpPipelineAppend + ) +} +function Remove-MgBetaRoleManagementDirectoryRoleDefinition +{ + [CmdletBinding()] + param( [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.String] - $Version, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $IsBuiltIn, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [PSObject] - $BodyParameter, + [System.Management.Automation.SwitchParameter] + $PassThru, [Parameter()] [System.String] - $Id, + $IfMatch, [Parameter()] [PSObject] - $InheritsPermissionsFrom, + $InputObject, [Parameter()] [System.Management.Automation.SwitchParameter] $Confirm, [Parameter()] - [System.String] - $AllowedPrincipalTypes, - - [Parameter()] - [PSObject] - $RolePermissions, + 
[System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.String] + $UnifiedRoleDefinitionId, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, - [Parameter()] - [System.Management.Automation.SwitchParameter] - $IsEnabled, - [Parameter()] [PSObject] $HttpPipelineAppend ) } -#endregion -#region Microsoft.Graph.Beta.Identity.SignIns -function Get-MgBetaIdentityConditionalAccess +function Set-MgBetaEntitlementManagementAccessPackageAssignmentPolicy { [CmdletBinding()] param( + [Parameter()] + [PSObject] + $CustomExtensionHandlers, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [PSObject] + $CustomExtensionStageSettings, + + [Parameter()] + [PSObject] + $AccessPackageCatalog, + + [Parameter()] + [PSObject] + $Questions, + + [Parameter()] + [System.DateTime] + $ModifiedDateTime, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + [Parameter()] [PSObject] $HttpPipelinePrepend, + [Parameter()] + [PSObject] + $AccessReviewSettings, + + [Parameter()] + [System.String] + $CreatedBy, + + [Parameter()] + [System.String] + $AccessPackageAssignmentPolicyId, + + [Parameter()] + [PSObject] + $RequestorSettings, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $CanExtend, + + [Parameter()] + [PSObject] + $VerifiableCredentialSettings, + + [Parameter()] + [System.String] + $AccessPackageId, + + [Parameter()] + [System.Int32] + $DurationInDays, + + [Parameter()] + [System.String] + $Id, + [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [System.DateTime] + 
$ExpirationDateTime, [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + $Confirm, [Parameter()] - [System.String[]] - $ExpandProperty, + [PSObject] + $RequestApprovalSettings, [Parameter()] - [System.String[]] - $Property, + [PSObject] + $AccessPackage, [Parameter()] [PSObject] - $HttpPipelineAppend, + $BodyParameter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ModifiedBy, [Parameter()] [System.Management.Automation.SwitchParameter] - $Break + $Break, + + [Parameter()] + [PSObject] + $HttpPipelineAppend ) } -function Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference +function Update-MgBetaEntitlementManagementAccessPackage { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.String] + $Description, + + [Parameter()] + [PSObject] + $AccessPackagesIncompatibleWith, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [PSObject] + $IncompatibleGroups, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [PSObject] + $AccessPackageCatalog, + + [Parameter()] + [System.String] + $CatalogId, + + [Parameter()] + [System.DateTime] + $ModifiedDateTime, [Parameter()] [PSObject] $InputObject, + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, [Parameter()] - [System.Int32] - $PageSize, + [PSObject] + $HttpPipelinePrepend, [Parameter()] [PSObject] - $HttpPipelinePrepend, + $AccessPackageAssignmentPolicies, [Parameter()] - [System.Int32] - $Skip, + [System.String] + $CreatedBy, [Parameter()] - [System.Int32] - $Top, + [System.Management.Automation.SwitchParameter] + $IsRoleScopesVisible, [Parameter()] [System.String] - $CountVariable, + $AccessPackageId, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, 
[Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [PSObject] + $IncompatibleAccessPackages, [Parameter()] [System.Management.Automation.SwitchParameter] - $All, + $Confirm, [Parameter()] - [System.String] - $Filter, + [PSObject] + $AccessPackageResourceRoleScopes, [Parameter()] [System.Management.Automation.PSCredential] 
@@ -33596,157 +34212,209 @@ function Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference [Parameter()] [System.String] - $Search, - - [Parameter()] - [System.String] - $AuthenticationContextClassReferenceId, + $ModifiedBy, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [System.String[]] - $ExpandProperty, + [PSObject] + $HttpPipelineAppend, [Parameter()] - [PSObject] - $HttpPipelineAppend + [System.Management.Automation.SwitchParameter] + $IsHidden ) } -function Get-MgBetaIdentityConditionalAccessNamedLocation +function Update-MgBetaEntitlementManagementAccessPackageCatalog { [CmdletBinding()] param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsExternallyVisible, + + [Parameter()] + [PSObject] + $AccessPackageCustomWorkflowExtensions, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + [Parameter()] [System.String] - $NamedLocationId, + $DisplayName, [Parameter()] - [System.String[]] - $Property, + [System.DateTime] + $ModifiedDateTime, [Parameter()] - [PSObject] - $InputObject, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.String] + $Description, [Parameter()] - [System.Int32] - $PageSize, + [PSObject] + $AccessPackages, [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.Int32] - $Skip, + [System.String] + $CreatedBy, [Parameter()] - [System.Int32] - $Top, + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $AccessPackageResourceScopes, [Parameter()] [System.String] - $CountVariable, + $AccessPackageCatalogId, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [PSObject] + $BodyParameter, [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [System.String] + $Id, [Parameter()] - [System.String] - $Filter, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] 
[System.Management.Automation.PSCredential] $ProxyCredential, + [Parameter()] + [PSObject] + $AccessPackageResources, + [Parameter()] [System.String] - $Search, + $ModifiedBy, + + [Parameter()] + [PSObject] + $CustomAccessPackageWorkflowExtensions, + + [Parameter()] + [System.String] + $CatalogStatus, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [System.String[]] - $ExpandProperty, + [PSObject] + $AccessPackageResourceRoles, + + [Parameter()] + [System.String] + $CatalogType, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaIdentityConditionalAccessPolicy +function Update-MgBetaEntitlementManagementConnectedOrganization { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [PSObject] + $ExternalSponsors, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.DateTime] + $ModifiedDateTime, [Parameter()] [PSObject] $InputObject, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] - [System.Int32] - $PageSize, + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.Int32] - $Skip, + [PSObject] + $IdentitySources, [Parameter()] [System.String] - $ConditionalAccessPolicyId, - - [Parameter()] - [System.Int32] - $Top, + $State, [Parameter()] [System.String] - $CountVariable, + $CreatedBy, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [PSObject] + $BodyParameter, [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + 
[System.String] + $Id, [Parameter()] [System.String] - $Filter, + $ConnectedOrganizationId, + + [Parameter()] + [PSObject] + $InternalSponsors, [Parameter()] [System.Management.Automation.PSCredential] 
@@ -33754,176 +34422,206 @@ function Get-MgBetaIdentityConditionalAccessPolicy [Parameter()] [System.String] - $Search, + $ModifiedBy, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, - [Parameter()] - [System.String[]] - $ExpandProperty, - [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaIdentityProvider +function Update-MgBetaRoleManagementDirectory { [CmdletBinding()] param( [Parameter()] - [System.String] - $IdentityProviderBaseId, + [PSObject] + $RoleAssignmentScheduleRequests, [Parameter()] - [System.String[]] - $Property, + [PSObject] + $TransitiveRoleAssignments, [Parameter()] - [PSObject] - $InputObject, + [System.Collections.Hashtable] + $AdditionalProperties, [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, [Parameter()] - [System.Int32] - $PageSize, + [PSObject] + $RoleEligibilitySchedules, + + [Parameter()] + [PSObject] + $ResourceNamespaces, [Parameter()] [PSObject] $HttpPipelinePrepend, [Parameter()] - [System.Int32] - $Skip, + [PSObject] + $RoleDefinitions, [Parameter()] - [System.Int32] - $Top, + [PSObject] + $RoleEligibilityScheduleRequests, [Parameter()] - [System.String] - $CountVariable, + [PSObject] + $RoleAssignmentSchedules, + + [Parameter()] + [PSObject] + $RoleAssignments, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [PSObject] + $BodyParameter, [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [System.String] + $Id, [Parameter()] - [System.String] - $Filter, + [System.Management.Automation.SwitchParameter] + $Confirm, [Parameter()] [System.Management.Automation.PSCredential] $ProxyCredential, [Parameter()] - [System.String] - $Search, + [PSObject] + $RoleEligibilityScheduleInstances, [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, + [PSObject] + $RoleAssignmentScheduleInstances, [Parameter()] - [System.String[]] - $ExpandProperty, + [PSObject] + $RoleAssignmentApprovals, + + 
[Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function Get-MgBetaOauth2PermissionGrant +function Update-MgBetaRoleManagementDirectoryRoleDefinition { [CmdletBinding()] param( [Parameter()] - [System.String[]] - $Property, + [System.String] + $Description, [Parameter()] [System.String] - $OAuth2PermissionGrantId, + $DisplayName, + + [Parameter()] + [System.String[]] + $ResourceScopes, [Parameter()] [PSObject] $InputObject, + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, [Parameter()] - [System.Int32] - $PageSize, + [System.String] + $TemplateId, [Parameter()] - [PSObject] - $HttpPipelinePrepend, + [System.Management.Automation.SwitchParameter] + $IsPrivileged, [Parameter()] - [System.Int32] - $Skip, + [System.String] + $UnifiedRoleDefinitionId, [Parameter()] - [System.Int32] - $Top, + [PSObject] + $HttpPipelinePrepend, [Parameter()] [System.String] - $CountVariable, + $Version, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsBuiltIn, [Parameter()] [System.Uri] $Proxy, [Parameter()] - [System.String[]] - $Sort, + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject] + $InheritsPermissionsFrom, [Parameter()] [System.Management.Automation.SwitchParameter] - $All, + $Confirm, [Parameter()] [System.String] - $Filter, + $AllowedPrincipalTypes, [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + [PSObject] + $RolePermissions, [Parameter()] - [System.String] - $Search, + [System.Management.Automation.PSCredential] + $ProxyCredential, [Parameter()] [System.Management.Automation.SwitchParameter] $Break, [Parameter()] - [System.String[]] - $ExpandProperty, + [System.Management.Automation.SwitchParameter] + $IsEnabled, [Parameter()] [PSObject] $HttpPipelineAppend ) } -function 
Get-MgBetaPolicyAuthenticationMethodPolicy +#endregion +#region Microsoft.Graph.Beta.Identity.SignIns +function Get-MgBetaIdentityConditionalAccess { [CmdletBinding()] param( @@ -33960,7 +34658,7 @@ function Get-MgBetaPolicyAuthenticationMethodPolicy $Break ) } -function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration +function Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference { [CmdletBinding()] param( @@ -34004,10 +34702,6 @@ function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfigura [System.String[]] $Sort, - [Parameter()] - [System.String] - $AuthenticationMethodConfigurationId, - [Parameter()] [System.Management.Automation.SwitchParameter] $All, @@ -34024,6 +34718,10 @@ function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfigura [System.String] $Search, + [Parameter()] + [System.String] + $AuthenticationContextClassReferenceId, + [Parameter()] [System.Management.Automation.SwitchParameter] $Break, @@ -34037,10 +34735,14 @@ function Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfigura $HttpPipelineAppend ) } -function Get-MgBetaPolicyAuthenticationStrengthPolicy +function Get-MgBetaIdentityConditionalAccessNamedLocation { [CmdletBinding()] param( + [Parameter()] + [System.String] + $NamedLocationId, + [Parameter()] [System.String[]] $Property, @@ -34061,10 +34763,6 @@ function Get-MgBetaPolicyAuthenticationStrengthPolicy [PSObject] $HttpPipelinePrepend, - [Parameter()] - [System.String] - $AuthenticationStrengthPolicyId, - [Parameter()] [System.Int32] $Skip, @@ -34114,7 +34812,7 @@ function Get-MgBetaPolicyAuthenticationStrengthPolicy $HttpPipelineAppend ) } -function Get-MgBetaPolicyAuthorizationPolicy +function Get-MgBetaIdentityConditionalAccessPolicy { [CmdletBinding()] param( 
@@ -34126,10 +34824,432 @@ function Get-MgBetaPolicyAuthorizationPolicy [PSObject] $InputObject, - [Parameter()] - [System.String] - $AuthorizationPolicyId, - + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String] + $ConditionalAccessPolicyId, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaIdentityProvider +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $IdentityProviderBaseId, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + 
[System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaOauth2PermissionGrant +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $OAuth2PermissionGrantId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaPolicyAuthenticationMethodPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $HttpPipelineAppend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break + ) +} +function 
Get-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.String] + $AuthenticationMethodConfigurationId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaPolicyAuthenticationStrengthPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.String] + $AuthenticationStrengthPolicyId, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaPolicyAuthorizationPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $AuthorizationPolicyId, + [Parameter()] [System.Management.Automation.SwitchParameter] $ProxyUseDefaultCredentials, @@ -90318,7 +91438,7 @@ function Update-MgBetaDeviceAppManagementPolicySetAssignment #endregion #region MgBetaDeviceAppManagementMobileApp -function Get-MgBetaDeviceAppManagementMobileApp +function Get-MgBetaDeviceAppManagementMobileApp # TODOK { [CmdletBinding()] param @@ -90405,7 +91525,7 @@ function Get-MgBetaDeviceAppManagementMobileApp ) } -function New-MgBetaDeviceAppManagementMobileApp +function New-MgBetaDeviceAppManagementMobileApp # TODOK { [CmdletBinding()] param @@ -90544,7 +91664,7 @@ function New-MgBetaDeviceAppManagementMobileApp ) } -function Remove-MgBetaDeviceAppManagementMobileApp +function Remove-MgBetaDeviceAppManagementMobileApp # TODOK { [CmdletBinding()] param 
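Review bot: The bare `# TODOK` marker appended to `function Get-MgBetaDeviceAppManagementMobileApp # TODOK` is committed without saying what is still to be done, and the same marker is added to the `New-` and `Remove-` hunks on this line and the `Update-MgBetaDeviceAppManagementMobileApp` hunk on the next one. A TODO that names neither the task nor an owner cannot be acted on or grepped for later, and it leaves a reader unsure whether these four stubs are trusted by the unit tests. If the intent is that the parameter sets still need checking against the SDK, say so, e.g. `# TODO(<owner>): verify parameter set against the Graph Beta cmdlet`; if the check is already done, drop the marker so these stubs read like their neighbours.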
@@ -90591,74 +91711,15 @@ function Remove-MgBetaDeviceAppManagementMobileApp [Parameter()] [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials - ) -} - -function Set-MgBetaDeviceAppManagementMobileApp -{ - [CmdletBinding()] - param - ( - [Parameter()] - [System.String] - $MobileAppId, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [PSObject] - $BodyParameter, - - [Parameter()] - [System.String] - $ResponseHeadersVariable, - - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, - - [Parameter()] - [PSObject[]] - $MobileAppAssignments, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.Collections.IDictionary] - $Headers, - - [Parameter()] - [PSObject[]] - $HttpPipelineAppend, - - [Parameter()] - [PSObject[]] - $HttpPipelinePrepend, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, + $ProxyUseDefaultCredentials, [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials + [System.Boolean] + $Confirm ) } -function Update-MgBetaDeviceAppManagementMobileApp +function Update-MgBetaDeviceAppManagementMobileApp # TODOK { [CmdletBinding()] param 
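Review bot: The `$Confirm` parameter added to `Remove-MgBetaDeviceAppManagementMobileApp` is typed `[System.Boolean]`, while every other stub in this file declares it as `[System.Management.Automation.SwitchParameter]` (see `New-MgBetaDeviceAppManagementMobileAppConfiguration` in the next hunk). A boolean parameter does not bind when a caller passes `-Confirm` with no argument, so a resource that calls the real cmdlet that way would raise a binding error only under the stubbed unit tests, which is the opposite of what a stub is for (`-Confirm:$false` happens to bind against both). Change the two lines to `[System.Management.Automation.SwitchParameter]` / `$Confirm` to match the rest of the file.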
@@ -92983,244 +94044,272 @@ function Get-MgBetaDeviceAppManagementMobileAppConfiguration ) } -function New-MgBetaDeviceAppManagementMobileAppConfiguration -{ - [CmdletBinding()] - param - ( - [Parameter()] - [PSObject] - $BodyParameter, - - [Parameter()] - [System.String] - $ResponseHeadersVariable, - - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, - - [Parameter()] - [PSObject[]] - $Assignments, - - [Parameter()] - [System.DateTime] - $CreatedDateTime, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [PSObject] - $DeviceStatusSummary, - - [Parameter()] - [PSObject[]] - $DeviceStatuses, - - [Parameter()] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Id, - - [Parameter()] - [System.DateTime] - $LastModifiedDateTime, - - [Parameter()] - [System.String[]] - $RoleScopeTagIds, - - [Parameter()] - [System.String[]] - $TargetedMobileApps, - - [Parameter()] - [PSObject] - $UserStatusSummary, - - [Parameter()] - [PSObject[]] - $UserStatuses, - - [Parameter()] - [System.Int32] - $Version, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.Collections.IDictionary] - $Headers, - - [Parameter()] - [PSObject[]] - $HttpPipelineAppend, - - [Parameter()] - [PSObject[]] - $HttpPipelinePrepend, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm - ) -} - -function Remove-MgBetaDeviceAppManagementMobileAppConfiguration +function Get-MgBetaDeviceAppManagementMobileAppAssignment { [CmdletBinding()] - param - ( - [Parameter()] - [System.String] - $ManagedDeviceMobileAppConfigurationId, - - [Parameter()] - [PSObject] - $InputObject, - + param( [Parameter()] [System.String] - $ResponseHeadersVariable, - - 
[Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.Collections.IDictionary] - $Headers, - - [Parameter()] - [PSObject[]] - $HttpPipelineAppend, - - [Parameter()] - [PSObject[]] - $HttpPipelinePrepend, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm + $MobileAppId ) } -function Set-MgBetaDeviceAppManagementMobileAppConfiguration +function Update-MgBetaDeviceAppManagementMobileAppAssignment { [CmdletBinding()] - param - ( + param( [Parameter()] [System.String] - $ManagedDeviceMobileAppConfigurationId, - - [Parameter()] - [PSObject] - $InputObject, + $MobileAppId, [Parameter()] - [PSObject] - $BodyParameter, + [System.Object] + $Target, [Parameter()] [System.String] - $ResponseHeadersVariable, - - [Parameter()] - [System.Collections.Hashtable] - $AdditionalProperties, - - [Parameter()] - [PSObject[]] - $Assignments, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.Collections.IDictionary] - $Headers, - - [Parameter()] - [PSObject[]] - $HttpPipelineAppend, - - [Parameter()] - [PSObject[]] - $HttpPipelinePrepend, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $PassThru, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Confirm + $Repository ) } -function Update-MgBetaDeviceAppManagementMobileAppConfiguration +function New-MgBetaDeviceAppManagementMobileAppConfiguration { 
[CmdletBinding()] param ( - [Parameter()] - [System.String] - $ManagedDeviceMobileAppConfigurationId, - - [Parameter()] - [PSObject] - $InputObject, - + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.DateTime] + $CreatedDateTime, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [PSObject] + $DeviceStatusSummary, + + [Parameter()] + [PSObject[]] + $DeviceStatuses, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.DateTime] + $LastModifiedDateTime, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String[]] + $TargetedMobileApps, + + [Parameter()] + [PSObject] + $UserStatusSummary, + + [Parameter()] + [PSObject[]] + $UserStatuses, + + [Parameter()] + [System.Int32] + $Version, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaDeviceAppManagementMobileAppConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ManagedDeviceMobileAppConfigurationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + 
[System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Set-MgBetaDeviceAppManagementMobileAppConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ManagedDeviceMobileAppConfigurationId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaDeviceAppManagementMobileAppConfiguration +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ManagedDeviceMobileAppConfigurationId, + + [Parameter()] + [PSObject] + $InputObject, + [Parameter()] [PSObject] $BodyParameter, 
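Review bot: The new `Get-MgBetaDeviceAppManagementMobileAppAssignment` stub declares only `$MobileAppId`, and `Update-MgBetaDeviceAppManagementMobileAppAssignment` only `$MobileAppId`, `$Target` and `$Repository`, whereas the other stubs in this hunk carry the full set of `-InputObject`, `-Headers`, `-HttpPipelineAppend`/`-HttpPipelinePrepend`, `-Proxy*` and `-Confirm` parameters. Any of those parameters passed by a resource will fail to bind against the stub, so the unit tests would break on a call that the real cmdlet accepts; `[System.String] $Repository` also looks unrelated to a mobile-app assignment and is worth confirming against the SDK. These two stubs are also written as `param(` on one line while the surrounding ones use `param` / `(` on separate lines, so either align them with the generator's layout or, if they were hand-written, comment that above the function, e.g. `# Hand-maintained stub: parameter set trimmed to what the resource uses`.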
@@ -93833,109 +94922,129 @@ function Update-MgBetaDeviceManagementWindowsQualityUpdateProfile #endregion -#region MgBetaDeviceManagementWindowsQualityUpdateProfileAssignment -function Get-MgBetaDeviceManagementWindowsQualityUpdateProfileAssignment +function Update-MgBetaIdentityGovernanceLifecycleWorkflowSetting { [CmdletBinding()] - param - ( - [Parameter()] - [System.String] - $WindowsQualityUpdateProfileAssignmentId, - - [Parameter()] - [System.String] - $WindowsQualityUpdateProfileId, - - [Parameter()] - [PSObject] - $InputObject, - - [Parameter()] - [System.String[]] - $ExpandProperty, - - [Parameter()] - [System.String[]] - $Property, - - [Parameter()] - [System.String] - $Filter, - - [Parameter()] - [System.String] - $Search, - - [Parameter()] - [System.Int32] - $Skip, - - [Parameter()] - [System.String[]] - $Sort, - - [Parameter()] - [System.Int32] - $Top, - - [Parameter()] - [System.String] - $ResponseHeadersVariable, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $Break, - - [Parameter()] - [System.Collections.IDictionary] - $Headers, - - [Parameter()] - [PSObject[]] - $HttpPipelineAppend, - - [Parameter()] - [PSObject[]] - $HttpPipelinePrepend, - - [Parameter()] - [System.Uri] - $Proxy, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ProxyCredential, - - [Parameter()] - [System.Management.Automation.SwitchParameter] - $ProxyUseDefaultCredentials, - - [Parameter()] - [System.Int32] - $PageSize, - + param( [Parameter()] - [System.Management.Automation.SwitchParameter] - $All, + [System.Object] + $EmailSettings, [Parameter()] - [System.String] - $CountVariable + [System.UInt32] + $WorkflowScheduleIntervalInHours ) } -#endregion +function Get-MgBetaIdentityGovernanceLifecycleWorkflowSetting +{ + [CmdletBinding()] + param() +} -#region MgBetaPolicyFeatureRolloutPolicy -function Get-MgBetaPolicyFeatureRolloutPolicy +#region MgBetaDeviceManagementWindowsQualityUpdateProfileAssignment +function 
Get-MgBetaDeviceManagementWindowsQualityUpdateProfileAssignment { [CmdletBinding()] param ( [Parameter()] [System.String] - $FeatureRolloutPolicyId, + $WindowsQualityUpdateProfileAssignmentId, + + [Parameter()] + [System.String] + $WindowsQualityUpdateProfileId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +#endregion + +#region MgBetaPolicyFeatureRolloutPolicy +function Get-MgBetaPolicyFeatureRolloutPolicy +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $FeatureRolloutPolicyId, [Parameter()] [PSObject] 
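Review bot: `Update-MgBetaIdentityGovernanceLifecycleWorkflowSetting` and `Get-MgBetaIdentityGovernanceLifecycleWorkflowSetting` are inserted between the previous `#endregion` and the new `#region MgBetaDeviceManagementWindowsQualityUpdateProfileAssignment`, so they are the only stubs in this area that sit outside a region; wrap them in `#region MgBetaIdentityGovernanceLifecycleWorkflowSetting` … `#endregion` so the file's structure stays navigable. The `Get-` stub has an empty `param()`, so any Graph-specific argument a resource passes (`-Headers`, `-Property`, `-ExpandProperty`, which the neighbouring `Get-` stubs all declare) fails to bind only under the unit tests. `$WorkflowScheduleIntervalInHours` is typed `[System.UInt32]` while the rest of the file uses `[System.Int32]` for numeric parameters; confirm the SDK's declared type before keeping the unsigned variant.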
@@ -94722,3 +95831,1271 @@ function Update-MgBetaExternalConnection ) } #endregion +#region MgBetaOnPremisePublishingProfileConnectorGroup +function Get-MgBetaOnPremisePublishingProfileConnectorGroup +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ConnectorGroupId, + + [Parameter()] + [System.String] + $OnPremisesPublishingProfileId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaOnPremisePublishingProfileConnectorGroup +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $OnPremisesPublishingProfileId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Applications, + + [Parameter()] + [System.String] + $ConnectorGroupType, + + [Parameter()] 
+ [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsDefault, + + [Parameter()] + [PSObject[]] + $Members, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Region, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaOnPremisePublishingProfileConnectorGroup +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ConnectorGroupId, + + [Parameter()] + [System.String] + $OnPremisesPublishingProfileId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaOnPremisePublishingProfileConnectorGroup +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $ConnectorGroupId, + + [Parameter()] + [System.String] + 
$OnPremisesPublishingProfileId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Applications, + + [Parameter()] + [System.String] + $ConnectorGroupType, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsDefault, + + [Parameter()] + [PSObject[]] + $Members, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.String] + $Region, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +function New-MgBetaDomain +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $SharedEmailDomainInvitations, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $DomainNameReferences, + + [Parameter()] + [PSObject] + $ServiceConfigurationRecords, + + [Parameter()] + [System.String[]] + $SupportedServices, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsInitial, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + 
[PSObject] + $State, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsVerified, + + [Parameter()] + [System.Int32] + $PasswordNotificationWindowInDays, + + [Parameter()] + [PSObject] + $FederationConfiguration, + + [Parameter()] + [System.Int32] + $PasswordValidityPeriodInDays, + + [Parameter()] + [System.String] + $AvailabilityStatus, + + [Parameter()] + [PSObject] + $RootDomain, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject] + $VerificationDnsRecords, + + [Parameter()] + [System.String] + $AuthenticationType, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsRoot, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsAdminManaged, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsDefault, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-MgBetaDomain +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String] + $DomainId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Update-MgBetaDomain +{ + [CmdletBinding()] + param( + [Parameter()] + [PSObject] + $SharedEmailDomainInvitations, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $DomainNameReferences, + + [Parameter()] + [PSObject] + $ServiceConfigurationRecords, + + [Parameter()] + [System.String[]] + $SupportedServices, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsInitial, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $State, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsVerified, + + [Parameter()] + [System.Int32] + $PasswordNotificationWindowInDays, + + [Parameter()] + [PSObject] + $FederationConfiguration, + + [Parameter()] + [System.Int32] + $PasswordValidityPeriodInDays, + + [Parameter()] + [System.String] + $AvailabilityStatus, + + [Parameter()] + [PSObject] + $RootDomain, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $DomainId, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [PSObject] + $VerificationDnsRecords, + + [Parameter()] + [System.String] + $AuthenticationType, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $IsRoot, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsAdminManaged, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsDefault, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Invoke-MgBetaForceDomainDelete +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $DisableUserAccounts, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $DomainId, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function Get-ATPBuiltInProtectionRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $State + ) +} +function Set-ATPBuiltInProtectionRule +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Comments, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object[]] + 
$ExceptIfRecipientDomainIs, + + [Parameter()] + [System.Object[]] + $ExceptIfSentTo, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object[]] + $ExceptIfSentToMemberOf + ) +} + +function Update-MgBetaDirectoryCustomSecurityAttributeDefinition +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $AllowedValues, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $UsePreDefinedValuesOnly, + + [Parameter()] + [System.String] + $AttributeSet, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsSearchable, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Status, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsCollection, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $CustomSecurityAttributeDefinitionId, + + [Parameter()] + [System.String] + $Type, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} +function New-MgBetaDirectoryCustomSecurityAttributeDefinition +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $Name, + + 
[Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [PSObject] + $AllowedValues, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $UsePreDefinedValuesOnly, + + [Parameter()] + [System.String] + $AttributeSet, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsSearchable, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $Status, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.String] + $Type, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsCollection, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function Get-MgBetaDirectoryCustomSecurityAttributeDefinition +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [PSObject] + $HttpPipelinePrepend, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $CountVariable, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $Filter, + + 
[Parameter()] + [System.String] + $CustomSecurityAttributeDefinitionId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject] + $HttpPipelineAppend + ) +} + +function Get-AdminDlpPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.Object] + $ApiVersion, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $CreatedBy + ) +} +function New-AdminDlpPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $ApiVersion, + + [Parameter()] + [System.Boolean] + $BlockNonBusinessDataGroup, + + [Parameter()] + [System.String] + $EnvironmentName, + + [Parameter()] + [System.String] + $SchemaVersion + ) +} +function Set-AdminDlpPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $SchemaVersion, + + [Parameter()] + [System.String] + $FilterType, + + [Parameter()] + [System.String] + $EnvironmentName, + + [Parameter()] + [System.String] + $SetNonBusinessDataGroupState, + + [Parameter()] + [System.String] + $DefaultGroup, + + [Parameter()] + [System.String] + $ApiVersion, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String] + $Environments + ) +} + +function Remove-AdminDlpPolicy +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $ApiVersion, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String] + $EnvironmentName + ) +} + +function New-PowerAppPolicyUrlPatterns +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $TenantId, + + 
[Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.Object] + $NewUrlPatterns, + + [Parameter()] + [System.String] + $ApiVersion + ) +} +function Remove-PowerAppPolicyUrlPatterns +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String] + $ApiVersion + ) +} +function Get-PowerAppPolicyUrlPatterns +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String] + $ApiVersion + ) +} +function Get-TenantDetailsFromGraph +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $GraphApiVersion + ) +} +function Remove-PowerAppDlpPolicyConnectorConfigurations +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String] + $ApiVersion + ) +} +function New-PowerAppDlpPolicyConnectorConfigurations +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String] + $ApiVersion, + + [Parameter()] + [System.Object] + $NewDlpPolicyConnectorConfigurations + ) +} +function Get-PowerAppDlpPolicyConnectorConfigurations +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $PolicyName, + + [Parameter()] + [System.String] + $ApiVersion + ) +} diff --git a/docs/docs/resources/azure-ad/AADAdminConsentRequestPolicy.md b/docs/docs/resources/azure-ad/AADAdminConsentRequestPolicy.md new file mode 100644 index 0000000000..c87b4f13da --- /dev/null +++ b/docs/docs/resources/azure-ad/AADAdminConsentRequestPolicy.md 
@@ -0,0 +1,119 @@ +# AADAdminConsentRequestPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **IsEnabled** | Write | Boolean | Determines if the policy is enabled or not. | | +| **NotifyReviewers** | Write | Boolean | Specifies whether reviewers will receive notifications. | | +| **RemindersEnabled** | Write | Boolean | Specifies whether reviewers will receive reminder emails. | | +| **RequestDurationInDays** | Write | UInt32 | Specifies the duration the request is active before it automatically expires if no decision is applied. | | +| **Reviewers** | Write | MSFT_AADAdminConsentRequestPolicyReviewer[] | The list of reviewers for the admin consent. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_AADAdminConsentRequestPolicyReviewer + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **ReviewerType** | Write | String | Type of reviewwer. Can be User, Group or Role | | +| **ReviewerId** | Write | String | Identifier for the reviewer instance. | | +| **QueryRoot** | Write | String | Associated query. | | + + +## Description + +Configures the Admin Consent Request Policy in Entra Id. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - Policy.Read.All + +- **Update** + + - Policy.ReadWrite.ConsentRequest + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADAdminConsentRequestPolicy "AADAdminConsentRequestPolicy" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsEnabled = $True; + IsSingleInstance = "Yes"; + NotifyReviewers = $False; + RemindersEnabled = $True; + RequestDurationInDays = 30; + Reviewers = @( + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'User' + ReviewerId = "AlexW@$TenantId" + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Group' + ReviewerId = 'Communications' + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Role' + ReviewerId = 'Attack Payload Author' + } + MSFT_AADAdminConsentRequestPolicyReviewer { + ReviewerType = 'Role' + ReviewerId = 'Attack Simulation Administrator' + } + ); + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADApplication.md b/docs/docs/resources/azure-ad/AADApplication.md index 3ad2464b54..8b9cf78dde 100644 --- a/docs/docs/resources/azure-ad/AADApplication.md +++ b/docs/docs/resources/azure-ad/AADApplication.md 
@@ -24,6 +24,8 @@
 | **PublicClient** | Write | Boolean | Specifies whether this application is a public client (such as an installed application running on a mobile device). Default is false. | |
 | **ReplyURLs** | Write | StringArray[] | Specifies the URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to. | |
 | **Owners** | Write | StringArray[] | UPN or ObjectID values of the app's owners. | |
+| **OnPremisesPublishing** | Write | MSFT_AADApplicationOnPremisesPublishing | Represents the set of properties required for configuring Application Proxy for this application. Configuring these properties allows you to publish your on-premises application for secure remote access. | |
+| **ApplicationTemplateId** | Write | String | Identifier of the associated Application Template. | |
 | **Ensure** | Write | String | Specify if the Azure AD App should exist or not. | `Present`, `Absent` | |
 | **Credential** | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
@@ -34,6 +36,68 @@ | **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | | **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | +### MSFT_AADApplicationOnPremisesPublishingSegmentCORS + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **allowedHeaders** | Write | StringArray[] | The request headers that the origin domain may specify on the CORS request. The wildcard character * indicates that any header beginning with the specified prefix is allowed. | | +| **maxAgeInSeconds** | Write | UInt32 | The maximum amount of time that a browser should cache the response to the preflight OPTIONS request. | | +| **resource** | Write | String | Resource within the application segment for which CORS permissions are granted. / grants permission for whole app segment. | | +| **allowedMethods** | Write | StringArray[] | The HTTP request methods that the origin domain may use for a CORS request. | | +| **allowedOrigins** | Write | StringArray[] | The origin domains that are permitted to make a request against the service via CORS. The origin domain is the domain from which the request originates. The origin must be an exact case-sensitive match with the origin that the user age sends to the service. | | + +### MSFT_AADApplicationOnPremisesPublishingSegment + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **alternateUrl** | Write | String | If you're configuring a traffic manager in front of multiple App Proxy application segments, contains the user-friendly URL that will point to the traffic manager. | | +| **corsConfigurations** | Write | MSFT_AADApplicationOnPremisesPublishingSegmentCORS[] | CORS Rule definition for a particular application segment. 
| | +| **externalUrl** | Write | String | The published external URL for the application segment; for example, https://intranet.contoso.com./ | | +| **internalUrl** | Write | String | The internal URL of the application segment; for example, https://intranet/. | | + +### MSFT_AADApplicationOnPremisesPublishingSingleSignOnSettingKerberos + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **kerberosServicePrincipalName** | Write | String | The Internal Application SPN of the application server. This SPN needs to be in the list of services to which the connector can present delegated credentials. | | +| **kerberosSignOnMappingAttributeType** | Write | String | The Delegated Login Identity for the connector to use on behalf of your users. For more information, see Working with different on-premises and cloud identities . Possible values are: userPrincipalName, onPremisesUserPrincipalName, userPrincipalUsername, onPremisesUserPrincipalUsername, onPremisesSAMAccountName. | | + +### MSFT_AADApplicationOnPremisesPublishingSingleSignOnSetting + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **singleSignOnMode** | Write | String | The preferred single-sign on mode for the application. Possible values are: none, onPremisesKerberos, aadHeaderBased,pingHeaderBased, oAuthToken. | | +| **kerberosSignOnSettings** | Write | MSFT_AADApplicationOnPremisesPublishingSingleSignOnSettingKerberos | The Kerberos Constrained Delegation settings for applications that use Integrated Window Authentication. 
| | + +### MSFT_AADApplicationOnPremisesPublishing + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **alternateUrl** | Write | String | If you're configuring a traffic manager in front of multiple App Proxy applications, the alternateUrl is the user-friendly URL that points to the traffic manager. | | +| **applicationServerTimeout** | Write | String | The duration the connector waits for a response from the backend application before closing the connection. Possible values are default, long. | | +| **externalAuthenticationType** | Write | String | Details the pre-authentication setting for the application. Pre-authentication enforces that users must authenticate before accessing the app. Pass through doesn't require authentication. Possible values are: passthru, aadPreAuthentication. | | +| **externalUrl** | Write | String | The published external url for the application. For example, https://intranet-contoso.msappproxy.net/. | | +| **internalUrl** | Write | String | The internal url of the application. For example, https://intranet/. | | +| **isBackendCertificateValidationEnabled** | Write | Boolean | Indicates whether backend SSL certificate validation is enabled for the application. For all new Application Proxy apps, the property is set to true by default. For all existing apps, the property is set to false. | | +| **isHttpOnlyCookieEnabled** | Write | Boolean | Indicates if the HTTPOnly cookie flag should be set in the HTTP response headers. Set this value to true to have Application Proxy cookies include the HTTPOnly flag in the HTTP response headers. If using Remote Desktop Services, set this value to False. Default value is false. | | +| **isPersistentCookieEnabled** | Write | Boolean | Indicates if the Persistent cookie flag should be set in the HTTP response headers. Keep this value set to false. Only use this setting for applications that can't share cookies between processes. 
For more information about cookie settings, see Cookie settings for accessing on-premises applications in Microsoft Entra ID. Default value is false. | | +| **isSecureCookieEnabled** | Write | Boolean | Indicates if the Secure cookie flag should be set in the HTTP response headers. Set this value to true to transmit cookies over a secure channel such as an encrypted HTTPS request. Default value is true. | | +| **isStateSessionEnabled** | Write | Boolean | Indicates whether validation of the state parameter when the client uses the OAuth 2.0 authorization code grant flow is enabled. This setting allows admins to specify whether they want to enable CSRF protection for their apps. | | +| **isTranslateHostHeaderEnabled** | Write | Boolean | Indicates if the application should translate urls in the response headers. Keep this value as true unless your application required the original host header in the authentication request. Default value is true. | | +| **isTranslateLinksInBodyEnabled** | Write | Boolean | Indicates if the application should translate urls in the application body. Keep this value as false unless you have hardcoded HTML links to other on-premises applications and don't use custom domains. For more information, see Link translation with Application Proxy. Default value is false. | | +| **onPremisesApplicationSegments** | Write | MSFT_AADApplicationOnPremisesPublishingSegment[] | Represents the collection of application segments for an on-premises wildcard application that's published through Microsoft Entra application proxy. | | +| **singleSignOnSettings** | Write | MSFT_AADApplicationOnPremisesPublishingSingleSignOnSetting | Represents the single sign-on configuration for the on-premises application. | | + ### MSFT_AADApplicationPermission #### Parameters diff --git a/docs/docs/resources/azure-ad/AADAuthenticationRequirement.md b/docs/docs/resources/azure-ad/AADAuthenticationRequirement.md new file mode 100644 index 0000000000..92c8880213 
--- /dev/null
+++ b/docs/docs/resources/azure-ad/AADAuthenticationRequirement.md
@@ -0,0 +1,86 @@ +# AADAuthenticationRequirement + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **PerUserMfaState** | Write | String | The state of the MFA enablement for the user. Possible values are: enabled, disabled. | `enabled`, `disabled` | +| **UserPrincipalName** | Key | String | The unique identifier for an entity. Read-only. | | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Azure AD Authentication Requirement Resource to set up Per-User MFA settings + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - UserAuthenticationMethod.Read.All + +- **Update** + + - UserAuthenticationMethod.ReadWrite.All + +#### Application permissions + +- **Read** + + - UserAuthenticationMethod.Read.All + +- **Update** + + - UserAuthenticationMethod.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + Node localhost + { + AADAuthenticationRequirement "AADAuthenticationRequirement-TestMailbox109@xtasdftestorg.onmicrosoft.com" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + PerUserMfaState = "disabled"; + UserPrincipalName = "TestMailbox109@$OrganizationName"; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADConnectorGroupApplicationProxy.md b/docs/docs/resources/azure-ad/AADConnectorGroupApplicationProxy.md new file mode 100644 index 0000000000..fb2b20f1ad --- /dev/null +++ b/docs/docs/resources/azure-ad/AADConnectorGroupApplicationProxy.md 
@@ -0,0 +1,166 @@ +# AADConnectorGroupApplicationProxy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | The name associated with the connectorGroup. | | +| **Region** | Write | String | The region the connectorGroup is assigned to and will optimize traffic for. This region can only be set if no connectors or applications are assigned to the connectorGroup. The possible values are: nam (for North America), eur (for Europe), aus (for Australia), asia (for Asia), ind (for India), and unknownFutureValue. | `nam`, `eur`, `aus`, `asia`, `ind`, `unknownFutureValue` | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + + +## Description + +Azure AD Connector Group Application Proxy + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Directory.Read.All + +- **Update** + + - Directory.ReadWrite.All + +#### Application permissions + +- **Read** + + - Directory.Read.All + +- **Update** + + - Directory.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADConnectorGroupApplicationProxy "AADConnectorGroupApplicationProxy-testgroup" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + Name = "testgroup"; + Region = "nam"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADConnectorGroupApplicationProxy "AADConnectorGroupApplicationProxy-testgroup" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + Name = "testgroup-new"; + Region = "nam"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADConnectorGroupApplicationProxy "AADConnectorGroupApplicationProxy-testgroup" + { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + Name = "testgroup-new"; + Id = "4984dcf7-d9e9-4663-90b4-5db09f92a669"; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md new file mode 100644 index 0000000000..0c447db556 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADCustomSecurityAttributeDefinition.md 
@@ -0,0 +1,185 @@ +# AADCustomSecurityAttributeDefinition + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | Name of the custom security attribute. Must be unique within an attribute set. Can be up to 32 characters long and include Unicode characters. Can't contain spaces or special characters. Can't be changed later. Case sensitive. | | +| **AttributeSet** | Key | String | Name of the attribute set. Case sensitive. | | +| **Id** | Write | String | Unique identifier of the Attribute Definition. | | +| **Description** | Write | String | Description of the custom security attribute. Can be up to 128 characters long and include Unicode characters. Can't contain spaces or special characters. Can be changed later. | | +| **IsCollection** | Write | Boolean | Indicates whether multiple values can be assigned to the custom security attribute. Can't be changed later. If type is set to Boolean, isCollection can't be set to true. | | +| **IsSearchable** | Write | Boolean | Indicates whether custom security attribute values are indexed for searching on objects that are assigned attribute values. Can't be changed later. | | +| **Status** | Write | String | Specifies whether the custom security attribute is active or deactivated. Acceptable values are Available and Deprecated. Can be changed later. | | +| **Type** | Write | String | Data type for the custom security attribute values. Supported types are: Boolean, Integer, and String. Can't be changed later. | | +| **UsePreDefinedValuesOnly** | Write | Boolean | Indicates whether only predefined values can be assigned to the custom security attribute. If set to false, free-form values are allowed. Can later be changed from true to false, but can't be changed from false to true. If type is set to Boolean, usePreDefinedValuesOnly can't be set to true. 
| | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures custom security attribute definitions in Entra Id. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - CustomSecAttributeDefinition.Read.All + +- **Update** + + - CustomSecAttributeDefinition.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomSecurityAttributeDefinition "AADCustomSecurityAttributeDefinition-ShoeSize" + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomSecurityAttributeDefinition "AADCustomSecurityAttributeDefinition-ShoeSize" + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing? Drifted" # Drift + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADCustomSecurityAttributeDefinition "AADCustomSecurityAttributeDefinition-ShoeSize" + { + ApplicationId = $ApplicationId; + AttributeSet = "TestAttributeSet"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + IsCollection = $False; + IsSearchable = $True; + Name = "ShoeSize"; + Status = "Available"; + TenantId = $TenantId; + Type = "String"; + UsePreDefinedValuesOnly = $False; + Description = "What size of shoe is the person wearing?" + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADDeviceRegistrationPolicy.md b/docs/docs/resources/azure-ad/AADDeviceRegistrationPolicy.md new file mode 100644 index 0000000000..9d62cc0431 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADDeviceRegistrationPolicy.md 
@@ -0,0 +1,105 @@ +# AADDeviceRegistrationPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **AzureADJoinIsAdminConfigurable** | Write | Boolean | Determines whether or not administrators can configure Azure AD Join. | | +| **UserDeviceQuota** | Write | UInt32 | Specifies the maximum number of devices that a user can have within your organization before blocking new device registrations. The default value is set to 50. If this property isn't specified during the policy update operation, it's automatically reset to 0 to indicate that users aren't allowed to join any devices. | | +| **AzureADAllowedToJoin** | Write | String | Scope that a device registration policy applies to. | `All`, `Selected`, `None` | +| **AzureADAllowedToJoinUsers** | Write | StringArray[] | List of users that this policy applies to. | | +| **AzureADAllowedToJoinGroups** | Write | StringArray[] | List of groups that this policy applies to. | | +| **MultiFactorAuthConfiguration** | Write | Boolean | Specifies the authentication policy for a user to complete registration using Microsoft Entra join or Microsoft Entra registered within your organization. | | +| **LocalAdminsEnableGlobalAdmins** | Write | Boolean | Indicates whether global administrators are local administrators on all Microsoft Entra-joined devices. This setting only applies to future registrations. Default is true. | | +| **AzureAdJoinLocalAdminsRegisteringMode** | Write | String | Scope that a device registration policy applies to for local admins. | `All`, `Selected`, `None` | +| **AzureAdJoinLocalAdminsRegisteringGroups** | Write | StringArray[] | List of groups that this policy applies to. | | +| **AzureAdJoinLocalAdminsRegisteringUsers** | Write | StringArray[] | List of users that this policy applies to. 
| | +| **LocalAdminPasswordIsEnabled** | Write | Boolean | Specifies whether this policy scope is configurable by the admin. The default value is false. An admin can set it to true to enable Local Admin Password Solution (LAPS) within their organzation. | | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Represents the policy scope that controls quota restrictions, additional authentication, and authorization policies to register device identities to your organization. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - Policy.Read.DeviceConfiguration + +- **Update** + + - Policy.ReadWrite.DeviceConfiguration + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + AADDeviceRegistrationPolicy "MyDeviceRegistrationPolicy" + { + ApplicationId = $ApplicationId; + AzureADAllowedToJoin = "Selected"; + AzureADAllowedToJoinGroups = @(); + AzureADAllowedToJoinUsers = @("AlexW@M365x73318397.OnMicrosoft.com"); + AzureAdJoinLocalAdminsRegisteringGroups = @(); + AzureAdJoinLocalAdminsRegisteringMode = "Selected"; + AzureAdJoinLocalAdminsRegisteringUsers = @("AllanD@M365x73318397.OnMicrosoft.com"); + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + LocalAdminPasswordIsEnabled = $False; + LocalAdminsEnableGlobalAdmins = $True; + MultiFactorAuthConfiguration = $False; + TenantId = $TenantId; + UserDeviceQuota = 50; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADDomain.md b/docs/docs/resources/azure-ad/AADDomain.md new file mode 100644 index 0000000000..01a98d0d24 --- /dev/null +++ b/docs/docs/resources/azure-ad/AADDomain.md 
@@ -0,0 +1,179 @@ +# AADDomain + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Id** | Key | String | Custom domain name. | | +| **AuthenticationType** | Write | String | Indicates the configured authentication type for the domain. The value is either Managed or Federated. Managed indicates a cloud managed domain where Microsoft Entra ID performs user authentication. Federated indicates authentication is federated with an identity provider such as the tenant's on-premises Active Directory via Active Directory Federation Services. | | +| **AvailabilityStatus** | Write | String | This property is always null except when the verify action is used. When the verify action is used, a domain entity is returned in the response. The availabilityStatus property of the domain entity in the response is either AvailableImmediately or EmailVerifiedDomainTakeoverScheduled. | | +| **IsAdminManaged** | Write | Boolean | The value of the property is false if the DNS record management of the domain is delegated to Microsoft 365. Otherwise, the value is true. Not nullable | | +| **IsDefault** | Write | Boolean | True if this is the default domain that is used for user creation. There's only one default domain per company. Not nullable. | | +| **IsRoot** | Write | Boolean | True if the domain is a verified root domain. Otherwise, false if the domain is a subdomain or unverified. Not nullable. | | +| **IsVerified** | Write | Boolean | True if the domain completed domain ownership verification. Not nullable. | | +| **PasswordNotificationWindowInDays** | Write | UInt32 | Specifies the number of days before a user receives notification that their password expires. If the property isn't set, a default value of 14 days is used. | | +| **PasswordValidityPeriodInDays** | Write | UInt32 | Specifies the length of time that a password is valid before it must be changed. 
If the property isn't set, a default value of 90 days is used. | | +| **SupportedServices** | Write | StringArray[] | The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures custom domain names in Entra Id. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - Domain.Read.All + +- **Update** + + - Domain.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADDomain "AADDomain-Contoso" + { + ApplicationId = $ApplicationId; + AuthenticationType = "Managed"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $True; + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADDomain "AADDomain-Contoso" + { + ApplicationId = $ApplicationId; + AuthenticationType = "Managed"; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + Id = "contoso.com"; + IsAdminManaged = $True; + IsDefault = $True; + IsRoot = $True; + IsVerified = $False; #Drift + PasswordNotificationWindowInDays = 14; + PasswordValidityPeriodInDays = 2147483647; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADDomain "AADDomain-Contoso" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + Id = "contoso.com"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md new file mode 100644 index 0000000000..14afcf7a7f --- /dev/null +++ b/docs/docs/resources/azure-ad/AADIdentityGovernanceLifecycleWorkflow.md 
@@ -0,0 +1,317 @@ +# AADIdentityGovernanceLifecycleWorkflow + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Specifies the Display Name of the Workflow | | +| **Description** | Write | String | Description of the Workflow | | +| **Category** | Write | String | Category of the Workflow | | +| **IsEnabled** | Write | Boolean | Indicates if the Workflow is enabled | | +| **IsSchedulingEnabled** | Write | Boolean | Indicates if scheduling is enabled for the Workflow | | +| **Tasks** | Write | MSFT_AADIdentityGovernanceTask[] | Tasks associated with this workflow | | +| **ExecutionConditions** | Write | MSFT_IdentityGovernanceWorkflowExecutionConditions | ExecutionConditions for this workflow | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_IdentityGovernanceScope + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **OdataType** | Write | String | The @odata.type for the Scope. | | +| **Rule** | Write | String | The rule associated with the Scope. 
| | + +### MSFT_IdentityGovernanceTrigger + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **OdataType** | Write | String | The @odata.type for the Trigger. | | +| **TimeBasedAttribute** | Write | String | The time-based attribute for the Trigger. | | +| **OffsetInDays** | Write | SInt32 | The offset in days for the Trigger. | | + +### MSFT_IdentityGovernanceWorkflowExecutionConditions + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **OdataType** | Write | String | The @odata.type for the Workflow Execution Conditions. | | +| **ScopeValue** | Write | MSFT_IdentityGovernanceScope | The scope for the Workflow Execution Conditions. | | +| **TriggerValue** | Write | MSFT_IdentityGovernanceTrigger | The trigger for the Workflow Execution Conditions. | | + +### MSFT_AADIdentityGovernanceTaskArguments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Name** | Key | String | The name of the key | | +| **Value** | Write | String | The value associated with the key | | + +### MSFT_AADIdentityGovernanceTask + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Write | String | Specifies the display name of the Workflow Task | | +| **Description** | Write | String | Description of the Workflow Task | | +| **Category** | Write | String | Category of the Workflow Task | | +| **IsEnabled** | Write | Boolean | Indicates if the Workflow Task is enabled or not | | +| **ExecutionSequence** | Write | SInt32 | The sequence in which the task is executed | | +| **ContinueOnError** | Write | Boolean | Specifies whether the task should continue on error | | +| **TaskDefinitionId** | Write | String | ID of the task definition associated with this Workflow Task | | +| 
**Arguments** | Write | MSFT_AADIdentityGovernanceTaskArguments[] | Arguments for the Workflow Task | | + + +## Description + +Use this resource to manage Lifecycle workflows. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - LifecycleWorkflows.Read.All + +- **Update** + + - LifecycleWorkflows.ReadWrite.All + +#### Application permissions + +- **Read** + + - LifecycleWorkflows.Read.All + +- **Update** + + - LifecycleWorkflows.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflow "AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version" + { + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Present"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + Rule = '(not (country eq ''Brazil''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add 
user to groups' + Description = 'Add user to selected groups' + Category = 'joiner,leaver,mover' + IsEnabled = $True + ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflow "AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version" + { + Category = "joiner"; + #updated description + Description = "Updated description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Present"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + #updated rule + Rule = '(not (country eq ''America''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add user to groups' + #updated description + Description = 'Add 
user to selected groups updated' + Category = 'joiner,leaver,mover' + IsEnabled = $True + ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADIdentityGovernanceLifecycleWorkflow "AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version" + { + Category = "joiner"; + Description = "Updated description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Absent"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + Rule = '(not (country eq ''America''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add user to groups' + Description = 'Add user to selected groups updated' + Category = 'joiner,leaver,mover' + IsEnabled = $True + 
ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADLifecycleWorkflowSettings.md b/docs/docs/resources/azure-ad/AADLifecycleWorkflowSettings.md new file mode 100644 index 0000000000..795e0ba97a --- /dev/null +++ b/docs/docs/resources/azure-ad/AADLifecycleWorkflowSettings.md 
@@ -0,0 +1,88 @@ +# AADLifecycleWorkflowSettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **SenderDomain** | Write | String | Specifies the domain that should be used when sending email notifications. This domain must be verified in order to be used. We recommend that you use a domain that has the appropriate DNS records to facilitate email validation, like SPF, DKIM, DMARC, and MX, because this then complies with the RFC compliance for sending and receiving email. For details, see Learn more about Exchange Online Email Routing. | | +| **WorkflowScheduleIntervalInHours** | Write | UInt32 | The interval in hours at which all workflows running in the tenant should be scheduled for execution. This interval has a minimum value of 1 and a maximum value of 24. The default value is 3 hours. | | +| **UseCompanyBranding** | Write | Boolean | Specifies if the organization's banner logo should be included in email notifications. The banner logo will replace the Microsoft logo at the top of the email notification. If true the banner logo will be taken from the tenant's branding settings. This value can only be set to true if the organizationalBranding bannerLogo property is set. | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + + +## Description + +Update the properties of a lifecycleManagementSettings object. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - LifecycleWorkflows.Read.All + +- **Update** + + - LifecycleWorkflows.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + AADLifecycleWorkflowSettings "AADLifecycleWorkflowSettings" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + IsSingleInstance = "Yes"; + SenderDomain = "microsoft.com"; + TenantId = $TenantId; + UseCompanyBranding = $True; + WorkflowScheduleIntervalInHours = 10; + } + } +} +``` + diff --git a/docs/docs/resources/azure-ad/AADServicePrincipal.md b/docs/docs/resources/azure-ad/AADServicePrincipal.md index 8e360204df..fc48241314 100644 --- a/docs/docs/resources/azure-ad/AADServicePrincipal.md +++ b/docs/docs/resources/azure-ad/AADServicePrincipal.md 
@@ -21,6 +21,7 @@ | **ServicePrincipalNames** | Write | StringArray[] | Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal. | | | **ServicePrincipalType** | Write | String | The type of the service principal. | | | **Tags** | Write | StringArray[] | Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp} | | +| **DelegatedPermissionClassifications** | Write | MSFT_AADServicePrincipalDelegatedPermissionClassification[] | The permission classifications for delegated permissions exposed by the app that this service principal represents. | | | **Ensure** | Write | String | Specify if the Azure AD App should exist or not. | `Present`, `Absent` | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | @@ -39,6 +40,15 @@ | **PrincipalType** | Write | String | Type of principal. Accepted values are User or Group | `Group`, `User` | | **Identity** | Write | String | Unique identity representing the principal. | | +### MSFT_AADServicePrincipalDelegatedPermissionClassification + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Classification** | Write | String | Classification of the delegated permission | `low`, `medium`, `high` | +| **PermissionName** | Write | String | Name of the permission | | + ## Description This resource configures an Azure Active Directory ServicePrincipal. 
diff --git a/docs/docs/resources/azure-ad/ADOPermissionGroupSettings.md b/docs/docs/resources/azure-ad/ADOPermissionGroupSettings.md new file mode 100644 index 0000000000..ed460c2a8b --- /dev/null +++ b/docs/docs/resources/azure-ad/ADOPermissionGroupSettings.md 
@@ -0,0 +1,98 @@ +# ADOPermissionGroupSettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **GroupName** | Key | String | Name of the group. | | +| **OrganizationName** | Write | String | Name of the DevOPS Organization. | | +| **Descriptor** | Write | String | Descriptor for the group. | | +| **AllowPermissions** | Write | MSFT_ADOPermission[] | Allow permissions. | | +| **DenyPermissions** | Write | MSFT_ADOPermission[] | Deny permissions | | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_ADOPermission + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **NamespaceId** | Write | String | Id of the associate security namespace. | | +| **DisplayName** | Write | String | Display name of the permission scope. | | +| **Bit** | Write | UInt32 | Bit mask for the permission | | +| **Token** | Write | String | Token value | | + + +## Description + +Manages permissions in Azure DevOPS. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [PSCredential] + $Credential + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + ADOPermissionGroupSettings "ADOPermissionGroupSettings-O365DSC-DEV" + { + AllowPermissions = @( + MSFT_ADOPermission { + NamespaceId = '5a27515b-ccd7-42c9-84f1-54c998f03866' + DisplayName = 'Edit identity information' + Bit = '2' + Token = 'f6492b10-7ae8-4641-8208-ff5c364a6154\dbe6034e-8fbe-4d6e-a7f3-07a7e70816c9' + } + ); + Credential = $Credential; + DenyPermissions = @(); + Descriptor = "vssgp.Uy0xLTktMTU1MTM3NDI0NS0yNzEyNzI0MzgtMzkwMDMyNjIxNC0yMTgxNjI3NzQwLTkxMDg0NDI0NC0xLTgyODcyNzAzNC0yOTkzNjA0MTcxLTI5MjUwMjk4ODgtNTY0MDg1OTcy"; + GroupName = "[O365DSC-DEV]\My Test Group"; + OrganizationName = "O365DSC-DEV"; + } + } +} +``` + diff --git a/docs/docs/resources/exchange/EXOATPBuiltInProtectionRule.md b/docs/docs/resources/exchange/EXOATPBuiltInProtectionRule.md new file mode 100644 index 0000000000..66e58b2ed8 --- /dev/null +++ b/docs/docs/resources/exchange/EXOATPBuiltInProtectionRule.md 
@@ -0,0 +1,88 @@ +# EXOATPBuiltInProtectionRule + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Identity** | Key | String | The Identity parameter specifies the rule that you want to modify. You can use any value that uniquely identifies the rule. | | +| **Comments** | Write | String | The Comments parameter specifies informative comments for the rule, such as what the rule is used for or how it has changed over time. The length of the comment can't exceed 1024 characters. | | +| **ExceptIfRecipientDomainIs** | Write | StringArray[] | The ExceptIfRecipientDomainIs parameter specifies an exception that looks for recipients with email addresses in the specified domains. You can specify multiple domains separated by commas. | | +| **ExceptIfSentTo** | Write | StringArray[] | The ExceptIfSentTo parameter specifies an exception that looks for recipients in messages. You can use any value that uniquely identifies the recipient. | | +| **ExceptIfSentToMemberOf** | Write | StringArray[] | The ExceptIfSentToMemberOf parameter specifies an exception that looks for messages sent to members of groups. You can use any value that uniquely identifies the group. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. 
| | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Configures Defender ATP built-in protection rules. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + EXOATPBuiltInProtectionRule "EXOATPBuiltInProtectionRule" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ExceptIfRecipientDomainIs = @("contoso.com","fabrikam.com"); + Identity = "ATP Built-In Protection Rule"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/exchange/EXOMailboxFolderPermission.md b/docs/docs/resources/exchange/EXOMailboxFolderPermission.md index e73479bb40..41176e7e58 100644 --- a/docs/docs/resources/exchange/EXOMailboxFolderPermission.md +++ b/docs/docs/resources/exchange/EXOMailboxFolderPermission.md 
@@ -75,10 +75,12 @@ Configuration Example { EXOMailboxFolderPermission "EXOMailboxFolderPermission-admin:\Calendar" { - Credential = $Credscredential; - Ensure = "Present"; - Identity = "amdin:\Calendar"; - UserPermissions = @(MSFT_EXOMailboxFolderUserPermission { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Identity = "amdin:\Calendar"; + UserPermissions = @(MSFT_EXOMailboxFolderUserPermission { User = 'Default' AccessRights = 'AvailabilityOnly' } @@ -123,10 +125,12 @@ Configuration Example { EXOMailboxFolderPermission "EXOMailboxFolderPermission-admin:\Calendar" { - Credential = $Credscredential; - Ensure = "Present"; - Identity = "admin:\Calendar"; - UserPermissions = @(MSFT_EXOMailboxFolderUserPermission { + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Identity = "admin:\Calendar"; + UserPermissions = @(MSFT_EXOMailboxFolderUserPermission { User = 'Default' AccessRights = 'AvailabilityOnly' } diff --git a/docs/docs/resources/exchange/EXOMailboxIRMAccess.md b/docs/docs/resources/exchange/EXOMailboxIRMAccess.md index d349b97793..280d5c2b7d 100644 --- a/docs/docs/resources/exchange/EXOMailboxIRMAccess.md +++ b/docs/docs/resources/exchange/EXOMailboxIRMAccess.md @@ -62,11 +62,13 @@ Configuration Example { EXOMailboxIRMAccess "EXOMailboxIRMAccess-qwe@testorg.onmicrosoft.com" { - AccessLevel = "Block"; - Credential = $Credscredential; - Ensure = "Present"; - Identity = "qwe@$OrganizationName"; - User = "admin@$OrganizationName"; + AccessLevel = "Block"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Present"; + Identity = "qwe@$OrganizationName"; + User = "admin@$OrganizationName"; } } } 
@@ -96,7 +98,16 @@ Configuration Example Import-DscResource -ModuleName Microsoft365DSC node localhost { - + EXOMailboxIRMAccess "EXOMailboxIRMAccess-qwe@testorg.onmicrosoft.com" + { + AccessLevel = "Block"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Ensure = "Absent"; + Identity = "qwe@$OrganizationName"; + User = "admin@$OrganizationName"; + } } } ``` diff --git a/docs/docs/resources/exchange/EXOManagementScope.md b/docs/docs/resources/exchange/EXOManagementScope.md index 873248793d..ab66d2b4c3 100644 --- a/docs/docs/resources/exchange/EXOManagementScope.md +++ b/docs/docs/resources/exchange/EXOManagementScope.md @@ -66,7 +66,9 @@ Configuration Example { EXOManagementScope "EXOManagementScope-Test New DGs" { - Credential = $Credscredential; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; Exclusive = $False; Identity = "Test New DGs"; @@ -103,7 +105,9 @@ Configuration Example { EXOManagementScope "EXOManagementScope-Test New DGs" { - Credential = $Credscredential; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint Ensure = "Present"; Exclusive = $False; Identity = "Test New DGs"; @@ -140,7 +144,9 @@ Configuration Example { EXOManagementScope "EXOManagementScope-Test New DGs" { - Credential = $Credscredential; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint Ensure = "Absent"; Exclusive = $False; Identity = "Test New DGs"; diff --git a/docs/docs/resources/exchange/EXOMigrationEndpoint.md b/docs/docs/resources/exchange/EXOMigrationEndpoint.md new file mode 100644 index 0000000000..e8a3134503 --- /dev/null +++ b/docs/docs/resources/exchange/EXOMigrationEndpoint.md 
@@ -0,0 +1,189 @@ +# EXOMigrationEndpoint + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Identity** | Key | String | Identity of the migration endpoint. | | +| **AcceptUntrustedCertificates** | Write | Boolean | Specifies whether to accept untrusted certificates. | | +| **AppID** | Write | String | The Application ID used for authentication. | | +| **AppSecretKeyVaultUrl** | Write | String | The URL of the Key Vault that stores the application secret. | | +| **Authentication** | Write | String | The authentication method for the migration endpoint. | | +| **EndpointType** | Write | String | The type of migration endpoint. | `IMAP` | +| **ExchangeServer** | Write | String | The Exchange Server address for the migration endpoint. | | +| **MailboxPermission** | Write | String | The mailbox permission for the migration endpoint. | | +| **MaxConcurrentIncrementalSyncs** | Write | String | The maximum number of concurrent incremental syncs. | | +| **MaxConcurrentMigrations** | Write | String | The maximum number of concurrent migrations. | | +| **NspiServer** | Write | String | The NSPI server for the migration endpoint. | | +| **Port** | Write | String | The port number for the migration endpoint. | | +| **RemoteServer** | Write | String | The remote server for the migration endpoint. | | +| **RemoteTenant** | Write | String | The remote tenant for the migration endpoint. | | +| **RpcProxyServer** | Write | String | The RPC proxy server for the migration endpoint. | | +| **Security** | Write | String | The security level for the migration endpoint. | `None`, `Tls`, `Ssl` | +| **SourceMailboxLegacyDN** | Write | String | The legacy distinguished name of the source mailbox. | | +| **UseAutoDiscover** | Write | Boolean | Specifies whether to use AutoDiscover. | | +| **Ensure** | Write | String | Specifies if the migration endpoint should exist or not. 
| `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Use this resource to create and monitor migration endpoints in exchange. + +## Permissions + +### Exchange + +To authenticate with Microsoft Exchange, this resource required the following permissions: + +#### Roles + +- Recipient Policies, View-Only Recipients, Mail Recipient Creation, View-Only Configuration, Mail Recipients + +#### Role Groups + +- Organization Management + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + EXOMigrationEndpoint "EXOMigrationEndpoint-testIMAP" + { + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + EndpointType = "IMAP"; + Ensure = "Present"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "Tls"; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + EXOMigrationEndpoint "EXOMigrationEndpoint-testIMAP" + { + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + EndpointType = "IMAP"; + Ensure = "Present"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + # value for security updated from Tls to None + Security = "None"; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + EXOMigrationEndpoint "EXOMigrationEndpoint-testIMAP" + { + AcceptUntrustedCertificates = $True; + Authentication = "Basic"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + EndpointType = "IMAP"; + Ensure = "Absent"; + Identity = "testIMAP"; + MailboxPermission = "Admin"; + MaxConcurrentIncrementalSyncs = "10"; + MaxConcurrentMigrations = "20"; + Port = 993; + RemoteServer = "gmail.com"; + Security = "None"; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md new file mode 100644 index 0000000000..8a3356509d --- /dev/null +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md 
@@ -0,0 +1,236 @@ +# IntuneAccountProtectionPolicyWindows10 + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **DeviceSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 | The policy settings for the device scope. | | +| **UserSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 | The policy settings for the user scope | | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **LsaCfgFlags** | Write | String | Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.) 
| `0`, `1`, `2` | +| **FacialFeaturesUseEnhancedAntiSpoofing** | Write | String | Facial Features Use Enhanced Anti Spoofing (false: Disabled, true: Enabled) | `false`, `true` | +| **EnablePinRecovery** | Write | String | Enable Pin Recovery (false: Disabled, true: Enabled) | `false`, `true` | +| **Expiration** | Write | SInt32 | Expiration | | +| **History** | Write | SInt32 | PIN History | | +| **LowercaseLetters** | Write | String | Lowercase Letters (0: Allows the use of lowercase letters in PIN., 1: Requires the use of at least one lowercase letters in PIN., 2: Does not allow the use of lowercase letters in PIN.) | `0`, `1`, `2` | +| **MaximumPINLength** | Write | SInt32 | Maximum PIN Length | | +| **MinimumPINLength** | Write | SInt32 | Minimum PIN Length | | +| **SpecialCharacters** | Write | String | Special Characters (0: Allows the use of special characters in PIN., 1: Requires the use of at least one special characters in PIN., 2: Does not allow the use of special characters in PIN.) | `0`, `1`, `2` | +| **UppercaseLetters** | Write | String | Uppercase Letters (0: Allows the use of uppercase letters in PIN., 1: Requires the use of at least one uppercase letters in PIN., 2: Does not allow the use of uppercase letters in PIN.) 
| `0`, `1`, `2` | +| **RequireSecurityDevice** | Write | String | Require Security Device (false: Disabled, true: Enabled) | `false`, `true` | +| **UseCertificateForOnPremAuth** | Write | String | Use Certificate For On Prem Auth (false: Disabled, true: Enabled) | `false`, `true` | +| **UsePassportForWork** | Write | String | Use Windows Hello For Business (Device) (false: Disabled, true: Enabled) | `false`, `true` | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **EnablePinRecovery** | Write | String | Enable Pin Recovery (User) (false: Disabled, true: Enabled) | `false`, `true` | +| **Expiration** | Write | SInt32 | Expiration (User) | | +| **History** | Write | SInt32 | PIN History (User) | | +| **LowercaseLetters** | Write | String | Lowercase Letters (User) (0: Allows the use of lowercase letters in PIN., 1: Requires the use of at least one lowercase letters in PIN., 2: Does not allow the use of lowercase letters in PIN.) | `0`, `1`, `2` | +| **MaximumPINLength** | Write | SInt32 | Maximum PIN Length (User) | | +| **MinimumPINLength** | Write | SInt32 | Minimum PIN Length (User) | | +| **SpecialCharacters** | Write | String | Special Characters (User) (0: Allows the use of special characters in PIN., 1: Requires the use of at least one special characters in PIN., 2: Does not allow the use of special characters in PIN.) | `0`, `1`, `2` | +| **UppercaseLetters** | Write | String | Uppercase Letters (User) (0: Allows the use of uppercase letters in PIN., 1: Requires the use of at least one uppercase letters in PIN., 2: Does not allow the use of uppercase letters in PIN.) 
| `0`, `1`, `2` | +| **RequireSecurityDevice** | Write | String | Require Security Device (User) (false: Disabled, true: Enabled) | `false`, `true` | +| **UsePassportForWork** | Write | String | Use Windows Hello For Business (User) (false: Disabled, true: Enabled) | `false`, `true` | + + +## Description + +Intune Account Protection Policy for Windows10 + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 + { + History = 10 + EnablePinRecovery = 'true' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 + { + History = 20 + EnablePinRecovery = 'true' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. 
+It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 + { + History = 10 + EnablePinRecovery = 'true' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 + { + History = 30 # Updated property + EnablePinRecovery = 'true' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md new file mode 100644 index 0000000000..31b41d628a --- /dev/null +++ b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md 
@@ -0,0 +1,230 @@ +# IntuneAppAndBrowserIsolationPolicyWindows10 + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **AllowWindowsDefenderApplicationGuard** | Write | String | Turn on Microsoft Defender Application Guard (0: Disable Microsoft Defender Application Guard, 1: Enable Microsoft Defender Application Guard for Microsoft Edge ONLY, 2: Enable Microsoft Defender Application Guard for isolated Windows environments ONLY, 3: Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments) | `0`, `1`, `2`, `3` | +| **ClipboardSettings** | Write | String | Clipboard behavior settings (0: Completely turns Off the clipboard functionality for the Application Guard., 1: Turns On clipboard operation from an isolated session to the host., 2: Turns On clipboard operation from the host to an isolated session., 3: Turns On clipboard operation in both the directions.) | `0`, `1`, `2`, `3` | +| **SaveFilesToHost** | Write | String | Allow files to download and save to the host operating system (0: The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow users to download files from Edge in the container to the host file system.) | `0`, `1` | +| **InstallWindowsDefenderApplicationGuard** | Write | String | Install Windows defender application guard (install: Install) | `install` | +| **ClipboardFileType** | Write | String | Clipboard content options (1: Allow text copying., 2: Allow image copying., 3: Allow text and image copying.) 
| `1`, `2`, `3` | +| **AllowPersistence** | Write | String | Allow data persistence (0: Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off., 1: Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.) | `0`, `1` | +| **AllowVirtualGPU** | Write | String | Allow hardware-accelerated rendering (0: Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.) | `0`, `1` | +| **PrintingSettings** | Write | SInt32Array[] | Print Settings (0: Disables all print functionality., 1: Enables only XPS printing., 2: Enables only PDF printing., 4: Enables only local printing., 8: Enables only network printing.) | `0`, `1`, `2`, `4`, `8` | +| **AllowCameraMicrophoneRedirection** | Write | String | Allow camera and microphone access (0: Microsoft Defender Application Guard cannot access the device's camera and microphone. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow Microsoft Defender Application Guard to access the device's camera and microphone.) | `0`, `1` | +| **AuditApplicationGuard** | Write | String | Audit Application Guard (0: Audit event logs aren't collected for Application Guard., 1: Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.) 
| `0`, `1` | +| **CertificateThumbprints** | Write | StringArray[] | Certificate Thumbprints | | +| **EnterpriseIPRange** | Write | StringArray[] | Enterprise IP Range | | +| **EnterpriseCloudResources** | Write | StringArray[] | Enterprise Cloud Resources | | +| **EnterpriseNetworkDomainNames** | Write | StringArray[] | Enterprise Network Domain Names | | +| **EnterpriseProxyServers** | Write | StringArray[] | Enterprise Proxy Servers | | +| **EnterpriseInternalProxyServers** | Write | StringArray[] | Enterprise Internal Proxy Servers | | +| **NeutralResources** | Write | StringArray[] | Neutral Resources | | +| **EnterpriseProxyServersAreAuthoritative** | Write | String | Enterprise Proxy Servers Are Authoritative (1: Enable, 0: Disable) | `1`, `0` | +| **EnterpriseIPRangesAreAuthoritative** | Write | String | Enterprise IP Ranges Are Authoritative (1: Enable, 0: Disable) | `1`, `0` | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + + +## Description + +Intune App And Browser Isolation Policy for Windows10 + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example creates a new Device Remediation. 
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '11111111-1111-1111-1111-111111111111'
+ }
+ );
+ AllowCameraMicrophoneRedirection = "1";
+ AllowPersistence = "0";
+ AllowVirtualGPU = "0";
+ AllowWindowsDefenderApplicationGuard = "1";
+ ClipboardFileType = "1";
+ ClipboardSettings = "0";
+ Description = 'Description'
+ DisplayName = "App and Browser Isolation";
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ InstallWindowsDefenderApplicationGuard = "install";
+ SaveFilesToHost = "0";
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example updates a new Device Remediation.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '11111111-1111-1111-1111-111111111111'
+ }
+ );
+ AllowCameraMicrophoneRedirection = "0"; # Updated property
+ AllowPersistence = "0";
+ AllowVirtualGPU = "0";
+ AllowWindowsDefenderApplicationGuard = "1";
+ ClipboardFileType = "1";
+ ClipboardSettings = "0";
+ Description = 'Description'
+ DisplayName = "App and Browser Isolation";
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ InstallWindowsDefenderApplicationGuard = "install";
+ SaveFilesToHost = "0";
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example removes a Device Remediation.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
+ {
+ Id = '00000000-0000-0000-0000-000000000000'
+ DisplayName = 'App and Browser Isolation'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneAppCategory.md b/docs/docs/resources/intune/IntuneAppCategory.md index 062055e54c..99193c9196 100644 --- a/docs/docs/resources/intune/IntuneAppCategory.md +++ b/docs/docs/resources/intune/IntuneAppCategory.md @@ -4,7 +4,7 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | -| **DisplayName** | Key | String | The name of the app category. | | +| **DisplayName** | Key | String | The name of the app. | | | **Id** | Write | String | The unique identifier for an entity. Read-only. | | | **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the workload's Admin | | diff --git a/docs/docs/resources/intune/IntuneDerivedCredential.md b/docs/docs/resources/intune/IntuneDerivedCredential.md new file mode 100644 index 0000000000..c43b79bec9 --- /dev/null +++ b/docs/docs/resources/intune/IntuneDerivedCredential.md 
@@ -0,0 +1,150 @@
+# IntuneDerivedCredential
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DisplayName** | Key | String | The name of the app category. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. | |
+| **HelpUrl** | Write | String | The URL that will be accessible to end users as they retrieve a derived credential using the Company Portal. | |
+| **RenewalThresholdPercentage** | Write | UInt32 | The nominal percentage of time before certificate renewal is initiated by the client. | |
+| **Issuer** | Write | String | Supported values for the derived credential issuer. | `intercede`, `entrustDatacard`, `purebred` |
+| **NotificationType** | Write | String | Supported values for the notification type to use. | `none`, `email`, `companyPortal` |
+| **Ensure** | Write | String | Supported values for the notification type to use. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Intune Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Name of the Azure Active Directory tenant used for authentication. Format contoso.onmicrosoft.com | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+
+## Description
+
+## Create new navigation property to derivedCredentials for deviceManagement for Intune.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+
+```powershell
+Configuration Example {
+ param(
+ [Parameter()]
+ [System.String] $ApplicationId,
+
+ [Parameter()]
+ [System.String] $TenantId,
+
+ [Parameter()]
+ [System.String] $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost {
+ IntuneDerivedCredential "IntuneDerivedCredential-K5"
+ {
+ DisplayName = "K5";
+ HelpUrl = "http://www.ff.com/";
+ Id = "a409d85f-2a49-440d-884a-80fb52a557ab";
+ Issuer = "purebred";
+ NotificationType = "email";
+ Ensure = "Present";
+ }
+ }
+}
+```
+
+### Example 2
+
+
+```powershell
+Configuration Example {
+ param(
+ [Parameter()]
+ [System.String] $ApplicationId,
+
+ [Parameter()]
+ [System.String] $TenantId,
+
+ [Parameter()]
+ [System.String] $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost {
+ IntuneDerivedCredential "IntuneDerivedCredential-K5"
+ {
+ DisplayName = "K5";
+ HelpUrl = "http://www.ff.com/";
+ Id = "a409d85f-2a49-440d-884a-80fb52a557ab";
+ Issuer = "purebred";
+ NotificationType = "email";
+ Ensure = "Present";
+ }
+ }
+}
+```
+
+### Example 3
+
+
+```powershell
+Configuration Example {
+ param(
+ [Parameter()]
+ [System.String] $ApplicationId,
+
+ [Parameter()]
+ [System.String] $TenantId,
+
+ [Parameter()]
+ [System.String] $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost {
+ IntuneDerivedCredential "IntuneDerivedCredential-K5"
+ {
+ DisplayName = "K5";
+ HelpUrl = "http://www.ff.com/";
+ Id = "a409d85f-2a49-440d-884a-80fb52a557ab";
+ Issuer = "purebred";
+ NotificationType = "email";
+ Ensure = "Absent";
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md
index 9893c32f98..92a2428a6d 100644
--- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md
+++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md
@@ -6,6 +6,7 @@
 | --- | --- | --- | --- | --- |
 | **Identity** | Write | String | Identity of the endpoint detection and response policy for Windows 10. | |
 | **DisplayName** | Key | String | Display name of the endpoint detection and response policy for Windows 10. | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | |
 | **Description** | Write | String | Description of the endpoint detection and response policy for Windows 10. | |
 | **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Assignments of the endpoint detection and response policy for Windows 10. | |
 | **SampleSharing** | Write | String | Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All | `0`, `1` |
@@ -100,6 +101,9 @@ Configuration Example
 ApplicationId = $ApplicationId;
 TenantId = $TenantId;
 CertificateThumbprint = $CertificateThumbprint;
+ ConfigurationBlob = "Blob"
+ ConfigurationType = "onboard"
+ SampleSharing = 1
 }
 }
 }
@@ -139,6 +143,9 @@ Configuration Example
 ApplicationId = $ApplicationId;
 TenantId = $TenantId;
 CertificateThumbprint = $CertificateThumbprint;
+ ConfigurationBlob = "Blob"
+ ConfigurationType = "onboard"
+ SampleSharing = 1
 }
 }
 }
diff --git a/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md
new file mode 100644
index 0000000000..cdb64c20a7
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneMobileAppsMacOSLobApp.md
@@ -0,0 +1,295 @@ +# IntuneMobileAppsMacOSLobApp + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The admin provided or imported title of the app. Inherited from mobileApp. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. Inherited from mobileApp object. | | +| **Description** | Write | String | The description of the app. Inherited from mobileApp. | | +| **Developer** | Write | String | The dewveloper of the app. Inherited from mobileApp. | | +| **InformationUrl** | Write | String | The InformationUrl of the app. Inherited from mobileApp. | | +| **IsFeatured** | Write | Boolean | The value indicating whether the app is marked as featured by the admin. Inherited from mobileApp. | | +| **Notes** | Write | String | Notes for the app. Inherited from mobileApp. | | +| **Owner** | Write | String | The owner of the app. Inherited from mobileApp. | | +| **PrivacyInformationUrl** | Write | String | The privacy statement Url. Inherited from mobileApp. | | +| **Publisher** | Write | String | The publisher of the app. Inherited from mobileApp. | | +| **PublishingState** | Write | String | The publishing state for the app. The app cannot be assigned unless the app is published. Inherited from mobileApp. | `notPublished`, `processing`, `published` | +| **BundleId** | Write | String | The bundleId of the app. | | +| **BuildNumber** | Write | String | The build number of the app. | | +| **VersionNumber** | Write | String | The version number of the app. | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for mobile app. | | +| **IgnoreVersionDetection** | Write | Boolean | Whether to ignore the version of the app or not. | | +| **LargeIcon** | Write | MSFT_DeviceManagementMimeContent | The icon for this app. 
| | +| **MinimumSupportedOperatingSystem** | Write | MSFT_DeviceManagementMinimumOperatingSystem | The minimum supported operating system to install the app. | | +| **Categories** | Write | MSFT_DeviceManagementMobileAppCategory[] | The list of categories for this app. | | +| **Assignments** | Write | MSFT_DeviceManagementMobileAppAssignment[] | The list of assignments for this app. | | +| **ChildApps** | Write | MSFT_DeviceManagementMobileAppChildApp[] | The list of child apps for this app package. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_DeviceManagementMobileAppAssignment + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.mobileAppAssignment` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. 
| | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are: none, include, exclude. | `none`, `include`, `exclude` | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **intent** | Write | String | Possible values for the install intent chosen by the admin. | `available`, `required`, `uninstall`, `availableWithoutEnrollment` | + +### MSFT_DeviceManagementMinimumOperatingSystem + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **v10_7** | Write | Boolean | Indicates if Mac OS X 10.7 or later is required to install the app. | | +| **v10_8** | Write | Boolean | Indicates if Mac OS X 10.8 or later is required to install the app. | | +| **v10_9** | Write | Boolean | Indicates if Mac OS X 10.9 or later is required to install the app. | | +| **v10_10** | Write | Boolean | Indicates if Mac OS X 10.10 or later is required to install the app. | | +| **v10_11** | Write | Boolean | Indicates if Mac OS X 10.11 or later is required to install the app. | | +| **v10_12** | Write | Boolean | Indicates if Mac OS X 10.12 or later is required to install the app. | | +| **v10_13** | Write | Boolean | Indicates if Mac OS X 10.13 or later is required to install the app. | | +| **v10_14** | Write | Boolean | Indicates if Mac OS X 10.14 or later is required to install the app. | | +| **v10_15** | Write | Boolean | Indicates if Mac OS X 10.15 or later is required to install the app. | | +| **v11_0** | Write | Boolean | Indicates if Mac OS X 11.0 or later is required to install the app. | | +| **v12_0** | Write | Boolean | Indicates if Mac OS X 12.0 or later is required to install the app. 
| | +| **v13_0** | Write | Boolean | Indicates if Mac OS X 13.0 or later is required to install the app. | | +| **v14_0** | Write | Boolean | Indicates if Mac OS X 14.0 or later is required to install the app. | | + +### MSFT_DeviceManagementMimeContent + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Type** | Write | String | Indicates the type of content mime. | | +| **Value** | Write | String | The Base64 encoded string content. | | + +### MSFT_DeviceManagementMobileAppCategory + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The name of the app category. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | + +### MSFT_DeviceManagementMobileAppChildApp + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **BundleId** | Write | String | The bundleId of the app. | | +| **BuildNumber** | Write | String | The build number of the app. | | +| **VersionNumber** | Write | String | The version number of the app. | | + + +## Description + +This resource configures an Intune mobile app of MacOSLobApp type for MacOS devices. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementApps.Read.All + +- **Update** + + - DeviceManagementApps.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementApps.Read.All + +- **Update** + + - DeviceManagementApps.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsMacOSLobApp "IntuneMobileAppsMacOSLobApp-TeamsForBusinessInstaller" + { + Id = "8d027f94-0682-431e-97c1-827d1879fa79"; + Description = "TeamsForBusinessInstaller"; + Developer = "Contoso"; + DisplayName = "TeamsForBusinessInstaller"; + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + MinimumSupportedOperatingSystem = MSFT_DeviceManagementMinimumOperatingSystem{ + v11_0 = $true + } + Notes = ""; + Owner = ""; + PrivacyInformationUrl = ""; + Publisher = "Contoso"; + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment { + groupDisplayName = 'All devices' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + intent = 'required' + } + MSFT_DeviceManagementMobileAppAssignment{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '57b5e81c-85bb-4644-a4fd-33b03e451c89' + intent = 'required' + } + ); + Categories = @( + MSFT_DeviceManagementMobileAppCategory { + Id = '1bff2652-03ec-4a48-941c-152e93736515' + DisplayName = 'Kajal 3' + }); + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsMacOSLobApp "IntuneMobileAppsMacOSLobApp-TeamsForBusinessInstaller" + { + Id = "8d027f94-0682-431e-97c1-827d1879fa79"; + Description = "TeamsForBusinessInstaller"; + Developer = "Contoso drift"; #drift + DisplayName = "TeamsForBusinessInstaller"; + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + MinimumSupportedOperatingSystem = MSFT_DeviceManagementMinimumOperatingSystem{ + v11_0 = $true + } + Notes = ""; + Owner = ""; + PrivacyInformationUrl = ""; + Publisher = "Contoso"; + PublishingState = "published"; + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment { + groupDisplayName = 'All devices' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + intent = 'required' + } + MSFT_DeviceManagementMobileAppAssignment { + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '57b5e81c-85bb-4644-a4fd-33b03e451c89' + intent = 'required' + } + ); + Categories = @(MSFT_DeviceManagementMobileAppCategory { + Id = '1bff2652-03ec-4a48-941c-152e93736515' + DisplayName = 'Kajal 3' + }); + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsMacOSLobApp "IntuneMobileAppsMacOSLobApp-TeamsForBusinessInstaller" + { + Id = "8d027f94-0682-431e-97c1-827d1879fa79"; + DisplayName = "TeamsForBusinessInstaller"; + Ensure = "Absent"; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md new file mode 100644 index 0000000000..52bfea559e --- /dev/null +++ b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md 
@@ -0,0 +1,276 @@
+# IntuneMobileAppsWindowsOfficeSuiteApp
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DisplayName** | Key | String | The admin provided or imported title of the app. Inherited from mobileApp. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. Inherited from mobileApp object. | |
+| **Description** | Write | String | The description of the app. Inherited from mobileApp. | |
+| **IsFeatured** | Write | Boolean | The value indicating whether the app is marked as featured by the admin. Inherited from mobileApp. | |
+| **PrivacyInformationUrl** | Write | String | The privacy statement Url. Inherited from mobileApp. | |
+| **InformationUrl** | Write | String | The InformationUrl of the app. Inherited from mobileApp. | |
+| **Notes** | Write | String | Notes for the app. Inherited from mobileApp. | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for mobile app. | |
+| **AutoAcceptEula** | Write | Boolean | Specifies if the EULA is accepted automatically on the end user's device. | |
+| **ProductIds** | Write | StringArray[] | The Product IDs that represent the Office 365 Suite SKU, such as 'O365ProPlusRetail' or 'VisioProRetail'. | |
+| **UseSharedComputerActivation** | Write | Boolean | Indicates whether shared computer activation is used for Office installations. | |
+| **UpdateChannel** | Write | String | Specifies the update channel for the Office 365 app suite, such as 'Current' or 'Deferred'. | |
+| **OfficeSuiteAppDefaultFileFormat** | Write | String | Specifies the default file format type for Office apps, such as 'OfficeOpenXMLFormat' or 'OfficeOpenDocumentFormat'. | |
+| **OfficePlatformArchitecture** | Write | String | The architecture of the Office installation (e.g., 'X86', 'X64', or 'Arm64'). Cannot be changed after creation.
| |
+| **LocalesToInstall** | Write | StringArray[] | Specifies the locales to be installed when the Office 365 apps are deployed. Uses the standard RFC 5646 format (e.g., 'en-US', 'fr-FR'). | |
+| **InstallProgressDisplayLevel** | Write | String | Specifies the display level of the installation progress for Office apps. Use 'Full' to display the installation UI, or 'None' for a silent installation. | |
+| **ShouldUninstallOlderVersionsOfOffice** | Write | Boolean | Indicates whether older versions of Office should be uninstalled when deploying the Office 365 app suite. | |
+| **TargetVersion** | Write | String | The specific target version of the Office 365 app suite to be deployed. | |
+| **UpdateVersion** | Write | String | The update version in which the target version is available for the Office 365 app suite. | |
+| **OfficeConfigurationXml** | Write | String | A base64-encoded XML configuration file that specifies Office ProPlus installation settings. Takes precedence over all other properties. When present, this XML file will be used to create the app. | |
+| **Categories** | Write | MSFT_DeviceManagementMobileAppCategory[] | The list of categories for this app. | |
+| **Assignments** | Write | MSFT_DeviceManagementMobileAppAssignment[] | The list of assignments for this app. | |
+| **ExcludedApps** | Write | MSFT_DeviceManagementMobileAppExcludedApp | The property that represents the apps excluded from the selected Office 365 Product ID. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication.
| |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_DeviceManagementMobileAppAssignment
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.mobileAppAssignment` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are: none, include, exclude. | `none`, `include`, `exclude` |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | |
+| **intent** | Write | String | Possible values for the install intent chosen by the admin. | `available`, `required`, `uninstall`, `availableWithoutEnrollment` |
+
+### MSFT_DeviceManagementMimeContent
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Type** | Write | String | Indicates the type of content mime. | |
+| **Value** | Write | String | The Base64 encoded string content.
| |
+
+### MSFT_DeviceManagementMobileAppCategory
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **DisplayName** | Key | String | The name of the app category. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. | |
+
+### MSFT_DeviceManagementMobileAppExcludedApp
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Access** | Write | Boolean | Specifies whether to exclude Microsoft Office Access from the installation. | |
+| **Bing** | Write | Boolean | Specifies whether to exclude Microsoft Search (Bing) as the default from the installation. | |
+| **Excel** | Write | Boolean | Specifies whether to exclude Microsoft Office Excel from the installation. | |
+| **Groove** | Write | Boolean | Specifies whether to exclude Microsoft Office OneDrive for Business (Groove) from the installation. | |
+| **InfoPath** | Write | Boolean | Specifies whether to exclude Microsoft Office InfoPath from the installation. | |
+| **Lync** | Write | Boolean | Specifies whether to exclude Microsoft Office Skype for Business (Lync) from the installation. | |
+| **OneDrive** | Write | Boolean | Specifies whether to exclude Microsoft Office OneDrive from the installation. | |
+| **OneNote** | Write | Boolean | Specifies whether to exclude Microsoft Office OneNote from the installation. | |
+| **Outlook** | Write | Boolean | Specifies whether to exclude Microsoft Office Outlook from the installation. | |
+| **PowerPoint** | Write | Boolean | Specifies whether to exclude Microsoft Office PowerPoint from the installation. | |
+| **Publisher** | Write | Boolean | Specifies whether to exclude Microsoft Office Publisher from the installation. | |
+| **SharePointDesigner** | Write | Boolean | Specifies whether to exclude Microsoft Office SharePoint Designer from the installation.
| |
+| **Teams** | Write | Boolean | Specifies whether to exclude Microsoft Office Teams from the installation. | |
+| **Visio** | Write | Boolean | Specifies whether to exclude Microsoft Office Visio from the installation. | |
+| **Word** | Write | Boolean | Specifies whether to exclude Microsoft Office Word from the installation. | |
+
+
+## Description
+
+This resource configures an Intune mobile app of OfficeSuiteApp type for Windows devices.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementApps.Read.All
+
+- **Update**
+
+ - DeviceManagementApps.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementApps.Read.All
+
+- **Update**
+
+ - DeviceManagementApps.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later"
+ {
+ Id = "8e683524-4ec1-4813-bb3e-6256b2f293d"
+ Description = "Microsoft 365 Apps for Windows 10 and laterr"
+ DisplayName = "Microsoft 365 Apps for Windows 10 and later"
+ Ensure = "Present";
+ InformationUrl = "";
+ IsFeatured = $False;
+ Notes = ""
+ PrivacyInformationUrl = ""
+ RoleScopeTagIds = @()
+ Assignments = @(
+ MSFT_DeviceManagementMobileAppAssignment{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c'
+ intent = 'required'
+ }
+ );
+ Categories = @(
+ MSFT_DeviceManagementMobileAppCategory {
+ Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8'
+ DisplayName = 'Productivity'
+ });
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later"
+ {
+ Id = "8e683524-4ec1-4813-bb3e-6256b2f293d"
+ Description = "Microsoft 365 Apps for Windows 10 and laterr"
+ DisplayName = "Microsoft 365 Apps for Windows 10 and later"
+ Ensure = "Present";
+ InformationUrl = "";
+ IsFeatured = $False;
+ Notes = ""
+ PrivacyInformationUrl = ""
+ RoleScopeTagIds = @()
+ Assignments = @(
+ MSFT_DeviceManagementMobileAppAssignment{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.groupAssignmentTarget'
+ groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c'
+ intent = 'required'
+ }
+ );
+ Categories = @(
+ MSFT_DeviceManagementMobileAppCategory {
+ Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8'
+ DisplayName = 'Productivity'
+ });
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+
+ Import-DscResource -ModuleName Microsoft365DSC
+ node localhost
+ {
+ IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later"
+ {
+ Id = "8e683524-4ec1-4813-bb3e-6256b2f293d8";
+ DisplayName = "Microsoft 365 Apps for Windows 10 and later";
+ Ensure = "Absent";
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md
new file mode 100644
index 0000000000..78a3f1969a
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md
@@ -0,0 +1,678 @@
+# IntuneSecurityBaselineMicrosoft365AppsForEnterprise
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Description** | Write | String | Policy description | |
+| **DisplayName** | Key | String | Policy name | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. | |
+| **DeviceSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise | The policy settings for the device scope | |
+| **UserSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise | The policy settings for the user scope | |
+| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication.
| |
+
+### MSFT_DeviceManagementConfigurationPolicyAssignments
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment.
| |
+| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | |
+
+### MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Pol_SecGuide_A001_Block_Flash** | Write | String | Block Flash activation in Office documents (0: Disabled, 1: Enabled) | `0`, `1` |
+| **Pol_SecGuide_Block_Flash** | Write | String | Block Flash player in Office (Device) - Depends on Pol_SecGuide_A001_Block_Flash (block all flash activation: Block all activation, block embedded flash activation only: Block embedding/linking, allow other activation, allow all flash activation: Allow all activation) | `block all flash activation`, `block embedded flash activation only`, `allow all flash activation` |
+| **Pol_SecGuide_Legacy_JScript** | Write | String | Restrict legacy JScript execution for Office (0: Disabled, 1: Enabled) | `0`, `1` |
+| **POL_SG_powerpnt** | Write | SInt32 | PowerPoint: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+| **POL_SG_onenote** | Write | SInt32 | OneNote: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+| **POL_SG_mspub** | Write | SInt32 | Publisher: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+| **POL_SG_msaccess** | Write | SInt32 | Access: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+| **POL_SG_winproj** | Write | SInt32 | Project: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+| **POL_SG_visio** | Write | SInt32 | Visio: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+| **POL_SG_outlook** | Write | SInt32 | Outlook: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+| **POL_SG_winword** | Write | SInt32 | Word: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+| **POL_SG_excel** | Write | SInt32 | Excel: (Device) - Depends on Pol_SecGuide_Legacy_JScript | |
+|
**L_PolicyEnableSIPHighSecurityMode** | Write | String | Configure SIP security mode (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_PolicyDisableHttpConnect** | Write | String | Disable HTTP fallback for SIP connection (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_AddonManagement** | Write | String | Add-on Management (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_powerpntexe17** | Write | String | powerpnt.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_excelexe15** | Write | String | excel.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_visioexe19** | Write | String | visio.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_onenoteexe26** | Write | String | onent.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_outlookexe22** | Write | String | outlook.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_pptviewexe18** | Write | String | pptview.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_winwordexe21** | Write | String | winword.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_exprwdexe24** | Write | String | exprwd.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_spdesignexe23** | Write | String | spDesign.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_winprojexe20** | Write | String | winproj.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_grooveexe14** | Write | String | groove.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_mspubexe16** | Write | String | mspub.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_mse7exe27** | Write | String | mse7.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_msaccessexe25**
| Write | String | msaccess.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` |
+| **L_ConsistentMimeHandling** | Write | String | Consistent Mime Handling (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_excelexe43** | Write | String | excel.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_spdesignexe51** | Write | String | spDesign.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_onenoteexe54** | Write | String | onent.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_outlookexe50** | Write | String | outlook.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_pptviewexe46** | Write | String | pptview.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_mspubexe44** | Write | String | mspub.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_visioexe47** | Write | String | visio.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_winprojexe48** | Write | String | winproj.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_msaccessexe53** | Write | String | msaccess.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_powerpntexe45** | Write | String | powerpnt.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_grooveexe42** | Write | String | groove.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_mse7exe55** | Write | String | mse7.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_winwordexe49** | Write | String | winword.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_exprwdexe52** | Write | String | exprwd.exe (Device) -
Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` |
+| **L_Disableusernameandpassword** | Write | String | Disable user name and password (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_excelexe127** | Write | String | excel.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_grooveexe126** | Write | String | groove.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_onenoteexe138** | Write | String | onent.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_mse7exe139** | Write | String | mse7.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_mspubexe128** | Write | String | mspub.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_visioexe131** | Write | String | visio.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_exprwdexe136** | Write | String | exprwd.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_msaccessexe137** | Write | String | msaccess.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_spdesignexe135** | Write | String | spDesign.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_winwordexe133** | Write | String | winword.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_powerpntexe129** | Write | String | powerpnt.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_outlookexe134** | Write | String | outlook.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_winprojexe132** | Write | String | winproj.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_pptviewexe130** |
Write | String | pptview.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` |
+| **L_Informationbar** | Write | String | Information Bar (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_excelexe113** | Write | String | excel.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_mspubexe114** | Write | String | mspub.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_msaccessexe123** | Write | String | msaccess.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_onenoteexe124** | Write | String | onent.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_outlookexe120** | Write | String | outlook.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_winprojexe118** | Write | String | winproj.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_powerpntexe115** | Write | String | powerpnt.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_spdesignexe121** | Write | String | spDesign.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_grooveexe112** | Write | String | groove.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_visioexe117** | Write | String | visio.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_mse7exe125** | Write | String | mse7.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_winwordexe119** | Write | String | winword.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_exprwdexe122** | Write | String | exprwd.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_pptviewexe116** | Write | String | pptview.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` |
+| **L_LocalMachineZoneLockdownSecurity**
| Write | String | Local Machine Zone Lockdown Security (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_mse7exe41** | Write | String | mse7.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_powerpntexe31** | Write | String | powerpnt.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_mspubexe30** | Write | String | mspub.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_outlookexe36** | Write | String | outlook.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_pptviewexe32** | Write | String | pptview.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_excelexe29** | Write | String | excel.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_exprwdexe38** | Write | String | exprwd.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_grooveexe28** | Write | String | groove.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_winwordexe35** | Write | String | winword.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_msaccessexe39** | Write | String | msaccess.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_spdesignexe37** | Write | String | spDesign.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_visioexe33** | Write | String | visio.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_onenoteexe40** | Write | String | onent.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_winprojexe34** | Write | String | winproj.exe (Device) -
Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` |
+| **L_MimeSniffingSafetyFature** | Write | String | Mime Sniffing Safety Feature (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_powerpntexe59** | Write | String | powerpnt.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_exprwdexe66** | Write | String | exprwd.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_grooveexe56** | Write | String | groove.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_visioexe61** | Write | String | visio.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_outlookexe64** | Write | String | outlook.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_mspubexe58** | Write | String | mspub.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_mse7exe69** | Write | String | mse7.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_msaccessexe67** | Write | String | msaccess.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_pptviewexe60** | Write | String | pptview.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_winprojexe62** | Write | String | winproj.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_spdesignexe65** | Write | String | spDesign.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_onenoteexe68** | Write | String | onent.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_winwordexe63** | Write | String | winword.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_excelexe57** | Write | String | excel.exe (Device)
- Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` |
+| **L_NavigateURL** | Write | String | Navigate URL (0: Disabled, 1: Enabled) | `0`, `1` |
+| **L_spdesignexe177** | Write | String | spDesign.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_onenoteexe180** | Write | String | onent.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_pptviewexe172** | Write | String | pptview.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_outlookexe176** | Write | String | outlook.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_winprojexe174** | Write | String | winproj.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_msaccessexe179** | Write | String | msaccess.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_winwordexe175** | Write | String | winword.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_excelexe169** | Write | String | excel.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_mspubexe170** | Write | String | mspub.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_exprwdexe178** | Write | String | exprwd.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_powerpntexe171** | Write | String | powerpnt.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_visioexe173** | Write | String | visio.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_mse7exe181** | Write | String | mse7.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_grooveexe168** | Write | String | groove.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` |
+| **L_ObjectCachingProtection** | Write | String | Object Caching Protection (0: Disabled, 1: Enabled) | `0`, `1` |
+|
**L_winwordexe77** | Write | String | winword.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_powerpntexe73** | Write | String | powerpnt.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_spdesignexe79** | Write | String | spDesign.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_mse7exe83** | Write | String | mse7.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_mspubexe72** | Write | String | mspub.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_msaccessexe81** | Write | String | msaccess.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_onenoteexe82** | Write | String | onent.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_outlookexe78** | Write | String | outlook.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_grooveexe70** | Write | String | groove.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_excelexe71** | Write | String | excel.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_visioexe75** | Write | String | visio.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_pptviewexe74** | Write | String | pptview.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_winprojexe76** | Write | String | winproj.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_exprwdexe80** | Write | String | exprwd.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` |
+| **L_ProtectionFromZoneElevation** | Write | String | Protection From Zone Elevation (0: Disabled, 1: Enabled) | `0`, `1` |
+|
**L_mspubexe100** | Write | String | mspub.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_visioexe103** | Write | String | visio.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe101** | Write | String | powerpnt.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_excelexe99** | Write | String | excel.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_mse7exe111** | Write | String | mse7.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_winwordexe105** | Write | String | winword.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe108** | Write | String | exprwd.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe109** | Write | String | msaccess.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe107** | Write | String | spDesign.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe110** | Write | String | onent.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe102** | Write | String | pptview.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_winprojexe104** | Write | String | winproj.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_grooveexe98** | Write | String | groove.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_outlookexe106** | Write | String | outlook.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_RestrictActiveXInstall** | Write | String | Restrict ActiveX Install 
(0: Disabled, 1: Enabled) | `0`, `1` | +| **L_mse7exe** | Write | String | mse7.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe** | Write | String | powerpnt.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_spDesignexe** | Write | String | spDesign.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe** | Write | String | onent.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_excelexe** | Write | String | excel.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_mspubexe** | Write | String | mspub.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_visioexe** | Write | String | visio.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe** | Write | String | exprwd.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_outlookexe** | Write | String | outlook.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe** | Write | String | pptview.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_winprojexe** | Write | String | winproj.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_winwordexe** | Write | String | winword.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_grooveexe** | Write | String | groove.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe** | Write | String | msaccess.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_RestrictFileDownload** | Write | String | Restrict File Download (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_visioexe5** | Write | 
String | visio.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_winprojexe6** | Write | String | winproj.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe11** | Write | String | msaccess.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe9** | Write | String | spDesign.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_excelexe1** | Write | String | excel.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe3** | Write | String | powerpnt.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_mspubexe2** | Write | String | mspub.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe10** | Write | String | exprwd.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_outlookexe8** | Write | String | outlook.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe4** | Write | String | pptview.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_winwordexe7** | Write | String | winword.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe12** | Write | String | onent.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_mse7exe13** | Write | String | mse7.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_grooveexe0** | Write | String | groove.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_SavedfromURL** | Write | String | Saved from URL (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_pptviewexe158** | Write | String | pptview.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| 
**L_exprwdexe164** | Write | String | exprwd.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_mse7exe167** | Write | String | mse7.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe163** | Write | String | spDesign.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_winprojexe160** | Write | String | winproj.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_mspubexe156** | Write | String | mspub.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_visioexe159** | Write | String | visio.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_winwordexe161** | Write | String | winword.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe165** | Write | String | msaccess.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe166** | Write | String | onent.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_outlookexe162** | Write | String | outlook.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_grooveexe154** | Write | String | groove.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_excelexe155** | Write | String | excel.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe157** | Write | String | powerpnt.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_ScriptedWindowSecurityRestrictions** | Write | String | Scripted Window Security Restrictions (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_exprwdexe94** | Write | String | exprwd.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_mse7exe97** | Write | String | mse7.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) 
| `0`, `1` | +| **L_mspubexe86** | Write | String | mspub.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_outlookexe92** | Write | String | outlook.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe95** | Write | String | msaccess.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe87** | Write | String | powerpnt.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_grooveexe84** | Write | String | groove.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_excelexe85** | Write | String | excel.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe88** | Write | String | pptview.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe93** | Write | String | spDesign.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_visioexe89** | Write | String | visio.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe96** | Write | String | onent.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_winprojexe90** | Write | String | winproj.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_winwordexe91** | Write | String | winword.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| 
**MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty** | Write | String | - Depends on MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks** | Write | String | Do not show data extraction options when opening corrupt workbooks (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Asktoupdateautomaticlinks** | Write | String | Ask to update automatic links (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_LoadpicturesfromWebpagesnotcreatedinExcel** | Write | String | Load pictures from Web pages not created in Excel (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DisableAutoRepublish** | Write | String | Disable AutoRepublish (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| 
**L_DoNotShowAutoRepublishWarningAlert** | Write | String | Do not show AutoRepublish warning alert (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Forcefileextenstionstomatch** | Write | String | Force file extension to match file type (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Forcefileextenstionstomatch_L_Empty** | Write | String | - Depends on L_Forcefileextenstionstomatch (0: Allow different, 1: Allow different, but warn, 2: Always match file type) | `0`, `1`, `2` | +| **L_DeterminewhethertoforceencryptedExcel** | Write | String | Scan encrypted macros in Excel Open XML workbooks (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DeterminewhethertoforceencryptedExcelDropID** | Write | String | - Depends on L_DeterminewhethertoforceencryptedExcel (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning) | `0`, `1`, `2` | +| **L_BlockXLLFromInternet** | Write | String | Block Excel XLL Add-ins that come from an untrusted source (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_BlockXLLFromInternetEnum** | Write | String | - Depends on L_BlockXLLFromInternet (1: Block, 0: Show Additional Warning, 2: Allow) | `1`, `0`, `2` | +| **MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_EnableBlockUnsecureQueryFiles** | Write | String | Always prevent untrusted Microsoft Query files from opening (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DBaseIIIANDIVFiles** | Write | String | dBase III / IV files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DBaseIIIANDIVFilesDropID** | Write | String | File 
block setting: (User) - Depends on L_DBaseIIIANDIVFiles (0: Do not block, 2: Open/Save blocked, use open policy) | `0`, `2` | +| **L_DifAndSylkFiles** | Write | String | Dif and Sylk files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DifAndSylkFilesDropID** | Write | String | File block setting: (User) - Depends on L_DifAndSylkFiles (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy) | `0`, `1`, `2` | +| **L_Excel2MacrosheetsAndAddInFiles** | Write | String | Excel 2 macrosheets and add-in files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel2MacrosheetsAndAddInFilesDropID** | Write | String | File block setting: (User) - Depends on L_Excel2MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel2Worksheets** | Write | String | Excel 2 worksheets (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel2WorksheetsDropID** | Write | String | File block setting: (User) - Depends on L_Excel2Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel3MacrosheetsAndAddInFiles** | Write | String | Excel 3 macrosheets and add-in files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel3MacrosheetsAndAddInFilesDropID** | Write | String | File block setting: (User) - Depends on L_Excel3MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel3Worksheets** | Write | String | Excel 3 worksheets (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel3WorksheetsDropID** | Write | String | File block setting: (User) - Depends on L_Excel3Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: 
Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel4MacrosheetsAndAddInFiles** | Write | String | Excel 4 macrosheets and add-in files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel4MacrosheetsAndAddInFilesDropID** | Write | String | File block setting: (User) - Depends on L_Excel4MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel4Workbooks** | Write | String | Excel 4 workbooks (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel4WorkbooksDropID** | Write | String | File block setting: (User) - Depends on L_Excel4Workbooks (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel4Worksheets** | Write | String | Excel 4 worksheets (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel4WorksheetsDropID** | Write | String | File block setting: (User) - Depends on L_Excel4Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel95Workbooks** | Write | String | Excel 95 workbooks (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel95WorkbooksDropID** | Write | String | File block setting: (User) - Depends on L_Excel95Workbooks (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **L_Excel9597WorkbooksAndTemplates** | Write | String | Excel 95-97 workbooks and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel9597WorkbooksAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on 
L_Excel9597WorkbooksAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel972003WorkbooksAndTemplates** | Write | String | Excel 97-2003 workbooks and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel972003WorkbooksAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Excel972003WorkbooksAndTemplates (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior** | Write | String | Set default file block behavior (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID** | Write | String | - Depends on MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited) | `0`, `1`, `2` | +| **L_WebPagesAndExcel2003XMLSpreadsheets** | Write | String | Web pages and Excel 2003 XML spreadsheets (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_WebPagesAndExcel2003XMLSpreadsheetsDropID** | Write | String | File block setting: (User) - Depends on L_WebPagesAndExcel2003XMLSpreadsheets (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **L_XL4KillSwitchPolicy** | Write | String | Prevent Excel from running XLM macros (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_EnableDataBaseFileProtectedView** | Write | String | Always open untrusted database files in Protected View (User) (0: 
Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView** | Write | String | Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView** | Write | String | Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails** | Write | String | Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3** | Write | String | Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID** | Write | String | - Depends on MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook** | Write | String | Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on 
MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty4** | Write | String | - Depends on MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable VBA macros with notification, 3: Disable VBA macros except digitally signed macros, 4: Disable VBA macros without notification, 1: Enable VBA macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftExcel_Security_L_TurnOffFileValidation** | Write | String | Turn off file validation (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_WebContentWarningLevel** | Write | String | WEBSERVICE Function Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_WebContentWarningLevelValue** | Write | String | - Depends on L_WebContentWarningLevel (0: Enable all WEBSERVICE functions (not recommended), 1: Disable all with notification, 2: Disable all without notification) | `0`, `1`, `2` | +| **L_NoExtensibilityCustomizationFromDocumentPolicy** | Write | String | Disable UI extending from documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyWord** | Write | String | Disallow in Word (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyExcel** | Write | String | Disallow in Excel (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyVisio** | Write | String | Disallow in Visio (User) - Depends on 
L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint** | Write | String | Disallow in PowerPoint (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyPublisher** | Write | String | Disallow in Publisher (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyOutlook** | Write | String | Disallow in Outlook (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyProject** | Write | String | Disallow in Project (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyAccess** | Write | String | Disallow in Access (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath** | Write | String | Disallow in InfoPath (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_ActiveXControlInitialization** | Write | String | ActiveX Control Initialization (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_ActiveXControlInitializationcolon** | Write | String | ActiveX Control Initialization: (User) - Depends on L_ActiveXControlInitialization (1: 1, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6) | `1`, `2`, `3`, `4`, `5`, `6` | +| **L_BasicAuthProxyBehavior** | Write | String | Allow Basic Authentication prompts from network proxies (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AllowVbaIntranetRefs** | Write | String | Allow VBA to load typelib references by path from untrusted intranet locations (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| 
**L_AutomationSecurity** | Write | String | Automation Security (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_SettheAutomationSecuritylevel** | Write | String | Set the Automation Security level (User) - Depends on L_AutomationSecurity (3: Disable macros by default, 2: Use application macro security level, 1: Macros enabled (default)) | `3`, `2`, `1` | +| **L_AuthenticationFBABehavior** | Write | String | Control how Office handles form-based sign-in prompts (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AuthenticationFBAEnabledHostsID** | Write | String | Specify hosts allowed to show form-based sign-in prompts to users: (User) - Depends on L_AuthenticationFBABehavior | | +| **L_authenticationFBABehaviorEnum** | Write | String | Behavior: (User) - Depends on L_AuthenticationFBABehavior (1: Block all prompts, 2: Ask the user what to do for each new host, 3: Show prompts only from allowed hosts) | `1`, `2`, `3` | +| **L_DisableStrictVbaRefsSecurityPolicy** | Write | String | Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DisableallTrustBarnotificationsfor** | Write | String | Disable all Trust Bar notifications for security issues (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Encryptiontypeforirm** | Write | String | Encryption mode for Information Rights Management (IRM) (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Encryptiontypeforirmcolon** | Write | String | IRM Encryption Mode: (User) - Depends on L_Encryptiontypeforirm (1: Cipher Block Chaining (CBC), 2: Electronic Codebook (ECB)) | `1`, `2` | +| **L_Encryptiontypeforpasswordprotectedoffice972003** | Write | String | Encryption type for password protected Office 97-2003 files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_encryptiontypecolon318** | Write | String | Encryption type: (User) - Depends on L_Encryptiontypeforpasswordprotectedoffice972003 | | +| 
**L_Encryptiontypeforpasswordprotectedofficeopen** | Write | String | Encryption type for password protected Office Open XML files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Encryptiontypecolon** | Write | String | Encryption type: (User) - Depends on L_Encryptiontypeforpasswordprotectedofficeopen | | +| **L_LoadControlsinForms3** | Write | String | Load Controls in Forms3 (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_LoadControlsinForms3colon** | Write | String | Load Controls in Forms3: (User) - Depends on L_LoadControlsinForms3 (1: 1, 2: 2, 3: 3, 4: 4) | `1`, `2`, `3`, `4` | +| **L_MacroRuntimeScanScope** | Write | String | Macro Runtime Scan Scope (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_MacroRuntimeScanScopeEnum** | Write | String | - Depends on L_MacroRuntimeScanScope (0: Disable for all documents, 1: Enable for low trust documents, 2: Enable for all documents) | `0`, `1`, `2` | +| **L_Protectdocumentmetadataforrightsmanaged** | Write | String | Protect document metadata for rights managed Office Open XML Files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Allowmixofpolicyanduserlocations** | Write | String | Allow mix of policy and user locations (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DisabletheOfficeclientfrompolling** | Write | String | Disable the Office client from polling the SharePoint Server for published links (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DisableSmartDocumentsuseofmanifests** | Write | String | Disable Smart Document's use of manifests (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OutlookSecurityMode** | Write | String | Outlook Security Mode (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMAddressAccess** | Write | String | Configure Outlook object model prompt when reading address information (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMAddressAccess_Setting** | Write | String | Guard behavior: (User) (1: Prompt 
User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_OOMMeetingTaskRequest** | Write | String | Configure Outlook object model prompt when responding to meeting and task requests (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMMeetingTaskRequest_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_OOMSend** | Write | String | Configure Outlook object model prompt when sending mail (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMSend_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_Preventusersfromcustomizingattachmentsecuritysettings** | Write | String | Prevent users from customizing attachment security settings (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_RetrievingCRLsCertificateRevocationLists** | Write | String | Retrieving CRLs (Certificate Revocation Lists) (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty31** | Write | String | (0: Use system Default, 1: When online always retreive the CRL, 2: Never retreive the CRL) | `0`, `1`, `2` | +| **L_OOMFormula** | Write | String | Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMFormula_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_AuthenticationwithExchangeServer** | Write | String | Authentication with Exchange 
Server (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_SelecttheauthenticationwithExchangeserver** | Write | String | Select the authentication with Exchange server. (User) (9: Kerberos/NTLM Password Authentication, 16: Kerberos Password Authentication, 10: NTLM Password Authentication, 2147545088: Insert a smart card) | `9`, `16`, `10`, `2147545088` | +| **L_EnableRPCEncryption** | Write | String | Enable RPC encryption (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Enablelinksinemailmessages** | Write | String | Allow hyperlinks in suspected phishing e-mail messages (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMAddressBook** | Write | String | Configure Outlook object model prompt when accessing an address book (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMAddressBook_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_OutlookSecurityPolicy** | Write | String | Outlook Security Policy: (User) - Depends on L_OutlookSecurityMode (0: Outlook Default Security, 1: Use Security Form from 'Outlook Security Settings' Public Folder, 2: Use Security Form from 'Outlook 10 Security Settings' Public Folder, 3: Use Outlook Security Group Policy) | `0`, `1`, `2`, `3` | +| **L_AllowUsersToLowerAttachments** | Write | String | Allow users to demote attachments to Level 2 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AllowActiveXOneOffForms** | Write | String | Allow Active X One Off Forms (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty29** | Write | String | Sets which ActiveX controls to allow. 
(0: Load only Outlook Controls, 1: Allows only Safe Controls, 2: Allows all ActiveX Controls) | `0`, `1`, `2` | +| **L_EnableScriptsInOneOffForms** | Write | String | Allow scripts in one-off Outlook forms (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Level2RemoveFilePolicy** | Write | String | Remove file extensions blocked as Level 2 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_removedextensions25** | Write | String | Removed Extensions: (User) | | +| **L_MSGUnicodeformatwhendraggingtofilesystem** | Write | String | Use Unicode format when dragging e-mail message to file system (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OnExecuteCustomActionOOM** | Write | String | Set Outlook object model custom actions execution prompt (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OnExecuteCustomActionOOM_Setting** | Write | String | When executing a custom action: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_DisableOutlookobjectmodelscriptsforpublicfolders** | Write | String | Do not allow Outlook object model scripts to run for public folders (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_BlockInternet** | Write | String | Include Internet in Safe Zones for Automatic Picture Download (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_SecurityLevelOutlook** | Write | String | Security setting for macros (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_SecurityLevel** | Write | String | Security Level (User) (2: Always warn, 4: Never warn, disable all, 3: Warn for signed, disable unsigned, 1: No security check) | `2`, `4`, `3`, `1` | +| **L_Level1RemoveFilePolicy** | Write | String | Remove file 
extensions blocked as Level 1 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_RemovedExtensions** | Write | String | Removed Extensions: (User) | | +| **L_SignatureWarning** | Write | String | Signature Warning (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_signaturewarning30** | Write | String | Signature Warning (User) (0: Let user decide if they want to be warned, 1: Always warn about invalid signatures, 2: Never warn about invalid signatures) | `0`, `1`, `2` | +| **L_Level1Attachments** | Write | String | Display Level 1 attachments (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Minimumencryptionsettings** | Write | String | Minimum encryption settings (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Minimumkeysizeinbits** | Write | SInt32 | Minimum key size (in bits): (User) | | +| **L_DisableOutlookobjectmodelscripts** | Write | String | Do not allow Outlook object model scripts to run for shared folders (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMSaveAs** | Write | String | Configure Outlook object model prompt when executing Save As (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMSaveAs_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_JunkEmailprotectionlevel** | Write | String | Junk E-mail protection level (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Selectlevel** | Write | String | Select level: (User) (4294967295: No Protection, 6: Low (Default), 3: High, 2147483648: Trusted Lists Only) | `4294967295`, `6`, `3`, `2147483648` | +| **L_RunPrograms** | Write | String | Run Programs (User) (0: Disabled, 1: Enabled) | `0`, `1` | 
+| **L_RunPrograms_L_Empty** | Write | String | - Depends on L_RunPrograms (0: disable (don't run any programs), 1: enable (prompt user before running), 2: enable all (run without prompting)) | `0`, `1`, `2` | +| **L_Determinewhethertoforceencryptedppt** | Write | String | Scan encrypted macros in PowerPoint Open XML presentations (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DeterminewhethertoforceencryptedpptDropID** | Write | String | - Depends on L_Determinewhethertoforceencryptedppt (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning) | `0`, `1`, `2` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles** | Write | String | PowerPoint 97-2003 presentations, shows, templates and add-in files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID** | Write | String | File block setting: (User) - Depends on L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior** | Write | String | Set default file block behavior (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID** | Write | String | - Depends on 
MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited) | `0`, `1`, `2` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView** | Write | String | Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView** | Write | String | Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails** | Write | String | Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3** | Write | String | Checked: Allow edit. Unchecked: Do not allow edit. 
(User) - Depends on MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID** | Write | String | - Depends on MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook** | Write | String | Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty3** | Write | String | - Depends on MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftPowerPoint_Security_L_TurnOffFileValidation** | Write | String | Turn off file 
validation (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty** | Write | String | - Depends on MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **L_PublisherAutomationSecurityLevel** | Write | String | Publisher Automation Security Level (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_PublisherAutomationSecurityLevel_L_Empty** | Write | String | - Depends on L_PublisherAutomationSecurityLevel (1: Low (enabled), 2: By UI (prompted), 3: High (disabled)) | `1`, `2`, `3` | +| **MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from 
running in Office files from the internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins (User) - Depends on MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty0** | Write | String | - Depends on MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Visio2000Files** | Write | String | Visio 
2000-2002 Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Visio2000FilesDropID** | Write | String | File block setting: (User) - Depends on L_Visio2000Files (0: Do not block, 2: Open/Save blocked) | `0`, `2` | +| **L_Visio2003Files** | Write | String | Visio 2003-2010 Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Visio2003FilesDropID** | Write | String | File block setting: (User) - Depends on L_Visio2003Files (0: Do not block, 1: Save blocked, 2: Open/Save blocked) | `0`, `1`, `2` | +| **L_Visio50AndEarlierFiles** | Write | String | Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Visio50AndEarlierFilesDropID** | Write | String | File block setting: (User) - Depends on L_Visio50AndEarlierFiles (0: Do not block, 2: Open/Save blocked) | `0`, `2` | +| **MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty** | Write | String | - Depends on MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| 
**MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AllowDDE** | Write | String | Dynamic Data Exchange (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AllowDDEDropID** | Write | String | Dynamic Data Exchange setting (User) - Depends on L_AllowDDE (1: Limited Dynamic Data Exchange, 2: Allow Dynamic Data Exchange) | `1`, `2` | +| **MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior** | Write | String | Set default file block behavior (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID** | Write | String | - Depends on MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited) | `0`, `1`, `2` | +| **L_Word2AndEarlierBinaryDocumentsAndTemplates** | Write | String | Word 2 and earlier binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word2AndEarlierBinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word2000BinaryDocumentsAndTemplates** | Write | String | Word 2000 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word2000BinaryDocumentsAndTemplatesDropID** | 
Write | String | File block setting: (User) - Depends on L_Word2000BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word2003BinaryDocumentsAndTemplates** | Write | String | Word 2003 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word2003BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word2003BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word2007AndLaterBinaryDocumentsAndTemplates** | Write | String | Word 2007 and later binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word2007AndLaterBinaryDocumentsAndTemplates (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **L_Word6Pt0BinaryDocumentsAndTemplates** | Write | String | Word 6.0 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word6Pt0BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word6Pt0BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word95BinaryDocumentsAndTemplates** | Write | String | Word 95 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word95BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on 
L_Word95BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word97BinaryDocumentsAndTemplates** | Write | String | Word 97 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word97BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word97BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_WordXPBinaryDocumentsAndTemplates** | Write | String | Word XP binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_WordXPBinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_WordXPBinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView** | Write | String | Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView** | Write | String | Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails** | Write | String | Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID** | Write | String | - Depends on 
MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3** | Write | String | Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook** | Write | String | Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DeterminewhethertoforceencryptedWord** | Write | String | Scan encrypted macros in Word Open XML documents (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DeterminewhethertoforceencryptedWordDropID** | Write | String | - Depends on L_DeterminewhethertoforceencryptedWord (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning) | `0`, `1`, `2` | +| **MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty19** | Write | String | - Depends on MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: 
Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftWord_Security_L_TurnOffFileValidation** | Write | String | Turn off file validation (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | + + +## Description + +Intune Security Baseline Microsoft365 Apps For Enterprise + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + L_powerpntexe101 = '1' + L_pptviewexe102 = '1' + L_visioexe103 = '1' + L_winprojexe104 = '1' + L_winwordexe105 = '1' + L_outlookexe106 = '1' + L_spdesignexe107 = '1' + L_exprwdexe108 = '1' + L_msaccessexe109 = '1' + L_onenoteexe110 = '1' + L_mse7exe111 = '1' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '3' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + L_powerpntexe101 = '1' + L_pptviewexe102 = '1' + L_visioexe103 = '1' + L_winprojexe104 = '1' + L_winwordexe105 = '1' + L_outlookexe106 = '1' + L_spdesignexe107 = '1' + L_exprwdexe108 = '1' + L_msaccessexe109 = '1' + L_onenoteexe110 = '1' + L_mse7exe111 = '1' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '2' # Updated property + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md new file mode 100644 index 0000000000..439264f0bc --- /dev/null +++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md 
@@ -0,0 +1,206 @@ +# IntuneSecurityBaselineMicrosoftEdge + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **InternetExplorerIntegrationReloadInIEModeAllowed** | Write | String | Allow unconfigured sites to be reloaded in Internet Explorer mode (0: Disabled, 1: Enabled) | `0`, `1` | +| **SSLErrorOverrideAllowed** | Write | String | Allow users to proceed from the HTTPS warning page (0: Disabled, 1: Enabled) | `0`, `1` | +| **InternetExplorerIntegrationZoneIdentifierMhtFileAllowed** | Write | String | Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode (0: Disabled, 1: Enabled) | `0`, `1` | +| **BrowserLegacyExtensionPointsBlockingEnabled** | Write | String | Enable browser legacy extension point blocking (0: Disabled, 1: Enabled) | `0`, `1` | +| **SitePerProcess** | Write | String | Enable site isolation for every site (0: Disabled, 1: Enabled) | `0`, `1` | +| **EdgeEnhanceImagesEnabled** | Write | String | Enhance images enabled (0: Disabled, 1: Enabled) | `0`, `1` | +| **ExtensionInstallBlocklist** | Write | String | Control which extensions cannot be installed (0: Disabled, 1: Enabled) | `0`, `1` | +| **ExtensionInstallBlocklistDesc** | Write | StringArray[] | Extension IDs the user should be prevented from installing (or * for all) (Device) - Depends on ExtensionInstallBlocklist | | +| **WebSQLAccess** | Write | String | Force WebSQL to be enabled (0: Disabled, 1: Enabled) | `0`, `1` | +| **BasicAuthOverHttpEnabled** | Write | String | Allow Basic authentication for HTTP (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftEdge_HTTPAuthentication_AuthSchemes** | 
Write | String | Supported authentication schemes (0: Disabled, 1: Enabled) | `0`, `1` | +| **authschemes** | Write | String | Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes | | +| **NativeMessagingUserLevelHosts** | Write | String | Allow user-level native messaging hosts (installed without admin permissions) (0: Disabled, 1: Enabled) | `0`, `1` | +| **InsecurePrivateNetworkRequestsAllowed** | Write | String | Specifies whether to allow insecure websites to make requests to more-private network endpoints (0: Disabled, 1: Enabled) | `0`, `1` | +| **InternetExplorerModeToolbarButtonEnabled** | Write | String | Show the Reload in Internet Explorer mode button in the toolbar (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenEnabled** | Write | String | Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenPuaEnabled** | Write | String | Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled) | `0`, `1` | +| **PreventSmartScreenPromptOverride** | Write | String | Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled) | `0`, `1` | +| **PreventSmartScreenPromptOverrideForFiles** | Write | String | Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled) | `0`, `1` | +| **SharedArrayBufferUnrestrictedAccessAllowed** | Write | String | Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context (0: Disabled, 1: Enabled) | `0`, `1` | +| **TyposquattingCheckerEnabled** | Write | String | Configure Edge TyposquattingChecker (0: Disabled, 1: Enabled) | `0`, `1` | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. 
| `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. 
| | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + + +## Description + +Intune Security Baseline Microsoft Edge + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + InsecurePrivateNetworkRequestsAllowed = "0"; + InternetExplorerIntegrationReloadInIEModeAllowed = "0"; + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0"; + InternetExplorerModeToolbarButtonEnabled = "0"; + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + InsecurePrivateNetworkRequestsAllowed = "0"; + InternetExplorerIntegrationReloadInIEModeAllowed = "0"; + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0"; + InternetExplorerModeToolbarButtonEnabled = "1"; # Drift + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/power-platform/PPAdminDLPPolicy.md b/docs/docs/resources/power-platform/PPAdminDLPPolicy.md new file mode 100644 index 0000000000..dd2e85c07f --- /dev/null +++ b/docs/docs/resources/power-platform/PPAdminDLPPolicy.md 
@@ -0,0 +1,161 @@ +# PPAdminDLPPolicy + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | Creates the policy with the input display name | | +| **PolicyName** | Write | String | Unique identifier of the policy. | | +| **Environments** | Write | StringArray[] | Comma separated string list used as input environments to either include or exclude, depending on the FilterType. | | +| **FilterType** | Write | String | Identifies which filter type the policy will have, none, include, or exclude. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +Manages a policy's environment and default API group settings. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPAdminDLPPolicy "PPAdminDLPPolicy-Test" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "SuperTest"; + Ensure = "Present"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPAdminDLPPolicy "PPAdminDLPPolicy-Test" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "SuperTest"; + Ensure = "Present"; + Environments = "Default-e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + FilterType = "include"; # Drift + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPAdminDLPPolicy "PPAdminDLPPolicy-Test" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + DisplayName = "SuperTest"; + Ensure = "Absent"; + TenantId = $TenantId; + } + } +} +``` + 
diff --git a/docs/docs/resources/power-platform/PPDLPPolicyConnectorConfigurations.md b/docs/docs/resources/power-platform/PPDLPPolicyConnectorConfigurations.md
new file mode 100644
index 0000000000..a1731db384
--- /dev/null
+++ b/docs/docs/resources/power-platform/PPDLPPolicyConnectorConfigurations.md
@@ -0,0 +1,204 @@ +# PPDLPPolicyConnectorConfigurations + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **PolicyName** | Key | String | The policy name identifier. | | +| **PPTenantId** | Key | String | The tenant identifier. | | +| **ConnectorActionConfigurations** | Write | MSFT_PPDLPPolicyConnectorConfigurationsAction[] | Set of cnnector actions associated with the policy. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_PPDLPPolicyConnectorConfigurationsActionRules + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **actionId** | Write | String | Id of the action. | | +| **behavior** | Write | String | Associated behavior. | | + +### MSFT_PPDLPPolicyConnectorConfigurationsAction + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **connectorId** | Write | String | Unique id of the connector. | | +| **defaultConnectorActionRuleBehavior** | Write | String | Default action behavior for to connector. | | +| **actionRules** | Write | MSFT_PPDLPPolicyConnectorConfigurationsActionRules[] | List of associated actions. 
| | + + +## Description + +Configures connectors Data Loss Prevention policies in Power Platforms. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPDLPPolicyConnectorConfigurations "PPDLPPolicyConnectorConfigurations-9fdd99b8-6c9f-4e9c-aafe-1a4c1e4fe451" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConnectorActionConfigurations = @( + MSFT_PPDLPPolicyConnectorConfigurationsAction{ + actionRules = @( + MSFT_PPDLPPolicyConnectorConfigurationsActionRules{ + actionId = 'CreateInvitation' + behavior = 'Allow' + } + ) + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + } + ); + Ensure = "Present"; + PolicyName = "DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPDLPPolicyConnectorConfigurations "PPDLPPolicyConnectorConfigurations-9fdd99b8-6c9f-4e9c-aafe-1a4c1e4fe451" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + ConnectorActionConfigurations = @( + MSFT_PPDLPPolicyConnectorConfigurationsAction{ + actionRules = @( + MSFT_PPDLPPolicyConnectorConfigurationsActionRules{ + actionId = 'CreateInvitation' + behavior = 'Block' #drift + } + ) + connectorId = '/providers/Microsoft.PowerApps/apis/shared_aadinvitationmanager' + defaultConnectorActionRuleBehavior = 'Allow' + } + ); + Ensure = "Present"; + PolicyName = "DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPDLPPolicyConnectorConfigurations "PPDLPPolicyConnectorConfigurations-9fdd99b8-6c9f-4e9c-aafe-1a4c1e4fe451" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + PolicyName = "DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/power-platform/PPPowerAppPolicyUrlPatterns.md b/docs/docs/resources/power-platform/PPPowerAppPolicyUrlPatterns.md new file mode 100644 index 0000000000..d658c23ba1 
--- /dev/null
+++ b/docs/docs/resources/power-platform/PPPowerAppPolicyUrlPatterns.md
@@ -0,0 +1,205 @@ +# PPPowerAppPolicyUrlPatterns + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **PolicyName** | Key | String | The policy name identifier. | | +| **PPTenantId** | Key | String | The tenant identifier. | | +| **RuleSet** | Write | MSFT_PPPowerAPpPolicyUrlPatternsRule[] | Set of custom connector pattern rules associated with the policy. | | +| **Ensure** | Write | String | Present ensures the instance exists, absent ensures it is removed. | `Absent`, `Present` | +| **Credential** | Write | PSCredential | Credentials of the workload's Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_PPPowerAPpPolicyUrlPatternsRule + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **order** | Write | String | Rule priority order. | | +| **customConnectorRuleClassification** | Write | String | Rule classification. | | +| **pattern** | Write | String | Rule pattern. | | + + +## Description + +Configures custom connector patterns for Data Loss Prevention policies in Power Platforms. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - None + +- **Update** + + - None + +#### Application permissions + +- **Read** + + - None + +- **Update** + + - None + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPPowerAppPolicyUrlPatterns "PPPowerAppPolicyUrlPatterns" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + PolicyName = "DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + RuleSet = @( + MSFT_PPPowerAPpPolicyUrlPatternsRule{ + pattern = 'https://contoso.com' + customConnectorRuleClassification = 'General' + order = 1 + } + MSFT_PPPowerAPpPolicyUrlPatternsRule{ + pattern = 'https://fabrikam.com' + customConnectorRuleClassification = 'General' + order = 2 + } + MSFT_PPPowerAPpPolicyUrlPatternsRule{ + pattern = '*' + customConnectorRuleClassification = 'Ignore' + order = 3 + } + ); + TenantId = $TenantId; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPPowerAppPolicyUrlPatterns "PPPowerAppPolicyUrlPatterns" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Present"; + PolicyName = "DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + RuleSet = @( + MSFT_PPPowerAPpPolicyUrlPatternsRule{ + pattern = 'https://contoso.com' + customConnectorRuleClassification = 'General' + order = 1 + } + MSFT_PPPowerAPpPolicyUrlPatternsRule{ + pattern = 'https://tailspintoys.com' # drift + customConnectorRuleClassification = 'General' + order = 2 + } + MSFT_PPPowerAPpPolicyUrlPatternsRule{ + pattern = '*' + customConnectorRuleClassification = 'Ignore' + order = 3 + } + ); + TenantId = $TenantId; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + PPPowerAppPolicyUrlPatterns "PPPowerAppPolicyUrlPatterns" + { + ApplicationId = $ApplicationId; + CertificateThumbprint = $CertificateThumbprint; + Ensure = "Absent"; + PolicyName = "DSCPolicy"; + PPTenantId = "e91d4e0e-d5a5-4e3a-be14-2192592a59af"; + TenantId = $TenantId; + } + } +} +``` + diff --git a/docs/docs/resources/teams/TeamsUpgradePolicy.md b/docs/docs/resources/teams/TeamsUpgradePolicy.md index f06cf2599e..e27774070c 100644 --- a/docs/docs/resources/teams/TeamsUpgradePolicy.md 
+++ b/docs/docs/resources/teams/TeamsUpgradePolicy.md
@@ -5,7 +5,7 @@
 | Parameter | Attribute | DataType | Description | Allowed Values |
 | --- | --- | --- | --- | --- |
 | **Identity** | Key | String | Identity of the Teams Upgrade Policy. | |
-| **Users** | Write | StringArray[] | List of users that will be granted the Upgrade Policy to. | |
+| **Users** | Write | StringArray[] | List of users that will be granted the Upgrade Policy to. Use value * to apply the policy globally. | |
 | **MigrateMeetingsToTeams** | Write | Boolean | Specifies whether to move existing Skype for Business meetings organized by the user to Teams. This parameter can only be true if the mode of the specified policy instance is either TeamsOnly or SfBWithTeamsCollabAndMeetings, and if the policy instance is being granted to a specific user. It not possible to trigger meeting migration when granting TeamsUpgradePolicy to the entire tenant. | |
 | **Credential** | Write | PSCredential | Credentials of the Teams Admin | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
diff --git a/docs/docs/user-guide/get-started/prerequisites.md b/docs/docs/user-guide/get-started/prerequisites.md
index 243cd7322f..89c6079a8c 100644
--- a/docs/docs/user-guide/get-started/prerequisites.md
+++ b/docs/docs/user-guide/get-started/prerequisites.md
@@ -6,6 +6,10 @@ For Microsoft365DSC to function, you need to arrange the following components: Microsoft365DSC is supported for PowerShell version 5.1 and 7.3+. For additional details on how to leverage it with PowerShell 7, please refer to our [PowerShell 7+ Guide for Microsoft365DSC](https://microsoft365dsc.com/user-guide/get-started/powershell7-support/). +### PowerShell Execution Policy + +Microsoft365DSC consists of its own module and various PowerShell submodules. Allowing scripts to run is necessary for the successful execution of the functions. The command `Get-ExecutionPolicy` retrieves the current execution policy. Usually, it is enough if the value is set to RemoteSigned. If you encounter issues while loading scripts, set it to Unrestricted: `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` + ### Windows Remote Management (WinRM) Microsoft365DSC uses the Local Configuration Manager (LCM). This requires PowerShell Remoting to be enabled. Please run either `winrm quickconfig -force` or `Enable-PSRemoting -Force -SkipNetworkProfileCheck` to enable it.
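Review bot: The new "PowerShell Execution Policy" section tells readers to run `Set-ExecutionPolicy -ExecutionPolicy Unrestricted` as the fix for script-loading issues, which persistently weakens the LocalMachine policy on the very workstation that holds the tenant's Graph app credentials and certificates; the usual cause of those failures is module files carrying the Zone.Identifier mark after download, which RemoteSigned rejects. Suggest replacing the last sentence with `If you encounter issues while loading scripts, first unblock the downloaded module files (` `Get-ChildItem <module path> -Recurse | Unblock-File` `) rather than lowering the policy.` and, if a looser policy is still needed, scoping it to the session: `Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process`. It would also help to state that `Set-ExecutionPolicy` without `-Scope` changes the machine-wide setting and persists across sessions, so readers understand what they are changing.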