[BUG] Fix duplicate policy creation bug & dynamic group compliance

CHANGELOG.md

@@ -8,9 +8,38 @@
 * AADFeatureRolloutPolicy
   * Fixed policy retrieval
     FIXES [#5521](https://github.com/microsoft/Microsoft365DSC/issues/5521)
+* AADGroup
+  * Only get Members & GroupAsMembers when a static group is defined.
+* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneAccountProtectionPolicyWindows10
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneAntivirusPolicyLinux
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneAntivirusPolicyMacOS
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneAntivirusPolicyWindows10SettingCatalog
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneAppAndBrowserIsolationPolicyWindows10
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneDeviceControlPolicyWindows10
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneDiskEncryptionMacOS
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneDiskEncryptionWindows10
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneEndpointDetectionAndResponsePolicyLinux
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneEndpointDetectionAndResponsePolicyMacOS
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneEndpointDetectionAndResponsePolicyWindows10
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
+* IntuneSettingCatalogASRRulesPolicyWindows10
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
 * IntuneDeviceManagementAndroidDeviceOwnerEnrollmentProfile
   * Fixing issue with the way the QrCodeImage property was exported and handled.
 * IntuneFirewallPolicyWindows10
+  * Fixed creation of policy while it was found by name, now it updates existing policies correctly.
   * Fix export of properties that appear multiple times in subsections.
 * M365DSCDRGUtil
   * Improve settings catalog handling for nested objects.

Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1

@@ -216,6 +216,7 @@ function Get-TargetResource
             }
 
             $MembersValues = $null
+            $result = @{}
             if ($Group.MembershipRuleProcessingState -ne 'On')
             {
                 # Members
@@ -237,6 +238,8 @@ function Get-TargetResource
                         $GroupAsMembersValues += $member.AdditionalProperties.displayName
                     }
                 }
+                $result.Add('Members', $MembersValues)
+                $result.Add('GroupAsMembers', $GroupAsMembersValues)
             }
 
             # MemberOf
@@ -273,15 +276,12 @@ function Get-TargetResource
             if ($assignedLicensesRequest.value.Length -gt 0)
             {
                 $assignedLicensesValues = Get-M365DSCAzureADGroupLicenses -AssignedLicenses $assignedLicensesRequest.value
-
             }
 
-            $result = @{
+            $policySettings = @{
                 DisplayName                   = $Group.DisplayName
                 Id                            = $Group.Id
                 Owners                        = $OwnersValues
-                Members                       = $MembersValues
-                GroupAsMembers                = $GroupAsMembersValues
                 MemberOf                      = $MemberOfValues
                 Description                   = $Group.Description
                 GroupTypes                    = [System.String[]]$Group.GroupTypes
@@ -303,6 +303,7 @@ function Get-TargetResource
                 Managedidentity               = $ManagedIdentity.IsPresent
                 AccessTokens                  = $AccessTokens
             }
+            $result += $policySettings
 
             return $result
         }

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1

@@ -129,34 +129,47 @@ function Get-TargetResource
         Add-M365DSCTelemetryEvent -Data $data
         #endregion
 
-        $nullResult = $PSBoundParameters
-        $nullResult.Ensure = 'Absent'
-
+        #Retrieve policy general settings
         $templateReferenceId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1'
 
-        # Retrieve policy general settings
-        $policy = $null
-        $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue
-
-        if ($null -eq $policy)
+        if ($PSBoundParameters.ContainsKey('Identity'))
         {
-            Write-Verbose -Message "No Account Protection LAPS Policy with Id {$Identity} was found"
-
-            if (-not [System.String]::IsNullOrEmpty($DisplayName))
+            Write-Verbose -Message 'PolicyID was specified'
+            try
             {
-                $policy = Get-MgBetaDeviceManagementConfigurationPolicy `
-                    -Filter "Name eq '$DisplayName' and templateReference/TemplateId eq '$templateReferenceId'" `
-                    -ErrorAction SilentlyContinue
+                $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction Stop
+            }
+            catch
+            {
+                Write-Verbose -Message "No Account Protection LAPS Policy with Id {$Identity} was found"
+                $policy = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName' and templateReference/TemplateId eq '$templateReferenceId'"
+                if ($policy.Length -gt 1)
+                {
+                    throw "Duplicate Account Protection LAPS Policy named $DisplayName exist in tenant"
+                }
+            }
+        }
+        else
+        {
+            Write-Verbose -Message 'Id was NOT specified'
+            ## Can retreive multiple Intune Policies since displayname is not unique
+            $policy = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName' and templateReference/TemplateId eq '$templateReferenceId'"
+            if ($policy.Length -gt 1)
+            {
+                throw "Duplicate Account Protection LAPS Policy named $DisplayName exist in tenant"
             }
         }
 
-        if ($null -eq $policy)
+        if ([String]::IsNullOrEmpty($policy.Id))
         {
-            Write-Verbose -Message "No Account Protection LAPS Policy with Name {$DisplayName} was found"
-            return $nullResult
+            Write-Verbose -Message "No Account Protection LAPS Policy with Name {$DisplayName} were found"
+            $currentValues = $PSBoundParameters
+            $currentValues.Ensure = 'Absent'
+            return $currentValues
         }
+
         $Identity = $policy.Id
-        Write-Verbose "Found Account Protection LAPS Policy with Id {$Identity} and Name {$($policy.Name)}"
+        Write-Verbose -Message "An Account Protection LAPS Policy with Id {$Identity} and Name {$DisplayName} was found"
 
         [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting `
             -DeviceManagementConfigurationPolicyId $Identity `

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.psm1

@@ -85,31 +85,42 @@ function Get-TargetResource
         Add-M365DSCTelemetryEvent -Data $data
         #endregion
 
-        $nullResult = $PSBoundParameters
-        $nullResult.Ensure = 'Absent'
-
-        $getValue = $null
-        #region resource generator code
-        $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue
-
-        if ($null -eq $getValue)
+        if ($PSBoundParameters.ContainsKey('Id'))
         {
-            Write-Verbose -Message "Could not find an Intune Account Protection Policy for Windows10 with Id {$Id}"
-
-            if (-not [System.String]::IsNullOrEmpty($DisplayName))
+            Write-Verbose -Message 'PolicyID was specified'
+            try
+            {
+                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction Stop
+            }
+            catch
+            {
+                Write-Verbose -Message "No Account Protection Policy for Windows10 with Id {$Id} was found"
+                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName'"
+                if ($getValue.Length -gt 1)
+                {
+                    throw "Duplicate Intune Account Protection Policy for Windows10 named $DisplayName exist in tenant"
+                }
+            }
+        }
+        else
+        {
+            Write-Verbose -Message 'Id was NOT specified'
+            ## Can retreive multiple Intune Policies since displayname is not unique
+            $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName'"
+            if ($getValue.Length -gt 1)
             {
-                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy `
-                    -All `
-                    -Filter "Name eq '$DisplayName'" `
-                    -ErrorAction SilentlyContinue
+                throw "Duplicate Intune Account Protection Policy for Windows10 named $DisplayName exist in tenant"
             }
         }
-        #endregion
-        if ($null -eq $getValue)
+
+        if ([String]::IsNullOrEmpty($getValue.Id))
         {
-            Write-Verbose -Message "Could not find an Intune Account Protection Policy for Windows10 with Name {$DisplayName}."
-            return $nullResult
+            Write-Verbose -Message "No Account Protection Policy for Windows10 with Name {$DisplayName} were found"
+            $currentValues = $PSBoundParameters
+            $currentValues.Ensure = 'Absent'
+            return $currentValues
         }
+
         $Id = $getValue.Id
         Write-Verbose -Message "An Intune Account Protection Policy for Windows10 with Id {$Id} and Name {$DisplayName} was found"
 

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1

@@ -192,31 +192,42 @@ function Get-TargetResource
         Add-M365DSCTelemetryEvent -Data $data
         #endregion
 
-        $nullResult = $PSBoundParameters
-        $nullResult.Ensure = 'Absent'
-
-        $getValue = $null
-        #region resource generator code
-        $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue
-
-        if ($null -eq $getValue)
+        if ($PSBoundParameters.ContainsKey('Id'))
         {
-            Write-Verbose -Message "Could not find an Intune Antivirus Policy for Linux with Id {$Id}"
-
-            if (-not [System.String]::IsNullOrEmpty($DisplayName))
+            Write-Verbose -Message 'PolicyID was specified'
+            try
+            {
+                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction Stop
+            }
+            catch
+            {
+                Write-Verbose -Message "No Intune Antivirus Policy for Linux with Id {$Id} was found"
+                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName'"
+                if ($getValue.Length -gt 1)
+                {
+                    throw "Duplicate Intune Antivirus Policy for Linux named $DisplayName exist in tenant"
+                }
+            }
+        }
+        else
+        {
+            Write-Verbose -Message 'Id was NOT specified'
+            ## Can retreive multiple Intune Policies since displayname is not unique
+            $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName'"
+            if ($getValue.Length -gt 1)
             {
-                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy `
-                    -All `
-                    -Filter "Name eq '$DisplayName'" `
-                    -ErrorAction SilentlyContinue
+                throw "Duplicate Intune Antivirus Policy for Linux named $DisplayName exist in tenant"
             }
         }
-        #endregion
-        if ($null -eq $getValue)
+
+        if ([String]::IsNullOrEmpty($getValue.Id))
         {
-            Write-Verbose -Message "Could not find an Intune Antivirus Policy for Linux with Name {$DisplayName}."
-            return $nullResult
+            Write-Verbose -Message "No Intune Antivirus Policy for Linux with Name {$DisplayName} were found"
+            $currentValues = $PSBoundParameters
+            $currentValues.Ensure = 'Absent'
+            return $currentValues
         }
+
         $Id = $getValue.Id
         Write-Verbose -Message "An Intune Antivirus Policy for Linux with Id {$Id} and Name {$DisplayName} was found"
 

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyMacOS/MSFT_IntuneAntivirusPolicyMacOS.psm1

@@ -195,31 +195,42 @@ function Get-TargetResource
         Add-M365DSCTelemetryEvent -Data $data
         #endregion
 
-        $nullResult = $PSBoundParameters
-        $nullResult.Ensure = 'Absent'
-
-        $getValue = $null
-        #region resource generator code
-        $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue
-
-        if ($null -eq $getValue)
+        if ($PSBoundParameters.ContainsKey('Id'))
         {
-            Write-Verbose -Message "Could not find an Intune Antivirus Policy for macOS with Id {$Id}"
-
-            if (-not [System.String]::IsNullOrEmpty($DisplayName))
+            Write-Verbose -Message 'PolicyID was specified'
+            try
+            {
+                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction Stop
+            }
+            catch
+            {
+                Write-Verbose -Message "No Intune Antivirus Policy for macOS with Id {$Id} was found"
+                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName'"
+                if ($getValue.Length -gt 1)
+                {
+                    throw "Duplicate Intune Antivirus Policy for macOS named $DisplayName exist in tenant"
+                }
+            }
+        }
+        else
+        {
+            Write-Verbose -Message 'Id was NOT specified'
+            ## Can retreive multiple Intune Policies since displayname is not unique
+            $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName'"
+            if ($getValue.Length -gt 1)
             {
-                $getValue = Get-MgBetaDeviceManagementConfigurationPolicy `
-                    -Filter "Name eq '$DisplayName'" `
-                    -All `
-                    -ErrorAction SilentlyContinue
+                throw "Duplicate Intune Antivirus Policy for macOS named $DisplayName exist in tenant"
             }
         }
-        #endregion
-        if ($null -eq $getValue)
+
+        if ([String]::IsNullOrEmpty($getValue.Id))
         {
-            Write-Verbose -Message "Could not find an Intune Antivirus Policy for macOS with Name {$DisplayName}."
-            return $nullResult
+            Write-Verbose -Message "No Intune Antivirus Policy for macOS with Name {$DisplayName} were found"
+            $currentValues = $PSBoundParameters
+            $currentValues.Ensure = 'Absent'
+            return $currentValues
         }
+
         $Id = $getValue.Id
         Write-Verbose -Message "An Intune Antivirus Policy for macOS with Id {$Id} and Name {$DisplayName} was found"
 

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1

@@ -439,37 +439,46 @@ function Get-TargetResource
         Add-M365DSCTelemetryEvent -Data $data
         #endregion
 
-        $nullResult = $PSBoundParameters
-        $nullResult.Ensure = 'Absent'
-
         $templateReferences = 'd948ff9b-99cb-4ee0-8012-1fbc09685377_1', 'e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1', '45fea5e9-280d-4da1-9792-fb5736da0ca9_1', '804339ad-1553-4478-a742-138fb5807418_1'
 
-        #Retrieve policy general settings
-        $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue
-
-        if ($null -eq $policy)
+        if ($PSBoundParameters.ContainsKey('Identity'))
         {
-            Write-Verbose -Message "Could not find an Intune Antivirus Policy for Windows10 Setting Catalog with Id {$Identity}"
-
-            if (-not [System.String]::IsNullOrEmpty($DisplayName))
+            Write-Verbose -Message 'PolicyID was specified'
+            try
             {
-                $policy = Get-MgBetaDeviceManagementConfigurationPolicy `
-                    -All `
-                    -Filter "Name eq '$DisplayName'" `
-                    -ErrorAction SilentlyContinue | Where-Object `
-                    -FilterScript {
-                    $_.TemplateReference.TemplateId -in $templateReferences
+                $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction Stop
+            }
+            catch
+            {
+                Write-Verbose -Message "No Intune Antivirus Policy for Windows10 Setting Catalog with Id {$Identity} was found"
+                $policy = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName'" | Where-Object -FilterScript {$_.TemplateReference.TemplateId -in $templateReferences}
+                if ($policy.Length -gt 1)
+                {
+                    throw "Duplicate Intune Antivirus Policy for Windows10 Setting Catalog named $DisplayName exist in tenant"
                 }
             }
         }
+        else
+        {
+            Write-Verbose -Message 'Id was NOT specified'
+            ## Can retreive multiple Intune Policies since displayname is not unique
+            $policy = Get-MgBetaDeviceManagementConfigurationPolicy -All -Filter "Name eq '$DisplayName'"
+            if ($policy.Length -gt 1)
+            {
+                throw "Duplicate Intune Antivirus Policy for Windows10 Setting Catalog named $DisplayName exist in tenant"
+            }
+        }
 
-        if ($null -eq $policy)
+        if ([String]::IsNullOrEmpty($policy.Id))
         {
-            Write-Verbose -Message "Could not find an Intune Antivirus Policy for Windows10 Setting Catalog with Name {$DisplayName}"
-            return $nullResult
+            Write-Verbose -Message "No Intune Antivirus Policy for Windows10 Setting Catalog with Name {$DisplayName} were found"
+            $currentValues = $PSBoundParameters
+            $currentValues.Ensure = 'Absent'
+            return $currentValues
         }
+
         $Identity = $policy.Id
-        Write-Verbose -Message "An Intune Antivirus Policy for Windows10 Setting Catalog with Id {$Identity} and Name {$DisplayName} was found."
+        Write-Verbose -Message "An Intune Antivirus Policy for Windows10 Setting Catalog with Id {$Identity} and Name {$DisplayName} was found"
 
         #Retrieve policy specific settings
         [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting `