Merge pull request #4331 from microsoft/Dev

Release 1.24.214.1

.github/workflows/Global - Integration - AAD.yml

@@ -6,6 +6,8 @@ jobs:
     # The type of runner that the job will run on
     runs-on: windows-latest
 
+    permissions: write-all
+
     # Only when run from the main repo
     if: github.repository == 'microsoft/Microsoft365DSC'
 

.github/workflows/Global - Integration - EXO.yml

@@ -6,6 +6,8 @@ jobs:
     # The type of runner that the job will run on
     runs-on: windows-latest
 
+    permissions: write-all
+
     # Only when run from the main repo
     if: github.repository == 'microsoft/Microsoft365DSC'
 

.github/workflows/Global - Integration - INTUNE.yml

@@ -6,6 +6,8 @@ jobs:
     # The type of runner that the job will run on
     runs-on: windows-latest
 
+    permissions: write-all
+
     # Only when run from the main repo
     if: github.repository == 'microsoft/Microsoft365DSC'
 

.github/workflows/PublishGitHubPages.yml

@@ -8,6 +8,8 @@ jobs:
   GenerateResource:
     runs-on: windows-latest
 
+    permissions: write-all
+
       # Only when run from the main repo
     if: github.repository == 'microsoft/Microsoft365DSC'
 

.github/workflows/Unit Tests.yml

@@ -7,6 +7,8 @@ jobs:
     # The type of runner that the job will run on
     runs-on: windows-latest
 
+    permissions: write-all
+
     # Only when run from the main repo
     if: github.repository == 'microsoft/Microsoft365DSC'
 

CHANGELOG.md

@@ -1,5 +1,63 @@
 # Change log for Microsoft365DSC
 
+# 1.24.214.1
+
+* AADConditionalAccessPolicy
+  * Removed invalid empty string value that was added to the validate set
+    of two parameters.
+  * Updated permission reference for app-onlzy authentication.
+    FIXES [[#3329](https://github.com/microsoft/Microsoft365DSC/issues/3329)]
+* AADRoleEligibilityScheduleRequest
+  * Fixed an issue where an error was thrown if no requests were found instead
+    of simply returning the Null object.
+* AADRoleSetting
+  * Fix handling of DisplayName property in comparison
+    FIXES [#4019](https://github.com/microsoft/Microsoft365DSC/issues/4019)
+* AADUser
+  * Fixed and issue where an user would be created even if the resrouce was set to absent.
+    FIXES [[#4265](https://github.com/microsoft/Microsoft365DSC/issues/4265)]
+* EXOMobileDeviceMailboxPolicy
+  * Fixes an issue where an empty MinPasswordLength value was always passed down
+    to the update logic flow.
+* IntuneAppConfigurationPolicy
+  * Added parameter Id to avoid having to retrieve the same policy multiple
+    times
+  * Fixed tests in Test-TargetResource to ensure the resource reports its
+    correct state
+    FIXES [#3542](https://github.com/microsoft/Microsoft365DSC/issues/3542)
+* IntuneDeviceAndAppManagementAssignmentFilter
+  * Fixed Test-TargetResource to ensure that resource reports its correct state
+    FIXES [#3959](https://github.com/microsoft/Microsoft365DSC/issues/3959)
+* IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10
+  * Fixed Test-TargetResource by removing Id from being tested and also used
+    correct filter while retrieving the policy otherwise it could not be found
+    FIXES [#3964](https://github.com/microsoft/Microsoft365DSC/issues/3964)
+* IntuneDeviceConfigurationPolicyAndroidWorkProfile
+  * Fix typo in variable which made it export incorrectly and report that
+    resource was not in correct state due to testing an incorrect value
+    FIXES [#3972](https://github.com/microsoft/Microsoft365DSC/issues/3972)
+* IntuneSettingCatalogASRRulesPolicyWindows10
+  * Fix removal of resource if Identity comes from another tenant or is not
+    present in blueprint
+  * Fix Test-TargetResource by not comparing Identity since it might be from
+    another tenant or not present in blueprint
+  FIXES [#4302](https://github.com/microsoft/Microsoft365DSC/issues/4302)
+* SCDPLPCompianceRule
+  * Added support for multiple additional parameters.
+* SPOSharingSettings
+  * Fixed an issue where the resource would return multiple sites.
+    FIXES [#2759](https://github.com/microsoft/Microsoft365DSC/issues/2759)
+* DEPENDENCIES
+  * Updated DSCParser to version 1.4.0.2.
+  * Updated Microsoft.Graph dependencies to version 2.13.1.
+  * Updated MSCloudLoginAssistant to version 1.1.13.
+* MISC
+  * M365DSCReport
+    * Fix nested change detection for CIMInstances
+    * Fix IntuneDeviceEnrolllmentPlatformRestriction comparison in report
+      FIXES [#4291](https://github.com/microsoft/Microsoft365DSC/issues/4291)
+  * Added new QA test to check for missing description in resource schema
+
 # 1.24.207.2
 
 * TeamsAppSetupPolicy

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1

@@ -71,7 +71,7 @@ function Get-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $IncludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -85,7 +85,7 @@ function Get-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $ExcludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -755,7 +755,7 @@ function Set-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $IncludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -769,7 +769,7 @@ function Set-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $ExcludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -1738,7 +1738,7 @@ function Test-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $IncludeExternalTenantsMembershipKind,
 
         [Parameter()]
@@ -1752,7 +1752,7 @@ function Test-TargetResource
 
         [Parameter()]
         [System.String]
-        [ValidateSet('', 'all', 'enumerated', 'unknownFutureValue')]
+        [ValidateSet('all', 'enumerated', 'unknownFutureValue')]
         $ExcludeExternalTenantsMembershipKind,
 
         [Parameter()]

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof

@@ -16,10 +16,10 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
     [Write, Description("AAD Admin Roles in scope of the Policy.")] String IncludeRoles[];
     [Write, Description("AAD Admin Roles out of scope of the Policy.")] String ExcludeRoles[];
     [Write, Description("Represents the Included internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String IncludeGuestOrExternalUserTypes[];
-    [Write, Description("Represents the Included Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String IncludeExternalTenantsMembershipKind;
+    [Write, Description("Represents the Included Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"all","enumerated","unknownFutureValue"}, Values{"all","enumerated","unknownFutureValue"}] String IncludeExternalTenantsMembershipKind;
     [Write, Description("Represents the Included collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String IncludeExternalTenantsMembers[];
     [Write, Description("Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String ExcludeGuestOrExternalUserTypes[];
-    [Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind;
+    [Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"all","enumerated","unknownFutureValue"}, Values{"all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind;
     [Write, Description("Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String ExcludeExternalTenantsMembers[];
     [Write, Description("Client Device Platforms in scope of the Policy.")] String IncludePlatforms[];
     [Write, Description("Client Device Platforms out of scope of the Policy.")] String ExcludePlatforms[];

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json

@@ -52,16 +52,46 @@
             },
             "application": {
                 "read": [
+                    {
+                        "name": "Agreement.Read.All"
+                    },
+                    {
+                        "name": "Application.Read.All"
+                    },
+                    {
+                        "name": "Group.Read.All"
+                    },
                     {
                         "name": "Policy.Read.All"
+                    },
+                    {
+                        "name": "RoleManagement.Read.Directory"
+                    },
+                    {
+                        "name": "User.Read.All"
                     }
                 ],
                 "update": [
+                    {
+                        "name": "Agreement.Read.All"
+                    },
                     {
                         "name": "Application.Read.All"
                     },
+                    {
+                        "name": "Group.Read.All"
+                    },
+                    {
+                        "name": "Policy.Read.All"
+                    },
                     {
                         "name": "Policy.ReadWrite.ConditionalAccess"
+                    },
+                    {
+                        "name": "RoleManagement.Read.Directory"
+                    },
+                    {
+                        "name": "User.Read.All"
                     }
                 ]
             }

Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1

@@ -1075,10 +1075,36 @@ function Export-TargetResource
             All         = [switch]$true
             ErrorAction = 'Stop'
         }
-        if ($Filter -like "*endsWith*") {
+
+        # Define the list of attributes
+        $attributesToCheck = @(
+            "description",
+            "displayName",
+            "hasMembersWithLicenseErrors",
+            "mail",
+            "mailNickname",
+            "onPremisesSecurityIdentifier",
+            "onPremisesSyncEnabled",
+            "preferredLanguage"
+        )
+
+        # Initialize a flag to indicate whether any attribute matches the condition
+        $matchConditionFound = $false
+
+        # Check each attribute in the list
+        foreach ($attribute in $attributesToCheck) {
+            if ($Filter -like "*$attribute eq null*") {
+                $matchConditionFound = $true
+                break
+            }
+        }
+
+        # If any attribute matches, add parameters to $ExportParameters
+        if ($matchConditionFound -or $Filter -like "*endsWith*") {
             $ExportParameters.Add('CountVariable', 'count')
             $ExportParameters.Add('ConsistencyLevel', 'eventual')
         }
+
         [array] $Script:exportedGroups = Get-MgGroup @ExportParameters
         $Script:exportedGroups = $Script:exportedGroups | Where-Object -FilterScript {
             -not ($_.MailEnabled -and ($null -eq $_.GroupTypes -or $_.GroupTypes.Length -eq 0)) -and `

Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1

@@ -182,16 +182,20 @@
 
                 $schedule = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'"
                 [Array]$request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$RoleDefinitionId'" | Sort-Object -Property CompletedDateTime -Descending
-`               $request = $request[0]
+`
+                if ($request.Length -gt 1)
+                {
+                    $request = $request[0]
+                }
             }
         }
         else
         {
             $ObjectGuid = [System.Guid]::empty
             if ($PrincipalType -eq 'User')
-            {            
+            {
                 Write-Verbose -Message "Retrieving principal {$Principal} of type {$PrincipalType}"
-                
+
                 if ([System.Guid]::TryParse($Principal,[System.Management.Automation.PSReference]$ObjectGuid))
                 {
                     $PrincipalIdValue = Get-MgUser -UserId $Principal -ErrorAction SilentlyContinue

Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.psm1

@@ -194,7 +194,7 @@ function Get-TargetResource
         $ManagedIdentity
     )
 
-    Write-Verbose -Message "Getting configuration of Role: $Displayname"
+    Write-Verbose -Message "Getting configuration of Role: $DisplayName"
     $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
         -InboundParameters $PSBoundParameters
 
@@ -225,15 +225,15 @@ function Get-TargetResource
             -ErrorAction SilentlyContinue
     }
 
-    if ($null -eq $RoleDefinition -and -not [System.String]::IsNullOrEmpty($Displayname))
+    if ($null -eq $RoleDefinition -and -not [System.String]::IsNullOrEmpty($DisplayName))
     {
         if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
         {
             $RoleDefinition = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName}
         }
         else
         {
-            $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$DisplayName'"
+            $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
         }
     }
 
@@ -327,7 +327,7 @@ function Get-TargetResource
 
     try
     {
-        Write-Verbose -Message "Found configuration of Rule $($Displayname)"
+        Write-Verbose -Message "Found configuration of Rule $($DisplayName)"
         $result = @{
             Id                                                        = $Id
             DisplayName                                               = $DisplayName
@@ -587,7 +587,7 @@ function Set-TargetResource
         $ManagedIdentity
     )
 
-    Write-Verbose -Message "Setting configuration of Role settings: $Displayname"
+    Write-Verbose -Message "Setting configuration of Role settings: $DisplayName"
 
     #Ensure the proper dependencies are installed in the current environment.
     Confirm-M365DSCDependencies
@@ -602,7 +602,7 @@ function Set-TargetResource
     #endregion
 
     #get role
-    $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$DisplayName'"
+    $RoleDefinition = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
 
     $Policy = $null
     if (-not [System.String]::IsNullOrEmpty($Id))
@@ -943,7 +943,7 @@ function Set-TargetResource
                         else
                         {
                             #try with group
-                            $Filter = "Displayname eq '" + $item + "'"
+                            $Filter = "displayName eq '" + $item + "'"
                             try
                             {
                                 $group = Get-MgGroup -Filter $Filter -ErrorAction Stop
@@ -1312,7 +1312,7 @@ function Test-TargetResource
     Add-M365DSCTelemetryEvent -Data $data
     #endregion
 
-    Write-Verbose -Message "Testing configuration of Role Assignment: $Displayname"
+    Write-Verbose -Message "Testing configuration of Role Assignment: $DisplayName"
 
     $CurrentValues = Get-TargetResource @PSBoundParameters
 

Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleSetting/MSFT_AADRoleSetting.schema.mof

@@ -1,7 +1,7 @@
 [ClassVersion("1.0.0.0"), FriendlyName("AADRoleSetting")]
 class MSFT_AADRoleSetting : OMI_BaseResource
 {
-    [Key, Description("RuleDefinition Displayname")] String Displayname;
+    [Key, Description("RuleDefinition DisplayName")] String DisplayName;
     [Write, Description("Specifies the RoleId.")] String Id;
     [Write, Description("Activation maximum duration (hours).")] String ActivationMaxDuration;
     [Write, Description("Require justification on activation (True/False)")] Boolean ActivationReqJustification;