From 50f4b4fed2db33fb79f5a6955082ae158b146aee Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Fri, 7 Jun 2024 03:35:20 +0200 Subject: [PATCH 01/26] Update settings catalog property comparison and fetch --- .../Modules/M365DSCDRGUtil.psm1 | 209 +++++------------- .../Microsoft365DSC/Modules/M365DSCUtil.psm1 | 11 +- 2 files changed, 70 insertions(+), 150 deletions(-) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 412350e301..df57d1bd6a 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -906,8 +906,6 @@ function Get-SettingCatalogSettingValue return $complexValue } - - function Get-SettingCatalogPolicySettingsFromTemplate { [CmdletBinding()] 
@@ -1006,128 +1004,6 @@ function Get-SettingCatalogPolicySettingsFromTemplate return $settings } -function New-IntuneSettingCatalogPolicy -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param - ( - - [Parameter(Mandatory = $true)] - [System.String] - $Name, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [Array] - $Settings - ) - - try - { - $Uri = '/beta/deviceManagement/configurationPolicies' - - $policy = @{ - 'name' = $Name - 'description' = $Description - 'platforms' = $Platforms - 'technologies' = $Technologies - 'templateReference' = @{'templateId' = $TemplateReferenceId } - 'settings' = $Settings - } - $body = $policy | ConvertTo-Json -Depth 20 - #write-verbose -Message $body - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ErrorAction Stop - } - catch - { - New-M365DSCLogEntry -Message 'Error updating data:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential - - return $null - } -} - -function Update-IntuneSettingCatalogPolicy -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param - ( - [Parameter(Mandatory = $true)] - [System.String] - $DeviceConfigurationPolicyId, - - [Parameter()] - [System.String] - $Name, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [Array] - $Settings - ) - - try - { - $Uri = "/beta/deviceManagement/configurationPolicies/$DeviceConfigurationPolicyId" - - $policy = @{ - 'name' = $Name - 'description' = $Description - 'platforms' = $Platforms - 'templateReference' = @{'templateId' = $TemplateReferenceId } - 'technologies' = $Technologies - 
'settings' = $Settings - } - $body = $policy | ConvertTo-Json -Depth 20 - #write-verbose -Message $body - Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop - } - catch - { - New-M365DSCLogEntry -Message 'Error updating data:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential - - return $null - } -} function ConvertFrom-IntunePolicyAssignment { [CmdletBinding()] @@ -1320,6 +1196,7 @@ function Compare-M365DSCIntunePolicyAssignment return $testResult } + function Update-DeviceConfigurationPolicyAssignment { [CmdletBinding()] @@ -1523,7 +1400,6 @@ function Get-IntuneSettingCatalogPolicySetting } $settingName = $settingInstanceTemplate.SettingDefinitionId.split('_') | Select-Object -Last 1 $settingType = $settingInstanceTemplate.AdditionalProperties.'@odata.type'.Replace('InstanceTemplate', 'Instance') - $settingInstance.Add('settingDefinitionId', $settingInstanceTemplate.settingDefinitionId) $settingInstance.Add('@odata.type', $settingType) if (-not [string]::IsNullOrEmpty($settingInstanceTemplate.settingInstanceTemplateId)) { @@ -1546,9 +1422,14 @@ function Get-IntuneSettingCatalogPolicySetting -SettingValueName $settingValueName ` -SettingValueType $settingValueType ` -SettingValueTemplateId $settingValueTemplateId + if ($settingValue.Count -gt 0) { $settingInstance += [Hashtable]$settingValue + if ($settingInstance.Keys -notcontains 'settingDefinitionId') + { + $settingInstance.Add('settingDefinitionId', $settingInstanceTemplate.settingDefinitionId) + } $settingInstances += @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' 'settingInstance' = $settingInstance 
@@ -1625,11 +1506,14 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue -SettingName $childSettingName ` -SettingType $childDefinition.AdditionalProperties.'@odata.type' ` -SettingValueName $childSettingValueName ` - -SettingValueType $childSettingValueType ` + -SettingValueType $childSettingValueType if ($null -ne $childSettingValue) { - $childSettingValue.Add('settingDefinitionId', $childDefinition.Id) + if ($childSettingValue.Keys -notcontains 'settingDefinitionId') + { + $childSettingValue.Add('settingDefinitionId', $childDefinition.Id) + } $childSettingValue.Add('@odata.type', $childSettingType) $groupSettingCollectionValueChildren += $childSettingValue } @@ -1655,7 +1539,7 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $childSettingType = $childDefinition.AdditionalProperties.'@odata.type'.Replace('Definition', 'Instance') $childSettingValueName = $childSettingType.Replace('#microsoft.graph.deviceManagementConfiguration', '').Replace('Instance', 'Value') $childSettingValueType = "#microsoft.graph.deviceManagementConfiguration$($childSettingValueName)" - $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.length - 1 ) + $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.Length - 1 ) $childSettingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` -DSCParams $DSCParams ` -SettingDefinition $childDefinition ` 
@@ -1663,30 +1547,44 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue -SettingName $childSettingName ` -SettingType $childDefinition.AdditionalProperties.'@odata.type' ` -SettingValueName $childSettingValueName ` - -SettingValueType $childSettingValueType ` + -SettingValueType $childSettingValueType if ($childSettingValue.Keys.Count -gt 0) { - $childSettingValue.Add('settingDefinitionId', $childDefinition.Id) - $childSettingValue.Add('@odata.type', $childSettingValueType) + if ($childSettingValue.Keys -notcontains 'settingDefinitionId') + { + $childSettingValue.Add('settingDefinitionId', $childDefinition.Id) + } + $childSettingValue.Add('@odata.type', $childSettingType) $choiceSettingValueChildren += $childSettingValue } } if ($choiceSettingDefinitionChildren.Count -gt 0) { $choiceSettingValue.Add('children', $choiceSettingValueChildren) + } else { + $choiceSettingValue.Add('children', @()) } - if ($null -ne $DSCParams[$SettingName]) + + $paramKey = $null + $paramKey = $DSCParams.Keys | Where-Object { $_ -eq $SettingName } + if ($null -eq $paramKey) { - $value = "$($SettingDefinition.Id)_$($DSCParams[$SettingName])" + $paramKey = $SettingName + } + + if ($null -ne $DSCParams[$paramKey]) + { + $value = "$($SettingDefinition.Id)_$($DSCParams[$paramKey])" $choiceSettingValue.Add('value', $value) - $choiceSettingValue.Add('@odata.type', $SettingType.Replace('Instance', 'Value')) - if (-Not [string]::IsNullOrEmpty($SettingValueTemplateId)) + $odataType = $SettingType.Replace('Definition', 'Value').Replace('Instance', 'Value') + $choiceSettingValue.Add('@odata.type', $odataType) + if (-not [string]::IsNullOrEmpty($SettingValueTemplateId)) { $choiceSettingValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $SettingValueTemplateId }) } } - if ($choiceSettingValue.Keys.Count -gt 0) + if ($choiceSettingValue.Children.Count -gt 0 -or $null -ne $choiceSettingValue.value) { $settingValuesToReturn.Add('choiceSettingValue', $choiceSettingValue) } 
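Review bot: The `$paramKey` lookup added before the `value` assignment needs a comment, because the reason for replacing the direct `$DSCParams[$SettingName]` access with `$DSCParams.Keys | Where-Object { $_ -eq $SettingName }` is not stated; presumably it finds the caller's key regardless of casing, e.g. `# -eq is case-insensitive: resolve the key even if $DSCParams is a case-sensitive hashtable`. The preceding `$paramKey = $null` is redundant, since the next line assigns the variable unconditionally. If more than one key matches, `$paramKey` becomes an array and `$DSCParams[$paramKey]` returns several values, so appending `| Select-Object -First 1` would keep the lookup deterministic. The function starts and ends outside the hunk.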
@@ -1713,7 +1611,7 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $matchCombined = $true } } - + if (-not $matchCombined) { # Parent was not combined, look for the id @@ -1737,11 +1635,11 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue { $settingValueCollection += @{ value = $v - '@odata.type' = $settingValueType + '@odata.type' = $SettingValueType } } if ($settingValueCollection.Count -gt 0) { - $settingValuesToReturn.Add($settingValueName, $settingValueCollection) + $settingValuesToReturn.Add($SettingValueName, $settingValueCollection) } } Default @@ -1767,7 +1665,7 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $matchCombined = $true } } - + if (-not $matchCombined) { # Parent was not combined, look for the id @@ -1776,12 +1674,24 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue { $global:excludedDefinitionIds += $_.Id $matchesId = $true + $SettingDefinition = $_ } } } } if (($name.Count -eq 1 -and $SettingName -eq $key) -or $matchCombined -or $matchesId) { + if ($SettingValueType -like "*Simple*") + { + if ($DSCParams[$key] -is [System.String]) + { + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationStringSettingValue" + } + elseif ($DSCParams[$key] -is [System.Int32]) + { + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue" + } + } if ($SettingValueType -like "*Simple*" -or $SettingValueType -in @("#microsoft.graph.deviceManagementConfigurationIntegerSettingValue", "#microsoft.graph.deviceManagementConfigurationStringSettingValue")) { $value = $DSCParams[$key] 
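Review bot: The type resolution added under `if ($SettingValueType -like "*Simple*")` in the `@@ -1776,12 +1674,24 @@` hunk only recognises `[System.String]` and `[System.Int32]`, so a value of any other type (for example `[System.UInt32]` or `[System.Int64]`) leaves `$SettingValueType` unresolved and is still passed on by the branch that follows. Whether the DSC schemas can deliver such types is not visible here; if they can, add a fallback such as `else { Write-Verbose -Message "Simple setting '$key' has unhandled type $($DSCParams[$key].GetType().FullName)" }` or widen the integer test. The same hunk assigns `$SettingDefinition = $_`, overwriting the function parameter, and a comment such as `# Use the matched definition so the settingDefinitionId added below belongs to the resolved setting` would explain why. The function body starts and ends outside the hunk.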
@@ -1800,17 +1710,18 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue } $settingValue = @{} - if (-Not [string]::IsNullOrEmpty($settingValueType)) + if (-not [string]::IsNullOrEmpty($SettingValueType)) { - $settingValue.Add('@odata.type', $settingValueType) + $settingValue.Add('@odata.type', $SettingValueType) } - if (-Not [string]::IsNullOrEmpty($settingValueTemplateId)) + if (-not [string]::IsNullOrEmpty($settingValueTemplateId)) { $settingValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $settingValueTemplateId }) } $settingValue.Add('value', $value) - $settingValuesToReturn.Add($settingValueName, $settingValue) + $settingValuesToReturn.Add($SettingValueName, $settingValue) + $settingValuesToReturn.Add('settingDefinitionId', $SettingDefinition.Id) } } return $settingValuesToReturn @@ -1861,10 +1772,10 @@ function Export-IntuneSettingCatalogPolicySettings $addToParameters = $true $settingDefinition = $SettingDefinitions | Where-Object -FilterScript { $_.Id -eq $SettingInstance.settingDefinitionId } - $settingName = $settingDefinition | Select-Object -ExpandProperty Name - + $settingName = $settingDefinition.Name + # Check if the name is unique - $settingMatches = $SettingDefinitions | Where-Object -FilterScript { $_.Name -eq $settingName } + $settingMatches = @($SettingDefinitions | Where-Object -FilterScript { $_.Name -eq $settingName }) if ($settingMatches.Count -gt 1) { if ($settingDefinition.AdditionalProperties.dependentOn.parentSettingId.Count -gt 0) @@ -1888,7 +1799,7 @@ function Export-IntuneSettingCatalogPolicySettings $settingName = $($parentSetting.Name) + "_" + $settingName } # If the combination of parent setting and setting name is still not unique, grab the last part of the setting id - else + else { $parentSettingIdProperty = $parentSetting.Id.Split('_')[-1] $parentSettingIdWithoutProperty = $parentSetting.Id.Replace("_$parentSettingIdProperty", "") 
@@ -2007,4 +1918,4 @@ function Update-IntuneDeviceConfigurationPolicy return $null } -} \ No newline at end of file +} diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index c87282c1d5..a29b8317c8 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -649,7 +649,16 @@ function Test-M365DSCParameterState if ($CheckDesiredValue) { - $desiredType = $DesiredValues.$_.GetType() + $desiredValue = $DesiredValues.$_ + if ($null -eq $desiredValue) + { + $desiredType = $CurrentValues.$_.GetType() + } + else + { + $desiredType = $DesiredValues.$_.GetType() + } + $fieldName = $_ if ($desiredType.IsArray -eq $true) { From 06918f3ee2a5db8e424e41cb9f67a0579c599a4f Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Fri, 7 Jun 2024 03:35:42 +0200 Subject: [PATCH 02/26] Migrate Intune LAPS policy to new Settings Catalog Cmdlets --- CHANGELOG.md | 9 + ...alAdministratorPasswordSolutionPolicy.psm1 | 792 ++++-------------- ...nistratorPasswordSolutionPolicy.schema.mof | 4 +- ...inistratorPasswordSolutionPolicy.Tests.ps1 | 192 +++-- 4 files changed, 291 insertions(+), 706 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 734102a4d7..f5c4cf873c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,14 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy + * Migrate to new settings catalog cmdlets +* M365DSCDRGUtil + * Fixes an issue with the settings catalog property generation +* M365DSCUtil + * Fixes an issue where the comparison with null-valued desired value throws an error + # 1.24.605.1 * AADAuthenticationFlowPolicy 
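Review bot: The null fallback added to Test-M365DSCParameterState still calls `.GetType()` on `$CurrentValues.$_`, so the error this hunk fixes comes back whenever the current value is null as well as the desired one. Resolve the type with both sides guarded and reuse the local that is already assigned: `$desiredType = if ($null -ne $desiredValue) { $desiredValue.GetType() } elseif ($null -ne $CurrentValues.$_) { $CurrentValues.$_.GetType() } else { $null }`. How the rest of the block treats a null `$desiredType` is outside the hunk, so confirm that the `$desiredType.IsArray` test and the comparisons after it behave as intended for that case.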
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index 12d2a7fbf2..c312d913ef 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 @@ -32,7 +32,8 @@ function Get-TargetResource $PasswordAgeDays, [Parameter()] - [System.Boolean] + [ValidateSet('true', 'false')] + [System.String] $PasswordExpirationProtectionEnabled, [Parameter()] @@ -41,7 +42,8 @@ function Get-TargetResource $AdEncryptedPasswordHistorySize, [Parameter()] - [System.Boolean] + [ValidateSet('true', 'false')] + [System.String] $AdPasswordEncryptionEnabled, [Parameter()] 
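Review bot: `[ValidateSet('true', 'false')]` on `PasswordExpirationProtectionEnabled` and `AdPasswordEncryptionEnabled` is case-insensitive, so `'True'`, or a `$true` from an existing configuration converted to `"True"`, passes validation and reaches the settings builder unchanged. If these are choice settings, patch 01 builds the option id as `"$($SettingDefinition.Id)_$($DSCParams[$paramKey])"`, so the parameter's casing ends up in the value sent to Graph; whether Graph matches that id case-insensitively is not visible here. Either reject mis-cased input at binding with `[ValidateSet('true', 'false', IgnoreCase = $false)]`, or lower-case the bound value before the settings are built, so that a LAPS encryption or expiration setting cannot be sent with an unrecognised option id. The same parameter change is repeated in the Set-TargetResource and Test-TargetResource hunks.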
@@ -110,141 +112,73 @@ function Get-TargetResource $AccessTokens ) - Write-Verbose -Message "Checking for the Intune Account Protection LAPS Policy {$DisplayName}" + try + { - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters ` - -ErrorAction Stop + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters ` + -ErrorAction Stop - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion - $nullResult = $PSBoundParameters - $nullResult.Ensure = 'Absent' + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' - try - { - #Retrieve policy general settings - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ExpandProperty settings -ErrorAction SilentlyContinue + $templateReferenceId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' + + # Retrieve policy general settings + $policy = $null + $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Identity -ErrorAction SilentlyContinue if ($null -eq $policy) { - Write-Verbose -Message "No Account Protection LAPS Policy {id: 
'$Identity'} was found" - $policyTemplateID = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' - $filter = "name eq '$DisplayName' and templateReference/TemplateId eq '$policyTemplateID'" - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter $filter -ErrorAction SilentlyContinue + Write-Verbose -Message "No Account Protection LAPS Policy with Id {$Identity} was found" - if(([array]$policy).count -gt 1) + if (-not [System.String]::IsNullOrEmpty($DisplayName)) { - throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" + $policy = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName' and templateReference/TemplateId eq '$templateReferenceId'" ` + -ErrorAction SilentlyContinue } - - if ($null -eq $policy) - { - Write-Verbose -Message "No Account Protection LAPS Policy {displayName: '$DisplayName'} was found" - return $nullResult - } - - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.Id -ExpandProperty settings -ErrorAction SilentlyContinue } + if ($null -eq $policy) + { + Write-Verbose -Message "No Account Protection LAPS Policy with Name {$DisplayName} was found" + return $nullResult + } $Identity = $policy.Id + Write-Verbose "Found Account Protection LAPS Policy with Id {$Identity} and Name {$($policy.Name)}" - Write-Verbose -Message "Found Account Protection LAPS Policy {$($policy.id):$($policy.Name)}" - [array]$settings = $policy.settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Identity ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop $returnHashtable = @{} $returnHashtable.Add('Identity', $Identity) - $returnHashtable.Add('DisplayName', $policy.name) - $returnHashtable.Add('Description', $policy.description) - - foreach ($setting in $settings.SettingInstance) - { - $addToParameters = $true - $settingName = 
$setting.settingDefinitionId.Split('_') | Select-Object -Last 1 - $replaceUri = $setting.settingDefinitionId.Replace($settingName, '') + $returnHashtable.Add('DisplayName', $policy.Name) + $returnHashtable.Add('Description', $policy.Description) - $settingType = $setting.AdditionalProperties.'@odata.type' - $settingValueName = $settingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $settingValueName = $settingValueName.Substring(0, 1).ToLower() + $settingValueName.Substring(1, $settingValueName.length - 1 ) + $returnHashtable = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $returnHashtable - switch ($settingType) - { - '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - { - $settingValue = $setting.AdditionalProperties.simpleSettingValue.value - } - '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - { - $settingValue = $setting.AdditionalProperties.choiceSettingValue.value.split('_') | Select-Object -Last 1 - } - '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - { - $values = @() - foreach ($value in $setting.AdditionalProperties.groupSettingCollectionValue.children) - { - $settingName = $value.settingDefinitionId.split('_') | Select-Object -Last 1 - $settingValue = $value.choiceSettingValue.value.split('_') | Select-Object -Last 1 - $returnHashtable.Add($settingName, $settingValue) - $addToParameters = $false - } - } - '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - { - $values = @() - foreach ($value in $setting.AdditionalProperties.simpleSettingCollectionValue.value) - { - $values += $value - } - $settingValue = $values - } - Default - { - $settingValue = $setting.value - } - } - - foreach ($childSetting in $setting.AdditionalProperties.$settingValueName.children) - { - $childSettingName = $childSetting.settingDefinitionId.Replace($replaceUri, '') - $childSettingType = 
$childSetting.'@odata.type'.Replace('#microsoft.graph.deviceManagementConfiguration', '').Replace('Instance', 'Value') - $childSettingType = $childSettingType.Substring(0, 1).ToLower() + $childSettingType.Substring(1, $childSettingType.length - 1 ) - $childSettingValue = $childSetting.$childSettingType.value - - if ($childSettingType -eq 'choiceSettingValue') - { - $childSettingValue = $childSettingValue.split('_') | Select-Object -Last 1 - } - $returnHashtable.Add($childSettingName, $childSettingValue) - } - - if ($addToParameters) - { - $returnHashtable.Add($settingName, $settingValue) - } - - } - $returnAssignments = @() - $graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id - if ($graphAssignments.count -gt 0) + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) { - $returnAssignments += ConvertFrom-IntunePolicyAssignment ` - -IncludeDeviceFilter:$true ` - -Assignments ($graphAssignments) + $assignmentResult += ConvertFrom-IntunePolicyAssignment -IncludeDeviceFilter $true -Assignments $assignmentsValues } - $returnHashtable.Add('Assignments', $returnAssignments) - - - Write-Verbose -Message "Found Account Protection LAPS Policy {$($policy.name)}" + $returnHashtable.Add('Assignments', $assignmentResult) $returnHashtable.Add('Ensure', 'Present') $returnHashtable.Add('Credential', $Credential) @@ -303,7 +237,8 @@ function Set-TargetResource $PasswordAgeDays, [Parameter()] - [System.Boolean] + [ValidateSet('true', 'false')] + [System.String] $PasswordExpirationProtectionEnabled, [Parameter()] @@ -312,7 +247,8 @@ function Set-TargetResource $AdEncryptedPasswordHistorySize, [Parameter()] - [System.Boolean] + [ValidateSet('true', 'false')] + [System.String] $AdPasswordEncryptionEnabled, [Parameter()] 
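Review bot: The display-name fallback in Get-TargetResource no longer rejects multiple matches: the removed `if(([array]$policy).count -gt 1)` throw has no replacement, so when two LAPS policies share a name `$policy.Id` is an array and is passed as `$Identity` to `Get-MgBetaDeviceManagementConfigurationPolicySetting`. Restore the guard after the filtered lookup, e.g. `if (([array]$policy).Count -gt 1) { throw "A policy with a duplicated displayName {'$DisplayName'} was found - Ensure displayName is unique" }`, so that drift detection and updates never act on an ambiguous policy. `$DisplayName` is also interpolated into the OData filter unescaped; using `$DisplayName.Replace("'", "''")` in the filter string keeps a name containing an apostrophe from breaking the query. The `try` block this hunk opens is closed outside it.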
@@ -394,14 +330,8 @@ function Set-TargetResource #endregion $currentPolicy = Get-TargetResource @PSBoundParameters - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('AccessTokens') | Out-Null + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters $templateReferenceId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' $platforms = 'windows10' 
@@ -410,49 +340,66 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent') { Write-Verbose -Message "Creating new Account Protection LAPS Policy {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + $BoundParameters.Remove('Identity') | Out-Null $settings = Get-IntuneSettingCatalogPolicySetting ` - -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId $createParameters = @{ Name = $DisplayName Description = $Description - TemplateReference = @{templateId = $templateReferenceId } + TemplateReference = @{ templateId = $templateReferenceId } Platforms = $platforms Technologies = $technologies Settings = $settings } - $newPolicy = New-MgBetaDeviceManagementConfigurationPolicy -bodyParameter $createParameters + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + $assignmentsHash = @() + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment + } - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $newPolicy.Id ` - -Targets $assignmentsHash + if ($policy.Id) + { + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } } elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Updating existing Account Protection LAPS Policy {$($currentPolicy.DisplayName)}" + $BoundParameters.Remove('Assignments') | Out-Null + $BoundParameters.Remove('Identity') | Out-Null #format settings from PSBoundParameters for update $settings = Get-IntuneSettingCatalogPolicySetting ` - -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` + 
-DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId - Update-DeviceManagementConfigurationPolicy ` - -DeviceManagementConfigurationPolicyId $currentPolicy.Identity ` - -DisplayName $DisplayName ` + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Name $DisplayName ` -Description $Description ` - -TemplateReference $templateReferenceId ` + -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings #region update policy assignments - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = @() + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + } Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` - -Targets $assignmentsHash + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' #endregion } elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present') @@ -496,7 +443,8 @@ function Test-TargetResource $PasswordAgeDays, [Parameter()] - [System.Boolean] + [ValidateSet('true', 'false')] + [System.String] $PasswordExpirationProtectionEnabled, [Parameter()] @@ -505,7 +453,8 @@ function Test-TargetResource $AdEncryptedPasswordHistorySize, [Parameter()] - [System.Boolean] + [ValidateSet('true', 'false')] + [System.String] $AdPasswordEncryptionEnabled, [Parameter()] 
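Review bot: In the create branch of Set-TargetResource a failed `New-MgBetaDeviceManagementConfigurationPolicy` call can now pass silently: the call has no `-ErrorAction Stop`, and `if ($policy.Id)` just skips the assignment update, so unless the cmdlet raises a terminating error on its own the resource can finish without the LAPS policy or its assignments in place. Add `-ErrorAction Stop` to the create call, or give the guard an `else { throw "Account Protection LAPS Policy {$DisplayName} could not be created" }`. The update branch iterates with `$assignment` but passes `-ComplexObject $Assignment`; PowerShell resolves both to the same variable, but matching the casing of the create branch makes that obvious. The function starts and ends outside the hunk.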
@@ -588,41 +537,76 @@ function Test-TargetResource Write-Verbose -Message "Testing configuration of Account Protection LAPS Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters - if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) - { - Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" - throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - $ValuesToCheck = ([hashtable]$PSBoundParameters).clone() - $ValuesToCheck.Remove('Identity') | Out-Null - - $testResult = $true if ($CurrentValues.Ensure -ne $Ensure) { Write-Verbose -Message "Test-TargetResource returned $false" return $false } + $testResult = $true #Compare Cim instances - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments - $target = $CurrentValues.Assignments - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - $ValuesToCheck.Remove('Assignments') | Out-Null + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $source = 
Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + + if ($key -eq "Assignments") + { + $testResult = Compare-M365DSCIntunePolicyAssignment ` + -Source $source ` + -Target $target + } + else + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + } + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Identity') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" if ($testResult) { - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testResult" - return $TestResult + return $testResult } function Export-TargetResource @@ -703,7 +687,7 @@ function Export-TargetResource Write-Host " |---[$i/$($policies.Count)] $($policy.Name)" -NoNewline $params = @{ - Identity = $policy.id + Identity = $policy.Id DisplayName = $policy.Name Ensure = 'Present' Credential = $Credential 
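Review bot: The filter `$_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', ...)` in Test-TargetResource is true for every key, because no name both ends in `Variable` and appears in the list, so common parameters are never excluded. It should read `if ($_.Key -notlike '*Variable' -and $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction'))`. As written, a call with `-Verbose` puts `Verbose` into `$ValuesToCheck` and may report drift that does not exist. The hunk also drops the `Test-M365DSCAuthenticationParameter` check that threw when Get-TargetResource failed; if that failure path still returns `Ensure = 'Absent'` (its catch block is outside the visible hunks), a lookup error is now treated as a missing policy and leads to Set-TargetResource being run.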
@@ -711,53 +695,44 @@ function Export-TargetResource TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent + ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens } $Results = Get-TargetResource @params - if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $Results)) - { - Write-Verbose "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed" - throw "An error occured in Get-TargetResource, the policy {$($params.displayName)} will not be processed. Refer to the event viewer logs for more information." - } - if ($Results.Ensure -eq 'Present') - { - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results - if ($Results.Assignments) + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments + if ($complexTypeStringResult) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) ` - -CIMInstanceName IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments - if ($complexTypeStringResult) - { - $Results.Assignments = $complexTypeStringResult - } - else - { - $Results.Remove('Assignments') | Out-Null - } + $Results.Assignments = $complexTypeStringResult } - - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $Results ` - -Credential $Credential - - if ($Results.Assignments) + else { - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' 
-IsCIMArray:$true + $Results.Remove('Assignments') | Out-Null } + } - $dscContent += $currentDSCBlock - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential - Write-Host $Global:M365DSCEmojiGreenCheckMark - $i++ + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + + Write-Host $Global:M365DSCEmojiGreenCheckMark + $i++ } return $dscContent } 
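Review bot: The export loop now formats and saves whatever `Get-TargetResource @params` returns, because both the `Test-M365DSCAuthenticationParameter` check and the `if ($Results.Ensure -eq 'Present')` wrapper are removed. If `Get-TargetResource` can return an `Absent` or error result for a policy that was just listed (its body is outside this hunk, so this is an assumption), that result goes to `Update-M365DSCExportAuthenticationResults` and into the exported configuration. Keeping `if ($Results.Ensure -eq 'Present')` around the code that builds `$currentDSCBlock` would keep incomplete results out of the export. The `[Array]` cast on `$Results.Assignments` is also gone, so a single assignment may reach `Get-M365DSCDRGComplexTypeToString` as a scalar; that is worth checking against the helper. `Export-TargetResource` starts before this hunk.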
@@ -784,433 +759,4 @@ function Export-TargetResource } } -function Get-IntuneSettingCatalogPolicySetting -{ - [CmdletBinding()] - [OutputType([System.Array])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - [Parameter(Mandatory = 'true')] - [System.String] - $TemplateId - ) - - $DSCParams.Remove('Identity') | Out-Null - $DSCParams.Remove('DisplayName') | Out-Null - $DSCParams.Remove('Description') | Out-Null - - #Prepare setting definitions mapping - $settingDefinitions = Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -DeviceManagementConfigurationPolicyTemplateId $TemplateId -ExpandProperty settingDefinitions - $settingInstances = @() - foreach ($settingDefinition in $settingDefinitions.SettingInstanceTemplate) - { - - $settingInstance = @{} - $settingName = $settingDefinition.SettingDefinitionId.split('_') | Select-Object -Last 1 - $settingType = $settingDefinition.AdditionalProperties.'@odata.type'.replace('InstanceTemplate', 'Instance') - $settingInstance.Add('settingDefinitionId', $settingDefinition.settingDefinitionId) - $settingInstance.Add('@odata.type', $settingType) - if (-Not [string]::IsNullOrEmpty($settingDefinition.settingInstanceTemplateId)) - { - $settingInstance.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $settingDefinition.settingInstanceTemplateId }) - } - $settingValueName = $settingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $settingValueName = $settingValueName.Substring(0, 1).ToLower() + $settingValueName.Substring(1, $settingValueName.length - 1 ) - $settingValueType = $settingDefinition.AdditionalProperties."$($settingValueName)Template".'@odata.type' - if ($null -ne $settingValueType) - { - $settingValueType = $settingValueType.replace('ValueTemplate', 'Value') - } - $settingValueTemplateId = $settingDefinition.AdditionalProperties."$($settingValueName)Template".settingValueTemplateId - 
$settingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` - -DSCParams $DSCParams ` - -SettingDefinition $settingDefinition ` - -SettingName $settingName ` - -SettingType $settingType ` - -SettingValueName $settingValueName ` - -SettingValueType $settingValueType ` - -SettingValueTemplateId $settingValueTemplateId - - if ($null -ne $settingValue) { - - if ($settingType -ne '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance') - { - $settingValue.$settingValueName.Add('children', @()) - - foreach ($childSettingDefinition in ($settingDefinitions.SettingDefinitions | Where-Object { $_.RootDefinitionId -eq $settingInstance.settingDefinitionId })) - { - if ($childSettingDefinition.Id -eq $settingDefinition.SettingDefinitionId) - { - # We have already covered that setting through the settingInstanceTemplate - Continue - } - - $key = $DSCParams.Keys | Where-Object { $_.ToLower() -eq $settingName } - $dscValue = $DSCParams[$key] - - if ($childSettingDefinition.AdditionalProperties.dependentOn.dependentOn -ne ($settingDefinition.SettingDefinitionId + '_' + $dscValue)) - { - if ($childSettingDefinition.AdditionalProperties.options.dependentOn.dependentOn -notContains ($settingDefinition.SettingDefinitionId + '_' + $dscValue)) - { - # This setting is not dependent on the current setting value - Continue - } - } - $childSettingUri = ($childSettingDefinition.BaseUri + $childSettingDefinition.OffsetUri).Replace('/', '_').Replace('._', '').ToLower() - $replaceUri = $childSettingUri.Replace($childSettingUri.Split('_')[-1], '') - - $childSettingInstance = @{} - $childSettingName = $childSettingDefinition.Id.Replace($replaceUri, '') - $childSettingType = $childSettingDefinition.AdditionalProperties.'@odata.type'.replace('Definition', 'Instance') - $childSettingInstance.Add('settingDefinitionId', $childSettingDefinition.Id) - $childSettingInstance.Add('@odata.type', $childSettingType) - $childSettingValueName = 
$childSettingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.length - 1 ) - if ($null -ne $childSettingDefinition.AdditionalProperties.valueDefinition) - { - $childSettingValueType = $childSettingDefinition.AdditionalProperties.valueDefinition.'@odata.type'.Replace('ValueDefinition', 'Value') - } - else - { - $childSettingValueType = $childSettingType.Replace('Instance', 'Value') - } - $childSettingValue = Get-IntuneSettingCatalogPolicySettingDefinitionValue ` - -DSCParams $DSCParams ` - -SettingDefinition $childSettingDefinition ` - -SettingName $childSettingName ` - -SettingValueName $childSettingValueName ` - -SettingValueType $childSettingValueType ` - - if ($null -ne $childSettingValue) - { - $childSettingInstance += ($childSettingValue) - $settingValue.$settingValueName.children += $childSettingInstance - } - } - } - - $settingInstance += ($settingValue) - $settingInstances += @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' - 'settingInstance' = $settingInstance - } - } else { - Continue - } - } - - return $settingInstances -} - -function Get-IntuneSettingCatalogPolicySettingInstanceValue -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - - [Parameter()] - $SettingDefinition, - - [Parameter()] - [System.String] - $SettingType, - - [Parameter()] - [System.String] - $SettingName, - - [Parameter()] - [System.String] - $SettingValueName, - - [Parameter()] - [System.String] - $SettingValueType, - - [Parameter()] - [System.String] - $SettingValueTemplateId - ) - - $settingValueReturn = @{} - switch ($settingType) - { - '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - { - $groupSettingCollectionValue = @{} - 
$groupSettingCollectionValueChildren = @() - - $groupSettingCollectionDefinitionChildren = $SettingDefinition.AdditionalProperties.groupSettingCollectionValueTemplate.children - foreach ($childDefinition in $groupSettingCollectionDefinitionChildren) - { - $childSettingName = $childDefinition.settingDefinitionId.split('_') | Select-Object -Last 1 - $childSettingType = $childDefinition.'@odata.type'.replace('InstanceTemplate', 'Instance') - $childSettingValueName = $childSettingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $childSettingValueType = "#microsoft.graph.deviceManagementConfiguration$($childSettingValueName)" - $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.length - 1 ) - $childSettingValueTemplateId = $childDefinition.$childSettingValueName.settingValueTemplateId - $childSettingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` - -DSCParams $DSCParams ` - -SettingDefinition $childDefinition ` - -SettingName $childSettingName ` - -SettingType $childDefinition.'@odata.type' ` - -SettingValueName $childSettingValueName ` - -SettingValueType $childSettingValueType ` - -SettingValueTemplateId $childSettingValueTemplateId - - if ($null -ne $childSettingValue) - { - $childSettingValue.add('settingDefinitionId', $childDefinition.settingDefinitionId) - $childSettingValue.add('@odata.type', $childSettingType ) - $groupSettingCollectionValueChildren += $childSettingValue - } - } - $groupSettingCollectionValue.add('children', $groupSettingCollectionValueChildren) - $settingValueReturn.Add('groupSettingCollectionValue', @($groupSettingCollectionValue)) - } - '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - { - $values = @() - foreach ( $key in $DSCParams.Keys) - { - if ($settingName -eq ($key.ToLower())) - { - $values = $DSCParams[$key] - break - } - } - $settingValueCollection = @() - 
foreach ($v in $values) - { - $settingValueCollection += @{ - value = $v - '@odata.type' = $settingValueType - } - } - $settingValueReturn.Add($settingValueName, $settingValueCollection) - } - Default - { - $value = $null - foreach ( $key in $DSCParams.Keys) - { - if ($settingName -eq ($key.ToLower())) - { - if ($settingValueType -eq '#microsoft.graph.deviceManagementConfigurationBooleanSettingValue') - { - $value = [bool]::Parse($DSCParams[$key]) - } - elseif ($settingValueType -eq '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue') - { - $value = [int]::Parse($DSCParams[$key]) - } - elseif ($settingValueType -eq '#microsoft.graph.deviceManagementConfigurationStringSettingValue') - { - $value = $DSCParams[$key] - } - else { - $value = "$($SettingDefinition.settingDefinitionId)_$($DSCParams[$key])" - } - break - } - } - $settingValue = @{} - - if (-not [string]::IsNullOrEmpty($settingValueType)) - { - $settingValue.Add('@odata.type', $settingValueType) - } - if (-not [string]::IsNullOrEmpty($settingValueTemplateId)) - { - $settingValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $settingValueTemplateId }) - } - - if ($null -eq $value) - { - # Use the default value if exists - $value = $SettingDefinition.$SettingValueName.defaultValue - if ($null -eq $value) - { - return $null - } - } - $settingValue.Add('value', $value) - $settingValueReturn.Add($settingValueName, $settingValue) - } - } - return $settingValueReturn -} - -function Get-IntuneSettingCatalogPolicySettingDefinitionValue -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - - [Parameter()] - $SettingDefinition, - - [Parameter()] - [System.String] - $SettingName, - - [Parameter()] - [System.String] - $SettingValueName, - - [Parameter()] - [System.String] - $SettingValueType - ) - - $settingValueReturn = @{} - $key = $DSCParams.Keys | Where-Object { $_.ToLower() 
-eq $SettingName } - if ($null -ne $key) - { - $value = $DSCParams[$key] - } - else - { - # Use default value if exists - if ($null -ne $SettingDefinition.AdditionalProperties.defaultValue) - { - $value = $SettingDefinition.AdditionalProperties.defaultValue.value - } - elseif ($null -ne $SettingDefinition.AdditionalProperties.defaultOptionId) - { - $value = $SettingDefinition.AdditionalProperties.defaultOptionId - } - } - - $settingValue = @{} - if (-Not [string]::IsNullOrEmpty($settingValueType)) - { - $settingValue.add('@odata.type', $settingValueType) - } - if ($null -eq $value) - { - return $null - } - $settingValue.add('value', $value) - $settingValueReturn.Add($settingValueName, $settingValue) - - return $settingValueReturn -} - -function Update-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId, - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId" - $policy = [ordered]@{ - 'name' = $DisplayName - 'description' = $Description - 'platforms' = $Platforms - 'technologies' = $Technologies - 'templateReference' = $templateReference - 'settings' = $Settings - } - Invoke-MgGraphRequest -Method PUT ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> out-null -} - -function Get-DeviceManagementConfigurationPolicyAssignment -{ - [CmdletBinding()] - param - ( - [Parameter(Mandatory = 'true')] - [System.String] - 
$DeviceManagementConfigurationPolicyId - ) - - try - { - $configurationPolicyAssignments = @() - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$DeviceManagementConfigurationPolicyId/assignments" - $results = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop 4> out-null - foreach ($result in $results.value.target) - { - $configurationPolicyAssignments += @{ - dataType = $result.'@odata.type' - groupId = $result.groupId - collectionId = $result.collectionId - deviceAndAppManagementAssignmentFilterType = $result.deviceAndAppManagementAssignmentFilterType - deviceAndAppManagementAssignmentFilterId = $result.deviceAndAppManagementAssignmentFilterId - } - } - - while ($results.'@odata.nextLink') - { - $Uri = $results.'@odata.nextLink' - $results = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop 4> out-null - foreach ($result in $results.value.target) - { - $configurationPolicyAssignments += @{ - dataType = $result.'@odata.type' - groupId = $result.groupId - collectionId = $result.collectionId - deviceAndAppManagementAssignmentFilterType = $result.deviceAndAppManagementAssignmentFilterType - deviceAndAppManagementAssignmentFilterId = $result.deviceAndAppManagementAssignmentFilterId - } - } - } - return $configurationPolicyAssignments - } - catch - { - New-M365DSCLogEntry -Message 'Error retrieving data:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential - - return $null - } -} - Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof index 4a8235bf89..0c7a470ab6 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof 
@@ -19,9 +19,9 @@ class MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy : OMI [Write, Description("Configures which directory the local admin account password is backed up to. 0 - Disabled, 1 - Azure AD, 2 - AD"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] UInt32 BackupDirectory; [Write, Description("Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365")] UInt32 PasswordAgeDays_AAD; [Write, Description("Configures the maximum password age of the managed local administrator account for Active Directory. Minimum - 1, Maximum - 365")] UInt32 PasswordAgeDays; - [Write, Description("Configures additional enforcement of maximum password age for the managed local administrator account.")] Boolean PasswordExpirationProtectionEnabled; + [Write, Description("Configures additional enforcement of maximum password age for the managed local administrator account."), ValueMap{"true", "false"}, Values{"true", "false"}] String PasswordExpirationProtectionEnabled; [Write, Description("Configures how many previous encrypted passwords will be remembered in Active Directory. Minimum - 0, Maximum - 12")] UInt32 AdEncryptedPasswordHistorySize; - [Write, Description("Configures whether the password is encrypted before being stored in Active Directory.")] Boolean AdPasswordEncryptionEnabled; + [Write, Description("Configures whether the password is encrypted before being stored in Active Directory."), ValueMap{"true", "false"}, Values{"true", "false"}] String AdPasswordEncryptionEnabled; [Write, Description("Configures the name or SID of a user or group that can decrypt the password stored in Active Directory.")] String AdPasswordEncryptionPrincipal; [Write, Description("Configures the name of the managed local administrator account.")] String AdministratorAccountName; [Write, Description("Configures the password complexity of the managed local administrator account. 
1 - Large letters, 2 - Large + small letters, 3 - Large + small letters + numbers, 4 - Large + small letters + numbers + special characters"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] UInt32 PasswordComplexity; diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 index 8a5bc91381..db58ed7c91 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.Tests.ps1 
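Review bot: `PasswordExpirationProtectionEnabled` and `AdPasswordEncryptionEnabled` change from `Boolean` to `String` with a `ValueMap` of `"true"`/`"false"`, but their descriptions do not say that the value is now a string. Existing configurations that assign `$true`/`$false` would then depend on implicit conversion, which I could not confirm from this hunk. `AdPasswordEncryptionEnabled` decides whether the stored password is encrypted, so a mismatched value there should fail loudly rather than be ignored. I would extend both descriptions in the style of `BackupDirectory`, for example ending them with `Allowed values: true, false`, and record the type change as a breaking change in the changelog.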
@@ -44,35 +44,29 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplate -MockWith { - return @{ - TemplateId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' - } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { } - Mock -CommandName Get-DeviceManagementConfigurationPolicyAssignment -MockWith { + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return ,@() + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { return @(@{ dataType = '#microsoft.graph.exclusionGroupAssignmentTarget' collectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' }) } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -MockWith { - return @({ - Id = '1' - SettingDefinitions = @( - Id = 'device_vendor_msft_laps_policies_backupdirectory' - ) - SettingInstanceTemplate = @{ - settingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - settingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstanceTemplate' - } - } - }) - } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { return @(@{ Id = '12345-12345-12345-12345-12345' @@ -95,7 +89,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } $Script:exportedInstances =$null $Script:ExportMode = $false - } # Test contexts 
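Review bot: `Get-MgBetaDeviceManagementConfigurationPolicyAssignment` is mocked twice in this setup block. The added mock returns `dataType`/`collectionId`, and a second one further down in the same hunk returns `Id = '12345-12345-12345-12345-12345'`. Neither has a parameter filter, and as far as I know Pester then uses the most recently defined one, so the added mock would never be hit. Keep only the mock whose return shape matches what the resource now reads from the assignment cmdlet, and delete the other.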
@@ -157,29 +150,36 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_laps_policies_backupdirectory' + Name = 'BackupDirectory' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" - } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" } } - AdditionalProperties = $null } + AdditionalProperties = $null } } - - Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { - } } It 'Should return Present from the Get method' { @@ -192,7 +192,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the instance from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-DeviceManagementConfigurationPolicy -Exactly 1 + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 } } 
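Review bot: The `Get-MgBetaDeviceManagementConfigurationPolicySetting` mock added here is repeated with the same body in the hunks at new lines 219, 277 and 339, and every copy returns only `device_vendor_msft_laps_policies_backupdirectory`. Nothing in these fixtures exercises `AdPasswordEncryptionEnabled` or `PasswordExpirationProtectionEnabled`, the two properties whose schema type changes from `Boolean` to `String`. `$testParams` is outside the hunks, so I cannot tell whether they are set there. I would build the hashtable once in the shared setup (for example as `$Script:lapsSettingMock`, a name I made up) and return it from each context. I would also add one context whose mocked settings include an encryption-related setting, so the new string comparison is covered.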
@@ -219,24 +219,34 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_laps_policies_backupdirectory' + Name = 'BackupDirectory' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" - } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" } } - AdditionalProperties = $null } + AdditionalProperties = $null } } } 
@@ -267,24 +277,34 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Description = 'My Test Description' Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_laps_policies_backupdirectory' + Name = 'BackupDirectory' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" - } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" } } - AdditionalProperties = $null } + AdditionalProperties = $null } } } 
@@ -319,24 +339,34 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { TemplateReference = @{ TemplateId = 'adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1' } - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_laps_policies_backupdirectory' + Name = 'BackupDirectory' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_laps_policies_backupdirectory_1" - } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_laps_policies_backupdirectory' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'a3270f64-e493-499d-8900-90290f61ed8a' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_laps_policies_backupdirectory_1" } } - AdditionalProperties = $null } + AdditionalProperties = $null } } } From 13357cd178f5b8e18a799cc1c62de19ed7171571 Mon Sep 17 00:00:00 2001 
From: Fabien Tschanz Date: Sat, 15 Jun 2024 02:10:40 +0200 Subject: [PATCH 03/26] Improved assignment export across all Intune resources --- CHANGELOG.md | 7 + .../MSFT_IntuneASRRulesPolicyWindows10.psm1 | 13 +- ...alAdministratorPasswordSolutionPolicy.psm1 | 4 +- ...tectionLocalUserGroupMembershipPolicy.psm1 | 4 +- .../MSFT_IntuneAccountProtectionPolicy.psm1 | 12 +- ...ntivirusPolicyWindows10SettingCatalog.psm1 | 4 +- ...FT_IntuneAppConfigurationDevicePolicy.psm1 | 12 +- .../MSFT_IntuneAppConfigurationPolicy.psm1 | 12 +- ...tuneApplicationControlPolicyWindows10.psm1 | 12 +- ...tionRulesPolicyWindows10ConfigManager.psm1 | 183 ++---------------- ...T_IntuneDeviceCompliancePolicyAndroid.psm1 | 13 +- ...iceCompliancePolicyAndroidDeviceOwner.psm1 | 13 +- ...iceCompliancePolicyAndroidWorkProfile.psm1 | 12 +- ...SFT_IntuneDeviceCompliancePolicyMacOS.psm1 | 12 +- ...IntuneDeviceCompliancePolicyWindows10.psm1 | 4 +- .../MSFT_IntuneDeviceCompliancePolicyiOs.psm1 | 13 +- ...AdministrativeTemplatePolicyWindows10.psm1 | 12 +- ...iceConfigurationCustomPolicyWindows10.psm1 | 12 +- ...rForEndpointOnboardingPolicyWindows10.psm1 | 12 +- ...onDeliveryOptimizationPolicyWindows10.psm1 | 12 +- ...onfigurationDomainJoinPolicyWindows10.psm1 | 12 +- ...figurationEmailProfilePolicyWindows10.psm1 | 12 +- ...tionEndpointProtectionPolicyWindows10.psm1 | 12 +- ...ationFirmwareInterfacePolicyWindows10.psm1 | 26 +-- ...onitoringConfigurationPolicyWindows10.psm1 | 28 +-- ...tionIdentityProtectionPolicyWindows10.psm1 | 28 +-- ...ImportedPfxCertificatePolicyWindows10.psm1 | 26 +-- ...viceConfigurationKioskPolicyWindows10.psm1 | 26 +-- ...urationNetworkBoundaryPolicyWindows10.psm1 | 28 +-- ...urationPkcsCertificatePolicyWindows10.psm1 | 26 +-- ...eviceConfigurationPlatformScriptMacOS.psm1 | 25 +-- ...iceConfigurationPlatformScriptWindows.psm1 | 26 +-- ...ationPolicyAndroidDeviceAdministrator.psm1 | 25 +-- ...ConfigurationPolicyAndroidDeviceOwner.psm1 | 27 +-- 
...urationPolicyAndroidOpenSourceProject.psm1 | 25 +-- ...ConfigurationPolicyAndroidWorkProfile.psm1 | 27 +-- ..._IntuneDeviceConfigurationPolicyMacOS.psm1 | 27 +-- ...FT_IntuneDeviceConfigurationPolicyiOS.psm1 | 28 +-- ...urationSCEPCertificatePolicyWindows10.psm1 | 26 +-- ...rationSecureAssessmentPolicyWindows10.psm1 | 26 +-- ...ationSharedMultiDevicePolicyWindows10.psm1 | 28 +-- ...tionTrustedCertificatePolicyWindows10.psm1 | 26 +-- ...DeviceConfigurationVpnPolicyWindows10.psm1 | 26 +-- ...nfigurationWindowsTeamPolicyWindows10.psm1 | 26 +-- ...figurationWiredNetworkPolicyWindows10.psm1 | 28 +-- ...neDeviceEnrollmentPlatformRestriction.psm1 | 31 +-- ...neDeviceEnrollmentStatusPageWindows10.psm1 | 16 +- .../MSFT_IntuneDiskEncryptionMacOS.psm1 | 29 +-- ...ntDetectionAndResponsePolicyWindows10.psm1 | 4 +- ...otectionPolicyWindows10SettingCatalog.psm1 | 29 +-- .../MSFT_IntunePolicySets.psm1 | 44 +---- ...SettingCatalogASRRulesPolicyWindows10.psm1 | 12 +- ...neSettingCatalogCustomPolicyWindows10.psm1 | 27 +-- ...ationPolicyAndroidDeviceAdministrator.psm1 | 25 +-- ...ionPolicyAndroidEnterpriseDeviceOwner.psm1 | 25 +-- ...ionPolicyAndroidEnterpriseWorkProfile.psm1 | 25 +-- ...WifiConfigurationPolicyAndroidForWork.psm1 | 25 +-- ...urationPolicyAndroidOpenSourceProject.psm1 | 25 +-- ...MSFT_IntuneWifiConfigurationPolicyIOS.psm1 | 25 +-- ...FT_IntuneWifiConfigurationPolicyMacOS.psm1 | 25 +-- ...ntuneWifiConfigurationPolicyWindows10.psm1 | 25 +-- ...nProtectionPolicyWindows10MdmEnrolled.psm1 | 12 +- ...rBusinessDriverUpdateProfileWindows10.psm1 | 27 +-- ...BusinessFeatureUpdateProfileWindows10.psm1 | 27 +-- .../Modules/M365DSCDRGUtil.psm1 | 44 +++-- ...SC.IntuneAccountProtectionPolicy.Tests.ps1 | 1 + ...ulesPolicyWindows10ConfigManager.Tests.ps1 | 44 +++-- ...ectionAndResponsePolicyWindows10.Tests.ps1 | 1 + 68 files changed, 372 insertions(+), 1174 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a978c34374..02793687f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,12 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* M365DSCDRGUtil + * Add `collectionId` export to `ConvertFrom-IntunePolicyAssignment` +* MISC + * Add group display name export across Intune resources + # 1.24.612.1 * IntuneAppConfigurationDevicePolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 index 38589d3139..cfbb8f492e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 @@ -520,11 +520,7 @@ function Set-TargetResource $policy = New-MgBetaDeviceManagementIntent -BodyParameter $createParameters #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` @@ -560,12 +556,7 @@ function Set-TargetResource Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Targets $assignmentsHash ` -Repository 'deviceManagement/intents' 
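Review bot: In the MSFT_IntuneASRRulesPolicyWindows10 hunks at -520 and -556, `$assignmentsHash` is no longer guaranteed to be an array. The removed loop started from `@()` and appended, whereas the result of `ConvertTo-IntunePolicyAssignment` is now assigned directly, and PowerShell unrolls a one-element array on return and yields `$null` when a function emits nothing. The helper's body is not visible on this page, so this may already be handled there; if not, `$assignmentsHash = @(ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments)` keeps the old shape for `-Targets`. The same replacement recurs in the other Set-TargetResource hunks of this patch, and only MSFT_IntuneDeviceCompliancePolicyWindows10 guards the call with `$Assignments.Count -gt 0`, so it is worth confirming how the helper behaves for an empty or null `$Assignments`. Set-TargetResource starts and ends outside these hunks.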
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index 12d2a7fbf2..ebe2c1b9e3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 @@ -425,7 +425,7 @@ function Set-TargetResource } $newPolicy = New-MgBetaDeviceManagementConfigurationPolicy -bodyParameter $createParameters - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $newPolicy.Id ` -Targets $assignmentsHash @@ -449,7 +449,7 @@ function Set-TargetResource -Settings $settings #region update policy assignments - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Targets $assignmentsHash 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index 563272b1cd..2e4450f341 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 @@ -306,7 +306,7 @@ function Set-TargetResource $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters #region Assignments - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $policy.Id ` -Targets $assignmentsHash @@ -333,7 +333,7 @@ function Set-TargetResource -Settings $settings #region Assignments - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Targets $assignmentsHash diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 index 7d44051f40..b1991e4383 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 @@ -418,11 +418,7 @@ function Set-TargetResource $policy = New-MgBetaDeviceManagementIntent -BodyParameter $createParameters #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` @@ -457,11 +453,7 @@ function Set-TargetResource Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index b77d3ffd54..dbe036ce95 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 
@@ -990,7 +990,7 @@ function Set-TargetResource -Technologies $technologies ` -Settings $settings - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id -Targets $assignmentsHash } @@ -1015,7 +1015,7 @@ function Set-TargetResource -Technologies $technologies ` -Settings $settings - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentPolicy.Identity -Targets $assignmentsHash } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1 index 221e0db766..f51f6c6720 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1 @@ -418,11 +418,7 @@ function Set-TargetResource } #region resource generator code $policy = New-MgBetaDeviceAppManagementMobileAppConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.Id) { 
@@ -464,11 +460,7 @@ function Set-TargetResource -ManagedDeviceMobileAppConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId "$($currentInstance.Id)/microsoft.graph.managedDeviceMobileAppConfiguration" ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index 88fe4add9c..6446ea2caa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 @@ -246,11 +246,7 @@ function Set-TargetResource $policy = New-MgBetaDeviceAppManagementTargetedManagedAppConfiguration @creationParams #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -276,11 +272,7 @@ function Set-TargetResource } Update-MgBetaDeviceAppManagementTargetedManagedAppConfiguration @updateParams - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentconfigPolicy.Id ` -Targets $assignmentsHash ` -Repository 'deviceAppManagement/targetedManagedAppConfigurations' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 index b5bbeb6771..02d998df1a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneApplicationControlPolicyWindows10/MSFT_IntuneApplicationControlPolicyWindows10.psm1 @@ -245,11 +245,7 @@ function Set-TargetResource -Settings $Settings #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` 
@@ -288,11 +284,7 @@ function Set-TargetResource } #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $appControlPolicy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/intents' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.psm1 index 106a08ce7e..846f9ca868 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager/MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.psm1 @@ -255,10 +255,16 @@ function Get-TargetResource { $returnHashtable.Add($settingName, $settingValue) } - } + $returnAssignments = @() - $returnAssignments += Get-DeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity + $graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity + if ($graphAssignments.Count -gt 0) + { + $returnAssignments += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($graphAssignments) + } $returnHashtable.Add('Assignments', $returnAssignments) Write-Verbose -Message "Found Endpoint Protection Policy {$($policy.name)}" 
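Review bot: The new `Get-MgBetaDeviceManagementConfigurationPolicyAssignment` call in Get-TargetResource (hunk -255 of MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager) is made without `-All`, while the local helper it replaces, removed further down in this file, followed `@odata.nextLink` until every page was read. If the cmdlet returns only the first page, a policy with many assignments would be read back incomplete and the comparison against the desired state would run on partial data; `$graphAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity -All` restores the previous coverage. The removed helper also logged and returned `$null` on a Graph error, so a failure here now depends on whatever try/catch encloses this code outside the hunk.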
@@ -485,9 +491,9 @@ function Set-TargetResource Technologies = $technologies Settings = $settings } - New-MgBetaDeviceManagementConfigurationPolicy -bodyParameter $createParameters + New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $Identity ` -Targets $assignmentsHash @@ -502,17 +508,17 @@ function Set-TargetResource -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` -TemplateId $templateReferenceId - Update-DeviceManagementConfigurationPolicy ` - -DeviceManagementConfigurationPolicyId $currentPolicy.Identity ` - -DisplayName $DisplayName ` + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Name $DisplayName ` -Description $Description ` - -TemplateReference $templateReferenceId ` + -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings #region update policy assignments - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Targets $assignmentsHash 
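Review bot: In the create branch (hunk -485), the object returned by `New-MgBetaDeviceManagementConfigurationPolicy` is discarded and the assignments are then written to `-DeviceConfigurationPolicyId $Identity`, not to the id of the policy that was just created. Unless `$Identity` is guaranteed to equal the id Graph assigns, which is not visible here, the new attack surface reduction policy can be left without assignments or the targets can land on a different policy. Sibling resources in this patch capture the result and use its id (`$newPolicy.Id`); here that would be `$policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters` followed by `-DeviceConfigurationPolicyId $policy.Id`. Capturing the result also stops the created object from being emitted as output of Set-TargetResource, whose body starts outside the hunk.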
@@ -1107,163 +1113,4 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue return $settingValueReturn } -function New-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = 'https://graph.microsoft.com/beta/deviceManagement/ConfigurationPolicies' - $policy = [ordered]@{ - 'name' = $DisplayName - 'description' = $Description - 'platforms' = $Platforms - 'technologies' = $Technologies - 'templateReference' = $templateReference - 'settings' = $Settings - } - #write-verbose (($policy|ConvertTo-Json -Depth 20)) - Invoke-MgGraphRequest -Method POST ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> out-null -} -function Update-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId, - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId" - $policy = [ordered]@{ - 'name' = $DisplayName - 'description' = $Description - 'platforms' = $Platforms - 'technologies' = $Technologies - 'templateReference' = $templateReference - 
'settings' = $Settings - } - #write-verbose (($policy|ConvertTo-Json -Depth 20)) - Invoke-MgGraphRequest -Method PUT ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> out-null -} - - -function Get-DeviceManagementConfigurationPolicyAssignment -{ - [CmdletBinding()] - param - ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId - ) - - try - { - $configurationPolicyAssignments = @() - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$DeviceManagementConfigurationPolicyId/assignments" - $results = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop 4> out-null - foreach ($result in $results.value.target) - { - $configurationPolicyAssignments += @{ - dataType = $result.'@odata.type' - groupId = $result.groupId - collectionId = $result.collectionId - deviceAndAppManagementAssignmentFilterType = $result.deviceAndAppManagementAssignmentFilterType - deviceAndAppManagementAssignmentFilterId = $result.deviceAndAppManagementAssignmentFilterId - } - } - - while ($results.'@odata.nextLink') - { - $Uri = $results.'@odata.nextLink' - $results = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop 4> out-null - foreach ($result in $results.value.target) - { - $configurationPolicyAssignments += @{ - dataType = $result.'@odata.type' - groupId = $result.groupId - collectionId = $result.collectionId - deviceAndAppManagementAssignmentFilterType = $result.deviceAndAppManagementAssignmentFilterType - deviceAndAppManagementAssignmentFilterId = $result.deviceAndAppManagementAssignmentFilterId - } - } - } - return $configurationPolicyAssignments - } - catch - { - New-M365DSCLogEntry -Message 'Error retrieving data:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential - - return $null - } -} - Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 index a069990578..5a24dffdba 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroid/MSFT_IntuneDeviceCompliancePolicyAndroid.psm1 @@ -484,11 +484,7 @@ function Set-TargetResource -ScheduledActionsForRule $scheduledActionsForRule #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` @@ -516,12 +512,7 @@ function Set-TargetResource -DeviceCompliancePolicyId $configDeviceAndroidPolicy.Id #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $configDeviceAndroidPolicy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceCompliancePolicies' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 index 550b5abbea..24bc016a2b 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner/MSFT_IntuneDeviceCompliancePolicyAndroidDeviceOwner.psm1 @@ -378,11 +378,7 @@ function Set-TargetResource -ScheduledActionsForRule $scheduledActionsForRule #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` @@ -412,12 +408,7 @@ function Set-TargetResource -DeviceCompliancePolicyId $configDeviceAndroidPolicy.Id #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $configDeviceAndroidPolicy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceCompliancePolicies' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 index 87955c67f5..65e81097f4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile/MSFT_IntuneDeviceCompliancePolicyAndroidWorkProfile.psm1 @@ -460,11 +460,7 @@ function Set-TargetResource -ScheduledActionsForRule $scheduledActionsForRule #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` @@ -491,11 +487,7 @@ function Set-TargetResource -DeviceCompliancePolicyId $configDeviceAndroidPolicy.Id #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $configDeviceAndroidPolicy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceCompliancePolicies' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 index 5515288577..debc21a240 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyMacOS/MSFT_IntuneDeviceCompliancePolicyMacOS.psm1 
@@ -424,11 +424,7 @@ function Set-TargetResource -ScheduledActionsForRule $scheduledActionsForRule #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` @@ -455,11 +451,7 @@ function Set-TargetResource -DeviceCompliancePolicyId $configDevicePolicy.Id #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $configDevicePolicy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceCompliancePolicies' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 index 5add8ab630..795db1d969 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyWindows10/MSFT_IntuneDeviceCompliancePolicyWindows10.psm1 
@@ -517,7 +517,7 @@ function Set-TargetResource if ($Assignments.Count -gt 0) { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceCompliancePolicies' @@ -542,7 +542,7 @@ function Set-TargetResource if ($Assignments.Count -gt 0) { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $configDevicePolicy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceCompliancePolicies' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 index dbb18d9828..0c29598f55 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceCompliancePolicyiOs/MSFT_IntuneDeviceCompliancePolicyiOs.psm1 @@ -408,11 +408,7 @@ function Set-TargetResource -ScheduledActionsForRule $scheduledActionsForRule #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` 
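Review bot: In MSFT_IntuneDeviceCompliancePolicyWindows10 the update branch (hunk -542) still calls `Update-DeviceConfigurationPolicyAssignment` only inside `if ($Assignments.Count -gt 0)`, so a configuration that removes every assignment never reaches Graph and the compliance policy stays assigned to its previous groups. The other compliance resources in this patch call the update unconditionally. Unless an else branch outside the hunk handles the empty case, either drop the guard in the update branch or make the intent explicit with a comment such as `# Empty Assignments intentionally leaves existing assignments untouched`.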
@@ -444,12 +440,7 @@ function Set-TargetResource -Description $Description ` -DeviceCompliancePolicyId $configDevicePolicy.Id #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } - + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $configDevicePolicy.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceCompliancePolicies' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 index 49e699d737..72ee2d7916 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 @@ -396,11 +396,7 @@ function Set-TargetResource } #region resource generator code $policy = New-MgBetaDeviceManagementGroupPolicyConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -474,11 +470,7 @@ function Set-TargetResource -BodyParameter $UpdateParameters #Update Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/groupPolicyConfigurations' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 index 353d3c2e67..27267174c5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 @@ -324,11 +324,7 @@ function Set-TargetResource } $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -374,11 +370,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 index 50e03fc980..138c7fe2ef 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 @@ -310,11 +310,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windowsDefenderAdvancedThreatProtectionConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -353,11 +349,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 index 891005cab4..c18fcfac7d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 @@ -489,11 +489,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windowsDeliveryOptimizationConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash=@() - foreach($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -526,11 +522,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceConfigurations' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 index 41cbd98cce..ce7e63783d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 @@ -285,11 +285,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windowsDomainJoinConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -322,11 +318,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 index 634da6ae4a..0e720a2bba 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 @@ -409,11 +409,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10EasEmailProfileConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -446,11 +442,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 index 6b0ece6e0d..9872636808 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 @@ -3728,11 +3728,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10EndpointProtectionConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -3778,11 +3774,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceConfigurations' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.psm1 index e14e934998..64c2f2b991 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.psm1 
@@ -377,18 +377,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -607,11 +603,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10DeviceFirmwareConfigurationInterface") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
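Review bot: The added guard `if ($assignmentsValues.Count -gt 0)` treats a `$null` result from `Get-MgBetaDeviceManagementDeviceConfigurationAssignment` the same as a policy with no assignments, so a failed or unauthorized read ends up as an empty `Assignments` entry in `$results`. That value is presumably what the drift comparison and exports rely on, where an empty list is a meaningful state rather than "unknown". Adding `-ErrorAction Stop` to the fetch on the line above the guard would make a failed read surface instead; whether an enclosing try/catch already handles it is not visible in the hunk. The same block is added in the Get-TargetResource hunks of the other resources in this patch.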
@@ -644,11 +636,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 index 92e9a68662..ac5435abea 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 
@@ -152,20 +152,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -294,11 +288,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windowsHealthMonitoringConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -332,11 +322,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 index 3611e51591..7358cbd46a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 
@@ -214,20 +214,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -400,11 +394,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windowsIdentityProtectionConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -437,11 +427,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceConfigurations' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.psm1 index 21703df009..e61597df42 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.psm1 
@@ -190,18 +190,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -344,11 +340,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10ImportedPFXCertificateProfile") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -381,11 +373,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10.psm1 index 4132864db4..0aef32a176 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10.psm1 
@@ -342,18 +342,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -503,11 +499,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windowsKioskConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -540,11 +532,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.psm1 index 966a53527e..e43a2f4422 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.psm1 
@@ -170,20 +170,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -300,11 +294,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add('@odata.type', '#microsoft.graph.windows10NetworkBoundaryConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -337,11 +327,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.psm1 index 5dcee3028d..8629194fcb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.psm1 
@@ -254,18 +254,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -436,11 +432,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10PkcsCertificateProfile") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -473,11 +465,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 index 3e403e98ec..4d15e22d1d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 
@@ -171,16 +171,11 @@ function Get-TargetResource #$assignmentsValues = Get-MgBetaDeviceManagementDeviceShellScriptAssignment -DeviceShellScriptId $Id $AssignmentsValues = $getValue.Assignments $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -321,11 +316,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.DeviceShellScript") $policy = New-MgBetaDeviceManagementDeviceShellScript -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.Id) { 
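Review bot: The added guard reads `$assignmentsValues` while the line above it assigns `$AssignmentsValues`, and the commented-out `#$assignmentsValues = Get-MgBetaDeviceManagementDeviceShellScriptAssignment …` call still sits directly before that. PowerShell resolves both spellings to the same variable, so this works, but the mixed casing next to dead code makes it easy to misread which source the assignments come from. I would use one spelling, `$assignmentsValues = $getValue.Assignments`, delete the commented-out call, and add a comment such as `# assignments come from the script object fetched above, not a separate assignment query`. How `$getValue` is populated is outside the hunk.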
@@ -360,11 +351,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceShellScript ` -DeviceShellScriptId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 index 69fc4522d6..ef5af3cd33 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 
@@ -159,18 +159,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementScriptAssignment -DeviceManagementScriptId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -307,11 +303,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.DeviceManagementScript") $policy = New-MgBetaDeviceManagementScript -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.Id) { 
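Review bot: The added `$assignmentsValues = Get-MgBetaDeviceManagementScriptAssignment -DeviceManagementScriptId $Id` queries by the `$Id` parameter, while the AndroidDeviceAdministrator, AndroidDeviceOwner, AndroidOpenSourceProject, MacOS and iOS hunks query by `$getValue.Id`. If this function can resolve the instance by display name and `$Id` is not reassigned from the fetched object earlier (that part is outside the hunk), the call runs with an empty or stale id and the exported assignments do not belong to the policy that was found. Assuming the fetched instance is held in `$getValue` here as in the sibling resources, `-DeviceManagementScriptId $getValue.Id` is the safer form. The same `$Id` usage is added in the SCEPCertificate, SecureAssessment, SharedMultiDevice, TrustedCertificate, Vpn and WindowsTeam Get-TargetResource hunks.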
@@ -346,11 +338,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementScript ` -DeviceManagementScriptId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 index 832d678f09..94da7aa3fa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 
@@ -461,16 +461,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -818,11 +813,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -869,11 +860,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner.psm1 index 2a23ae80cb..642ec46423 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner.psm1 
@@ -958,18 +958,13 @@ function Get-TargetResource AccessTokens = $AccessTokens } - $myAssignments=@() - $myAssignments += Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id $assignmentResult = @() - foreach ($assignmentEntry in $myAssignments) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -1666,11 +1661,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash=@() - foreach($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
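Review bot: The replacement drops the `@()` accumulator, so `$assignmentsValues` is now `$null` when there are no assignments and a single object when there is exactly one, and both the `if ($assignmentsValues.Count -gt 0)` guard and the `-Assignments` argument rely on PowerShell's scalar handling. Wrapping the call keeps the three cases uniform: `$assignmentsValues = @(Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id)`. The removed code also called `.toString()` on the filter type without the null check the sibling resources had, so ConvertFrom-IntunePolicyAssignment (defined outside this hunk) should be confirmed to handle an assignment that has no filter. The AndroidWorkProfile and iOS Get-TargetResource hunks make the same replacement.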
@@ -1710,11 +1701,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 index 8bc5594816..e0d7d742d1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 
@@ -205,16 +205,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -415,11 +410,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -466,11 +457,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile.psm1 index 667e202147..6a638c6dcb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile.psm1 
@@ -331,18 +331,13 @@ function Get-TargetResource AccessTokens = $AccessTokens } - $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $policy.Id + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $policy.Id $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -636,11 +631,7 @@ function Set-TargetResource -AdditionalProperties $AdditionalProperties #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` 
@@ -667,11 +658,7 @@ function Set-TargetResource -DeviceConfigurationId $configDevicePolicy.Id #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $configDevicePolicy.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 index b1bb838ef6..85c8e374ec 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 
@@ -437,16 +437,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -819,11 +814,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -871,17 +862,11 @@ function Set-TargetResource #$UpdateParameters.remove('updateDelayPolicy') #region resource generator code - write-verbose ($UpdateParameters | convertTo-Json -depth 100) - Update-MgBetaDeviceManagementDeviceConfiguration ` -BodyParameter $UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/MSFT_IntuneDeviceConfigurationPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/MSFT_IntuneDeviceConfigurationPolicyiOS.psm1 index b24f0d023d..5984ce817c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/MSFT_IntuneDeviceConfigurationPolicyiOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/MSFT_IntuneDeviceConfigurationPolicyiOS.psm1 
@@ -1158,20 +1158,14 @@ function Get-TargetResource } $results.Add('NetworkUsageRules', $complexNetworkUsageRules) - $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $getValue.Id $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } - $results.Add('Assignments', $assignmentResult) return [System.Collections.Hashtable] $results @@ -2063,11 +2057,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -2108,11 +2098,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 index 43a2d699ac..8ca0e2b141 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 
@@ -294,18 +294,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -528,11 +524,7 @@ function Set-TargetResource $CreateParameters.Add("rootCertificate@odata.bind", "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$RootCertificateId')") $CreateParameters.Add("@odata.type", "#microsoft.graph.windows81SCEPCertificateProfile") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
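Review bot: In the Set-TargetResource hunk, the context line that builds `rootCertificate@odata.bind` hard-codes `https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('$RootCertificateId')` and interpolates `$RootCertificateId` into the URL unchecked. The fixed host presumably does not match tenants on a national cloud Graph endpoint, and an id containing a quote or path characters would change the reference the SCEP profile is bound to. I would take the base URL from the active Graph connection and check the id before use, e.g. `$parsedId = [System.Guid]::Empty` followed by `if (-not [System.Guid]::TryParse($RootCertificateId, [ref]$parsedId)) { throw "RootCertificateId is not a valid GUID" }`, assuming these ids are always GUIDs. The code that sets `$RootCertificateId` is outside the hunk.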
@@ -568,11 +560,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.psm1 index e248a0a1dc..f100165917 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.psm1 
@@ -167,18 +167,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -321,11 +317,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10SecureAssessmentConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -358,11 +350,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.psm1 index 3fb7334c67..221414ae76 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.psm1 
@@ -286,20 +286,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -495,11 +489,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add('@odata.type', '#microsoft.graph.sharedPCConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -537,11 +527,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.psm1 index 9f2fef6f4d..d2ebdb3160 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.psm1 
@@ -142,18 +142,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -276,11 +272,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windows81TrustedRootCertificate") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -313,11 +305,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10.psm1 index ac21beeb78..1f401a4693 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10.psm1 
@@ -470,18 +470,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -706,11 +702,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10VpnConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -743,11 +735,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10.psm1 index 6d3c8d0894..bc1307e957 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10.psm1 
@@ -247,18 +247,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -454,11 +450,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.windows10TeamGeneralConfiguration") $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -491,11 +483,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 index ff7a7b9661..667f2d58c5 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10/MSFT_IntuneDeviceConfigurationWiredNetworkPolicyWindows10.psm1 
@@ -306,20 +306,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -624,11 +618,7 @@ function Set-TargetResource $CreateParameters.Add('@odata.type', '#microsoft.graph.windowsWiredNetworkConfiguration') $policy = New-MgBetaDeviceManagementDeviceConfiguration -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -671,11 +661,7 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceConfiguration ` -DeviceConfigurationId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.Id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 index 3176ce93b0..d1db4d3fc7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 
@@ -178,16 +178,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $config.Id $assignmentResult = @() - foreach ($assignmentEntry in $assignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -379,14 +374,7 @@ function Set-TargetResource # Assignments from DefaultPolicy are not editable and will raise an alert if ($policy.Id -notlike '*_DefaultPlatformRestrictions') { - $assignmentsHash = @() - if ($null -ne $Assignments -and $Assignments.Length -gt 0) - { - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment - } - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $policy.Id ` -Targets $assignmentsHash ` 
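Review bot: The create branch (`@@ -379,14 +374,7 @@`) drops the `$null -ne $Assignments -and $Assignments.Length -gt 0` guard and now passes `$Assignments` to `ConvertTo-IntunePolicyAssignment` unconditionally; the update-branch hunk `@@ -451,14 +439,7 @@` does the same. The helper is not visible in this patch section, so confirm it accepts a null or empty `-Assignments` and returns an empty collection. If it does not, a configuration that declares no assignments would fail at parameter binding where it used to succeed. In that case keep the guard, as the EndpointDetectionAndResponse resource in this same patch does: `if ($null -ne $Assignments -and $Assignments.Count -gt 0) { $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments }`. Set-TargetResource continues outside both hunks.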
@@ -451,14 +439,7 @@ function Set-TargetResource # Assignments from DefaultPolicy are not editable and will raise an alert if ($currentInstance.Identity -notlike '*_DefaultPlatformRestrictions') { - $assignmentsHash = @() - if ($null -ne $Assignments -and $Assignments.Length -gt 0) - { - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment - } - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.Identity ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index 6ef11e526d..9a94cdd9e2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 
@@ -201,20 +201,14 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceEnrollmentConfigurationAssignment -DeviceEnrollmentConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 index 6233583a29..be66e1dcee 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 
@@ -170,19 +170,14 @@ function Get-TargetResource $results.Add('CertificateThumbprint', $CertificateThumbprint) $results.Add('ManagedIdentity', $ManagedIdentity.IsPresent) $results.Add('AccessTokens', $AccessTokens) - + $assignmentsValues = Get-MgBetaDeviceManagementIntentAssignment -DeviceManagementIntentId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -346,11 +341,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementIntent -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -383,11 +374,7 @@ function Set-TargetResource $body = @{'settings' = $settings } Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` @@ -396,7 +383,7 @@ function Set-TargetResource } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Removing the Intune Disk Encryption for macOS with Id {$($currentInstance.Id)}" + Write-Verbose -Message "Removing the Intune Disk Encryption for macOS with Id {$($currentInstance.Id)}" #region resource generator code Remove-MgBetaDeviceManagementIntent -DeviceManagementIntentId $currentInstance.Id #endregion diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 index ddb3aea770..a219885cde 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 
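Review bot: The context line just above the changed assignment code ends in `4> Out-Null`, which redirects the verbose stream to a file literally named `Out-Null` in the current working directory instead of discarding it. When the resource runs with verbose output enabled, whatever `Invoke-MgGraphRequest` writes to that stream is persisted on disk, where nobody will look for it or clean it up. Since this hunk already touches the block, change the redirection to `4> $null`. Set-TargetResource starts and ends outside the hunk.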
@@ -334,7 +334,7 @@ function Set-TargetResource $assignmentsHash = @() if ($null -ne $Assignments -and $Assignments.count -gt 0 ) { - $assignmentsHash += Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments } Update-DeviceConfigurationPolicyAssignment ` @@ -371,7 +371,7 @@ function Set-TargetResource $assignmentsHash = @() if ($null -ne $Assignments -and $Assignments.count -gt 0 ) { - $assignmentsHash += Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments } Update-DeviceConfigurationPolicyAssignment ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog.psm1 index e938f172a0..d5a5bc6f5d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog/MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog.psm1 
@@ -148,20 +148,15 @@ function Get-TargetResource { $returnHashtable.Add($settingName, $settingValue) } - } - $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $returnHashtable.Add('Assignments', $assignmentResult) @@ -304,11 +299,7 @@ function Set-TargetResource -Technologies $technologies ` -Settings $settings #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` 
@@ -339,11 +330,7 @@ function Set-TargetResource -Settings $settings #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Targets $assignmentsHash #endregion diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 index 557accf808..15e12dd4f0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 @@ -156,20 +156,13 @@ function Get-TargetResource } $assignmentsValues = $getValue.Assignments - $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } - $results.Add('Assignments', $assignmentResult) $itemsValues = $getValue.Items 
@@ -309,16 +302,7 @@ function Set-TargetResource } # set assignments and items to work with New-MgbetaDeviceAppManagementPolicySet command - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += @{ - target = @{ - '@odata.type' = $assignment.dataType - groupId = $assignment.groupId - } - } - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments $CreateParameters.Add("Assignments", $assignmentsHash) $itemsHash = @() @@ -359,29 +343,15 @@ function Set-TargetResource #region resource generator code $UpdateParameters.Add("PolicySetId", $currentInstance.Id) - write-verbose -Message ($UpdateParameters | out-string) Update-MgbetaDeviceAppManagementPolicySet @UpdateParameters - if (($itemamendments = Get-ItemsAmendmentsObject -currentObjectItems $currentInstance.Items -targetObjectItems $items) -ne $null ) + if ($null -ne ($itemamendments = Get-ItemsAmendmentsObject -currentObjectItems $currentInstance.Items -targetObjectItems $items)) { - - write-verbose -message ($itemamendments | out-string) $url = ('https://graph.microsoft.com/beta/deviceAppManagement/policySets/' + $currentInstance.Id + '/update' ) Invoke-MgGraphRequest -Method POST -Uri $url -Body $itemamendments } - $assignmentsHash = @{ assignments = @()} - foreach ($assignment in $Assignments) - { - $assignmentsHash.assignments += @{ - target = @{ - '@odata.type' = $assignment.dataType - groupId = $assignment.groupId - } - } - } - - write-verbose -message ($assignmentsHash | out-string) + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments $url = ('https://graph.microsoft.com/beta/deviceAppManagement/policySets/' + $currentInstance.Id + '/update' ) Invoke-MgGraphRequest -Method POST -Uri $url -Body $assignmentsHash #endregion 
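Review bot: In the update branch (`@@ -359,29 +343,15 @@`) the request body changes shape. The removed code posted `@{ assignments = @(...) }` to `.../policySets/{id}/update`, while the new code posts the return value of `ConvertTo-IntunePolicyAssignment` directly via `-Body $assignmentsHash`. Unless that helper (not visible here) already returns a hashtable with an `assignments` key, the endpoint no longer receives the wrapper it got before. The assignment change may then be rejected or ignored, leaving the policy set targeted at the previous groups. Keeping the old contract would look like `Invoke-MgGraphRequest -Method POST -Uri $url -Body @{ assignments = @($assignmentsHash) }`. Set-TargetResource continues outside the hunk.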
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 index e1b7d65c72..4fd6ac4b5e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 @@ -514,11 +514,7 @@ function Set-TargetResource -Settings $settings #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { $intuneAssignments = [Hashtable[]] (ConvertTo-IntunePolicyAssignment -Assignments $assignmentsHash) @@ -550,11 +546,7 @@ function Set-TargetResource -Settings $settings #region Assignments - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments $intuneAssignments = [Hashtable[]] (ConvertTo-IntunePolicyAssignment -Assignments $assignmentsHash) Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Targets ([Array]($intuneAssignments.target)) 
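Review bot: In both hunks of this file (`@@ -514,11 +514,7 @@` and `@@ -550,11 +546,7 @@`), `$assignmentsHash` is now the output of `ConvertTo-IntunePolicyAssignment`. The unchanged next statement still feeds it into `ConvertTo-IntunePolicyAssignment -Assignments $assignmentsHash` a second time, this time without `-IncludeDeviceFilter`. Previously that second call received the plain hashtables from `Get-M365DSCDRGComplexTypeToHashtable`. Converting already-converted entries will probably produce empty or malformed targets or drop the device filter, so the ASR policy could end up assigned differently from what the configuration declares. Assuming the helper returns entries with a `target` key, as the `.target` access in the second hunk implies, the second conversion can be removed: `$intuneAssignments = [Hashtable[]] $assignmentsHash`. Set-TargetResource continues outside both hunks.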
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 index 24e690e736..72f55b6c01 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 @@ -184,18 +184,11 @@ function Get-TargetResource } $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) 
@@ -329,11 +322,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add('@odata.type', '#microsoft.graph.DeviceManagementConfigurationPolicy') $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { @@ -366,11 +355,7 @@ function Set-TargetResource -DeviceManagementConfigurationPolicyId $currentInstance.Id ` @UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.psm1 index 63673c9f2f..735567533e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneWifiConfigurationPolicyAndroidDeviceAdministrator.psm1 
@@ -144,16 +144,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -319,11 +314,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { @@ -370,11 +361,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.psm1 index 2ccc2c6f62..bc7330e072 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner.psm1 @@ -180,16 +180,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) 
@@ -383,11 +378,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { @@ -434,11 +425,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.psm1 index fe9183d21a..b0394cf002 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile/MSFT_IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile.psm1 
@@ -144,16 +144,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -318,11 +313,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { @@ -369,11 +360,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/MSFT_IntuneWifiConfigurationPolicyAndroidForWork.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/MSFT_IntuneWifiConfigurationPolicyAndroidForWork.psm1 index 4a3eeb2618..dc2aa0fb63 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/MSFT_IntuneWifiConfigurationPolicyAndroidForWork.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidForWork/MSFT_IntuneWifiConfigurationPolicyAndroidForWork.psm1 @@ -144,16 +144,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) 
@@ -318,11 +313,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { @@ -369,11 +360,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject.psm1 index 1c0da717d3..b04067e070 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneWifiConfigurationPolicyAndroidOpenSourceProject.psm1 
@@ -154,16 +154,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -336,11 +331,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { @@ -387,11 +378,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/MSFT_IntuneWifiConfigurationPolicyIOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/MSFT_IntuneWifiConfigurationPolicyIOS.psm1 index 826198a0f1..17ec43cea7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/MSFT_IntuneWifiConfigurationPolicyIOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyIOS/MSFT_IntuneWifiConfigurationPolicyIOS.psm1 @@ -175,16 +175,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -374,11 +369,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -425,11 +416,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceConfigurations' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/MSFT_IntuneWifiConfigurationPolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/MSFT_IntuneWifiConfigurationPolicyMacOS.psm1 index b71edd1783..a3df76d07d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/MSFT_IntuneWifiConfigurationPolicyMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyMacOS/MSFT_IntuneWifiConfigurationPolicyMacOS.psm1 
@@ -170,16 +170,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -365,11 +360,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -416,11 +407,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceConfigurations' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/MSFT_IntuneWifiConfigurationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/MSFT_IntuneWifiConfigurationPolicyWindows10.psm1 index b8d398c81e..5d2967c4b1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/MSFT_IntuneWifiConfigurationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWifiConfigurationPolicyWindows10/MSFT_IntuneWifiConfigurationPolicyWindows10.psm1 
@@ -186,16 +186,11 @@ function Get-TargetResource $assignmentsValues = Get-MgBetaDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -394,11 +389,7 @@ function Set-TargetResource #region resource generator code $policy = New-MgBetaDeviceManagementDeviceConfiguration @CreateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -445,11 +436,7 @@ function Set-TargetResource #region resource generator code Update-MgBetaDeviceManagementDeviceConfiguration @UpdateParameters ` -DeviceConfigurationId $currentInstance.Id - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceConfigurations' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 index ea832f5730..2a4c8a1349 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 @@ -633,11 +633,7 @@ function Set-TargetResource $policy = New-MgBetaDeviceAppManagementMdmWindowsInformationProtectionPolicy -BodyParameter $CreateParameters #endregion - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -672,11 +668,7 @@ function Set-TargetResource -BodyParameter $UpdateParameters #endregion - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceAppManagement/mdmWindowsInformationProtectionPolicies' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 index 5e8f837fd0..3600ab491f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 
@@ -142,18 +142,11 @@ function Get-TargetResource $uri = "/beta/deviceManagement/windowsDriverUpdateProfiles/$($Id)/assignments" $assignmentsValues = (Invoke-MgGraphRequest -Method GET -Uri $uri).value $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -277,11 +270,7 @@ function Set-TargetResource #region resource generator code $uri = '/beta/deviceManagement/windowsDriverUpdateProfiles' $policy = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $($CreateParameters | ConvertTo-Json) - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
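Review bot: The added `ConvertFrom-IntunePolicyAssignment` call is fed the raw `(Invoke-MgGraphRequest -Method GET -Uri $uri).value` result, but the converter reads `$assignment.Target.AdditionalProperties."@odata.type"` and `.AdditionalProperties.groupId` (see the M365DSCDRGUtil.psm1 hunk), while the removed loop read `$assignmentEntry.Target.'@odata.type'` and `$assignmentEntry.Target.groupId` directly. If the raw response carries no `AdditionalProperties` member, as the removed code suggests, `dataType` and `groupId` come back empty and the exported assignments lose their targets. Either fetch the assignments through a typed SDK cmdlet, or have the converter fall back to `$assignment.Target.'@odata.type'` and `$assignment.Target.groupId` when `AdditionalProperties` is null. Get-TargetResource continues outside the hunk.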
@@ -311,11 +300,7 @@ function Set-TargetResource #region resource generator code $uri = "/beta/deviceManagement/windowsDriverUpdateProfiles/$($currentInstance.Id)" Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $($UpdateParameters | ConvertTo-Json) - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentInstance.Id ` -Targets $assignmentsHash ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.psm1 index 8d17322aca..9dd8e35d04 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.psm1 
@@ -143,18 +143,11 @@ function Get-TargetResource } $assignmentsValues = Get-MgBetaDeviceManagementWindowsFeatureUpdateProfileAssignment -WindowsFeatureUpdateProfileId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + if ($assignmentsValues.Count -gt 0) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - { - $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString() - }) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue + $assignmentResult += ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($assignmentsValues) } $results.Add('Assignments', $assignmentResult) @@ -281,11 +274,7 @@ function Set-TargetResource #region resource generator code $CreateParameters.Add("@odata.type", "#microsoft.graph.WindowsFeatureUpdateProfile") $policy=New-MgBetaDeviceManagementWindowsFeatureUpdateProfile -BodyParameter $CreateParameters - $assignmentsHash=@() - foreach($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments if ($policy.id) { 
@@ -320,11 +309,7 @@ function Set-TargetResource -WindowsFeatureUpdateProfileId $currentInstance.Id ` -BodyParameter $UpdateParameters - $assignmentsHash = @() - foreach ($assignment in $Assignments) - { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment - } + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentInstance.id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/windowsFeatureUpdateProfiles' diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 412350e301..2b5c3f7ae4 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -1147,11 +1147,12 @@ function ConvertFrom-IntunePolicyAssignment $hashAssignment = @{} $dataType = $assignment.Target.AdditionalProperties."@odata.type" $groupId = $assignment.Target.AdditionalProperties.groupId + $collectionId = $assignment.Target.AdditionalProperties.collectionId - $hashAssignment.add('dataType',$dataType) + $hashAssignment.Add('dataType',$dataType) if (-not [string]::IsNullOrEmpty($groupId)) { - $hashAssignment.add('groupId', $groupId) + $hashAssignment.Add('groupId', $groupId) $group = Get-MgGroup -GroupId ($groupId) -ErrorAction SilentlyContinue if ($null -ne $group) @@ -1159,6 +1160,10 @@ function ConvertFrom-IntunePolicyAssignment $groupDisplayName = $group.DisplayName } } + if (-not [string]::IsNullOrEmpty($collectionId)) + { + $hashAssignment.Add('collectionId', $collectionId) + } if ($dataType -eq '#microsoft.graph.allLicensedUsersAssignmentTarget') { $groupDisplayName = 'All users' 
@@ -1169,24 +1174,24 @@ function ConvertFrom-IntunePolicyAssignment } if ($null -ne $groupDisplayName) { - $hashAssignment.add('groupDisplayName', $groupDisplayName) + $hashAssignment.Add('groupDisplayName', $groupDisplayName) } if ($IncludeDeviceFilter) { if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterType) { - $hashAssignment.add('deviceAndAppManagementAssignmentFilterType', $assignment.Target.DeviceAndAppManagementAssignmentFilterType.ToString()) + $hashAssignment.Add('deviceAndAppManagementAssignmentFilterType', $assignment.Target.DeviceAndAppManagementAssignmentFilterType.ToString()) } if ($null -ne $assignment.Target.DeviceAndAppManagementAssignmentFilterId) { - $hashAssignment.add('deviceAndAppManagementAssignmentFilterId', $assignment.Target.DeviceAndAppManagementAssignmentFilterId) + $hashAssignment.Add('deviceAndAppManagementAssignmentFilterId', $assignment.Target.DeviceAndAppManagementAssignmentFilterId) } } $assignmentResult += $hashAssignment } - return $assignmentResult + return ,$assignmentResult } function ConvertTo-IntunePolicyAssignment 
@@ -1207,16 +1212,17 @@ function ConvertTo-IntunePolicyAssignment $target = @{"@odata.type" = $assignment.dataType} if ($IncludeDeviceFilter) { - if ($null -ne $assignment.DeviceAndAppManagementAssignmentFilterId) - { - $target.add('deviceAndAppManagementAssignmentFilterId', $assignment.DeviceAndAppManagementAssignmentFilterId) - } if ($null -ne $assignment.DeviceAndAppManagementAssignmentFilterType) { - $target.add('deviceAndAppManagementAssignmentFilterType',$assignment.DeviceAndAppManagementAssignmentFilterType) + $target.Add('deviceAndAppManagementAssignmentFilterType', $assignment.DeviceAndAppManagementAssignmentFilterType) + $target.Add('deviceAndAppManagementAssignmentFilterId', $assignment.DeviceAndAppManagementAssignmentFilterId) } } - if ($assignment.dataType -like '*GroupAssignmentTarget') + if ($assignment.dataType -like '*CollectionAssignmentTarget') + { + $target.add('collectionId', $assignment.collectionId) + } + elseif ($assignment.dataType -like '*GroupAssignmentTarget') { $group = Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue if ($null -eq $group) @@ -1228,14 +1234,14 @@ function ConvertTo-IntunePolicyAssignment { $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." - write-verbose -Message $message + Write-Verbose -Message $message $target = $null } - if ($group -and $group.count -gt 1) + if ($group -and $group.Count -gt 1) { $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it is not unique in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - write-verbose -Message $message + Write-Verbose -Message $message $group = $null $target = $null } 
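Review bot: The rewritten filter block adds `deviceAndAppManagementAssignmentFilterId` only inside the `DeviceAndAppManagementAssignmentFilterType` null check, so an assignment that specifies a filter id without a filter type now loses the filter silently and the policy would presumably reach the whole target instead of the filtered subset. The id is also added without its own null check. I would keep the two checks independent, or log when an id is dropped, e.g. `if ($null -ne $assignment.DeviceAndAppManagementAssignmentFilterId) { $target.Add('deviceAndAppManagementAssignmentFilterId', $assignment.DeviceAndAppManagementAssignmentFilterId) }`. The new `*CollectionAssignmentTarget` branch still uses `$target.add(...)` where the rest of the hunk was normalised to `.Add`, and it does not check `collectionId` for empty. The function starts and ends outside the hunk.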
@@ -1244,14 +1250,14 @@ function ConvertTo-IntunePolicyAssignment { $message = "Skipping assignment for the group with Id {$($assignment.groupId)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - write-verbose -Message $message + Write-Verbose -Message $message $target = $null } } #Skipping assignment if group not found from either groupId or groupDisplayName if ($null -ne $group) { - $target.add('groupId',$group.Id) + $target.Add('groupId', $group.Id) } } @@ -1280,7 +1286,7 @@ function Compare-M365DSCIntunePolicyAssignment { foreach ($assignment in $Source) { - if ($assignment.dataType -like '*groupAssignmentTarget') + if ($assignment.dataType -like '*AssignmentTarget') { $assignmentTarget = $Target | Where-Object -FilterScript { $_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId } $testResult = $null -ne $assignmentTarget @@ -2007,4 +2013,4 @@ function Update-IntuneDeviceConfigurationPolicy return $null } -} \ No newline at end of file +} diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 index 9f543a8eef..d43e461f56 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 @@ -248,6 +248,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should Reverse Engineer resource from the Export method' { $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.Tests.ps1 index b0aedbe068..4d5e9e8d1d 100644 
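Review bot: Widening the match to `'*AssignmentTarget'` in Compare-M365DSCIntunePolicyAssignment sends collection targets through a predicate that still compares only `dataType` and `groupId`, so two `configurationManagerCollectionAssignmentTarget` entries with different `collectionId` values compare as equal because both have an empty `groupId`. As far as this hunk shows, a policy assigned to a different collection than the one declared would then pass the drift check. Include the collection in the predicate: `$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId -and $_.collectionId -eq $assignment.collectionId`. The rest of the function is outside the hunk.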
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager.Tests.ps1 @@ -50,12 +50,21 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } - Mock -CommandName Get-DeviceManagementConfigurationPolicyAssignment -MockWith { + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { return @(@{ - - dataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - collectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' - }) + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.configurationManagerCollectionAssignmentTarget' + collectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) } Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } @@ -98,8 +107,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Assignments = @( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ - DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + DataType = '#microsoft.graph.configurationManagerCollectionAssignmentTarget' + CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential 
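Review bot: The new mock for `Get-MgBetaDeviceManagementConfigurationPolicyAssignment` wraps `AdditionalProperties` in `@( @{ ... } )`, an array holding one hashtable, whereas the converter in M365DSCDRGUtil.psm1 treats it as a single dictionary (`$assignment.Target.AdditionalProperties.collectionId`). The lookup resolves today only through PowerShell member enumeration; a plain hashtable, `AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.configurationManagerCollectionAssignmentTarget'; collectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' }`, matches the shape the code expects and keeps the test valid if the converter later switches to key lookups. A context whose desired `CollectionId` differs from the mocked one would also cover the comparison path for collection targets, which none of the visible contexts appear to exercise.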
@@ -133,8 +142,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ - DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + DataType = '#microsoft.graph.configurationManagerCollectionAssignmentTarget' + CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential @@ -177,12 +186,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) }) } - } AdditionalProperties = $null } } - Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { } } @@ -196,7 +204,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the instance from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-DeviceManagementConfigurationPolicy -Exactly 1 + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 } } @@ -210,8 +218,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' Assignments = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ - DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + DataType = '#microsoft.graph.configurationManagerCollectionAssignmentTarget' + CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) } @@ -248,7 +256,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) }) } - } AdditionalProperties = $null } 
@@ -265,8 +272,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Assignments = @( (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ - DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' - CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + DataType = '#microsoft.graph.configurationManagerCollectionAssignmentTarget' + CollectionId = '26d60dd1-fab6-47bf-8656-358194c1a49d' } -ClientOnly) ) Credential = $Credential @@ -308,7 +315,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) }) } - } AdditionalProperties = $null } @@ -372,7 +378,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) }) } - } AdditionalProperties = $null } @@ -381,6 +386,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should Reverse Engineer resource from the Export method' { $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 index bd2a7728fb..2a5931782d 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 @@ -343,6 +343,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should Reverse Engineer resource from the Export method' { $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty } } } From f16e44bb808a6e896e33bac68b1c4c59181b7ccd Mon Sep 17 00:00:00 2001 
From: Fabien Tschanz Date: Sat, 15 Jun 2024 02:18:38 +0200 Subject: [PATCH 04/26] Fix Intune device remedation assignment --- CHANGELOG.md | 6 + .../MSFT_IntuneDeviceRemediation.psm1 | 156 ++++++++++++++---- .../MSFT_IntuneDeviceRemediation.schema.mof | 23 ++- .../IntuneDeviceRemediation/1-Create.ps1 | 17 +- .../IntuneDeviceRemediation/2-Update.ps1 | 17 +- ...ft365DSC.IntuneDeviceRemediation.Tests.ps1 | 134 +++++++++++++++ 6 files changed, 313 insertions(+), 40 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a978c34374..4381c79c00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* IntuneDeviceRemediation + * Fix invalid assignment export and import. + FIXES [#4726](https://github.com/microsoft/Microsoft365DSC/issues/4726) + # 1.24.612.1 * IntuneAppConfigurationDevicePolicy diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 index 9f57d74e78..52e6061070 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 
@@ -228,18 +228,22 @@ function Get-TargetResource AccessTokens = $AccessTokens #endregion } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceHealthScriptAssignment -DeviceHealthScriptId $Id $assignmentResult = @() - foreach ($assignmentEntry in $AssignmentsValues) + foreach ($assignment in $assignmentsValues) { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) - {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId + $assignmentResult += @{ + RunRemediationScript = $assignment.RunRemediationScript + RunSchedule = @{ + DataType = $assignment.RunSchedule.AdditionalProperties.'@odata.type' + Date = $assignment.RunSchedule.AdditionalProperties.date + Interval = $assignment.RunSchedule.Interval + Time = Get-Date -Format 'HH:mm:ss' -Date $assignment.RunSchedule.AdditionalProperties.time + UseUtc = $assignment.RunSchedule.AdditionalProperties.useUtc + } + Assignment = ConvertFrom-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignment $assignment } - $assignmentResult += $assignmentValue } $results.Add('Assignments', $assignmentResult) 
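Review bot: `Time = Get-Date -Format 'HH:mm:ss' -Date $assignment.RunSchedule.AdditionalProperties.time` runs for every assignment, but the schema added in this patch says the time does not apply to hourly schedules. For those the property is presumably absent, and `Get-Date -Date $null` fails parameter binding. Read the value first and convert only when it is present, e.g. `Time = $(if ($null -ne $time) { Get-Date -Format 'HH:mm:ss' -Date $time })`. The mock added to the unit tests only covers a run-once schedule, so this path is not exercised. Get-TargetResource begins and ends outside this hunk, so I cannot see how an error here is handled.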
@@ -397,14 +401,43 @@ function Set-TargetResource $assignmentsHash = @() foreach ($assignment in $Assignments) { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + $assignmentTarget = ConvertTo-IntunePolicyAssignment -Assignments $assignment.Assignment + $runSchedule = $null + if ($null -ne $assignment.RunSchedule.DataType) { + $runSchedule = @{ + '@odata.type' = $assignment.RunSchedule.DataType + } + if (-not [string]::IsNullOrEmpty($assignment.RunSchedule.Date)) + { + $runSchedule.Add('date', $assignment.RunSchedule.Date) + } + if (-not [string]::IsNullOrEmpty($assignment.RunSchedule.Interval)) + { + $runSchedule.Add('interval', $assignment.RunSchedule.Interval) + } + if (-not [string]::IsNullOrEmpty($assignment.RunSchedule.Time)) + { + $runSchedule.Add('time', $assignment.RunSchedule.Time) + } + if (-not [string]::IsNullOrEmpty($assignment.RunSchedule.UseUtc)) + { + $runSchedule.Add('useUtc', $assignment.RunSchedule.UseUtc) + } + } + $assignmentsHash += @{ + runRemediationScript = $assignment.RunRemediationScript + runSchedule = $runSchedule + target = $assignmentTarget.target + } } - if ($policy.id) + if ($policy.Id) { - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceHealthScripts' + $uri = "/beta/deviceManagement/deviceHealthScripts/$($policy.Id)/assign" + $body = @{ + deviceHealthScriptAssignments = $assignmentsHash + } | ConvertTo-Json -Depth 20 + Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ErrorAction Stop 4> $null } #endregion } 
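Review bot: `target = $assignmentTarget.target` goes into the `/assign` body without checking that the conversion produced a target. As far as this hunk shows, an `Assignments` entry with no nested `Assignment` instance ends up posting `target = $null`, and the problem surfaces as a Graph error rather than a configuration error. A guard before the conversion makes the requirement explicit: `if ($null -eq $assignment.Assignment) { throw 'Each IntuneDeviceRemediation assignment requires an Assignment target.' }`. The update branch (hunk at -433,20) repeats the same loop verbatim and has the same gap. Set-TargetResource begins and ends outside this hunk.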
@@ -433,20 +466,49 @@ function Set-TargetResource Update-MgBetaDeviceManagementDeviceHealthScript ` -DeviceHealthScriptId $currentInstance.Id ` -BodyParameter $UpdateParameters + $assignmentsHash = @() foreach ($assignment in $Assignments) { - $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + $assignmentTarget = ConvertTo-IntunePolicyAssignment -Assignments $assignment.Assignment + $runSchedule = $null + if ($null -ne $assignment.RunSchedule.DataType) { + $runSchedule = @{ + '@odata.type' = $assignment.RunSchedule.DataType + } + if (-not [string]::IsNullOrEmpty($assignment.RunSchedule.Date)) + { + $runSchedule.Add('date', $assignment.RunSchedule.Date) + } + if (-not [string]::IsNullOrEmpty($assignment.RunSchedule.Interval)) + { + $runSchedule.Add('interval', $assignment.RunSchedule.Interval) + } + if (-not [string]::IsNullOrEmpty($assignment.RunSchedule.Time)) + { + $runSchedule.Add('time', $assignment.RunSchedule.Time) + } + if (-not [string]::IsNullOrEmpty($assignment.RunSchedule.UseUtc)) + { + $runSchedule.Add('useUtc', $assignment.RunSchedule.UseUtc) + } + } + $assignmentsHash += @{ + runRemediationScript = $assignment.RunRemediationScript + runSchedule = $runSchedule + target = $assignmentTarget.target + } } - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $currentInstance.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceHealthScripts' + $uri = "/beta/deviceManagement/deviceHealthScripts/$($currentInstance.Id)/assign" + $body = @{ + deviceHealthScriptAssignments = $assignmentsHash + } | ConvertTo-Json -Depth 20 + Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ErrorAction Stop 4> $null #endregion } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Removing the Intune Device Remediation with Id {$($currentInstance.Id)}" + Write-Verbose -Message "Removing the Intune Device Remediation with Id 
{$($currentInstance.Id)}" #region resource generator code Remove-MgBetaDeviceManagementDeviceHealthScript -DeviceHealthScriptId $currentInstance.Id #endregion @@ -582,17 +644,39 @@ function Test-TargetResource { $source = $PSBoundParameters.$key $target = $CurrentValues.$key - if ($source.getType().Name -like '*CimInstance*') + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) + if ($key -eq "Assignments") + { + [hashtable[]]$sourcesWithoutAssignment = @() + foreach ($sourceObject in $source) + { + $sourceWithoutAssignment = $sourceObject.Clone() + $sourcesWithoutAssignment += $sourceWithoutAssignment + } + + [hashtable[]]$targetsWithoutAssignment = @() + foreach ($targetObject in $target) + { + $targetWithoutAssignment = $targetObject.Clone() + $targetsWithoutAssignment += $targetWithoutAssignment + } - if (-Not $testResult) + $testResult = Compare-M365DSCComplexObject ` + -Source ($sourcesWithoutAssignment) ` + -Target ($targetsWithoutAssignment) + } + else + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + } + + if (-not $testResult) { - $testResult = $false break } @@ -600,11 +684,8 @@ function Test-TargetResource } } - $ValuesToCheck.remove('Id') | Out-Null - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" 
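Review bot: In the Test-TargetResource hunk (-582,17), the `Assignments` branch clones each entry into `$sourcesWithoutAssignment` and `$targetsWithoutAssignment` but never removes anything from the clones, so `Compare-M365DSCComplexObject` receives the same data as in the `else` branch. The variable names suggest the nested `Assignment` target was meant to be stripped and compared on its own. If so, the `Remove('Assignment')` call and the separate target comparison are missing; if not, the branch can be deleted. As written, detecting drift in who a remediation script is assigned to depends entirely on how the generic comparer handles the nested hashtable. Test-TargetResource begins and ends outside this hunk.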
@@ -752,7 +833,15 @@ function Export-TargetResource } if ($Results.Assignments) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + foreach ($assignment in $Results.Assignments) + { + $runSchedule = Get-M365DSCDRGComplexTypeToString -ComplexObject $assignment.RunSchedule -CIMInstanceName MSFT_IntuneDeviceRemediationRunSchedule + $assignment.RunSchedule = $runSchedule + $target = Get-M365DSCDRGComplexTypeToString -ComplexObject $assignment.Assignment -CIMInstanceName MSFT_DeviceManagementConfigurationPolicyAssignments + $assignment.Assignment = $target | Select-Object -First 1 + $assignment = Get-M365DSCDRGComplexTypeToString -ComplexObject $assignment -CIMInstanceName MSFT_IntuneDeviceRemediationPolicyAssignments + } + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName MSFT_IntuneDeviceRemediationPolicyAssignments if ($complexTypeStringResult) { $Results.Assignments = $complexTypeStringResult @@ -777,7 +866,10 @@ function Export-TargetResource } if ($Results.Assignments) { - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -isCIMArray:$true + $currentDSCBlock = (Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -isCIMArray:$true).Replace("''", "'") + $currentDSCBlock = [Regex]::Replace($currentDSCBlock, "Assignment = '\r\n ", "Assignment = ") + $currentDSCBlock = $currentDSCBlock.Replace("RunSchedule = '", "RunSchedule = ").Replace("}'", "}") + $currentDSCBlock = [Regex]::Replace($currentDSCBlock, "\r\n '", "") } $dscContent += $currentDSCBlock 
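Review bot: The last statement of the new `foreach`, `$assignment = Get-M365DSCDRGComplexTypeToString -ComplexObject $assignment -CIMInstanceName MSFT_IntuneDeviceRemediationPolicyAssignments`, only rebinds the loop variable, so its result is discarded. The two assignments above it mutate the hashtable in place and do take effect, and the conversion after the loop then processes `$Results.Assignments` as a whole. I would remove the dead line, or collect the per-item strings into a new array if that was the intent. Export-TargetResource begins and ends outside this hunk.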
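Review bot: In the second hunk (-777,7), `.Replace("''", "'")` and `.Replace("}'", "}")` run over the whole `$currentDSCBlock`, not only the `Assignments` text. An escaped apostrophe in any other exported string (a display name or description, for instance) is therefore un-escaped, and the generated configuration may no longer parse or may carry a different value than the tenant holds. Applying the clean-up to the assignment string before it is merged into the block would avoid touching unrelated values. The two `[Regex]::Replace` patterns also hard-code `\r\n`; `\r?\n` would match a block built with either line ending.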
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof
index 793acac5cb..9270cfc537 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof
@@ -8,7 +8,26 @@ class MSFT_DeviceManagementConfigurationPolicyAssignments [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; }; -[ClassVersion("1.0.0")] + +[ClassVersion("1.0.0.0")] +class MSFT_IntuneDeviceRemediationRunSchedule +{ + [Write, Description("The type of the schedule."), ValueMap{"#microsoft.graph.deviceHealthScriptRunOnceSchedule","#microsoft.graph.deviceHealthScriptHourlySchedule","#microsoft.graph.deviceHealthScriptDailySchedule"}, Values{"#microsoft.graph.deviceHealthScriptRunOnceSchedule","#microsoft.graph.deviceHealthScriptHourlySchedule","#microsoft.graph.deviceHealthScriptDailySchedule"}] String dataType; + [Write, Description("The date when to run the schedule. Only applicable when the odataType is a run once schedule. Format: 2024-01-01")] String Date; + [Write, Description("The interval of the schedule. Must be 1 in case of a run once schedule.")] UInt32 Interval; + [Write, Description("The time when to run the schedule. Only applicable when the dataType is not an hourly schedule. Format: 01:00:00")] String Time; + [Write, Description("If to use UTC as the time source. 
Only applicable when the dataType is not an hourly schedule.")] Boolean UseUtc; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_IntuneDeviceRemediationPolicyAssignments +{ + [Write, Description("If the remediation script should be run.")] Boolean RunRemediationScript; + [Write, Description("The run schedule of the remediation."), EmbeddedInstance("MSFT_IntuneDeviceRemediationRunSchedule")] String RunSchedule; + [Write, Description("Represents the assignment of the schedule."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignment; +}; + +[ClassVersion("1.0.0.0")] class MSFT_MicrosoftGraphDeviceHealthScriptParameter { [Write, Description("Whether Apply DefaultValue When Not Assigned")] Boolean ApplyDefaultValueWhenNotAssigned; @@ -35,7 +54,7 @@ class MSFT_IntuneDeviceRemediation : OMI_BaseResource [Write, Description("Indicate whether PowerShell script(s) should run as 32-bit")] Boolean RunAs32Bit; [Write, Description("Indicates the type of execution context. Possible values are: system, user."), ValueMap{"system","user"}, Values{"system","user"}] String RunAsAccount; [Key, Description("The unique identifier for an entity. Read-only.")] String Id; - [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_IntuneDeviceRemediationPolicyAssignments")] String Assignments[]; [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; 
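Review bot: Changing the `EmbeddedInstance` of `Assignments` from `MSFT_DeviceManagementConfigurationPolicyAssignments` to `MSFT_IntuneDeviceRemediationPolicyAssignments` means configurations written against the previous schema will presumably stop compiling. The changelog entry in this patch only says "Fix invalid assignment export and import". I would mark it there as a breaking change so users know to re-export or rewrite their `Assignments` blocks. Separately, in the new `MSFT_IntuneDeviceRemediationRunSchedule` class (previous hunk), the `Date` description refers to `odataType` while the property is named `dataType`.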
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/1-Create.ps1 index 47145d4c9a..0910babcef 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/1-Create.ps1 @@ -16,9 +16,20 @@ Configuration Example IntuneDeviceRemediation 'ConfigureDeviceRemediation' { Assignments = @( - MSFT_DeviceManagementConfigurationPolicyAssignments{ - deviceAndAppManagementAssignmentFilterType = 'none' - dataType = '#microsoft.graph.allDevicesAssignmentTarget' + MSFT_IntuneDeviceRemediationPolicyAssignments{ + RunSchedule = MSFT_IntuneDeviceRemediationRunSchedule{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } + RunRemediationScript = $False + Assignment = MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } } ); Credential = $Credscredential diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/2-Update.ps1 index dc4bef9bde..116faa673a 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/2-Update.ps1 
@@ -16,9 +16,20 @@ Configuration Example IntuneDeviceRemediation 'ConfigureDeviceRemediation' { Assignments = @( - MSFT_DeviceManagementConfigurationPolicyAssignments{ - deviceAndAppManagementAssignmentFilterType = 'none' - dataType = '#microsoft.graph.allDevicesAssignmentTarget' + MSFT_IntuneDeviceRemediationPolicyAssignments{ + RunSchedule = MSFT_IntuneDeviceRemediationRunSchedule{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } + RunRemediationScript = $False + Assignment = MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } } ); Credential = $Credscredential diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceRemediation.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceRemediation.Tests.ps1 index 5b991519be..d354e20c66 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceRemediation.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceRemediation.Tests.ps1 
@@ -56,12 +56,56 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $Script:ExportMode = $false Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScriptAssignment -MockWith { + return @( + @{ + Id = "FakeStringValue" + RunRemediationScript = $False + RunSchedule = @{ + Interval = 1 + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.deviceHealthScriptRunOnceSchedule" + useUtc = $false + time = "01:00:00.0000000" + date = "2024-01-01" + } + } + Target = @{ + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.groupAssignmentTarget" + groupId = "FakeStringValue" + } + "DeviceAndAppManagementAssignmentFilterId" = "FakeStringValue" + "DeviceAndAppManagementAssignmentFilterType" = "none" + } + DeviceHealthScriptId = "FakeStringValue" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + } + ) } } # Test contexts Context -Name "The IntuneDeviceRemediation should exist but it DOES NOT" -Fixture { BeforeAll { $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_IntuneDeviceRemediationPolicyAssignments -Property @{ + RunSchedule = New-CimInstance -ClassName MSFT_IntuneDeviceRemediationRunSchedule -Property @{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } -ClientOnly + RunRemediationScript = $False + Assignment = New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + deviceAndAppManagementAssignmentFilterId = 'FakeStringValue' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = 'FakeStringValue' + } -ClientOnly + } -ClientOnly) + ) Description = "FakeStringValue" DetectionScriptContent = "VGVzdA==" # "Test" DetectionScriptParameters = [CimInstance[]]@( 
@@ -116,6 +160,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The IntuneDeviceRemediation exists but it SHOULD NOT" -Fixture { BeforeAll { $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_IntuneDeviceRemediationPolicyAssignments -Property @{ + RunSchedule = New-CimInstance -ClassName MSFT_IntuneDeviceRemediationRunSchedule -Property @{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } -ClientOnly + RunRemediationScript = $False + Assignment = New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + deviceAndAppManagementAssignmentFilterId = 'FakeStringValue' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = 'FakeStringValue' + } -ClientOnly + } -ClientOnly) + ) Description = "FakeStringValue" DetectionScriptContent = "VGVzdA==" # "Test" DetectionScriptParameters = [CimInstance[]]@( 
@@ -153,6 +215,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScript -MockWith { return @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_IntuneDeviceRemediationPolicyAssignments -Property @{ + RunSchedule = New-CimInstance -ClassName MSFT_IntuneDeviceRemediationRunSchedule -Property @{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } -ClientOnly + RunRemediationScript = $False + Assignment = New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + deviceAndAppManagementAssignmentFilterId = 'FakeStringValue' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = 'FakeStringValue' + } -ClientOnly + } -ClientOnly) + ) Description = "FakeStringValue" DetectionScriptContent = [byte[]] @(84, 101, 115, 116) DetectionScriptParameters = @( 
@@ -205,6 +285,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The IntuneDeviceRemediation Exists and Values are already in the desired state" -Fixture { BeforeAll { $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_IntuneDeviceRemediationPolicyAssignments -Property @{ + RunSchedule = New-CimInstance -ClassName MSFT_IntuneDeviceRemediationRunSchedule -Property @{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } -ClientOnly + RunRemediationScript = $False + Assignment = New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + deviceAndAppManagementAssignmentFilterId = 'FakeStringValue' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = 'FakeStringValue' + } -ClientOnly + } -ClientOnly) + ) Description = "FakeStringValue" DetectionScriptContent = "VGVzdA==" # "Test" DetectionScriptParameters = [CimInstance[]]@( 
@@ -286,6 +384,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Context -Name "The IntuneDeviceRemediation exists and values are NOT in the desired state" -Fixture { BeforeAll { $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_IntuneDeviceRemediationPolicyAssignments -Property @{ + RunSchedule = New-CimInstance -ClassName MSFT_IntuneDeviceRemediationRunSchedule -Property @{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } -ClientOnly + RunRemediationScript = $False + Assignment = New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + deviceAndAppManagementAssignmentFilterId = 'FakeStringValue' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = 'FakeStringValue' + } -ClientOnly + } -ClientOnly) + ) Description = "FakeStringValue" DetectionScriptContent = "VGVzdA==" # "Test" DetectionScriptParameters = [CimInstance[]]@( 
@@ -375,6 +491,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScript -MockWith { return @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_IntuneDeviceRemediationPolicyAssignments -Property @{ + RunSchedule = New-CimInstance -ClassName MSFT_IntuneDeviceRemediationRunSchedule -Property @{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } -ClientOnly + RunRemediationScript = $False + Assignment = New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + deviceAndAppManagementAssignmentFilterId = 'FakeStringValue' + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = 'FakeStringValue' + } -ClientOnly + } -ClientOnly) + ) Description = "FakeStringValue" DetectionScriptContent = [byte[]] @(84, 101, 115, 116) DetectionScriptParameters = @( From 7c73b191f685168d5950e446b246788b2306f3db Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Sat, 15 Jun 2024 13:22:50 +0200 Subject: [PATCH 05/26] Allow null as parameter when converting Intune assignments --- Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 2b5c3f7ae4..647b6e5b44 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -1200,12 +1200,18 @@ function ConvertTo-IntunePolicyAssignment [OutputType([Hashtable[]])] param ( [Parameter(Mandatory = $true)] + [AllowNull()] $Assignments, [Parameter()] [System.Boolean] $IncludeDeviceFilter = $true ) + if ($null -eq $Assignments) + { + return ,@() + } + $assignmentResult = @() foreach ($assignment in $Assignments) { 
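Review bot: In the `ConvertTo-IntunePolicyAssignment` hunk, `[AllowNull()]` lets `$null` through, but a mandatory parameter still rejects an empty array unless `[AllowEmptyCollection()]` is also present. A caller passing `-Assignments @()` would, as far as I know, fail at parameter binding before reaching the new early return; this is worth a quick test. Adding `[AllowEmptyCollection()]` next to `[AllowNull()]` covers both ways of expressing "no assignments". The function body continues outside the hunk.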
From 5d1df8596852dbfe2c78609cd8b555382248b794 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Sat, 15 Jun 2024 13:47:20 +0200 Subject: [PATCH 06/26] Fix test cases and null output to file --- .../MSFT_IntuneASRRulesPolicyWindows10.psm1 | 2 +- ...tProtectionLocalAdministratorPasswordSolutionPolicy.psm1 | 6 +++--- ...tuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 | 2 +- .../MSFT_IntuneAccountProtectionPolicy.psm1 | 2 +- .../MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 | 2 +- ...eConfigurationAdministrativeTemplatePolicyWindows10.psm1 | 2 +- .../MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 | 2 +- .../MSFT_IntuneDiskEncryptionMacOS.psm1 | 2 +- ...T_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 | 2 +- .../Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 | 1 + ...uneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 | 2 +- 11 files changed, 13 insertions(+), 12 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 index cfbb8f492e..299e5c9e7b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1 
@@ -553,7 +553,7 @@ function Set-TargetResource #Using Rest to reduce the number of calls $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" $body = @{'settings' = $settings } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> $null #region Assignments $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index ebe2c1b9e3..9f1bf3b454 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 @@ -1154,7 +1154,7 @@ function Update-DeviceManagementConfigurationPolicy Invoke-MgGraphRequest -Method PUT ` -Uri $Uri ` -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> out-null + -Body ($policy | ConvertTo-Json -Depth 20) 4> $null } function Get-DeviceManagementConfigurationPolicyAssignment 
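Review bot: With the old `4> Out-Null`, the verbose stream was written to a file literally named `Out-Null` (or `out-null`) in the working directory. Machines that ran earlier versions will still have that file, holding whatever `Invoke-MgGraphRequest` emitted on the verbose stream. The diffstat for this patch lists no changelog file, so I would add an entry telling operators those files can be deleted and should be treated as possibly containing request details. The same redirect is corrected in the remaining hunks of this patch.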
@@ -1172,7 +1172,7 @@ function Get-DeviceManagementConfigurationPolicyAssignment $configurationPolicyAssignments = @() $Uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$DeviceManagementConfigurationPolicyId/assignments" - $results = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop 4> out-null + $results = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop 4> $null foreach ($result in $results.value.target) { $configurationPolicyAssignments += @{ @@ -1187,7 +1187,7 @@ function Get-DeviceManagementConfigurationPolicyAssignment while ($results.'@odata.nextLink') { $Uri = $results.'@odata.nextLink' - $results = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop 4> out-null + $results = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop 4> $null foreach ($result in $results.value.target) { $configurationPolicyAssignments += @{ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 index 2e4450f341..58d3d8bf32 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy/MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy.psm1 @@ -828,7 +828,7 @@ function Update-DeviceManagementConfigurationPolicy Invoke-MgGraphRequest -Method PUT ` -Uri $Uri ` -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> out-null + -Body ($policy | ConvertTo-Json -Depth 20) 4> $null } Export-ModuleMember -Function *-TargetResource 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 index b1991e4383..de5585c1c3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicy/MSFT_IntuneAccountProtectionPolicy.psm1 @@ -450,7 +450,7 @@ function Set-TargetResource #Using Rest to reduce the number of calls $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentPolicy.Identity)/updateSettings" $body = @{'settings' = $settings } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> $null #region Assignments $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index dbe036ce95..66650d1814 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 
@@ -1830,7 +1830,7 @@ function Update-IntuneDeviceConfigurationPolicy } $body = $policy | ConvertTo-Json -Depth 20 #write-verbose -Message $body - Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop 4> Out-Null + Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop 4> $null } catch diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 index 72ee2d7916..7b9c180d45 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 @@ -1006,7 +1006,7 @@ function Update-DeviceConfigurationGroupPolicyDefinitionValue 'deletedIds' = $DefinitionValueToRemoveIds } #Write-Verbose -Message ($body | ConvertTo-Json -Depth 100) - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ErrorAction Stop 4> Out-Null + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ErrorAction Stop 4> $null } catch { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index 9a94cdd9e2..dff34c84e4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 @@ -830,7 +830,7 @@ function Update-DeviceEnrollmentConfigurationPriority -Method POST ` -Body $body ` -Uri $Uri ` - -ErrorAction Stop 4> Out-Null + -ErrorAction Stop 4> $null } catch { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 index be66e1dcee..072a820729 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 @@ -372,7 +372,7 @@ function Set-TargetResource #region resource generator code $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$($currentInstance.Id)/updateSettings" $body = @{'settings' = $settings } - Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> Out-Null + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' 4> $null $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 index a219885cde..ed1cea2322 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 @@ -927,7 +927,7 @@ function Update-DeviceManagementConfigurationPolicy Invoke-MgGraphRequest -Method PUT ` -Uri $Uri ` -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> out-null + -Body ($policy | ConvertTo-Json -Depth 20) 4> $null } Export-ModuleMember -Function *-TargetResource diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 index d43e461f56..db536619f4 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicy.Tests.ps1 @@ -92,6 +92,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { value = $true } }) + TemplateId = '0f2b5d70-d4e9-4156-8c16-1397eb6c54a5' } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 index 2a5931782d..fc863b5c09 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 @@ -314,7 +314,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Description = 'My Test Description' Name = 'My Test' TemplateReference = @{ - TemplateId = '5dd36540-eb22-4e7e-b19c-2a07772ba627_1' + TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' } } } From e22bd4be50ede4e517413f9bdca21150087f71fa Mon Sep 17 00:00:00 2001 
From: Fabien Tschanz Date: Sat, 15 Jun 2024 14:07:49 +0200 Subject: [PATCH 07/26] Fix error when time is missing and export indenting --- .../MSFT_IntuneDeviceRemediation.psm1 | 43 +++++++++++++------ .../Modules/M365DSCDRGUtil.psm1 | 6 +-- 2 files changed, 34 insertions(+), 15 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 index 52e6061070..5f4a31dddd 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 @@ -233,16 +233,27 @@ function Get-TargetResource $assignmentResult = @() foreach ($assignment in $assignmentsValues) { + if (-not [System.String]::IsNullOrEmpty($assignment.RunSchedule.AdditionalProperties.time)) + { + $time = Get-Date -Format 'HH:mm:ss' -Date $assignment.RunSchedule.AdditionalProperties.time + } + else + { + $time = $null + } + $assignmentResult += @{ RunRemediationScript = $assignment.RunRemediationScript RunSchedule = @{ DataType = $assignment.RunSchedule.AdditionalProperties.'@odata.type' Date = $assignment.RunSchedule.AdditionalProperties.date Interval = $assignment.RunSchedule.Interval - Time = Get-Date -Format 'HH:mm:ss' -Date $assignment.RunSchedule.AdditionalProperties.time + Time = $time UseUtc = $assignment.RunSchedule.AdditionalProperties.useUtc } - Assignment = ConvertFrom-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignment $assignment + Assignment = (ConvertFrom-IntunePolicyAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments $assignment) | Select-Object -First 1 } } $results.Add('Assignments', $assignmentResult) 
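Review bot: The parentheses around the `ConvertFrom-IntunePolicyAssignment` call in the `Assignment =` entry are load-bearing and deserve a comment. This patch also changes that function to `return ,$assignmentResult`, so without the parentheses the pipeline would presumably hand `Select-Object -First 1` the whole array as a single item rather than its first element. A line such as `# Parentheses unroll the array-wrapped return value before Select-Object` above the entry would stop a later cleanup from removing them. `Get-TargetResource` starts and ends outside this hunk.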
@@ -833,16 +844,24 @@ function Export-TargetResource } if ($Results.Assignments) { - foreach ($assignment in $Results.Assignments) - { - $runSchedule = Get-M365DSCDRGComplexTypeToString -ComplexObject $assignment.RunSchedule -CIMInstanceName MSFT_IntuneDeviceRemediationRunSchedule - $assignment.RunSchedule = $runSchedule - $target = Get-M365DSCDRGComplexTypeToString -ComplexObject $assignment.Assignment -CIMInstanceName MSFT_DeviceManagementConfigurationPolicyAssignments - $assignment.Assignment = $target | Select-Object -First 1 - $assignment = Get-M365DSCDRGComplexTypeToString -ComplexObject $assignment -CIMInstanceName MSFT_IntuneDeviceRemediationPolicyAssignments - } - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName MSFT_IntuneDeviceRemediationPolicyAssignments - if ($complexTypeStringResult) + $complexMapping = @( + @{ + Name = 'RunSchedule' + CimInstanceName = 'IntuneDeviceRemediationRunSchedule' + IsRequired = $false + } + @{ + Name = 'Assignment' + CimInstanceName = 'DeviceManagementConfigurationPolicyAssignments' + IsRequired = $true + } + ) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Assignments ` + -CIMInstanceName 'MSFT_IntuneDeviceRemediationPolicyAssignments' ` + -ComplexTypeMapping $complexMapping + + if (-not [string]::IsNullOrEmpty($complexTypeStringResult)) { $Results.Assignments = $complexTypeStringResult } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 412350e301..fd423a90f5 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -1186,7 +1186,7 @@ function ConvertFrom-IntunePolicyAssignment $assignmentResult += $hashAssignment } - return $assignmentResult + return ,$assignmentResult } function ConvertTo-IntunePolicyAssignment 
@@ -1261,7 +1261,7 @@ function ConvertTo-IntunePolicyAssignment } } - return $assignmentResult + return ,$assignmentResult } function Compare-M365DSCIntunePolicyAssignment @@ -2007,4 +2007,4 @@ function Update-IntuneDeviceConfigurationPolicy return $null } -} \ No newline at end of file +} From 4d052d11fb512bf3942cfaa9dbddd750f3d507c0 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Sun, 16 Jun 2024 16:32:34 +0200 Subject: [PATCH 08/26] Cleanup Intune Device Remediation test --- .../MSFT_IntuneDeviceRemediation.psm1 | 31 ++----------------- 1 file changed, 3 insertions(+), 28 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 index 5f4a31dddd..cd8bc0af33 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 
@@ -657,34 +657,9 @@ function Test-TargetResource $target = $CurrentValues.$key if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - - if ($key -eq "Assignments") - { - [hashtable[]]$sourcesWithoutAssignment = @() - foreach ($sourceObject in $source) - { - $sourceWithoutAssignment = $sourceObject.Clone() - $sourcesWithoutAssignment += $sourceWithoutAssignment - } - - [hashtable[]]$targetsWithoutAssignment = @() - foreach ($targetObject in $target) - { - $targetWithoutAssignment = $targetObject.Clone() - $targetsWithoutAssignment += $targetWithoutAssignment - } - - $testResult = Compare-M365DSCComplexObject ` - -Source ($sourcesWithoutAssignment) ` - -Target ($targetsWithoutAssignment) - } - else - { - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) - } + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) if (-not $testResult) { From 8037a8d55f23b526bbf36335565ee45d343b9873 Mon Sep 17 00:00:00 2001 
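Review bot: With the `Get-M365DSCDRGComplexTypeToHashtable` conversion and the `Assignments` branch removed, `Test-TargetResource` depends entirely on `Compare-M365DSCComplexObject` accepting CimInstance input and comparing assignments correctly. This patch touches only MSFT_IntuneDeviceRemediation.psm1, and the helper change appears to arrive in the following patch, going by its CHANGELOG entry. If the helper returns `$true` when it should not, drift in the assigned groups or filters goes unreported, so a unit test that passes a mismatching `Assignments` value and expects `$false` is worth adding. The `Test-TargetResource` hunks in PATCH 09/26 drop the `Compare-M365DSCIntunePolicyAssignment` call in the same way and rely on the same helper behaviour. The function body continues outside this hunk.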
From: Fabien Tschanz Date: Sun, 16 Jun 2024 17:42:12 +0200 Subject: [PATCH 09/26] Update Intune assignment comparison and Resource generator --- CHANGELOG.md | 5 ++- ...FT_IntuneAppConfigurationDevicePolicy.psm1 | 13 ++---- .../MSFT_IntuneAppConfigurationPolicy.psm1 | 7 --- ...AdministrativeTemplatePolicyWindows10.psm1 | 7 +-- ...iceConfigurationCustomPolicyWindows10.psm1 | 6 --- ...rForEndpointOnboardingPolicyWindows10.psm1 | 6 --- ...onDeliveryOptimizationPolicyWindows10.psm1 | 7 --- ...onfigurationDomainJoinPolicyWindows10.psm1 | 7 --- ...figurationEmailProfilePolicyWindows10.psm1 | 7 --- ...tionEndpointProtectionPolicyWindows10.psm1 | 7 --- ...ationFirmwareInterfacePolicyWindows10.psm1 | 2 - ...onitoringConfigurationPolicyWindows10.psm1 | 2 - ...tionIdentityProtectionPolicyWindows10.psm1 | 2 - ...ImportedPfxCertificatePolicyWindows10.psm1 | 2 - ...viceConfigurationKioskPolicyWindows10.psm1 | 2 - ...urationNetworkBoundaryPolicyWindows10.psm1 | 2 - ...urationPkcsCertificatePolicyWindows10.psm1 | 2 - ...eviceConfigurationPlatformScriptMacOS.psm1 | 2 - ...iceConfigurationPlatformScriptWindows.psm1 | 2 - ...ationPolicyAndroidDeviceAdministrator.psm1 | 2 - ...ConfigurationPolicyAndroidDeviceOwner.psm1 | 2 - ...urationPolicyAndroidOpenSourceProject.psm1 | 2 - ...ConfigurationPolicyAndroidWorkProfile.psm1 | 45 ++----------------- ..._IntuneDeviceConfigurationPolicyMacOS.psm1 | 2 - ...uneDeviceConfigurationPolicyWindows10.psm1 | 30 +------------ ...FT_IntuneDeviceConfigurationPolicyiOS.psm1 | 2 - ...urationSCEPCertificatePolicyWindows10.psm1 | 2 - ...rationSecureAssessmentPolicyWindows10.psm1 | 2 - ...ationSharedMultiDevicePolicyWindows10.psm1 | 2 - ...tionTrustedCertificatePolicyWindows10.psm1 | 2 - ...DeviceConfigurationVpnPolicyWindows10.psm1 | 2 - ...nfigurationWindowsTeamPolicyWindows10.psm1 | 2 - ...neDeviceEnrollmentPlatformRestriction.psm1 | 2 - ...neDeviceEnrollmentStatusPageWindows10.psm1 | 2 - .../MSFT_IntuneDeviceRemediation.psm1 | 2 - 
.../MSFT_IntuneDiskEncryptionMacOS.psm1 | 19 +++++--- .../MSFT_IntunePolicySets.psm1 | 2 - ...neSettingCatalogCustomPolicyWindows10.psm1 | 1 - ...tDeploymentProfileAzureADHybridJoined.psm1 | 2 - ...topilotDeploymentProfileAzureADJoined.psm1 | 29 ------------ ...nProtectionPolicyWindows10MdmEnrolled.psm1 | 2 - ...rBusinessDriverUpdateProfileWindows10.psm1 | 2 - ...BusinessFeatureUpdateProfileWindows10.psm1 | 2 - ...ForBusinessRingUpdateProfileWindows10.psm1 | 29 ------------ .../Modules/M365DSCDRGUtil.psm1 | 42 +++++++++++------ ResourceGenerator/Module.Template.psm1 | 17 ++----- 46 files changed, 58 insertions(+), 282 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02793687f0..534e740286 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,8 +4,11 @@ * M365DSCDRGUtil * Add `collectionId` export to `ConvertFrom-IntunePolicyAssignment` + * Add handling for Intune assignments in `Compare-M365DSCComplexObject` +* M365DSCResourceGenerator + * Update CimInstance comparison template * MISC - * Add group display name export across Intune resources + * Add group display name export and update assignment comparison across Intune resources # 1.24.612.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1 index f51f6c6720..71d7b8a659 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1 
@@ -604,16 +604,9 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.GetType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - - if ($key -eq "Assignments") - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } - else - { - $testResult = Compare-M365DSCComplexObject -Source ($source) -Target ($target) - } + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) if (-not $testResult) { break } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 index 6446ea2caa..8e92264b4f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1 @@ -384,17 +384,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if ($key -eq 'Assignments') - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } - if (-Not $testResult) { $testResult = $false diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 index 7b9c180d45..ae48b63d05 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10/MSFT_IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10.psm1 @@ -695,10 +695,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source #Removing Key Definition because it is Read-Only and ID as random if ($key -eq 'DefinitionValues') { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source foreach ($definitionValue in $source) { $definitionValue.remove('Definition') @@ -727,11 +727,6 @@ function Test-TargetResource -Source ($source) ` -Target ($target) - if ($key -eq 'Assignments') - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } - if (-Not $testResult) { $testResult = $false diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 index 27267174c5..da76483b1d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 
@@ -488,16 +488,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if ($key -eq 'Assignments') - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } if (-Not $testResult) { $testResult = $false diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 index 138c7fe2ef..5568a023e3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10/MSFT_IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10.psm1 @@ -487,16 +487,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if ($key -eq 'Assignments') - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } if (-Not $testResult) { $testResult = $false 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 index c18fcfac7d..4e4b975bd7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10/MSFT_IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10.psm1 @@ -708,17 +708,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if ($key -eq 'Assignments') - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } - if (-Not $testResult) { $testResult = $false diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 index ce7e63783d..4d4c45f418 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10/MSFT_IntuneDeviceConfigurationDomainJoinPolicyWindows10.psm1 
@@ -448,17 +448,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if ($key -eq 'Assignments') - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } - if (-Not $testResult) { $testResult = $false diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 index 0e720a2bba..b56ea2d480 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10/MSFT_IntuneDeviceConfigurationEmailProfilePolicyWindows10.psm1 @@ -610,17 +610,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if ($key -eq 'Assignments') - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } - if (-Not $testResult) { $testResult = $false 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 index 9872636808..2f5fbf8a9c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1 @@ -4854,17 +4854,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if ($key -eq 'Assignments') - { - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - } - if (-Not $testResult) { $testResult = $false diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.psm1 index 64c2f2b991..851e04494c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10/MSFT_IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10.psm1 
@@ -850,8 +850,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 index ac5435abea..d3a39b0d4b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10.psm1 @@ -447,8 +447,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 index 7358cbd46a..df8e451d77 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationIdentityProtectionPolicyWindows10.psm1 @@ -596,8 +596,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.psm1 index e61597df42..c35a631d74 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10.psm1 @@ -511,8 +511,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10.psm1 index 0aef32a176..e6edd9ab77 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10/MSFT_IntuneDeviceConfigurationKioskPolicyWindows10.psm1 @@ -677,8 +677,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.psm1 index e43a2f4422..6ec8b19c2c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10/MSFT_IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10.psm1 @@ -442,8 +442,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.psm1 index 8629194fcb..361f4712c4 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationPkcsCertificatePolicyWindows10.psm1 @@ -631,8 +631,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 index 4d15e22d1d..c5d71eb505 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 @@ -486,8 +486,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 index ef5af3cd33..b525226577 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 @@ -469,8 +469,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 index 94da7aa3fa..33c1f163c8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator.psm1 @@ -1167,8 +1167,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) -verbose diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner.psm1 index 642ec46423..382afb0ab1 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner/MSFT_IntuneDeviceConfigurationPolicyAndroidDeviceOwner.psm1 @@ -2366,8 +2366,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) -verbose diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 index e0d7d742d1..c009f67f8c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject/MSFT_IntuneDeviceConfigurationPolicyAndroidOpenSourceProject.psm1 @@ -619,8 +619,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile.psm1 index 6a638c6dcb..e45f007810 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile/MSFT_IntuneDeviceConfigurationPolicyAndroidWorkProfile.psm1 @@ -948,48 +948,11 @@ function Test-TargetResource if ($CurrentValues.Assignments) { - if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count) - { - Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}" - return $false - } - foreach ($assignment in $CurrentValues.Assignments) - { - #GroupId Assignment - if (-not [String]::IsNullOrEmpty($assignment.groupId)) - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - #AllDevices/AllUsers assignment - else - { - $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.dataType -eq $assignment.dataType } - if (-not $source) - { - Write-Verbose -Message "Configuration drift: {$($assignment.dataType)} not found" - $testResult = $false - break - } - $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment - } - - if (-not $testResult) - { - $testResult = $false - break - } - - } + $testResult = Compare-M365DSCIntunePolicyAssignment ` + -Source $CurrentValues.Assignments ` + -Target $ValuesToCheck.Assignments } + if (-not $testResult) { return $false 
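Review bot: The new `Compare-M365DSCIntunePolicyAssignment` call passes the tenant's current assignments as `-Source` and the desired ones as `-Target`, the reverse of the loop it replaces, where `$ValuesToCheck.Assignments` fed `-Source` and the current `$assignment` was `-Target`. It is also the reverse of the other Test-TargetResource hunks in this patch, where `-Target` is `$CurrentValues.$key`. The helper's body is not in this hunk, so if it is not symmetric, assignment drift could be evaluated differently for this resource than for the others; consider `-Source $ValuesToCheck.Assignments` with `-Target $CurrentValues.Assignments`. The enclosing `if ($CurrentValues.Assignments)` guard is unchanged context, so a policy that currently has no assignments still skips this comparison, and whether a later check catches that case cannot be seen here. Test-TargetResource starts and ends outside the hunk.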
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 index 85c8e374ec..452bdee059 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyMacOS/MSFT_IntuneDeviceConfigurationPolicyMacOS.psm1 @@ -1213,8 +1213,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 index 39853a0d10..59e96357e8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyWindows10/MSFT_IntuneDeviceConfigurationPolicyWindows10.psm1 
@@ -4644,40 +4644,14 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if( $key -eq "Assignments") + if (-Not $testResult) { - $testResult = $source.count -eq $target.count - if (-Not $testResult) { break } - foreach ($assignment in $source) - { - if ($assignment.dataType -like '*GroupAssignmentTarget') - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId}) - #Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key - if (-not $testResult) - { - $groupNotFound = $null -eq (Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue) - } - if (-not $testResult -and $groupNotFound) - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName}) - } - } - else - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType}) - } - if (-Not $testResult) { break } - } - if (-Not $testResult) { break } + break } - if (-Not $testResult) { break } $ValuesToCheck.Remove($key) | Out-Null } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/MSFT_IntuneDeviceConfigurationPolicyiOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/MSFT_IntuneDeviceConfigurationPolicyiOS.psm1 index 5984ce817c..fd4f3b0a6f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/MSFT_IntuneDeviceConfigurationPolicyiOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPolicyiOS/MSFT_IntuneDeviceConfigurationPolicyiOS.psm1 
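Review bot: With the `Assignments` branch removed, assignment drift for this resource is decided only by `Compare-M365DSCComplexObject`, and nothing in the hunk shows whether that helper still matches a group by `groupDisplayName` when the `groupId` is not found in the directory, as the removed code did. A short comment above the call would record the intent, for example `# Assignments are compared by Compare-M365DSCComplexObject (groupId first, groupDisplayName fallback)`, if that is indeed what the helper does. A unit test with a desired assignment whose `groupId` does not resolve would pin the behaviour. The same branch is removed from MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined later in this patch, so the question applies there too. The enclosing loop and Test-TargetResource continue outside the hunk.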
@@ -2958,8 +2958,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) -verbose diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 index 8ca0e2b141..4aa737ee63 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationSCEPCertificatePolicyWindows10.psm1 @@ -776,8 +776,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.psm1 index f100165917..a56154cf6d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10/MSFT_IntuneDeviceConfigurationSecureAssessmentPolicyWindows10.psm1 @@ -488,8 +488,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.psm1 index 221414ae76..a885a6e2ab 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10/MSFT_IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10.psm1 @@ -711,8 +711,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.psm1 index d2ebdb3160..6e2471d614 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10/MSFT_IntuneDeviceConfigurationTrustedCertificatePolicyWindows10.psm1 @@ -423,8 +423,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10.psm1 index 1f401a4693..0f63f932cf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10/MSFT_IntuneDeviceConfigurationVpnPolicyWindows10.psm1 @@ -951,8 +951,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10.psm1 index bc1307e957..34c3369232 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10/MSFT_IntuneDeviceConfigurationWindowsTeamPolicyWindows10.psm1 @@ -674,8 +674,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 index d1db4d3fc7..156c641231 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 @@ -589,8 +589,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*' -and $key -ne 'WindowsMobileRestriction') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index dff34c84e4..89e4be5f1a 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 @@ -624,8 +624,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 index 9f57d74e78..ca13266778 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 @@ -584,8 +584,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 index 072a820729..95739178cf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1 
@@ -308,11 +308,6 @@ function Set-TargetResource throw 'SelectedRecoveryKeyTypes and PersonalRecoveryKeyHelpMessage must be specified when Enabled is $true' } - if (-not $AllowDeferralUntilSignOut) - { - throw 'AllowDeferralUntilSignOut must be $true' - } - $currentInstance = Get-TargetResource @PSBoundParameters $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters @@ -321,6 +316,12 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { Write-Verbose -Message "Creating an Intune Disk Encryption for macOS with DisplayName {$DisplayName}" + + if (-not $AllowDeferralUntilSignOut) + { + throw 'AllowDeferralUntilSignOut must be $true' + } + $BoundParameters.Remove('Assignments') | Out-Null $BoundParameters.Remove('Id') | Out-Null $BoundParameters.Remove('DisplayName') | Out-Null @@ -354,6 +355,12 @@ function Set-TargetResource elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { Write-Verbose -Message "Updating the Intune Disk Encryption for macOS with Id {$($currentInstance.Id)}" + + if (-not $AllowDeferralUntilSignOut) + { + throw 'AllowDeferralUntilSignOut must be $true' + } + $BoundParameters.Remove("Assignments") | Out-Null $BoundParameters.Remove('Id') | Out-Null $BoundParameters.Remove('DisplayName') | Out-Null @@ -554,8 +561,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 index 15e12dd4f0..12cfb3aaa2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 
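Review bot: The `AllowDeferralUntilSignOut` guard is now copied verbatim into both the create and the update branch of Set-TargetResource, so the two copies can drift apart. A single check ahead of the branches keeps the rule in one place and still lets `Ensure = 'Absent'` through: `if ($Ensure -eq 'Present' -and -not $AllowDeferralUntilSignOut) { throw 'AllowDeferralUntilSignOut must be $true' }`. In both branches the throw also comes after the `Write-Verbose` "Creating…"/"Updating…" message, so a verbose log records an operation that is then rejected; checking first avoids that misleading entry. Set-TargetResource starts and ends outside these hunks.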
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntunePolicySets/MSFT_IntunePolicySets.psm1 @@ -466,8 +466,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 index 72f55b6c01..162682d973 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1 @@ -478,7 +478,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 index 30fecacf02..77eae9b2a8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined.psm1 @@ -568,8 +568,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 index b3f0db8444..887a954850 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined/MSFT_IntuneWindowsAutopilotDeploymentProfileAzureADJoined.psm1 
@@ -567,39 +567,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if( $key -eq "Assignments") - { - $testResult = $source.count -eq $target.count - if (-Not $testResult) { break } - foreach ($assignment in $source) - { - if ($assignment.dataType -like '*GroupAssignmentTarget') - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId}) - #Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key - if (-not $testResult) - { - $groupNotFound = $null -eq (Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue) - } - if (-not $testResult -and $groupNotFound) - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName}) - } - } - else - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType}) - } - if (-Not $testResult) { break } - } - if (-Not $testResult) { break } - } if (-Not $testResult) { break } $ValuesToCheck.Remove($key) | Out-Null diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 index 2a4c8a1349..19eb40d2d3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 
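Review bot: The removed `if( $key -eq "Assignments")` block matched group targets on `groupId` and fell back to `groupDisplayName` only when `Get-MgGroup` could not resolve the id; after this hunk the `Assignments` value goes through `Compare-M365DSCComplexObject` alone, and nothing visible shows that path keeping the fallback. In the `Compare-M365DSCComplexObject` hunks of this same patch the hand-off to `Compare-M365DSCIntunePolicyAssignment` is decided on `$Source.$key`, so an array passed directly as `-Source` appears to be compared item by item with the generic logic. Assignments decide which groups a policy applies to, so a looser comparison would hide assignment drift and a stricter one would report drift on every run. If the helper accepts CimInstance input (the `@($Source.$key)` call in this patch suggests it does), keeping `if ($key -eq 'Assignments') { $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target }` would preserve the intent. The same removal is made in the `@@ -999,39 +999,10 @@` hunk of MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10, and in both files Test-TargetResource starts and ends outside the hunk.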
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled/MSFT_IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled.psm1 @@ -856,8 +856,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 index 3600ab491f..4e19d5bcae 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 @@ -419,8 +419,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.psm1 index 9dd8e35d04..03ca64b90a 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10.psm1 @@ -421,8 +421,6 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 index 07509d3684..f49064ae6d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10.psm1 
@@ -999,39 +999,10 @@ function Test-TargetResource $target = $CurrentValues.$key if ($source.getType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) - if( $key -eq "Assignments") - { - $testResult = $source.count -eq $target.count - if (-Not $testResult) { break } - foreach ($assignment in $source) - { - if ($assignment.dataType -like '*GroupAssignmentTarget') - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupId -eq $assignment.groupId}) - #Using assignment groupDisplayName only if the groupId is not found in the directory otherwise groupId should be the key - if (-not $testResult) - { - $groupNotFound = $null -eq (Get-MgGroup -GroupId ($assignment.groupId) -ErrorAction SilentlyContinue) - } - if (-not $testResult -and $groupNotFound) - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType -and $_.groupDisplayName -eq $assignment.groupDisplayName}) - } - } - else - { - $testResult = $null -ne ($target | Where-Object {$_.dataType -eq $assignment.DataType}) - } - if (-Not $testResult) { break } - } - if (-Not $testResult) { break } - } if (-Not $testResult) { break } $ValuesToCheck.Remove($key) | Out-Null diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 647b6e5b44..bd732609d8 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 
@@ -598,25 +598,24 @@ function Compare-M365DSCComplexObject return $false } - if ($Source.getType().FullName -like '*CimInstance[[\]]' -or $Source.getType().FullName -like '*Hashtable[[\]]') + if ($Source.GetType().FullName -like '*CimInstance[[\]]' -or $Source.GetType().FullName -like '*Hashtable[[\]]') { - if ($source.count -ne $target.count) + if ($source.Count -ne $target.Count) { - Write-Verbose -Message "Configuration drift - The complex array have different number of items: Source {$($source.count)} Target {$($target.count)}" + Write-Verbose -Message "Configuration drift - The complex array have different number of items: Source {$($source.Count)} Target {$($target.Count)}" return $false } - if ($source.count -eq 0) + if ($source.Count -eq 0) { return $true } foreach ($item in $Source) { - $hashSource = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $item foreach ($targetItem in $Target) { $compareResult = Compare-M365DSCComplexObject ` - -Source $hashSource ` + -Source $item ` -Target $targetItem if ($compareResult) @@ -634,7 +633,15 @@ function Compare-M365DSCComplexObject return $true } - $keys = $Source.Keys | Where-Object -FilterScript { $_ -ne 'PSComputerName' } + if ($Source.GetType().FullName -like "*CimInstance") + { + $keys = $Source.CimInstanceProperties.Name | Where-Object -FilterScript { $_ -notin @('PSComputerName', 'CimClass', 'CmiInstanceProperties', 'CimSystemProperties') } + } + else + { + $keys = $Source.Keys | Where-Object -FilterScript { $_ -ne 'PSComputerName' } + } + foreach ($key in $keys) { #Matching possible key names between Source and Target 
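Review bot: In the new CimInstance branch the exclusion list spells one entry `'CmiInstanceProperties'`, so that entry can never match the name it is evidently meant to exclude; it should read `'CimInstanceProperties'`. The corrected list would be `@('PSComputerName', 'CimClass', 'CimInstanceProperties', 'CimSystemProperties')`. Whether any of these names can occur in `$Source.CimInstanceProperties.Name` at all is not visible from this hunk, so a one-line comment such as `# drop CIM bookkeeping members so only declared DSC properties are compared` would tell the next reader why the filter exists. Compare-M365DSCComplexObject starts and ends outside the hunk.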
@@ -664,12 +671,21 @@ function Compare-M365DSCComplexObject #Both keys aren't null or empty if (($null -ne $Source.$key) -and ($null -ne $Target.$tkey)) { - if ($Source.$key.getType().FullName -like '*CimInstance*' -or $Source.$key.getType().FullName -like '*hashtable*') + if ($Source.$key.GetType().FullName -like '*CimInstance*' -or $Source.$key.GetType().FullName -like '*hashtable*') { - #Recursive call for complex object - $compareResult = Compare-M365DSCComplexObject ` - -Source (Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Source.$key) ` - -Target $Target.$tkey + if ($Source.$key.GetType().FullName -like '*CimInstance' -and $Source.$key.CimClass.CimClassName -eq 'MSFT_DeviceManagementConfigurationPolicyAssignments') + { + $compareResult = Compare-M365DSCIntunePolicyAssignment ` + -Source @($Source.$key) ` + -Target @($Target.$tkey) + } + else + { + #Recursive call for complex object + $compareResult = Compare-M365DSCComplexObject ` + -Source $Source.$key ` + -Target $Target.$tkey + } if (-not $compareResult) { @@ -684,7 +700,7 @@ function Compare-M365DSCComplexObject $differenceObject = $Source.$key #Identifying date from the current values - $targetType = ($Target.$tkey.getType()).Name + $targetType = ($Target.$tkey.GetType()).Name if ($targetType -like '*Date*') { $compareResult = $true diff --git a/ResourceGenerator/Module.Template.psm1 b/ResourceGenerator/Module.Template.psm1 index e54b40f83a..132197bba8 100644 --- a/ResourceGenerator/Module.Template.psm1 +++ b/ResourceGenerator/Module.Template.psm1 
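Review bot: The new assignment branch tests `$Source.$key.GetType().FullName -like '*CimInstance'` with no trailing wildcard, so a value typed `CimInstance[]` does not match, although the call then wraps both sides in `@(...)` as if several assignments were expected. If the assignments property is declared as an array, it would fall through to the generic recursive call and `Compare-M365DSCIntunePolicyAssignment` would never run, which weakens drift detection on policy targeting. Testing the element class instead would cover both shapes, for example `if ($Source.$key.GetType().FullName -like '*CimInstance*' -and @($Source.$key)[0].CimClass.CimClassName -eq 'MSFT_DeviceManagementConfigurationPolicyAssignments')`. Patch 10/26 further down widens the class-name match to `'MSFT_Intune*Assignments'` but keeps the same type test, and the ResourceGenerator/Module.Template.psm1 hunk removes the explicit `Assignments` dispatch in favour of this branch, so both depend on it being reachable. Compare-M365DSCComplexObject starts and ends outside the hunk.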
@@ -262,20 +262,9 @@ function Test-TargetResource $target = $CurrentValues.$key if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - - if ($key -eq "Assignments") - { - $testResult = Compare-M365DSCIntunePolicyAssignment ` - -Source $source ` - -Target $target - } - else - { - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) - } + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) if (-not $testResult) { From b535b5a5136f45922402797be8819885ed49df49 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Sun, 16 Jun 2024 19:57:57 +0200 Subject: [PATCH 10/26] Add secondary Intune assignment type comparison check --- Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index bd732609d8..d9c537343d 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -673,7 +673,9 @@ function Compare-M365DSCComplexObject { if ($Source.$key.GetType().FullName -like '*CimInstance*' -or $Source.$key.GetType().FullName -like '*hashtable*') { - if ($Source.$key.GetType().FullName -like '*CimInstance' -and $Source.$key.CimClass.CimClassName -eq 'MSFT_DeviceManagementConfigurationPolicyAssignments') + if ($Source.$key.GetType().FullName -like '*CimInstance' -and ( + $Source.$key.CimClass.CimClassName -eq 'MSFT_DeviceManagementConfigurationPolicyAssignments' -or + $Source.$key.CimClass.CimClassName -like 'MSFT_Intune*Assignments')) { $compareResult = Compare-M365DSCIntunePolicyAssignment ` -Source @($Source.$key) ` From 1a2176b250f01f03dfdff154144e6ea4b32812ae Mon Sep 17 00:00:00 2001 
From: Nik Charlebois Date: Thu, 20 Jun 2024 13:42:50 -0400 Subject: [PATCH 11/26] Delete docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md --- .../azure-ad/AADGroupOwnerConsentSettings.md | 114 ------------------ 1 file changed, 114 deletions(-) delete mode 100644 docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md diff --git a/docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md b/docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md deleted file mode 100644 index 8c87bd96a1..0000000000 --- a/docs/docs/resources/azure-ad/AADGroupOwnerConsentSettings.md +++ /dev/null 
@@ -1,114 +0,0 @@ -# AADGroupOwnerConsentSettings - -## Parameters - -| Parameter | Attribute | DataType | Description | Allowed Values | -| --- | --- | --- | --- | --- | -| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | -| **EnableGroupSpecificConsent** | Write | Boolean | Flag indicating if groups owners are allowed to grant group specific permissions. | | -| **BlockUserConsentForRiskyApps** | Write | Boolean | Flag indicating if user consent will be blocked when a risky request is detected. Administrators will still be able to consent to apps considered risky. | | -| **EnableAdminConsentRequests** | Write | Boolean | Flag indicating if users will be able to request admin consent when they are unable to grant consent to an app themselves. | | -| **ConstrainGroupSpecificConsentToMembersOfGroupName** | Write | String | If EnableGroupSpecificConsent is set to “True” and this is set to a security group name, members (both direct and transitive) of the group identified will be authorized to grant group-specific permissions to the groups they own. | | -| **Ensure** | Write | String | Specify if the Azure AD Group Consent Settings should exist or not. | `Present`, `Absent` | -| **Credential** | Write | PSCredential | Credentials of the Admin | | -| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | -| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | -| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | -| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | -| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. 
| | - - -# AADGroupOwnerConsentPolicySettings - -## Description - -Azure AD Group Owner Consent Settings - -## Permissions - -### Microsoft Graph - -To authenticate with the Microsoft Graph API, this resource required the following permissions: - -#### Delegated permissions - -- **Read** - - - Directory.Read.All, Group.Read.All - -- **Update** - - - Directory.ReadWrite.All, Policy.ReadWrite.Authorization - -#### Application permissions - -- **Read** - - - Directory.Read.All, Group.Read.All - -- **Update** - - - Directory.ReadWrite.All, Policy.ReadWrite.Authorization - -## Examples - -### Example 1 - -This example is used to test new resources and showcase the usage of new resources being worked on. -It is not meant to use as a production baseline. - -```powershell -Configuration Example -{ - param( - [Parameter(Mandatory = $true)] - [PSCredential] - $Credscredential - ) - Import-DscResource -ModuleName Microsoft365DSC - - node localhost - { - AADGroupOwnerConsentSettings 'Example' - { - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $false - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - #ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 - Ensure = 'Present' - Credential = $Credscredential - } - } -} -``` - -### Example 2 - -This example is used to test new resources and showcase the usage of new resources being worked on. -It is not meant to use as a production baseline. 
- -```powershell -Configuration Example -{ - param( - [Parameter(Mandatory = $true)] - [PSCredential] - $Credscredential - ) - Import-DscResource -ModuleName Microsoft365DSC - - node localhost - { - AADGroupOwnerConsentSettings 'Example' - { - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $true # prerequisite for specifying a constraining group - ConstrainGroupSpecificConsentToMembersOfGroupName = 'Group-Vetted-GroupOwners' - Ensure = 'Present' - Credential = $Credscredential - } - } -} -``` - From eb3df7e1e36a7bbb89d205a11b525e092f4eaab0 Mon Sep 17 00:00:00 2001 
From: Yorick Kuijs Date: Tue, 25 Jun 2024 10:05:12 +0200 Subject: [PATCH 12/26] Implemented PnP issue workaround --- .../MSFT_ODSettings/MSFT_ODSettings.psm1 | 14 ++++++++++++- .../MSFT_SPOAccessControlSettings.psm1 | 12 +++++++++++ .../DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 | 13 ++++++++++++ .../MSFT_SPOBrowserIdleSignout.psm1 | 13 ++++++++++++ .../MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 | 8 ++++++++ .../MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 | 14 +++++++++---- .../MSFT_SPOOrgAssetsLibrary.psm1 | 9 +++++++++ .../MSFT_SPOPropertyBag.psm1 | 13 +++++++++++- .../MSFT_SPOSearchManagedProperty.psm1 | 13 ++++++++++++ .../MSFT_SPOSearchResultSource.psm1 | 13 ++++++++++++ .../MSFT_SPOSharingSettings.psm1 | 13 ++++++++++++ .../MSFT_SPOSite/MSFT_SPOSite.psm1 | 15 ++++++++++++++ .../MSFT_SPOSiteAuditSettings.psm1 | 13 ++++++++++++ .../MSFT_SPOSiteDesign.psm1 | 13 ++++++++++++ .../MSFT_SPOSiteDesignRights.psm1 | 16 ++++++++++++++- .../MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 | 20 +++++++++++++++++-- .../MSFT_SPOSiteScript.psm1 | 15 ++++++++++++++ .../MSFT_SPOStorageEntity.psm1 | 19 ++++++++++++++++-- .../MSFT_SPOTenantCdnEnabled.psm1 | 9 +++++++++ .../MSFT_SPOTenantCdnPolicy.psm1 | 9 +++++++++ .../MSFT_SPOTenantSettings.psm1 | 14 +++++++++---- .../MSFT_SPOTheme/MSFT_SPOTheme.psm1 | 19 ++++++++++++++++-- .../MSFT_SPOUserProfileProperty.psm1 | 20 ++++++++++++++++--- 23 files changed, 297 insertions(+), 20 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 index 139de8c59b..912fac0c75 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 
@@ -103,6 +103,11 @@ function Get-TargetResource ) Write-Verbose -Message 'Getting configuration of OneDrive Settings' + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -333,6 +338,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -445,7 +454,6 @@ function Set-TargetResource Write-Verbose -Message ($Options | Out-String) Set-PnPTenantSyncClientRestriction @Options - } function Test-TargetResource @@ -634,6 +642,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 index ea35a596ee..e07dd525f9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 
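Review bot: The added `New-M365DSCConnection -Workload 'MicrosoftGraph'` call makes this resource sign in to Microsoft Graph before PnP, so the credential or app registration running it presumably now needs a working Graph sign-in that a PnP-only resource did not; nothing in the visible hunks updates the permissions the resources declare. The comment still carries the placeholder issue reference `(#xxxx)`, and `$ConnectionModeGraph` is assigned but not read in any hunk shown, so a later reader cannot tell when the workaround may be removed. I would write `# Temp workaround: connect to Graph before PnP; remove once issue <issue-number> is resolved` with the real number, and use `$null = New-M365DSCConnection -Workload 'MicrosoftGraph' -InboundParameters $PSBoundParameters` or one shared helper instead of repeating the block. The same lines are added to Get-, Set- and Export-TargetResource across the other resources in this patch (MSFT_SPOAccessControlSettings, MSFT_SPOApp, MSFT_SPOBrowserIdleSignout, MSFT_SPOHomeSite and the rest), and in MSFT_SPOHubSite two of the additions have no comment at all. The function bodies start and end outside these hunks.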
@@ -94,6 +94,10 @@ function Get-TargetResource Write-Verbose -Message 'Getting configuration of SharePoint Online Access Control Settings' + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -264,6 +268,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -466,6 +474,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 index c11eef7d8d..025b4630ac 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 @@ -63,6 +63,11 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for app $Identity" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
@@ -198,6 +203,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -357,6 +366,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOBrowserIdleSignout/MSFT_SPOBrowserIdleSignout.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOBrowserIdleSignout/MSFT_SPOBrowserIdleSignout.psm1 index 524530bcfb..9f350aaa02 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOBrowserIdleSignout/MSFT_SPOBrowserIdleSignout.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOBrowserIdleSignout/MSFT_SPOBrowserIdleSignout.psm1 @@ -61,6 +61,11 @@ function Get-TargetResource ) Write-Verbose -Message 'Getting configuration for SPO Browser Idle Signout settings' + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
@@ -192,6 +197,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -349,6 +358,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 index 4e04ecc4ad..ed5444e7fa 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 @@ -56,6 +56,10 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for hub site collection $Url" + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -183,6 +187,10 @@ function Set-TargetResource #endregion Write-Verbose -Message "Setting configuration for home site '$Url'" + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 index c9a532062f..ee077dc200 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 @@ -75,6 +75,10 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for hub site collection $Url" + + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -111,8 +115,6 @@ function Get-TargetResource else { $hubSite = Get-PnPHubSite -Identity $Url - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters $principals = @() foreach ($permission in $hubSite.Permissions.PrincipalName) { @@ -269,10 +271,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters try @@ -612,6 +614,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOOrgAssetsLibrary/MSFT_SPOOrgAssetsLibrary.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOOrgAssetsLibrary/MSFT_SPOOrgAssetsLibrary.psm1 index 94ec165cc3..45534c87f8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOOrgAssetsLibrary/MSFT_SPOOrgAssetsLibrary.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOOrgAssetsLibrary/MSFT_SPOOrgAssetsLibrary.psm1 @@ -60,6 +60,11 @@ function Get-TargetResource ) Write-Verbose -Message 'Getting configuration of SPO Org Assets Library' + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -452,6 +457,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 index 8b8351eee0..bdc5755f18 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 
@@ -59,7 +59,10 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration of SPOPropertyBag for $Key" - Write-Verbose -Message 'Connecting to PnP from the Get method' + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters ` @@ -229,6 +232,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters ` -Url $Url @@ -382,6 +389,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchManagedProperty/MSFT_SPOSearchManagedProperty.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchManagedProperty/MSFT_SPOSearchManagedProperty.psm1 index b0d6ba4470..328c817570 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchManagedProperty/MSFT_SPOSearchManagedProperty.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchManagedProperty/MSFT_SPOSearchManagedProperty.psm1 
@@ -126,6 +126,11 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for Managed Property instance $Name" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -381,6 +386,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -911,6 +920,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchResultSource/MSFT_SPOSearchResultSource.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchResultSource/MSFT_SPOSearchResultSource.psm1 index d8c204e313..58db760bdf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchResultSource/MSFT_SPOSearchResultSource.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchResultSource/MSFT_SPOSearchResultSource.psm1 
@@ -114,6 +114,11 @@ function Get-TargetResource ) Write-Verbose -Message "Setting configuration for Result Source instance $Name" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -296,6 +301,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -597,6 +606,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 index f8b5887c2d..f55c955988 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 
@@ -151,6 +151,11 @@ function Get-TargetResource ) Write-Verbose -Message 'Getting configuration for SPO Sharing settings' + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -421,6 +426,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -831,6 +840,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 index 8d18964b3d..0b5f00327b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 
@@ -156,6 +156,13 @@ function Get-TargetResource [System.String[]] $AccessTokens ) + + Write-Verbose -Message "Getting configuration for site collection $Url" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -450,6 +457,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -902,6 +913,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteAuditSettings/MSFT_SPOSiteAuditSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteAuditSettings/MSFT_SPOSiteAuditSettings.psm1 index 910ca12ba6..594fef8bce 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteAuditSettings/MSFT_SPOSiteAuditSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteAuditSettings/MSFT_SPOSiteAuditSettings.psm1 
@@ -50,6 +50,11 @@ function Get-TargetResource ) Write-Verbose -Message "Getting SPOSiteAuditSettings for {$Url}" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters ` -Url $Url -ErrorAction SilentlyContinue @@ -174,6 +179,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters ` -Url $Url @@ -311,6 +320,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 index 373dfbe9f6..9d0310816d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 
@@ -80,6 +80,11 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for SPO SiteDesign for $Title" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -261,6 +266,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -469,6 +478,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesignRights/MSFT_SPOSiteDesignRights.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesignRights/MSFT_SPOSiteDesignRights.psm1 index fe9b9e9d04..7fe117356b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesignRights/MSFT_SPOSiteDesignRights.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesignRights/MSFT_SPOSiteDesignRights.psm1 
@@ -60,6 +60,11 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for SPO SiteDesignRights for $SiteDesignTitle" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -207,7 +212,12 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters $cursiteDesign = Get-PnPSiteDesign -Identity $SiteDesignTitle if ($null -eq $cursiteDesign) @@ -402,6 +412,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 index af4f4942fd..84dbf7adf7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 
@@ -62,6 +62,11 @@ function Get-TargetResource ) Write-Verbose -Message "Getting SPOSiteGroups for {$Url}" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -239,7 +244,13 @@ function Set-TargetResource -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters ` + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters ` -ErrorAction SilentlyContinue $currentValues = Get-TargetResource @PSBoundParameters @@ -479,7 +490,12 @@ function Export-TargetResource try { - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters ` + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters ` -ErrorAction SilentlyContinue #Ensure the proper dependencies are installed in the current environment. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 index 87686aff73..7e7b4e2bcd 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 
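Review bot: The rewritten PnP connection in Set-TargetResource keeps `-ErrorAction SilentlyContinue`, so a non-terminating connection error is suppressed and the next line, `$currentValues = Get-TargetResource @PSBoundParameters`, runs without a confirmed session, while the Graph connection added just above has no such suppression. A connection failure in a Set path is better surfaced than hidden; consider `-ErrorAction Stop` on the PnP call, or check `$ConnectionMode` before continuing. The Export-TargetResource hunk of the same file carries the same suppression, and the Get-TargetResource hunk of MSFT_SPOSiteAuditSettings shows it as context. Both function bodies continue outside the hunks.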
@@ -61,6 +61,13 @@ function Get-TargetResource [System.String[]] $AccessTokens ) + + Write-Verbose -Message "Getting Site Script: $Title" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -214,6 +221,10 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -459,6 +470,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 index ef17a4c155..bfa960a507 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 
@@ -72,7 +72,13 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for SPO Storage Entity for $Key" - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters ` + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters ` -Url $SiteUrl #Ensure the proper dependencies are installed in the current environment. @@ -229,7 +235,12 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters ` + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters ` -Url $SiteUrl $curStorageEntry = Get-TargetResource @PSBoundParameters @@ -424,6 +435,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnEnabled/MSFT_SPOTenantCdnEnabled.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnEnabled/MSFT_SPOTenantCdnEnabled.psm1 index 0bb148e40f..b4191d595f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnEnabled/MSFT_SPOTenantCdnEnabled.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnEnabled/MSFT_SPOTenantCdnEnabled.psm1 @@ -58,6 +58,11 @@ function Get-TargetResource try { Write-Verbose -Message 'Getting configuration of SPO Cdn enabled' + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -333,6 +338,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 index d79b564659..298a9da75d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 @@ -55,6 +55,11 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for SPOTenantCdnPolicy {$CDNType}" + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters 
@@ -348,6 +353,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 index b4e4dda3a6..21414fb375 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 @@ -149,8 +149,12 @@ function Get-TargetResource ) Write-Verbose -Message 'Getting configuration for SPO Tenant' - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters + + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies @@ -395,7 +399,8 @@ function Set-TargetResource if (-not [string]::IsNullOrEmpty($TenantDefaultTimezone)) { - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' -InboundParameters $PSBoundParameters + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters } $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters 
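Review bot: In Set-TargetResource of MSFT_SPOTenantSettings the Graph connection stays inside `if (-not [string]::IsNullOrEmpty($TenantDefaultTimezone))`, so when no timezone is passed the PnP connection on the following line is made without Graph being connected first. If the ordering is what the workaround in the other SPO resources relies on, this path is not covered; either move the Graph call out of the condition or add a comment stating why the ordering does not matter here. The PnP line is unchanged context and the function body continues outside the hunk.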
@@ -672,8 +677,9 @@ function Export-TargetResource try { - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 index 146582b783..e34786e03d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 @@ -59,7 +59,13 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for SPO Theme $Name" - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters + + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies @@ -188,7 +194,12 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters $CurrentPalette = Get-TargetResource @PSBoundParameters if ($Ensure -eq 'Present') 
@@ -379,6 +390,10 @@ function Export-TargetResource try { + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOUserProfileProperty/MSFT_SPOUserProfileProperty.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOUserProfileProperty/MSFT_SPOUserProfileProperty.psm1 index 4a4caa9fbd..57958cadec 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOUserProfileProperty/MSFT_SPOUserProfileProperty.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOUserProfileProperty/MSFT_SPOUserProfileProperty.psm1 @@ -47,7 +47,12 @@ function Get-TargetResource Write-Verbose -Message "Getting SPO Profile Properties for user {$UserName}" - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies 
@@ -171,7 +176,12 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' -InboundParameters $PSBoundParameters + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` + -InboundParameters $PSBoundParameters $currentProperties = Get-TargetResource @PSBoundParameters @@ -306,7 +316,11 @@ function Export-TargetResource try { - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) + $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. From 1eb882ba61ddcbfd04cc0faf2f389209a0cafc33 Mon Sep 17 00:00:00 2001 
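Review bot: In Export-TargetResource the only existing connection, `$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph'`, is renamed to `$ConnectionModeGraph` and `$ConnectionMode` now holds the result of a new PnP connection, which is a behaviour change rather than just connecting to Graph first. Export now needs a working PnP session where it previously needed Graph only, and any later code that reads `$ConnectionMode` gets the PnP result. If the workaround is later removed by deleting the added Graph lines, Export would be left with PnP alone, so the comment should record that the original connection here was Graph, for example `# Original Export connection was MicrosoftGraph; restore it when removing the workaround`. The body of Export-TargetResource continues outside the hunk.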
From: Yorick Kuijs Date: Tue, 25 Jun 2024 13:01:19 +0200 Subject: [PATCH 13/26] Reverted workaround, implemented in MSCloudLoginAssistant --- CHANGELOG.md | 5 +++++ .../MSFT_ODSettings/MSFT_ODSettings.psm1 | 12 ------------ .../MSFT_SPOAccessControlSettings.psm1 | 12 ------------ .../DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 | 12 ------------ .../MSFT_SPOBrowserIdleSignout.psm1 | 12 ------------ .../MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 | 8 -------- .../MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 | 4 ---- .../MSFT_SPOOrgAssetsLibrary.psm1 | 8 -------- .../MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 | 12 ------------ .../MSFT_SPOSearchManagedProperty.psm1 | 12 ------------ .../MSFT_SPOSearchResultSource.psm1 | 12 ------------ .../MSFT_SPOSharingSettings.psm1 | 12 ------------ .../DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 | 12 ------------ .../MSFT_SPOSiteAuditSettings.psm1 | 12 ------------ .../MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 | 12 ------------ .../MSFT_SPOSiteDesignRights.psm1 | 12 ------------ .../MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 | 12 ------------ .../MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 | 12 ------------ .../MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 | 12 ------------ .../MSFT_SPOTenantCdnEnabled.psm1 | 8 -------- .../MSFT_SPOTenantCdnPolicy.psm1 | 8 -------- .../DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 | 12 ------------ .../MSFT_SPOUserProfileProperty.psm1 | 12 ------------ 23 files changed, 5 insertions(+), 240 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d6508fa1e7..b7740a7eea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# Unreleased + +* OD and SPO resources + * Implemented PnP/Graph conflict issue workaround (Issue 4746) + # 1.24.619.1 * SCDLPComplianceRule diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 index 912fac0c75..08d53e6512 100644 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_ODSettings/MSFT_ODSettings.psm1 @@ -104,10 +104,6 @@ function Get-TargetResource Write-Verbose -Message 'Getting configuration of OneDrive Settings' - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -338,10 +334,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -642,10 +634,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 index e07dd525f9..ea35a596ee 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOAccessControlSettings/MSFT_SPOAccessControlSettings.psm1 
@@ -94,10 +94,6 @@ function Get-TargetResource Write-Verbose -Message 'Getting configuration of SharePoint Online Access Control Settings' - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -268,10 +264,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -474,10 +466,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 index 025b4630ac..b4b2cf069e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOApp/MSFT_SPOApp.psm1 @@ -64,10 +64,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for app $Identity" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
@@ -203,10 +199,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -366,10 +358,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOBrowserIdleSignout/MSFT_SPOBrowserIdleSignout.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOBrowserIdleSignout/MSFT_SPOBrowserIdleSignout.psm1 index 9f350aaa02..ac82c4feae 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOBrowserIdleSignout/MSFT_SPOBrowserIdleSignout.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOBrowserIdleSignout/MSFT_SPOBrowserIdleSignout.psm1 @@ -62,10 +62,6 @@ function Get-TargetResource Write-Verbose -Message 'Getting configuration for SPO Browser Idle Signout settings' - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
@@ -197,10 +193,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -358,10 +350,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 index ed5444e7fa..4e04ecc4ad 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHomeSite/MSFT_SPOHomeSite.psm1 @@ -56,10 +56,6 @@ function Get-TargetResource ) Write-Verbose -Message "Getting configuration for hub site collection $Url" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -187,10 +183,6 @@ function Set-TargetResource #endregion Write-Verbose -Message "Setting configuration for home site '$Url'" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 index ee077dc200..2a705aedbf 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOHubSite/MSFT_SPOHubSite.psm1 @@ -614,10 +614,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOOrgAssetsLibrary/MSFT_SPOOrgAssetsLibrary.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOOrgAssetsLibrary/MSFT_SPOOrgAssetsLibrary.psm1 index 45534c87f8..62cd260221 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOOrgAssetsLibrary/MSFT_SPOOrgAssetsLibrary.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOOrgAssetsLibrary/MSFT_SPOOrgAssetsLibrary.psm1 @@ -61,10 +61,6 @@ function Get-TargetResource Write-Verbose -Message 'Getting configuration of SPO Org Assets Library' - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -457,10 +453,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 index bdc5755f18..a96e8024a9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOPropertyBag/MSFT_SPOPropertyBag.psm1 @@ -60,10 +60,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration of SPOPropertyBag for $Key" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters ` -Url $Url @@ -232,10 +228,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters ` -Url $Url @@ -389,10 +381,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchManagedProperty/MSFT_SPOSearchManagedProperty.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchManagedProperty/MSFT_SPOSearchManagedProperty.psm1 index 328c817570..8d0ac5298a 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchManagedProperty/MSFT_SPOSearchManagedProperty.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchManagedProperty/MSFT_SPOSearchManagedProperty.psm1 @@ -127,10 +127,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for Managed Property instance $Name" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -386,10 +382,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -920,10 +912,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchResultSource/MSFT_SPOSearchResultSource.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchResultSource/MSFT_SPOSearchResultSource.psm1 index 58db760bdf..cfd3d78ac8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchResultSource/MSFT_SPOSearchResultSource.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSearchResultSource/MSFT_SPOSearchResultSource.psm1 
@@ -115,10 +115,6 @@ function Get-TargetResource Write-Verbose -Message "Setting configuration for Result Source instance $Name" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -301,10 +297,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -606,10 +598,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 index f55c955988..5aaa8340ba 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSharingSettings/MSFT_SPOSharingSettings.psm1 
@@ -152,10 +152,6 @@ function Get-TargetResource Write-Verbose -Message 'Getting configuration for SPO Sharing settings' - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -426,10 +422,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -840,10 +832,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 index 0b5f00327b..9c398a741b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSite/MSFT_SPOSite.psm1 @@ -159,10 +159,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for site collection $Url" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters 
@@ -457,10 +453,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -913,10 +905,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteAuditSettings/MSFT_SPOSiteAuditSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteAuditSettings/MSFT_SPOSiteAuditSettings.psm1 index 594fef8bce..608fdea4df 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteAuditSettings/MSFT_SPOSiteAuditSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteAuditSettings/MSFT_SPOSiteAuditSettings.psm1 @@ -51,10 +51,6 @@ function Get-TargetResource Write-Verbose -Message "Getting SPOSiteAuditSettings for {$Url}" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters ` -Url $Url -ErrorAction SilentlyContinue 
@@ -179,10 +175,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters ` -Url $Url @@ -320,10 +312,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 index 9d0310816d..452cf6e844 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesign/MSFT_SPOSiteDesign.psm1 @@ -81,10 +81,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for SPO SiteDesign for $Title" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -266,10 +262,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters 
@@ -478,10 +470,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesignRights/MSFT_SPOSiteDesignRights.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesignRights/MSFT_SPOSiteDesignRights.psm1 index 7fe117356b..aa9ef5291c 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesignRights/MSFT_SPOSiteDesignRights.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteDesignRights/MSFT_SPOSiteDesignRights.psm1 @@ -61,10 +61,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for SPO SiteDesignRights for $SiteDesignTitle" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -212,10 +208,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters 
@@ -412,10 +404,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 index 84dbf7adf7..f1822fa249 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteGroup/MSFT_SPOSiteGroup.psm1 @@ -63,10 +63,6 @@ function Get-TargetResource Write-Verbose -Message "Getting SPOSiteGroups for {$Url}" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -245,10 +241,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters ` -ErrorAction SilentlyContinue @@ -490,10 +482,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters ` -ErrorAction SilentlyContinue 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 index 7e7b4e2bcd..013255de19 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOSiteScript/MSFT_SPOSiteScript.psm1 @@ -64,10 +64,6 @@ function Get-TargetResource Write-Verbose -Message "Getting Site Script: $Title" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -221,10 +217,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PnP' ` -InboundParameters $PSBoundParameters @@ -470,10 +462,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 index bfa960a507..7d432498df 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOStorageEntity/MSFT_SPOStorageEntity.psm1 
@@ -73,10 +73,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for SPO Storage Entity for $Key" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters ` -Url $SiteUrl @@ -235,10 +231,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters ` -Url $SiteUrl @@ -435,10 +427,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnEnabled/MSFT_SPOTenantCdnEnabled.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnEnabled/MSFT_SPOTenantCdnEnabled.psm1 index b4191d595f..32d83984f1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnEnabled/MSFT_SPOTenantCdnEnabled.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnEnabled/MSFT_SPOTenantCdnEnabled.psm1 
@@ -59,10 +59,6 @@ function Get-TargetResource { Write-Verbose -Message 'Getting configuration of SPO Cdn enabled' - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -338,10 +334,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 index 298a9da75d..76c1a467ff 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 @@ -56,10 +56,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for SPOTenantCdnPolicy {$CDNType}" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters 
@@ -353,10 +349,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 index e34786e03d..5e4066479f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTheme/MSFT_SPOTheme.psm1 @@ -60,10 +60,6 @@ function Get-TargetResource Write-Verbose -Message "Getting configuration for SPO Theme $Name" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -194,10 +190,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -390,10 +382,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOUserProfileProperty/MSFT_SPOUserProfileProperty.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOUserProfileProperty/MSFT_SPOUserProfileProperty.psm1 index 57958cadec..06c347aa47 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOUserProfileProperty/MSFT_SPOUserProfileProperty.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOUserProfileProperty/MSFT_SPOUserProfileProperty.psm1 @@ -47,10 +47,6 @@ function Get-TargetResource Write-Verbose -Message "Getting SPO Profile Properties for user {$UserName}" - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -176,10 +172,6 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters @@ -316,10 +308,6 @@ function Export-TargetResource try { - # Temp workaround for Graph connection issue. Make sure connecting to Graph first (#xxxx) - $ConnectionModeGraph = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - $ConnectionMode = New-M365DSCConnection -Workload 'PNP' ` -InboundParameters $PSBoundParameters From 16fffbaecdcb7619fc45e92159da230953ba0acc Mon Sep 17 00:00:00 2001 From: Yorick Kuijs Date: Tue, 25 Jun 2024 13:09:33 +0200 Subject: [PATCH 14/26] Update CHANGELOG.md --- CHANGELOG.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7740a7eea..eef7a84641 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,9 +2,6 @@ # Unreleased -* OD and SPO resources - * Implemented PnP/Graph conflict issue workaround (Issue 4746) - # 1.24.619.1 * SCDLPComplianceRule From 49b141ed6632cf0abc74b67df7249516ce9995f9 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 25 Jun 2024 08:55:44 -0400 Subject: [PATCH 15/26] Fixes #4782 --- .../DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 | 6 +++--- .../Microsoft365DSC/Modules/M365DSCReverse.psm1 | 2 +- Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 | 14 ++++++++++++-- .../Microsoft365DSC.AADGroup.Tests.ps1 | 1 - 4 files changed, 16 insertions(+), 7 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 index acc0ae91b1..826c629314 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1 @@ -437,7 +437,7 @@ function Set-TargetResource $currentParameters.Remove('Owners') | Out-Null $currentParameters.Remove('Members') | Out-Null $currentParameters.Remove('MemberOf') | Out-Null - #$currentParameters.Remove('AssignedToRole') | Out-Null + $currentParameters.Remove('AssignedToRole') | Out-Null if ($Ensure -eq 'Present' -and ` ($null -ne $GroupTypes -and $GroupTypes.Contains('Unified')) -and ` @@ -533,7 +533,7 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentGroup.Ensure -eq 'Absent') { Write-Verbose -Message "Checking to see if an existing deleted group exists with DisplayName {$DisplayName}" - $restorinExisting = $false + $restoringExisting = $false [Array]$groups = Get-MgBetaDirectoryDeletedItemAsGroup -Filter "DisplayName eq '$DisplayName'" if ($groups.Length -gt 1) { 
@@ -794,7 +794,7 @@ function Set-TargetResource } } - if ($currentGroup.IsAssignableToRole -eq $true -and $currentParameters.ContainsKey('AssignedToRole')) + if ($currentGroup.IsAssignableToRole -eq $true -and $PSBoundParameters.ContainsKey('AssignedToRole')) { #AssignedToRole $currentAssignedToRoleValue = @() diff --git a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 index c074c3d4b8..97ec7abbc0 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCReverse.psm1 @@ -872,7 +872,7 @@ function Start-M365DSCConfigurationExtract try { - $Global:M365DSCExportContentSize = ((Get-Item -Path $outputDSCFile).Length/1KB).ToString().Split('.')[0] + " kb" + $Global:M365DSCExportContentSize = $DSCContent.Length } catch { diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 4877184ed1..cab1686b26 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -514,11 +514,11 @@ function Get-M365DSCTenantNameFromParameterSet [System.Collections.HashTable] $ParameterSet ) - if ($ParameterSet.TenantId) + if ($ParameterSet.ContainsKey('TenantId')) { return $ParameterSet.TenantId } - elseif ($ParameterSet.Credential) + elseif ($ParameterSet.ContainsKey('Credential')) { try { @@ -584,6 +584,9 @@ function Test-M365DSCParameterState $dataEvaluation.Add('Resource', "$Source") $dataEvaluation.Add('Method', 'Test-TargetResource') $dataEvaluation.Add('Tenant', $TenantName) + + $ConnectionMode = Get-M365DSCAuthenticationMode $DesiredValues + $dataEvaluation.Add('ConnectionMode', $ConnectionMode) $ValuesToCheckData = $ValuesToCheck | Where-Object -FilterScript {$_ -ne 'Verbose'} $dataEvaluation.Add('Parameters', $ValuesToCheckData -join "`r`n") $dataEvaluation.Add('ParametersCount', $ValuesToCheckData.Length) 
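Review bot: The `AssignedToRole` condition in Set-TargetResource now tests `$PSBoundParameters`, and nothing at this line explains why it differs from the `$currentParameters` handling earlier in the function. The reason is only visible in the @@ -437 hunk, where `$currentParameters.Remove('AssignedToRole') | Out-Null` was re-enabled, so the old `ContainsKey` test could never be true again. A comment above the condition, such as `# AssignedToRole is stripped from $currentParameters earlier, so test the bound parameters here`, would stop a later cleanup from reverting it. Set-TargetResource starts and ends outside both hunks.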
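Review bot: `$Global:M365DSCExportContentSize` changes type and unit in Start-M365DSCConfigurationExtract without a comment. The old value was a string ending in ` kb` taken from the output file on disk; the new one is the raw `.Length` of `$DSCContent`, presumably a character count of the generated text. Whatever reads this global is outside the hunk and will now receive a bare number, so a comment like `# Size of the generated configuration in characters, no longer KB of the output file` would make the contract explicit. The surrounding `try`/`catch` guarded the `Get-Item` call and is worth re-checking now that the right-hand side is a property read.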
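Review bot: `$ParameterSet.ContainsKey('TenantId')` is also true when the key holds `$null` or an empty string, so a parameter set with an empty `TenantId` next to a usable `Credential` now returns the empty value and never reaches the `elseif` branch. The removed truthiness test covered that case. If the goal was only to avoid reading missing keys, keep both conditions: `if ($ParameterSet.ContainsKey('TenantId') -and -not [System.String]::IsNullOrEmpty($ParameterSet.TenantId))`. The same holds for `Credential`, where a present-but-null value now enters the `try` block, the rest of which is outside the hunk.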
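Review bot: `Get-M365DSCAuthenticationMode $DesiredValues` is bound positionally and runs unguarded in Test-M365DSCParameterState, so a failure in this telemetry-only lookup would surface as a failure of the comparison itself. The declared type of `$DesiredValues` is outside the hunk; if it can be anything other than a hashtable, the call will not bind. I would name the argument, `$ConnectionMode = Get-M365DSCAuthenticationMode -Parameters $DesiredValues` (assuming the parameter is called `Parameters`), and only add the `ConnectionMode` entry when the call returned a value.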
@@ -3439,6 +3442,13 @@ function Get-M365DSCExportContentForResource $Resource = $Script:AllM365DscResources.Where({ $_.Name -eq $ResourceName }) $Keys = $Resource.Properties.Where({ $_.IsMandatory }) | ` Select-Object -ExpandProperty Name + if ($null -eq $keys) + { + Import-Module $Resource.Path -Force + $moduleInfo = Get-Command -Module $ModuleFullName -ErrorAction SilentlyContinue + $cmdInfo = $moduleInfo | Where-Object -FilterScript {$_.Name -eq 'Get-TargetResource'} + $Keys = $cmdInfo.Parameters.Keys + } } else { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 index 720574a2ae..9bf9dfdaac 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroup.Tests.ps1 @@ -531,7 +531,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { GroupTypes = @() MailNickname = 'M365DSC' IsAssignableToRole = $true - Ensure = 'Present' } } Mock -CommandName Get-MgGroupMemberOf -MockWith { From 146f9429500ff1a802791e05853b88f9483e2853 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 25 Jun 2024 14:53:32 -0400 Subject: [PATCH 16/26] Updated MSCloudLoginAssistant --- CHANGELOG.md | 7 ++++++- Modules/Microsoft365DSC/Dependencies/Manifest.psd1 | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eef7a84641..dfd1f38020 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ # Change log for Microsoft365DSC -# Unreleased +# UNRELEASED + +* AADGroup + * FIXES [#4782](https://github.com/microsoft/Microsoft365DSC/issues/4782) +* DEPENDENCIES + * Updated MSCloudLoginAssistant to version 1.18.0. # 1.24.619.1 diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index ee2f616534..b1f218cf87 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 
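Review bot: The fallback added to Get-M365DSCExportContentForResource sets `$Keys = $cmdInfo.Parameters.Keys`, which is every parameter of Get-TargetResource (optional ones, the authentication parameters and the common parameters that `[CmdletBinding()]` adds), whereas the branch above it selects only properties with `IsMandatory`. Filtering on the parameter attribute keeps the two paths equivalent: `$Keys = $cmdInfo.Parameters.Values | Where-Object { $_.Attributes.Mandatory -contains $true } | Select-Object -ExpandProperty Name`. `$ModuleFullName` is not assigned anywhere in the visible lines, and with `-ErrorAction SilentlyContinue` an empty lookup leaves `$cmdInfo` null, so `$Keys` silently stays null; an explicit `$null -eq $cmdInfo` check with a log entry would make that failure visible. The function continues outside the hunk.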
+++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -90,7 +90,7 @@ }, @{ ModuleName = "MSCloudLoginAssistant" - RequiredVersion = "1.1.17" + RequiredVersion = "1.1.18" }, @{ ModuleName = 'PnP.PowerShell' From e59a66ef192021fa208df75478529402042f6f28 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 25 Jun 2024 14:54:53 -0400 Subject: [PATCH 17/26] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dfd1f38020..cffe7c9be1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ * AADGroup * FIXES [#4782](https://github.com/microsoft/Microsoft365DSC/issues/4782) * DEPENDENCIES - * Updated MSCloudLoginAssistant to version 1.18.0. + * Updated MSCloudLoginAssistant to version 1.1.18 # 1.24.619.1 From 80f7803c2ad294e375ad0791c43289c2894013fd Mon Sep 17 00:00:00 2001 
From: Nik Charlebois Date: Tue, 25 Jun 2024 16:19:12 -0400 Subject: [PATCH 18/26] Initial --- ...uneDeviceManagementComplianceSettings.psm1 | 711 ++++++++++++++++++ ...iceManagementComplianceSettings.schema.mof | 14 + .../readme.md | 191 +++++ .../settings.json | 38 + .../MSFT_IntuneDeviceRemediation.schema.mof | 2 +- .../2-Update.ps1 | 40 + ...viceManagementComplianceSettings.Tests.ps1 | 476 ++++++++++++ 7 files changed, 1471 insertions(+), 1 deletion(-) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/settings.json create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementComplianceSettings/2-Update.ps1 create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 new file mode 100644 index 0000000000..feffde0216 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 
@@ -0,0 +1,711 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + [ValidateSet('Yes')] + $IsSingleInstance, + + [Parameter()] + [System.UInt32] + $DeviceComplianceCheckinThresholdDays, + + [Parameter()] + [System.Boolean] + $SecureByDefault, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Checking for the Intune Device Management Compliance Settings" + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + try + { + $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/deviceManagement/settings' + $settings = Invoke-MgGraphRequest -Method 'GET' -Uri $uri + $results = @{ + IsSingleInstance = 'Yes' + DeviceComplianceCheckinThresholdDays = $settings.deviceComplianceCheckinThresholdDays + SecureByDefault = [Boolean]$settings.secureByDefault + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + $nullResult = Clear-M365DSCAuthenticationParameter -BoundParameters $nullResult + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $PasswordRequired, + + [Parameter()] + [System.Boolean] + $PasswordBlockSimple, + + [Parameter()] + [System.Boolean] + $PasswordRequiredToUnlockFromIdle, + + [Parameter()] + [System.Int32] + $PasswordMinutesOfInactivityBeforeLock, + + [Parameter()] + [System.Int32] + $PasswordExpirationDays, + + [Parameter()] + [System.Int32] + $PasswordMinimumLength, + + 
[Parameter()] + [System.Int32] + $PasswordPreviousPasswordBlockCount, + + [Parameter()] + [System.Int32] + $PasswordMinimumCharacterSetCount, + + [Parameter()] + [System.String] + [ValidateSet('DeviceDefault', 'Alphanumeric', 'Numeric')] + $PasswordRequiredType, + + [Parameter()] + [System.Boolean] + $RequireHealthyDeviceReport, + + [Parameter()] + [System.String] + $OsMinimumVersion, + + [Parameter()] + [System.String] + $OsMaximumVersion, + + [Parameter()] + [System.String] + $MobileOsMinimumVersion, + + [Parameter()] + [System.String] + $MobileOsMaximumVersion, + + [Parameter()] + [System.Boolean] + $EarlyLaunchAntiMalwareDriverEnabled, + + [Parameter()] + [System.Boolean] + $BitLockerEnabled, + + [Parameter()] + [System.Boolean] + $SecureBootEnabled, + + [Parameter()] + [System.Boolean] + $CodeIntegrityEnabled, + + [Parameter()] + [System.Boolean] + $StorageRequireEncryption, + + [Parameter()] + [System.Boolean] + $ActiveFirewallRequired, + + [Parameter()] + [System.Boolean] + $DefenderEnabled, + + [Parameter()] + [System.String] + $DefenderVersion, + + [Parameter()] + [System.Boolean] + $SignatureOutOfDate, + + [Parameter()] + [System.Boolean] + $RtpEnabled, + + [Parameter()] + [System.Boolean] + $AntivirusRequired, + + [Parameter()] + [System.Boolean] + $AntiSpywareRequired, + + [Parameter()] + [System.Boolean] + $DeviceThreatProtectionEnabled, + + [Parameter()] + [System.String] + [ValidateSet('Unavailable', 'Secured', 'Low', 'Medium', 'High', 'NotSet')] + $DeviceThreatProtectionRequiredSecurityLevel, + + [Parameter()] + [System.Boolean] + $ConfigurationManagerComplianceRequired, + + [Parameter()] + [System.Boolean] + $TPMRequired, + + [Parameter()] + [System.String] + $DeviceCompliancePolicyScript, + + [Parameter()] + [System.Array] + $ValidOperatingSystemBuildRanges, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + 
[Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + Write-Verbose -Message "Intune Device Compliance Windows 10 Policy {$DisplayName}" + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentDeviceWindows10Policy = Get-TargetResource @PSBoundParameters + + $PSBoundParameters.Remove('Ensure') | Out-Null + $PSBoundParameters.Remove('Credential') | Out-Null + $PSBoundParameters.Remove('ApplicationId') | Out-Null + $PSBoundParameters.Remove('TenantId') | Out-Null + $PSBoundParameters.Remove('ApplicationSecret') | Out-Null + $PSBoundParameters.Remove('AccessTokens') | Out-Null + + $scheduledActionsForRule = @{ + '@odata.type' = '#microsoft.graph.deviceComplianceScheduledActionForRule' + ruleName = 'PasswordRequired' + scheduledActionConfigurations = @( + @{ + '@odata.type' = '#microsoft.graph.deviceComplianceActionItem' + actionType = 'block' + } + ) + } + + if ($Ensure -eq 'Present' -and $currentDeviceWindows10Policy.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating new Intune Device Compliance Windows 10 Policy {$DisplayName}" + $PSBoundParameters.Remove('DisplayName') | Out-Null + 
$PSBoundParameters.Remove('Description') | Out-Null + $PSBoundParameters.Remove('Assignments') | Out-Null + + $AdditionalProperties = Get-M365DSCIntuneDeviceCompliancePolicyWindows10AdditionalProperties -Properties ([System.Collections.Hashtable]$PSBoundParameters) + $policy = New-MgBetaDeviceManagementDeviceCompliancePolicy -DisplayName $DisplayName ` + -Description $Description ` + -AdditionalProperties $AdditionalProperties ` + -ScheduledActionsForRule $scheduledActionsForRule + + if ($Assignments.Count -gt 0) + { + $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceCompliancePolicies' + } + } + elseif ($Ensure -eq 'Present' -and $currentDeviceWindows10Policy.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating Intune Device Compliance Windows 10 Policy {$DisplayName}" + $configDevicePolicy = Get-MgBetaDeviceManagementDeviceCompliancePolicy ` + -ErrorAction Stop | Where-Object ` + -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10CompliancePolicy' -and ` + $_.displayName -eq $($DisplayName) } + + $PSBoundParameters.Remove('DisplayName') | Out-Null + $PSBoundParameters.Remove('Description') | Out-Null + $PSBoundParameters.Remove('Assignments') | Out-Null + + $AdditionalProperties = Get-M365DSCIntuneDeviceCompliancePolicyWindows10AdditionalProperties -Properties ([System.Collections.Hashtable]$PSBoundParameters) + Update-MgBetaDeviceManagementDeviceCompliancePolicy -AdditionalProperties $AdditionalProperties ` + -Description $Description ` + -DeviceCompliancePolicyId $configDevicePolicy.Id + + if ($Assignments.Count -gt 0) + { + $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $configDevicePolicy.id ` + -Targets 
$assignmentsHash ` + -Repository 'deviceManagement/deviceCompliancePolicies' + } + } + elseif ($Ensure -eq 'Absent' -and $currentDeviceWindows10Policy.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing Intune Device Compliance Windows 10 Policy {$DisplayName}" + $configDevicePolicy = Get-MgBetaDeviceManagementDeviceCompliancePolicy ` + -ErrorAction Stop | Where-Object ` + -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10CompliancePolicy' -and ` + $_.displayName -eq $($DisplayName) } + + Remove-MgBetaDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $configDevicePolicy.Id + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $PasswordRequired, + + [Parameter()] + [System.Boolean] + $PasswordBlockSimple, + + [Parameter()] + [System.Boolean] + $PasswordRequiredToUnlockFromIdle, + + [Parameter()] + [System.Int32] + $PasswordMinutesOfInactivityBeforeLock, + + [Parameter()] + [System.Int32] + $PasswordExpirationDays, + + [Parameter()] + [System.Int32] + $PasswordMinimumLength, + + [Parameter()] + [System.Int32] + $PasswordPreviousPasswordBlockCount, + + [Parameter()] + [System.Int32] + $PasswordMinimumCharacterSetCount, + + [Parameter()] + [System.String] + [ValidateSet('DeviceDefault', 'Alphanumeric', 'Numeric')] + $PasswordRequiredType, + + [Parameter()] + [System.Boolean] + $RequireHealthyDeviceReport, + + [Parameter()] + [System.String] + $OsMinimumVersion, + + [Parameter()] + [System.String] + $OsMaximumVersion, + + [Parameter()] + [System.String] + $MobileOsMinimumVersion, + + [Parameter()] + [System.String] + $MobileOsMaximumVersion, + + [Parameter()] + [System.Boolean] + $EarlyLaunchAntiMalwareDriverEnabled, + + [Parameter()] + [System.Boolean] + $BitLockerEnabled, + + [Parameter()] 
+ [System.Boolean] + $SecureBootEnabled, + + [Parameter()] + [System.Boolean] + $CodeIntegrityEnabled, + + [Parameter()] + [System.Boolean] + $StorageRequireEncryption, + + [Parameter()] + [System.Boolean] + $ActiveFirewallRequired, + + [Parameter()] + [System.Boolean] + $DefenderEnabled, + + [Parameter()] + [System.String] + $DefenderVersion, + + [Parameter()] + [System.Boolean] + $SignatureOutOfDate, + + [Parameter()] + [System.Boolean] + $RtpEnabled, + + [Parameter()] + [System.Boolean] + $AntivirusRequired, + + [Parameter()] + [System.Boolean] + $AntiSpywareRequired, + + [Parameter()] + [System.Boolean] + $DeviceThreatProtectionEnabled, + + [Parameter()] + [System.String] + [ValidateSet('Unavailable', 'Secured', 'Low', 'Medium', 'High', 'NotSet')] + $DeviceThreatProtectionRequiredSecurityLevel, + + [Parameter()] + [System.Boolean] + $ConfigurationManagerComplianceRequired, + + [Parameter()] + [System.Boolean] + $TPMRequired, + + [Parameter()] + [System.String] + $DeviceCompliancePolicyScript, + + [Parameter()] + [System.Array] + $ValidOperatingSystemBuildRanges, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of Intune Device Compliance Windows 10 Policy {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) + { + Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" + throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." + } + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + $ValuesToCheck = $PSBoundParameters + + $testResult = $true + if ($CurrentValues.Ensure -ne $Ensure) + { + $testResult = $false + } + #region Assignments + if ($testResult) + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments + $target = $CurrentValues.Assignments + $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + $ValuesToCheck.Remove('Assignments') | Out-Null + } + #endregion + + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + 
[System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $params = @{ + IsSingleInstance = 'Yes' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + + Write-Host $Global:M365DSCEmojiGreenCheckMark + return $currentDSCBlock + } + catch + { + if ($_.Exception -like '*401*' -or $_.ErrorDetails.Message -like "*`"ErrorCode`":`"Forbidden`"*" -or ` + $_.Exception -like "*Request 
not applicable to target tenant*") + { + Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." + } + else + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + } + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.schema.mof new file mode 100644 index 0000000000..0ede675ec4 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.schema.mof 
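Review bot: Set-TargetResource and Test-TargetResource in the new module do not match its Get-TargetResource: both declare the Windows 10 compliance-policy parameters (`DisplayName`, `PasswordRequired`, …) and call `Get-TargetResource @PSBoundParameters`, which will fail because Get-TargetResource requires `IsSingleInstance` and has no `DisplayName`. As written, Set-TargetResource creates, updates or removes `windows10CompliancePolicy` objects and never writes `SecureByDefault` or `DeviceComplianceCheckinThresholdDays`, so the resource cannot enforce the tenant setting it reports; it also calls `Get-M365DSCIntuneDeviceCompliancePolicyWindows10AdditionalProperties`, which this file does not define. Both functions should take the same parameter set as Get-TargetResource and the schema, Set-TargetResource should send the two values back to Graph, and Test-TargetResource should declare a Boolean output type rather than a Hashtable. Separately, the `Current Values`/`Target Values` verbose lines pass hashtables containing `ApplicationSecret` and `AccessTokens` to `Convert-M365DscHashtableToString`; whether that helper redacts them is not visible here and is worth confirming. The sketch below assumes the settings are written through a PATCH on the deviceManagement resource.

```powershell
function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        [ValidateSet('Yes')]
        $IsSingleInstance,

        [Parameter()]
        [System.UInt32]
        $DeviceComplianceCheckinThresholdDays,

        [Parameter()]
        [System.Boolean]
        $SecureByDefault,

        # … unchanged: Credential, ApplicationId, TenantId, ApplicationSecret, CertificateThumbprint, ManagedIdentity parameters …

        [Parameter()]
        [System.String[]]
        $AccessTokens
    )

    # … unchanged: New-M365DSCConnection, Confirm-M365DSCDependencies, telemetry region …

    # Send only the values the caller actually specified.
    $settings = @{}
    if ($PSBoundParameters.ContainsKey('DeviceComplianceCheckinThresholdDays'))
    {
        $settings.Add('deviceComplianceCheckinThresholdDays', $DeviceComplianceCheckinThresholdDays)
    }
    if ($PSBoundParameters.ContainsKey('SecureByDefault'))
    {
        $settings.Add('secureByDefault', $SecureByDefault)
    }

    $uri = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/deviceManagement'
    $body = @{ settings = $settings } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method 'PATCH' -Uri $uri -Body $body -ErrorAction Stop
}
```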
@@ -0,0 +1,14 @@ +[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceManagementComplianceSettings")] +class MSFT_IntuneDeviceManagementComplianceSettings : OMI_BaseResource +{ + [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance; + [Write, Description("Device should be noncompliant when there is no compliance policy targeted when this is true.")] Boolean SecureByDefault; + [Write, Description("The number of days a device is allowed to go without checking in to remain compliant.")] UInt32 DeviceComplianceCheckinThresholdDays; + [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/readme.md new file mode 100644 index 0000000000..1f4dc15df1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/readme.md 
@@ -0,0 +1,191 @@ + +# IntuneDeviceCompliancePolicyWindows10 + +## Description + +This resource configures the settings of Windows 10 compliance policies +in your cloud-based organization. + +## Parameters + +### Device Health +#### Windows Health Attestation Service evaluation rules +* **Require BitLocker:** + Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the Trusted Platform Module (TPM) to help protect the Windows operating system and user data. It also helps confirm that a computer isn't tampered with, even if its left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM verifies the state of the computer. + * Not configured _(default)_ - This setting isn't evaluated for compliance or non-compliance. + * Require - The device can protect data that's stored on the drive from unauthorized access when the system is off, or hibernates. + + Device HealthAttestation CSP - BitLockerStatus + +* **Require Secure Boot to be enabled on the device:** + * Not configured _(default)_ - This setting isn't evaluated for compliance or non-compliance. + * Require - The system is forced to boot to a factory trusted state. The core components that are used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies the signature before it lets the machine start. If any files are tampered with, which breaks their signature, the system doesn't boot. + +### Device Properties +#### Operating System Version +To discover build versions for all Windows 10 Feature Updates and Cumulative Updates (to be used in some of the fields below), see Windows 10 release information. Be sure to include the 10.0. prefix before the build numbers, as the following examples illustrate. 
+ +* **Minimum OS version:** + Enter the minimum allowed version in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format: + + Microsoft Windows [Version 10.0.17134.1] + + When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources. + +* **Maximum OS version:** + Enter the maximum allowed version, in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format: + + Microsoft Windows [Version 10.0.17134.1] + + When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version. + +* **Minimum OS required for mobile devices:** + Enter the minimum allowed version, in the major.minor.build number format. + + When a device has an earlier version that the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources. + +* **Maximum OS required for mobile devices:** + Enter the maximum allowed version, in the major.minor.build number. + + When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version. + +* **Valid operating system builds:** + Specify a list of minimum and maximum operating system builds. 
Valid operating system builds provides additional flexibility when compared against minimum and maximum OS versions. Consider a scenario where minimum OS version is set to 10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to 10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10 1903 device that doesn't have recent cumulative updates installed to be identified as compliant. Minimum and maximum OS versions might be suitable if you have standardized on a single Windows 10 release, but might not address your requirements if you need to use multiple builds, each with specific patch levels. In such a case, consider leveraging valid operating system builds instead, which allows multiple builds to be specified as per the following example. + + Example: + The following table is an example of a range for the acceptable operating systems versions for different Windows 10 releases. In this example, three different Feature Updates have been allowed (1809, 1909 and 2004). Specifically, only those versions of Windows and which have applied cumulative updates from June to September 2020 will be considered to be compliant. This is sample data only. The table includes a first column that includes any text you want to describe the entry, followed by the minimum and maximum OS version for that entry. The second and third columns must adhere to valid OS build versions in the major.minor.build.revision number format. After you define one or more entries, you can Export the list as a comma-separated values (CSV) file. 
+ + | Description | Minimum OS version | Maximum OS version | + |-----------------------------|--------------------|--------------------| + | Win 10 2004 (Jun-Sept 2020) | 10.0.19041.329 | 10.0.19041.508 | + | Win 10 1909 (Jun-Sept 2020) | 10.0.18363.900 | 10.0.18363.1110 | + | Win 10 1809 (Jun-Sept 2020) | 10.0.17763.1282 | 10.0.17763.1490 | + +### Configuration Manager Compliance +Applies only to co-managed devices running Windows 10 and later. Intune-only devices return a not available status. + +* **Require device compliance from Configuration Manager:** + * Not configured _(default)_ - Intune doesn't check for any of the Configuration Manager settings for compliance. + * Require - Require all settings (configuration items) in Configuration Manager to be compliant. + +### System Security +#### Password +* **Require a password to unlock mobile devices:** + * Not configured _(default)_ - This setting isn't evaluated for compliance or non-compliance. + * Require - Users must enter a password before they can access their device. + +* **Simple passwords:** + * Not configured _(default)_ - Users can create simple passwords, such as 1234 or 1111. + * Block - Users can't create simple passwords, such as 1234 or 1111. + +* **Password type:** + Choose the type of password or PIN required. Your options: + * Device _(default)_ - Require a password, numeric PIN, or alphanumeric PIN + * Numeric - Require a password or numeric PIN + * Alphanumeric - Require a password, or alphanumeric PIN. + When set to Alphanumeric, the following settings are available: + + * Password complexity: + Your options: + * Require digits and lowercase letters _(default)_ + * Require digits, lowercase letters, and uppercase letters + * Require digits, lowercase letters, uppercase letters, and special characters + +* **Minimum password length:** + Enter the minimum number of digits or characters that the password must have. 
+ +* **Maximum minutes of inactivity before password is required:** + Enter the idle time before the user must reenter their password. + +* **Password expiration (days):** + Enter the number of days before the password expires, and they must create a new one, from 1-730. + +* **Number of previous passwords to prevent reuse:** + Enter the number of previously used passwords that can't be used. + +* **Require password when device returns from idle state (Mobile and Holographic):** + * Not configured _(default)_ + * Require - Require device users to enter the password every time the device returns from an idle state. + + **Important** + When the password requirement is changed on a Windows desktop, users are impacted the next time they sign in, as that's when the device goes from idle to active. Users with passwords that meet the requirement are still prompted to change their passwords. + +### Encryption + +* **Encryption of data storage on a device:** + This setting applies to all drives on a device. + * Not configured _(default)_ + * Require - Use Require to encrypt data storage on your devices. + + **Note** + The Encryption of data storage on a device setting generically checks for the presence of encryption on the device, more specifically at the OS drive level. Currently, Intune supports only the encryption check with BitLocker. For a more robust encryption setting, consider using Require BitLocker, which leverages Windows Device Health Attestation to validate Bitlocker status at the TPM level. + +### Device Security + +* **Firewall:** + * Not configured _(default)_ - Intune doesn't control the Microsoft Defender Firewall, nor change existing settings. + * Require - Turn on the Microsoft Defender Firewall, and prevent users from turning it off. + + **Note** + If the device immediately syncs after a reboot, or immediately syncs waking from sleep, then this setting may report as an Error. This scenario might not affect the overall device compliance status. 
To re-evaluate the compliance status, manually sync the device. + +* **Trusted Platform Module (TPM):** + * Not configured _(default)_ - Intune doesn't check the device for a TPM chip version. + * Require - Intune checks the TPM chip version for compliance. The device is compliant if the TPM chip version is greater than 0 (zero). The device isn't compliant if there isn't a TPM version on the device. + +* **Antivirus:** + * Not configured _(default)_ - Intune doesn't check for any antivirus solutions installed on the device. + * Require - Check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender. + +* **Antispyware:** + * Not configured _(default)_ - Intune doesn't check for any antispyware solutions installed on the device. + * Require - Check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender. + +### Defender +The following compliance settings are supported with Windows 10 Desktop. + +* **Microsoft Defender Antimalware:** + * Not configured _(default)_ - Intune doesn't control the service, nor change existing settings. + * Require - Turn on the Microsoft Defender anti-malware service, and prevent users from turning it off. + +* **Microsoft Defender Antimalware minimum version:** + Enter the minimum allowed version of Microsoft Defender anti-malware service. For example, enter 4.11.0.0. When left blank, any version of the Microsoft Defender anti-malware service can be used. + + By _(default)_, no version is configured. + +* **Microsoft Defender Antimalware security intelligence up-to-date:** + Controls the Windows Security virus and threat protection updates on the devices. + * Not configured _(default)_ - Intune doesn't enforce any requirements. + * Require - Force the Microsoft Defender security intelligence be up-to-date. 
+ +* **Real-time protection:** + * Not configured (_(default)_) - Intune doesn't control this feature, nor change existing settings. + * Require - Turn on real-time protection, which scans for malware, spyware, and other unwanted software. + +### Microsoft Defender for Endpoint +#### Microsoft Defender for Endpoint rules +For additional information on Microsoft Defender for Endpoint integration in conditional access scenarios, see Configure Conditional Access in Microsoft Defender for Endpoint. + +* **Require the device to be at or under the machine risk score:** + Use this setting to take the risk assessment from your defense threat services as a condition for compliance. Choose the maximum allowed threat level: + * Not configured (_(default)_) + * Clear -This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threats, it's evaluated as non-compliant. + * Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a non-compliant status. + * Medium - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be non-compliant. + * High - This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes. + +### Windows Holographic for Business +Windows Holographic for Business uses the Windows 10 and later platform. Windows Holographic for Business supports the following setting: + +**System Security > Encryption > Encryption of data storage on device.** +To verify device encryption on the Microsoft HoloLens, see Verify device encryption. + +### Surface Hub +Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for both compliance and Conditional Access. 
To enable these features on Surface Hubs, we recommend you enable Windows 10 automatic enrollment in Intune (requires Azure Active Directory (Azure AD)), and target the Surface Hub devices as device groups. Surface Hubs are required to be Azure AD joined for compliance and Conditional Access to work. + +For guidance, see set up enrollment for Windows devices. + +Special consideration for Surface Hubs running Windows 10 Team OS: +Surface Hubs that run Windows 10 Team OS do not support the Microsoft Defender for Endpoint and Password compliance policies at this time. Therefore, for Surface Hubs that run Windows 10 Team OS set the following two settings to their _(default)_ of _Not configured_: +* In the category Password, set Require a password to unlock mobile devices to the _(default)_ of Not configured. +* In the category Microsoft Defender for Endpoint, set Require the device to be at or under the machine risk score to the _(default)_ of Not configured. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/settings.json new file mode 100644 index 0000000000..876c98b3c1 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/settings.json 
@@ -0,0 +1,38 @@
+{
+ "resourceName": "IntuneDeviceCompliancePolicyWindows10",
+ "description": "This resource configures the settings of Windows 10 compliance policies in your cloud-based organization.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "Group.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "Group.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof
index 793acac5cb..2951037764 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof
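Review bot: `resourceName` and `description` in the new settings.json still name `IntuneDeviceCompliancePolicyWindows10`, although the file sits under MSFT_IntuneDeviceManagementComplianceSettings, so any permission documentation generated from it would be attributed to the wrong resource. I would change the first to `"resourceName": "IntuneDeviceManagementComplianceSettings"` and reword the description to match. Both `read` lists also request `Group.Read.All`; if the finished resource has no group assignments to resolve, dropping that entry keeps the documented app registration to the least privilege it needs.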
@@ -36,7 +36,7 @@ class MSFT_IntuneDeviceRemediation : OMI_BaseResource
 [Write, Description("Indicates the type of execution context. Possible values are: system, user."), ValueMap{"system","user"}, Values{"system","user"}] String RunAsAccount;
 [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
 [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
- [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed.")] string Ensure;
 [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
 [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
 [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementComplianceSettings/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementComplianceSettings/2-Update.ps1
new file mode 100644
index 0000000000..dc4bef9bde
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementComplianceSettings/2-Update.ps1
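Review bot: Dropping `ValueMap{"Present","Absent"}, Values{"Present","Absent"}` from `Ensure` removes the schema-level check, so a misspelled value is no longer rejected against the schema. Whether the resource module still carries a `ValidateSet` for `Ensure` is not visible in this hunk; if it does, schema and module now disagree. The file belongs to IntuneDeviceRemediation and the edit looks unrelated to the rest of the commit, so I would restore `ValueMap{"Present","Absent"}, Values{"Present","Absent"}` on that line or explain the removal in the commit message.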
@@ -0,0 +1,40 @@
+<#
+This example updates a new Device Remediation.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceRemediation 'ConfigureDeviceRemediation'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ }
+ );
+ Credential = $Credscredential
+ Description = 'Description'
+ DetectionScriptContent = "Base64 encoded script content 2"; # Updated property
+ DeviceHealthScriptType = "deviceHealthScript";
+ DisplayName = "Device remediation";
+ EnforceSignatureCheck = $False;
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ Publisher = "Some Publisher";
+ RemediationScriptContent = "Base64 encoded script content 2"; # Updated property
+ RoleScopeTagIds = @("0");
+ RunAs32Bit = $True;
+ RunAsAccount = "system";
+ TenantId = $OrganizationName;
+ }
+ }
+}
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1
new file mode 100644
index 0000000000..e2694a7aa2
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1
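Review bot: `TenantId = $OrganizationName;` reads a variable the example never declares, since the `param` block only takes `$Credscredential`, so the tenant id is empty (or the compile fails under strict mode). The example also lives under Examples/Resources/IntuneDeviceManagementComplianceSettings but configures `IntuneDeviceRemediation`, and its header comment still says "updates a new Device Remediation". As copied it shows `EnforceSignatureCheck = $False` together with `RunAsAccount = "system"`, which is not a combination an example for an unrelated resource should hand to readers. I would replace the node body with the new resource's own properties and either drop the `TenantId` line or add the missing parameter.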
@@ -0,0 +1,476 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource 'IntuneDeviceCompliancePolicyWindows10' -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + + BeforeAll { + $secpasswd = ConvertTo-SecureString ((New-Guid).ToString()) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 'Credentials' + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -MockWith { + + return @() + } + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + Context -Name "When the Windows 10 
Device Compliance Policy doesn't already exist" -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = 'Windows 10 DSC Policy' + Description = 'Test policy' + PasswordRequired = $False + PasswordBlockSimple = $False + PasswordRequiredToUnlockFromIdle = $True + PasswordMinutesOfInactivityBeforeLock = 15 + PasswordExpirationDays = 365 + PasswordMinimumLength = 6 + PasswordPreviousPasswordBlockCount = 13 + PasswordMinimumCharacterSetCount = 1 + PasswordRequiredType = 'Devicedefault' + RequireHealthyDeviceReport = $True + OsMinimumVersion = 10 + OsMaximumVersion = 10.19 + MobileOsMinimumVersion = 10 + MobileOsMaximumVersion = 10.19 + EarlyLaunchAntiMalwareDriverEnabled = $False + BitLockerEnabled = $False + SecureBootEnabled = $True + CodeIntegrityEnabled = $True + StorageRequireEncryption = $True + ActiveFirewallRequired = $True + DefenderEnabled = $True + DefenderVersion = '' + SignatureOutOfDate = $True + RtpEnabled = $True + AntivirusRequired = $True + AntiSpywareRequired = $True + DeviceThreatProtectionEnabled = $True + DeviceThreatProtectionRequiredSecurityLevel = 'Medium' + ConfigurationManagerComplianceRequired = $False + TPMRequired = $False + DeviceCompliancePolicyScript = $null + ValidOperatingSystemBuildRanges = @() + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + return $null + } + } + + It 'Should return absent from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create the Windows 10 Device Compliance Policy from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName 'New-MgBetaDeviceManagementDeviceCompliancePolicy' -Exactly 1 + } + } + + Context -Name 'When the Windows 10 Device Compliance Policy already exists and is NOT in the Desired State' -Fixture { + BeforeAll { + 
$testParams = @{ + DisplayName = 'Windows 10 DSC Policy' + Description = 'Test policy' + PasswordRequired = $False + PasswordBlockSimple = $False + PasswordRequiredToUnlockFromIdle = $True + PasswordMinutesOfInactivityBeforeLock = 15 + PasswordExpirationDays = 365 + PasswordMinimumLength = 6 + PasswordPreviousPasswordBlockCount = 13 + PasswordMinimumCharacterSetCount = 1 + PasswordRequiredType = 'Devicedefault' + RequireHealthyDeviceReport = $True + OsMinimumVersion = 10 + OsMaximumVersion = 10.19 + MobileOsMinimumVersion = 10 + MobileOsMaximumVersion = 10.19 + EarlyLaunchAntiMalwareDriverEnabled = $False + BitLockerEnabled = $False + SecureBootEnabled = $True + CodeIntegrityEnabled = $True + StorageRequireEncryption = $True + ActiveFirewallRequired = $True + DefenderEnabled = $True + DefenderVersion = '' + SignatureOutOfDate = $True + RtpEnabled = $True + AntivirusRequired = $True + AntiSpywareRequired = $True + DeviceThreatProtectionEnabled = $True + DeviceThreatProtectionRequiredSecurityLevel = 'Medium' + ConfigurationManagerComplianceRequired = $False + TPMRequired = $False + DeviceCompliancePolicyScript = $null + ValidOperatingSystemBuildRanges = @() + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + return @{ + DisplayName = 'Windows 10 DSC Policy' + Description = 'Test policy' + Id = 'f38b283d-d893-4c33-b6d2-d3bcb5f2dcc2' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.windows10CompliancePolicy' + PasswordRequired = $False + PasswordBlockSimple = $True; #Drift + PasswordRequiredToUnlockFromIdle = $True + PasswordMinutesOfInactivityBeforeLock = 15 + PasswordExpirationDays = 365 + PasswordMinimumLength = 6 + PasswordPreviousPasswordBlockCount = 13 + PasswordMinimumCharacterSetCount = 1 + PasswordRequiredType = 'Devicedefault' + RequireHealthyDeviceReport = $True + OsMinimumVersion = 10 + OsMaximumVersion = 10.19 + MobileOsMinimumVersion = 10 + 
MobileOsMaximumVersion = 10.19 + EarlyLaunchAntiMalwareDriverEnabled = $False + BitLockerEnabled = $False + SecureBootEnabled = $True + CodeIntegrityEnabled = $True + StorageRequireEncryption = $True + ActiveFirewallRequired = $True + DefenderEnabled = $True + DefenderVersion = '' + SignatureOutOfDate = $True + RtpEnabled = $True + AntivirusRequired = $True + AntiSpywareRequired = $True + DeviceThreatProtectionEnabled = $True + DeviceThreatProtectionRequiredSecurityLevel = 'Medium' + ConfigurationManagerComplianceRequired = $False + TPMRequired = $False + DeviceCompliancePolicyScript = $null + ValidOperatingSystemBuildRanges = @() + RoleScopeTagIds = '0' + } + } + } + } + + It 'Should return Present from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should update the iOS Device Compliance Policy from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceManagementDeviceCompliancePolicy -Exactly 1 + } + } + + Context -Name 'When the policy already exists and IS in the Desired State' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = 'Windows 10 DSC Policy' + Description = 'Test policy' + PasswordRequired = $False + PasswordBlockSimple = $False + PasswordRequiredToUnlockFromIdle = $True + PasswordMinutesOfInactivityBeforeLock = 15 + PasswordExpirationDays = 365 + PasswordMinimumLength = 6 + PasswordPreviousPasswordBlockCount = 13 + PasswordMinimumCharacterSetCount = 1 + PasswordRequiredType = 'Devicedefault' + RequireHealthyDeviceReport = $True + OsMinimumVersion = 10 + OsMaximumVersion = 10.19 + MobileOsMinimumVersion = 10 + MobileOsMaximumVersion = 10.19 + EarlyLaunchAntiMalwareDriverEnabled = $False + BitLockerEnabled = $False + SecureBootEnabled = $True + CodeIntegrityEnabled = $True + StorageRequireEncryption = $True + ActiveFirewallRequired = $True + 
DefenderEnabled = $True + DefenderVersion = '' + SignatureOutOfDate = $True + RtpEnabled = $True + AntivirusRequired = $True + AntiSpywareRequired = $True + DeviceThreatProtectionEnabled = $True + DeviceThreatProtectionRequiredSecurityLevel = 'Medium' + ConfigurationManagerComplianceRequired = $False + TPMRequired = $False + DeviceCompliancePolicyScript = $null + ValidOperatingSystemBuildRanges = @() + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + return @{ + DisplayName = 'Windows 10 DSC Policy' + Description = 'Test policy' + Id = 'f38b283d-d893-4c33-b6d2-d3bcb5f2dcc2' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.windows10CompliancePolicy' + PasswordRequired = $False + PasswordBlockSimple = $False + PasswordRequiredToUnlockFromIdle = $True + PasswordMinutesOfInactivityBeforeLock = 15 + PasswordExpirationDays = 365 + PasswordMinimumLength = 6 + PasswordPreviousPasswordBlockCount = 13 + PasswordMinimumCharacterSetCount = 1 + PasswordRequiredType = 'Devicedefault' + RequireHealthyDeviceReport = $True + OsMinimumVersion = 10 + OsMaximumVersion = 10.19 + MobileOsMinimumVersion = 10 + MobileOsMaximumVersion = 10.19 + EarlyLaunchAntiMalwareDriverEnabled = $False + BitLockerEnabled = $False + SecureBootEnabled = $True + CodeIntegrityEnabled = $True + StorageRequireEncryption = $True + ActiveFirewallRequired = $True + DefenderEnabled = $True + DefenderVersion = '' + SignatureOutOfDate = $True + RtpEnabled = $True + AntivirusRequired = $True + AntiSpywareRequired = $True + DeviceThreatProtectionEnabled = $True + DeviceThreatProtectionRequiredSecurityLevel = 'Medium' + ConfigurationManagerComplianceRequired = $False + TPMRequired = $False + DeviceCompliancePolicyScript = $null + ValidOperatingSystemBuildRanges = @() + RoleScopeTagIds = '0' + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + 
+ Context -Name 'When the policy exists and it SHOULD NOT' -Fixture { + BeforeAll { + $testParams = @{ + DisplayName = 'Windows 10 DSC Policy' + Description = 'Test policy' + PasswordRequired = $False + PasswordBlockSimple = $False + PasswordRequiredToUnlockFromIdle = $True + PasswordMinutesOfInactivityBeforeLock = 15 + PasswordExpirationDays = 365 + PasswordMinimumLength = 6 + PasswordPreviousPasswordBlockCount = 13 + PasswordMinimumCharacterSetCount = 1 + PasswordRequiredType = 'Devicedefault' + RequireHealthyDeviceReport = $True + OsMinimumVersion = 10 + OsMaximumVersion = 10.19 + MobileOsMinimumVersion = 10 + MobileOsMaximumVersion = 10.19 + EarlyLaunchAntiMalwareDriverEnabled = $False + BitLockerEnabled = $False + SecureBootEnabled = $True + CodeIntegrityEnabled = $True + StorageRequireEncryption = $True + ActiveFirewallRequired = $True + DefenderEnabled = $True + DefenderVersion = '' + SignatureOutOfDate = $True + RtpEnabled = $True + AntivirusRequired = $True + AntiSpywareRequired = $True + DeviceThreatProtectionEnabled = $True + DeviceThreatProtectionRequiredSecurityLevel = 'Medium' + ConfigurationManagerComplianceRequired = $False + TPMRequired = $False + DeviceCompliancePolicyScript = $null + ValidOperatingSystemBuildRanges = @() + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + return @{ + DisplayName = 'Windows 10 DSC Policy' + Description = 'Test policy' + Id = 'f38b283d-d893-4c33-b6d2-d3bcb5f2dcc2' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.windows10CompliancePolicy' + PasswordRequired = $False + PasswordBlockSimple = $False + PasswordRequiredToUnlockFromIdle = $True + PasswordMinutesOfInactivityBeforeLock = 15 + PasswordExpirationDays = 365 + PasswordMinimumLength = 6 + PasswordPreviousPasswordBlockCount = 13 + PasswordMinimumCharacterSetCount = 1 + PasswordRequiredType = 'Devicedefault' + RequireHealthyDeviceReport = $True + OsMinimumVersion = 
10 + OsMaximumVersion = 10.19 + MobileOsMinimumVersion = 10 + MobileOsMaximumVersion = 10.19 + EarlyLaunchAntiMalwareDriverEnabled = $False + BitLockerEnabled = $False + SecureBootEnabled = $True + CodeIntegrityEnabled = $True + StorageRequireEncryption = $True + ActiveFirewallRequired = $True + DefenderEnabled = $True + DefenderVersion = '' + SignatureOutOfDate = $True + RtpEnabled = $True + AntivirusRequired = $True + AntiSpywareRequired = $True + DeviceThreatProtectionEnabled = $True + DeviceThreatProtectionRequiredSecurityLevel = 'Medium' + ConfigurationManagerComplianceRequired = $False + TPMRequired = $False + DeviceCompliancePolicyScript = $null + ValidOperatingSystemBuildRanges = @() + RoleScopeTagIds = '0' + } + } + } + } + + It 'Should return Present from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the iOS Device Compliance Policy from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementDeviceCompliancePolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + return @{ + DisplayName = 'Windows 10 DSC Policy' + Description = 'Test policy' + Id = 'f38b283d-d893-4c33-b6d2-d3bcb5f2dcc2' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.windows10CompliancePolicy' + PasswordRequired = $False + PasswordBlockSimple = $False + PasswordRequiredToUnlockFromIdle = $True + PasswordMinutesOfInactivityBeforeLock = 15 + PasswordExpirationDays = 365 + PasswordMinimumLength = 6 + PasswordPreviousPasswordBlockCount = 13 + PasswordMinimumCharacterSetCount = 1 + 
PasswordRequiredType = 'Devicedefault' + RequireHealthyDeviceReport = $True + OsMinimumVersion = 10 + OsMaximumVersion = 10.19 + MobileOsMinimumVersion = 10 + MobileOsMaximumVersion = 10.19 + EarlyLaunchAntiMalwareDriverEnabled = $False + BitLockerEnabled = $False + SecureBootEnabled = $True + CodeIntegrityEnabled = $True + StorageRequireEncryption = $True + ActiveFirewallRequired = $True + DefenderEnabled = $True + DefenderVersion = '' + SignatureOutOfDate = $True + RtpEnabled = $True + AntivirusRequired = $True + AntiSpywareRequired = $True + DeviceThreatProtectionEnabled = $True + DeviceThreatProtectionRequiredSecurityLevel = 'Medium' + ConfigurationManagerComplianceRequired = $False + TPMRequired = $False + DeviceCompliancePolicyScript = $null + ValidOperatingSystemBuildRanges = @() + RoleScopeTagIds = '0' + } + } + } + } + + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams -Verbose + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 4c266a805770665efc6733da6abd375cb55720fb Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Tue, 25 Jun 2024 16:37:15 -0400 Subject: [PATCH 19/26] updated resource --- CHANGELOG.md | 2 + ...uneDeviceManagementComplianceSettings.psm1 | 405 +---------------- .../readme.md | 190 +------- .../2-Update.ps1 | 28 +- ...viceManagementComplianceSettings.Tests.ps1 | 406 ++---------------- 5 files changed, 60 insertions(+), 971 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cffe7c9be1..ae6d738edb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ * AADGroup * FIXES [#4782](https://github.com/microsoft/Microsoft365DSC/issues/4782) +* IntuneDeviceManagementComplianceSettings + * Initial Release. * DEPENDENCIES * Updated MSCloudLoginAssistant to version 1.1.18 
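Review bot: In Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1 the helper is created with `-DscResource 'IntuneDeviceCompliancePolicyWindows10'`, so every context in this new file exercises the Windows 10 compliance policy resource and the new resource gets no coverage. Change it to `-DscResource 'IntuneDeviceManagementComplianceSettings'` and replace the compliance-policy mocks with ones for the settings call. Two test names also disagree with what they check: 'Should return true from the Test method' asserts `Should -Be $false` in the 'SHOULD NOT' context, and the update and remove tests are titled 'iOS Device Compliance Policy'.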
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1
index feffde0216..cf73c2b59a 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/MSFT_IntuneDeviceManagementComplianceSettings.psm1
@@ -102,150 +102,16 @@ function Set-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.Boolean] - $PasswordRequired, - - [Parameter()] - [System.Boolean] - $PasswordBlockSimple, - - [Parameter()] - [System.Boolean] - $PasswordRequiredToUnlockFromIdle, - - [Parameter()] - [System.Int32] - $PasswordMinutesOfInactivityBeforeLock, - - [Parameter()] - [System.Int32] - $PasswordExpirationDays, - - [Parameter()] - [System.Int32] - $PasswordMinimumLength, - - [Parameter()] - [System.Int32] - $PasswordPreviousPasswordBlockCount, - - [Parameter()] - [System.Int32] - $PasswordMinimumCharacterSetCount, - - [Parameter()] - [System.String] - [ValidateSet('DeviceDefault', 'Alphanumeric', 'Numeric')] - $PasswordRequiredType, - - [Parameter()] - [System.Boolean] - $RequireHealthyDeviceReport, - - [Parameter()] - [System.String] - $OsMinimumVersion, - - [Parameter()] - [System.String] - $OsMaximumVersion, - - [Parameter()] - [System.String] - $MobileOsMinimumVersion, - - [Parameter()] - [System.String] - $MobileOsMaximumVersion, - - [Parameter()] - [System.Boolean] - $EarlyLaunchAntiMalwareDriverEnabled, - - [Parameter()] - [System.Boolean] - $BitLockerEnabled, - - [Parameter()] - [System.Boolean] - $SecureBootEnabled, - - [Parameter()] - [System.Boolean] - $CodeIntegrityEnabled, - - [Parameter()] - [System.Boolean] - $StorageRequireEncryption, - - [Parameter()] - [System.Boolean] - $ActiveFirewallRequired, - - [Parameter()] - [System.Boolean] - $DefenderEnabled, - - [Parameter()] - [System.String] - $DefenderVersion, - - [Parameter()] - [System.Boolean] - $SignatureOutOfDate, - - [Parameter()] - [System.Boolean] - $RtpEnabled, - - [Parameter()] - [System.Boolean] - $AntivirusRequired, - - [Parameter()] - [System.Boolean] - $AntiSpywareRequired, - - [Parameter()] - [System.Boolean] - $DeviceThreatProtectionEnabled, - - [Parameter()] - [System.String] - 
[ValidateSet('Unavailable', 'Secured', 'Low', 'Medium', 'High', 'NotSet')] - $DeviceThreatProtectionRequiredSecurityLevel, + [ValidateSet('Yes')] + $IsSingleInstance, [Parameter()] - [System.Boolean] - $ConfigurationManagerComplianceRequired, + [System.UInt32] + $DeviceComplianceCheckinThresholdDays, [Parameter()] [System.Boolean] - $TPMRequired, - - [Parameter()] - [System.String] - $DeviceCompliancePolicyScript, - - [Parameter()] - [System.Array] - $ValidOperatingSystemBuildRanges, - - [Parameter()] - [Microsoft.Management.Infrastructure.CimInstance[]] - $Assignments, - - [Parameter()] - [System.String] - [ValidateSet('Absent', 'Present')] - $Ensure = 'Present', + $SecureByDefault, [Parameter()] [System.Management.Automation.PSCredential] @@ -276,7 +142,7 @@ function Set-TargetResource $AccessTokens ) - Write-Verbose -Message "Intune Device Compliance Windows 10 Policy {$DisplayName}" + Write-Verbose -Message "Updating the Intune Device Management Compliance Settings" $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters 
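Review bot: `$DeviceComplianceCheckinThresholdDays` is declared as a bare `[System.UInt32]` in the Set-TargetResource param hunk (`@@ -102,150 +102,16 @@`), so any value up to the type maximum is passed on to Graph. The Graph reference gives 0 to 120 as the valid range for `deviceComplianceCheckinThresholdDays` (worth confirming against the current beta documentation). Adding `[ValidateRange(0, 120)]` above the parameter would reject a bad value before the request is made. The same applies to the identical parameter in the Test-TargetResource hunk (`@@ -378,150 +173,16 @@`); both param blocks continue outside their hunks.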
@@ -292,82 +158,11 @@ function Set-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - $currentDeviceWindows10Policy = Get-TargetResource @PSBoundParameters - - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('AccessTokens') | Out-Null - - $scheduledActionsForRule = @{ - '@odata.type' = '#microsoft.graph.deviceComplianceScheduledActionForRule' - ruleName = 'PasswordRequired' - scheduledActionConfigurations = @( - @{ - '@odata.type' = '#microsoft.graph.deviceComplianceActionItem' - actionType = 'block' - } - ) - } - - if ($Ensure -eq 'Present' -and $currentDeviceWindows10Policy.Ensure -eq 'Absent') - { - Write-Verbose -Message "Creating new Intune Device Compliance Windows 10 Policy {$DisplayName}" - $PSBoundParameters.Remove('DisplayName') | Out-Null - $PSBoundParameters.Remove('Description') | Out-Null - $PSBoundParameters.Remove('Assignments') | Out-Null - - $AdditionalProperties = Get-M365DSCIntuneDeviceCompliancePolicyWindows10AdditionalProperties -Properties ([System.Collections.Hashtable]$PSBoundParameters) - $policy = New-MgBetaDeviceManagementDeviceCompliancePolicy -DisplayName $DisplayName ` - -Description $Description ` - -AdditionalProperties $AdditionalProperties ` - -ScheduledActionsForRule $scheduledActionsForRule - - if ($Assignments.Count -gt 0) - { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceCompliancePolicies' - } - } - elseif ($Ensure -eq 'Present' -and $currentDeviceWindows10Policy.Ensure -eq 'Present') - { - Write-Verbose -Message "Updating Intune Device Compliance Windows 10 Policy 
{$DisplayName}" - $configDevicePolicy = Get-MgBetaDeviceManagementDeviceCompliancePolicy ` - -ErrorAction Stop | Where-Object ` - -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10CompliancePolicy' -and ` - $_.displayName -eq $($DisplayName) } - - $PSBoundParameters.Remove('DisplayName') | Out-Null - $PSBoundParameters.Remove('Description') | Out-Null - $PSBoundParameters.Remove('Assignments') | Out-Null - - $AdditionalProperties = Get-M365DSCIntuneDeviceCompliancePolicyWindows10AdditionalProperties -Properties ([System.Collections.Hashtable]$PSBoundParameters) - Update-MgBetaDeviceManagementDeviceCompliancePolicy -AdditionalProperties $AdditionalProperties ` - -Description $Description ` - -DeviceCompliancePolicyId $configDevicePolicy.Id - - if ($Assignments.Count -gt 0) - { - $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $configDevicePolicy.id ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceCompliancePolicies' - } - } - elseif ($Ensure -eq 'Absent' -and $currentDeviceWindows10Policy.Ensure -eq 'Present') - { - Write-Verbose -Message "Removing Intune Device Compliance Windows 10 Policy {$DisplayName}" - $configDevicePolicy = Get-MgBetaDeviceManagementDeviceCompliancePolicy ` - -ErrorAction Stop | Where-Object ` - -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.windows10CompliancePolicy' -and ` - $_.displayName -eq $($DisplayName) } - - Remove-MgBetaDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $configDevicePolicy.Id + $settings = @{ + deviceComplianceCheckinThresholdDays = $DeviceComplianceCheckinThresholdDays + secureByDefault = $SecureByDefault } + Update-MgBetaDeviceManagement -Settings $settings } function Test-TargetResource 
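Review bot: The new `$settings` hashtable always carries both keys, but `DeviceComplianceCheckinThresholdDays` and `SecureByDefault` are optional `[Parameter()]` value types, so a configuration that sets only one of them sends `0` or `$false` for the other. For `secureByDefault`, as Graph documents the property, a run that only meant to change the check-in threshold would also stop devices with no targeted compliance policy from being treated as non-compliant, which weakens tenant posture silently. Build the request from `$PSBoundParameters` so only the settings that were specified are written, and add `-ErrorAction Stop` so a failed update surfaces in the DSC run. Set-TargetResource starts outside this hunk.

```powershell
# ... unchanged: connection and telemetry region ...
$settings = @{}
if ($PSBoundParameters.ContainsKey('DeviceComplianceCheckinThresholdDays'))
{
    $settings.deviceComplianceCheckinThresholdDays = $DeviceComplianceCheckinThresholdDays
}
if ($PSBoundParameters.ContainsKey('SecureByDefault'))
{
    $settings.secureByDefault = $SecureByDefault
}
if ($settings.Count -gt 0)
{
    Update-MgBetaDeviceManagement -Settings $settings -ErrorAction Stop
}
```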
@@ -378,150 +173,16 @@ function Test-TargetResource ( [Parameter(Mandatory = $true)] [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.Boolean] - $PasswordRequired, - - [Parameter()] - [System.Boolean] - $PasswordBlockSimple, - - [Parameter()] - [System.Boolean] - $PasswordRequiredToUnlockFromIdle, - - [Parameter()] - [System.Int32] - $PasswordMinutesOfInactivityBeforeLock, - - [Parameter()] - [System.Int32] - $PasswordExpirationDays, - - [Parameter()] - [System.Int32] - $PasswordMinimumLength, - - [Parameter()] - [System.Int32] - $PasswordPreviousPasswordBlockCount, - - [Parameter()] - [System.Int32] - $PasswordMinimumCharacterSetCount, - - [Parameter()] - [System.String] - [ValidateSet('DeviceDefault', 'Alphanumeric', 'Numeric')] - $PasswordRequiredType, - - [Parameter()] - [System.Boolean] - $RequireHealthyDeviceReport, - - [Parameter()] - [System.String] - $OsMinimumVersion, - - [Parameter()] - [System.String] - $OsMaximumVersion, - - [Parameter()] - [System.String] - $MobileOsMinimumVersion, - - [Parameter()] - [System.String] - $MobileOsMaximumVersion, - - [Parameter()] - [System.Boolean] - $EarlyLaunchAntiMalwareDriverEnabled, - - [Parameter()] - [System.Boolean] - $BitLockerEnabled, - - [Parameter()] - [System.Boolean] - $SecureBootEnabled, - - [Parameter()] - [System.Boolean] - $CodeIntegrityEnabled, - - [Parameter()] - [System.Boolean] - $StorageRequireEncryption, - - [Parameter()] - [System.Boolean] - $ActiveFirewallRequired, - - [Parameter()] - [System.Boolean] - $DefenderEnabled, - - [Parameter()] - [System.String] - $DefenderVersion, - - [Parameter()] - [System.Boolean] - $SignatureOutOfDate, - - [Parameter()] - [System.Boolean] - $RtpEnabled, - - [Parameter()] - [System.Boolean] - $AntivirusRequired, - - [Parameter()] - [System.Boolean] - $AntiSpywareRequired, - - [Parameter()] - [System.Boolean] - $DeviceThreatProtectionEnabled, - - [Parameter()] - [System.String] - 
[ValidateSet('Unavailable', 'Secured', 'Low', 'Medium', 'High', 'NotSet')] - $DeviceThreatProtectionRequiredSecurityLevel, + [ValidateSet('Yes')] + $IsSingleInstance, [Parameter()] - [System.Boolean] - $ConfigurationManagerComplianceRequired, + [System.UInt32] + $DeviceComplianceCheckinThresholdDays, [Parameter()] [System.Boolean] - $TPMRequired, - - [Parameter()] - [System.String] - $DeviceCompliancePolicyScript, - - [Parameter()] - [System.Array] - $ValidOperatingSystemBuildRanges, - - [Parameter()] - [Microsoft.Management.Infrastructure.CimInstance[]] - $Assignments, - - [Parameter()] - [System.String] - [ValidateSet('Absent', 'Present')] - $Ensure = 'Present', + $SecureByDefault, [Parameter()] [System.Management.Automation.PSCredential] 
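Review bot: `[System.UInt32] $DeviceComplianceCheckinThresholdDays` has no upper bound, so a mistyped value is only caught, if at all, by the service. The property is the number of days a device may go without checking in and still count as compliant, so an oversized value quietly weakens the compliance signal. The Graph reference gives a bounded range for it (0 to 120 as far as I recall; confirm before hard-coding), and adding `[ValidateRange(0, 120)]` here and on the matching parameter in Get- and Set-TargetResource would reject an out-of-range value before any Graph call is made. The parameter block continues outside this hunk.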
@@ -564,42 +225,16 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of Intune Device Compliance Windows 10 Policy {$DisplayName}" + Write-Verbose -Message "Testing configuration of Intune Device Management Compliance Settings" $CurrentValues = Get-TargetResource @PSBoundParameters - if (-not (Test-M365DSCAuthenticationParameter -BoundParameters $CurrentValues)) - { - Write-Verbose "An error occured in Get-TargetResource, the policy {$displayName} will not be processed" - throw "An error occured in Get-TargetResource, the policy {$displayName} will not be processed. Refer to the event viewer logs for more information." - } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - $ValuesToCheck = $PSBoundParameters - - $testResult = $true - if ($CurrentValues.Ensure -ne $Ensure) - { - $testResult = $false - } - #region Assignments - if ($testResult) - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $PSBoundParameters.Assignments - $target = $CurrentValues.Assignments - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target - $ValuesToCheck.Remove('Assignments') | Out-Null - } - #endregion - - if ($testResult) - { - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - } + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult 
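Review bot: `-ValuesToCheck $ValuesToCheck.Keys` reads a variable that this hunk no longer assigns: the `$ValuesToCheck = $PSBoundParameters` line is removed and nothing in the visible new code replaces it. Unless it is set in the part of Test-TargetResource outside the hunk, the argument evaluates to `$null`, so the compared key list falls back to whatever Test-M365DSCParameterState does by default, likely including `Credential` and the other authentication parameters, and the expression throws under strict mode. Restore the assignment before the call, e.g. `$ValuesToCheck = ([System.Collections.Hashtable]$PSBoundParameters).Clone()`, and remove the authentication keys from the copy. The dropped `Test-M365DSCAuthenticationParameter` guard also means a failed Get-TargetResource is now compared as if it were real tenant state, so consider keeping a check that stops an error from surfacing as a match.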
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/readme.md index 1f4dc15df1..afdb546248 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceManagementComplianceSettings/readme.md 
@@ -1,191 +1,7 @@ -# IntuneDeviceCompliancePolicyWindows10 +# IntuneDeviceManagementComplianceSettings ## Description -This resource configures the settings of Windows 10 compliance policies -in your cloud-based organization. - -## Parameters - -### Device Health -#### Windows Health Attestation Service evaluation rules -* **Require BitLocker:** - Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the Trusted Platform Module (TPM) to help protect the Windows operating system and user data. It also helps confirm that a computer isn't tampered with, even if its left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM verifies the state of the computer. - * Not configured _(default)_ - This setting isn't evaluated for compliance or non-compliance. - * Require - The device can protect data that's stored on the drive from unauthorized access when the system is off, or hibernates. - - Device HealthAttestation CSP - BitLockerStatus - -* **Require Secure Boot to be enabled on the device:** - * Not configured _(default)_ - This setting isn't evaluated for compliance or non-compliance. - * Require - The system is forced to boot to a factory trusted state. The core components that are used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies the signature before it lets the machine start. If any files are tampered with, which breaks their signature, the system doesn't boot. - -### Device Properties -#### Operating System Version -To discover build versions for all Windows 10 Feature Updates and Cumulative Updates (to be used in some of the fields below), see Windows 10 release information. Be sure to include the 10.0. 
prefix before the build numbers, as the following examples illustrate. - -* **Minimum OS version:** - Enter the minimum allowed version in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format: - - Microsoft Windows [Version 10.0.17134.1] - - When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources. - -* **Maximum OS version:** - Enter the maximum allowed version, in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format: - - Microsoft Windows [Version 10.0.17134.1] - - When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version. - -* **Minimum OS required for mobile devices:** - Enter the minimum allowed version, in the major.minor.build number format. - - When a device has an earlier version that the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources. - -* **Maximum OS required for mobile devices:** - Enter the maximum allowed version, in the major.minor.build number. - - When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version. 
- -* **Valid operating system builds:** - Specify a list of minimum and maximum operating system builds. Valid operating system builds provides additional flexibility when compared against minimum and maximum OS versions. Consider a scenario where minimum OS version is set to 10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to 10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10 1903 device that doesn't have recent cumulative updates installed to be identified as compliant. Minimum and maximum OS versions might be suitable if you have standardized on a single Windows 10 release, but might not address your requirements if you need to use multiple builds, each with specific patch levels. In such a case, consider leveraging valid operating system builds instead, which allows multiple builds to be specified as per the following example. - - Example: - The following table is an example of a range for the acceptable operating systems versions for different Windows 10 releases. In this example, three different Feature Updates have been allowed (1809, 1909 and 2004). Specifically, only those versions of Windows and which have applied cumulative updates from June to September 2020 will be considered to be compliant. This is sample data only. The table includes a first column that includes any text you want to describe the entry, followed by the minimum and maximum OS version for that entry. The second and third columns must adhere to valid OS build versions in the major.minor.build.revision number format. After you define one or more entries, you can Export the list as a comma-separated values (CSV) file. 
- - | Description | Minimum OS version | Maximum OS version | - |-----------------------------|--------------------|--------------------| - | Win 10 2004 (Jun-Sept 2020) | 10.0.19041.329 | 10.0.19041.508 | - | Win 10 1909 (Jun-Sept 2020) | 10.0.18363.900 | 10.0.18363.1110 | - | Win 10 1809 (Jun-Sept 2020) | 10.0.17763.1282 | 10.0.17763.1490 | - -### Configuration Manager Compliance -Applies only to co-managed devices running Windows 10 and later. Intune-only devices return a not available status. - -* **Require device compliance from Configuration Manager:** - * Not configured _(default)_ - Intune doesn't check for any of the Configuration Manager settings for compliance. - * Require - Require all settings (configuration items) in Configuration Manager to be compliant. - -### System Security -#### Password -* **Require a password to unlock mobile devices:** - * Not configured _(default)_ - This setting isn't evaluated for compliance or non-compliance. - * Require - Users must enter a password before they can access their device. - -* **Simple passwords:** - * Not configured _(default)_ - Users can create simple passwords, such as 1234 or 1111. - * Block - Users can't create simple passwords, such as 1234 or 1111. - -* **Password type:** - Choose the type of password or PIN required. Your options: - * Device _(default)_ - Require a password, numeric PIN, or alphanumeric PIN - * Numeric - Require a password or numeric PIN - * Alphanumeric - Require a password, or alphanumeric PIN. - When set to Alphanumeric, the following settings are available: - - * Password complexity: - Your options: - * Require digits and lowercase letters _(default)_ - * Require digits, lowercase letters, and uppercase letters - * Require digits, lowercase letters, uppercase letters, and special characters - -* **Minimum password length:** - Enter the minimum number of digits or characters that the password must have. 
- -* **Maximum minutes of inactivity before password is required:** - Enter the idle time before the user must reenter their password. - -* **Password expiration (days):** - Enter the number of days before the password expires, and they must create a new one, from 1-730. - -* **Number of previous passwords to prevent reuse:** - Enter the number of previously used passwords that can't be used. - -* **Require password when device returns from idle state (Mobile and Holographic):** - * Not configured _(default)_ - * Require - Require device users to enter the password every time the device returns from an idle state. - - **Important** - When the password requirement is changed on a Windows desktop, users are impacted the next time they sign in, as that's when the device goes from idle to active. Users with passwords that meet the requirement are still prompted to change their passwords. - -### Encryption - -* **Encryption of data storage on a device:** - This setting applies to all drives on a device. - * Not configured _(default)_ - * Require - Use Require to encrypt data storage on your devices. - - **Note** - The Encryption of data storage on a device setting generically checks for the presence of encryption on the device, more specifically at the OS drive level. Currently, Intune supports only the encryption check with BitLocker. For a more robust encryption setting, consider using Require BitLocker, which leverages Windows Device Health Attestation to validate Bitlocker status at the TPM level. - -### Device Security - -* **Firewall:** - * Not configured _(default)_ - Intune doesn't control the Microsoft Defender Firewall, nor change existing settings. - * Require - Turn on the Microsoft Defender Firewall, and prevent users from turning it off. - - **Note** - If the device immediately syncs after a reboot, or immediately syncs waking from sleep, then this setting may report as an Error. This scenario might not affect the overall device compliance status. 
To re-evaluate the compliance status, manually sync the device. - -* **Trusted Platform Module (TPM):** - * Not configured _(default)_ - Intune doesn't check the device for a TPM chip version. - * Require - Intune checks the TPM chip version for compliance. The device is compliant if the TPM chip version is greater than 0 (zero). The device isn't compliant if there isn't a TPM version on the device. - -* **Antivirus:** - * Not configured _(default)_ - Intune doesn't check for any antivirus solutions installed on the device. - * Require - Check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender. - -* **Antispyware:** - * Not configured _(default)_ - Intune doesn't check for any antispyware solutions installed on the device. - * Require - Check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender. - -### Defender -The following compliance settings are supported with Windows 10 Desktop. - -* **Microsoft Defender Antimalware:** - * Not configured _(default)_ - Intune doesn't control the service, nor change existing settings. - * Require - Turn on the Microsoft Defender anti-malware service, and prevent users from turning it off. - -* **Microsoft Defender Antimalware minimum version:** - Enter the minimum allowed version of Microsoft Defender anti-malware service. For example, enter 4.11.0.0. When left blank, any version of the Microsoft Defender anti-malware service can be used. - - By _(default)_, no version is configured. - -* **Microsoft Defender Antimalware security intelligence up-to-date:** - Controls the Windows Security virus and threat protection updates on the devices. - * Not configured _(default)_ - Intune doesn't enforce any requirements. - * Require - Force the Microsoft Defender security intelligence be up-to-date. 
- -* **Real-time protection:** - * Not configured (_(default)_) - Intune doesn't control this feature, nor change existing settings. - * Require - Turn on real-time protection, which scans for malware, spyware, and other unwanted software. - -### Microsoft Defender for Endpoint -#### Microsoft Defender for Endpoint rules -For additional information on Microsoft Defender for Endpoint integration in conditional access scenarios, see Configure Conditional Access in Microsoft Defender for Endpoint. - -* **Require the device to be at or under the machine risk score:** - Use this setting to take the risk assessment from your defense threat services as a condition for compliance. Choose the maximum allowed threat level: - * Not configured (_(default)_) - * Clear -This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threats, it's evaluated as non-compliant. - * Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a non-compliant status. - * Medium - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be non-compliant. - * High - This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes. - -### Windows Holographic for Business -Windows Holographic for Business uses the Windows 10 and later platform. Windows Holographic for Business supports the following setting: - -**System Security > Encryption > Encryption of data storage on device.** -To verify device encryption on the Microsoft HoloLens, see Verify device encryption. - -### Surface Hub -Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for both compliance and Conditional Access. 
To enable these features on Surface Hubs, we recommend you enable Windows 10 automatic enrollment in Intune (requires Azure Active Directory (Azure AD)), and target the Surface Hub devices as device groups. Surface Hubs are required to be Azure AD joined for compliance and Conditional Access to work. - -For guidance, see set up enrollment for Windows devices. - -Special consideration for Surface Hubs running Windows 10 Team OS: -Surface Hubs that run Windows 10 Team OS do not support the Microsoft Defender for Endpoint and Password compliance policies at this time. Therefore, for Surface Hubs that run Windows 10 Team OS set the following two settings to their _(default)_ of _Not configured_: -* In the category Password, set Require a password to unlock mobile devices to the _(default)_ of Not configured. -* In the category Microsoft Defender for Endpoint, set Require the device to be at or under the machine risk score to the _(default)_ of Not configured. +This resource configures the settings of the device management compliance +at the tenant level. diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementComplianceSettings/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementComplianceSettings/2-Update.ps1 index dc4bef9bde..8466ff6b8a 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementComplianceSettings/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceManagementComplianceSettings/2-Update.ps1 @@ -1,5 +1,5 @@ <# -This example updates a new Device Remediation. +This example updates the Device Management Compliance Settings #> Configuration Example 
@@ -13,28 +13,12 @@ Configuration Example node localhost { - IntuneDeviceRemediation 'ConfigureDeviceRemediation' + IntuneDeviceManagementComplianceSettings 'DeviceManagementComplianceSettings' { - Assignments = @( - MSFT_DeviceManagementConfigurationPolicyAssignments{ - deviceAndAppManagementAssignmentFilterType = 'none' - dataType = '#microsoft.graph.allDevicesAssignmentTarget' - } - ); - Credential = $Credscredential - Description = 'Description' - DetectionScriptContent = "Base64 encoded script content 2"; # Updated property - DeviceHealthScriptType = "deviceHealthScript"; - DisplayName = "Device remediation"; - EnforceSignatureCheck = $False; - Ensure = "Present"; - Id = '00000000-0000-0000-0000-000000000000' - Publisher = "Some Publisher"; - RemediationScriptContent = "Base64 encoded script content 2"; # Updated property - RoleScopeTagIds = @("0"); - RunAs32Bit = $True; - RunAsAccount = "system"; - TenantId = $OrganizationName; + Credential = $Credscredential + DeviceComplianceCheckinThresholdDays = 22; + IsSingleInstance = "Yes"; + SecureByDefault = $True; } } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1 index e2694a7aa2..7bf483c06c 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceManagementComplianceSettings.Tests.ps1 @@ -15,7 +15,7 @@ Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` -Resolve) $Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` - -DscResource 'IntuneDeviceCompliancePolicyWindows10' -GenericStubModule $GenericStubPath + -DscResource 'IntuneDeviceManagementComplianceSettings' -GenericStubModule $GenericStubPath Describe -Name $Global:DscHelper.DescribeHeader -Fixture { InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { 
@@ -32,27 +32,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return 'Credentials' } - Mock -CommandName Invoke-MgGraphRequest -MockWith { + Mock -CommandName Update-MgBetaDeviceManagement -MockWith { } - Mock -CommandName Update-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { - } - - Mock -CommandName New-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - } - } - - Mock -CommandName Remove-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { - } - - Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicyAssignment -MockWith { - - return @() - } - Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { - } # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { } 
@@ -61,250 +43,25 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } # Test contexts - Context -Name "When the Windows 10 Device Compliance Policy doesn't already exist" -Fixture { + Context -Name "The settings are already in the desired state." -Fixture { BeforeAll { $testParams = @{ - DisplayName = 'Windows 10 DSC Policy' - Description = 'Test policy' - PasswordRequired = $False - PasswordBlockSimple = $False - PasswordRequiredToUnlockFromIdle = $True - PasswordMinutesOfInactivityBeforeLock = 15 - PasswordExpirationDays = 365 - PasswordMinimumLength = 6 - PasswordPreviousPasswordBlockCount = 13 - PasswordMinimumCharacterSetCount = 1 - PasswordRequiredType = 'Devicedefault' - RequireHealthyDeviceReport = $True - OsMinimumVersion = 10 - OsMaximumVersion = 10.19 - MobileOsMinimumVersion = 10 - MobileOsMaximumVersion = 10.19 - EarlyLaunchAntiMalwareDriverEnabled = $False - BitLockerEnabled = $False - SecureBootEnabled = $True - CodeIntegrityEnabled = $True - StorageRequireEncryption = $True - ActiveFirewallRequired = $True - DefenderEnabled = $True - DefenderVersion = '' - SignatureOutOfDate = $True - RtpEnabled = $True - AntivirusRequired = $True - AntiSpywareRequired = $True - DeviceThreatProtectionEnabled = $True - DeviceThreatProtectionRequiredSecurityLevel = 'Medium' - ConfigurationManagerComplianceRequired = $False - TPMRequired = $False - DeviceCompliancePolicyScript = $null - ValidOperatingSystemBuildRanges = @() - Ensure = 'Present' - Credential = $Credential - } - - Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { - return $null + DeviceComplianceCheckinThresholdDays = 22; + IsSingleInstance = "Yes"; + SecureByDefault = $True; + Credential = $Credential } - } - - It 'Should return absent from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' - } - - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - - It 'Should create the 
Windows 10 Device Compliance Policy from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName 'New-MgBetaDeviceManagementDeviceCompliancePolicy' -Exactly 1 - } - } - Context -Name 'When the Windows 10 Device Compliance Policy already exists and is NOT in the Desired State' -Fixture { - BeforeAll { - $testParams = @{ - DisplayName = 'Windows 10 DSC Policy' - Description = 'Test policy' - PasswordRequired = $False - PasswordBlockSimple = $False - PasswordRequiredToUnlockFromIdle = $True - PasswordMinutesOfInactivityBeforeLock = 15 - PasswordExpirationDays = 365 - PasswordMinimumLength = 6 - PasswordPreviousPasswordBlockCount = 13 - PasswordMinimumCharacterSetCount = 1 - PasswordRequiredType = 'Devicedefault' - RequireHealthyDeviceReport = $True - OsMinimumVersion = 10 - OsMaximumVersion = 10.19 - MobileOsMinimumVersion = 10 - MobileOsMaximumVersion = 10.19 - EarlyLaunchAntiMalwareDriverEnabled = $False - BitLockerEnabled = $False - SecureBootEnabled = $True - CodeIntegrityEnabled = $True - StorageRequireEncryption = $True - ActiveFirewallRequired = $True - DefenderEnabled = $True - DefenderVersion = '' - SignatureOutOfDate = $True - RtpEnabled = $True - AntivirusRequired = $True - AntiSpywareRequired = $True - DeviceThreatProtectionEnabled = $True - DeviceThreatProtectionRequiredSecurityLevel = 'Medium' - ConfigurationManagerComplianceRequired = $False - TPMRequired = $False - DeviceCompliancePolicyScript = $null - ValidOperatingSystemBuildRanges = @() - Ensure = 'Present' - Credential = $Credential - } - - Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + Mock -CommandName Invoke-MgGraphRequest -MockWith { return @{ - DisplayName = 'Windows 10 DSC Policy' - Description = 'Test policy' - Id = 'f38b283d-d893-4c33-b6d2-d3bcb5f2dcc2' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.windows10CompliancePolicy' - PasswordRequired = $False - PasswordBlockSimple = $True; #Drift - 
PasswordRequiredToUnlockFromIdle = $True - PasswordMinutesOfInactivityBeforeLock = 15 - PasswordExpirationDays = 365 - PasswordMinimumLength = 6 - PasswordPreviousPasswordBlockCount = 13 - PasswordMinimumCharacterSetCount = 1 - PasswordRequiredType = 'Devicedefault' - RequireHealthyDeviceReport = $True - OsMinimumVersion = 10 - OsMaximumVersion = 10.19 - MobileOsMinimumVersion = 10 - MobileOsMaximumVersion = 10.19 - EarlyLaunchAntiMalwareDriverEnabled = $False - BitLockerEnabled = $False - SecureBootEnabled = $True - CodeIntegrityEnabled = $True - StorageRequireEncryption = $True - ActiveFirewallRequired = $True - DefenderEnabled = $True - DefenderVersion = '' - SignatureOutOfDate = $True - RtpEnabled = $True - AntivirusRequired = $True - AntiSpywareRequired = $True - DeviceThreatProtectionEnabled = $True - DeviceThreatProtectionRequiredSecurityLevel = 'Medium' - ConfigurationManagerComplianceRequired = $False - TPMRequired = $False - DeviceCompliancePolicyScript = $null - ValidOperatingSystemBuildRanges = @() - RoleScopeTagIds = '0' - } + deviceComplianceCheckinThresholdDays = 22 + secureByDefault = $true } } } - It 'Should return Present from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - - It 'Should update the iOS Device Compliance Policy from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName Update-MgBetaDeviceManagementDeviceCompliancePolicy -Exactly 1 - } - } - - Context -Name 'When the policy already exists and IS in the Desired State' -Fixture { - BeforeAll { - $testParams = @{ - DisplayName = 'Windows 10 DSC Policy' - Description = 'Test policy' - PasswordRequired = $False - PasswordBlockSimple = $False - PasswordRequiredToUnlockFromIdle = $True - PasswordMinutesOfInactivityBeforeLock = 15 - PasswordExpirationDays = 365 - PasswordMinimumLength = 6 - 
PasswordPreviousPasswordBlockCount = 13 - PasswordMinimumCharacterSetCount = 1 - PasswordRequiredType = 'Devicedefault' - RequireHealthyDeviceReport = $True - OsMinimumVersion = 10 - OsMaximumVersion = 10.19 - MobileOsMinimumVersion = 10 - MobileOsMaximumVersion = 10.19 - EarlyLaunchAntiMalwareDriverEnabled = $False - BitLockerEnabled = $False - SecureBootEnabled = $True - CodeIntegrityEnabled = $True - StorageRequireEncryption = $True - ActiveFirewallRequired = $True - DefenderEnabled = $True - DefenderVersion = '' - SignatureOutOfDate = $True - RtpEnabled = $True - AntivirusRequired = $True - AntiSpywareRequired = $True - DeviceThreatProtectionEnabled = $True - DeviceThreatProtectionRequiredSecurityLevel = 'Medium' - ConfigurationManagerComplianceRequired = $False - TPMRequired = $False - DeviceCompliancePolicyScript = $null - ValidOperatingSystemBuildRanges = @() - Ensure = 'Present' - Credential = $Credential - } - - Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { - return @{ - DisplayName = 'Windows 10 DSC Policy' - Description = 'Test policy' - Id = 'f38b283d-d893-4c33-b6d2-d3bcb5f2dcc2' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.windows10CompliancePolicy' - PasswordRequired = $False - PasswordBlockSimple = $False - PasswordRequiredToUnlockFromIdle = $True - PasswordMinutesOfInactivityBeforeLock = 15 - PasswordExpirationDays = 365 - PasswordMinimumLength = 6 - PasswordPreviousPasswordBlockCount = 13 - PasswordMinimumCharacterSetCount = 1 - PasswordRequiredType = 'Devicedefault' - RequireHealthyDeviceReport = $True - OsMinimumVersion = 10 - OsMaximumVersion = 10.19 - MobileOsMinimumVersion = 10 - MobileOsMaximumVersion = 10.19 - EarlyLaunchAntiMalwareDriverEnabled = $False - BitLockerEnabled = $False - SecureBootEnabled = $True - CodeIntegrityEnabled = $True - StorageRequireEncryption = $True - ActiveFirewallRequired = $True - DefenderEnabled = $True - DefenderVersion = '' - SignatureOutOfDate = $True - 
RtpEnabled = $True - AntivirusRequired = $True - AntiSpywareRequired = $True - DeviceThreatProtectionEnabled = $True - DeviceThreatProtectionRequiredSecurityLevel = 'Medium' - ConfigurationManagerComplianceRequired = $False - TPMRequired = $False - DeviceCompliancePolicyScript = $null - ValidOperatingSystemBuildRanges = @() - RoleScopeTagIds = '0' - } - } - } + It 'Should return Yes from the Get method' { + (Get-TargetResource @testParams).IsSingleInstance | Should -Be 'Yes' } It 'Should return true from the Test method' { 
@@ -312,103 +69,34 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } - Context -Name 'When the policy exists and it SHOULD NOT' -Fixture { + Context -Name "The settings are NOT in the desired state." -Fixture { BeforeAll { $testParams = @{ - DisplayName = 'Windows 10 DSC Policy' - Description = 'Test policy' - PasswordRequired = $False - PasswordBlockSimple = $False - PasswordRequiredToUnlockFromIdle = $True - PasswordMinutesOfInactivityBeforeLock = 15 - PasswordExpirationDays = 365 - PasswordMinimumLength = 6 - PasswordPreviousPasswordBlockCount = 13 - PasswordMinimumCharacterSetCount = 1 - PasswordRequiredType = 'Devicedefault' - RequireHealthyDeviceReport = $True - OsMinimumVersion = 10 - OsMaximumVersion = 10.19 - MobileOsMinimumVersion = 10 - MobileOsMaximumVersion = 10.19 - EarlyLaunchAntiMalwareDriverEnabled = $False - BitLockerEnabled = $False - SecureBootEnabled = $True - CodeIntegrityEnabled = $True - StorageRequireEncryption = $True - ActiveFirewallRequired = $True - DefenderEnabled = $True - DefenderVersion = '' - SignatureOutOfDate = $True - RtpEnabled = $True - AntivirusRequired = $True - AntiSpywareRequired = $True - DeviceThreatProtectionEnabled = $True - DeviceThreatProtectionRequiredSecurityLevel = 'Medium' - ConfigurationManagerComplianceRequired = $False - TPMRequired = $False - DeviceCompliancePolicyScript = $null - ValidOperatingSystemBuildRanges = @() - Ensure = 'Absent' - Credential = $Credential + DeviceComplianceCheckinThresholdDays = 40; #Drift + IsSingleInstance = "Yes"; + SecureByDefault = $True; + Credential = $Credential } - Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + Mock -CommandName Invoke-MgGraphRequest -MockWith { return @{ - DisplayName = 'Windows 10 DSC Policy' - Description = 'Test policy' - Id = 'f38b283d-d893-4c33-b6d2-d3bcb5f2dcc2' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.windows10CompliancePolicy' - PasswordRequired = $False - PasswordBlockSimple = 
$False - PasswordRequiredToUnlockFromIdle = $True - PasswordMinutesOfInactivityBeforeLock = 15 - PasswordExpirationDays = 365 - PasswordMinimumLength = 6 - PasswordPreviousPasswordBlockCount = 13 - PasswordMinimumCharacterSetCount = 1 - PasswordRequiredType = 'Devicedefault' - RequireHealthyDeviceReport = $True - OsMinimumVersion = 10 - OsMaximumVersion = 10.19 - MobileOsMinimumVersion = 10 - MobileOsMaximumVersion = 10.19 - EarlyLaunchAntiMalwareDriverEnabled = $False - BitLockerEnabled = $False - SecureBootEnabled = $True - CodeIntegrityEnabled = $True - StorageRequireEncryption = $True - ActiveFirewallRequired = $True - DefenderEnabled = $True - DefenderVersion = '' - SignatureOutOfDate = $True - RtpEnabled = $True - AntivirusRequired = $True - AntiSpywareRequired = $True - DeviceThreatProtectionEnabled = $True - DeviceThreatProtectionRequiredSecurityLevel = 'Medium' - ConfigurationManagerComplianceRequired = $False - TPMRequired = $False - DeviceCompliancePolicyScript = $null - ValidOperatingSystemBuildRanges = @() - RoleScopeTagIds = '0' - } + deviceComplianceCheckinThresholdDays = 22 + secureByDefault = $true } } } - It 'Should return Present from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + It 'Should return Yes from the Get method' { + (Get-TargetResource @testParams).IsSingleInstance | Should -Be 'Yes' } It 'Should return true from the Test method' { Test-TargetResource @testParams | Should -Be $false } - It 'Should remove the iOS Device Compliance Policy from the Set method' { + It 'Should call the Update cmdlet from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Remove-MgBetaDeviceManagementDeviceCompliancePolicy -Exactly 1 + Should -Invoke -CommandName Update-MgBetaDeviceManagement -Exactly 1 } } 
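Review bot: The "settings are NOT in the desired state" context only exercises drift on `DeviceComplianceCheckinThresholdDays` (40 desired against 22 mocked), while `SecureByDefault` is true on both sides, so a regression in comparing the flag that marks devices without a targeted compliance policy as noncompliant would go unnoticed. I would add a context whose mock returns `secureByDefault = $false` while `$testParams` keeps `SecureByDefault = $True`, and assert `Test-TargetResource @testParams | Should -Be $false`. Separately, the title `It 'Should return true from the Test method'` (apparently an unchanged context line) asserts `$false`; `'Should return false from the Test method'` would match what is checked.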
@@ -416,51 +104,15 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { BeforeAll { $Global:CurrentModeIsExport = $true $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ - Credential = $Credential + Credential = $Credential } - Mock -CommandName Get-MgBetaDeviceManagementDeviceCompliancePolicy -MockWith { + Mock -CommandName Invoke-MgGraphRequest -MockWith { return @{ - DisplayName = 'Windows 10 DSC Policy' - Description = 'Test policy' - Id = 'f38b283d-d893-4c33-b6d2-d3bcb5f2dcc2' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.windows10CompliancePolicy' - PasswordRequired = $False - PasswordBlockSimple = $False - PasswordRequiredToUnlockFromIdle = $True - PasswordMinutesOfInactivityBeforeLock = 15 - PasswordExpirationDays = 365 - PasswordMinimumLength = 6 - PasswordPreviousPasswordBlockCount = 13 - PasswordMinimumCharacterSetCount = 1 - PasswordRequiredType = 'Devicedefault' - RequireHealthyDeviceReport = $True - OsMinimumVersion = 10 - OsMaximumVersion = 10.19 - MobileOsMinimumVersion = 10 - MobileOsMaximumVersion = 10.19 - EarlyLaunchAntiMalwareDriverEnabled = $False - BitLockerEnabled = $False - SecureBootEnabled = $True - CodeIntegrityEnabled = $True - StorageRequireEncryption = $True - ActiveFirewallRequired = $True - DefenderEnabled = $True - DefenderVersion = '' - SignatureOutOfDate = $True - RtpEnabled = $True - AntivirusRequired = $True - AntiSpywareRequired = $True - DeviceThreatProtectionEnabled = $True - DeviceThreatProtectionRequiredSecurityLevel = 'Medium' - ConfigurationManagerComplianceRequired = $False - TPMRequired = $False - DeviceCompliancePolicyScript = $null - ValidOperatingSystemBuildRanges = @() - RoleScopeTagIds = '0' - } + deviceComplianceCheckinThresholdDays = 22 + secureByDefault = $true } } } From 7d0d89c1b01ccbfd1d8120eb1ca087fb98e89e4e Mon Sep 17 00:00:00 2001 
From: NikCharlebois Date: Tue, 25 Jun 2024 21:44:34 +0000 Subject: [PATCH 20/26] Updated Resources and Cmdlet documentation pages --- ...ntuneDeviceManagementComplianceSettings.md | 78 +++++++++++++++++++ .../intune/IntuneDeviceRemediation.md | 2 +- 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 docs/docs/resources/intune/IntuneDeviceManagementComplianceSettings.md diff --git a/docs/docs/resources/intune/IntuneDeviceManagementComplianceSettings.md b/docs/docs/resources/intune/IntuneDeviceManagementComplianceSettings.md new file mode 100644 index 0000000000..d373490263 --- /dev/null +++ b/docs/docs/resources/intune/IntuneDeviceManagementComplianceSettings.md 
@@ -0,0 +1,78 @@ +# IntuneDeviceManagementComplianceSettings + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **IsSingleInstance** | Key | String | Only valid value is 'Yes'. | `Yes` | +| **SecureByDefault** | Write | Boolean | Device should be noncompliant when there is no compliance policy targeted when this is true. | | +| **DeviceComplianceCheckinThresholdDays** | Write | UInt32 | The number of days a device is allowed to go without checking in to remain compliant. | | +| **Credential** | Write | PSCredential | Credentials of the Intune Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + + +## Description + +This resource configures the settings of the device management compliance +at the tenant level. 
+ +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - Group.Read.All, DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - Group.Read.All, DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example updates the Device Management Compliance Settings + +```powershell +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceManagementComplianceSettings 'DeviceManagementComplianceSettings' + { + Credential = $Credscredential + DeviceComplianceCheckinThresholdDays = 22; + IsSingleInstance = "Yes"; + SecureByDefault = $True; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneDeviceRemediation.md b/docs/docs/resources/intune/IntuneDeviceRemediation.md index 91c47bf340..72156999e6 100644 --- a/docs/docs/resources/intune/IntuneDeviceRemediation.md +++ b/docs/docs/resources/intune/IntuneDeviceRemediation.md 
@@ -18,7 +18,7 @@ | **RunAsAccount** | Write | String | Indicates the type of execution context. Possible values are: system, user. | `system`, `user` | | **Id** | Key | String | The unique identifier for an entity. Read-only. | | | **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | -| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | | | **Credential** | Write | PSCredential | Credentials of the Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | From 82d76a1778f1434669c7c8d042c912d0f0c6ffd7 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Tue, 25 Jun 2024 21:45:53 +0000 Subject: [PATCH 21/26] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 6b881e8506..7e1fa557a8 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -29294,6 +29294,61 @@ } ] }, + { + "ClassName": "MSFT_IntuneDeviceManagementComplianceSettings", + "Parameters": [ + { + "CIMType": "String", + "Name": "IsSingleInstance", + "Option": "Key" + }, + { + "CIMType": "Boolean", + "Name": "SecureByDefault", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "DeviceComplianceCheckinThresholdDays", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphDeviceHealthScriptParameter", "Parameters": [ From 1feebe0433bd5387eb0aacc955066835d3c34208 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 26 Jun 2024 13:46:04 +0000 Subject: [PATCH 22/26] Updated Resources and Cmdlet documentation pages --- .../intune/IntuneDeviceRemediation.md | 60 ++++++++++++++++--- 1 file changed, 52 insertions(+), 8 deletions(-) diff --git a/docs/docs/resources/intune/IntuneDeviceRemediation.md b/docs/docs/resources/intune/IntuneDeviceRemediation.md index 72156999e6..d4d43ac6c0 100644 --- a/docs/docs/resources/intune/IntuneDeviceRemediation.md +++ b/docs/docs/resources/intune/IntuneDeviceRemediation.md 
@@ -17,8 +17,8 @@ | **RunAs32Bit** | Write | Boolean | Indicate whether PowerShell script(s) should run as 32-bit | | | **RunAsAccount** | Write | String | Indicates the type of execution context. Possible values are: system, user. | `system`, `user` | | **Id** | Key | String | The unique identifier for an entity. Read-only. | | -| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | -| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | | +| **Assignments** | Write | MSFT_IntuneDeviceRemediationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | 
@@ -40,6 +40,28 @@ | **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | | **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | +### MSFT_IntuneDeviceRemediationRunSchedule + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the schedule. | `#microsoft.graph.deviceHealthScriptRunOnceSchedule`, `#microsoft.graph.deviceHealthScriptHourlySchedule`, `#microsoft.graph.deviceHealthScriptDailySchedule` | +| **Date** | Write | String | The date when to run the schedule. Only applicable when the odataType is a run once schedule. Format: 2024-01-01 | | +| **Interval** | Write | UInt32 | The interval of the schedule. Must be 1 in case of a run once schedule. | | +| **Time** | Write | String | The time when to run the schedule. Only applicable when the dataType is not an hourly schedule. Format: 01:00:00 | | +| **UseUtc** | Write | Boolean | If to use UTC as the time source. Only applicable when the dataType is not an hourly schedule. | | + +### MSFT_IntuneDeviceRemediationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **RunRemediationScript** | Write | Boolean | If the remediation script should be run. | | +| **RunSchedule** | Write | MSFT_IntuneDeviceRemediationRunSchedule | The run schedule of the remediation. | | +| **Assignment** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments | Represents the assignment of the schedule. | | + ### MSFT_MicrosoftGraphDeviceHealthScriptParameter #### Parameters 
@@ -105,9 +127,20 @@ Configuration Example IntuneDeviceRemediation 'ConfigureDeviceRemediation' { Assignments = @( - MSFT_DeviceManagementConfigurationPolicyAssignments{ - deviceAndAppManagementAssignmentFilterType = 'none' - dataType = '#microsoft.graph.allDevicesAssignmentTarget' + MSFT_IntuneDeviceRemediationPolicyAssignments{ + RunSchedule = MSFT_IntuneDeviceRemediationRunSchedule{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } + RunRemediationScript = $False + Assignment = MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } } ); Credential = $Credscredential @@ -148,9 +181,20 @@ Configuration Example IntuneDeviceRemediation 'ConfigureDeviceRemediation' { Assignments = @( - MSFT_DeviceManagementConfigurationPolicyAssignments{ - deviceAndAppManagementAssignmentFilterType = 'none' - dataType = '#microsoft.graph.allDevicesAssignmentTarget' + MSFT_IntuneDeviceRemediationPolicyAssignments{ + RunSchedule = MSFT_IntuneDeviceRemediationRunSchedule{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } + RunRemediationScript = $False + Assignment = MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } } ); Credential = $Credscredential From ba216d160e8afb958926a73d39ca42490800a1c2 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 26 Jun 2024 13:47:54 +0000 Subject: [PATCH 23/26] Updated Schema Definition --- Modules/Microsoft365DSC/SchemaDefinition.json | 52 ++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) 
diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 7e1fa557a8..55bafee6c4 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -29349,6 +29349,56 @@ } ] }, + { + "ClassName": "MSFT_IntuneDeviceRemediationRunSchedule", + "Parameters": [ + { + "CIMType": "String", + "Name": "dataType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Date", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "Interval", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Time", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UseUtc", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceRemediationPolicyAssignments", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "RunRemediationScript", + "Option": "Write" + }, + { + "CIMType": "MSFT_IntuneDeviceRemediationRunSchedule", + "Name": "RunSchedule", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments", + "Name": "Assignment", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphDeviceHealthScriptParameter", "Parameters": [ @@ -29453,7 +29503,7 @@ "Option": "Key" }, { - "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "CIMType": "MSFT_IntuneDeviceRemediationPolicyAssignments[]", "Name": "Assignments", "Option": "Write" }, From f01a57f7792b0d8b6b6ca0c65282fec83d1963a3 Mon Sep 17 00:00:00 2001 From: NikCharlebois Date: Wed, 26 Jun 2024 13:48:24 +0000 Subject: [PATCH 24/26] Updated {Create} Intune Integration Tests --- .../M365DSCIntegration.INTUNE.Create.Tests.ps1 | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index 9d6028a771..71cbbb9dc0 100644 
--- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 @@ -2027,9 +2027,20 @@ IntuneDeviceRemediation 'ConfigureDeviceRemediation' { Assignments = @( - MSFT_DeviceManagementConfigurationPolicyAssignments{ - deviceAndAppManagementAssignmentFilterType = 'none' - dataType = '#microsoft.graph.allDevicesAssignmentTarget' + MSFT_IntuneDeviceRemediationPolicyAssignments{ + RunSchedule = MSFT_IntuneDeviceRemediationRunSchedule{ + Date = '2024-01-01' + Time = '01:00:00' + Interval = 1 + DataType = '#microsoft.graph.deviceHealthScriptRunOnceSchedule' + UseUtc = $False + } + RunRemediationScript = $False + Assignment = MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } } ); Credential = $Credscredential From 6deab92be9c4534d139dd45001d55eca15397589 Mon Sep 17 00:00:00 2001 From: Nik Charlebois Date: Wed, 26 Jun 2024 10:14:25 -0400 Subject: [PATCH 25/26] Release 1.24.626.1 --- CHANGELOG.md | 7 +++--- Modules/Microsoft365DSC/Microsoft365DSC.psd1 | 25 +++++++++++++------- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d7fac548f9..949e7a03e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,13 @@ # Change log for Microsoft365DSC -# UNRELEASED +# 1.24.626.1 * AADGroup * FIXES [#4782](https://github.com/microsoft/Microsoft365DSC/issues/4782) * IntuneDeviceManagementComplianceSettings * Initial Release. * IntuneDeviceRemediation - * Fix invalid assignment export and import. + * Fix invalid assignment export and import. FIXES [#4726](https://github.com/microsoft/Microsoft365DSC/issues/4726) * DEPENDENCIES * Updated MSCloudLoginAssistant to version 1.1.18 
@@ -17,7 +17,8 @@ * M365DSCResourceGenerator * Update CimInstance comparison template * MISC - * Add group display name export and update assignment comparison across Intune resources + * Add group display name export and update assignment comparison across Intune + resources. # 1.24.619.1 diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index 9fa4b54885..8109119103 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 2024-06-20 +# Generated on: 2024-06-26 @{ @@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.24.619.1' + ModuleVersion = '1.24.626.1' # Supported PSEditions # CompatiblePSEditions = @() 
@@ -142,14 +142,23 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* SCDLPComplianceRule - * Fix #4259 and #3845 -* TeamsM365App - * Initial release. + ReleaseNotes = '* AADGroup + * FIXES [#4782](https://github.com/microsoft/Microsoft365DSC/issues/4782) +* IntuneDeviceManagementComplianceSettings + * Initial Release. +* IntuneDeviceRemediation + * Fix invalid assignment export and import. + FIXES [#4726](https://github.com/microsoft/Microsoft365DSC/issues/4726) * DEPENDENCIES - * Updated MicrosoftTeams to version 6.4.0. + * Updated MSCloudLoginAssistant to version 1.1.18 +* M365DSCDRGUtil + * Add `collectionId` export to `ConvertFrom-IntunePolicyAssignment` + * Add handling for Intune assignments in `Compare-M365DSCComplexObject` +* M365DSCResourceGenerator + * Update CimInstance comparison template * MISC - * Improved telemetry around Export sizes.' + * Add group display name export and update assignment comparison across Intune + resources.' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false From 335c47ac075491147abd082148cfcb20c56272c3 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Wed, 26 Jun 2024 16:18:14 +0200 Subject: [PATCH 26/26] Revert parameter and MOF changes to LAPS resource --- CHANGELOG.md | 1 + ...alAdministratorPasswordSolutionPolicy.psm1 | 28 +++++++++++-------- ...nistratorPasswordSolutionPolicy.schema.mof | 4 +-- .../Modules/M365DSCDRGUtil.psm1 | 5 ++++ 4 files changed, 24 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ded616e97..ee2f403f4d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -17,6 +17,7 @@ * M365DSCDRGUtil * Add `collectionId` export to `ConvertFrom-IntunePolicyAssignment` * Add handling for Intune assignments in `Compare-M365DSCComplexObject` + * Fix issue with target handling in `Update-DeviceConfigurationPolicyAssignment` * M365DSCResourceGenerator * Update CimInstance comparison template * MISC diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index 4b5c957998..889071b44e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 @@ -32,8 +32,7 @@ function Get-TargetResource $PasswordAgeDays, [Parameter()] - [ValidateSet('true', 'false')] - [System.String] + [System.Boolean] $PasswordExpirationProtectionEnabled, [Parameter()] @@ -42,8 +41,7 @@ function Get-TargetResource $AdEncryptedPasswordHistorySize, [Parameter()] - [ValidateSet('true', 'false')] - [System.String] + [System.Boolean] $AdPasswordEncryptionEnabled, [Parameter()] 
@@ -172,6 +170,16 @@ function Get-TargetResource $returnHashtable = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $returnHashtable + if ($null -ne $returnHashtable.PasswordExpirationProtectionEnabled) + { + $returnHashtable.PasswordExpirationProtectionEnabled = [bool]::Parse($returnHashtable.PasswordExpirationProtectionEnabled) + } + + if ($null -ne $returnHashtable.AdPasswordEncryptionEnabled) + { + $returnHashtable.AdPasswordEncryptionEnabled = [bool]::Parse($returnHashtable.AdPasswordEncryptionEnabled) + } + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id $assignmentResult = @() if ($assignmentsValues.Count -gt 0) @@ -237,8 +245,7 @@ function Set-TargetResource $PasswordAgeDays, [Parameter()] - [ValidateSet('true', 'false')] - [System.String] + [System.Boolean] $PasswordExpirationProtectionEnabled, [Parameter()] @@ -247,8 +254,7 @@ function Set-TargetResource $AdEncryptedPasswordHistorySize, [Parameter()] - [ValidateSet('true', 'false')] - [System.String] + [System.Boolean] $AdPasswordEncryptionEnabled, [Parameter()] @@ -435,8 +441,7 @@ function Test-TargetResource $PasswordAgeDays, [Parameter()] - [ValidateSet('true', 'false')] - [System.String] + [System.Boolean] $PasswordExpirationProtectionEnabled, [Parameter()] @@ -445,8 +450,7 @@ function Test-TargetResource $AdEncryptedPasswordHistorySize, [Parameter()] - [ValidateSet('true', 'false')] - [System.String] + [System.Boolean] $AdPasswordEncryptionEnabled, [Parameter()] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof index 0c7a470ab6..4a8235bf89 100644 
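Review bot: `[bool]::Parse(...)` in the block added to Get-TargetResource throws a FormatException for anything other than a true/false string, so an empty or otherwise unexpected value from `Export-IntuneSettingCatalogPolicySettings` (the helper is not visible here, so this is an assumption) would abort the read of the LAPS policy instead of surfacing it as drift. Because `AdPasswordEncryptionEnabled` and `PasswordExpirationProtectionEnabled` are the security-relevant switches of this resource, I would parse defensively for both: `$parsed = $false` followed by `if ([bool]::TryParse([string]$returnHashtable.AdPasswordEncryptionEnabled, [ref]$parsed)) { $returnHashtable.AdPasswordEncryptionEnabled = $parsed }`, with a `Write-Verbose` message when parsing fails. The function body continues outside the hunk, so an enclosing try/catch may already handle the exception; if so, a comment saying that next to the parse would be enough.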
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof 
@@ -19,9 +19,9 @@ class MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy : OMI [Write, Description("Configures which directory the local admin account password is backed up to. 0 - Disabled, 1 - Azure AD, 2 - AD"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] UInt32 BackupDirectory; [Write, Description("Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365")] UInt32 PasswordAgeDays_AAD; [Write, Description("Configures the maximum password age of the managed local administrator account for Active Directory. Minimum - 1, Maximum - 365")] UInt32 PasswordAgeDays; - [Write, Description("Configures additional enforcement of maximum password age for the managed local administrator account."), ValueMap{"true", "false"}, Values{"true", "false"}] String PasswordExpirationProtectionEnabled; + [Write, Description("Configures additional enforcement of maximum password age for the managed local administrator account.")] Boolean PasswordExpirationProtectionEnabled; [Write, Description("Configures how many previous encrypted passwords will be remembered in Active Directory. Minimum - 0, Maximum - 12")] UInt32 AdEncryptedPasswordHistorySize; - [Write, Description("Configures whether the password is encrypted before being stored in Active Directory."), ValueMap{"true", "false"}, Values{"true", "false"}] String AdPasswordEncryptionEnabled; + [Write, Description("Configures whether the password is encrypted before being stored in Active Directory.")] Boolean AdPasswordEncryptionEnabled; [Write, Description("Configures the name or SID of a user or group that can decrypt the password stored in Active Directory.")] String AdPasswordEncryptionPrincipal; [Write, Description("Configures the name of the managed local administrator account.")] String AdministratorAccountName; [Write, Description("Configures the password complexity of the managed local administrator account. 
1 - Large letters, 2 - Large + small letters, 3 - Large + small letters + numbers, 4 - Large + small letters + numbers + special characters"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] UInt32 PasswordComplexity; diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 00a848a615..12d8287ca9 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -1261,6 +1261,11 @@ function Update-DeviceConfigurationPolicyAssignment foreach ($target in $targets) { + if ($target.target -is [hashtable]) + { + $target = $target.target + } + $formattedTarget = @{"@odata.type" = $target.dataType} if(-not $formattedTarget."@odata.type" -and $target."@odata.type") {
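Review bot: The unwrapping check `if ($target.target -is [hashtable])` added in Update-DeviceConfigurationPolicyAssignment matches only `System.Collections.Hashtable`, so a wrapper whose `target` is an `[ordered]` dictionary or a PSCustomObject would skip the branch and reach the `$target.dataType` lookup still wrapped. Whether callers ever pass such shapes is not visible from this hunk. If they can, `if ($target.target -is [System.Collections.IDictionary])` also covers ordered dictionaries. A comment such as `# Assignments may arrive wrapped as @{ target = @{ ... } }; unwrap to the inner target` would explain why the loop variable is reassigned. The foreach body continues outside the hunk.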