Merge pull request #4999 from microsoft/Dev

Release 1.24.828.1

CHANGELOG.md

@@ -1,5 +1,78 @@
 # Change log for Microsoft365DSC
 
+# 1.24.828.1
+
+* AADAdministrativeUnit
+ * Fix Properties for Dynamic Administrative Units in Graph have moved
+* AADConditionalAccessPolicy
+ * Fixing issue where the resource crashed when trying to retrieve groups
+ and users from Entra ID which no longer existed
+ * Fixes an issue where the `AuthenticationFlows` property changed in Graph
+ and updates on the documentation for the possible values of `TransferMethods`.
+ FIXES [#4961](https://github.com/microsoft/Microsoft365DSC/issues/4961)
+ FIXES [#4960](https://github.com/microsoft/Microsoft365DSC/issues/4960)
+ FIXES [#4734](https://github.com/microsoft/Microsoft365DSC/issues/4734)
+ FIXES [#4725](https://github.com/microsoft/Microsoft365DSC/issues/4725)
+* AADGroup
+ * FIXES [#4994](https://github.com/microsoft/Microsoft365DSC/issues/4994)
+* EXOAuthenticationPolicyAssignment
+ * Removes the 1000 user limit when exporting authentication policy assignments
+ FIXES [#4956](https://github.com/microsoft/Microsoft365DSC/issues/4956)
+* EXOHostedContentFilterRule
+ * Don't check if associated `EXOHostedContentFilterPolicy` is present
+ while removing resource since it's not required
+ * EXORoleGroup
+ * Fix an issue where roles that have empty members cannot be compared
+ FIXES [#4977] (https://github.com/microsoft/Microsoft365DSC/issues/4977)
+* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy
+ * Fixed issue if `PasswordComplexity` was set to 5 by allowing that value
+ FIXES [#4963](https://github.com/microsoft/Microsoft365DSC/issues/4963)
+* IntuneDeviceCompliancePolicyWindows10
+ * Fix extraction of property `TpmRequired`
+* IntuneDeviceConfigurationCustomPolicyWindows10
+ * Change app and delegated permissions for reading to
+ DeviceManagementConfiguration.ReadWrite.All to cope with
+ getOmaSettingPlainTextValue which is only working if RW is granted
+ FIXES [#4412](https://github.com/microsoft/Microsoft365DSC/issues/4412)
+* IntuneDeviceRemediation
+ * Add export of global remediation scripts.
+* O365OrgSettings
+ * FIXES [#4741](https://github.com/microsoft/Microsoft365DSC/issues/4741)
+* SCAutoSensitivityLabelPolicy
+ * Fixes issue where Mode=Enabled is not supported for SP and OD. Changing
+ property to TestWithoutNotifications in those instances.
+ FIXES [#4990](https://github.com/microsoft/Microsoft365DSC/issues/4990)
+* SCAutoSensitivityLabelRule
+ * Fixes issue where the export was looping through all possible workloads
+ instead of the actually targeted workload
+ FIXES [#4989](https://github.com/microsoft/Microsoft365DSC/issues/4989)
+* SCSensitivityLabel
+ * Corrected issue where ExternalAccess properties were configured inverted
+ FIXES [#3782](https://github.com/microsoft/Microsoft365DSC/issues/3782)
+* M365DSCDRGUtil
+ * Update Intune Settings Catalog Handling.
+ * Fixes an issue where the `MSFT_IntuneDeviceRemediationPolicyAssignments`
+ type would trigger an incorrect comparison in `Compare-M365DSCComplexObject`.
+* M365DSCResourceGenerator
+ * Update Intune resource generation for the Settings Catalog.
+* M365DSCUtil
+ * Fix `Compare-PSCustomObjectArrays` by allowing empty arrays as input
+ FIXES [#4952](https://github.com/microsoft/Microsoft365DSC/issues/4952)
+* O365OrgSettings
+ * FIXES [#4741](https://github.com/microsoft/Microsoft365DSC/issues/4741)
+* MISC
+ * Improve module updates and PowerShell Core support across the DSC
+ resources.
+ FIXES [#4941](https://github.com/microsoft/Microsoft365DSC/issues/4941)
+ * Replace some `Write-Host` occurrences in core engine with
+ appropriate alternatives.
+ FIXES [#4943](https://github.com/microsoft/Microsoft365DSC/issues/4943)
+ * Fixed a typo within M365DSCReport.psm1 related to a .png file
+ FIXES [#4983](https://github.com/microsoft/Microsoft365DSC/pull/4983)
+* DEPENDENCIES
+ * Updated MicrosoftTeams to version 6.5.0.
+ * Updated MSCloudLoginAssistant to version 1.1.19.
+
 # 1.24.731.1
 
 * AADAuthenticationMethodPolicyFido2

Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1

@@ -158,17 +158,17 @@ function Get-TargetResource
  #endregion
  }
 
- if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.membershipType))
+ if (-not [string]::IsNullOrEmpty($getValue.membershipType))
  {
- $results.Add('MembershipType', $getValue.AdditionalProperties.membershipType)
+ $results.Add('MembershipType', $getValue.membershipType)
  }
- if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.membershipRule))
+ if (-not [string]::IsNullOrEmpty($getValue.membershipRule))
  {
- $results.Add('MembershipRule', $getValue.AdditionalProperties.membershipRule)
+ $results.Add('MembershipRule', $getValue.membershipRule)
  }
- if (-not [string]::IsNullOrEmpty($getValue.AdditionalProperties.membershipRuleProcessingState))
+ if (-not [string]::IsNullOrEmpty($getValue.membershipRuleProcessingState))
  {
- $results.Add('MembershipRuleProcessingState', $getValue.AdditionalProperties.membershipRuleProcessingState)
+ $results.Add('MembershipRuleProcessingState', $getValue.membershipRuleProcessingState)
  }
 
  Write-Verbose -Message "AU {$DisplayName} MembershipType {$($results.MembershipType)}"

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1

@@ -314,6 +314,7 @@ function Get-TargetResource
  -Source $($MyInvocation.MyCommand.Source) `
  -TenantId $TenantId `
  -Credential $Credential
+ continue
  }
  if ($IncludeUser)
  {
@@ -349,6 +350,7 @@ function Get-TargetResource
  -Source $($MyInvocation.MyCommand.Source) `
  -TenantId $TenantId `
  -Credential $Credential
+ continue
  }
  if ($ExcludeUser)
  {
@@ -372,7 +374,7 @@ function Get-TargetResource
  $IncludeGroup = $null
  try
  {
- $IncludeGroup = (Get-MgGroup -GroupId $IncludeGroupGUID).displayname
+ $IncludeGroup = (Get-MgGroup -GroupId $IncludeGroupGUID -ErrorAction Stop).displayname
  }
  catch
  {
@@ -382,6 +384,7 @@ function Get-TargetResource
  -Source $($MyInvocation.MyCommand.Source) `
  -TenantId $TenantId `
  -Credential $Credential
+ continue
  }
  if ($IncludeGroup)
  {
@@ -400,7 +403,7 @@ function Get-TargetResource
  $ExcludeGroup = $null
  try
  {
- $ExcludeGroup = (Get-MgGroup -GroupId $ExcludeGroupGUID).displayname
+ $ExcludeGroup = (Get-MgGroup -GroupId $ExcludeGroupGUID -ErrorAction Stop).displayname
  }
  catch
  {
@@ -410,6 +413,7 @@ function Get-TargetResource
  -Source $($MyInvocation.MyCommand.Source) `
  -TenantId $TenantId `
  -Credential $Credential
+ continue
  }
  if ($ExcludeGroup)
  {
@@ -1026,7 +1030,7 @@ function Set-TargetResource
  $userguid = $null
  try
  {
- $userguid = (Get-MgUser -UserId $includeuser).Id
+ $userguid = (Get-MgUser -UserId $includeuser -ErrorAction Stop).Id
  }
  catch
  {
@@ -1073,7 +1077,7 @@ function Set-TargetResource
  $userguid = $null
  try
  {
- $userguid = (Get-MgUser -UserId $excludeuser).Id
+ $userguid = (Get-MgUser -UserId $excludeuser -ErrorAction Stop).Id
  }
  catch
  {
@@ -1118,7 +1122,7 @@ function Set-TargetResource
  $GroupLookup = $null
  try
  {
- $GroupLookup = Get-MgGroup -Filter "DisplayName eq '$includegroup'"
+ $GroupLookup = Get-MgGroup -Filter "DisplayName eq '$includegroup'" -ErrorAction Stop
  }
  catch
  {
@@ -1168,7 +1172,7 @@ function Set-TargetResource
  $GroupLookup = $null
  try
  {
- $GroupLookup = Get-MgGroup -Filter "DisplayName eq '$ExcludeGroup'"
+ $GroupLookup = Get-MgGroup -Filter "DisplayName eq '$ExcludeGroup'" -ErrorAction Stop
  }
  catch
  {
@@ -1519,15 +1523,23 @@ function Set-TargetResource
  if ($currentParameters.ContainsKey('TransferMethods'))
  {
  #create and provision TransferMethods condition object if used
+ $authenticationFlows = if ([System.String]::IsNullOrEmpty($TransferMethods))
+ {
+ $null
+ }
+ else
+ {
+ @{
+ transferMethods = $TransferMethods
+ }
+ }
  if (-not $conditions.Contains('authenticationFlows'))
  {
- $conditions.Add('authenticationFlows', @{
- transferMethods = $TransferMethods
- })
+ $conditions.Add('authenticationFlows', $authenticationFlows)
  }
  else
  {
- $conditions.authenticationFlows.Add('transferMethods', $TransferMethods)
+ $conditions.authenticationFlows = $authenticationFlows
  }
 
  }
@@ -1972,10 +1984,28 @@ function Test-TargetResource
  $ValuesToCheck = $PSBoundParameters
  $ValuesToCheck.Remove('Id') | Out-Null
 
- $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
- -Source $($MyInvocation.MyCommand.Source) `
- -DesiredValues $PSBoundParameters `
- -ValuesToCheck $ValuesToCheck.Keys
+ # If no TransferMethod is specified, ignore it
+ # If a TransferMethod is specified, check if it is equal to the current value
+ # while ignoring the order of the values
+ if (-not $PSBoundParameters.ContainsKey('TransferMethods') -or
+ $null -eq (Compare-Object -ReferenceObject $TransferMethods.Split(',') -DifferenceObject $CurrentValues.TransferMethods.Split(',')))
+ {
+ $ValuesToCheck.Remove('TransferMethods') | Out-Null
+ $TestResult = $true
+ }
+ else
+ {
+ Write-Verbose -Message "TransferMethods are not equal: [$TransferMethods] - [$($CurrentValues.TransferMethods)]"
+ $TestResult = $false
+ }
+
+ if ($TestResult)
+ {
+ $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
 
  Write-Verbose -Message "Test-TargetResource returned $TestResult"
 

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof

@@ -44,7 +44,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
  [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled;
  [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode;
  [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;
- [Write, Description("Names of the associated authentication flow transfer methods")] String TransferMethods;
+ [Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods;
  [Write, Description("Authentication context class references.")] String AuthenticationContexts[];
  [Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
  [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential;

Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1

@@ -24,6 +24,10 @@ function Get-TargetResource
  [System.String[]]
  $Members,
 
+ [Parameter()]
+ [System.String[]]
+ $GroupAsMembers,
+
  [Parameter()]
  [System.String[]]
  $MemberOf,
@@ -213,12 +217,17 @@ function Get-TargetResource
  # Members
  [Array]$members = Get-MgGroupMember -GroupId $Group.Id -All:$true
  $MembersValues = @()
+ $GroupAsMembersValues = @()
  foreach ($member in $members)
  {
- if ($member.AdditionalProperties.userPrincipalName -ne $null)
+ if ($member.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.user")
  {
  $MembersValues += $member.AdditionalProperties.userPrincipalName
  }
+ elseif($member.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.group")
+ {
+ $GroupAsMembersValues += $member.AdditionalProperties.displayName
+ }
  }
  }
 
@@ -265,6 +274,7 @@ function Get-TargetResource
  Id = $Group.Id
  Owners = $OwnersValues
  Members = $MembersValues
+ GroupAsMembers = $GroupAsMembersValues
  MemberOf = $MemberOfValues
  Description = $Group.Description
  GroupTypes = [System.String[]]$Group.GroupTypes
@@ -327,6 +337,10 @@ function Set-TargetResource
  [System.String[]]
  $Members,
 
+ [Parameter()]
+ [System.String[]]
+ $GroupAsMembers,
+
  [Parameter()]
  [System.String[]]
  $MemberOf,
@@ -432,10 +446,12 @@ function Set-TargetResource
  $currentParameters.Remove('ManagedIdentity') | Out-Null
  $backCurrentOwners = $currentGroup.Owners
  $backCurrentMembers = $currentGroup.Members
+ $backCurrentGroupAsMembers = $currentGroup.GroupAsMembers
  $backCurrentMemberOf = $currentGroup.MemberOf
  $backCurrentAssignedToRole = $currentGroup.AssignedToRole
  $currentParameters.Remove('Owners') | Out-Null
  $currentParameters.Remove('Members') | Out-Null
+ $currentParameters.Remove('GroupAsMembers') | Out-Null
  $currentParameters.Remove('MemberOf') | Out-Null
  $currentParameters.Remove('AssignedToRole') | Out-Null
 
@@ -728,6 +744,57 @@ function Set-TargetResource
  Write-Verbose -Message 'Ignoring membership since this is a dynamic group.'
  }
 
+ #GroupAsMembers
+ if ($MembershipRuleProcessingState -ne 'On' -and $PSBoundParameters.ContainsKey('GroupAsMembers'))
+ {
+ $currentGroupAsMembersValue = @()
+ if ($currentParameters.GroupAsMembers.Length -ne 0)
+ {
+ $currentGroupAsMembersValue = $backCurrentGroupAsMembers
+ }
+ $desiredGroupAsMembersValue = @()
+ if ($GroupAsMembers.Length -ne 0)
+ {
+ $desiredGroupAsMembersValue = $GroupAsMembers
+ }
+ if ($backCurrentGroupAsMembers -eq $null)
+ {
+ $backCurrentGroupAsMembers = @()
+ }
+ $groupAsMembersDiff = Compare-Object -ReferenceObject $backCurrentGroupAsMembers -DifferenceObject $desiredGroupAsMembersValue
+ foreach ($diff in $groupAsMembersDiff)
+ {
+ try
+ {
+ $groupAsMember = Get-MgGroup -Filter "DisplayName eq '$($diff.InputObject)'" -ErrorAction Stop
+ }
+ catch
+ {
+ $groupAsMember = $null
+ }
+ if ($null -eq $groupAsMember)
+ {
+ throw "Group '$($diff.InputObject)' does not exist"
+ }
+ else
+ {
+ if ($diff.SideIndicator -eq '=>')
+ {
+ Write-Verbose -Message "Adding AAD group {$($groupAsMember.DisplayName)} as member of AAD group {$($currentGroup.DisplayName)}"
+ $groupAsMemberObject = @{
+ "@odata.id"= "https://graph.microsoft.com/v1.0/directoryObjects/$($groupAsMember.Id)"
+ }
+ New-MgGroupMemberByRef -GroupId ($currentGroup.Id) -Body $groupAsMemberObject | Out-Null
+ }
+ if ($diff.SideIndicator -eq '<=')
+ {
+ Write-Verbose -Message "Removing AAD Group {$($groupAsMember.DisplayName)} from AAD group {$($currentGroup.DisplayName)}"
+ Remove-MgGroupMemberDirectoryObjectByRef -GroupId ($currentGroup.Id) -DirectoryObjectId ($groupAsMember.Id) | Out-Null
+ }
+ }
+ }
+ }
+
  #MemberOf
  if ($PSBoundParameters.ContainsKey('MemberOf'))
  {
@@ -879,6 +946,10 @@ function Test-TargetResource
  [System.String[]]
  $Members,
 
+ [Parameter()]
+ [System.String[]]
+ $GroupAsMembers,
+
  [Parameter()]
  [System.String[]]
  $MemberOf,

Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.schema.mof

@@ -14,6 +14,7 @@ class MSFT_AADGroup : OMI_BaseResource
  [Write, Description("Specifies an ID for the group.")] String Id;
  [Write, Description("User Service Principal values for the group's owners.")] String Owners[];
  [Write, Description("User Service Principal values for the group's members.")] String Members[];
+ [Write, Description("Displayname values for the groups member of the group.")] String GroupAsMembers[];
  [Write, Description("DisplayName values for the groups that this group is a member of.")] String MemberOf[];
  [Write, Description("Specifies that the group is a dynamic group. To create a dynamic group, specify a value of DynamicMembership.")] String GroupTypes[];
  [Write, Description("Specifies the membership rule for a dynamic group.")] String MembershipRule;