Merge pull request #5812 from microsoft/Dev

Release 1.25.219.1

CHANGELOG.md

@@ -1,5 +1,73 @@
 # Change log for Microsoft365DSC
 
+# 1.25.219.1
+
+* AADAccessReviewPolicy
+  * Missing AccessReview permission for Application Read access
+    FIXES [#5796](https://github.com/microsoft/Microsoft365DSC/issues/5796)
+* AADApplication
+  * Test-TargetResource logic updated to skip evaluating CIMArrays that are empty
+    when passed as desired values.
+* AADDeviceRegistrationPolicy
+  * Fixed an issue where the AzureADJoinIsAdminConfigurable was not returned by the
+    Get-TargetResource function.
+  * Fix issue setting Selected Users and Groups for Entra Join.
+    FIXES [#5798](https://github.com/microsoft/Microsoft365DSC/issues/5798)
+* AADGroup
+  * Returns an empty array for roles and licenses from the Get-TargetResource
+    function instead of null when no instances are found.
+* AADRoleEligibilityScheduleRequest
+  * Reduce call count when reconciling object type
+    FIXES [#5621](https://github.com/microsoft/Microsoft365DSC/issues/5621)
+  * Add check if object lookup fails
+    FIXES [#5801](https://github.com/microsoft/Microsoft365DSC/issues/5801)
+* AADServicePrincipal
+  * Evaluating assigned users based on UPN and not just on DisplayName.
+  * FIXES [#5359](https://github.com/microsoft/Microsoft365DSC/issues/5359) AADServicePrincipal fails on Managed Identities when DelegatedPermissions returns 500 response
+* ADOSecurityPolicy
+  * Fixes an issue where the resource threw an error trying to parse the default
+    values.
+* EXODistributionGroup
+  * Changed logic to retrieve existing members by UserPrincipalName.
+* EXORoleGroup
+  * Evaluating assigned users based on UPN and not just on DisplayName if they
+    have an associated mailbox.
+* IntuneDeviceManagementEnrollmentAndroidGooglePlay
+  * Marked the Id property as mandatory in the resource.
+* M365DSCRuleEvaluation
+  * Added support for specifying a Filter property.
+* M365DSCUtil
+  * Add M365DSC prefix to `Remove-EmptyValue`.
+  * Fixes an issue with `Credential` property being escaped and indentation.
+  * Adds the possibility to allow variables in strings and no authentication
+    results update during conversion to final export.
+    FIXES [#3861](https://github.com/microsoft/Microsoft365DSC/issues/3861)
+* SCInsiderRiskPolicy
+  * Enforces the MDATPTriageStatus to be a string array.
+* SCSensitivityLabel
+  * Fixes invalid accepted content type values.
+* IntuneDeviceCompliancePolicyAndroidDeviceOwner
+  * Adds support for Scheduled Actions and other missing properties
+    FIXES [#5593] (https://github.com/microsoft/Microsoft365DSC/issues/5593)
+* IntuneDeviceCompliancePolicyAndroidWorkProfile
+  * Adds support for Scheduled Actions and other missing properties
+    FIXES [#5593] (https://github.com/microsoft/Microsoft365DSC/issues/5592)
+* TeamsAppPermissionPolicy
+  * Updated correct Typecasting for AppPresetMeeting and PinnedMessagebarApps
+    before adding them to the policy
+* TeamsAppSetupPolicy
+  * FIXES [[#5752](https://github.com/microsoft/Microsoft365DSC/issues/5752)
+* TeamsM365App
+  * Remove `Ensure` property from being exported.
+    FIXES [#5781](https://github.com/microsoft/Microsoft365DSC/issues/5781)
+* AADGroupEligibilitySchedule
+  * FIXES [#5792](https://github.com/microsoft/Microsoft365DSC/issues/5792) issue where complete DSC isn't exported after generated
+  * FIXES [#5793](https://github.com/microsoft/Microsoft365DSC/issues/5793) issue where PrincipalType isn't correctly captured in AzureGov
+* DEPENDENCIES
+  * Updated ExchangeOnlineManagement to version 3.7.1
+  * Updated Microsoft.Graph modules to version 2.26.0
+  * Updated ReverseDSC to version 2.0.0.27
+
 # 1.25.212.2
 
 * MISC

Modules/Microsoft365DSC/DSCResources/MSFT_AADAccessReviewPolicy/settings.json

@@ -15,6 +15,9 @@
                 "read": [
                     {
                         "name": "Policy.Read.All"
+                    },
+                    {
+                        "name": "AccessReview.Read.All"
                     }
                 ],
                 "update": [

Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1

@@ -1425,14 +1425,21 @@ function Test-TargetResource
         $target = $CurrentValues.$key
         if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
         {
-            $testResult = Compare-M365DSCComplexObject `
-                -Source ($source) `
-                -Target ($target)
-
-            if (-not $testResult)
+            if (-not ($source.GetType().Name -eq 'CimInstance[]' -and $source.Count -eq 0))
             {
-                Write-Verbose "TestResult returned False for $source"
-                $testTargetResource = $false
+                $testResult = Compare-M365DSCComplexObject `
+                    -Source ($source) `
+                    -Target ($target)
+
+                if (-not $testResult)
+                {
+                    Write-Verbose "TestResult returned False for $source"
+                    $testTargetResource = $false
+                }
+                else
+                {
+                    $ValuesToCheck.Remove($key) | Out-Null
+                }
             }
             else
             {

Modules/Microsoft365DSC/DSCResources/MSFT_AADDeviceRegistrationPolicy/MSFT_AADDeviceRegistrationPolicy.psm1

@@ -215,6 +215,7 @@ function Get-TargetResource
         }
         $results = @{
             IsSingleInstance                        = 'Yes'
+            AzureADJoinIsAdminConfigurable          = [Boolean]$getValue.AzureAdJoin.IsAdminConfigurable
             AzureADAllowedToJoin                    = $AzureADAllowedToJoin
             AzureADAllowedToJoinGroups              = $AzureADAllowedToJoinGroups
             AzureADAllowedToJoinUsers               = $AzureADAllowedToJoinUsers
@@ -406,8 +407,8 @@ function Set-TargetResource
             isAdminConfigurable = $AzureADJoinIsAdminConfigurable
             allowedToJoin       = @{
                 '@odata.type' = $azureADRegistrationAllowedToRegister
-                users         = $AzureADAllowedToJoinUsers
-                groups        = $AzureADAllowedToJoinGroups
+                users         = $azureADRegistrationAllowedUsers
+                groups        = $azureADRegistrationAllowedGroups
             }
             localAdmins         = @{
                 enableGlobalAdmins = $LocalAdminsEnableGlobalAdmins

Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1

@@ -245,7 +245,7 @@ function Get-TargetResource
         }
 
         # AssignedToRole
-        $AssignedToRoleValues = $null
+        $AssignedToRoleValues = @()
         if ($Group.IsAssignableToRole -eq $true)
         {
             $AssignedToRoleValues = @()
@@ -258,7 +258,7 @@ function Get-TargetResource
         }
 
         # Licenses
-        $assignedLicensesValues = $null
+        $assignedLicensesValues = @()
         $uri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "v1.0/groups/$($Group.Id)/assignedLicenses"
         $assignedLicensesRequest = Invoke-MgGraphRequest -Method 'GET' `
             -Uri $uri

Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupEligibilitySchedule/MSFT_AADGroupEligibilitySchedule.psm1

@@ -217,25 +217,35 @@ function Get-TargetResource
         }
         #endregion
 
-        switch ($getValue.PrincipalType)
+        if ([string]::IsNullOrEmpty($getValue.PrincipalType))
         {
-            'group' {
-                $PrincipalDisplayName = (Get-MgGroup -GroupId $getvalue.PrincipalId).DisplayName
-            }
-            'user' {
-                $PrincipalDisplayName = (Get-MgUser -UserId $getvalue.PrincipalId).DisplayName
-            }
+            $getValue.PrincipalType = "unknown"
         }
 
-        $GroupDisplayName = (Get-MgGroup -GroupId $getvalue.GroupId).DisplayName
+       	switch ($getValue.PrincipalType)
+       	{
+       	    'group' {
+		$PrincipalDisplayName = (Get-MgGroup -GroupId $getvalue.PrincipalId).DisplayName
+            }
+       	    'user' {
+		$PrincipalDisplayName = (Get-MgUser -UserId $getvalue.PrincipalId).DisplayName
+       	    }
+       	    'unknown' {
+		        $objectInfo = Get-MgBetaDirectoryObjectById -Ids $getvalue.PrincipalId -ErrorAction SilentlyContinue
+            	$getValue.PrincipalType = $objectInfo.AdditionalProperties['@odata.type'].Split('.')[2]
+		        $PrincipalDisplayName = $objectInfo.AdditionalProperties['displayName']
+       	    }
+       	}
+
+	$GroupDisplayName = (Get-MgGroup -GroupId $getvalue.GroupId).DisplayName
 
         $results = @{
             #region resource generator code
             AccessId              = $enumAccessId
             GroupId               = $getValue.groupId
             GroupDisplayName      = $GroupDisplayName
             MemberType            = $enumMemberType
-            PrincipalType         = $PrincipalType
+            PrincipalType         = $getValue.PrincipalType
             PrincipalDisplayname  = $PrincipalDisplayName
             ScheduleInfo          = $complexScheduleInfo
             Id                    = $getValue.Id
@@ -794,6 +804,9 @@ function Export-TargetResource
         {
             Write-Host "`r`n" -NoNewline
         }
+
+        $dscContent = ''
+
         foreach ($group in $groups)
         {
             Write-Host "    |---[$j/$($groups.Count)] $($group.DisplayName)" -NoNewline
@@ -804,7 +817,7 @@ function Export-TargetResource
                 -ErrorAction SilentlyContinue
 
             $i = 1
-            $dscContent = ''
+
             if ($getValue.Length -eq 0)
             {
                 Write-Host $Global:M365DSCEmojiGreenCheckMark

Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleAssignmentScheduleRequest/MSFT_AADRoleAssignmentScheduleRequest.psm1

@@ -138,6 +138,10 @@ function Get-TargetResource
             $PrincipalValue = $PrincipalInstance.DisplayName
         }
 
+        if ([System.String]::IsNullOrEmpty($PrincipalValue)) {
+            return $nullResult
+        }
+
         Write-Verbose -Message 'Found Principal'
         $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id
         Write-Verbose -Message "Retrieved role definition {$RoleDefinition} with ID {$RoleDefinitionId}"

Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1

@@ -715,33 +715,15 @@ function Export-TargetResource
             Write-Host "    |---[$i/$($Script:exportedInstances.Count)] $displayedKey" -NoNewline
             # Find the Principal Type
             $principalType = 'User'
-            $userInfo = Get-MgUser -UserId $config.PrincipalId -ErrorAction SilentlyContinue
-
-            if ($null -eq $userInfo)
+            $userInfo = Get-MgBetaDirectoryObjectById -Ids $config.PrincipalId -ErrorAction SilentlyContinue
+            $principalType = $userInfo.AdditionalProperties['@odata.type'].Split('.')[2]
+            $PrincipalValue = if ($principalType -eq 'user' )
             {
-                $principalType = 'Group'
-                $groupInfo = Get-MgGroup -GroupId $config.PrincipalId -ErrorAction SilentlyContinue
-                if ($null -eq $groupInfo)
-                {
-                    $principalType = 'ServicePrincipal'
-                    $spnInfo = Get-MgServicePrincipal -ServicePrincipalId $config.PrincipalId -ErrorAction SilentlyContinue
-                    if ($null -ne $spnInfo)
-                    {
-                        $PrincipalValue = $spnInfo.DisplayName
-                    }
-                    else
-                    {
-                        $PrincipalValue = $null
-                    }
-                }
-                else
-                {
-                    $PrincipalValue = $groupInfo.DisplayName
-                }
+                $userInfo.AdditionalProperties['userPrincipalName']
             }
             else
             {
-                $PrincipalValue = $userInfo.UserPrincipalName
+                $userInfo.AdditionalProperties['displayName']
             }
 
             if ($null -ne $PrincipalValue)

Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/settings.json

@@ -15,11 +15,17 @@
                 "read": [
                     {
                         "name": "RoleEligibilitySchedule.Read.Directory"
+                    },
+                    {
+                        "name": "Directory.Read.All"
                     }
                 ],
                 "update": [
                     {
                         "name": "RoleEligibilitySchedule.ReadWrite.Directory"
+                    },
+                    {
+                        "name": "Directory.Read.All"
                     }
                 ]
             }

Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1

@@ -175,14 +175,12 @@ function Get-TargetResource
                     $appInstance = Get-MgApplication -Filter "DisplayName eq '$AppId'"
                     if ($appInstance)
                     {
-                        $AADServicePrincipal = Get-MgServicePrincipal -Filter "AppID eq '$($appInstance.AppId)'" `
-                            -Expand 'AppRoleAssignedTo'
+                        $AADServicePrincipal = Get-MgServicePrincipal -Filter "AppID eq '$($appInstance.AppId)'"
                     }
                 }
                 else
                 {
-                    $AADServicePrincipal = Get-MgServicePrincipal -Filter "AppID eq '$($AppId)'" `
-                        -Expand 'AppRoleAssignedTo'
+                    $AADServicePrincipal = Get-MgServicePrincipal -Filter "AppID eq '$($AppId)'"
                 }
             }
             if ($null -eq $AADServicePrincipal)
@@ -196,7 +194,8 @@ function Get-TargetResource
         }
 
         $AppRoleAssignedToValues = @()
-        foreach ($principal in $AADServicePrincipal.AppRoleAssignedTo)
+        $assignmentsValue = Get-MgServicePrincipalAppROleAssignedTo -ServicePrincipalId $AADServicePrincipal.Id -ErrorAction SilentlyContinue
+        foreach ($principal in $assignmentsValue)
         {
             $currentAssignment = @{
                 PrincipalType = $null
@@ -206,7 +205,7 @@ function Get-TargetResource
             {
                 $user = Get-MgUser -UserId $principal.PrincipalId
                 $currentAssignment.PrincipalType = 'User'
-                $currentAssignment.Identity = $user.UserPrincipalName.Split('@')[0]
+                $currentAssignment.Identity = $user.UserPrincipalName
                 $AppRoleAssignedToValues += $currentAssignment
             }
             elseif ($principal.PrincipalType -eq 'Group')
@@ -230,8 +229,17 @@ function Get-TargetResource
         }
 
         [Array]$complexDelegatedPermissionClassifications = @()
-        $Uri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "v1.0/servicePrincipals/$($AADServicePrincipal.Id)/delegatedPermissionClassifications"
-        $permissionClassifications = Invoke-MgGraphRequest -Uri $Uri -Method Get
+        #Managed Identities in AzureGov return exception when pulling delegatedPermissionClassifications
+        try
+        {
+            $Uri = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "v1.0/servicePrincipals/$($AADServicePrincipal.Id)/delegatedPermissionClassifications"
+            $permissionClassifications = Invoke-MgGraphRequest -Uri $Uri -Method Get
+        }
+        catch
+        {
+            Write-Verbose -Message "Service Principal didn't return delegated permission classifications. Expected for Managedidentities."
+        }
+
         foreach ($permissionClassification in $permissionClassifications.Value)
         {
             $hashtable = @{

Modules/Microsoft365DSC/DSCResources/MSFT_ADOSecurityPolicy/MSFT_ADOSecurityPolicy.psm1

@@ -91,27 +91,59 @@ function Get-TargetResource
 
         $uri = "https://dev.azure.com/$($OrganizationName)/_apis/OrganizationPolicy/Policies/Policy.DisallowOAuthAuthentication?defaultValue"
         $DisallowOAuthAuthenticationValue = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value
+        if ([System.String]::IsNullOrEmpty($DisallowOAuthAuthenticationValue))
+        {
+            $DisallowOAuthAuthenticationValue = $true
+        }
 
         $uri = "https://dev.azure.com/$($OrganizationName)/_apis/OrganizationPolicy/Policies/Policy.DisallowSecureShell?defaultValue"
         $DisallowSecureShellValue = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value
+        if ([System.String]::IsNullOrEmpty($DisallowSecureShellValue))
+        {
+            $DisallowSecureShellValue = $false
+        }
 
         $uri = "https://dev.azure.com/$($OrganizationName)/_apis/OrganizationPolicy/Policies/Policy.LogAuditEvents?defaultValue"
         $LogAuditEventsValue = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value
+        if ([System.String]::IsNullOrEmpty($LogAuditEventsValue))
+        {
+            $LogAuditEventsValue = $false
+        }
 
         $uri = "https://dev.azure.com/$($OrganizationName)/_apis/OrganizationPolicy/Policies/Policy.AllowAnonymousAccess?defaultValue"
         $AllowAnonymousAccessValue = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value
+        if ([System.String]::IsNullOrEmpty($AllowAnonymousAccessValue))
+        {
+            $AllowAnonymousAccessValue = $false
+        }
 
         $uri = "https://dev.azure.com/$($OrganizationName)/_apis/OrganizationPolicy/Policies/Policy.ArtifactsExternalPackageProtectionToken?defaultValue"
         $ArtifactsExternalPackageProtectionTokenValue = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value
+        if ([System.String]::IsNullOrEmpty($ArtifactsExternalPackageProtectionTokenValue))
+        {
+            $ArtifactsExternalPackageProtectionTokenValue = $true
+        }
 
         $uri = "https://dev.azure.com/$($OrganizationName)/_apis/OrganizationPolicy/Policies/Policy.EnforceAADConditionalAccess?defaultValue"
         $EnforceAADConditionalAccessValue = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value
+        if ([System.String]::IsNullOrEmpty($EnforceAADConditionalAccessValue))
+        {
+            $EnforceAADConditionalAccessValue = $false
+        }
 
         $uri = "https://dev.azure.com/$($OrganizationName)/_apis/OrganizationPolicy/Policies/Policy.AllowTeamAdminsInvitationsAccessToken?defaultValue"
         $AllowTeamAdminsInvitationsAccessTokenValue = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value
+        if ([System.String]::IsNullOrEmpty($AllowTeamAdminsInvitationsAccessTokenValue))
+        {
+            $AllowTeamAdminsInvitationsAccessTokenValue = $true
+        }
 
         $uri = "https://dev.azure.com/$($OrganizationName)/_apis/OrganizationPolicy/Policies/Policy.AllowRequestAccessToken?defaultValue"
         $AllowRequestAccessTokenValue = (Invoke-M365DSCAzureDevOPSWebRequest -Uri $uri).Value
+        if ([System.String]::IsNullOrEmpty($AllowRequestAccessTokenValue))
+        {
+            $AllowRequestAccessTokenValue = $true
+        }
 
         $results = @{
             OrganizationName                        = $OrganizationName