Merge pull request #5586 from BuehlerSimon/disableResilienceDefaults
Add Conditional Access disableResilienceDefaults
ykuijs authored Jan 15, 2025
2 parents 69f160d + 5cf075d commit eefb68c
Showing 6 changed files with 50 additions and 5 deletions.
8 changes: 5 additions & 3 deletions CHANGELOG.md
Expand Up @@ -51,6 +51,8 @@

* AADAuthenticationRequirement
* Changed Export logic to extract instances from all users.
* AADConditionalAccessPolicy
* Add disableResilienceDefaults
* AADOrganizationCertificateBasedAuthConfiguration
* Fixed the primary key of the resource.
FIXES [#5523](https://github.com/microsoft/Microsoft365DSC/issues/5523)
Expand All @@ -73,11 +75,11 @@
* Fixes comparison issue for permissions.
* EXOTransportRule
* Fixes issue extracting arrays in Get-TargetResource.
* FIXES [#5575](https://github.com/microsoft/Microsoft365DSC/issues/5575)
FIXES [#5575](https://github.com/microsoft/Microsoft365DSC/issues/5575)
* TeamsMeetingPolicy
* Adds support for additional Copilot setting value.
* FIXES [#5573](https://github.com/microsoft/Microsoft365DSC/issues/5573)
* FIXES [#5550](https://github.com/microsoft/Microsoft365DSC/issues/5550)
FIXES [#5573](https://github.com/microsoft/Microsoft365DSC/issues/5573)
FIXES [#5550](https://github.com/microsoft/Microsoft365DSC/issues/5550)
* MISC
* Fixed the Fabric web request to use basic parsing.
* Reset only necessary authentication context.
Expand Up @@ -199,6 +199,10 @@ function Get-TargetResource
[System.Boolean]
$PersistentBrowserIsEnabled,

[Parameter()]
[System.Boolean]
$DisableResilienceDefaultsIsEnabled,

[Parameter()]
[System.String]
$TermsOfUse,
Expand Down Expand Up @@ -706,6 +710,8 @@ function Get-TargetResource
SignInFrequencyInterval = $SignInFrequencyIntervalValue
#no translation needed
PersistentBrowserIsEnabled = $false -or $Policy.SessionControls.PersistentBrowser.IsEnabled
#no translation needed
DisableResilienceDefaultsIsEnabled = $false -or $Policy.SessionControls.disableResilienceDefaults.IsEnabled
#make false if undefined, true if true
PersistentBrowserMode = [System.String]$Policy.SessionControls.PersistentBrowser.Mode
#no translation needed
Expand Down Expand Up @@ -929,6 +935,10 @@ function Set-TargetResource
[System.Boolean]
$PersistentBrowserIsEnabled,

[Parameter()]
[System.Boolean]
$DisableResilienceDefaultsIsEnabled,

[Parameter()]
[System.String]
$TermsOfUse,
Expand Down Expand Up @@ -1735,7 +1745,7 @@ function Set-TargetResource
$NewParameters.Add('grantControls', $GrantControls)
}

if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled)
if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled -or $DisableResilienceDefaultsIsEnabled)
{
Write-Verbose -Message 'Set-Targetresource: process session controls'
$sessioncontrols = $null
Expand Down Expand Up @@ -1802,6 +1812,10 @@ function Set-TargetResource
$sessioncontrols.persistentBrowser.isEnabled = $true
$sessioncontrols.persistentBrowser.mode = $PersistentBrowserMode
}
if ($DisableResilienceDefaultsIsEnabled)
{
$sessioncontrols.Add('disableResilienceDefaults', $true)
}
$NewParameters.Add('sessionControls', $sessioncontrols)
#add SessionControls to the parameter list
}
Expand Down Expand Up @@ -2087,6 +2101,10 @@ function Test-TargetResource
[System.Boolean]
$PersistentBrowserIsEnabled,

[Parameter()]
[System.Boolean]
$DisableResilienceDefaultsIsEnabled,

[Parameter()]
[System.String]
$TermsOfUse,
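Review bot: Get-TargetResource reads `$Policy.SessionControls.disableResilienceDefaults.IsEnabled`, while Set-TargetResource in this same file sends the setting as a bare Boolean (`$sessioncontrols.Add('disableResilienceDefaults', $true)`), which is also how Microsoft Graph documents the property. Member access on a Boolean yields `$null` outside strict mode, so the exported value would always be `$false` and a policy that really has resilience defaults disabled would be reported with the wrong state; the unit-test mocks in this commit use the object shape too, so they would not catch it. Reading the value directly, `DisableResilienceDefaultsIsEnabled = $false -or $Policy.SessionControls.disableResilienceDefaults`, keeps Get and Set on one shape. In the Set branch, `.Add` is called on `$sessioncontrols`, which is `$null` at the top of that block; unless code outside the hunk has already created the hashtable, a policy whose only session control is this one will throw, so a guard such as `if (-not $sessioncontrols) { $sessioncontrols = @{} }` before the `.Add` looks necessary. All three function bodies continue outside the hunks shown.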
Expand Up @@ -47,6 +47,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
[Write, Description("Sign in frequency interval. Possible values are: timeBased, everyTime and unknownFutureValue."), ValueMap{"timeBased","everyTime","unknownFutureValue"}, Values{"timeBased","everyTime","unknownFutureValue"}] String SignInFrequencyInterval;
[Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled;
[Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode;
[Write, Description("Specifies, if DisableResilienceDefaults is enabled.")] Boolean DisableResilienceDefaultsIsEnabled;
[Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;
[Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods;
[Write, Description("Authentication context class references.")] String AuthenticationContexts[];
Expand All @@ -60,4 +61,3 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};
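Review bot: The description `Specifies, if DisableResilienceDefaults is enabled.` only restates the property name and leaves the double negative for the reader to untangle: `True` here means resilience defaults are turned off. Because that changes how sessions are treated during a Microsoft Entra ID outage, I would spell the direction out, for example `Description("Specifies whether resilience defaults are disabled. When true, Microsoft Entra ID does not extend existing sessions based on information collected before an outage.")`. The same sentence appears in the resource documentation table changed by this commit, so both places should carry the clearer wording.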

5 changes: 5 additions & 0 deletions Modules/Microsoft365DSC/SchemaDefinition.json
Expand Up @@ -3522,6 +3522,11 @@
"Name": "PersistentBrowserMode",
"Option": "Write"
},
{
"CIMType": "Boolean",
"Name": "DisableResilienceDefaultsIsEnabled",
"Option": "Write"
},
{
"CIMType": "String",
"Name": "AuthenticationStrength",
Expand Up @@ -83,6 +83,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest')
PersistentBrowserIsEnabled = $True
PersistentBrowserMode = 'Always'
DisableResilienceDefaultsIsEnabled = $True
SignInFrequencyIsEnabled = $True
SignInFrequencyType = 'Days'
SignInFrequencyValue = 5
Expand Down Expand Up @@ -178,6 +179,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest')
PersistentBrowserIsEnabled = $True
PersistentBrowserMode = 'Always'
DisableResilienceDefaultsIsEnabled = $True
SignInFrequencyIsEnabled = $True
SignInFrequencyType = 'Days'
SignInFrequencyValue = 5
Expand Down Expand Up @@ -254,6 +256,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IsEnabled = $True
Mode = 'Always'
}
disableResilienceDefaults = @{
IsEnabled = $True
}
}
}
}
Expand Down Expand Up @@ -372,6 +377,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IsEnabled = $True
Mode = 'Always'
}
disableResilienceDefaults = @{
IsEnabled = $True
}
}
}
}
Expand Down Expand Up @@ -450,6 +458,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest')
PersistentBrowserIsEnabled = $True
PersistentBrowserMode = 'Always'
DisableResilienceDefaultsIsEnabled = $True
SignInFrequencyIsEnabled = $True
SignInFrequencyType = 'Days'
SignInFrequencyValue = 5
Expand Down Expand Up @@ -548,6 +557,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IsEnabled = $True
Mode = 'Always'
}
disableResilienceDefaults = @{
IsEnabled = $True
}
}
}
}
Expand Down Expand Up @@ -615,6 +627,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IncludeUsers = 'All'
PersistentBrowserIsEnabled = $True
PersistentBrowserMode = 'Always'
DisableResilienceDefaultsIsEnabled = $True
SignInFrequencyIsEnabled = $True
SignInFrequencyType = 'Days'
SignInFrequencyValue = 5
Expand Down Expand Up @@ -691,6 +704,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IsEnabled = $True
Mode = 'Always'
}
disableResilienceDefaults = @{
IsEnabled = $True
}
}
}
}
Expand Down Expand Up @@ -808,6 +824,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
IsEnabled = $True
Mode = 'Always'
}
disableResilienceDefaults = @{
IsEnabled = $True
}
}
}
}
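Review bot: Every fixture touched here sets `DisableResilienceDefaultsIsEnabled = $True` alongside the persistent-browser and sign-in-frequency controls, so two paths of the new code are never exercised: the property set to `$False`, and the property as the only session control on the policy. I would add one context where the other session-control flags are unset and only `DisableResilienceDefaultsIsEnabled = $True` is passed to Set-TargetResource, and one where the desired value is `$False` while the mocked policy has the setting enabled, asserting that Test-TargetResource returns `$false`. Without the second case, a policy drifting to resilience defaults disabled could go unreported and no test would notice. The Describe block continues outside the hunks shown.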
1 change: 1 addition & 0 deletions docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md
Expand Up @@ -50,6 +50,7 @@
| **SignInFrequencyInterval** | Write | String | Sign in frequency interval. Possible values are: timeBased, everyTime and unknownFutureValue. | `timeBased`, `everyTime`, `unknownFutureValue` |
| **PersistentBrowserIsEnabled** | Write | Boolean | Specifies, whether Browser Persistence is controlled by the Policy. | |
| **PersistentBrowserMode** | Write | String | Specifies, what Browser Persistence control is enforced by the Policy. | `Always`, `Never`, `` |
| **DisableResilienceDefaultsIsEnabled** | Write | Boolean | Specifies, if DisableResilienceDefaults is enabled. | |
| **AuthenticationStrength** | Write | String | Name of the associated authentication strength policy. | |
| **TransferMethods** | Write | String | Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'. | |
| **AuthenticationContexts** | Write | StringArray[] | Authentication context class references. | |