Merge pull request #3773 from NikCharlebois/PIM-Fixes

Fixes #3744
microsoft · Oct 10, 2023 · 1bd0218 · 1bd0218
2 parents 235e283 + f079ce5
commit 1bd0218
Show file tree

Hide file tree

Showing 5 changed files with 145 additions and 31 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,8 +2,14 @@
 
 # UNRELEASED
 
+* AADRoleEligibilityScheduleRequest
+  * Added support for groups assignment.
+    FIXES [#3744](https://github.com/microsoft/Microsoft365DSC/issues/3744)
+
 * EXODistributionGroup
   * Fixes the export of group membership to use Identity.
+* DEPENDENCIES
+  * Updated Micrsoft.Graph dependencies to version 2.7.0.
 
 # 1.23.1004.1
 

diff --git a/...ources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/...ources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1
@@ -12,6 +12,11 @@
         [System.String]
         $RoleDefinition,
 
+        [Parameter()]
+        [ValidateSet('User', 'Group')]
+        [System.String]
+        $PrincipalType = 'User',
+
         [Parameter()]
         [System.String]
         $Id,
@@ -120,15 +125,54 @@
             if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
             {
                     Write-Verbose -Message "Getting Role Eligibility by PrincipalId and RoleDefinitionId"
-                    $PrincipalId = (Get-MgUser -Filter "UserPrincipalName eq '$Principal'").Id
+                    if ($PrincipalType -eq 'User')
+                    {
+                        $PrincipalIdValue = Get-MgUser -Filter "UserPrincipalName eq '$Principal'" -ErrorAction SilentlyContinue
+                        $PrincipalTypeValue = 'User'
+                    }
+                    if ($null -eq $PrincipalIdValue -or $PrincipalType -eq 'Group')
+                    {
+                        $PrincipalIdValue = Get-MgGroup -Filter "DisplayName eq '$Principal'" -ErrorAction SilentlyContinue
+                        $PrincipalTypeValue = 'Group'
+                    }
+
+                    if ($null -ne $PrincipalIdValue)
+                    {
+                        $PrincipalId = $PrincipalIdValue.Id
+                    }
+                    else
+                    {
+                        return $nullResult
+                    }
                     Write-Verbose -Message "Found Principal {$PrincipalId}"
                     $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id
                     $request = $Script:exportedInstances | Where-Object -FilterScript {$_.PrincipalId -eq $PrincipalId -and $_.RoleDefinitionId -eq $RoleDefinition}
             }
             else
             {
                 Write-Verbose -Message "Getting Role Eligibility by PrincipalId and RoleDefinitionId"
-                $PrincipalId = (Get-MgUser -Filter "UserPrincipalName eq '$Principal'").Id
+                if ($PrincipalType -eq 'User')
+                {
+                    Write-Verbose -Message "Retrieving principal {$Principal} of type {$PrincipalType}"
+                    $PrincipalIdValue = Get-MgUser -Filter "UserPrincipalName eq '$Principal'" -ErrorAction SilentlyContinue
+                    $PrincipalTypeValue = 'User'
+                }
+
+                if ($null -eq $PrincipalIdValue -or $PrincipalType -eq 'Group')
+                {
+                    Write-Verbose -Message "Retrieving principal {$Principal} of type {$PrincipalType}"
+                    $PrincipalIdValue = Get-MgGroup -Filter "DisplayName eq '$Principal'" -ErrorAction SilentlyContinue
+                    $PrincipalTypeValue = 'Group'
+                }
+
+                if ($null -ne $PrincipalIdValue)
+                {
+                    $PrincipalId = $PrincipalIdValue.Id
+                }
+                else
+                {
+                    return $nullResult
+                }
                 Write-Verbose -Message "Found Principal {$PrincipalId}"
                 $RoleDefinitionId = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id
                 Write-Verbose -Message "Found Role {$RoleDefinitionId}"
@@ -142,7 +186,21 @@
         }
 
         Write-Verbose -Message "Found existing AADRolelLigibilityScheduleRequest"
-        $PrincipalValue = Get-MgUser -UserId $request.PrincipalId
+        if ($PrincipalType -eq 'User')
+        {
+            $PrincipalInstance = Get-MgUser -UserId $request.PrincipalId -ErrorAction SilentlyContinue
+            $PrincipalTypeValue = 'User'
+        }
+        if ($null -eq $PrincipalInstance -or $PrincipalType -eq 'Group')
+        {
+            $PrincipalInstance = Get-MGGroup -GroupId $request.PrincipalId -ErrorAction SilentlyContinue
+            $PrincipalTypeValue = 'Group'
+        }
+
+        if ($null -eq $PrincipalInstance)
+        {
+            return $nullResult
+        }
         $RoleDefinitionValue = Get-MgBetaRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $request.RoleDefinitionId
 
         $ScheduleInfoValue = @{}
@@ -195,8 +253,19 @@
             }
         }
 
+        $PrincipalValue = $null
+        if ($PrincipalTypeValue -eq 'User')
+        {
+            $PrincipalValue = $PrincipalInstance.UserPrincipalName
+        }
+        elseif ($PrincipalTypeValue -eq 'Group')
+        {
+            $PrincipalValue = $PrincipalInstance.DisplayName
+        }
+
         $results = @{
-            Principal             = $PrincipalValue.UserPrincipalName
+            Principal             = $PrincipalValue
+            PrincipalType         = $PrincipalTypeValue
             RoleDefinition        = $RoleDefinitionValue.DisplayName
             DirectoryScopeId      = $request.DirectoryScopeId
             AppScopeId            = $request.AppScopeId
@@ -242,6 +311,11 @@ function Set-TargetResource
         [System.String]
         $RoleDefinition,
 
+        [Parameter()]
+        [ValidateSet('User', 'Group')]
+        [System.String]
+        $PrincipalType = 'User',
+
         [Parameter()]
         [System.String]
         $Id,
@@ -339,8 +413,24 @@ function Set-TargetResource
 
     $ParametersOps = ([Hashtable]$PSBoundParameters).clone()
 
-    $PrincipalIdValue = (Get-MgUser -Filter "UserPrincipalName eq '$Principal'").Id
-    $ParametersOps.Add("PrincipalId", $PrincipalIdValue)
+    if ($PrincipalType -eq 'User')
+    {
+        [Array]$PrincipalIdValue = (Get-MgUser -Filter "UserPrincipalName eq '$Principal'").Id
+    }
+    elseif ($PrincipalType -eq 'Group')
+    {
+        [Array]$PrincipalIdValue = (Get-MgGroup -Filter "DisplayName eq '$Principal'").Id
+    }
+
+    if ($null -eq $PrincipalIdValue)
+    {
+        throw "Couldn't find Principal {$PrincipalId} of type {$PrincipalType}"
+    }
+    elseif ($PrincipalIdValue.Length -gt 1)
+    {
+        throw "Multiple Principal with ID {$PrincipalId} of type {$PrincipalType} were found. Cannot create schedule."
+    }
+    $ParametersOps.Add("PrincipalId", $PrincipalIdValue[0])
     $ParametersOps.Remove("Principal") | Out-Null
 
     $RoleDefinitionIdValue = (Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq '$RoleDefinition'").Id
@@ -408,24 +498,24 @@ function Set-TargetResource
         Write-Verbose -Message "ScheduleInfo: $(Convert-M365DscHashtableToString -Hashtable $ScheduleInfoValue)"
         $ParametersOps.ScheduleInfo = $ScheduleInfoValue
     }
-
+    $ParametersOps.Remove("PrincipalType") | Out-Null
     if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
     {
-        Write-Verbose -Message "Creating an Azure AD Role Eligibility Schedule Request for user {$Principal} and role {$RoleDefinition}"
+        Write-Verbose -Message "Creating a Role Eligibility Schedule Request for user {$Principal} and role {$RoleDefinition}"
         $ParametersOps.Remove("Id") | Out-Null
-
+        Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $ParametersOps)"
         New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest @ParametersOps
     }
     elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
     {
-        Write-Verbose -Message "Updating the Azure AD Role Eligibility Schedule Request for user {$Principal} and role {$RoleDefinition}"
+        Write-Verbose -Message "Updating the Role Eligibility Schedule Request for user {$Principal} and role {$RoleDefinition}"
         $ParametersOps.Remove("Id") | Out-Null
         $ParametersOps.Action = 'AdminUpdate'
         New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest @ParametersOps
     }
     elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
     {
-        Write-Verbose -Message "Removing the Azure AD Role Eligibility Schedule Request for user {$Principal} and role {$RoleDefinition}"
+        Write-Verbose -Message "Removing the Role Eligibility Schedule Request for user {$Principal} and role {$RoleDefinition}"
         $ParametersOps.Remove("Id") | Out-Null
         $ParametersOps.Action = 'AdminRemove'
         New-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest @ParametersOps
@@ -446,6 +536,11 @@ function Test-TargetResource
         [System.String]
         $RoleDefinition,
 
+        [Parameter()]
+        [ValidateSet('User', 'Group')]
+        [System.String]
+        $PrincipalType = 'User',
+
         [Parameter()]
         [System.String]
         $Id,
@@ -632,8 +727,14 @@ function Export-TargetResource
     {
         $Script:ExportMode = $true
         #region resource generator code
-        [array] $Script:exportedInstances = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -All `
-            -Filter "Status ne 'Revoked'" -ErrorAction Stop
+        $schedules = Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -All -ErrorAction Stop
+        [array] $Script:exportedInstances = @()
+        foreach ($schedule in $schedules)
+        {
+            [array] $allRequests = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -All `
+                -Filter "Status ne 'Revoked'" -ErrorAction Stop
+            [array] $Script:exportedInstances += $allRequests | Where-Object -FilterScript {$_.TargetScheduleId -eq $schedule.Id}
+        }
         #endregion
 
         $i = 1

diff --git a/.../MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.schema.mof b/.../MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.schema.mof
@@ -55,6 +55,7 @@ class MSFT_AADRoleEligibilityScheduleRequest : OMI_BaseResource
 {
     [Key, Description("User Principal Name of the eligibility request.")] String Principal;
     [Key, Description("Role associated with the eligibility request.")] String RoleDefinition;
+    [Write, Description("Represented the type of principal to assign the request to. Accepted values are: Group and User."), ValueMap{"Group","User"}, Values{"Group","User"}] String PrincipalType;
     [Write, Description("Identifier of the directory object representing the scope of the role eligibility. The scope of an role eligibility determines the set of resources for which the principal has been granted access. Directory scopes are shared scopes stored in the directory that are understood by multiple applications. Use / for tenant-wide scope. Use appScopeId to limit the scope to an application only. Either directoryScopeId or appScopeId is required.")] String DirectoryScopeId;
     [Write, Description("Identifier for the Role Eligibility Schedule Request.")] String Id;
     [Write, Description("Identifier of the app-specific scope when the role eligibility is scoped to an app. The scope of a role eligibility determines the set of resources for which the principal is eligible to access. App scopes are scopes that are defined and understood by this application only. Use / for tenant-wide app scopes. Use directoryScopeId to limit the scope to particular directory objects, for example, administrative units. Either directoryScopeId or appScopeId is required.")] String AppScopeId;

diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1
@@ -10,71 +10,71 @@
         },
         @{
             ModuleName      = 'Microsoft.Graph.Applications'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Authentication'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.DeviceManagement'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.Devices.CorporateManagement'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.DeviceManagement.Administration'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.DeviceManagement.Enrollment'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.Identity.DirectoryManagement'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.Identity.Governance'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.Identity.SignIns'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.Reports'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.Teams'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.DeviceManagement.Administration'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Beta.DirectoryObjects'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Groups'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Planner'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Users'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.Graph.Users.Actions'
-            RequiredVersion = '2.6.1'
+            RequiredVersion = '2.7.0'
         },
         @{
             ModuleName      = 'Microsoft.PowerApps.Administration.PowerShell'

diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1
@@ -24,7 +24,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
             $Global:CurrentModeIsExport = $false
             $secpasswd = ConvertTo-SecureString 'test@password1' -AsPlainText -Force
             $Credential = New-Object System.Management.Automation.PSCredential ('[email protected]', $secpasswd)
-
+            $Script:exportedInstances = $null
             Mock -CommandName Add-M365DSCTelemetryEvent -MockWith {
             }
 
@@ -51,6 +51,11 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                     Id          = '12345'
                 }
             }
+            Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -MockWith {
+                return @{
+                    Id          = '12345-12345-12345-12345-12345'
+                }
+            }
 
             # Mock Write-Host to hide output during the tests
             Mock -CommandName Write-Host -MockWith {
@@ -262,6 +267,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
                                     type        = 'afterDateTime'
                                 }
                         };
+                        TargetScheduleId = "12345-12345-12345-12345-12345"
                     }
                 }
             }