Merge pull request #5535 from NikCharlebois/FIXES-#5524

Fixes #5534
microsoft · Dec 11, 2024 · c536100 · c536100
2 parents ec19141 + 3269486
commit c536100
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 53 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 # UNRELEASED
 
+* AADApplication
+  * Changed logic to remove all permissions when an empty array is specified.
+    FIXES [#5534](https://github.com/microsoft/Microsoft365DSC/issues/5534)
 * AADFeatureRolloutPolicy
   * Fixed policy retrieval
     FIXES [#5521](https://github.com/microsoft/Microsoft365DSC/issues/5521)

diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1
@@ -975,72 +975,81 @@ function Set-TargetResource
         }
     }
 
-    if ($needToUpdatePermissions -and -not [System.String]::IsNullOrEmpty($Permissions) -and $Permissions.Length -gt 0)
+    if ($needToUpdatePermissions -and $null -ne $Permissions)
     {
         Write-Verbose -Message "Will update permissions for Azure AD Application {$($currentAADApp.DisplayName)}"
-        $allSourceAPIs = $Permissions.SourceAPI | Select-Object -Unique
-        $allRequiredAccess = @()
 
-        foreach ($sourceAPI in $allSourceAPIs)
+        if ($Permissions.Length -eq 0)
         {
-            Write-Verbose -Message "Adding permissions for API {$($sourceAPI)}"
-            $permissionsForcurrentAPI = $Permissions | Where-Object -FilterScript { $_.SourceAPI -eq $sourceAPI }
-            $apiPrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$($sourceAPI)'"
-            $currentAPIAccess = @{
-                ResourceAppId  = $apiPrincipal.AppId
-                ResourceAccess = @()
-            }
-            foreach ($permission in $permissionsForcurrentAPI)
+            Write-Verbose -Message "Desired set of permissions is empty, removing all permissions on the app."
+            $allRequiredAccess = @()
+        }
+        else
+            {
+            $allSourceAPIs = $Permissions.SourceAPI | Select-Object -Unique
+            $allRequiredAccess = @()
+
+            foreach ($sourceAPI in $allSourceAPIs)
             {
-                if ($permission.Type -eq 'Delegated')
+                Write-Verbose -Message "Adding permissions for API {$($sourceAPI)}"
+                $permissionsForcurrentAPI = $Permissions | Where-Object -FilterScript { $_.SourceAPI -eq $sourceAPI }
+                $apiPrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$($sourceAPI)'"
+                $currentAPIAccess = @{
+                    ResourceAppId  = $apiPrincipal.AppId
+                    ResourceAccess = @()
+                }
+                foreach ($permission in $permissionsForcurrentAPI)
                 {
-                    $scope = $apiPrincipal.Oauth2PermissionScopes | Where-Object -FilterScript { $_.Value -eq $permission.Name }
-                    $scopeId = $null
-                    if ($null -eq $scope)
+                    if ($permission.Type -eq 'Delegated')
                     {
-                        $ObjectGuid = [System.Guid]::empty
-                        if ([System.Guid]::TryParse($permission.Name, [System.Management.Automation.PSReference]$ObjectGuid))
+                        $scope = $apiPrincipal.Oauth2PermissionScopes | Where-Object -FilterScript { $_.Value -eq $permission.Name }
+                        $scopeId = $null
+                        if ($null -eq $scope)
                         {
-                            $scopeId = $permission.Name
+                            $ObjectGuid = [System.Guid]::empty
+                            if ([System.Guid]::TryParse($permission.Name, [System.Management.Automation.PSReference]$ObjectGuid))
+                            {
+                                $scopeId = $permission.Name
+                            }
                         }
-                    }
-                    else
-                    {
-                        $scopeId = $scope.Id
-                    }
-                    Write-Verbose -Message "Adding Delegated Permission {$($scopeId)}"
-                    $delPermission = @{
-                        Id   = $scopeId
-                        Type = 'Scope'
-                    }
-                    $currentAPIAccess.ResourceAccess += $delPermission
-                }
-                elseif ($permission.Type -eq 'AppOnly')
-                {
-                    $role = $apiPrincipal.AppRoles | Where-Object -FilterScript { $_.Value -eq $permission.Name }
-                    $roleId = $null
-                    if ($null -eq $role)
-                    {
-                        $ObjectGuid = [System.Guid]::empty
-                        if ([System.Guid]::TryParse($permission.Name, [System.Management.Automation.PSReference]$ObjectGuid))
+                        else
                         {
-                            $roleId = $permission.Name
+                            $scopeId = $scope.Id
                         }
+                        Write-Verbose -Message "Adding Delegated Permission {$($scopeId)}"
+                        $delPermission = @{
+                            Id   = $scopeId
+                            Type = 'Scope'
+                        }
+                        $currentAPIAccess.ResourceAccess += $delPermission
                     }
-                    else
+                    elseif ($permission.Type -eq 'AppOnly')
                     {
-                        $roleId = $role.Id
-                    }
-                    $appPermission = @{
-                        Id   = $roleId
-                        Type = 'Role'
+                        $role = $apiPrincipal.AppRoles | Where-Object -FilterScript { $_.Value -eq $permission.Name }
+                        $roleId = $null
+                        if ($null -eq $role)
+                        {
+                            $ObjectGuid = [System.Guid]::empty
+                            if ([System.Guid]::TryParse($permission.Name, [System.Management.Automation.PSReference]$ObjectGuid))
+                            {
+                                $roleId = $permission.Name
+                            }
+                        }
+                        else
+                        {
+                            $roleId = $role.Id
+                        }
+                        $appPermission = @{
+                            Id   = $roleId
+                            Type = 'Role'
+                        }
+                        $currentAPIAccess.ResourceAccess += $appPermission
                     }
-                    $currentAPIAccess.ResourceAccess += $appPermission
                 }
-            }
-            if ($null -ne $currentAPIAccess)
-            {
-                $allRequiredAccess += $currentAPIAccess
+                if ($null -ne $currentAPIAccess)
+                {
+                    $allRequiredAccess += $currentAPIAccess
+                }
             }
         }
 
@@ -1298,9 +1307,15 @@ function Test-TargetResource
 
     $CurrentValues = Get-TargetResource @PSBoundParameters
 
-    if ($CurrentValues.Permissions.Length -gt 0 -and $null -ne $CurrentValues.Permissions.Name -and $Permissions.Name.Length -gt 0)
+    if ($CurrentValues.Permissions.Length -gt 0 -and `
+        $null -ne $CurrentValues.Permissions.Name)
     {
-        $permissionsDiff = Compare-Object -ReferenceObject ($CurrentValues.Permissions.Name) -DifferenceObject ($Permissions.Name)
+        $differenceObject = $Permissions.Name
+        if ($null -eq $differenceObject)
+        {
+            $differenceObject = @()
+        }
+        $permissionsDiff = Compare-Object -ReferenceObject ($CurrentValues.Permissions.Name) -DifferenceObject $differenceObject
         $driftedParams = @{}
         if ($null -ne $permissionsDiff)
         {