diff --git a/CHANGELOG.md b/CHANGELOG.md index 08e9875496..ada57933f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,19 +2,14 @@ # UNRELEASED - * AADAdministrativeUnit * Fix the Update logic flow to get around a bug in Microsoft.Graph 2.11.1. * AADAuthenticationMethodPolicyX509 * Added support for the property for include targets * AADConditionalAccessPolicy * Added support for application filters in the conditions. -* AADConditionalAccessPolicy * Implement Fix #3885. Manage Exclude Application. FIXES [[#3885](https://github.com/microsoft/Microsoft365DSC/issues/3885)] -* AADGroupOwnerConsentSettings - * Initial release - Implements [#4112](https://github.com/microsoft/Microsoft365DSC/issues/4112) * EXOHostedContentFilterPolicy * Fix issue on parameters AllowedSenders, AllowedSenderDomains, BlockedSenders, BlockSenderDomains if desired state is empty but current state is not empty. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 deleted file mode 100644 index 507f857ec8..0000000000 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.psm1 +++ /dev/null 
@@ -1,552 +0,0 @@ -function Get-TargetResource -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param - ( - [Parameter(Mandatory = $true)] - [validateset('Yes')] - [System.String] - $IsSingleInstance, - - [Parameter()] - [System.Boolean] - $EnableGroupSpecificConsent, - - [Parameter()] - [System.Boolean] - $BlockUserConsentForRiskyApps, - - [Parameter()] - [System.Boolean] - $EnableAdminConsentRequests, - - [Parameter()] - [system.string] - $ConstrainGroupSpecificConsentToMembersOfGroupName, - - [Parameter()] - [System.String] - [ValidateSet('Present')] - $Ensure = 'Present', - - [Parameter()] - [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ApplicationSecret, - - [Parameter()] - [System.String] - $CertificateThumbprint, - - [Parameter()] - [Switch] - $ManagedIdentity - ) - - try - { - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - - #Ensure the proper dependencies are installed in the current environment. 
- Confirm-M365DSCDependencies - - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion - - $nullResult = $PSBoundParameters - $nullResult.Ensure = 'Absent' - - $getValue = $null - $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId - write-verbose "Get GroupSettings template with TemplateId $consentPolicySettingsTemplateId" - $templateSettings = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId - - $getValue = Get-MgGroupSetting -GroupSettingId $consentPolicySettingsTemplateId -ErrorAction SilentlyContinue - - if ($null -eq $getValue) - { - Write-Verbose -Message "Could not find an Azure AD Group Consent Settings with Id {$($settings.Id)}" - - if (-Not [string]::IsNullOrEmpty($templateSettings.DisplayName)) - { - $getValue = Get-MgGroupSetting -Filter "DisplayName eq '$($templateSettings.DisplayName)'" -ErrorAction SilentlyContinue - } - } - #endregion - if ($null -eq $getValue) - { - Write-Verbose -Message "UNEXPECTED: Could not find an Azure AD Group Consent Settings with DisplayName {$($templateSettings.DisplayName)}" - - # insert default values from template - $nullresult.EnableGroupSpecificConsent = $templateSettings.Values.Where({$_.Name -eq 'EnableGroupSpecificConsent' }).DefaultValue - $nullresult.BlockUserConsentForRiskyApps = $templateSettings.Values.Where({$_.Name -eq 'BlockUserConsentForRiskyApps'}).DefaultValue - $nullresult.EnableAdminConsentRequests = $templateSettings.Values.Where({$_.Name -eq 'EnableAdminConsentRequests' }).DefaultValue - $nullresult.ConstrainGroupSpecificConsentToMembersOfGroupName = $null - return $nullResult - } - $Id = $getValue.Id - - Write-Verbose -Message "An Azure AD Group Consent 
Settings with Id {$Id} and DisplayName {$($settings.DisplayName)} was found." - - # translate returned Values array to hashtable - $getValue.Values | ForEach-Object -Begin {$groupSettingsValues = @{}} -Process {$groupSettingsValues.($_.Name) = $_.Value} - - if ($groupSettingsValues.EnableGroupSpecificConsent -eq $true -and -not [string]::IsNullOrEmpty($groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId)) - { - write-verbose -message "Get-TargetResource: Get Group for ConstrainGroupSpecificConsentToMembersOfGroupId=$($groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId)" - $constrainConsentToGroupName = Get-MgGroup -GroupId $groupSettingsValues.ConstrainGroupSpecificConsentToMembersOfGroupId | Select-Object -ExpandProperty DisplayName - write-verbose -message "Group DisplayName='$constrainConsentToGroupName'" - } - else - { - write-verbose -message 'Get-TargetResource: ConstrainGroupSpecificConsentToMembersOfGroupId=$null' - $constrainConsentToGroupName = $null - } - - $results = @{ - IsSingleInstance = 'Yes' - EnableGroupSpecificConsent = $groupSettingsValues.EnableGroupSpecificConsent - BlockUserConsentForRiskyApps = $groupSettingsValues.BlockUserConsentForRiskyApps - EnableAdminConsentRequests = $groupSettingsValues.EnableAdminConsentRequests - ConstrainGroupSpecificConsentToMembersOfGroupName = $constrainConsentToGroupName - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret - CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent - } - - return [System.Collections.Hashtable] $results - } - catch - { - New-M365DSCLogEntry -Message 'Error retrieving data:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential - - return $nullResult - } -} - -function Set-TargetResource -{ - [CmdletBinding()] - param - ( - [Parameter(Mandatory = $true)] - 
[validateset('Yes')] - [system.string] - $IsSingleInstance, - - [Parameter()] - [System.Boolean] - $EnableGroupSpecificConsent, - - [Parameter()] - [System.Boolean] - $BlockUserConsentForRiskyApps, - - [Parameter()] - [System.Boolean] - $EnableAdminConsentRequests, - - [Parameter()] - [system.string] - $ConstrainGroupSpecificConsentToMembersOfGroupName, - - [Parameter()] - [System.String] - [ValidateSet('Present')] - $Ensure = 'Present', - - [Parameter()] - [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ApplicationSecret, - - [Parameter()] - [System.String] - $CertificateThumbprint, - - [Parameter()] - [Switch] - $ManagedIdentity - ) - - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies - - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion - - $currentInstance = Get-TargetResource @PSBoundParameters - - write-verbose "Retrieve Group Settings Template" - $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId - $templateSettings = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId - - $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - - if ($Ensure -eq 'Present') - { - Write-Verbose -Message "Creating an Azure AD Group Consent Setting - common code" - $valuesParam = @() - - # build array of values - if specified in Set-TargetResource, that value is included otherwise the existing value is used - - if 
($PSBoundParameters.ContainsKey('EnableGroupSpecificConsent')) - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableGroupSpecificConsent'; Value=$EnableGroupSpecificConsent}) - } - else - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableGroupSpecificConsent'; Value=$currentInstance.EnableGroupSpecificConsent}) - } - - if ($PSBoundParameters.ContainsKey('BlockUserConsentForRiskyApps')) - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='BlockUserConsentForRiskyApps'; Value=$BlockUserConsentForRiskyApps}) - } - else - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='BlockUserConsentForRiskyApps'; Value=$currentInstance.BlockUserConsentForRiskyApps}) - } - - if ($PSBoundParameters.ContainsKey('EnableAdminConsentRequests')) - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableAdminConsentRequests'; Value=$EnableAdminConsentRequests}) - } - else - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='EnableAdminConsentRequests'; Value=$currentInstance.EnableAdminConsentRequests}) - } - - if ($EnableGroupSpecificConsent -and -not [string]::IsNullOrEmpty($ConstrainGroupSpecificConsentToMembersOfGroupName)) - { - $constrainConsentGroupObj = Get-MgGroup -Filter "DisplayName eq '$ConstrainGroupSpecificConsentToMembersOfGroupName'" - if ($null -eq $constrainConsentGroupObj -or $constrainConsentGroupObj.securityEnabled -ne $true) - { - $message = "ConstrainGroupSpecificConsentToMembersOfGroupName '$ConstrainGroupSpecificConsentToMembersOfGroupName' does not exist or is not a 
security group" - Add-M365DscEvent -Message $message ` - -Source $($MyInvocation.MyCommand.Source) ` - -EntryType Error ` - -EventId 2 ` - -EventType Error ` - -TenantId $TenantId - - throw $message - } - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId'; Value=$constrainConsentGroupObj.Id}) - } - else - { - $valuesParam += [Microsoft.Graph.PowerShell.Models.MicrosoftGraphSettingValue]::DeserializeFromPSObject([pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId'; Value=$null}) - } - - - $BodyParam = @{ - DisplayName = $templateSettings.DisplayName - Values = $valuesParam - } - - if ($currentInstance.Ensure -eq 'Absent') - { - $BodyParam.Add('TemplateId', $templateSettings.Id) - $policy = New-MgGroupSetting @BodyParam - } - elseif ($currentInstance.Ensure -eq 'Present') - { - Write-Verbose -Message "Updating the Azure AD Group Consent Settings" - $BodyParam.Add('GroupSettingId', $templateSettings.Id) - - Update-MgGroupSetting @BodyParam - } - } - else - { - if ($currentInstance.Ensure -eq 'Present') - { - Remove-MgGroupSetting -GroupSettingId $templateSettings.Id - } - } -} - -function Test-TargetResource -{ - [CmdletBinding()] - [OutputType([System.Boolean])] - param - ( - [Parameter(Mandatory = $true)] - [validateset('Yes')] - [system.string] - $IsSingleInstance, - - [Parameter()] - [System.Boolean] - $EnableGroupSpecificConsent, - - [Parameter()] - [System.Boolean] - $BlockUserConsentForRiskyApps, - - [Parameter()] - [System.Boolean] - $EnableAdminConsentRequests, - - [Parameter()] - [system.string] - $ConstrainGroupSpecificConsentToMembersOfGroupName, - - [Parameter()] - [System.String] - [ValidateSet('Present')] - $Ensure = 'Present', - - [Parameter()] - [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - 
[Parameter()] - [System.Management.Automation.PSCredential] - $ApplicationSecret, - - [Parameter()] - [System.String] - $CertificateThumbprint, - - [Parameter()] - [Switch] - $ManagedIdentity - ) - - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies - - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion - - Write-Verbose -Message "Testing configuration of the Azure AD Group Consent Settings with Id {$Id} and DisplayName {$DisplayName}" - - $CurrentValues = Get-TargetResource @PSBoundParameters - $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() - - if ($CurrentValues.Ensure -ne $PSBoundParameters.Ensure) - { - Write-Verbose -Message "Test-TargetResource returned $false" - return $false - } - $testResult = $true - - #Compare Cim instances - foreach ($key in $PSBoundParameters.Keys) - { - $source = $PSBoundParameters.$key - $target = $CurrentValues.$key - if ($source.getType().Name -like '*CimInstance*') - { - $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source - - $testResult = Compare-M365DSCComplexObject ` - -Source ($source) ` - -Target ($target) - - if (-Not $testResult) - { - $testResult = $false - break - } - - $ValuesToCheck.Remove($key) | Out-Null - } - } - - $ValuesToCheck.remove('Id') | Out-Null - $ValuesToCheck.Remove('Credential') | Out-Null - $ValuesToCheck.Remove('ApplicationId') | Out-Null - $ValuesToCheck.Remove('TenantId') | Out-Null - $ValuesToCheck.Remove('ApplicationSecret') | Out-Null - - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - - if 
($testResult) - { - $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys - } - - Write-Verbose -Message "Test-TargetResource returned $testResult" - - return $testResult -} - -function Export-TargetResource -{ - [CmdletBinding()] - [OutputType([System.String])] - param - ( - [Parameter()] - [System.Management.Automation.PSCredential] - $Credential, - - [Parameter()] - [System.String] - $ApplicationId, - - [Parameter()] - [System.String] - $TenantId, - - [Parameter()] - [System.Management.Automation.PSCredential] - $ApplicationSecret, - - [Parameter()] - [System.String] - $CertificateThumbprint, - - [Parameter()] - [Switch] - $ManagedIdentity - ) - - $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` - -InboundParameters $PSBoundParameters - - #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies - - #region Telemetry - $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') - $CommandName = $MyInvocation.MyCommand - $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` - -CommandName $CommandName ` - -Parameters $PSBoundParameters - Add-M365DSCTelemetryEvent -Data $data - #endregion - - - try - { - $currentDSCBlock = $null - - $consentPolicySettingsTemplateId = Get-MSConsentPolicySettingsTemplateId - write-verbose "Get GroupSettings template with TemplateId $consentPolicySettingsTemplateId" - $groupConsentSettingsTemplate = Get-MgGroupSettingTemplateGroupSettingTemplate -GroupSettingTemplateId $consentPolicySettingsTemplateId - - $params = @{ - IsSingleInstance = 'Yes' - Credential = $Credential - ApplicationId = $ApplicationId - TenantId = $TenantId - ApplicationSecret = $ApplicationSecret - CertificateThumbprint = $CertificateThumbprint - ManagedIdentity = $ManagedIdentity - } - $results = Get-TargetResource @params - - if 
($results -is [System.Collections.Hashtable] -and $results.Count -gt 1) - { - Write-Host "`r`n" -NoNewline - Write-Host " |---[1/1] $($groupConsentSettingsTemplate.DisplayName)" -NoNewline - $results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $results - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $results ` - -Credential $Credential - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName - - Write-Host $Global:M365DSCEmojiGreenCheckMark - } - else - { - Write-Host $Global:M365DSCEmojiRedX - } - - return $currentDSCBlock - - } - catch - { - Write-Host $Global:M365DSCEmojiRedX - - New-M365DSCLogEntry -Message 'Error during Export:' ` - -Exception $_ ` - -Source $($MyInvocation.MyCommand.Source) ` - -TenantId $TenantId ` - -Credential $Credential - - return '' - } -} - -function Get-MSConsentPolicySettingsTemplateId -{ -param() - - # fixed GUID - return 'dffd5d46-495d-40a9-8e21-954ff55e198a' -} - -Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof deleted file mode 100644 index ff5899f641..0000000000 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/MSFT_AADGroupOwnerConsentSettings.schema.mof +++ /dev/null 
@@ -1,16 +0,0 @@
-[ClassVersion("1.0.0.0"), FriendlyName("AADGroupOwnerConsentSettings")]
-class MSFT_AADGroupOwnerConsentSettings : OMI_BaseResource
-{
- [Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
- [Write, Description("Flag indicating if groups owners are allowed to grant group specific permissions.")] Boolean EnableGroupSpecificConsent;
- [Write, Description("Flag indicating if user consent will be blocked when a risky request is detected. Administrators will still be able to consent to apps considered risky.")] Boolean BlockUserConsentForRiskyApps;
- [Write, Description("Flag indicating if users will be able to request admin consent when they are unable to grant consent to an app themselves.")] Boolean EnableAdminConsentRequests;
- [Write, Description("If EnableGroupSpecificConsent is set to “True” and this is set to a security group name, members (both direct and transitive) of the group identified will be authorized to grant group-specific permissions to the groups they own.")] String ConstrainGroupSpecificConsentToMembersOfGroupName;
- [Write, Description("Specify if the Azure AD Group Consent Settings should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
- [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
- [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
- [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
- [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
- [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
- [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
-};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md
deleted file mode 100644
index 42c5aafab6..0000000000
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/readme.md
+++ /dev/null
@@ -1,6 +0,0 @@
-
-# AADGroupOwnerConsentPolicySettings
-
-## Description
-
-Azure AD Group Owner Consent Settings
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json
deleted file mode 100644
index b2f664fc10..0000000000
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADGroupOwnerConsentSettings/settings.json
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- "resourceName": "AADGroupOwnerConsentSettings",
- "description": "This resource configures an Azure AD Group Owner Consent Settings.",
- "permissions": {
- "graph": {
- "delegated": {
- "read": [
- {
- "name": "Directory.Read.All"
- },
- {
- "name": "Group.Read.All"
- }
- ],
- "update": [
- {
- "name": "Directory.ReadWrite.All"
- },
- {
- "name": "Policy.ReadWrite.Authorization"
- }
- ]
- },
- "application": {
- "read": [
- {
- "name": "Directory.Read.All"
- },
- {
- "name": "Group.Read.All"
- }
- ],
- "update": [
- {
- "name": "Directory.ReadWrite.All"
- },
- {
- "name": "Policy.ReadWrite.Authorization"
- }
- ]
- }
- }
-}
-
-}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1
deleted file mode 100644
index 7cd08b1b41..0000000000
--- a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/1-AADGroupOwnerConsentSettings-Example.ps1
+++ /dev/null
@@ -1,28 +0,0 @@
-<#
-This example is used to test new resources and showcase the usage of new resources being worked on.
-It is not meant to use as a production baseline.
-#>
-
-Configuration Example
-{
- param(
- [Parameter(Mandatory = $true)]
- [PSCredential]
- $Credscredential
- )
- Import-DscResource -ModuleName Microsoft365DSC
-
- node localhost
- {
- AADGroupOwnerConsentSettings 'Example'
- {
- IsSingleInstance = "Yes"
- EnableGroupSpecificConsent = $false
- BlockUserConsentForRiskyApps = $true
- EnableAdminConsentRequests = $false
- #ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2
- Ensure = 'Present'
- Credential = $Credscredential
- }
- }
-}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1 b/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1
deleted file mode 100644
index 867199f2d5..0000000000
--- a/Modules/Microsoft365DSC/Examples/Resources/AADGroupOwnerConsentSettings/2-AADGroupOwnerConsentSettings-Example.ps1
+++ /dev/null
@@ -1,26 +0,0 @@
-<#
-This example is used to test new resources and showcase the usage of new resources being worked on.
-It is not meant to use as a production baseline.
-#>
-
-Configuration Example
-{
- param(
- [Parameter(Mandatory = $true)]
- [PSCredential]
- $Credscredential
- )
- Import-DscResource -ModuleName Microsoft365DSC
-
- node localhost
- {
- AADGroupOwnerConsentSettings 'Example'
- {
- IsSingleInstance = "Yes"
- EnableGroupSpecificConsent = $true # prerequisite for specifying a constraining group
- ConstrainGroupSpecificConsentToMembersOfGroupName = 'Group-Vetted-GroupOwners'
- Ensure = 'Present'
- Credential = $Credscredential
- }
- }
-}
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1
deleted file mode 100644
index 813b9d6922..0000000000
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADGroupOwnerConsentSettings.Tests.ps1
+++ /dev/null
@@ -1,312 +0,0 @@ -[CmdletBinding()] -param( -) -$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` - -ChildPath '..\..\Unit' ` - -Resolve -$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\Stubs\Microsoft365.psm1' ` - -Resolve) -$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\Stubs\Generic.psm1' ` - -Resolve) -Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\UnitTestHelper.psm1' ` - -Resolve) - -$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` - -DscResource "AADGroupOwnerConsentSettings" -GenericStubModule $GenericStubPath -Describe -Name $Global:DscHelper.DescribeHeader -Fixture { - InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { - Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope - BeforeAll { - - $secpasswd = ConvertTo-SecureString "f@kepassword1" -AsPlainText -Force - $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) - - Mock -CommandName Confirm-M365DSCDependencies -MockWith { - } - - Mock -CommandName Get-PSSession -MockWith { - } - - Mock -CommandName Remove-PSSession -MockWith { - } - - Mock -CommandName Get-MgGroupSettingTemplateGroupSettingTemplate -MockWith { - } - - Mock -CommandName Get-MgGroupSettingTemplateGroupSettingTemplate -ParameterFilter {$GroupSettingTemplateId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';DefaultValue=$null}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';DefaultValue=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';DefaultValue=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';DefaultValue=$null} - ) - } - } - - Mock -CommandName Get-MgGroupSetting -MockWith { - } - - Mock -CommandName Get-MgGroup 
-MockWith { - } - - Mock -CommandName Update-MgGroupSetting -MockWith { - } - - Mock -CommandName New-MgGroupSetting -MockWith { - } - - Mock -CommandName New-M365DSCConnection -MockWith { - return "Credentials" - } - - #Mock Write-Host to hide output during the tests - Mock -CommandName Write-Host -MockWith { - } - } - # Test contexts - Context -Name "The AADGroupOwnerConsentSettings should exist but it DOES NOT" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $false - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. See example 2 - Ensure = "Present" - Credential = $Credential; - } - - Mock -CommandName Get-MgGroupSetting -MockWith { - return $null - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' - } - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - It 'Should Create the group from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName New-MgGroupSetting -Exactly 1 - } - } - - Context -Name "The AADGroupOwnerConsentSettings Exists and Values are already in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $false - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. 
See example 2 - Ensure = "Present" - Credential = $Credential; - } - - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$false}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value=$null} - ) - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - It 'Should return true from the Test method' { - Test-TargetResource @testParams | Should -Be $true - } - } - - Context -Name "The AADGroupOwnerConsentSettings Exists with a constrain-group and Values are already in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $true - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = 'Fake Group' # value is only relevant if EnableGroupSpecificConsent is true. 
See example 2 - Ensure = "Present" - Credential = $Credential; - } - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} - ) - } - } - - Mock -CommandName Get-MgGroup -Mockwith { - return [pscustomobject]@{ - DisplayName = 'Fake Group' - Id = '111-111111-1111-1111-111111' - SecurityEnabled = $true - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - It 'Should return true from the Test method' { - Test-TargetResource @testParams | Should -Be $true - } - } - - Context -Name "The AADGroupOwnerConsentSettings Exists and Values are NOT in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $false - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $true - ConstrainGroupSpecificConsentToMembersOfGroupName = '' # value is only relevant if EnableGroupSpecificConsent is true. 
See example 2 - Ensure = 'Present' - Credential = $Credential; - } - - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$false}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value=$null} - ) - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - It 'Should Update the GroupSetting from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName Update-MgGroupSetting -Exactly 1 - } - } - - Context -Name "The AADGroupOwnerConsentSettings Exists with a constrain-group and Values are NOT in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - IsSingleInstance = "Yes" - EnableGroupSpecificConsent = $true - BlockUserConsentForRiskyApps = $true - EnableAdminConsentRequests = $false - ConstrainGroupSpecificConsentToMembersOfGroupName = 'Another Fake Group' # value is only relevant if EnableGroupSpecificConsent is true. 
See example 2 - Ensure = "Present" - Credential = $Credential; - } - - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} - ) - } - } - - Mock -CommandName Get-MgGroup -ParameterFilter {$GroupId -eq '111-111111-1111-1111-111111'} -Mockwith { - return [pscustomobject]@{ - DisplayName = 'Fake Group' - Id = '111-111111-1111-1111-111111' - SecurityEnabled = $true - } - } - <# - Mock -CommandName Get-MgGroup -ParameterFilter {$Filter -eq "DisplayName eq 'Fake Group'"} -Mockwith { - return [pscustomobject]@{ - DisplayName = 'Fake Group' - Id = '111-111111-1111-1111-111111' - SecurityEnabled = $true - } - } - #> - Mock -CommandName Get-MgGroup -ParameterFilter {$Filter -eq "DisplayName eq 'Another Fake Group'"} -Mockwith { - return [pscustomobject]@{ - DisplayName = 'Another Fake Group' - Id = '222-111111-2222-2222-111111' - SecurityEnabled = $true - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - Should -Invoke -CommandName Get-MgGroupSetting -Exactly 1 - Should -Invoke -CommandName Get-MgGroup -Exactly 1 - } - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - It 'Should Update the GroupSetting from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName Get-MgGroup -Exactly 2 # 1st for Get-TargetResource (pre-existing value), 2nd for Set-TargetResource (new value) - Should -Invoke -CommandName 
Update-MgGroupSetting -Exactly 1 - } - } - - Context -Name 'ReverseDSC Tests' -Fixture { - BeforeAll { - $Global:CurrentModeIsExport = $true - $Global:PartialExportFileName = "$(New-Guid).partial.ps1" - $testParams = @{ - Credential = $Credential - } - Mock -CommandName Get-MgGroupSetting -ParameterFilter {$GroupSettingId -eq 'dffd5d46-495d-40a9-8e21-954ff55e198a'} -MockWith { - return @{ - DisplayName = 'Consent Policy Settings' - Id = 'dffd5d46-495d-40a9-8e21-954ff55e198a' - Values = @( - [pscustomobject]@{Name='EnableGroupSpecificConsent';Value=$true}, - [pscustomobject]@{Name='BlockUserConsentForRiskyApps';Value=$true}, - [pscustomobject]@{Name='EnableAdminConsentRequests';Value=$false}, - [pscustomobject]@{Name='ConstrainGroupSpecificConsentToMembersOfGroupId';Value='111-111111-1111-1111-111111'} - ) - } - } - Mock -CommandName Get-MgGroup -ParameterFilter {$GroupId -eq '111-111111-1111-1111-111111'} -MockWith { - return [pscustomobject]@{ - Id = '111-111111-1111-1111-111111' - DisplayName = 'Fake Export Group' - SecurityEnabled = $true - } - } - } - It 'Should Reverse Engineer resource from the Export method' { - $result = Export-TargetResource @testParams - Should -Invoke -CommandName Get-MgGroupSetting -Exactly 1 - Should -Invoke -CommandName Get-MgGroup -Exactly 1 - $result | Should -Not -BeNullOrEmpty - } - } - } -} - -Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope