From 46b0c73561190c3668107af21d188059c354928e Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Tue, 1 Oct 2024 15:54:02 +0530 Subject: [PATCH 1/4] Adding support for updating 1 key credential --- .../MSFT_AADApplication/MSFT_AADApplication.psm1 | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 index 636e27a4db..c88da22921 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 @@ -933,7 +933,16 @@ function Set-TargetResource if($needToUpdateKeyCredentials -and $KeyCredentials) { - Write-Warning -Message "KeyCredentials is a readonly property and cannot be configured." + Write-Verbose -Message "Updating for Azure AD Application {$($currentAADApp.DisplayName)} with KeyCredentials:`r`n$($KeyCredentials| Out-String)" + + if((currentAADApp.KeyCredentials.Length -eq 0 -and $KeyCredentials.Length -eq 1) -or (currentAADApp.KeyCredentials.Length -eq 1 -and $KeyCredentials.Length -eq 0)) + { + Update-MgApplication -ApplicationId $currentAADApp.Id -KeyCredentials $KeyCredentials | Out-Null + } + else + { + Write-Warning -Message "KeyCredentials is a readonly property and cannot be configured." + } } } From 9112965abc17f622408a5b019a9070160bce2434 Mon Sep 17 00:00:00 2001 From: "Kartikeya Saxena (from Dev Box)" Date: Thu, 3 Oct 2024 18:18:48 +0530 Subject: [PATCH 2/4] Added Warning message --- .../DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 index c88da22921..d8c5b97231 100644 
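Review bot: The new condition in Set-TargetResource references `currentAADApp.KeyCredentials.Length` without the `$` sigil in both halves, so PowerShell will try to resolve it as a command name rather than read the variable; it should read `if (($currentAADApp.KeyCredentials.Length -eq 0 -and $KeyCredentials.Length -eq 1) -or ($currentAADApp.KeyCredentials.Length -eq 1 -and $KeyCredentials.Length -eq 0))`. The second half also looks unreachable, because the enclosing `if($needToUpdateKeyCredentials -and $KeyCredentials)` is presumably false when `$KeyCredentials` is empty. Separately, the added `Write-Verbose` line writes the full `$KeyCredentials | Out-String` to the verbose stream; since these objects describe application credentials, consider logging only the count or the key identifiers. Set-TargetResource begins and ends outside this hunk, and the following patch in this series only changes the warning text.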
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 @@ -941,7 +941,7 @@ function Set-TargetResource } else { - Write-Warning -Message "KeyCredentials is a readonly property and cannot be configured." + Write-Warning -Message "KeyCredentials cannot be updated for AAD Applications with more than one KeyCredentials due to technical limitation of Update-MgApplication Cmdlet. Learn more at: https://learn.microsoft.com/en-us/graph/api/application-addkey" } } } From 50c74247bf7e636d45859c7b7f56258cd88b9383 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Thu, 3 Oct 2024 16:54:46 +0200 Subject: [PATCH 3/4] Fix handling of one-property elements in the Settings Catalog --- CHANGELOG.md | 2 + .../Modules/M365DSCDRGUtil.psm1 | 80 ++++++++++++++----- 2 files changed, 61 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a312616ab..5c0c824190 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -85,6 +85,8 @@ * Add support for more complex Intune Settings Catalog properties * Update handling of `Update-IntuneDeviceConfigurationPolicy` to throw on error FIXES [#5055](https://github.com/microsoft/Microsoft365DSC/issues/5055) + * Fixes an issue for the handling of skipped one-property elements in the + Settings Catalog. FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) * M365DSCResourceGenerator * Update Intune resource generation for the Settings Catalog. * O365ExternalConnection diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 542a206b3d..962544bf28 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 
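Review bot: The reworded warning in the `else` branch explains only the case of an application with more than one key credential, yet going by the condition added earlier in this series the same branch is reached for any combination other than zero-to-one or one-to-zero, including replacing a single existing credential with a different one. It also does not say which application was skipped, which makes the warning hard to act on in a run that configures several applications. A wording such as `Write-Warning -Message "KeyCredentials for Azure AD Application {$($currentAADApp.DisplayName)} were not updated: Update-MgApplication can only be used here to go from zero to one key credential or from one to zero. Learn more at: https://learn.microsoft.com/en-us/graph/api/application-addkey"` would cover both. The enclosing block starts outside this hunk.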
@@ -105,7 +105,7 @@ function Rename-M365DSCCimInstanceParameter $subValue = Rename-M365DSCCimInstanceParameter $property -KeyMapping $KeyMapping if ($null -ne $subValue) { - $hashProperties.add($keyName, $subValue) + $hashProperties.Add($keyName, $subValue) } } catch @@ -830,7 +830,7 @@ function Convert-M365DSCDRGComplexTypeToHashtable $propertyName = $key[0].ToString().ToLower() + $key.Substring(1, $key.Length - 1) $propertyValue = $results[$key] $results.remove($key) | Out-Null - $results.add($propertyName, $propertyValue) + $results.Add($propertyName, $propertyValue) } } } @@ -1015,11 +1015,11 @@ function Get-SettingCatalogPolicySettingsFromTemplate $settingKey = $DSCParams.keys | Where-Object -FilterScript { $templateSetting.settingDefinitionId -like "*$($_)" } if ((-not [String]::IsNullOrEmpty($settingKey)) -and $DSCParams."$settingKey") { - $setting.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') + $setting.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') $myFormattedSetting = Format-M365DSCParamsToSettingInstance -DSCParams @{$settingKey = $DSCParams."$settingKey" } ` -TemplateSetting $templateSetting - $setting.add('settingInstance', $myFormattedSetting) + $setting.Add('settingInstance', $myFormattedSetting) $settings += $setting $DSCParams.Remove($settingKey) | Out-Null } 
@@ -1033,23 +1033,23 @@ function Get-SettingCatalogPolicySettingsFromTemplate foreach ($groupCollectionTemplateSetting in $groupCollectionTemplateSettings) { $setting = @{} - $setting.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') + $setting.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') $settingInstance = [ordered]@{} - $settingInstance.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance') - $settingInstance.add('settingDefinitionId', $groupCollectionTemplateSetting.settingDefinitionId) - $settingInstance.add('settingInstanceTemplateReference', @{ + $settingInstance.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance') + $settingInstance.Add('settingDefinitionId', $groupCollectionTemplateSetting.settingDefinitionId) + $settingInstance.Add('settingInstanceTemplateReference', @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingInstanceTemplateReference' 'settingInstanceTemplateId' = $groupCollectionTemplateSetting.settingInstanceTemplateId }) $groupSettingCollectionValues = @() $groupSettingCollectionValueChildren = @() $groupSettingCollectionValue = @{} - $groupSettingCollectionValue.add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingValue') + $groupSettingCollectionValue.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingValue') $settingValueTemplateId = $groupCollectionTemplateSetting.AdditionalProperties.groupSettingCollectionValueTemplate.settingValueTemplateId if (-Not [string]::IsNullOrEmpty($settingValueTemplateId)) { - $groupSettingCollectionValue.add('settingValueTemplateReference', @{'settingValueTemplateId' = $SettingValueTemplateId }) + $groupSettingCollectionValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $SettingValueTemplateId }) } foreach ($key in $DSCParams.keys) 
@@ -1067,10 +1067,10 @@ function Get-SettingCatalogPolicySettingsFromTemplate $groupSettingCollectionValueChildren += $groupSettingCollectionValueChild } } - $groupSettingCollectionValue.add('children', $groupSettingCollectionValueChildren) + $groupSettingCollectionValue.Add('children', $groupSettingCollectionValueChildren) $groupSettingCollectionValues += $groupSettingCollectionValue - $settingInstance.add('groupSettingCollectionValue', $groupSettingCollectionValues) - $setting.add('settingInstance', $settingInstance) + $settingInstance.Add('groupSettingCollectionValue', $groupSettingCollectionValues) + $setting.Add('settingInstance', $settingInstance) if ($setting.settingInstance.groupSettingCollectionValue.children.count -gt 0) { @@ -1202,7 +1202,7 @@ function ConvertTo-IntunePolicyAssignment } if ($assignment.dataType -like '*CollectionAssignmentTarget') { - $target.add('collectionId', $assignment.collectionId) + $target.Add('collectionId', $assignment.collectionId) } elseif ($assignment.dataType -like '*GroupAssignmentTarget') { @@ -1401,7 +1401,7 @@ function Update-DeviceConfigurationPolicyAssignment #Skipping assignment if group not found from either groupId or groupDisplayName if ($null -ne $group) { - $formattedTarget.add('groupId',$group.Id) + $formattedTarget.Add('groupId',$group.Id) } } if ($target.collectionId) 
@@ -1735,18 +1735,56 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue if ($childSettingValue.Keys.Count -gt 0) { - if ($childSettingValue.Keys -notcontains 'settingDefinitionId') + # If only one child item is allowed but we have multiple values, we need to create an object for each child + # Happens e.g. for the IntuneDeviceControlPolicyWindows10 resource --> {ruleid} and {ruleid}_ruledata definitions + if ($childSettingValue.groupSettingCollectionValue.Count -gt 1 -and + $childDefinition.AdditionalProperties.maximumCount -eq 1 -and + $groupSettingCollectionDefinitionChildren.Count -eq 1) { - $childSettingValue.Add('settingDefinitionId', $childDefinition.Id) + $childSettingValueOld = $childSettingValue + $childSettingValue = @() + foreach ($childSettingValueItem in $childSettingValueOld.groupSettingCollectionValue) + { + $childSettingValueInner = @{ + children = @() + } + $childSettingValueItem.Add('@odata.type', $childSettingType) + $childSettingValueInner.children += @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = $childSettingValueItem.children + } + ) + settingDefinitionId = $childDefinition.Id + } + if (-not [string]::IsNullOrEmpty($childSettingInstanceTemplate.settingInstanceTemplateId)) + { + $childSettingValueInner.children[0].groupSettingCollectionValue.settingInstanceTemplateReference = @{ + 'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId + } + } + $childSettingValue += $childSettingValueInner + } + $groupSettingCollectionValue += $childSettingValue } - if (-not [string]::IsNullOrEmpty($childSettingInstanceTemplate.settingInstanceTemplateId)) + else { - $childSettingValue.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId }) + if ($childSettingValue.Keys -notcontains 'settingDefinitionId') + { + 
$childSettingValue.Add('settingDefinitionId', $childDefinition.Id) + } + if (-not [string]::IsNullOrEmpty($childSettingInstanceTemplate.settingInstanceTemplateId)) + { + $childSettingValue.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId }) + } + $childSettingValue.Add('@odata.type', $childSettingType) + $groupSettingCollectionValueChildren += $childSettingValue } - $childSettingValue.Add('@odata.type', $childSettingType) - $groupSettingCollectionValueChildren += $childSettingValue } } + + # Does not happen for wrapped children elements if ($groupSettingCollectionValueChildren.Count -gt 0) { $groupSettingCollectionValue += @{ From 61627d57e0de3d9fc90449406ab6e54d24df60a1 Mon Sep 17 00:00:00 2001 From: Dan Lag Date: Thu, 3 Oct 2024 11:03:36 -0400 Subject: [PATCH 4/4] Added support for ApplicationSecret --- CHANGELOG.md | 5 +++++ .../MSFT_AADEntitlementManagementSettings.psm1 | 14 ++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2196377267..83dd9bc7fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* AADEntitlementManagementSettings + * Added support for ApplicationSecret + # 1.24.1002.1 * AADAdministrativeUnit diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementSettings/MSFT_AADEntitlementManagementSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementSettings/MSFT_AADEntitlementManagementSettings.psm1 index f145e6744d..7ffb6e65bc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementSettings/MSFT_AADEntitlementManagementSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADEntitlementManagementSettings/MSFT_AADEntitlementManagementSettings.psm1 
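Review bot: In the new wrapping branch, `$childSettingValueInner.children[0].groupSettingCollectionValue.settingInstanceTemplateReference = @{ ... }` assigns through `groupSettingCollectionValue`, which was just built as an array (`@( @{ children = ... } )`); PowerShell member enumeration supports reads on arrays but not property assignment, so this line is expected to throw whenever `settingInstanceTemplateId` is non-empty. The `else` branch puts the same reference on the setting instance itself, so the intended target is probably `$childSettingValueInner.children[0].settingInstanceTemplateReference = @{ 'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId }`. Also, `$childSettingValueItem.Add('@odata.type', $childSettingType)` has no visible effect, because only `$childSettingValueItem.children` is copied into the wrapper, and if the item is a hashtable that already carries that key the `Add` call would throw. Get-IntuneSettingCatalogPolicySettingInstanceValue starts and ends outside this hunk, so the shapes of `$childSettingValue` and `$childDefinition` are inferred from the visible lines only.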
@@ -28,6 +28,10 @@ function Get-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -72,6 +76,7 @@ function Get-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens @@ -120,6 +125,10 @@ function Set-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -181,6 +190,10 @@ function Test-TargetResource [System.String] $TenantId, + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + [Parameter()] [System.String] $CertificateThumbprint, @@ -281,6 +294,7 @@ function Export-TargetResource Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId + ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens
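Review bot: The last hunk passes `ApplicationSecret = $ApplicationSecret` inside Export-TargetResource, but unlike Get-, Set- and Test-TargetResource no hunk in this patch adds an `$ApplicationSecret` parameter to that function; if it is not already declared there, the value would be `$null` and the secret would never reach the code that consumes this hashtable. The diffstat also lists only CHANGELOG.md and the .psm1, so it is worth confirming that the resource's schema file already declares ApplicationSecret as an embedded credential, otherwise DSC will presumably reject the new property. Each of the five hunks cuts into a function whose body continues outside the visible lines.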