Merge pull request #5209 from NikCharlebois/SPOTenantSettings

SPOTenantSettings

CHANGELOG.md

@@ -6,6 +6,12 @@
  * Initial release.
 * AADIdentityGovernanceProgram
  * Initial release.
+* SPOTenantSettings
+ * Added support for AllowSelectSGsInODBListInTenant,
+ DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList,
+ AllowSelectSecurityGroupsInSPSitesList,
+ ExemptNativeUsersFromTenantLevelRestricedAccessControl properties.
+ * TenantDefaultTimezone changed to String instead of Array.
 * M365DSCDRGUtil
  * Fixes an issue where non-unique properties were not combined
  properly with their respective parent setting.

Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1

@@ -106,6 +106,26 @@ function Get-TargetResource
  [System.String]
  $TenantDefaultTimezone,
 
+ [Parameter()]
+ [System.Boolean]
+ $ExemptNativeUsersFromTenantLevelRestricedAccessControl,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSecurityGroupsInSPSitesList,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSecurityGroupsInSPSitesList,
+
  [Parameter()]
  [ValidateSet('Present', 'Absent')]
  [System.String]
@@ -184,41 +204,56 @@ function Get-TargetResource
  $MaxCompat = $CompatibilityRange[1]
  }
 
+ # Additional Properties via REST
+ $parametersToRetrieve = @('ExemptNativeUsersFromTenantLevelRestricedAccessControl',
+ 'AllowSelectSGsInODBListInTenant',
+ 'DenySelectSGsInODBListInTenant',
+ 'DenySelectSecurityGroupsInSPSitesList',
+ 'AllowSelectSecurityGroupsInSPSitesList')
+
+ $response = Invoke-PnPSPRestMethod -Method Get `
+ -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant?`$select=$($parametersToRetrieve -join ',')"
+
+
  return @{
- IsSingleInstance = 'Yes'
- MinCompatibilityLevel = $MinCompat
- MaxCompatibilityLevel = $MaxCompat
- SearchResolveExactEmailOrUPN = $SPOTenantSettings.SearchResolveExactEmailOrUPN
- OfficeClientADALDisabled = $SPOTenantSettings.OfficeClientADALDisabled
- LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled
- SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain
- UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView
- #UserVoiceForFeedbackEnabled = $SPOTenantSettings.UserVoiceForFeedbackEnabled
- PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled
- PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes
- UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker
- NotificationsInSharePointEnabled = $SPOTenantSettings.NotificationsInSharePointEnabled
- OwnerAnonymousNotification = $SPOTenantSettings.OwnerAnonymousNotification
- ApplyAppEnforcedRestrictionsToAdHocRecipients = $SPOTenantSettings.ApplyAppEnforcedRestrictionsToAdHocRecipients
- FilePickerExternalImageSearchEnabled = $SPOTenantSettings.FilePickerExternalImageSearchEnabled
- HideDefaultThemes = $SPOTenantSettings.HideDefaultThemes
- HideSyncButtonOnTeamSite = $SPOTenantSettings.HideSyncButtonOnTeamSite
- MarkNewFilesSensitiveByDefault = $SPOTenantSettings.MarkNewFilesSensitiveByDefault
- DisabledWebPartIds = [String[]]$SPOTenantSettings.DisabledWebPartIds
- SocialBarOnSitePagesDisabled = $SPOTenantSettings.SocialBarOnSitePagesDisabled
- CommentsOnSitePagesDisabled = $SPOTenantSettings.CommentsOnSitePagesDisabled
- EnableAIPIntegration = $SPOTenantSettings.EnableAIPIntegration
- TenantDefaultTimezone = $SPOTenantGraphSettings.TenantDefaultTimeZone
- Credential = $Credential
- ApplicationId = $ApplicationId
- TenantId = $TenantId
- ApplicationSecret = $ApplicationSecret
- CertificatePassword = $CertificatePassword
- CertificatePath = $CertificatePath
- CertificateThumbprint = $CertificateThumbprint
- Managedidentity = $ManagedIdentity.IsPresent
- Ensure = 'Present'
- AccessTokens = $AccessTokens
+ IsSingleInstance = 'Yes'
+ ExemptNativeUsersFromTenantLevelRestricedAccessControl = $response.ExemptNativeUsersFromTenantLevelRestricedAccessControl
+ AllowSelectSGsInODBListInTenant = $response.AllowSelectSGsInODBListInTenant
+ DenySelectSGsInODBListInTenant = $response.DenySelectSGsInODBListInTenant
+ DenySelectSecurityGroupsInSPSitesList = $response.DenySelectSecurityGroupsInSPSitesList
+ AllowSelectSecurityGroupsInSPSitesList = $response.AllowSelectSecurityGroupsInSPSitesList
+ MinCompatibilityLevel = $MinCompat
+ MaxCompatibilityLevel = $MaxCompat
+ SearchResolveExactEmailOrUPN = $SPOTenantSettings.SearchResolveExactEmailOrUPN
+ OfficeClientADALDisabled = $SPOTenantSettings.OfficeClientADALDisabled
+ LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled
+ SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain
+ UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView
+ PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled
+ PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes
+ UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker
+ NotificationsInSharePointEnabled = $SPOTenantSettings.NotificationsInSharePointEnabled
+ OwnerAnonymousNotification = $SPOTenantSettings.OwnerAnonymousNotification
+ ApplyAppEnforcedRestrictionsToAdHocRecipients = $SPOTenantSettings.ApplyAppEnforcedRestrictionsToAdHocRecipients
+ FilePickerExternalImageSearchEnabled = $SPOTenantSettings.FilePickerExternalImageSearchEnabled
+ HideDefaultThemes = $SPOTenantSettings.HideDefaultThemes
+ HideSyncButtonOnTeamSite = $SPOTenantSettings.HideSyncButtonOnTeamSite
+ MarkNewFilesSensitiveByDefault = $SPOTenantSettings.MarkNewFilesSensitiveByDefault
+ DisabledWebPartIds = [String[]]$SPOTenantSettings.DisabledWebPartIds
+ SocialBarOnSitePagesDisabled = $SPOTenantSettings.SocialBarOnSitePagesDisabled
+ CommentsOnSitePagesDisabled = $SPOTenantSettings.CommentsOnSitePagesDisabled
+ EnableAIPIntegration = $SPOTenantSettings.EnableAIPIntegration
+ TenantDefaultTimezone = $SPOTenantGraphSettings.TenantDefaultTimeZone
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificatePassword = $CertificatePassword
+ CertificatePath = $CertificatePath
+ CertificateThumbprint = $CertificateThumbprint
+ Managedidentity = $ManagedIdentity.IsPresent
+ Ensure = 'Present'
+ AccessTokens = $AccessTokens
  }
  }
  catch
@@ -341,6 +376,26 @@ function Set-TargetResource
  [System.String]
  $TenantDefaultTimezone,
 
+ [Parameter()]
+ [System.Boolean]
+ $ExemptNativeUsersFromTenantLevelRestricedAccessControl,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSecurityGroupsInSPSitesList,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSecurityGroupsInSPSitesList,
+
  [Parameter()]
  [ValidateSet('Present', 'Absent')]
  [System.String]
@@ -416,6 +471,11 @@ function Set-TargetResource
  $CurrentParameters.Remove('ManagedIdentity') | Out-Null
  $CurrentParameters.Remove('ApplicationSecret') | Out-Null
  $CurrentParameters.Remove('AccessTokens') | Out-Null
+ $CurrentParameters.Remove('ExemptNativeUsersFromTenantLevelRestricedAccessControl') | Out-Null
+ $CurrentParameters.Remove('AllowSelectSGsInODBListInTenant') | Out-Null
+ $CurrentParameters.Remove('DenySelectSGsInODBListInTenant') | Out-Null
+ $CurrentParameters.Remove('DenySelectSecurityGroupsInSPSitesList') | Out-Null
+ $CurrentParameters.Remove('AllowSelectSecurityGroupsInSPSitesList') | Out-Null
 
  $CurrentParameters.Remove('TenantDefaultTimezone') | Out-Null # this one is updated separately using Graph
  if ($CurrentParameters.Keys.Contains('UserVoiceForFeedbackEnabled'))
@@ -435,6 +495,62 @@ function Set-TargetResource
  {
  $tenantGraph = Update-MgAdminSharepointSetting -TenantDefaultTimezone $TenantDefaultTimezone -ErrorAction Stop
  }
+
+ # Updating via REST
+ try
+ {
+ $paramsToUpdate = @{}
+ $needToUpdate = $false
+
+ if ($null -ne $ExemptNativeUsersFromTenantLevelRestricedAccessControl)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("ExemptNativeUsersFromTenantLevelRestricedAccessControl", $ExemptNativeUsersFromTenantLevelRestricedAccessControl)
+ }
+
+ if ($null -ne $AllowSelectSGsInODBListInTenant)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("AllowSelectSGsInODBListInTenant", $AllowSelectSGsInODBListInTenant)
+ }
+
+ if ($null -ne $DenySelectSGsInODBListInTenant)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("DenySelectSGsInODBListInTenant", $DenySelectSGsInODBListInTenant)
+ }
+
+ if ($null -ne $DenySelectSecurityGroupsInSPSitesList)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("DenySelectSecurityGroupsInSPSitesList", $DenySelectSecurityGroupsInSPSitesList)
+ }
+
+ if ($null -ne $AllowSelectSecurityGroupsInSPSitesList)
+ {
+ $needToUpdate = $true
+ $paramsToUpdate.Add("AllowSelectSecurityGroupsInSPSitesList", $AllowSelectSecurityGroupsInSPSitesList)
+ }
+
+ if ($needToUpdate)
+ {
+ Write-Verbose -Message "Updating properties via REST PATCH call."
+ Invoke-PnPSPRestMethod -Method PATCH `
+ -Url "$($Global:MSCloudLoginConnectionProfile.PnP.AdminUrl)/_api/SPO.Tenant" `
+ -Content $paramsToUpdate
+ }
+ }
+ catch
+ {
+ if ($_.Exception.Message.Contains("The requested operation is part of an experimental feature that is not supported in the current environment."))
+ {
+ Write-Verbose -Message "Updating via REST: The associated feature is not available in the given tenant."
+ }
+ else
+ {
+ throw $_
+ }
+ }
 }
 
 function Test-TargetResource
@@ -541,6 +657,26 @@ function Test-TargetResource
  [System.String]
  $TenantDefaultTimezone,
 
+ [Parameter()]
+ [System.Boolean]
+ $ExemptNativeUsersFromTenantLevelRestricedAccessControl,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSGsInODBListInTenant,
+
+ [Parameter()]
+ [System.String[]]
+ $DenySelectSecurityGroupsInSPSitesList,
+
+ [Parameter()]
+ [System.String[]]
+ $AllowSelectSecurityGroupsInSPSitesList,
+
  [Parameter()]
  [ValidateSet('Present', 'Absent')]
  [System.String]

Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.schema.mof

@@ -24,6 +24,11 @@ class MSFT_SPOTenantSettings : OMI_BaseResource
  [Write, Description("Disables or enables the Social Bar. It will give users the ability to like a page, see the number of views, likes, and comments on a page, and see the people who have liked a page.")] boolean SocialBarOnSitePagesDisabled;
  [Write, Description("Set to false to enable a comment section on all site pages, users who have access to the pages can leave comments. Set to true to disable this feature.")] boolean CommentsOnSitePagesDisabled;
  [Write, Description("Boolean indicating if Azure Information Protection (AIP) should be enabled on the tenant.")] boolean EnableAIPIntegration;
+ [Write, Description("Determines whether or not we need to include external participants in shared channels for SharePoint access restriction.")] Boolean ExemptNativeUsersFromTenantLevelRestricedAccessControl;
+ [Write, Description("List of security groups to include in OneDrive access restrictions")] String AllowSelectSGsInODBListInTenant[];
+ [Write, Description("List of security groups to exclude in OneDrive access restrictions")] String DenySelectSGsInODBListInTenant[];
+ [Write, Description("List of security groups to exclude in SharePoint access restrictions")] String DenySelectSecurityGroupsInSPSitesList[];
+ [Write, Description("List of security groups to include in SharePoint access restrictions.")] String AllowSelectSecurityGroupsInSPSitesList[];
  [Write, Description("The default timezone of a tenant for newly created sites.")] String TenantDefaultTimezone;
  [Write, Description("Only accepted value is 'Present'."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
  [Write, Description("Credentials of the account to authenticate with."), EmbeddedInstance("MSFT_Credential")] string Credential;

Tests/Unit/Microsoft365DSC/Microsoft365DSC.SPOTenantSettings.Tests.ps1

@@ -36,6 +36,10 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
  return $null
  }
 
+ Mock -CommandName Invoke-PnPSPRestMethod -MockWith {
+ return $null
+ }
+
  # Mock Write-Host to hide output during the tests
  Mock -CommandName Write-Host -MockWith {
  }

Tests/Unit/Stubs/Microsoft365.psm1

@@ -97621,3 +97621,20 @@ function Stop-MgBetaIdentityGovernanceAccessReviewDefinition
 
 #endregion
 
+function Invoke-PnPSPRestMethod
+{
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [System.String]
+ $Method,
+
+ [Parameter()]
+ [System.String]
+ $Url,
+
+ [Parameter()]
+ [System.Object]
+ $Content
+ )
+}