Merge branch 'Dev' into feat/intune-asrappbrowserpolicy-windows10

CHANGELOG.md

@@ -2,6 +2,14 @@
 
 # UNRELEASED
 
+* IntuneAppAndBrowserIsolationPolicyWindows10
+  * Initial release.
+    FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028)
+
+# 1.24.1002.1
+
+* AADAdministrativeUnit
+  * Added support for property IsMemberManagementRestricted.
 * AADApplication
   * Added AppRoles
   * Added AuthenticationBehavior
@@ -18,8 +26,12 @@
 * AADFeatureRolloutPolicy
   * Initial release
 * AADGroup
+  * Fixes issue with incorrect removal of assigned license(s)
+    FIXES [#5128](https://github.com/microsoft/Microsoft365DSC/issues/5128)
   * Fixes logic to evaluate license assignments and disabled plans.
     FIXES [#5101](https://github.com/microsoft/Microsoft365DSC/issues/5101)
+  * Fixes issue with code that is never executed
+    FIXES [#5001](https://github.com/microsoft/Microsoft365DSC/issues/5001)
   * Adds support to assign Service Principal as members or owners.
     FIXES [#4972](https://github.com/microsoft/Microsoft365DSC/issues/4972)
 * AADPasswordRuleSettings
@@ -38,6 +50,10 @@
   * Use correct type integer for variable `PhishThresholdLevel`
 * EXOArcConfig
   * Initial Release.
+* EXOAuthenticationPolicy
+  * If policy needs changes then recreate it to avoid issue with
+    `Set-AuthenticationPolicy` cmdlet
+    FIXES [#4819](https://github.com/microsoft/Microsoft365DSC/issues/4819)
 * EXODnssecForVerifiedDomain
   * Initial Release.
 * EXOEmailTenantSettings
@@ -63,11 +79,13 @@
 * IntuneAntivirusPolicyWindows10SettingCatalog
   * Fixes an issue with invalid parameter definition.
     FIXES [#5015](https://github.com/microsoft/Microsoft365DSC/issues/5015)
-* IntuneAppAndBrowserIsolationPolicyWindows10
-  * Initial release.
-    FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028)
+  * Fixes an issue where the `AccessTokens` parameter was not available.
+    FIXES [#5121](https://github.com/microsoft/Microsoft365DSC/issues/5121)
 * IntuneAppCategory
   * Initial release.
+* IntuneAppProtectionPolicyiOS
+  * Improve `TargetedAppManagementLevels` property to specify multiple values.
+    FIXES [#5032](https://github.com/microsoft/Microsoft365DSC/issues/5032)
 * IntuneDeviceCompliancePolicyWindows10
   * Fixes an issue where the property `ValidOperatingSystemBuildRanges` was
     not exported properly.
@@ -123,7 +141,8 @@
 * DEPENDENCIES
   * Updated DSCParser to version 2.0.0.10.
   * Updated Microsoft.Graph to version 2.23.0.
-  * Added dependencies on Az.Accounts, Az.Resources and Az.SecurityInsights
+  * Added dependencies on Az.Accounts, Az.Resources, Az.ResourceGraph
+    and Az.SecurityInsights.
   * Updated DSCParser to version 2.0.0.9.
   * Updated MSCloudLoginAssistant to version 1.1.25.
   * Added dependency on Microsoft.Graph.Beta.Search.

Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.psm1

@@ -22,6 +22,10 @@ function Get-TargetResource
         [System.String]
         $Visibility,
 
+        [Parameter()]
+        [System.Boolean]
+        $IsMemberManagementRestricted,
+
         [Parameter()]
         [validateset('Assigned', 'Dynamic')]
         [System.String]
@@ -143,18 +147,19 @@ function Get-TargetResource
         Write-Verbose -Message "An Azure AD Administrative Unit with Id {$Id} and DisplayName {$DisplayName} was found."
         $results = @{
             #region resource generator code
-            Description           = $getValue.Description
-            DisplayName           = $getValue.DisplayName
-            Visibility            = $getValue.Visibility
-            Id                    = $getValue.Id
-            Ensure                = 'Present'
-            Credential            = $Credential
-            ApplicationId         = $ApplicationId
-            TenantId              = $TenantId
-            ApplicationSecret     = $ApplicationSecret
-            CertificateThumbprint = $CertificateThumbprint
-            Managedidentity       = $ManagedIdentity.IsPresent
-            AccessTokens          = $AccessTokens
+            Description                  = $getValue.Description
+            DisplayName                  = $getValue.DisplayName
+            Visibility                   = $getValue.Visibility
+            IsMemberManagementRestricted = $getValue.IsMemberManagementRestricted
+            Id                           = $getValue.Id
+            Ensure                       = 'Present'
+            Credential                   = $Credential
+            ApplicationId                = $ApplicationId
+            TenantId                     = $TenantId
+            ApplicationSecret            = $ApplicationSecret
+            CertificateThumbprint        = $CertificateThumbprint
+            Managedidentity              = $ManagedIdentity.IsPresent
+            AccessTokens                 = $AccessTokens
             #endregion
         }
 
@@ -293,6 +298,10 @@ function Set-TargetResource
         [System.String]
         $Visibility,
 
+        [Parameter()]
+        [System.Boolean]
+        $IsMemberManagementRestricted,
+
         [Parameter()]
         [validateset('Assigned', 'Dynamic')]
         [System.String]
@@ -352,7 +361,7 @@ function Set-TargetResource
     try
     {
         $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-            -InboundParameters $PSBoundParameters `
+            -InboundParameters $PSBoundParameters
     }
     catch
     {
@@ -547,11 +556,7 @@ function Set-TargetResource
         #region resource generator code
         Write-Verbose -Message "Creating new Administrative Unit with: $(Convert-M365DscHashtableToString -Hashtable $CreateParameters)"
 
-        $jsonParams = ConvertTo-Json $CreateParameters
-
-        # TODO - Replace by cmdlet call which has an issue in 2.11.1
-        $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + 'beta/administrativeUnits'
-        $policy = Invoke-MgGraphRequest -Method POST -Uri $url -Body $jsonParams
+        $policy = New-MgBetaDirectoryAdministrativeUnit @CreateParameters
 
         if ($MembershipType -ne 'Dynamic')
         {
@@ -599,12 +604,8 @@ function Set-TargetResource
         $UpdateParameters.Remove('ScopedRoleMembers') | Out-Null
 
         #region resource generator code
-        $jsonParams = ConvertTo-Json $UpdateParameters
-        $url = $Global:MSCloudLoginConnectionProfile.MicrosoftGraph.ResourceUrl + "beta/administrativeUnits/$($currentInstance.Id)"
-        Invoke-MgGraphRequest -Method PATCH -Uri $url -Body $jsonParams
-        <#Update-MgBetaDirectoryAdministrativeUnit @UpdateParameters `
-            -AdministrativeUnitId $currentInstance.Id #>
-
+        Update-MgBetaDirectoryAdministrativeUnit @UpdateParameters `
+            -AdministrativeUnitId $currentInstance.Id
         #endregion
 
         if ($MembershipType -ne 'Dynamic')
@@ -818,6 +819,10 @@ function Test-TargetResource
         [System.String]
         $Visibility,
 
+        [Parameter()]
+        [System.Boolean]
+        $IsMemberManagementRestricted,
+
         [Parameter()]
         [validateset('Assigned', 'Dynamic')]
         [System.String]

Modules/Microsoft365DSC/DSCResources/MSFT_AADAdministrativeUnit/MSFT_AADAdministrativeUnit.schema.mof

@@ -18,6 +18,7 @@ class MSFT_AADAdministrativeUnit : OMI_BaseResource
     [Write, Description("Object-Id of the Administrative Unit")] String Id;
     [Write, Description("Description of the Administrative Unit")] String Description;
     [Write, Description("Visibility of the Administrative Unit. Specify HiddenMembership if members of the AU are hidden")] String Visibility;
+    [Write, Description("Indicates whether the management rights on resources in the administrative units should be restricted to ONLY the administrators scoped on the administrative unit object.")] Boolean IsMemberManagementRestricted;
     [Write, Description("Specify membership type. Possible values are Assigned and Dynamic. Note that the functionality is currently in preview.")] String MembershipType;
     [Write, Description("Specify membership rule. Requires that MembershipType is set to Dynamic. Note that the functionality is currently in preview.")] String MembershipRule;
     [Write, Description("Specify dynamic membership-rule processing-state. Valid values are 'On' and 'Paused'. Requires that MembershipType is set to Dynamic. Note that the functionality is currently in preview.")] String MembershipRuleProcessingState;

Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1

@@ -933,7 +933,16 @@ function Set-TargetResource
 
     if($needToUpdateKeyCredentials -and $KeyCredentials)
     {
-        Write-Warning -Message "KeyCredentials is a readonly property and cannot be configured."
+        Write-Verbose -Message "Updating for Azure AD Application {$($currentAADApp.DisplayName)} with KeyCredentials:`r`n$($KeyCredentials| Out-String)"
+
+        if((currentAADApp.KeyCredentials.Length -eq 0 -and $KeyCredentials.Length -eq 1) -or (currentAADApp.KeyCredentials.Length -eq 1 -and $KeyCredentials.Length -eq 0))
+        {
+            Update-MgApplication -ApplicationId $currentAADApp.Id -KeyCredentials $KeyCredentials | Out-Null
+        }
+        else
+        {
+            Write-Warning -Message "KeyCredentials cannot be updated for AAD Applications with more than one KeyCredentials due to technical limitation of Update-MgApplication Cmdlet. Learn more at: https://learn.microsoft.com/en-us/graph/api/application-addkey"
+        }
     }
 }
 

Modules/Microsoft365DSC/DSCResources/MSFT_AADGroup/MSFT_AADGroup.psm1

@@ -591,10 +591,6 @@ function Set-TargetResource
                     -Source $MyInvocation.MyCommand.ModuleName
             }
         }
-        if ($assignedLicensesGUIDs.Length -gt 0)
-        {
-            Set-MgGroupLicense -GroupId $currentGroup.Id -AddLicenses $licensesToAdd -RemoveLicenses @()
-        }
     }
     if ($Ensure -eq 'Present')
     {
@@ -620,7 +616,7 @@ function Set-TargetResource
                 Update-MgGroup @currentParameters | Out-Null
             }
 
-            if (($licensesToAdd.Length -gt 0 -or $licensesToRemove.Length -gt 0) -and $AssignedLicenses -ne $null)
+            if (($licensesToAdd.Length -gt 0 -or $licensesToRemove.Length -gt 0) -and $PSBoundParameters.ContainsKey('AssignedLicenses'))
             {
                 try
                 {
@@ -1088,11 +1084,11 @@ function Test-TargetResource
         try
         {
             if ($null -ne $CurrentValues.AssignedLicenses -and $CurrentValues.AssignedLicenses.Length -gt 0 -and `
-                $null -eq $AssignedLicenses)
+                ($PSBoundParameters.ContainsKey('AssignedLicenses') -and $null -eq $AssignedLicenses))
             {
-                Write-Verbose -Message "The group currently has licenses assigned but it shouldn't"
+                Write-Verbose -Message "The group {$DisplayName} currently has licenses assigned but it shouldn't"
                 Write-Verbose -Message "Test-TargetResource returned $false"
-                $EventMessage = "Assigned Licenses for Azure AD Group {$DisplayName} were not in the desired state.`r`nThe group should not have any licenses assigned but instead contained {$($CurrentValues.AssignedLicenses.SkuId)}"
+                $EventMessage = "Assigned Licenses for Azure AD Group {$DisplayName} were not in the desired state.`r`nThe group should not have any licenses assigned but instead contained {$($CurrentValues.AssignedLicenses.SkuId -join ',')}"
                 Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
                     -EventID 1 -Source $($MyInvocation.MyCommand.Source)
 
@@ -1101,59 +1097,90 @@ function Test-TargetResource
             elseif ($null -eq $CurrentValues.AssignedLicenses -and $null -ne $AssignedLicenses -and `
                     $AssignedLicenses.Length -gt 0)
             {
-                Write-Verbose -Message "The group currently doesn't have licenses assigned but it should"
+                Write-Verbose -Message "The group {$DisplayName} currently doesn't have licenses assigned but it should"
                 Write-Verbose -Message "Test-TargetResource returned $false"
-                $EventMessage = "Assigned Licenses for Azure AD Group {$DisplayName} were not in the desired state.`r`nThe group doesn't not have any licenses assigned but should have {$($CurrentValues.AssignedLicenses.SkuId)}"
+                $EventMessage = "Assigned Licenses for Azure AD Group {$DisplayName} were not in the desired state.`r`nThe group doesn't not have any licenses assigned but should have {$($CurrentValues.AssignedLicenses.SkuId -join ',')}"
                 Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
                     -EventID 1 -Source $($MyInvocation.MyCommand.Source)
 
                 return $false
             }
             elseif ($CurrentValues.AssignedLicenses.Length -gt 0 -and $AssignedLicenses.Length -gt 0)
             {
-                Write-Verbose -Message "Current assigned licenses and desired assigned licenses are not null"
+                Write-Verbose -Message "Current assigned licenses and desired assigned licenses for group {$DisplayName} are not null and will be compared"
                 $licensesDiff = Compare-Object -ReferenceObject ($CurrentValues.AssignedLicenses.SkuId) -DifferenceObject ($AssignedLicenses.SkuId)
                 if ($null -ne $licensesDiff)
                 {
-                    Write-Verbose -Message "AssignedLicenses differ: $($licensesDiff | Out-String)"
+                    Write-Verbose -Message "AssignedLicenses differ for group {$DisplayName}: $($licensesDiff | Out-String)"
                     Write-Verbose -Message "Test-TargetResource returned $false"
-                    $EventMessage = "Assigned Licenses for Azure AD Group {$DisplayName} were not in the desired state.`r`nThey should contain {$($AssignedLicenses.SkuId)} but instead contained {$($CurrentValues.AssignedLicenses.SkuId)}"
+                    $EventMessage = "Assigned Licenses for Azure AD Group {$DisplayName} were not in the desired state.`r`nThey should contain {$($AssignedLicenses.SkuId -join ',')} but instead contained {$($CurrentValues.AssignedLicenses.SkuId -join ',')}"
                     Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
                         -EventID 1 -Source $($MyInvocation.MyCommand.Source)
 
                     return $false
                 }
                 else
                 {
-                    Write-Verbose -Message 'AssignedLicenses for Azure AD Group are the same'
+                    Write-Verbose -Message "AssignedLicenses for Azure AD Group {$DisplayName} are the same, checking DisabledPlans"
                 }
 
                 # Disabled Plans
-                $licensesDiff = Compare-Object -ReferenceObject ($CurrentValues.AssignedLicenses.DisabledPlans) -DifferenceObject ($AssignedLicenses.DisabledPlans)
-                if ($null -ne $licensesDiff)
+                #Compare DisabledPlans for each SkuId - all SkuId's are processed regardless of result
+                $result = $true
+                foreach ($assignedLicense in $AssignedLicenses)
                 {
-                    Write-Verbose -Message "DisabledPlans differ: $($licensesDiff | Out-String)"
-                    Write-Verbose -Message "Test-TargetResource returned $false"
-                    $EventMessage = "Disabled Plans for Azure AD Group Licenses {$DisplayName} were not in the desired state.`r`n" + `
-                        "They should contain {$($AssignedLicenses.DisabledPlans)} but instead contained {$($CurrentValues.AssignedLicenses.DisabledPlans)}"
-                    Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
-                        -EventID 1 -Source $($MyInvocation.MyCommand.Source)
-
-                    return $false
+                    Write-Verbose "Compare DisabledPlans for SkuId $($assignedLicense.SkuId) in group {$DisplayName}"
+                    $currentLicense = $CurrentValues.AssignedLicenses | Where-Object -FilterScript {$_.SkuId -eq $assignedLicense.SkuId}
+                    if ($assignedLicense.DisabledPlans.Count -ne 0 -or $currentLicense.DisabledPlans.Count -ne 0)
+                    {
+                        try {
+                            $licensesDiff = Compare-Object -ReferenceObject $assignedLicense.DisabledPlans -DifferenceObject $currentLicense.DisabledPlans
+                            if ($null -ne $licensesDiff)
+                            {
+                                Write-Verbose -Message "DisabledPlans for SkuId $($assignedLicense.SkuId) differ: $($licensesDiff | Out-String)"
+                                Write-Verbose -Message "Test-TargetResource returned $false"
+                                $EventMessage = "Disabled Plans for Azure AD Group Licenses {$DisplayName} SkuId $($assignedLicense.SkuId) were not in the desired state.`r`n" + `
+                                    "They should contain {$($assignedLicense.DisabledPlans -join ',')} but instead contained {$($currentLicense.DisabledPlans -join ',')}"
+                                Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
+                                    -EventID 1 -Source $($MyInvocation.MyCommand.Source)
+
+                                $result = $false
+                            }
+                            else
+                            {
+                                Write-Verbose -Message "DisabledPlans for SkuId $($assignedLicense.SkuId) are the same"
+                            }
+                        }
+                        catch
+                        {
+                            Write-Verbose -Message "Test-TargetResource returned `$false (DisabledPlans: $($_.Exception.Message))"
+                            $result = $false
+                        }
+                    }
                 }
-                else
+                if ($true -ne $result)
                 {
-                    Write-Verbose -Message 'DisabledPlans for Azure AD Group Licensing are the same'
+                    return $result
                 }
             }
+            elseif ($PSBoundParameters.ContainsKey('AssignedLicenses'))
+            {
+                Write-Verbose -Message "The group {$DisplayName} currently has licenses assigned but it shouldn't have"
+                Write-Verbose -Message "Test-TargetResource returned $false"
+                $EventMessage = "Assigned Licenses for Azure AD Group {$DisplayName} were not in the desired state.`r`nThe group has licenses assigned but shouldn't have {$($CurrentValues.AssignedLicenses.SkuId)}"
+                Add-M365DSCEvent -Message $EventMessage -EntryType 'Warning' `
+                    -EventID 1 -Source $($MyInvocation.MyCommand.Source)
+
+                return $false
+            }
             else
             {
-                Write-Verbose -Message "Both the current and desired assigned licenses lists are empty."
+                Write-Verbose -Message "Both the current and desired assigned licenses lists for group {$DisplayName} are empty or not specified."
             }
         }
         catch
         {
-            Write-Verbose -Message "Error evaluating the AssignedLicenses: $_"
+            Write-Verbose -Message "Error evaluating the AssignedLicenses for group {$DisplayName}: $_"
             Write-Verbose -Message "Test-TargetResource returned $false"
             return $false
         }

Modules/Microsoft365DSC/DSCResources/MSFT_ADOOrganizationOwner/MSFT_ADOOrganizationOwner.psm1

@@ -281,9 +281,10 @@ function Export-TargetResource
 
         $i = 1
         $dscContent = ''
-        if ($accounts.Length -eq 0)
+        if ($accounts.count -eq 0)
         {
             Write-Host $Global:M365DSCEmojiGreenCheckMark
+            return ''
         }
         else
         {

Modules/Microsoft365DSC/DSCResources/MSFT_ADOPermissionGroup/MSFT_ADOPermissionGroup.psm1

@@ -482,9 +482,10 @@ function Export-TargetResource
 
         $i = 1
         $dscContent = ''
-        if ($accounts.Length -eq 0)
+        if ($accounts.count -eq 0)
         {
             Write-Host $Global:M365DSCEmojiGreenCheckMark
+            return ''
         }
         else
         {