diff --git a/CHANGELOG.md b/CHANGELOG.md index b7e72031d9..1b25c4e3f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ # UNRELEASED +* IntuneDeviceEnrollmentPlatformRestriction + * Added Priority parameter + FIXES [#4081](https://github.com/microsoft/Microsoft365DSC/issues/4081) * TeamsMeetingPolicy * Ignore the AllowUserToJoinExternalMeeting parameterfor drift evaluation since it doesn't do anything based on official documentation. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 index 7214303fba..b6f2f20f3d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 @@ -57,6 +57,10 @@ function Get-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, + [Parameter()] + [System.Int32] + $Priority, + [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] @@ -107,7 +111,12 @@ function Get-TargetResource try { - $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $Identity -ErrorAction silentlyContinue + try { + $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $Identity -ErrorAction Stop + } + catch { + $config = $null + } if ($null -eq $config) { @@ -127,6 +136,7 @@ function Get-TargetResource DisplayName = $config.DisplayName Description = $config.Description DeviceEnrollmentConfigurationType = $config.DeviceEnrollmentConfigurationType.toString() + Priority = $config.Priority Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId 
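Review bot: The new parameter is declared `[System.Int32] $Priority` in this Get-TargetResource param block, whereas the schema hunk in MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof declares the property as `UInt32 Priority`; the same `[System.Int32]` declaration is repeated in the Set-TargetResource and Test-TargetResource param hunks. The LCM hands the function the MOF-typed value, so the two sides should agree — either `[System.UInt32] $Priority` in the three param blocks or `SInt32 Priority` in the MOF. The implicit UInt32-to-Int32 conversion will work for realistic values, so this is a consistency point rather than a runtime failure. Get-TargetResource's param block starts outside the hunk.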
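Review bot: The added `catch { $config = $null }` turns every failure of Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration — throttling, an expired token, a missing Graph permission — into the not-found branch, so a transient error is reported as Ensure = 'Absent' and a following Set-TargetResource takes the create path and provisions a second policy. The previous `-ErrorAction silentlyContinue` had the same blind spot, but now that the error is caught it should at least be recorded, e.g. `catch { Write-Verbose -Message "Could not retrieve Device Enrollment Platform Restriction {$Identity}: $($_.Exception.Message)"; $config = $null }`. Ideally only a not-found response would fall through to `$null` and anything else would be rethrown, but the response status is not visible in this hunk to quote a check. The outer `try` and Get-TargetResource itself continue outside the hunk.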
@@ -229,6 +239,10 @@ function Set-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, + [Parameter()] + [System.Int32] + $Priority, + [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] @@ -258,6 +272,7 @@ function Set-TargetResource [Switch] $ManagedIdentity ) + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters @@ -276,6 +291,12 @@ function Set-TargetResource $currentCategory = Get-TargetResource @PSBoundParameters $PSBoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters $PSBoundParameters.Remove('Identity') | Out-Null + $PriorityPresent = $false + if ($PSBoundParameters.Keys.Contains('Priority')) + { + $PriorityPresent = $true + $PSBoundParameters.Remove('Priority') | Out-Null + } if ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Absent') { @@ -332,10 +353,19 @@ function Set-TargetResource $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $policy.id ` + -DeviceConfigurationPolicyId $policy.Id ` -Targets $assignmentsHash ` -Repository 'deviceManagement/deviceEnrollmentConfigurations' } + + if ($PriorityPresent -and $Priority -ne $policy.Priority) + { + $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $policy.Id + $Body = @{ + priority = $Priority + } + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body + } } } elseif ($Ensure -eq 'Present' -and $currentCategory.Ensure -eq 'Present') 
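Review bot: `$PSBoundParameters.Keys.Contains('Priority')` works but is the roundabout form; the dictionary exposes the check directly as `if ($PSBoundParameters.ContainsKey('Priority'))`, which is also how the surrounding module code usually reads bound parameters. Removing Priority from `$PSBoundParameters` before the body is built looks right, since the hunks below set it through the setPriority action rather than the create/update body, but a short comment saying so would save the next reader the search: `# Priority cannot be sent in the configuration body; it is applied via the setPriority action below`. Set-TargetResource continues outside the hunk.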
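Review bot: The setPriority block added after the assignment update here — URI built with `-f`, a one-key body hashtable, `Invoke-MgGraphRequest -Method POST` — is repeated verbatim in the Set-TargetResource update hunk (`@@ -380,29 +410,36 @@`), differing only in the id it formats in (`$policy.Id` vs `$currentCategory.Identity`). A module-private helper taking the configuration id and the priority would keep the two call sites in step if the endpoint or body ever changes, and gives one place to log the call. `$policy` is presumably the object returned by the create cmdlet, which sits outside the hunk, so the `$policy.Priority` comparison is inferred. The enclosing `if` branch starts outside the hunk.
```powershell
# … unchanged: assignment update …

if ($PriorityPresent -and $Priority -ne $policy.Priority)
{
    Set-EnrollmentConfigurationPriority -ConfigurationId $policy.Id -Priority $Priority
}

# proposed module-private helper, shared with the update path
function Set-EnrollmentConfigurationPriority
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $ConfigurationId,

        [Parameter(Mandatory = $true)]
        [System.Int32]
        $Priority
    )

    # priority is not part of the configuration body; Graph exposes it only through this action
    $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $ConfigurationId
    Invoke-MgGraphRequest -Method POST -Uri $Uri -Body @{ priority = $Priority }
}
```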
@@ -380,29 +410,36 @@ function Set-TargetResource #Write-Verbose ($PSBoundParameters | ConvertTo-Json -Depth 20) Update-MgBetaDeviceManagementDeviceEnrollmentConfiguration ` -BodyParameter ([hashtable]$PSBoundParameters) ` - -DeviceEnrollmentConfigurationId $Identity + -DeviceEnrollmentConfigurationId $currentCategory.Identity #Assignments from DefaultPolicy are not editable and will raise an alert - if ($Identity -notlike '*_DefaultPlatformRestrictions') + if ($currentCategory.Identity -notlike '*_DefaultPlatformRestrictions') { if ($null -ne $Assignments -and $Assignments -ne @()) { $assignmentsHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignments Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $Identity ` - -Targets $assignmentsHash ` - -Repository 'deviceManagement/deviceEnrollmentConfigurations' + -DeviceConfigurationPolicyId $currentCategory.Identity ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceEnrollmentConfigurations' + } + + if ($PriorityPresent -and $Priority -ne $currentCategory.Priority) + { + $Uri = "/beta/deviceManagement/deviceEnrollmentConfigurations/{0}/setPriority" -f $currentCategory.Identity + $Body = @{ + priority = $Priority + } + Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $Body } } } elseif ($Ensure -eq 'Absent' -and $currentCategory.Ensure -eq 'Present') { Write-Verbose -Message "Removing Device Enrollment Platform Restriction {$DisplayName}" - $config = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter "displayName eq '$DisplayName'" ` - | Where-Object -FilterScript { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' } - Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $config.id + Remove-MgBetaDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $currentCategory.Identity } } 
@@ -465,6 +502,10 @@ function Test-TargetResource [Microsoft.Management.Infrastructure.CimInstance[]] $Assignments, + [Parameter()] + [System.Int32] + $Priority, + [Parameter()] [System.String] [ValidateSet('Absent', 'Present')] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof index 673102cc1e..86c13038c2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.schema.mof 
@@ -36,6 +36,7 @@ class MSFT_IntuneDeviceEnrollmentPlatformRestriction : OMI_BaseResource [Write, Description("Mac restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string MacRestriction; [Write, Description("Mac OS restrictions based on platform, platform operating system version, and device ownership."), EmbeddedInstance("MSFT_DeviceEnrollmentPlatformRestriction")] string MacOSRestriction; [Write, Description("Assignments of the policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] string Assignments[]; + [Write, Description("Priority is used when a user exists in multiple groups that are assigned enrollment configuration. Users are subject only to the configuration with the lowest priority value. Inherited from deviceEnrollmentConfiguration.")] UInt32 Priority; [Write, Description("Present ensures the restriction exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
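Review bot: The new property's description ends with "Inherited from deviceEnrollmentConfiguration.", a sentence carried over from the Graph API reference that describes the API's type hierarchy, not anything a DSC configuration author can act on. Trimming it keeps the schema text self-contained: `[Write, Description("Priority is used when a user exists in multiple groups that are assigned enrollment configuration. Users are subject only to the configuration with the lowest priority value.")] UInt32 Priority;`. The type itself is discussed on the matching psm1 param hunk.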