From a0e1bce38743c9811608d6d68de7cb5243644cbf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=C3=BChler?= <{ID}+{username}@users.noreply.github.com> Date: Tue, 17 Dec 2024 12:55:29 +0100 Subject: [PATCH 1/7] Add disableResilienceDefaults --- CHANGELOG.md | 2 ++ .../MSFT_AADConditionalAccessPolicy.psm1 | 20 ++++++++++++++++++- ...MSFT_AADConditionalAccessPolicy.schema.mof | 2 +- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae5a5ea19e..b09d8073bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ * AADApplication * Added support for Oauth2PermissionScopes. +* AADConditionalAccessPolicy + * Add disableResilienceDefaults * TeamsMeetingPolicy * FIXES [#5550](https://github.com/microsoft/Microsoft365DSC/issues/5550) * MISC diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index 7f81b5de49..5ae25c1ab6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -199,6 +199,10 @@ function Get-TargetResource [System.Boolean] $PersistentBrowserIsEnabled, + [Parameter()] + [System.Boolean] + $disableResilienceDefaultsIsEnabled, + [Parameter()] [System.String] $TermsOfUse, @@ -706,6 +710,8 @@ function Get-TargetResource SignInFrequencyInterval = $SignInFrequencyIntervalValue #no translation needed PersistentBrowserIsEnabled = $false -or $Policy.SessionControls.PersistentBrowser.IsEnabled + #no translation needed + disableResilienceDefaultsIsEnabled = $false -or $Policy.SessionControls.disableResilienceDefaults.IsEnabled #make false if undefined, true if true PersistentBrowserMode = [System.String]$Policy.SessionControls.PersistentBrowser.Mode #no translation needed 
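Review bot: In the Get-TargetResource hunk at @@ -706, `DisableResilienceDefaultsIsEnabled = $false -or $Policy.SessionControls.disableResilienceDefaults.IsEnabled` reads a nested `IsEnabled` member, while the Set-TargetResource hunk at @@ -1802 writes the same setting as a plain Boolean with `$sessioncontrols.Add('disableResilienceDefaults', $true)`, so the two sides disagree about the shape of the property. If the Graph session-controls object exposes `disableResilienceDefaults` as a Boolean, as the Set side assumes, the `.IsEnabled` access yields `$null`, the expression is always `$false`, and the resource reports the setting as disabled regardless of tenant state: a configuration that desires `$true` shows perpetual drift and re-applies every cycle, while a tenant that has the defaults disabled under a configuration that says `$false` is reported compliant. The unit-test mocks added in PATCH 7/7 build `disableResilienceDefaults = @{ IsEnabled = $True }`, so they encode the Get side's assumption rather than confirming it against the API shape. Suggested line: `DisableResilienceDefaultsIsEnabled = $false -or $Policy.SessionControls.DisableResilienceDefaults`, with the mocks changed to `disableResilienceDefaults = $True` if that is the real shape. Both Get-TargetResource and Set-TargetResource extend beyond the hunks shown.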
@@ -929,6 +935,10 @@ function Set-TargetResource [System.Boolean] $PersistentBrowserIsEnabled, + [Parameter()] + [System.Boolean] + $disableResilienceDefaultsIsEnabled, + [Parameter()] [System.String] $TermsOfUse, @@ -1735,7 +1745,7 @@ function Set-TargetResource $NewParameters.Add('grantControls', $GrantControls) } - if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled) + if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled -or $disableResilienceDefaultsIsEnabled) { Write-Verbose -Message 'Set-Targetresource: process session controls' $sessioncontrols = $null @@ -1802,6 +1812,10 @@ function Set-TargetResource $sessioncontrols.persistentBrowser.isEnabled = $true $sessioncontrols.persistentBrowser.mode = $PersistentBrowserMode } + if ($disableResilienceDefaultsIsEnabled) + { + $sessioncontrols.Add('disableResilienceDefaults', $true) + } $NewParameters.Add('sessionControls', $sessioncontrols) #add SessionControls to the parameter list } @@ -2087,6 +2101,10 @@ function Test-TargetResource [System.Boolean] $PersistentBrowserIsEnabled, + [Parameter()] + [System.Boolean] + $disableResilienceDefaults, + [Parameter()] [System.String] $TermsOfUse, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof index a58e7239c3..cf5e1a9597 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof 
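Review bot: In the Set-TargetResource hunk at @@ -1802, `if ($disableResilienceDefaultsIsEnabled) { $sessioncontrols.Add('disableResilienceDefaults', $true) }` only emits the key when the value is `$true`, and the gating condition at @@ -1735 skips the whole session-controls block when this is the only enabled control, so a configuration that sets the property to `$false` never sends `disableResilienceDefaults` at all. Whether an omitted key leaves the tenant's current value in place or resets it depends on how the update request treats missing session-control members, which is not visible here; if it is left in place, the resource cannot deliberately turn the resilience defaults back on and drift in that direction goes uncorrected. If `$sessioncontrols` is always a hashtable at that point, `$sessioncontrols.Add('disableResilienceDefaults', [System.Boolean]$disableResilienceDefaultsIsEnabled)` without the surrounding `if` would send an explicit value in both directions. The fixtures added in PATCH 5/7 all use `$True`, so neither the `$false` path nor the omitted-key behaviour is exercised by a test. Set-TargetResource continues outside the hunk.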
@@ -46,6 +46,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Specifies, whether sign-in frequency is enforced by the Policy.")] Boolean SignInFrequencyIsEnabled; [Write, Description("Sign in frequency interval. Possible values are: timeBased, everyTime and unknownFutureValue."), ValueMap{"timeBased","everyTime","unknownFutureValue"}, Values{"timeBased","everyTime","unknownFutureValue"}] String SignInFrequencyInterval; [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled; + [Write, Description("Specifies, if disableResilienceDefaults is enabled.")] Boolean disableResilienceDefaultsIsEnabled; [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode; [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength; [Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods; @@ -60,4 +61,3 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; }; - From 211438feae9941884d219314acba5305d191f1f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=C3=BChler?= <{ID}+{username}@users.noreply.github.com> Date: Fri, 20 Dec 2024 13:12:37 +0100 Subject: [PATCH 2/7] Rename disableResilienceDefaults parameter to DisableResilienceDefaults for consistency --- .../MSFT_AADConditionalAccessPolicy.psm1 | 10 +++++----- .../MSFT_AADConditionalAccessPolicy.schema.mof | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) 
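Review bot: The description on the added MOF line, `Specifies, if disableResilienceDefaults is enabled.`, restates the property name and does not tell an operator what the setting does or which value is the hardening direction. Something like `Specifies whether the policy disables the Entra ID resilience defaults; true means the resilience defaults are disabled for sessions covered by this policy.` would make the meaning of `$true` explicit. The same wording is carried into the renamed line in PATCH 2/7 and the markdown reference in PATCH 3/7, so those should follow the MOF text.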
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index 5ae25c1ab6..88254ca443 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -201,7 +201,7 @@ function Get-TargetResource [Parameter()] [System.Boolean] - $disableResilienceDefaultsIsEnabled, + $DisableResilienceDefaultsIsEnabled, [Parameter()] [System.String] @@ -711,7 +711,7 @@ function Get-TargetResource #no translation needed PersistentBrowserIsEnabled = $false -or $Policy.SessionControls.PersistentBrowser.IsEnabled #no translation needed - disableResilienceDefaultsIsEnabled = $false -or $Policy.SessionControls.disableResilienceDefaults.IsEnabled + DisableResilienceDefaultsIsEnabled = $false -or $Policy.SessionControls.disableResilienceDefaults.IsEnabled #make false if undefined, true if true PersistentBrowserMode = [System.String]$Policy.SessionControls.PersistentBrowser.Mode #no translation needed @@ -937,7 +937,7 @@ function Set-TargetResource [Parameter()] [System.Boolean] - $disableResilienceDefaultsIsEnabled, + $DisableResilienceDefaultsIsEnabled, [Parameter()] [System.String] @@ -1745,7 +1745,7 @@ function Set-TargetResource $NewParameters.Add('grantControls', $GrantControls) } - if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled -or $disableResilienceDefaultsIsEnabled) + if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled -or $DisableResilienceDefaultsIsEnabled) { Write-Verbose -Message 'Set-Targetresource: process session controls' $sessioncontrols = $null 
@@ -1812,7 +1812,7 @@ function Set-TargetResource $sessioncontrols.persistentBrowser.isEnabled = $true $sessioncontrols.persistentBrowser.mode = $PersistentBrowserMode } - if ($disableResilienceDefaultsIsEnabled) + if ($DisableResilienceDefaultsIsEnabled) { $sessioncontrols.Add('disableResilienceDefaults', $true) } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof index cf5e1a9597..556ec8f895 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof 
@@ -46,8 +46,8 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Specifies, whether sign-in frequency is enforced by the Policy.")] Boolean SignInFrequencyIsEnabled; [Write, Description("Sign in frequency interval. Possible values are: timeBased, everyTime and unknownFutureValue."), ValueMap{"timeBased","everyTime","unknownFutureValue"}, Values{"timeBased","everyTime","unknownFutureValue"}] String SignInFrequencyInterval; [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled; - [Write, Description("Specifies, if disableResilienceDefaults is enabled.")] Boolean disableResilienceDefaultsIsEnabled; [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode; + [Write, Description("Specifies, if DisableResilienceDefaults is enabled.")] Boolean DisableResilienceDefaultsIsEnabled; [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength; [Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods; [Write, Description("Authentication context class references.")] String AuthenticationContexts[]; From f52f6a0ee6efc00a480c1ab487f415d323fe190e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=C3=BChler?= <{ID}+{username}@users.noreply.github.com> Date: Fri, 20 Dec 2024 13:12:58 +0100 Subject: [PATCH 3/7] Update docs to include DisableResilienceDefaultsIsEnabled --- docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md index 90b5dd515f..489253d06c 100644 
--- a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md +++ b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md @@ -50,6 +50,7 @@ | **SignInFrequencyInterval** | Write | String | Sign in frequency interval. Possible values are: timeBased, everyTime and unknownFutureValue. | `timeBased`, `everyTime`, `unknownFutureValue` | | **PersistentBrowserIsEnabled** | Write | Boolean | Specifies, whether Browser Persistence is controlled by the Policy. | | | **PersistentBrowserMode** | Write | String | Specifies, what Browser Persistence control is enforced by the Policy. | `Always`, `Never`, `` | +| **DisableResilienceDefaultsIsEnabled** | Write | Boolean | Specifies, if DisableResilienceDefaults is enabled. | | | **AuthenticationStrength** | Write | String | Name of the associated authentication strength policy. | | | **TransferMethods** | Write | String | Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'. | | | **AuthenticationContexts** | Write | StringArray[] | Authentication context class references. | | From cd2e3c625ad0ba63ce747c96c4de1be367995bf3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=C3=BChler?= <{ID}+{username}@users.noreply.github.com> Date: Fri, 20 Dec 2024 13:13:09 +0100 Subject: [PATCH 4/7] Add DisableResilienceDefaultsIsEnabled to schema --- Modules/Microsoft365DSC/SchemaDefinition.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 6f53ed673c..9e40bc7bc8 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -3522,6 +3522,11 @@ "Name": "PersistentBrowserMode", "Option": "Write" }, + { + "CIMType": "Boolean", + "Name": "DisableResilienceDefaultsIsEnabled", + "Option": "Write" + }, { "CIMType": "String", "Name": "AuthenticationStrength", 
From d707fd7543f662d8b933930108fd015c8319b4f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=C3=BChler?= <{ID}+{username}@users.noreply.github.com> Date: Fri, 20 Dec 2024 13:13:24 +0100 Subject: [PATCH 5/7] Add DisableResilienceDefaultsIsEnabled unit test --- .../Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 index 44e159540e..231a4f1c18 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 @@ -83,6 +83,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest') PersistentBrowserIsEnabled = $True PersistentBrowserMode = 'Always' + DisableResilienceDefaultsIsEnabled = $True SignInFrequencyIsEnabled = $True SignInFrequencyType = 'Days' SignInFrequencyValue = 5 @@ -178,6 +179,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest') PersistentBrowserIsEnabled = $True PersistentBrowserMode = 'Always' + DisableResilienceDefaultsIsEnabled = $True SignInFrequencyIsEnabled = $True SignInFrequencyType = 'Days' SignInFrequencyValue = 5 @@ -450,6 +452,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest') PersistentBrowserIsEnabled = $True PersistentBrowserMode = 'Always' + DisableResilienceDefaultsIsEnabled = $True SignInFrequencyIsEnabled = $True SignInFrequencyType = 'Days' SignInFrequencyValue = 5 
@@ -615,6 +618,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IncludeUsers = 'All' PersistentBrowserIsEnabled = $True PersistentBrowserMode = 'Always' + DisableResilienceDefaultsIsEnabled = $True SignInFrequencyIsEnabled = $True SignInFrequencyType = 'Days' SignInFrequencyValue = 5 From e942bf5a2a62ad764cdb0e4bde0b354005bfca3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=C3=BChler?= <{ID}+{username}@users.noreply.github.com> Date: Wed, 8 Jan 2025 13:31:37 +0100 Subject: [PATCH 6/7] Fix Parameter Name --- .../MSFT_AADConditionalAccessPolicy.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index 88254ca443..0ee0fdacb8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -2103,7 +2103,7 @@ function Test-TargetResource [Parameter()] [System.Boolean] - $disableResilienceDefaults, + $DisableResilienceDefaultsIsEnabled, [Parameter()] [System.String] From 5cf075d306b399aebfe1be47125eb2167e2b2f7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=C3=BChler?= <{ID}+{username}@users.noreply.github.com> Date: Wed, 8 Jan 2025 16:11:15 +0100 Subject: [PATCH 7/7] Add disableResilienceDefaults to ReverseDSC Tests --- ...oft365DSC.AADConditionalAccessPolicy.Tests.ps1 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 index 231a4f1c18..1b197de097 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 @@ -256,6 +256,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IsEnabled = $True Mode = 'Always' } + disableResilienceDefaults = @{ + IsEnabled = $True + } } } } @@ -374,6 +377,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IsEnabled = $True Mode = 'Always' } + disableResilienceDefaults = @{ + IsEnabled = $True + } } } } @@ -551,6 +557,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IsEnabled = $True Mode = 'Always' } + disableResilienceDefaults = @{ + IsEnabled = $True + } } } } @@ -695,6 +704,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IsEnabled = $True Mode = 'Always' } + disableResilienceDefaults = @{ + IsEnabled = $True + } } } } @@ -812,6 +824,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { IsEnabled = $True Mode = 'Always' } + disableResilienceDefaults = @{ + IsEnabled = $True + } } } }