DSCResources/MSFT_EXOAntiPhishPolicy/MSFT_EXOAntiPhishPolicy.psm1
|
function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] [System.String] $Identity, [Parameter()] [System.String] $AdminDisplayName, [Parameter()] [ValidateSet('MoveToJmf', 'Quarantine')] [System.String] $AuthenticationFailAction = 'MoveToJmf', [Parameter()] [System.Boolean] $Enabled = $true, [Parameter()] [System.Boolean] $EnableAntispoofEnforcement = $true, [Parameter()] [System.Boolean] $EnableAuthenticationSafetyTip = $true, [Parameter()] [System.Boolean] $EnableAuthenticationSoftPassSafetyTip = $false, [Parameter()] [System.Boolean] $EnableMailboxIntelligence = $true, [Parameter()] [System.Boolean] $EnableOrganizationDomainsProtection = $false, [Parameter()] [System.Boolean] $EnableSimilarDomainsSafetyTips = $false, [Parameter()] [System.Boolean] $EnableSimilarUsersSafetyTips = $false, [Parameter()] [System.Boolean] $EnableTargetedDomainsProtection = $false, [Parameter()] [System.Boolean] $EnableTargetedUserProtection = $false, [Parameter()] [System.Boolean] $EnableUnusualCharactersSafetyTips = $false, [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter()] [System.String[]] $ExcludedDomains = @(), [Parameter()] [System.String[]] $ExcludedSenders = @(), [Parameter()] [System.Boolean] $MakeDefault = $false, [Parameter()] [ValidateSet('1', '2', '3', '4')] [System.String] $PhishThresholdLevel = '1', [Parameter()] [System.String[]] $TargetedDomainActionRecipients = @(), [Parameter()] [ValidateSet('BccMessage', 'Delete', 'MoveToJmf', 'NoAction', 'Quarantine', 'Redirect')] [System.String] $TargetedDomainProtectionAction = 'NoAction', [Parameter()] [System.String[]] $TargetedDomainsToProtect = @(), [Parameter()] [System.String[]] $TargetedUserActionRecipients = @(), [Parameter()] [ValidateSet('BccMessage', 'Delete', 'MoveToJmf', 'NoAction', 'Quarantine', 'Redirect')] [System.String] $TargetedUserProtectionAction = 'NoAction', [Parameter()] [System.String[]] $TargetedUsersToProtect = @(), [Parameter()] [System.Boolean] $TreatSoftPassAsAuthenticated = $true, [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) Write-Verbose -Message "Getting configuration of AntiPhishPolicy for $Identity" #region Telemetry $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() $data.Add("Resource", $MyInvocation.MyCommand.ModuleName) $data.Add("Method", $MyInvocation.MyCommand) Add-M365DSCTelemetryEvent -Data $data #endregion Test-MSCloudLogin -CloudCredential $GlobalAdminAccount ` -Platform ExchangeOnline $AntiPhishPolicies = Get-AntiPhishPolicy $AntiPhishPolicy = $AntiPhishPolicies | Where-Object -FilterScript { $_.Identity -eq $Identity } if ($null -eq $AntiPhishPolicy) { Write-Verbose -Message "AntiPhishPolicy $($Identity) does not exist." $result = $PSBoundParameters $result.Ensure = 'Absent' return $result } else { $PhishThresholdLevelValue = $AntiPhishPolicy.PhishThresholdLevel if ([System.String]::IsNullOrEmpty($PhishThresholdLevelValue)) { $PhishThresholdLevelValue = '1' } $TargetedUserProtectionActionValue = $AntiPhishPolicy.TargetedUserProtectionAction if ([System.String]::IsNullOrEmpty($TargetedUserProtectionActionValue)) { $TargetedUserProtectionActionValue = 'NoAction' } $result = @{ Identity = $Identity AdminDisplayName = $AntiPhishPolicy.AdminDisplayName AuthenticationFailAction = $AntiPhishPolicy.AuthenticationFailAction Enabled = $AntiPhishPolicy.Enabled EnableAntispoofEnforcement = $AntiPhishPolicy.EnableAntispoofEnforcement EnableAuthenticationSafetyTip = $AntiPhishPolicy.EnableAuthenticationSafetyTip EnableAuthenticationSoftPassSafetyTip = $AntiPhishPolicy.EnableAuthenticationSoftPassSafetyTip EnableMailboxIntelligence = $AntiPhishPolicy.EnableMailboxIntelligence EnableOrganizationDomainsProtection = $AntiPhishPolicy.EnableOrganizationDomainsProtection EnableSimilarDomainsSafetyTips = $AntiPhishPolicy.EnableSimilarDomainsSafetyTips EnableSimilarUsersSafetyTips = $AntiPhishPolicy.EnableSimilarUsersSafetyTips EnableTargetedDomainsProtection = $AntiPhishPolicy.EnableTargetedDomainsProtection EnableTargetedUserProtection = $AntiPhishPolicy.EnableTargetedUserProtection EnableUnusualCharactersSafetyTips = $AntiPhishPolicy.EnableUnusualCharactersSafetyTips ExcludedDomains = $AntiPhishPolicy.ExcludedDomains ExcludedSenders = $AntiPhishPolicy.ExcludedSenders MakeDefault = $AntiPhishPolicy.MakeDefault PhishThresholdLevel = $PhishThresholdLevelValue TargetedDomainActionRecipients = $AntiPhishPolicy.TargetedDomainActionRecipients TargetedDomainProtectionAction = $TargetedDomainProtectionAction TargetedDomainsToProtect = $AntiPhishPolicy.TargetedDomainsToProtect TargetedUserActionRecipients = $AntiPhishPolicy.TargetedUserActionRecipients TargetedUserProtectionAction = $TargetedUserProtectionActionValue TargetedUsersToProtect = $AntiPhishPolicy.TargetedUsersToProtect TreatSoftPassAsAuthenticated = $AntiPhishPolicy.TreatSoftPassAsAuthenticated GlobalAdminAccount = $GlobalAdminAccount Ensure = 'Present' } Write-Verbose -Message "Found AntiPhishPolicy $($Identity)" Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)" return $result } } function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.String] $Identity, [Parameter()] [System.String] $AdminDisplayName, [Parameter()] [ValidateSet('MoveToJmf', 'Quarantine')] [System.String] $AuthenticationFailAction = 'MoveToJmf', [Parameter()] [System.Boolean] $Enabled = $true, [Parameter()] [System.Boolean] $EnableAntispoofEnforcement = $true, [Parameter()] [System.Boolean] $EnableAuthenticationSafetyTip = $true, [Parameter()] [System.Boolean] $EnableAuthenticationSoftPassSafetyTip = $false, [Parameter()] [System.Boolean] $EnableMailboxIntelligence = $true, [Parameter()] [System.Boolean] $EnableOrganizationDomainsProtection = $false, [Parameter()] [System.Boolean] $EnableSimilarDomainsSafetyTips = $false, [Parameter()] [System.Boolean] $EnableSimilarUsersSafetyTips = $false, [Parameter()] [System.Boolean] $EnableTargetedDomainsProtection = $false, [Parameter()] [System.Boolean] $EnableTargetedUserProtection = $false, [Parameter()] [System.Boolean] $EnableUnusualCharactersSafetyTips = $false, [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter()] [System.String[]] $ExcludedDomains = @(), [Parameter()] [System.String[]] $ExcludedSenders = @(), [Parameter()] [System.Boolean] $MakeDefault = $false, [Parameter()] [ValidateSet('1', '2', '3', '4')] [System.String] $PhishThresholdLevel = '1', [Parameter()] [System.String[]] $TargetedDomainActionRecipients = @(), [Parameter()] [ValidateSet('BccMessage', 'Delete', 'MoveToJmf', 'NoAction', 'Quarantine', 'Redirect')] [System.String] $TargetedDomainProtectionAction = 'NoAction', [Parameter()] [System.String[]] $TargetedDomainsToProtect = @(), [Parameter()] [System.String[]] $TargetedUserActionRecipients = @(), [Parameter()] [ValidateSet('BccMessage', 'Delete', 'MoveToJmf', 'NoAction', 'Quarantine', 'Redirect')] [System.String] $TargetedUserProtectionAction = 'NoAction', [Parameter()] [System.String[]] $TargetedUsersToProtect = @(), [Parameter()] [System.Boolean] $TreatSoftPassAsAuthenticated = $true, [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) Write-Verbose -Message "Setting configuration of AntiPhishPolicy for $Identity" #region Telemetry $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() $data.Add("Resource", $MyInvocation.MyCommand.ModuleName) $data.Add("Method", $MyInvocation.MyCommand) Add-M365DSCTelemetryEvent -Data $data #endregion Test-MSCloudLogin -CloudCredential $GlobalAdminAccount ` -Platform ExchangeOnline $AntiPhishPolicies = Get-AntiPhishPolicy $AntiPhishPolicy = $AntiPhishPolicies | Where-Object -FilterScript { $_.Identity -eq $Identity } if (('Present' -eq $Ensure ) -and (-not $AntiPhishPolicy)) { New-EXOAntiPhishPolicy -AntiPhishPolicyParams $PSBoundParameters } if (('Present' -eq $Ensure ) -and ($AntiPhishPolicy)) { # The Set-AntiphishPolicy cmdlet doesn't account for more than 80% of the parameters # defined by the New-AntiphishPolicy one. Therefore we need to delete the existing # policy and recreate it in order to make sure the parameters all match the desired # state specified; Remove-AntiPhishPolicy -Identity $Identity -Confirm:$false -Force New-EXOAntiPhishPolicy -AntiPhishPolicyParams $PSBoundParameters } if (('Absent' -eq $Ensure ) -and ($AntiPhishPolicy)) { Write-Verbose -Message "Removing AntiPhishPolicy $($Identity)" Remove-AntiPhishPolicy -Identity $Identity -Confirm:$false -Force } } function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $true)] [System.String] $Identity, [Parameter()] [System.String] $AdminDisplayName, [Parameter()] [ValidateSet('MoveToJmf', 'Quarantine')] [System.String] $AuthenticationFailAction = 'MoveToJmf', [Parameter()] [System.Boolean] $Enabled = $true, [Parameter()] [System.Boolean] $EnableAntispoofEnforcement = $true, [Parameter()] [System.Boolean] $EnableAuthenticationSafetyTip = $true, [Parameter()] [System.Boolean] $EnableAuthenticationSoftPassSafetyTip = $false, [Parameter()] [System.Boolean] $EnableMailboxIntelligence = $true, [Parameter()] [System.Boolean] $EnableOrganizationDomainsProtection = $false, [Parameter()] [System.Boolean] $EnableSimilarDomainsSafetyTips = $false, [Parameter()] [System.Boolean] $EnableSimilarUsersSafetyTips = $false, [Parameter()] [System.Boolean] $EnableTargetedDomainsProtection = $false, [Parameter()] [System.Boolean] $EnableTargetedUserProtection = $false, [Parameter()] [System.Boolean] $EnableUnusualCharactersSafetyTips = $false, [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter()] [System.String[]] $ExcludedDomains = @(), [Parameter()] [System.String[]] $ExcludedSenders = @(), [Parameter()] [System.Boolean] $MakeDefault = $false, [Parameter()] [ValidateSet('1', '2', '3', '4')] [System.String] $PhishThresholdLevel = '1', [Parameter()] [System.String[]] $TargetedDomainActionRecipients = @(), [Parameter()] [ValidateSet('BccMessage', 'Delete', 'MoveToJmf', 'NoAction', 'Quarantine', 'Redirect')] [System.String] $TargetedDomainProtectionAction = 'NoAction', [Parameter()] [System.String[]] $TargetedDomainsToProtect = @(), [Parameter()] [System.String[]] $TargetedUserActionRecipients = @(), [Parameter()] [ValidateSet('BccMessage', 'Delete', 'MoveToJmf', 'NoAction', 'Quarantine', 'Redirect')] [System.String] $TargetedUserProtectionAction = 'NoAction', [Parameter()] [System.String[]] $TargetedUsersToProtect = @(), [Parameter()] [System.Boolean] $TreatSoftPassAsAuthenticated = $true, [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) Write-Verbose -Message "Testing configuration of AntiPhishPolicy for $Identity" $CurrentValues = Get-TargetResource @PSBoundParameters Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" $ValuesToCheck = $PSBoundParameters $ValuesToCheck.Remove('GlobalAdminAccount') | Out-Null $TestResult = Test-Microsoft365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult } function Export-TargetResource { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $GlobalAdminAccount ) $InformationPreference = "Continue" #region Telemetry $data = [System.Collections.Generic.Dictionary[[String], [String]]]::new() $data.Add("Resource", $MyInvocation.MyCommand.ModuleName) $data.Add("Method", $MyInvocation.MyCommand) Add-M365DSCTelemetryEvent -Data $data #endregion Test-MSCloudLogin -CloudCredential $GlobalAdminAccount ` -Platform ExchangeOnline ` -ErrorAction SilentlyContinue $AntiPhishPolicies = Get-AntiPhishPolicy $content = "" $i = 1 $PolicyCount = $AntiPhishPolicies.Length if ($null -eq $PolicyCount) { $PolicyCount = 1 } foreach ($Policy in $AntiPhishPolicies) { Write-Information " [$i/$PolicyCount] $($Policy.Identity)" $Params = @{ Identity = $Policy.Identity GlobalAdminAccount = $GlobalAdminAccount } $result = Get-TargetResource @Params $result.GlobalAdminAccount = Resolve-Credentials -UserName "globaladmin" $content += " EXOAntiPhishPolicy " + (New-GUID).ToString() + "`r`n" $content += " {`r`n" $currentDSCBlock = Get-DSCBlock -Params $result -ModulePath $PSScriptRoot $content += Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "GlobalAdminAccount" $content += " }`r`n" $i++ } return $content } Export-ModuleMember -Function *-TargetResource |