DSCResources/MSFT_AADRoleManagementPolicyRule/MSFT_AADRoleManagementPolicyRule.psm1
function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] [System.String] $id, [Parameter(Mandatory = $true)] [System.String] $roleDisplayName, [Parameter()] [System.String] $ruleType, [Parameter()] [System.String] $policyId, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $expirationRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $notificationRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $enablementRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $approvalRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $authenticationContextRule, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity, [Parameter()] [System.String[]] $AccessTokens ) try { $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $nullResult = $PSBoundParameters $getValue = $null $role = Get-MgBetaRoleManagementDirectoryRoleDefinition -All -Filter "DisplayName eq '$($roleDisplayName)'" if ($null -eq $role) { Write-Verbose -Message "Could not find an Azure AD Role Management Definition with DisplayName {$roleDisplayName}" return $nullResult } $assignment = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter "RoleDefinitionId eq '$($role.Id)' and scopeId eq '/' and scopeType eq 'DirectoryRole'" if ($null -eq $assignment) { Write-Verbose -Message "Could not find an Azure AD Role Management Policy Assignment with RoleDefinitionId {$role.Id}" return $nullResult } $policyId = $assignment.PolicyId $getValue = Get-MgBetaPolicyRoleManagementPolicyRule ` -UnifiedRoleManagementPolicyId $policyId ` -UnifiedRoleManagementPolicyRuleId $id -ErrorAction SilentlyContinue if ($null -eq $getValue) { Write-Verbose -Message "Could not find an Azure AD Role Management Policy Rule with Id {$id} and PolicyId {$policyId}." return $nullResult } Write-Verbose -Message "An Azure AD Role Management Policy Rule with Id {$id} and PolicyId {$policyId} was found" $rule = Get-M365DSCRoleManagementPolicyRuleObject -Rule $getValue $results = @{ id = $id policyId = $policyId roleDisplayName = $roleDisplayName ruleType = $rule.ruleType expirationRule = $rule.expirationRule notificationRule = $rule.notificationRule enablementRule = $rule.enablementRule approvalRule = $rule.approvalRule authenticationContextRule = $rule.authenticationContextRule Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent } return [System.Collections.Hashtable] $results } catch { New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential return $nullResult } } function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.String] $id, [Parameter(Mandatory = $true)] [System.String] $roleDisplayName, [Parameter()] [System.String] $ruleType, [Parameter()] [System.String] $policyId, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $expirationRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $notificationRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $enablementRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $approvalRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $authenticationContextRule, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity, [Parameter()] [System.String[]] $AccessTokens ) #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $currentInstance = Get-TargetResource @PSBoundParameters $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters Write-Verbose -Message "Updating the Azure AD Role Management Policy Rule with Id {$($currentInstance.Id)}" $body = @{ '@odata.type' = $ruleType } if ($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule') { $expirationRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $expirationRule # add all the properties to the body foreach ($key in $expirationRuleHashmap.Keys) { $body.Add($key, $expirationRuleHashmap.$key) } } if ($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule') { $notificationRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $notificationRule # add all the properties to the body foreach ($key in $notificationRuleHashmap.Keys) { $body.Add($key, $notificationRuleHashmap.$key) } } if ($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule') { $enablementRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $enablementRule # add all the properties to the body foreach ($key in $enablementRuleHashmap.Keys) { $body.Add($key, $enablementRuleHashmap.$key) } } if ($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule') { $approvalRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $approvalRule # add all the properties to the body foreach ($key in $approvalRuleHashmap.Keys) { $body.Add($key, $approvalRuleHashmap.$key) } } if ($ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule') { $authenticationContextRuleHashmap = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $authenticationContextRule # add all the properties to the body foreach ($key in $authenticationContextRuleHashmap.Keys) { $body.Add($key, $authenticationContextRuleHashmap.$key) } } Update-MgBetaPolicyRoleManagementPolicyRule ` -UnifiedRoleManagementPolicyId $currentInstance.policyId ` -UnifiedRoleManagementPolicyRuleId $currentInstance.Id ` -BodyParameter $body #endregion } function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $true)] [System.String] $id, [Parameter(Mandatory = $true)] [System.String] $roleDisplayName, [Parameter()] [System.String] $ruleType, [Parameter()] [System.String] $policyId, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $expirationRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $notificationRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $enablementRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $approvalRule, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $authenticationContextRule, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity, [Parameter()] [System.String[]] $AccessTokens ) #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion Write-Verbose -Message "Testing configuration of the Azure AD Role Management Policy Rule with Id {$Id} and DisplayName {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() $testResult = $true #Compare Cim instances foreach ($key in $PSBoundParameters.Keys) { $source = $PSBoundParameters.$key $target = $CurrentValues.$key if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') { $testResult = Compare-M365DSCComplexObject ` -Source ($source) ` -Target ($target) if (-not $testResult) { break } $ValuesToCheck.Remove($key) | Out-Null } } $ValuesToCheck.Remove('Id') | Out-Null $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" if ($testResult) { $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } Write-Verbose -Message "Test-TargetResource returned $testResult" return $testResult } function Export-TargetResource { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter()] [System.String] $Filter, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity, [Parameter()] [System.String[]] $AccessTokens ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $dscContent = [System.Text.StringBuilder]::new() Write-Host "`r`n" -NoNewline try { [array] $roles = Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter $Filter -All $j = 1 foreach ($role in $roles) { $assignment = Get-MgBetaPolicyRoleManagementPolicyAssignment -Filter "RoleDefinitionId eq '$($role.Id)' and scopeId eq '/' and scopeType eq 'DirectoryRole'" $policyId = $assignment.PolicyId $rules = Get-MgBetaPolicyRoleManagementPolicyRule ` -UnifiedRoleManagementPolicyId $policyId Write-Host " |---[$j/$($roles.Count)] $($role.displayName)" $i = 1 foreach ($rule in $rules) { if ($null -ne $Global:M365DSCExportResourceInstancesCount) { $Global:M365DSCExportResourceInstancesCount++ } Write-Host " |---[$i/$($rules.Count)] $($role.displayName)_$($rule.id)" -NoNewline $Params = @{ roleDisplayName = $role.displayName id = $rule.id ApplicationId = $ApplicationId TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint ApplicationSecret = $ApplicationSecret Credential = $Credential Managedidentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens } $Results = Get-TargetResource @Params $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results if ($null -ne $Results.expirationRule) { $complexMapping = @( @{ Name = 'expirationRule' CimInstanceName = 'AADRoleManagementPolicyExpirationRule' IsRequired = $False } ) $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.expirationRule` -CIMInstanceName 'AADRoleManagementPolicyExpirationRule' ` -ComplexTypeMapping $complexMapping if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.expirationRule = $complexTypeStringResult } else { $Results.Remove('expirationRule') | Out-Null } } if ($null -ne $Results.notificationRule) { $complexMapping = @( @{ Name = 'notificationRule' CimInstanceName = 'AADRoleManagementPolicyNotificationRule' IsRequired = $False } ) $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.notificationRule` -CIMInstanceName 'AADRoleManagementPolicyNotificationRule' ` -ComplexTypeMapping $complexMapping if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.notificationRule = $complexTypeStringResult } else { $Results.Remove('notificationRule') | Out-Null } } if ($null -ne $Results.enablementRule) { $complexMapping = @( @{ Name = 'enablementRule' CimInstanceName = 'AADRoleManagementPolicyEnablementRule' IsRequired = $False } ) $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.enablementRule` -CIMInstanceName 'AADRoleManagementPolicyEnablementRule' ` -ComplexTypeMapping $complexMapping if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.enablementRule = $complexTypeStringResult } else { $Results.Remove('enablementRule') | Out-Null } } if ($null -ne $Results.authenticationContextRule) { $complexMapping = @( @{ Name = 'authenticationContextRule' CimInstanceName = 'AADRoleManagementPolicyAuthenticationContextRule' IsRequired = $False } ) $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.authenticationContextRule` -CIMInstanceName 'AADRoleManagementPolicyAuthenticationContextRule' ` -ComplexTypeMapping $complexMapping if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.authenticationContextRule = $complexTypeStringResult } else { $Results.Remove('authenticationContextRule') | Out-Null } } if ($null -ne $Results.approvalRule) { $complexMapping = @( @{ Name = 'approvalRule' CimInstanceName = 'AADRoleManagementPolicyApprovalRule' IsRequired = $False } @{ Name = 'setting' CimInstanceName = 'AADRoleManagementPolicyApprovalSettings' IsRequired = $False } @{ Name = 'approvalStages' CimInstanceName = 'AADRoleManagementPolicyApprovalStage' IsRequired = $False } @{ Name = 'escalationApprovers' CimInstanceName = 'AADRoleManagementPolicySubjectSet' IsRequired = $False } @{ Name = 'primaryApprovers' CimInstanceName = 'AADRoleManagementPolicySubjectSet' IsRequired = $False } ) $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.approvalRule` -CIMInstanceName 'AADRoleManagementPolicyApprovalRule' ` -ComplexTypeMapping $complexMapping if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.approvalRule = $complexTypeStringResult } else { $Results.Remove('approvalRule') | Out-Null } } $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential if ($Results.expirationRule) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'expirationRule' -IsCIMArray:$false } if ($Results.notificationRule) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'notificationRule' -IsCIMArray:$false } if ($Results.enablementRule) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'enablementRule' -IsCIMArray:$false } if ($Results.approvalRule) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'approvalRule' -IsCIMArray:$false } if ($Results.authenticationContextRule) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'authenticationContextRule' -IsCIMArray:$false } $dscContent.Append($currentDSCBlock) | Out-Null Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName Write-Host $Global:M365DSCEmojiGreenCheckMark $i++ } $j++ } return $dscContent.ToString() } catch { Write-Host $Global:M365DSCEmojiRedX New-M365DSCLogEntry -Message 'Error during Export:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential return '' } } function Get-M365DSCRoleManagementPolicyRuleObject { [CmdletBinding()] [OutputType([PSCustomObject])] param( [Parameter()] $Rule ) if ($null -eq $Rule) { return $null } $odataType = '@odata.type' $values = @{ id = $Rule.id ruleType = $Rule.AdditionalProperties.$odataType } if ($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule') { $expirationRule = @{ isExpirationRequired = $Rule.AdditionalProperties.isExpirationRequired maximumDuration = $Rule.AdditionalProperties.maximumDuration } $values.Add('expirationRule', $expirationRule) } if ($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule') { $notificationRule = @{ notificationType = $Rule.AdditionalProperties.notificationType recipientType = $Rule.AdditionalProperties.recipientType notificationLevel = $Rule.AdditionalProperties.notificationLevel isDefaultRecipientsEnabled = $Rule.AdditionalProperties.isDefaultRecipientsEnabled notificationRecipients = [array]$Rule.AdditionalProperties.notificationRecipients } $values.Add('notificationRule', $notificationRule) } if ($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule') { $enablementRule = @{ enabledRules = [array]$Rule.AdditionalProperties.enabledRules } $values.Add('enablementRule', $enablementRule) } if ($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule') { $approvalStages = @() foreach ($stage in $Rule.AdditionalProperties.setting.approvalStages) { $primaryApprovers = @() foreach ($approver in $stage.primaryApprovers) { $primaryApprover = @{ odataType = $approver.$odataType } $primaryApprovers += $primaryApprover } $escalationApprovers = @() foreach ($approver in $stage.escalationApprovers) { $escalationApprover = @{ odataType = $approver.$odataType } $escalationApprovers += $escalationApprover } $approvalStage = @{ approvalStageTimeOutInDays = $stage.approvalStageTimeOutInDays escalationTimeInMinutes = $stage.escalationTimeInMinutes isApproverJustificationRequired = $stage.isApproverJustificationRequired isEscalationEnabled = $stage.isEscalationEnabled escalationApprovers = [array]$escalationApprovers primaryApprovers = [array]$primaryApprovers } $approvalStages += $approvalStage } $setting = @{ approvalMode = $Rule.AdditionalProperties.setting.approvalMode isApprovalRequired = $Rule.AdditionalProperties.setting.isApprovalRequired isApprovalRequiredForExtension = $Rule.AdditionalProperties.setting.isApprovalRequiredForExtension isRequestorJustificationRequired = $Rule.AdditionalProperties.setting.isRequestorJustificationRequired approvalStages = [array]$approvalStages } $approvalRule = @{ setting = $setting } $values.Add('approvalRule', $approvalRule) } if ($values.ruleType -eq '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule') { $authenticationContextRule = @{ isEnabled = $Rule.AdditionalProperties.isEnabled claimValue = $Rule.AdditionalProperties.claimValue } $values.Add('authenticationContextRule', $authenticationContextRule) } return $values } Export-ModuleMember -Function *-TargetResource |