diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5404b8bd42..1ea65e05e8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@
 * AADAuthenticationRequirement
 * Changed Export logic to extract instances from all users.
+* AADConditionalAccessPolicy
+ * Add disableResilienceDefaults
 * AADOrganizationCertificateBasedAuthConfiguration
 * Fixed the primary key of the resource. FIXES [#5523](https://github.com/microsoft/Microsoft365DSC/issues/5523)
@@ -24,11 +26,11 @@
 * Fixes comparison issue for permissions.
 * EXOTransportRule
 * Fixes issue extracting arrays in Get-TargetResource.
- * FIXES [#5575](https://github.com/microsoft/Microsoft365DSC/issues/5575)
+ FIXES [#5575](https://github.com/microsoft/Microsoft365DSC/issues/5575)
 * TeamsMeetingPolicy
 * Adds support for additional Copilot setting value.
- * FIXES [#5573](https://github.com/microsoft/Microsoft365DSC/issues/5573)
- * FIXES [#5550](https://github.com/microsoft/Microsoft365DSC/issues/5550)
+ FIXES [#5573](https://github.com/microsoft/Microsoft365DSC/issues/5573)
+ FIXES [#5550](https://github.com/microsoft/Microsoft365DSC/issues/5550)
 * MISC
 * Fixed the Fabric web request to use basic parsing.
 * Reset only necessary authentication context.
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
index 7f81b5de49..0ee0fdacb8 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1
@@ -199,6 +199,10 @@ function Get-TargetResource
 [System.Boolean]
 $PersistentBrowserIsEnabled,
+ [Parameter()]
+ [System.Boolean]
+ $DisableResilienceDefaultsIsEnabled,
+
 [Parameter()]
 [System.String]
 $TermsOfUse,
@@ -706,6 +710,8 @@ function Get-TargetResource
 SignInFrequencyInterval = $SignInFrequencyIntervalValue
 #no translation needed
 PersistentBrowserIsEnabled = $false -or $Policy.SessionControls.PersistentBrowser.IsEnabled
+ #no translation needed
+ DisableResilienceDefaultsIsEnabled = $false -or $Policy.SessionControls.disableResilienceDefaults.IsEnabled
 #make false if undefined, true if true
 PersistentBrowserMode = [System.String]$Policy.SessionControls.PersistentBrowser.Mode
 #no translation needed
@@ -929,6 +935,10 @@ function Set-TargetResource
 [System.Boolean]
 $PersistentBrowserIsEnabled,
+ [Parameter()]
+ [System.Boolean]
+ $DisableResilienceDefaultsIsEnabled,
+
 [Parameter()]
 [System.String]
 $TermsOfUse,
@@ -1735,7 +1745,7 @@ function Set-TargetResource
 $NewParameters.Add('grantControls', $GrantControls)
 }
- if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled)
+ if ($ApplicationEnforcedRestrictionsIsEnabled -or $CloudAppSecurityIsEnabled -or $SignInFrequencyIsEnabled -or $PersistentBrowserIsEnabled -or $DisableResilienceDefaultsIsEnabled)
 {
 Write-Verbose -Message 'Set-Targetresource: process session controls'
 $sessioncontrols = $null
@@ -1802,6 +1812,10 @@ function Set-TargetResource
 $sessioncontrols.persistentBrowser.isEnabled = $true
 $sessioncontrols.persistentBrowser.mode = $PersistentBrowserMode
 }
+ if ($DisableResilienceDefaultsIsEnabled)
+ {
+ $sessioncontrols.Add('disableResilienceDefaults', $true)
+ }
 $NewParameters.Add('sessionControls', $sessioncontrols) #add SessionControls to the parameter list
 }
@@ -2087,6 +2101,10 @@ function Test-TargetResource
 [System.Boolean]
 $PersistentBrowserIsEnabled,
+ [Parameter()]
+ [System.Boolean]
+ $DisableResilienceDefaultsIsEnabled,
+
 [Parameter()]
 [System.String]
 $TermsOfUse,
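Review bot: Get-TargetResource and Set-TargetResource disagree on the shape of the new session control: the @@ -706 hunk reads `$Policy.SessionControls.disableResilienceDefaults.IsEnabled` as if it were a nested object, while the @@ -1812 hunk writes a bare boolean with `$sessioncontrols.Add('disableResilienceDefaults', $true)`. In Microsoft Graph the sessionControls.disableResilienceDefaults property is a plain Boolean, so the Set side looks right and the Get side will get `$null` from `.IsEnabled` and report `$false` even when the control is on, which makes Test-TargetResource report drift after every successful Set; reading `$false -or $Policy.SessionControls.DisableResilienceDefaults` would match, and the unit-test mocks should then return a boolean rather than `@{ IsEnabled = $True }`. A smaller point in the same hunk: the inserted `#no translation needed` comment now sits between `PersistentBrowserIsEnabled` and its own `#make false if undefined, true if true` comment; this block appears to document each property on the line after it, so the new comment describes the wrong line and the two added lines should be swapped. Both enclosing functions start and end outside these hunks.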
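Review bot: The session-controls block in the @@ -1812 hunk only adds `disableResilienceDefaults` when the flag is true, so a policy where the control is currently on and the desired state is `$false` may never be corrected: the key is omitted from the request, and if Graph treats an absent property as unchanged the existing value stays while Test-TargetResource keeps reporting drift. Setting it unconditionally inside the block, `$sessioncontrols.Add('disableResilienceDefaults', [System.Boolean]$DisableResilienceDefaultsIsEnabled)`, sends an explicit false. Note also that `$sessioncontrols` is reset to `$null` in the @@ -1745 hunk and initialised outside this view, so the `.Add` call presumably relies on that initialisation running when only this flag is set — worth confirming with a test where it is the sole enabled session control. Set-TargetResource begins and ends outside the hunk.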
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
index a58e7239c3..556ec8f895 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof
@@ -47,6 +47,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
 [Write, Description("Sign in frequency interval. Possible values are: timeBased, everyTime and unknownFutureValue."), ValueMap{"timeBased","everyTime","unknownFutureValue"}, Values{"timeBased","everyTime","unknownFutureValue"}] String SignInFrequencyInterval;
 [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled;
 [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode;
+ [Write, Description("Specifies, if DisableResilienceDefaults is enabled.")] Boolean DisableResilienceDefaultsIsEnabled;
 [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength;
 [Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods;
 [Write, Description("Authentication context class references.")] String AuthenticationContexts[];
@@ -60,4 +61,3 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
 [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
 [Write, Description("Access token used for authentication.")] String AccessTokens[];
 };
-
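Review bot: The description on the new `DisableResilienceDefaultsIsEnabled` property in the @@ -47 hunk, `Specifies, if DisableResilienceDefaults is enabled.`, only restates the property name and tells an operator nothing about what the control does or why it matters when a tenant is assessing session handling during an outage. Suggest `Specifies, whether the policy disables the resilience defaults, i.e. whether Entra ID may extend existing sessions based on information collected before an outage.`, in the same voice as the neighbouring PersistentBrowser descriptions. The docs table row for this property carries the same text and should be updated together with it.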
diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json
index 6f53ed673c..9e40bc7bc8 100644
--- a/Modules/Microsoft365DSC/SchemaDefinition.json
+++ b/Modules/Microsoft365DSC/SchemaDefinition.json
@@ -3522,6 +3522,11 @@
 "Name": "PersistentBrowserMode",
 "Option": "Write"
 },
+ {
+ "CIMType": "Boolean",
+ "Name": "DisableResilienceDefaultsIsEnabled",
+ "Option": "Write"
+ },
 {
 "CIMType": "String",
 "Name": "AuthenticationStrength",
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1
index 44e159540e..1b197de097 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1
@@ -83,6 +83,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest')
 PersistentBrowserIsEnabled = $True
 PersistentBrowserMode = 'Always'
+ DisableResilienceDefaultsIsEnabled = $True
 SignInFrequencyIsEnabled = $True
 SignInFrequencyType = 'Days'
 SignInFrequencyValue = 5
@@ -178,6 +179,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest')
 PersistentBrowserIsEnabled = $True
 PersistentBrowserMode = 'Always'
+ DisableResilienceDefaultsIsEnabled = $True
 SignInFrequencyIsEnabled = $True
 SignInFrequencyType = 'Days'
 SignInFrequencyValue = 5
@@ -254,6 +256,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IsEnabled = $True
 Mode = 'Always'
 }
+ disableResilienceDefaults = @{
+ IsEnabled = $True
+ }
 }
 }
 }
@@ -372,6 +377,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IsEnabled = $True
 Mode = 'Always'
 }
+ disableResilienceDefaults = @{
+ IsEnabled = $True
+ }
 }
 }
 }
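Review bot: The Get-Mg* mocks added in the @@ -254 and @@ -372 hunks (and the matching ones at @@ -548, @@ -691 and @@ -808) return `disableResilienceDefaults = @{ IsEnabled = $True }`, a nested object, while the Set path in the resource writes the same property as a bare boolean; the mock therefore mirrors the Get code's assumption instead of the shape Graph actually returns, so the test cannot catch the mismatch. If Graph reports the property as a Boolean, the mock should be `disableResilienceDefaults = $True` and the Get code adjusted to read it directly. Every case also sets `DisableResilienceDefaultsIsEnabled = $True` against a mock that already has it on; a case with the desired value `$False` against a policy that has the control enabled is the one that exercises the Set branch and would show whether the resource can turn the control back off. The enclosing Describe block starts and ends outside these hunks.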
@@ -450,6 +458,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IncludeGuestOrExternalUserTypes = @('b2bCollaborationGuest')
 PersistentBrowserIsEnabled = $True
 PersistentBrowserMode = 'Always'
+ DisableResilienceDefaultsIsEnabled = $True
 SignInFrequencyIsEnabled = $True
 SignInFrequencyType = 'Days'
 SignInFrequencyValue = 5
@@ -548,6 +557,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IsEnabled = $True
 Mode = 'Always'
 }
+ disableResilienceDefaults = @{
+ IsEnabled = $True
+ }
 }
 }
 }
@@ -615,6 +627,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IncludeUsers = 'All'
 PersistentBrowserIsEnabled = $True
 PersistentBrowserMode = 'Always'
+ DisableResilienceDefaultsIsEnabled = $True
 SignInFrequencyIsEnabled = $True
 SignInFrequencyType = 'Days'
 SignInFrequencyValue = 5
@@ -691,6 +704,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IsEnabled = $True
 Mode = 'Always'
 }
+ disableResilienceDefaults = @{
+ IsEnabled = $True
+ }
 }
 }
 }
@@ -808,6 +824,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
 IsEnabled = $True
 Mode = 'Always'
 }
+ disableResilienceDefaults = @{
+ IsEnabled = $True
+ }
 }
 }
 }
diff --git a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md
index 90b5dd515f..489253d06c 100644
--- a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md
+++ b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md
@@ -50,6 +50,7 @@
 | **SignInFrequencyInterval** | Write | String | Sign in frequency interval. Possible values are: timeBased, everyTime and unknownFutureValue. | `timeBased`, `everyTime`, `unknownFutureValue` |
 | **PersistentBrowserIsEnabled** | Write | Boolean | Specifies, whether Browser Persistence is controlled by the Policy. | |
 | **PersistentBrowserMode** | Write | String | Specifies, what Browser Persistence control is enforced by the Policy. | `Always`, `Never`, `` |
+| **DisableResilienceDefaultsIsEnabled** | Write | Boolean | Specifies, if DisableResilienceDefaults is enabled. | |
 | **AuthenticationStrength** | Write | String | Name of the associated authentication strength policy. | |
 | **TransferMethods** | Write | String | Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'. | |
 | **AuthenticationContexts** | Write | StringArray[] | Authentication context class references. | |