functions/conditionalAccessPolicies/Register-TmfConditionalAccessPolicy.ps1

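function Register-TmfConditionalAccessPolicy
{
    <#
        .SYNOPSIS
            Registers a Conditional Access policy in the module's desired configuration.

        .DESCRIPTION
            Builds a PSCustomObject describing the desired state of one Conditional Access policy
            and stores it under $script:desiredConfiguration["conditionalAccessPolicies"].
            If a policy with the same displayName was already registered, the earlier entry is
            replaced in place; otherwise the new entry is appended.

            Only parameters that were explicitly bound by the caller are copied onto the object,
            so a property that is absent means "not specified", not "empty".

        .PARAMETER displayName
            Display name of the policy (mandatory). Also used as the key for de-duplication.

        .PARAMETER oldNames
            Previous display names of the policy. Each value is passed through Resolve-String.

        .PARAMETER state
            Desired policy state: enabled, disabled or enabledForReportingButNotEnforced (mandatory).

        .PARAMETER present
            $true (default) if the policy should exist, $false if it should be removed.

        .PARAMETER sourceConfig
            Label of the configuration source the definition came from. Defaults to "<Custom>".

        .PARAMETER Cmdlet
            The calling cmdlet, used to raise terminating errors in the caller's context.

        .NOTES
            Grant controls (builtInControls, termsOfUse) require an operator (AND/OR); registration
            fails early with TMF.Register.PropertySetNotPossible when it is missing.
            All other condition and grant-control parameters are copied verbatim when bound.
    #>
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]
        [string] $displayName,
        [string[]] $oldNames,

        # Conditions
        [string[]] $includeUsers,
        [string[]] $excludeUsers,
        [string[]] $includeGroups,
        [string[]] $excludeGroups,
        [string[]] $includeRoles,
        [string[]] $includeApplications,
        [string[]] $excludeApplications,
        [string[]] $includeLocations,
        [string[]] $excludeLocations,
        [ValidateSet("android", "iOS", "windows", "windowsPhone", "macOS", "all")]
        [string[]] $includePlatforms,
        [ValidateSet("android", "iOS", "windows", "windowsPhone", "macOS", "all")]
        [string[]] $excludePlatforms,
        
        [ValidateSet("all", "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "easSupported", "other")]
        [string[]] $clientAppTypes,
        [ValidateSet("low", "medium", "high", "hidden", "none")]
        [string[]] $userRiskLevels,
        [ValidateSet("low", "medium", "high", "hidden", "none")]
        [string[]] $signInRiskLevels,

        # Grant Controls
        [ValidateSet("block", "mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange", "unknownFutureValue")]
        [string[]] $builtInControls,
        [string[]] $customAuthenticationFactors,
        [ValidateSet("AND", "OR")]
        [string] $operator,
        [string[]] $termsOfUse,
        
        [Parameter(Mandatory = $true)]
        [ValidateSet("enabled", "disabled", "enabledForReportingButNotEnforced")]
        [string] $state,

        [bool] $present = $true,
        [string] $sourceConfig = "<Custom>",

        [System.Management.Automation.PSCmdlet]
        $Cmdlet = $PSCmdlet
    )
    
    begin
    {
        $resourceName = "conditionalAccessPolicies"
        if (!$script:desiredConfiguration[$resourceName]) {
            $script:desiredConfiguration[$resourceName] = @()
        }

        # Remember an existing entry with the same displayName so process{} can replace it in place.
        if ($script:desiredConfiguration[$resourceName].displayName -contains $displayName) {
            $alreadyLoaded = $script:desiredConfiguration[$resourceName] | Where-Object {$_.displayName -eq $displayName}
        }

        try {
            # Fix: the check previously tested $buildInControls (a typo, always $null), so a policy
            # with builtInControls but no operator was accepted here and only failed later.
            # NOTE(review): customAuthenticationFactors is also a grant control and presumably
            # needs an operator as well — confirm before extending this check.
            if (($builtInControls -and -not $operator) -or ($termsOfUse -and -not $operator)) {
                throw "You need to provide an operator (AND or OR) if you want to use builtInControls or termsOfUse."
            }
        }
        catch {
            Write-PSFMessage -Level Error -String 'TMF.Register.PropertySetNotPossible' -StringValues $displayName, "ConditionalAccess" -Tag "failed" -ErrorRecord $_ -FunctionName $Cmdlet.CommandRuntime
            $Cmdlet.ThrowTerminatingError($_)
        }
    }
    process
    {
        if (Test-PSFFunctionInterrupt) { return }

        $object = [PSCustomObject] @{
            displayName = $displayName
            state = $state
            present = $present
            sourceConfig = $sourceConfig
        }

        if ($PSBoundParameters.ContainsKey("oldNames")) {
            Add-Member -InputObject $object -MemberType NoteProperty -Name "oldNames" -Value @($oldNames | ForEach-Object {Resolve-String $_})
        }
        
        # Copy only explicitly bound condition / grant-control parameters; unbound ones are left off
        # the object so downstream code can distinguish "not specified" from an empty value.
        @(
            "includeUsers", "excludeUsers", "includeGroups", "excludeGroups",
            "includeRoles", "includeApplications", "excludeApplications",
            "includeLocations", "excludeLocations", "includePlatforms", "excludePlatforms",
            "clientAppTypes", "userRiskLevels", "signInRiskLevels", "builtInControls",
            "customAuthenticationFactors", "operator", "termsOfUse"
        ) | ForEach-Object {
            if ($PSBoundParameters.ContainsKey($_)) {
                Add-Member -InputObject $object -MemberType NoteProperty -Name $_ -Value $PSBoundParameters[$_]
            }
        }

        # Properties() lists the NoteProperty names present on this object.
        Add-Member -InputObject $object -MemberType ScriptMethod -Name Properties -Value { ($this | Get-Member -MemberType NoteProperty).Name }

        if ($alreadyLoaded) {
            $script:desiredConfiguration[$resourceName][$script:desiredConfiguration[$resourceName].IndexOf($alreadyLoaded)] = $object
        }
        else {
            $script:desiredConfiguration[$resourceName] += $object
        }
    }
}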