functions/conditionalAccessPolicies/Test-TmfConditionalAccessPolicy.ps1

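function Test-TmfConditionalAccessPolicy
{
    <#
        .SYNOPSIS
            Test desired configuration against a Tenant.
        .DESCRIPTION
            Compare current configuration of a resource type with the desired configuration.
            Return a result object with the required changes and actions.

            Every definition in $script:desiredConfiguration["conditionalAccessPolicies"] is
            looked up in Microsoft Graph by displayName (plus any oldNames). Zero matches
            yield a Create / NoActionRequired result, exactly one match yields an
            Update / NoActionRequired / Delete result with the per-property changes, and
            more than one match is a terminating error because the target is ambiguous.
        .PARAMETER Cmdlet
            The calling cmdlet. Used for the Graph connection check, passed to the
            Resolve-* helpers and used as the target object of terminating errors.
            Defaults to $PSCmdlet.
        .OUTPUTS
            One object per definition, as returned by New-TestResult.
    #>

    [CmdletBinding()]
    Param (
        [System.Management.Automation.PSCmdlet]
        $Cmdlet = $PSCmdlet
    )
    
    begin
    {
        Test-GraphConnection -Cmdlet $Cmdlet
        $resourceName = "conditionalAccessPolicies"
        $tenant = Get-MgOrganization -Property displayName, Id
        
        # Maps the resource type named in a condition property (the "Users" in
        # "includeUsers") to the function that resolves a configured reference.
        # "DirectCompare" marks types whose values are compared as-is.
        $resolveFunctionMapping = @{
            "Users" = (Get-Command Resolve-User)
            "Groups" = (Get-Command Resolve-Group)
            "Applications" = (Get-Command Resolve-Application)
            "Roles" = (Get-Command Resolve-DirectoryRole)
            "Locations" = (Get-Command Resolve-NamedLocation)
            "Platforms" = "DirectCompare"
        }
        # Matches condition properties such as "includeUsers" / "excludeLocations";
        # group 2 captures the resource type used as key into $resolveFunctionMapping.
        $conditionPropertyRegex = [regex]"^(include|exclude)($($resolveFunctionMapping.Keys -join "|"))$"
    }
    process
    {
        foreach ($definition in $script:desiredConfiguration[$resourceName]) {
            # Expand string placeholders in place. "-is [string]" (instead of calling
            # GetType() on the value) tolerates properties whose value is $null.
            foreach ($property in $definition.Properties()) {
                if ($definition.$property -is [string]) {
                    $definition.$property = Resolve-String -Text $definition.$property
                }
            }

            $result = @{
                Tenant = $tenant.displayName
                TenantId = $tenant.Id
                ResourceType = 'ConditionalAccessPolicy'
                ResourceName = (Resolve-String -Text $definition.displayName)
                DesiredConfiguration = $definition
            }

            # Names the policy may currently carry: any oldNames first, then displayName.
            # @() keeps a single-string oldNames as one element; "+" on a bare string
            # would otherwise concatenate it with displayName into one bogus name.
            $lookupNames = @()
            if ("oldNames" -in $definition.Properties()) {
                $lookupNames += @($definition.oldNames)
            }
            $lookupNames += $definition.displayName

            # Build the OData $filter. Each name becomes a quoted OData string literal, so
            # an embedded single quote must be doubled ('') before URL encoding; otherwise
            # a name containing an apostrophe terminates the literal early and the filter
            # is malformed or matches something other than the intended policy.
            $filter = ($lookupNames | ForEach-Object {
                "(displayName eq '{0}')" -f [System.Web.HttpUtility]::UrlEncode(($_ -replace "'", "''"))
            }) -join " or "

            try {
                $resource = (Invoke-MgGraphRequest -Method GET -Uri ("$script:graphBaseUrl/identity/conditionalAccess/policies?`$filter={0}" -f $filter)).Value
            }
            catch {
                # Re-raise the failed query as a terminating error on the calling cmdlet.
                Write-PSFMessage -Level Warning -String 'TMF.Error.QueryWithFilterFailed' -StringValues $filter -Tag 'failed'
                $exception = New-Object System.Data.DataException("Query with filter $filter against Microsoft Graph failed. Error: $_")
                $errorID = 'QueryWithFilterFailed'
                $category = [System.Management.Automation.ErrorCategory]::NotSpecified
                $recordObject = New-Object System.Management.Automation.ErrorRecord($exception, $errorID, $category, $Cmdlet)
                $Cmdlet.ThrowTerminatingError($recordObject)
            }
            
            switch ($resource.Count) {
                0 {
                    # Policy does not exist: create it if desired, otherwise nothing to do.
                    if ($definition.present) {
                        $result = New-TestResult @result -ActionType "Create"
                    }
                    else {
                        $result = New-TestResult @result -ActionType "NoActionRequired"
                    }
                }
                1 {
                    $result["GraphResource"] = $resource
                    if ($definition.present) {
                        $changes = @()
                        # Meta properties that are not part of the Graph resource are skipped.
                        foreach ($property in ($definition.Properties() | Where-Object {$_ -notin "oldNames", "present", "sourceConfig"})) {
                            $change = [PSCustomObject] @{
                                Property = $property
                                Actions = $null
                            }

                            # Empty string when $property is not a condition property; it
                            # then falls through the mapping-based branches below.
                            $conditionPropertyMatch = $conditionPropertyRegex.Match($property)
                            $propertyTargetResourceType = $conditionPropertyMatch.Groups[2].Value

                            if ($propertyTargetResourceType -in @("Users", "Groups", "Roles")) {
                                # Users, groups and roles all live under conditions.users in Graph.
                                $change.Actions = Compare-ResourceList -ReferenceList $resource.conditions.users.$property `
                                                        -DifferenceList $($definition.$property | ForEach-Object {& $resolveFunctionMapping[$propertyTargetResourceType] -InputReference $_ -Cmdlet $Cmdlet}) `
                                                        -Cmdlet $PSCmdlet -ReturnSetAction
                            }
                            elseif ($propertyTargetResourceType -in $resolveFunctionMapping.Keys) {
                                # Other condition types sit under conditions.<type lowercased>,
                                # e.g. conditions.platforms.includePlatforms.
                                if ($resolveFunctionMapping[$propertyTargetResourceType] -eq "DirectCompare") {
                                    # @() turns a missing condition ($null) into an empty collection;
                                    # Compare-Object rejects $null for these parameters outright.
                                    if (Compare-Object -ReferenceObject @($resource.conditions.$($propertyTargetResourceType.toLower()).$property) -DifferenceObject @($definition.$property)) {
                                        $change.Actions = @{"Set" = $definition.$property}
                                    }
                                }
                                else {
                                    $change.Actions = Compare-ResourceList -ReferenceList $resource.conditions.$($propertyTargetResourceType.toLower()).$property `
                                                        -DifferenceList $($definition.$property | ForEach-Object {& $resolveFunctionMapping[$propertyTargetResourceType] -InputReference $_ -Cmdlet $Cmdlet}) `
                                                        -Cmdlet $PSCmdlet -ReturnSetAction
                                }
                            }
                            elseif ($property -in @("clientAppTypes", "userRiskLevels", "signInRiskLevels")) {
                                # List-valued conditions without a nested include/exclude object.
                                if (Compare-Object -ReferenceObject @($resource.conditions.$property) -DifferenceObject @($definition.$property)) {
                                    $change.Actions = @{"Set" = $definition.$property}
                                }
                            }
                            elseif ($property -in @("builtInControls", "customAuthenticationFactors", "operator")) {
                                if (Compare-Object -ReferenceObject @($resource.grantControls.$property) -DifferenceObject @($definition.$property)) {
                                    $change.Actions = @{"Set" = $definition.$property}
                                }
                            }
                            elseif ($property -eq "termsOfUse") {
                                # Terms of use are referenced by agreement; resolve the configured references first.
                                $change.Actions = Compare-ResourceList -ReferenceList $resource.grantControls.$property `
                                    -DifferenceList $($definition.$property | ForEach-Object {Resolve-Agreement -InputReference $_ -Cmdlet $Cmdlet}) `
                                    -Cmdlet $PSCmdlet -ReturnSetAction
                            }
                            else {
                                # Everything else is compared as a top-level property of the policy.
                                if ($definition.$property -ne $resource.$property) {
                                    $change.Actions = @{"Set" = $definition.$property}
                                }
                            }
                            if ($change.Actions) {$changes += $change}
                        }
    
                        if ($changes.count -gt 0) { $result = New-TestResult @result -Changes $changes -ActionType "Update"}
                        else { $result = New-TestResult @result -ActionType "NoActionRequired" }
                    }
                    else {
                        # Policy exists but is not desired.
                        $result = New-TestResult @result -ActionType "Delete"
                    }
                }
                default {
                    # More than one policy matched the displayName/oldNames filter; the target is ambiguous.
                    Write-PSFMessage -Level Warning -String 'TMF.Test.MultipleResourcesError' -StringValues $resourceName, $definition.displayName -Tag 'failed'
                    $exception = New-Object System.Data.DataException("Query returned multiple results. Cannot decide which resource to test.")
                    $errorID = 'MultipleResourcesError'
                    $category = [System.Management.Automation.ErrorCategory]::NotSpecified
                    $recordObject = New-Object System.Management.Automation.ErrorRecord($exception, $errorID, $category, $Cmdlet)
                    $Cmdlet.ThrowTerminatingError($recordObject)
                }
            }
            
            $result
        }
    }
}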