functions/conditionalAccessPolicies/Register-TmfConditionalAccessPolicy.ps1
function Register-TmfConditionalAccessPolicy { [CmdletBinding()] Param ( [Parameter(Mandatory = $true)] [string] $displayName, [string[]] $oldNames, # Conditions [string[]] $includeUsers, [string[]] $excludeUsers, [string[]] $includeGroups, [string[]] $excludeGroups, [string[]] $includeRoles, [string[]] $excludeRoles, [string[]] $includeApplications, [string[]] $excludeApplications, [string[]] $includeLocations, [string[]] $excludeLocations, [ValidateSet("android", "iOS", "windows", "windowsPhone", "macOS", "all")] [string[]] $includePlatforms, [ValidateSet("android", "iOS", "windows", "windowsPhone", "macOS", "all")] [string[]] $excludePlatforms, [ValidateSet("all", "browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "easSupported", "other")] [string[]] $clientAppTypes, [ValidateSet("low", "medium", "high", "hidden", "none")] [string[]] $userRiskLevels, [ValidateSet("low", "medium", "high", "hidden", "none")] [string[]] $signInRiskLevels, # Grant Controls [ValidateSet("block", "mfa", "compliantDevice", "domainJoinedDevice", "approvedApplication", "compliantApplication", "passwordChange", "unknownFutureValue")] [string[]] $builtInControls, [string[]] $customAuthenticationFactors, [ValidateSet("AND", "OR")] [string] $operator, [string[]] $termsOfUse, [Parameter(Mandatory = $true)] [ValidateSet("enabled", "disabled", "enabledForReportingButNotEnforced")] [string] $state, [bool] $present = $true, [string] $sourceConfig = "<Custom>", [System.Management.Automation.PSCmdlet] $Cmdlet = $PSCmdlet ) begin { $resourceName = "conditionalAccessPolicies" if (!$script:desiredConfiguration[$resourceName]) { $script:desiredConfiguration[$resourceName] = @() } if ($script:desiredConfiguration[$resourceName].displayName -contains $displayName) { $alreadyLoaded = $script:desiredConfiguration[$resourceName] | Where-Object {$_.displayName -eq $displayName} } try { if (($buildInControls -and -not $operator) -or ($termsOfUse -and -not $operator)) { throw "You need to provide an operator (AND or OR) if you want to use buildInControls or termsofUse." } } catch { Write-PSFMessage -Level Error -String 'TMF.Register.PropertySetNotPossible' -StringValues $displayName, "ConditionalAccess" -Tag "failed" -ErrorRecord $_ -FunctionName $Cmdlet.CommandRuntime $cmdlet.ThrowTerminatingError($_) } } process { if (Test-PSFFunctionInterrupt) { return } $object = [PSCustomObject] @{ displayName = $displayName state = $state present = $present sourceConfig = $sourceConfig } if ($PSBoundParameters.ContainsKey("oldNames")) { Add-Member -InputObject $object -MemberType NoteProperty -Name "oldNames" -Value @($oldNames | ForEach-Object {Resolve-String $_}) } @( "includeUsers", "excludeUsers", "includeGroups", "excludeGroups", "includeRoles", "excludeRoles", "includeApplications", "excludeApplications", "includeLocations", "excludeLocations", "includePlatforms", "excludePlatforms", "clientAppTypes", "userRiskLevels", "signInRiskLevels", "builtInControls", "customAuthenticationFactors", "operator", "termsOfUse" ) | ForEach-Object { if ($PSBoundParameters.ContainsKey($_)) { Add-Member -InputObject $object -MemberType NoteProperty -Name $_ -Value $PSBoundParameters[$_] } } Add-Member -InputObject $object -MemberType ScriptMethod -Name Properties -Value { ($this | Get-Member -MemberType NoteProperty).Name } if ($alreadyLoaded) { $script:desiredConfiguration[$resourceName][$script:desiredConfiguration[$resourceName].IndexOf($alreadyLoaded)] = $object } else { $script:desiredConfiguration[$resourceName] += $object } } } |