functions/conditionalAccessPolicies/Invoke-TmfConditionalAccessPolicy.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
function Invoke-TmfConditionalAccessPolicy
{
    <#
        .SYNOPSIS
            Performs the required actions for a resource type against the connected Tenant.
    #>

    [CmdletBinding()]
    Param (
        [System.Management.Automation.PSCmdlet]
        $Cmdlet = $PSCmdlet
    )
    
    begin
    {
        $resourceName = "conditionalAccessPolicies"
        if (!$script:desiredConfiguration[$resourceName]) {
            Stop-PSFFunction -String "TMF.NoDefinitions" -StringValues "ConditionalAccessPolicy"
            return
        }
        Test-GraphConnection -Cmdlet $Cmdlet

        $resolveFunctionMapping = @{
            "Users" = (Get-Command Resolve-User)
            "Groups" = (Get-Command Resolve-Group)
            "Applications" = (Get-Command Resolve-Application)
            "Roles" = (Get-Command Resolve-DirectoryRoleTemplate)
            "Locations" = (Get-Command Resolve-NamedLocation)
            "Platforms" = "DirectCompare"
        }
        $conditionPropertyRegex = [regex]"^(include|exclude)($($resolveFunctionMapping.Keys -join "|"))$"
    }
    process
    {
        if (Test-PSFFunctionInterrupt) { return }
        $testResults = Test-TmfConditionalAccessPolicy -Cmdlet $Cmdlet

        foreach ($result in $testResults) {
            Beautify-TmfTestResult -TestResult $result -FunctionName $MyInvocation.MyCommand
            switch ($result.ActionType) {
                "Create" {
                    $requestUrl = "$script:graphBaseUrl/identity/conditionalAccess/policies"
                    $requestMethod = "POST"
                    $requestBody = @{                        
                        "displayName" = $result.DesiredConfiguration.displayName
                        "state" = $result.DesiredConfiguration.state
                        "conditions" = @{}
                    }
                    try {
                        
                        foreach ($property in ($result.DesiredConfiguration.Properties() | Where-Object {$_ -notin @("displayName", "state", "present", "sourceConfig")})) {
                            $conditionPropertyMatch = $conditionPropertyRegex.Match($property)
                            if ($conditionPropertyMatch.Success) {
                                # Condition properties
                                if ($conditionPropertyMatch.Groups[2].Value -in @("Users", "Groups", "Roles")) {
                                    $conditionChildProperty = "users"    
                                }
                                else {
                                    $conditionChildProperty = $conditionPropertyMatch.Groups[2].Value.ToLower()
                                }
                                
                                if (-Not $requestBody["conditions"][$conditionChildProperty]) { $requestBody["conditions"][$conditionChildProperty] = @{} }
                                if ($resolveFunctionMapping[$conditionPropertyMatch.Groups[2].Value] -eq "DirectCompare") {
                                    $requestBody["conditions"][$conditionChildProperty][$property] = @($result.DesiredConfiguration.$property)
                                }
                                else {
                                    $requestBody["conditions"][$conditionChildProperty][$property] = @($result.DesiredConfiguration.$property | ForEach-Object { & $resolveFunctionMapping[$conditionPropertyMatch.Groups[2].Value] -InputReference $_})                                
                                }                                
                            }
                            elseif ($property -in @("clientAppTypes", "signInRiskLevels", "userRiskLevels")) {
                                $requestBody["conditions"][$property] = $result.DesiredConfiguration.$property
                            }
                            elseif ($property -in @("operator", "builtInControls", "customAuthenticationFactors", "termsOfUse")) {
                                if (-Not $requestBody["grantControls"]) { $requestBody["grantControls"] = @{} }                                
                                if ($property -eq "termsOfUse") {
                                    $requestBody["grantControls"][$property] = @($result.DesiredConfiguration.$property | ForEach-Object {Resolve-Agreement -InputReference $_ -Cmdlet $Cmdlet})
                                }
                                else {
                                    $requestBody["grantControls"][$property] = $result.DesiredConfiguration.$property
                                }
                            }
                        }
                        
                        $requestBody = $requestBody | ConvertTo-Json -ErrorAction Stop -Depth 8
                        Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequestWithBody" -StringValues $requestMethod, $requestUrl, $requestBody
                        Invoke-MgGraphRequest -Method $requestMethod -Uri $requestUrl -Body $requestBody | Out-Null
                    }
                    catch {
                        Write-PSFMessage -Level Error -String "TMF.Invoke.ActionFailed" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, $result.ActionType
                        throw $_
                    }
                }
                "Delete" {
                    $requestUrl = "$script:graphBaseUrl/identity/conditionalAccess/policies/{0}" -f $result.GraphResource.Id
                    $requestMethod = "DELETE"
                    try {
                        Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequest" -StringValues $requestMethod, $requestUrl
                        Invoke-MgGraphRequest -Method $requestMethod -Uri $requestUrl
                    }
                    catch {
                        Write-PSFMessage -Level Error -String "TMF.Invoke.ActionFailed" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, $result.ActionType
                        throw $_
                    }
                }
                "Update" {                    
                    $requestUrl = "$script:graphBaseUrl/identity/conditionalAccess/policies/{0}" -f $result.GraphResource.Id
                    $requestMethod = "PATCH"
                    $requestBody = @{}
                    try {
                        foreach ($change in $result.Changes) {
                            $conditionPropertyMatch = $conditionPropertyRegex.Match($change.property)
                            foreach ($action in $change.Actions.Keys) {
                                switch ($action) {
                                    "Set" {
                                        if ($conditionPropertyMatch.Success) {
                                            if (-Not $requestBody["conditions"]) { $requestBody["conditions"] = @{} }
                                            # Condition properties
                                            if ($conditionPropertyMatch.Groups[2].Value -in @("Users", "Groups", "Roles")) {
                                                $conditionChildProperty = "users"    
                                            }
                                            else {
                                                $conditionChildProperty = $conditionPropertyMatch.Groups[2].Value.ToLower()
                                            }
                                            
                                            if (-Not $requestBody["conditions"][$conditionChildProperty]) { $requestBody["conditions"][$conditionChildProperty] = @{} }
                                            $requestBody["conditions"][$conditionChildProperty][$change.property] = @($change.Actions[$action])
                                        }
                                        elseif ($change.property -in @("clientAppTypes", "signInRiskLevels", "userRiskLevels")) {
                                            if (-Not $requestBody["conditions"]) { $requestBody["conditions"] = @{} }
                                            $requestBody["conditions"][$change.property] = $change.Actions[$action]
                                        }
                                        elseif ($change.property -in @("operator", "builtInControls", "customAuthenticationFactors", "termsOfUse")) {
                                            if (-Not $requestBody["grantControls"]) { $requestBody["grantControls"] = @{} }
                                            $requestBody["grantControls"][$change.property] = $change.Actions[$action]
                                        }
                                        else {
                                            $requestBody[$change.property] = $change.Actions[$action]
                                        }
                                    }                                    
                                }
                            }
                        }

                        if ($requestBody.Keys -gt 0) {
                            $requestBody = $requestBody | ConvertTo-Json -ErrorAction Stop -Depth 8
                            Write-PSFMessage -Level Verbose -String "TMF.Invoke.SendingRequestWithBody" -StringValues $requestMethod, $requestUrl, $requestBody
                            Invoke-MgGraphRequest -Method $requestMethod -Uri $requestUrl -Body $requestBody
                        }
                    }
                    catch {
                        Write-PSFMessage -Level Error -String "TMF.Invoke.ActionFailed" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, $result.ActionType
                        throw $_
                    }
                }
                "NoActionRequired" { }
                default {
                    Write-PSFMessage -Level Warning -String "TMF.Invoke.ActionTypeUnknown" -StringValues $result.ActionType
                }                
            }
            Write-PSFMessage -Level Host -String "TMF.Invoke.ActionCompleted" -StringValues $result.Tenant, $result.ResourceType, $result.ResourceName, (Get-ActionColor -Action $result.ActionType), $result.ActionType
        }        
    }
    end
    {
        
    }
}