Merge branch 'Dev' into fix/permissions

Author: FabienTschanz

CHANGELOG.md

@@ -6,6 +6,18 @@
   * Fixed an issue where empty `PolicyRules` would throw an exception during Get.
 * EXOPlace
   * Fixes an issue with the export where it was trying to export RoomList.
+* IntuneAppConfigurationDevicePolicy
+  * Added error handling with message if targeted app doesn't exist.
+* IntuneAppProtectionPolicyAndroid
+  * Fixed several issues when creating and updating the policy.
+    FIXES [#6746](https://github.com/microsoft/Microsoft365DSC/issues/6746)
+* IntuneAppProtectionPolicyiOS
+  * Fixed several issues when creating and updating the policy.
+* IntuneAzureNetworkConnectionWindows365
+  * Fixed the name of the Azure permission provider.
+* IntuneDeviceCompliancePolicyAndroidDeviceOwner
+  * Fixed an issue where a JSON serialization warning was outputted
+    due to the object depth exceeding two levels.
 * TeamsChannel
   * Updated required permissions for read / update.
 * TeamsEmergencyCallRoutingPolicy

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationDevicePolicy/MSFT_IntuneAppConfigurationDevicePolicy.psm1

@@ -204,7 +204,13 @@ function Get-TargetResource
         $targetedApps = @()
         foreach ($targetedApp in $getValue.TargetedMobileApps)
         {
-            $app = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $targetedApp
+            $app = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $targetedApp -ErrorAction SilentlyContinue
+            if ($null -eq $app)
+            {
+                Write-Warning -Message "App [$targetedApp] was not found. Please make sure the targeted app exists."
+                continue
+            }
+
             if ($platform -eq 'android')
             {
                 $targetedApps += $app.AdditionalProperties.packageId

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/MSFT_IntuneAppProtectionPolicyAndroid.psm1

@@ -445,9 +445,12 @@ function Get-TargetResource
         $policyApps = Get-MgBetaDeviceAppManagementAndroidManagedAppProtectionApp -AndroidManagedAppProtectionId $Id
 
         $appsArray = @()
-        foreach ($app in $policyApps)
+        if ($policy.AppGroupType -eq 'selectedPublicApps')
         {
-            $appsArray += $app.MobileAppIdentifier.AdditionalProperties.packageId
+            foreach ($app in $policyApps)
+            {
+                $appsArray += $app.MobileAppIdentifier.AdditionalProperties.packageId
+            }
         }
 
         $assignmentsValues = Get-MgBetaDeviceAppManagementAndroidManagedAppProtectionAssignment -AndroidManagedAppProtectionId $policy.Id
@@ -1017,7 +1020,7 @@ function Set-TargetResource
     $BoundParameters.CustomBrowserDisplayName = $ManagedBrowserValuesHash.CustomBrowserDisplayName
     $BoundParameters.CustomBrowserPackageId = $ManagedBrowserValuesHash.CustomBrowserPackageId
 
-    if (($Ensure -eq 'Present') -and ($currentPolicy.Ensure -eq 'Absent'))
+    if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent')
     {
         $createParameters = ([Hashtable]$BoundParameters).Clone()
         $createParameters.Remove('Id') | Out-Null
@@ -1029,9 +1032,9 @@ function Set-TargetResource
 
         if ($newPolicy.Id)
         {
-            Write-Verbose -Message "Update targetApps for Android App Protection Policy with Id {$($newpolicy.Id)} and DisplayName {$DisplayName}"
-            $targetApps = Get-IntuneAppProtectionPolicyAndroidAppsToHashtable -Apps $Apps
-            $Url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/deviceAppManagement/androidManagedAppProtections('$($policy.Id)')/targetApps"
+            Write-Verbose -Message "Update targetApps for Android App Protection Policy with Id {$($newPolicy.Id)} and DisplayName {$DisplayName}"
+            $targetApps = Get-IntuneAppProtectionPolicyAndroidAppsToHashtable -Apps $Apps -AppGroupType $AppGroupType
+            $Url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/deviceAppManagement/androidManagedAppProtections('$($newPolicy.Id)')/targetApps"
             Invoke-MgGraphRequest -Method POST -Uri $Url -Body $targetApps
 
             $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
@@ -1041,7 +1044,7 @@ function Set-TargetResource
                 -Repository 'deviceAppManagement/androidManagedAppProtections'
         }
     }
-    elseif (($Ensure -eq 'Present') -and ($currentPolicy.Ensure -eq 'Present'))
+    elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present')
     {
         $updateParameters = ([Hashtable]$BoundParameters).Clone()
         $updateParameters.Remove('Id') | Out-Null
@@ -1052,7 +1055,7 @@ function Set-TargetResource
         Update-MgBetaDeviceAppManagementAndroidManagedAppProtection -AndroidManagedAppProtectionId $currentPolicy.Id -BodyParameter $updateParameters
 
         Write-Verbose -Message "Update targetApps for Android App Protection Policy with Id {$($currentPolicy.Id)} and DisplayName {$DisplayName}"
-        $targetApps = Get-IntuneAppProtectionPolicyAndroidAppsToHashtable -Apps $Apps
+        $targetApps = Get-IntuneAppProtectionPolicyAndroidAppsToHashtable -Apps $Apps -AppGroupType $AppGroupType
         $Url = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "beta/deviceAppManagement/androidManagedAppProtections('$($currentPolicy.Id)')/targetApps"
         Invoke-MgGraphRequest -Method POST -Uri $Url -Body $targetApps
 
@@ -1457,8 +1460,17 @@ function Test-TargetResource
     Add-M365DSCTelemetryEvent -Data $data
     #endregion
 
+    $postProcessingScript = {
+        param($DesiredValues, $CurrentValues, $ValuesToCheck, $ignore)
+        if ($DesiredValues.AppGroupType -ne 'SelectedPublicApps')
+        {
+            $ValuesToCheck.Remove('Apps')
+        }
+        return [System.Tuple[Hashtable, Hashtable, Hashtable]]::new($DesiredValues, $CurrentValues, $ValuesToCheck)
+    }
     $result = Test-M365DSCTargetResource -DesiredValues $PSBoundParameters `
-                                         -ResourceName $($MyInvocation.MyCommand.Source).Replace('MSFT_', '')
+                                         -ResourceName $($MyInvocation.MyCommand.Source).Replace('MSFT_', '') `
+                                         -PostProcessing $postProcessingScript
     return $result
 }
 
@@ -1611,26 +1623,67 @@ function Get-IntuneAppProtectionPolicyAndroidAppsToHashtable
 {
     [CmdletBinding()]
     [OutputType([System.Collections.Hashtable])]
-    param(
+    param
+    (
         [Parameter(Mandatory = $true)]
+        [AllowEmptyCollection()]
         [System.String[]]
-        $Apps
+        $Apps,
+
+        [Parameter(Mandatory = $true)]
+        [ValidateSet('selectedPublicApps', 'allCoreMicrosoftApps', 'allMicrosoftApps','allApps')]
+        [System.String]
+        $AppGroupType
     )
 
     $formattedApps = @()
+    $allApps = (Get-MgBetaDeviceAppManagementManagedAppStatus -ManagedAppStatusId managedAppList).AdditionalProperties.content.appList | Where-Object {
+        $_.appIdentifier.'@odata.type' -eq '#microsoft.graph.androidMobileAppIdentifier'
+    }
+
+    switch ($AppGroupType)
+    {
+        'selectedPublicApps'
+        {
+            if ($Apps.Count -eq 0)
+            {
+                throw "AppGroupType is set to 'selectedPublicApps' but no Apps were provided."
+            }
+        }
+        'allCoreMicrosoftApps'
+        {
+            $Apps = $allApps | Where-Object appGroups -EQ 'coreMicrosoft' | ForEach-Object {
+                $_.appIdentifier.bundleId
+            }
+        }
+        'allMicrosoftApps'
+        {
+            $Apps = $allApps | Where-Object appGroups -EQ 'microsoft' | ForEach-Object {
+                $_.appIdentifier.bundleId
+            }
+        }
+        'allApps'
+        {
+            $Apps = $allApps | ForEach-Object {
+                $_.appIdentifier.bundleId
+            }
+        }
+    }
+
     foreach ($app in $Apps)
     {
         $formattedApps += @{
             id                  = $app + '.android'
             mobileAppIdentifier = @{
-                '@odata.type' = '#microsoft.graph.AndroidMobileAppIdentifier'
+                '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'
                 packageId     = $app
             }
         }
     }
 
     return @{
         apps = $formattedApps
+        appGroupType = $AppGroupType
     }
 }
 

Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppProtectionPolicyAndroid/settings.json

@@ -70,6 +70,7 @@
         "Get-MgBetaDeviceAppManagementAndroidManagedAppProtection",
         "Get-MgBetaDeviceAppManagementAndroidManagedAppProtectionApp",
         "Get-MgBetaDeviceAppManagementAndroidManagedAppProtectionAssignment",
+        "Get-MgBetaDeviceAppManagementManagedAppStatus",
         "New-MgBetaDeviceAppManagementAndroidManagedAppProtection",
         "Remove-MgBetaDeviceAppManagementAndroidManagedAppProtection",
         "Update-MgBetaDeviceAppManagementAndroidManagedAppProtection"
@@ -82,4 +83,4 @@
       ]
     }
   ]
-}
+}