Skip to content

Commit

Permalink
Merge pull request #5291 from NikCharlebois/AADNetworkAccessSettingCr…
Browse files Browse the repository at this point in the history
…ossTenantAccess

AADNetworkAccessSettingCrossTenantAccess - Initial Release
  • Loading branch information
NikCharlebois authored Oct 29, 2024
2 parents 0cab350 + bfe6714 commit 05cabc0
Show file tree
Hide file tree
Showing 9 changed files with 596 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,8 @@
* Fixed issue where duplicate names were not detected correctly.
* AADNetworkAccessForwardingProfile
* Initial release.
* AADNetworkAccessSettingCrossTenantAccess
* Initial release.
* AADOrganizationCertificateBasedAuthConfiguration
* Initial release.
* AADSocialIdentityProvider
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ function Get-TargetResource
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion

$nullResults = $PSBoundParameters
try
{
$instance = Get-MgBetaNetworkAccessSettingEnrichedAuditLog
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,307 @@
function Get-TargetResource
{
[CmdletBinding()]
[OutputType([System.Collections.Hashtable])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,

[Parameter()]
[System.String]
$NetworkPacketTaggingStatus,

[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,

[Parameter()]
[System.String]
$ApplicationId,

[Parameter()]
[System.String]
$TenantId,

[Parameter()]
[System.String]
$CertificateThumbprint,

[Parameter()]
[Switch]
$ManagedIdentity,

[Parameter()]
[System.String[]]
$AccessTokens
)

New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters | Out-Null

#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies

#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion

$nullResult = $PSBoundParameters
try
{
$instance = Get-MgBetaNetworkAccessSettingCrossTenantAccess
$results = @{
IsSingleInstance = 'Yes'
NetworkPacketTaggingStatus = $instance.NetworkPacketTaggingStatus
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}
return [System.Collections.Hashtable] $results
}
catch
{
Write-Verbose -Message $_
New-M365DSCLogEntry -Message 'Error retrieving data:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

return $nullResult
}
}

function Set-TargetResource
{
[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,

[Parameter(Mandatory = $true)]
[System.String]
$NetworkPacketTaggingStatus,

[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,

[Parameter()]
[System.String]
$ApplicationId,

[Parameter()]
[System.String]
$TenantId,

[Parameter()]
[System.String]
$CertificateThumbprint,

[Parameter()]
[Switch]
$ManagedIdentity,

[Parameter()]
[System.String[]]
$AccessTokens
)

$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters

#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies

#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion

Write-Verbose -Message "Updating the Cross Tenant Access Settings"
Update-MgBetaNetworkAccessSettingCrossTenantAccess -NetworkPacketTaggingStatus $NetworkPacketTaggingStatus
}

function Test-TargetResource
{
[CmdletBinding()]
[OutputType([System.Boolean])]
param
(
[Parameter(Mandatory = $true)]
[System.String]
$IsSingleInstance,

[Parameter(Mandatory = $true)]
[System.String]
$NetworkPacketTaggingStatus,

[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,

[Parameter()]
[System.String]
$ApplicationId,

[Parameter()]
[System.String]
$TenantId,

[Parameter()]
[System.String]
$CertificateThumbprint,

[Parameter()]
[Switch]
$ManagedIdentity,

[Parameter()]
[System.String[]]
$AccessTokens
)

#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies

#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion

$CurrentValues = Get-TargetResource @PSBoundParameters
$ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone()

Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"

$testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
-Source $($MyInvocation.MyCommand.Source) `
-DesiredValues $PSBoundParameters `
-ValuesToCheck $ValuesToCheck.Keys

Write-Verbose -Message "Test-TargetResource returned $testResult"

return $testResult
}

function Export-TargetResource
{
[CmdletBinding()]
[OutputType([System.String])]
param
(
[Parameter()]
[System.Management.Automation.PSCredential]
$Credential,

[Parameter()]
[System.String]
$ApplicationId,

[Parameter()]
[System.String]
$TenantId,

[Parameter()]
[System.Management.Automation.PSCredential]
$ApplicationSecret,

[Parameter()]
[System.String]
$CertificateThumbprint,

[Parameter()]
[Switch]
$ManagedIdentity,

[Parameter()]
[System.String[]]
$AccessTokens
)

$ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
-InboundParameters $PSBoundParameters

#Ensure the proper dependencies are installed in the current environment.
Confirm-M365DSCDependencies

#region Telemetry
$ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
$CommandName = $MyInvocation.MyCommand
$data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
-CommandName $CommandName `
-Parameters $PSBoundParameters
Add-M365DSCTelemetryEvent -Data $data
#endregion

try
{
$Script:ExportMode = $true

if ($null -ne $Global:M365DSCExportResourceInstancesCount)
{
$Global:M365DSCExportResourceInstancesCount++
}

$params = @{
IsSingleInstance = 'Yes'
Credential = $Credential
ApplicationId = $ApplicationId
TenantId = $TenantId
CertificateThumbprint = $CertificateThumbprint
ManagedIdentity = $ManagedIdentity.IsPresent
AccessTokens = $AccessTokens
}

$Results = Get-TargetResource @Params
$Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
-Results $Results

$currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
-ConnectionMode $ConnectionMode `
-ModulePath $PSScriptRoot `
-Results $Results `
-Credential $Credential
$dscContent += $currentDSCBlock
Save-M365DSCPartialExport -Content $currentDSCBlock `
-FileName $Global:PartialExportFileName
$i++
Write-Host $Global:M365DSCEmojiGreenCheckMark
return $dscContent
}
catch
{
Write-Host $Global:M365DSCEmojiRedX

New-M365DSCLogEntry -Message 'Error during Export:' `
-Exception $_ `
-Source $($MyInvocation.MyCommand.Source) `
-TenantId $TenantId `
-Credential $Credential

return ''
}
}

Export-ModuleMember -Function *-TargetResource
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
[ClassVersion("1.0.0.0"), FriendlyName("AADNetworkAccessSettingCrossTenantAccess")]
class MSFT_AADNetworkAccessSettingCrossTenantAccess : OMI_BaseResource
{
[Key, Description("Only valid value is 'Yes'."), ValueMap{"Yes"}, Values{"Yes"}] String IsSingleInstance;
[Write, Description("Enable Tenant Restrictions for Entra ID (covering all cloud apps). Accepted values are enabled or disabled.")] String NetworkPacketTaggingStatus;
[Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
[Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
[Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
[Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
[Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
[Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
[Write, Description("Access token used for authentication.")] String AccessTokens[];
};
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@

# AADNetworkAccessSettingCrossTenantAccess

## Description

Configures the universal tenant restrictions in Entra Id
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
{
"resourceName": "AADNetworkAccessSettingCrossTenantAccess",
"description": "Configures the universal tenant restrictions in Entra Id.",
"roles": {
"read": [],
"update": []
},
"permissions": {
"graph": {
"delegated": {
"read": [],
"update": []
},
"application": {
"read": [
{
"name": "NetworkAccess.Read.All"
}
],
"update": [
{
"name": "NetworkAccess.ReadWrite.All"
}
]
}
}
}
}
Loading

0 comments on commit 05cabc0

Please sign in to comment.