microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Is it possible to programmatically link assignments for Intune Policies? #2947

Open powershellpr0mpt opened 1 year ago

powershellpr0mpt commented 1 year ago

When creating a Windows 10 Compliance Policy in Intune, I can easily do that using the provided resources. The same goes for an Azure AD Group.

I want to automatically assign this policy to a group which I will create in the same configuration. However the Assignments property requires the groupId property to assign the policy to a group.

Is there any way to link these 2 without knowing the groupId in advance?

Example configuration

# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
    [parameter()]
    [System.Management.Automation.PSCredential]
    $Credential
)

configuration CompliancePolicy {
    param (
        [parameter()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    if ($null -eq $Credential)
    {
        <# Credentials #>
        $Credscredential = Get-Credential -Message "Credentials"

    }
    else
    {
        $CredsCredential = $Credential
    }

    $OrganizationName = $CredsCredential.UserName.Split('@')[1]

    Import-DscResource -ModuleName 'Microsoft365DSC'

    node localhost {
        IntuneDeviceCompliancePolicyWindows10 "Test-Windows10-Compliance-policy"
        {
            ActiveFirewallRequired                      = $False;
            AntiSpywareRequired                         = $False;
            AntivirusRequired                           = $False;
            Assignments                                 = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = '<Get groupId from dependant created group>'
                });
            BitLockerEnabled                            = $True;
            CodeIntegrityEnabled                        = $True;
            ConfigurationManagerComplianceRequired      = $False;
            DefenderEnabled                             = $False;
            Description                                 = "This is the default compliance policy for all Windows 10 devices.";
            DeviceThreatProtectionEnabled               = $True;
            DeviceThreatProtectionRequiredSecurityLevel = "medium";
            DisplayName                                 = "Test-Windows10-Compliance-policy";
            EarlyLaunchAntiMalwareDriverEnabled         = $False;
            PasswordBlockSimple                         = $True;
            PasswordMinimumCharacterSetCount            = 2;
            PasswordMinutesOfInactivityBeforeLock       = 5;
            PasswordRequired                            = $True;
            PasswordRequiredToUnlockFromIdle            = $False;
            PasswordRequiredType                        = "alphanumeric";
            RequireHealthyDeviceReport                  = $False;
            RTPEnabled                                  = $False;
            SecureBootEnabled                           = $True;
            SignatureOutOfDate                          = $False;
            StorageRequireEncryption                    = $True;
            ValidOperatingSystemBuildRanges             = @();
            Credential                                  = $Credscredential;
            Ensure                                      = "Present";
            DependsOn                                   = "[AADGroup]W10-Compliance"
        }
        AADGroup "W10-Compliance" {
            DisplayName     = "W10-Compliance"
            MailNickname    = "W10-Compliance"
            Description     = 'W10-Compliance group'
            GroupTypes      = @()
            MailEnabled     = $False
            SecurityEnabled = $True
            Credential      = $Credscredential;
            Ensure          = "Present";
        }
    }
}

CompliancePolicy

andikrueger commented 1 year ago

This is one of the challenges with objects within M365 and Azure. The ID of those is created during the initial add of the resource. We see this challenge across various resources on how to handle the need to have a unique ID for objects that might not exist in the first place... see 2006 for more information about the challenge of handling keys within resources.

I can think of two possible solutions for your challenge.

  1. Add a function to the configuration. This function would grab the ID of a group based on the display name.
  2. Rewrite the resource to support either GUIDs or DisplayNames to reference a group.

The second option would also help in scenarios with exporting/import use-cases.
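The first option from the comment above, as an added example that is not code from the issue or from the Microsoft365DSC project: a helper that resolves a group's object ID from its display name with Get-MgGroup (the Microsoft.Graph.Groups module is assumed to be installed and the account is assumed to sign in interactively), and a trimmed configuration that takes the resolved ID as a parameter instead of a hard-coded GUID. Because the lookup runs when the MOF is compiled, the group must already exist in the tenant; on a fresh tenant, apply the AADGroup resource first and recompile. The helper doubles up quotes in the display name before building the OData filter, and it stops when zero or several groups match, so a policy can never be assigned to an unintended group because of a duplicate display name.

```powershell
# Added example, not from the issue or the Microsoft365DSC project.
# Resolves an Azure AD group's object ID from its display name at MOF compile time
# and passes it to the compliance policy assignment. Requires Microsoft.Graph.Groups.

function Get-GroupIdByDisplayName {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]$DisplayName
    )

    # Double up single quotes so a display name cannot alter the OData filter.
    $escaped = $DisplayName.Replace("'", "''")
    $groups  = @(Get-MgGroup -Filter "displayName eq '$escaped'" -Property Id, DisplayName)

    # Fail closed: a policy assigned to the wrong group is worse than a failed compile.
    if ($groups.Count -eq 0) {
        throw "Group '$DisplayName' does not exist yet; apply the group resource first, then recompile."
    }
    if ($groups.Count -gt 1) {
        throw "Display name '$DisplayName' is ambiguous ($($groups.Count) groups match); refusing to guess."
    }
    return $groups[0].Id
}

configuration CompliancePolicyWithLookup {
    param (
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory)]
        [string]
        $AssignmentGroupId   # resolved before compilation, see the bottom of this file
    )

    Import-DscResource -ModuleName 'Microsoft365DSC'

    node localhost {
        AADGroup 'W10-Compliance' {
            DisplayName     = 'W10-Compliance'
            MailNickname    = 'W10-Compliance'
            Description     = 'W10-Compliance group'
            GroupTypes      = @()
            MailEnabled     = $false
            SecurityEnabled = $true
            Credential      = $Credential
            Ensure          = 'Present'
        }

        # Only the key property and a few settings are kept here for brevity.
        IntuneDeviceCompliancePolicyWindows10 'Test-Windows10-Compliance-policy' {
            DisplayName       = 'Test-Windows10-Compliance-policy'
            BitLockerEnabled  = $true
            SecureBootEnabled = $true
            PasswordRequired  = $true
            Assignments       = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments {
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId  = $AssignmentGroupId
                }
            )
            Credential = $Credential
            Ensure     = 'Present'
            DependsOn  = '[AADGroup]W10-Compliance'
        }
    }
}

# Compile-time lookup: a read-only scope is enough to resolve the ID (least privilege).
Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null
$groupId = Get-GroupIdByDisplayName -DisplayName 'W10-Compliance'

# Compiles the MOF with the resolved ID; apply it afterwards with Start-DscConfiguration.
CompliancePolicyWithLookup -Credential (Get-Credential -Message 'M365 admin') -AssignmentGroupId $groupId
```

The throw on an ambiguous display name is deliberate: display names are not unique in Azure AD, so a name-based lookup that silently takes the first match would let a second group with the same name hijack the assignment.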

powershellpr0mpt commented 1 year ago

That's what I feared... But it makes a lot of sense.

For future reference, I'll tag #2006 for easy reference. Also, I'll be looking into option 2, but fear this might take a while (I only just started playing with M365DSC a month ago, and still need to find out exactly how the moving parts interact).

I see a lot of potential when I can get this to work, as it can be re-used in a lot of other resources, but I'm not fully familiar with the process yet. Thanks for the heads up @andikrueger