Mikael Karlsson
2023-12-18 19:37:17 +11:00
parent 83c845fc33
commit 6ac211a2bf
4 changed files with 382 additions and 146 deletions


@@ -12,7 +12,7 @@
RootModule = 'CloudAPIPowerShellManagement.psm1'
# Version number of this module.
ModuleVersion = '3.9.3'
ModuleVersion = '3.9.4'
# Supported PSEditions
# CompatiblePSEditions = @()


@@ -10,7 +10,7 @@ This module will also document some objects based on PowerShell functions
function Get-ModuleVersion
{
'1.6.2'
'1.6.3'
}
function Invoke-InitializeModule
@@ -2241,6 +2241,137 @@ function Invoke-CDDocumentConditionalAccess
Add-BasicAdditionalValues $obj $objectType
$includeLabel = Get-LanguageString "AzureCA.userSelectionBladeIncludeTabTitle"
$excludeLabel = Get-LanguageString "AzureCA.userSelectionBladeExcludeTabTitle"
if($obj.conditions.clientApplications.includeServicePrincipals -or $obj.conditions.clientApplications.excludeServicePrincipals)
{
###################################################
# Workload
###################################################
$ids = @()
foreach($id in ($obj.conditions.clientApplications.includeServicePrincipals + $obj.conditions.clientApplications.excludeServicePrincipals))
{
if($id -in $ids) { continue }
elseif($id -eq "ServicePrincipalsInMyTenant") { continue }
$ids += $id
}
$category = Get-LanguageString "AzureCA.workloadIdentities"
$idInfo = $null
if($ids.Count -gt 0)
{
$ht = @{}
$ht.Add("ids", @($ids | Unique))
$body = $ht | ConvertTo-Json
# ToDo: Get from MigFile for Offline
$idInfo = (Invoke-GraphRequest -Url "/directoryObjects/getByIds?`$select=displayName,id" -Content $body -Method "Post").Value
}
if((($obj.conditions.clientApplications.includeServicePrincipals | Where { $_ -eq "ServicePrincipalsInMyTenant"}) -ne $null))
{
Add-CustomSettingObject ([PSCustomObject]@{
Name = $includeLabel
Value = Get-LanguageString "AzureCA.servicePrincipalRadioAll"
Category = $category
SubCategory = $includeLabel
EntityKey = "includeServicePrincipals"
})
}
elseif((($obj.conditions.clientApplications.includeServicePrincipals | Where { $_ -eq "None"}) -ne $null))
{
Add-CustomSettingObject ([PSCustomObject]@{
Name = $includeLabel
Value = Get-LanguageString "AzureCA.chooseApplicationsNone"
Category = $category
SubCategory = $includeLabel
EntityKey = "includeServicePrincipals"
})
}
elseif($ids.Count -gt 0 -and $obj.conditions.clientApplications.includeServicePrincipals)
{
#$category = Get-LanguageString "AzureCA.selectedSP"
$tmpObjs = @()
foreach($id in ($obj.conditions.clientApplications.includeServicePrincipals))
{
$idObj = $idInfo | Where Id -eq $id
$tmpObjs += ?? $idObj.displayName $id
}
if($tmpObjs.count -gt 0)
{
Add-CustomSettingObject ([PSCustomObject]@{
Name = $category
Value = $tmpObjs -join $script:objectSeparator
Category = $category
SubCategory = $includeLabel
EntityKey = "includeServicePrincipals"
})
}
}
if($obj.conditions.clientApplications.servicePrincipalFilter)
{
if($obj.conditions.clientApplications.servicePrincipalFilter.mode -eq "include")
{
$filterMode = "included"
}
else
{
$filterMode = "excluded"
}
#AzureCA.PolicyBlade.Conditions.DeviceAttributes.AssignmentFilter.Blade
#AzureCA.PolicyBlade.Conditions.DeviceAttributes.Blade.title
Add-CustomSettingObject ([PSCustomObject]@{
Name = Get-LanguageString "AzureCA.PolicyBlade.Conditions.DeviceAttributes.Blade.AppliesTo.$filterMode"
Value = $obj.conditions.clientApplications.servicePrincipalFilter.rule
Category = $category
SubCategory = Get-LanguageString "AzureCA.PolicyBlade.Conditions.DeviceAttributes.Blade.title"
EntityKey = "excludeServicePrincipalDevices"
})
}
if((($obj.conditions.clientApplications.excludeServicePrincipals | Where { $_ -eq "ServicePrincipalsInMyTenant"}) -ne $null))
{
Add-CustomSettingObject ([PSCustomObject]@{
Name = $includeLabel
Value = Get-LanguageString "AzureCA.servicePrincipalRadioAll"
Category = $category
SubCategory = $excludeLabel
EntityKey = "excludeServicePrincipals"
})
}
elseif($ids.Count -gt 0)
{
#$category = Get-LanguageString "AzureCA.selectedSP"
$tmpObjs = @()
foreach($id in ($obj.conditions.clientApplications.excludeServicePrincipals))
{
$idObj = $idInfo | Where Id -eq $id
$tmpObjs += ?? $idObj.displayName $id
}
if($tmpObjs.count -gt 0)
{
Add-CustomSettingObject ([PSCustomObject]@{
Name = $category
Value = $tmpObjs -join $script:objectSeparator
Category = $category
SubCategory = $excludeLabel
EntityKey = "excludeServicePrincipals"
})
}
}
}
else
{
###################################################
# User and groups
###################################################
@@ -2281,9 +2412,6 @@ function Invoke-CDDocumentConditionalAccess
$script:allAadRoles =(Invoke-GraphRequest -url "/directoryRoleTemplates?`$select=Id,displayName" -ODataMetadata "minimal").value
}
$includeLabel = Get-LanguageString "AzureCA.userSelectionBladeIncludeTabTitle"
$excludeLabel = Get-LanguageString "AzureCA.userSelectionBladeExcludeTabTitle"
$category = Get-LanguageString "AzureCA.usersGroupsLabel"
if((($obj.conditions.users.includeUsers | Where { $_ -eq "All"}) -ne $null))
@@ -2411,6 +2539,7 @@ function Invoke-CDDocumentConditionalAccess
EntityKey = "excludeUsersGroups"
})
}
}
###################################################
# Cloud apps or actions
@@ -2753,7 +2882,7 @@ function Invoke-CDDocumentConditionalAccess
}
else
{
$filterMode = "included"
$filterMode = "excluded"
}
#AzureCA.PolicyBlade.Conditions.DeviceAttributes.AssignmentFilter.Blade
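Review bot: In the new workload block, the branch that documents `excludeServicePrincipals` containing `ServicePrincipalsInMyTenant` sets `Name = $includeLabel` while its SubCategory and EntityKey are the exclude ones, so an exclusion is rendered under the include caption. Exclusions are what a reader of a Conditional Access document checks first, so this should be `Name = $excludeLabel`. Separately, the id-collection loop skips only `ServicePrincipalsInMyTenant`, so a `None` entry (which the include branch explicitly handles) is still posted to `/directoryObjects/getByIds`. Graph presumably rejects a non-GUID id, which would leave `$idInfo` empty and every name unresolved; consider `elseif($id -in "ServicePrincipalsInMyTenant","None") { continue }`. Invoke-CDDocumentConditionalAccess starts and ends outside the hunks shown.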


@@ -9,7 +9,7 @@ Module for listing Intune assignment filter usage
#>
function Get-ModuleVersion
{
'1.0.0'
'1.1.0'
}
function Invoke-InitializeModule
@@ -102,6 +102,8 @@ function Get-EMIntuneFilterUsage
{
Write-Status "Get payloads for filter $($filter.displayName)"
$payloadsManual = @()
$payloads = (Invoke-GraphRequest -Url "$($objectType.API)/$($filter.ID)/payloads").value
$batchObjs = @()
@@ -136,10 +138,48 @@ function Get-EMIntuneFilterUsage
$payloadsObj.Requests += [ordered]@{
id = "$($guid)_mobileApps"
method = "GET"
url = "//deviceAppManagement/mobileApps/$($payload.payloadId)/?`$select=displayName"
url = "/deviceAppManagement/mobileApps/$($payload.payloadId)/?`$select=displayName"
headers = @{"x-ms-command-name"="AssignmentFilterPayloadProxy_resolvePayloadNames_BatchItem"}
}
}
elseif($payload.payloadType -eq "deviceManagmentConfigurationAndCompliancePolicy")
{
$payloadsObj.Requests += [ordered]@{
id = "$($guid)_configurationPolicies"
method = "GET"
url = "/deviceManagement/configurationPolicies/$($payload.payloadId)/?`$select=name,platforms,technologies,templateReference"
headers = @{"x-ms-command-name"="AssignmentFilterPayloadProxy_resolvePayloadNames_BatchItem"}
}
}
elseif($payload.payloadType -eq "groupPolicyConfiguration")
{
$payloadsObj.Requests += [ordered]@{
id = "$($guid)_groupPolicyConfigurations"
method = "GET"
url = "/deviceManagement/groupPolicyConfigurations/$($payload.payloadId)/?`$select=displayName"
headers = @{"x-ms-command-name"="AssignmentFilterPayloadProxy_resolvePayloadNames_BatchItem"}
}
}
elseif($payload.payloadType -eq "enrollmentConfiguration")
{
if(-not $script:enrolmentConfigurations)
{
$script:enrolmentConfigurations = @()
$script:enrolmentConfigurations += (Invoke-GraphRequest -Url "/deviceManagement/deviceEnrollmentConfigurations?`$select=displayName,id,deviceEnrollmentConfigurationType").value
$script:enrolmentConfigurations += (Invoke-GraphRequest -Url "/deviceManagement/deviceEnrollmentConfigurations?`$select=displayName,id,deviceEnrollmentConfigurationType&`$filter=deviceEnrollmentConfigurationType eq 'EnrollmentNotificationsConfiguration'").value
}
$payloadsManual += $payload
<#
$payloadsObj.Requests += [ordered]@{
id = "$($guid)_enrollmentConfiguration"
method = "GET"
url = "/deviceManagement/deviceEnrollmentConfigurations/$($enrolmentConfig.Id)/?`$select=displayName"
headers = @{"x-ms-command-name"="AssignmentFilterPayloadProxy_resolvePayloadNames_BatchItem"}
}
#>
}
else
{
$payloadsObj.Requests += [ordered]@{
@@ -169,14 +209,8 @@ function Get-EMIntuneFilterUsage
{
$objName = Get-GraphObjectName $filter $objectType
$responses = Invoke-GraphBatchRequest $batchObjs.Requests $objName -SkipWarnings
<#
$batchObj = [ordered]@{
requests = @($batchObjs.Requests)
}
$responses = (Invoke-GraphRequest -Url "`$batch" -Body ($batchObj | ConvertTo-Json -Depth 50 -Compress) -Method "POST").responses
#>
foreach($response in ($responses | Where Status -eq 200))
foreach($response in ($responses | Where Status -lt 300))
{
$payload = ($batchObjs | Where { $response.id -like "$($_.ID)*"}).Payload
@@ -198,6 +232,14 @@ function Get-EMIntuneFilterUsage
{
$typeStr = "Proactive Remediations"
}
elseif($payload.payloadType -eq "groupPolicyConfiguration")
{
$typeStr = "Settings Catalog"
}
elseif($payload.payloadType -eq "deviceManagmentConfigurationAndCompliancePolicy")
{
$typeStr = "Administrative Templates"
}
else
{
$typeStr = (Get-PolicyTypeName $response.body.'@odata.type' $payload.payloadType)
@@ -209,7 +251,7 @@ function Get-EMIntuneFilterUsage
FiterObject = $filter
PayloadObject = $payload
FilterName = $filter.displayName
PolicyName = $response.body.displayName
PolicyName = ?? $response.body.Name $response.body.displayName
Type = $response.body.'@odata.type'
PayloadType = $typeStr
Mode = $filterType
@@ -217,6 +259,54 @@ function Get-EMIntuneFilterUsage
GroupName = $payload.groupId
}
}
foreach($response in ($responses | Where Status -ge 300))
{
$payload = ($batchObjs | Where { $response.id -like "$($_.ID)*"}).Payload
Write-Log "Failed to get info for payload with id $($payload.payloadId) of type $($payload.payloadType). Might be deleted or not supported." 2
}
}
foreach($payload in $payloadsManual)
{
$payloadPolicy = $script:enrolmentConfigurations | Where Id -like "$($payload.payloadId)*" | Select -First 1
if($payloadPolicy)
{
if($payloadPolicy.deviceEnrollmentConfigurationType -eq "enrollmentNotificationsConfiguration")
{
$typeStr = "Enrollment notifications"
}
elseif($payloadPolicy.deviceEnrollmentConfigurationType -eq "windows10EnrollmentCompletionPageConfiguration")
{
$typeStr = "Enrollment Status Page"
}
else
{
$typeStr = (Get-PolicyTypeName $payloadPolicy.body.'@odata.type' $payload.payloadType)
}
if($payload.assignmentFilterType -eq "Include")
{
$filterType = "Include"
}
else
{
$filterType = "Exclude"
}
$script:objFilterUsage += [PSCustomObject]@{
FiterObject = $filter
PayloadObject = $payload
FilterName = $filter.displayName
PolicyName = ?? $payloadPolicy.Name $payloadPolicy.displayName
Type = $payloadPolicy.'@odata.type'
PayloadType = $typeStr
Mode = $filterType
GroupID = $payload.groupId
GroupName = $payload.groupId
}
}
}
}
@@ -240,13 +330,13 @@ function Get-EMIntuneFilterUsage
if($groupObjs.Count -gt 0)
{
$responses = Invoke-GraphBatchRequest $groupObjs "Groups"
<#
$batchObj = [ordered]@{
requests = @($groupObjs)
}
$responses = (Invoke-GraphRequest -Url "`$batch" -Body ($batchObj | ConvertTo-Json -Depth 50 -Compress) -Method "POST").responses
#>
foreach($response in ($responses | Where Status -eq 200))
{
if($response.body.displayName -and $response.body.id -and $loadedGroups.ContainsKey($response.body.id) -eq $false)
@@ -258,13 +348,16 @@ function Get-EMIntuneFilterUsage
foreach($groupID in $loadedGroups.Keys)
{
$filterObj = $script:objFilterUsage | WHere GroupID -eq $groupID
if($filterObj -and $loadedGroups[$groupID])
$filterObjs = $script:objFilterUsage | WHere GroupID -eq $groupID
if($filterObjs -and $loadedGroups[$groupID])
{
foreach($filterObj in $filterObjs) {
$filterObj.GroupName = $loadedGroups[$groupID]
}
}
}
$script:enrolmentConfigurations = $null
}
Add-XamlEvent $script:frmIntuneFilterUsage "txtIntuneFilterUsageFilter" "Add_LostFocus" ({
Invoke-IntueFilterUsageBoxChanged $this
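Review bot: The two new `$typeStr` branches in the response loop look swapped. `groupPolicyConfiguration` (resolved through `/deviceManagement/groupPolicyConfigurations`) is labelled `"Settings Catalog"`, and `deviceManagmentConfigurationAndCompliancePolicy` (resolved through `/deviceManagement/configurationPolicies`) is labelled `"Administrative Templates"`, which is the reverse of how Intune names those two policy kinds. Exchanging the two strings would make the PayloadType column match the policy the filter is attached to. In the new `$payloadsManual` loop, the fallback calls `Get-PolicyTypeName $payloadPolicy.body.'@odata.type'`, but `$payloadPolicy` comes from `$script:enrolmentConfigurations` rather than a batch response, and the same loop reads `$payloadPolicy.'@odata.type'` a few lines later. The `.body` looks like a copy-paste leftover that would pass `$null`. Get-EMIntuneFilterUsage begins and ends outside the hunks shown.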


@@ -1,4 +1,18 @@
# Release Notes
## 3.9.4 - 2023-12-18
**Fixes**
- **Get Assignment Filter usage**<br />
- All policies that supports filter should now be collected<br />
Please create an issue if not all expected filters are listed<br />
Based on [Issue 141](https://github.com/Micke-K/IntuneManagement/issues/141)<br />
**NOTE:** Start the tool from: Views -> Intune Tools -> Intune Filter Usage<br />
- **Documentation**<br />
- Added support for documenting Conditional Access policies based on Workloads<br />
Not 100% tested. Please report if not documented correctly<br />
<br />
## 3.9.3 - 2023-12-11
**New features**