AADAdministrativeUnit - fixes #4437

[salbeck-sit]

Pull Request (PR) description

Update AADAdministrativeUnit to handle omitted Ensure and/or Id in config

This Pull Request (PR) fixes the following issues

Fixes #4437

[salbeck-sit]

The following lines (original 105..115) have been removed:

    #region resource generator code
    if (-Not [string]::IsNullOrEmpty($Id))
    {
        $getValue = Get-MgBetaDirectoryAdministrativeUnit -AdministrativeUnitId $Id -ErrorAction Stop
    }

    if (-not $getValue -and -Not [string]::IsNullOrEmpty($DisplayName))
    {
        $getValue = Get-MgBetaDirectoryAdministrativeUnit -Filter "DisplayName eq '$DisplayName'" -ErrorAction Stop
    }
    #endregion

The issue is that "Get-MgBetaDirectoryAdministrativeUnit -AdministrativeId $Id -ErrorAction Stop" will throw an exception if the AU doesn't exist. This exception translates into the AU is reported as not being found which in turn results in a new AU being created regardless of existence of an AU with the same DisplayName.
The update tries to get the AU using ID but doesn't throw, then goes on to get the AU using DisplayName if it doesn't exist.
This in turn ensures (sic) that an AU will only be created if an AU with the same DisplayName doesn't exist.
The basic issue is using an export from a different tenant where the ID may be different.

[ricmestre]

@salbeck-sit You need to call the cmdlets with ErrorAction = SilentlyContinue so it doesn't bounce into the catch section, please check the example below from L1044..L1067.

Microsoft365DSC/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10/MSFT_IntuneDeviceConfigurationEndpointProtectionPolicyWindows10.psm1

Line 1044 in 8dda400

$getValue = $null

[salbeck-sit]

That is exactly what is left after the 'offending' lines were removed. It seems that this was added in an effort to optimize performance but the older code-block wasn't removed. It is now. The current code now contains the following:

    $getValue = $null
    #region resource generator code
    if (-not [string]::IsNullOrEmpty($Id))
    {
        if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
        {
            $getValue = $Script:exportedInstances | Where-Object -FilterScript {$_.Id -eq $Id}
        }
        else
        {
            $getValue = Get-MgBetaDirectoryAdministrativeUnit -AdministrativeUnitId $Id -ErrorAction SilentlyContinue
        }
    }

    if ($null -eq $getValue -and -not [string]::IsNullOrEmpty($DisplayName))
    {
        Write-Verbose -Message "Could not find an Azure AD Administrative Unit with Id {$Id}"
        if (-Not [string]::IsNullOrEmpty($DisplayName))
        {
            if ($null -ne $Script:exportedInstances -and $Script:ExportMode)
            {
                $getValue = $Script:exportedInstances | Where-Object -FilterScript {$_.DisplayName -eq $DisplayName}
            }
            else
            {
                $getValue = Get-MgBetaDirectoryAdministrativeUnit -Filter "DisplayName eq '$DisplayName'" -ErrorAction Stop
            }
        }
    }
    #endregion

Note that -EA Stop doesn't throw when -Filter is used and a resource isn't found.