Updated documentation and AADNamedLocationPolicy
ykuijs committed Jan 14, 2025
1 parent e84a8cf commit 7fb1aec
Showing 2 changed files with 19 additions and 27 deletions.
Expand Up @@ -104,11 +104,12 @@ function Get-TargetResource
{
Write-Verbose -Message "Could not retrieve AAD Named Location by ID {$Id}"
}

if ($null -eq $NamedLocation)
{
try
{
$NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }
$NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -ErrorAction Stop | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }
if ($NamedLocation.Length -gt 1)
{
throw "More than one instance of a Named Location Policy with name {$DisplayName} was found. Please provide the ID parameter."
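Review bot: the switch from `-ErrorAction SilentlyContinue` to `-ErrorAction Stop` on the DisplayName lookup is the right fix: with the error suppressed, a failed Graph call (throttling, a missing permission) left `$NamedLocation` empty and was indistinguishable from a genuinely absent named location, so a transient failure could surface as `Ensure = 'Absent'`; now it reaches the surrounding catch. One thing to confirm on the same line: the lookup lists every named location and filters client-side with `Where-Object`, so check that the call returns the complete set (`-All` if the cmdlet pages results); otherwise a tenant with more named locations than one page holds can miss the match and also fall through as not found.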
Expand All @@ -125,8 +126,10 @@ function Get-TargetResource
return $nullReturn
}
}

if ($null -eq $NamedLocation)
{
Write-Verbose "No existing AAD Named Location found with DisplayName {$DisplayName}"
return $nullReturn
}
else
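Review bot: the two added lines fill what was an empty `if ($null -eq $NamedLocation)` body, so a lookup that returns nothing now exits with `$nullReturn` and a verbose message instead of falling into whatever follows the `else`; good, and the message makes the not-found path distinguishable from the catch path, which also returns `$nullReturn`. Minor style point: because the `if` branch now returns unconditionally, the trailing `else` is redundant and the success path could be dedented.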
Expand Down Expand Up @@ -254,26 +257,6 @@ function Set-TargetResource
Add-M365DSCTelemetryEvent -Data $data
#endregion

try
{
if ($Id)
{
$NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -NamedLocationId $Id -ErrorAction Stop
}
}
catch
{
Write-Verbose -Message "Could not retrieve AAD Named Location by ID {$Id}"
}
if ($null -eq $NamedLocation)
{
$NamedLocation = Get-MgBetaIdentityConditionalAccessNamedLocation -ErrorAction SilentlyContinue | Where-Object -FilterScript { $_.DisplayName -eq $DisplayName }
if ($NamedLocation.Length -gt 1)
{
throw "More than one instance of a Named Location Policy with name {$DisplayName} was found. Please provide the ID parameter."
}
}

$currentAADNamedLocation = Get-TargetResource @PSBoundParameters

$desiredValues = @{
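Review bot: removing this pre-lookup is reasonable since `Get-TargetResource @PSBoundParameters` on the next line performs the same Id-then-DisplayName resolution, but it also removes the only uncaught `throw` for duplicate DisplayNames in `Set-TargetResource`. In `Get-TargetResource` the corresponding throw sits inside the `try` whose hidden `catch` ends in `return $nullReturn`; if that catch swallows the duplicate error, `Set-TargetResource` will see `Ensure = 'Absent'` and the `Present`/`Absent` branch below will POST a third named location with the same name rather than stop. Please verify that the duplicate case still aborts (for example by rethrowing it from `Get-TargetResource`'s catch), and confirm nothing later in `Set-TargetResource` still references the now-unset `$NamedLocation`; the visible update path correctly uses `$currentAADNamedLocation.Id`.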
Expand Down Expand Up @@ -312,24 +295,25 @@ function Set-TargetResource
if ($Ensure -eq 'Present' -and $currentAADNamedLocation.Ensure -eq 'Absent')
{
$VerboseAttributes = ($desiredValues | Out-String)
Write-Verbose -Message "Creating New AAD Named Location {$Displayname)} with attributes: $VerboseAttributes"
Write-Verbose -Message "Creating New AAD Named Location {$Displayname} with attributes: $VerboseAttributes"

$JSONValue = ConvertTo-Json $desiredValues | Out-String
Write-Verbose -Message "JSON: $JSONValue"

$APIUrl = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + 'v1.0/identity/conditionalAccess/namedLocations'
Invoke-MgGraphRequest -Method POST `
-Uri $APIUrl `
-Body $JSONValue | Out-Null
}
# Named Location should exist and will be configured to desired state
elseif ($Ensure -eq 'Present' -and $CurrentAADNamedLocation.Ensure -eq 'Present')
elseif ($Ensure -eq 'Present' -and $currentAADNamedLocation.Ensure -eq 'Present')
{
$VerboseAttributes = ($desiredValues | Out-String)
Write-Verbose -Message "Updating existing AAD Named Location {$Displayname)} with attributes: $VerboseAttributes"
Write-Verbose -Message "Updating existing AAD Named Location {$Displayname} with attributes: $VerboseAttributes"

$VerboseAttributes = ($desiredValues | Out-String)
Write-Verbose -Message "Updating AAD Named Location {$Displayname)} with attributes: $VerboseAttributes"
$JSONValue = ConvertTo-Json $desiredValues | Out-String
Write-Verbose -Message "JSON: $JSONValue"

$APIUrl = (Get-MSCloudLoginConnectionProfile -Workload MicrosoftGraph).ResourceUrl + "v1.0/identity/conditionalAccess/namedLocations/$($currentAADNamedLocation.Id)"
Invoke-MgGraphRequest -Method PATCH `
-Uri $APIUrl `
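Review bot: the `{$Displayname)}` to `{$Displayname}` corrections fix a stray parenthesis that appeared in the verbose output, and dropping the duplicated `$VerboseAttributes`/`Write-Verbose` pair in the update branch removes a repeated log line; both are correct. The `$CurrentAADNamedLocation` to `$currentAADNamedLocation` rename is cosmetic (PowerShell variable names are case-insensitive) but worth keeping for consistency with the assignment above. Unrelated to this change but visible in the hunk: the resource is read through the beta cmdlet (`Get-MgBetaIdentityConditionalAccessNamedLocation`) while create and update go to the `v1.0` endpoint; if the two versions ever differ in the properties they expose or accept, the Get and Set sides can disagree about the current state, so consider using one API version on both sides.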
Expand Up @@ -163,6 +163,8 @@ Use the "<a href="https://pnp.github.io/powershell/cmdlets/Register-PnPManagemen

<a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app" target="_blank">Create a new app registration</a> in Azure AD yourself and grant the correct permissions to this app. The documentation on this website for each of the SharePoint Online resources list the permissions needed for the resource.

> Note: Make sure your app has the "Allow Public Client Flows" setting set to "Yes". This is required for SharePoint. More information can be found <a href="https://pnp.github.io/powershell/articles/authentication.html#silent-authentication-with-credentials-for-running-in-pipelines" target="_blank">here</a>
As an alternative, you can use the "<a href="https://pnp.github.io/powershell/cmdlets/Register-PnPAzureADApp.html" target="_blank">Register-PnPAzureADApp</a>" cmdlet to have PnP PowerShell create the app registration for you and grant the correct permissions.

### Using Application Secret
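Review bot: the added note is not followed by a blank line before "As an alternative, ...", so in Markdown that paragraph is treated as a lazy continuation of the `>` blockquote and renders inside the note; add an empty line after the note. It would also help readers to say why the setting is needed: "Allow public client flows" enables the username/password (public client) flow the linked PnP article relies on, so the app registration should carry only the permissions the SharePoint resources require. A period at the end of the note would match the surrounding text.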
Expand Down Expand Up @@ -205,7 +207,9 @@ Get-M365DSCCompiledPermissionList -ResourceNameList @('EXOAcceptedDomain')

Then make sure your service account is a member of the specified Role Group or has been granted the required roles.

**NOTE:** There are resources, like the <a href="../../../resources/exchange/EXOAddressList/" target="_blank">EXOAddressList</a> which roles by default are not granted to any of the default role groups. Make sure you grant these permissions correctly before using them.
> **NOTE:** There are resources, like the <a href="../../../resources/exchange/EXOAddressList/" target="_blank">EXOAddressList</a> which roles by default are not granted to any of the default role groups. Make sure you grant these permissions correctly before using them.
When using service principals to authenticate against Exchange, make sure your service principal is created using <a href="https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps#select-and-assign-the-api-permissions-from-the-portal" target="_blank">these instructions</a>.

## Security and Compliance Center Permissions

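Review bot: same blockquote issue here: the new "When using service principals ..." line follows the `> **NOTE:**` line without a blank line, so it renders as part of the note rather than as its own paragraph; insert an empty line between them. While touching this text, "which roles by default are not granted" reads better as "whose roles are by default not granted".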
Expand Down Expand Up @@ -353,6 +357,10 @@ From the Export-M365DSCConfiguration GUI the following fields should be used:

![Export using Certificate Path](/Images/CertPath.png){ align=center width=500 }

## Teams Permissions

When using Service Principals to authenticate against Teams, you have to make sure the correct permissions are configured. Besides the permissions specified in the resource documentation, the service principal also needs to get added to the Teams Administrator role in Entra ID. For more information on App-Only authentication with Teams, check <a href="https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication" target="_blank">here</a>.

## Using Authentication in DSC configurations

See the next chapter to see how to use the Authentication options in DSC configurations
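Review bot: the new section should spell out that adding the service principal to the Teams Administrator role grants it tenant-wide Teams administration rights in Entra ID, well beyond the per-resource permissions listed in the resource documentation, so the credential or certificate behind it needs the same protection as an admin account; a short sentence to that effect, plus a pointer to the certificate-based authentication options covered earlier on this page, would help readers apply least privilege. Nit: link text "here" is less useful than a descriptive label such as "the Teams application authentication documentation".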