Public/TenantConfiguration/Baseline/Add-ConfigurationPolicies.ps1
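function Add-ConfigurationPolicies {
    <#
    .SYNOPSIS
        Imports the baseline Intune settings-catalog (configuration) policies into a customer tenant.

    .DESCRIPTION
        Connects to the customer tenant, reads every *.json file in the ConfigurationPolicies folder
        next to this script and creates each policy that does not already exist (matched on name)
        under /beta/deviceManagement/configurationPolicies. Every policy that is created is then
        assigned to all devices.

        Three policies need tenant-specific preparation before they are posted:
          - JyskIT-Baseline-SEC-LocalUserGroupMembership: the group name stored in the JSON is
            resolved (or created) in Entra ID and replaced by that group's SID.
          - JyskIT-Baseline-CONF-OneDrive: the tenant id placeholder is replaced with $TenantId.
          - JyskIT-Baseline-SEC-EDR: the operator must onboard the tenant into Defender for
            Endpoint first; the function pauses for that and then adds the MTD connectors.

    .PARAMETER TenantId
        Entra ID tenant id of the customer tenant to configure.

    .OUTPUTS
        None. Progress is reported with Write-Host.

    .NOTES
        Any failure is rethrown as "Failed to create configuration policies: ...".
        The JSON index paths used for the two value replacements are tied to the exact layout of
        the baseline files; editing those files means re-checking the paths below.
    #>
    param(
        [Parameter(Mandatory)]
        [string]$TenantId
    )

    # Resolves the Entra ID group named in the LocalUserGroupMembership policy to its SID,
    # creating the group when it does not exist yet. The lookup must match exactly one group:
    # the SID ends up in a policy that changes local group membership on every device, so an
    # ambiguous name must not be silently resolved to whichever match comes first.
    function Resolve-BaselineGroupSid {
        param([string]$GroupName)

        # OData string literals escape an embedded single quote by doubling it.
        $EscapedName = $GroupName -replace "'", "''"
        # -ErrorAction Stop: a failed lookup must not fall through to "group missing, create it".
        $Groups = @(Get-MgGroup -Filter "displayName eq '$EscapedName'" -ErrorAction Stop)

        if ($Groups.Count -gt 1) {
            throw "Found $($Groups.Count) groups named '$GroupName'; cannot decide which one to reference."
        }
        if ($Groups.Count -eq 0) {
            Write-Host "Group '$GroupName' does not exist, creating.." -ForegroundColor Yellow
            $Groups = @(New-MgGroup -DisplayName $GroupName -MailEnabled:$false -MailNickname $GroupName -SecurityEnabled:$true -ErrorAction Stop)
            Write-Host "Created group '$GroupName'." -ForegroundColor Green
        }

        return Convert-EntraIDObjectIDToSid -ObjectId $Groups[0].Id
    }

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId

        # Existing policies are matched on name only, so renaming a baseline file's "name" field
        # creates a second policy rather than updating the first.
        $ListUri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=%28platforms%20eq%20%27windows10%27%20or%20platforms%20eq%20%27macOS%27%20or%20platforms%20eq%20%27iOS%27%29%20and%20%28technologies%20has%20%27mdm%27%20or%20technologies%20has%20%27windows10XManagement%27%20or%20technologies%20has%20%27appleRemoteManagement%27%29'
        $ExistingPolicyNames = @((Invoke-MgGraphRequest -Method GET -Uri $ListUri).value.name)

        $ConfigurationPoliciesFiles = Get-ChildItem -Path "$PSScriptRoot\ConfigurationPolicies" -Filter *.json

        foreach ($ConfigurationPolicyFile in $ConfigurationPoliciesFiles) {
            # -AsHashtable so the nested settings can be edited in place before posting.
            $ConfigurationPolicy = Get-Content -Path $ConfigurationPolicyFile.FullName | ConvertFrom-Json -AsHashtable -Depth 100
            $PolicyName = $ConfigurationPolicy.name

            if ($ExistingPolicyNames -contains $PolicyName) {
                Write-Host "Configuration policy '$PolicyName' already exists, not creating.." -ForegroundColor Yellow
                continue
            }

            Write-Host "Creating configuration policy '$PolicyName'.."

            switch ($PolicyName) {
                # Manually replace group in JyskIT-Baseline-SEC-LocalUserGroupMembership
                # TODO: Find a way to dynamically create groups for use inside configuration policies, and not just assigned ones..
                "JyskIT-Baseline-SEC-LocalUserGroupMembership" {
                    # Leaf hashtable holding the group reference; edited in place via the reference.
                    $GroupSetting = $ConfigurationPolicy.settings.settingInstance.groupSettingCollectionValue[0].children[0].groupSettingCollectionValue.children[0].choiceSettingValue.children[0].simpleSettingCollectionValue[0]
                    $GroupName = $GroupSetting.value
                    $SID = Resolve-BaselineGroupSid -GroupName $GroupName
                    $GroupSetting.value = $SID
                    Write-Host "Replaced group SID in configuration policy '$PolicyName' with SID $($SID)." -ForegroundColor Green
                }
                "JyskIT-Baseline-CONF-OneDrive" {
                    # Fixed positions: the 5th setting, 5th child of its choice value, is the tenant id.
                    $ConfigurationPolicy.settings[4].settingInstance.choiceSettingValue.children[4].simpleSettingValue.value = $TenantId
                    Write-Host "Replaced tenant id in configuration policy '$PolicyName' with tenant id $($TenantId)." -ForegroundColor Green
                }
                "JyskIT-Baseline-SEC-EDR" {
                    # The EDR policy depends on the Defender/Intune connection, which only the
                    # operator can establish; block until they confirm it is done.
                    Write-Host "You need to onboard the tenant into Microsoft Defender for Endpoint before $PolicyName can be imported." -ForegroundColor Cyan
                    Write-Host "Visit https://security.microsoft.com/smb-onboarding and wait for the onboarding to complete. This can take several minutes." -ForegroundColor Cyan
                    Write-Host "When the wizard appears, skip everything until it is done. Then visit https://security.microsoft.com/securitysettings/endpoints/integration and enable 'Microsoft Intune connection'." -ForegroundColor Cyan
                    Read-Host "When you have completed these steps, you can press ENTER to continue."
                    Add-MobileThreatDefenseConnectors -TenantId $TenantId
                }
            }

            # The response carries the server-assigned id needed for the assignment call.
            $ConfigurationPolicy = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -Body $ConfigurationPolicy
            Write-Host "Created configuration policy '$($ConfigurationPolicy.name)'." -ForegroundColor Green

            $AssignmentBody = @{
                "assignments" = @(
                    @{
                        "target" = @{
                            "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget"
                        }
                    }
                )
            }
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($ConfigurationPolicy.id)/assign" -Body $AssignmentBody
            Write-Host "Assigned configuration policy '$($ConfigurationPolicy.name)' to all devices." -ForegroundColor Green
        }
    }
    catch {
        throw "Failed to create configuration policies: $_"
    }
}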