Public/TenantConfiguration/Baseline/Add-AppProtectionPolicies.ps1

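function Add-AppProtectionPolicies {
    <#
    .SYNOPSIS
        Creates the baseline Intune app protection policies in a customer tenant.

    .DESCRIPTION
        Connects to the tenant through Connect-CustomerGraph, reads every *.json
        template in "$PSScriptRoot\AppProtectionPolicies" and POSTs each template whose
        displayName is not already present among the tenant's managed app policies.
        Before posting, assignment targets are rewritten from group display names to
        object ids: the placeholder "AllUsers" maps to the group named 'Alle brugere' or
        'All Users'; any other value is looked up by display name, and the group is
        created as a security group if it does not exist.

    .PARAMETER TenantId
        Customer tenant id passed to Connect-CustomerGraph.

    .NOTES
        Only iOS and Android managed app protection templates are handled; any other
        "@odata.type" aborts the run. Every failure is rethrown as
        "Failed to create app protection policies: <error>".
    #>
    param(
        [Parameter(Mandatory)]
        [string]$TenantId
    )

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId

        $AppProtectionPolicies = Get-MgDeviceAppManagementManagedAppPolicy -All

        # The filter can match zero, one or two groups. @() keeps the result countable so
        # the "AllUsers" placeholder is only resolved when the match is unambiguous.
        $AllUsersGroups = @(Get-MgGroup -Filter "displayName eq 'Alle brugere' or displayName eq 'All Users'")

        $AppProtectionPolicyFiles = Get-ChildItem -Path "$PSScriptRoot\AppProtectionPolicies" -Filter *.json
        foreach ($AppProtectionPolicyFile in $AppProtectionPolicyFiles) {
            $AppProtectionPolicy = Get-Content -Path $AppProtectionPolicyFile.FullName -Raw | ConvertFrom-Json

            # The existence check compares display names only. A policy that already exists
            # under the same name is left untouched even if its settings differ from the
            # template, so this function does not correct drift.
            if ($AppProtectionPolicies.displayName -contains $AppProtectionPolicy.displayName) {
                Write-Host "App protection policy '$($AppProtectionPolicy.displayName)' already exists, not creating.." -ForegroundColor Yellow
                continue
            }

            if ($AppProtectionPolicy.assignments) {
                foreach ($Assignment in $AppProtectionPolicy.assignments) {
                    if (-not $Assignment.target) {
                        continue
                    }

                    $TargetName = $Assignment.target.groupId
                    if ([string]::IsNullOrWhiteSpace($TargetName)) {
                        # Target carries no group reference; there is nothing to resolve
                        # and no group should be looked up or created for it.
                        continue
                    }

                    if ($TargetName -eq "AllUsers") {
                        # Fail closed: posting a null or multi-valued groupId would leave
                        # the baseline policy unassigned or assigned to the wrong group.
                        if ($AllUsersGroups.Count -ne 1) {
                            throw "Expected exactly one group named 'Alle brugere' or 'All Users' for policy '$($AppProtectionPolicy.displayName)', found $($AllUsersGroups.Count)."
                        }
                        $Assignment.target.groupId = $AllUsersGroups[0].Id
                        continue
                    }

                    # Single quotes are doubled so a display name containing one cannot end
                    # the OData string literal early and change the meaning of the filter.
                    $EscapedName = ([string]$TargetName).Replace("'", "''")
                    $Group = Get-MgGroup -Filter "displayName eq '$EscapedName'" | Select-Object -First 1
                    if (-not $Group) {
                        Write-Host "Group '$TargetName' not found, creating.." -ForegroundColor Yellow

                        # mailNickname does not accept spaces, non-ASCII characters or
                        # @ ( ) \ [ ] " ; : < > , so those are stripped from the display
                        # name. Names without such characters yield the same nickname as before.
                        $MailNickname = ([string]$TargetName) -replace '[^\x21-\x7E]|[@()\\\[\]";:<>,]', ''
                        if (-not $MailNickname) {
                            throw "Cannot derive a mail nickname from group name '$TargetName'."
                        }

                        # NOTE(review): a group created here has no members, so the policy
                        # assigned to it applies to nobody until the group is populated.
                        # A misspelled group name in a template also ends up on this path.
                        $Group = New-MgGroup -DisplayName $TargetName -MailEnabled:$false -MailNickname $MailNickname -SecurityEnabled:$true
                    }
                    $Assignment.target.groupId = $Group.Id
                }
            }

            $PolicyType = $AppProtectionPolicy."@odata.type"
            switch ($PolicyType) {
                "#microsoft.graph.iosManagedAppProtection" {
                    $AppProtectionPolicy = [Microsoft.Graph.PowerShell.Models.IMicrosoftGraphiOSManagedAppProtection](Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceAppmanagement/iosManagedAppProtections" -Body ($AppProtectionPolicy | Convert-PSObjectToHashtable))
                }
                "#microsoft.graph.androidManagedAppProtection" {
                    $AppProtectionPolicy = [Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAndroidManagedAppProtection](Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceAppmanagement/androidManagedAppProtections" -Body ($AppProtectionPolicy | Convert-PSObjectToHashtable))
                }
                Default {
                    throw "Unknown app protection policy type: $PolicyType, not creating"
                }
            }
            Write-Host "Created app protection policy '$($AppProtectionPolicy.displayName)'." -ForegroundColor Green
        }
    }
    catch {
        # Re-thrown as a string, so callers see a single message with the original error appended.
        throw "Failed to create app protection policies: $_"
    }
}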