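<#
.SYNOPSIS
    Declares $script:PolicyTypeSettings, the table of tenant policy types that the baseline
    deployment can read, create and assign through Microsoft Graph.

.DESCRIPTION
    Each entry is a hashtable with these keys:
      Type            - internal identifier of the policy type.
      Name            - display name shown to the operator.
      Description     - one-line explanation of what deploying the type does.
      NameProperty    - property of a tenant object that serves as its name.
      CheckExists     - presumably tells the consumer to look for an existing object with the same
                        NameProperty before adding; the consuming code is not in this file.
      Selectable      - presumably whether the operator may (de)select the type; see above.
      GetCommand      - script block (no parameters) returning the tenant's current objects of the type.
      AddCommand      - script block, param($Body), creating or updating one object from a baseline file.
      AssignCommand   - optional script block, param($OriginalPolicy, $NewPolicy), applying the members /
                        assignments of the baseline object to the object that AddCommand produced.
      PolicyFilesPath - folder below $script:ModuleRoot holding the baseline files of the type.

.NOTES
    Prerequisites: $script:ModuleRoot must be set before this file is dot-sourced, and every script block
    needs an authenticated Microsoft Graph session with sufficient scopes.
    Several AddCommands change tenant-wide security posture (disabling Security Defaults, updating the
    authorization and authentication-method policies, granting OAuth2 consent for all principals);
    the inline comments call these out.
    Review changes against the original: Invoke-GraphRequest (alias) normalised to Invoke-MgGraphRequest;
    the ConfigurationPolicies AssignCommand now reads the @odata.type from its own $OriginalPolicy
    parameter instead of an undeclared $Body; two missing spaces before -Body in the Autopilot
    assignment calls restored.
#>
New-Variable -Name PolicyTypeSettings -Value @(
    @{
        Type            = "Groups"
        Name            = "Groups"
        Description     = "Add Groups to the tenant required for exclusion policies."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $false
        GetCommand      = { Get-MgGroup -All }
        AddCommand      = {
            param($Body)
            # 'members' is stripped from the create body; members are added one by one in AssignCommand.
            $BodyWithoutMembers = $Body | Select-Object -Property * -ExcludeProperty members | ConvertTo-Json -Depth 100
            New-MgGroup -Body $BodyWithoutMembers
        }
        AssignCommand   = {
            param($OriginalPolicy, $NewPolicy)
            # NOTE(review): -ErrorAction SilentlyContinue hides failed member adds. These groups back
            # exclusion policies, so a silently incomplete group can leave accounts (e.g. break-glass)
            # unexcluded from the policies created later. Consider logging failures; not changed here.
            foreach ($Member in $OriginalPolicy.members) {
                New-MgGroupMember -GroupId $NewPolicy.id -DirectoryObjectId $Member -ErrorAction SilentlyContinue
            }
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\Groups"
    },
    @{
        Type            = "NamedLocations"
        Name            = "Named Locations"
        Description     = "Add named locations to the tenant for Conditional Access policies."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        GetCommand      = { Get-MgIdentityConditionalAccessNamedLocation -All }
        AddCommand      = {
            param($Body)
            New-MgIdentityConditionalAccessNamedLocation -Body $Body
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\NamedLocations"
    },
    @{
        Type            = "AuthenticationStrengths"
        Name            = "Authentication Strengths"
        Description     = "Add authentication strengths to the tenant for Conditional Access policies."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        GetCommand      = { Get-MgPolicyAuthenticationStrengthPolicy -All }
        AddCommand      = {
            param($Body)
            New-MgPolicyAuthenticationStrengthPolicy -Body $Body
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\AuthenticationStrengths"
    },
    @{
        Type            = "ConditionalAccessPolicies"
        Name            = "Conditional Access Policies"
        Description     = "Add conditional access policies to the tenant."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        GetCommand      = { Get-MgIdentityConditionalAccessPolicy -All }
        AddCommand      = {
            param($Body)
            # Security Defaults is switched off before the first Conditional Access policy is created
            # (the two cannot coexist). Both calls use -ErrorAction Stop so a failure aborts the add.
            $SecurityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy -ErrorAction Stop
            if ($SecurityDefaults.IsEnabled) {
                # NOTE(review): if the New-MgIdentityConditionalAccessPolicy call below then fails, the tenant
                # is left with Security Defaults disabled and no CA policy in place. The caller should treat a
                # failure at this point as a security regression to remediate, not merely a skipped policy.
                Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false -ErrorAction Stop | Out-Null
                Write-Host "Security Defaults has been successfully disabled!" -ForegroundColor Green
            }
            # 'description' is stripped from the create body.
            $BodyWithoutDescription = $Body | Select-Object -Property * -ExcludeProperty description | ConvertTo-Json -Depth 100
            New-MgIdentityConditionalAccessPolicy -Body $BodyWithoutDescription
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\ConditionalAccessPolicies"
    },
    @{
        Type            = "iOSAppProtectionPolicies"
        Name            = "iOS App Protection Policies"
        Description     = "Add iOS app protection policies to the tenant."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        GetCommand      = { Get-MgDeviceAppManagementiOSManagedAppProtection -All }
        AddCommand      = {
            param($Body)
            Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceAppmanagement/iosManagedAppProtections' -Body $Body
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\iOSAppProtectionPolicies"
    },
    @{
        Type            = "AndroidAppProtectionPolicies"
        Name            = "Android App Protection Policies"
        Description     = "Add Android app protection policies to the tenant."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        GetCommand      = { Get-MgDeviceAppManagementAndroidManagedAppProtection -All }
        AddCommand      = {
            param($Body)
            Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceAppmanagement/androidManagedAppProtections' -Body $Body
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\AndroidAppProtectionPolicies"
    },
    @{
        Type            = "CompliancePolicies"
        Name            = "Compliance Policies"
        Description     = "Add device compliance policies to the tenant."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        # Raw Graph calls return an envelope; the item collection is in its 'value' property.
        GetCommand      = {
            Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' | Select-Object -ExpandProperty value
        }
        AddCommand      = {
            param($Body)
            Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' -Body $Body
        }
        AssignCommand   = {
            param($OriginalPolicy, $NewPolicy)
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($NewPolicy.id)/assign" -Body @{ assignments = $OriginalPolicy.assignments }
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\CompliancePolicies"
    },
    @{
        Type            = "ConfigurationPolicies"
        Name            = "Configuration Policies"
        Description     = "Add device configuration policies to the tenant."
        NameProperty    = "name"
        CheckExists     = $true
        Selectable      = $true
        # Filter restricts the listing to windows10/macOS/iOS platforms managed through mdm,
        # windows10XManagement or appleRemoteManagement (URL-encoded OData in the query string).
        GetCommand      = {
            Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=%28platforms%20eq%20%27windows10%27%20or%20platforms%20eq%20%27macOS%27%20or%20platforms%20eq%20%27iOS%27%29%20and%20%28technologies%20has%20%27mdm%27%20or%20technologies%20has%20%27windows10XManagement%27%20or%20technologies%20has%20%27appleRemoteManagement%27%29' | Select-Object -ExpandProperty value
        }
        AddCommand      = {
            param($Body)
            # The target endpoint depends on the baseline file: template-based policies are instantiated
            # from their template, two legacy profile types go to /deviceConfigurations, everything else
            # to /configurationPolicies.
            if ($Body.templateId) {
                Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/templates/$($Body.templateId)/createInstance" -Body $Body
            }
            elseif ($Body."@odata.type" -eq "#microsoft.graph.windows10CustomConfiguration" -or $Body."@odata.type" -eq "#microsoft.graph.windowsIdentityProtectionConfiguration") {
                Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' -Body $Body
            }
            else {
                Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -Body $Body
            }
        }
        AssignCommand   = {
            param($OriginalPolicy, $NewPolicy)
            # Mirrors the endpoint selection in AddCommand. The type check reads $OriginalPolicy: the
            # original code tested an undeclared $Body here, which only resolved if the caller's scope
            # happened to expose one, otherwise the /deviceConfigurations branch was unreachable.
            if ($OriginalPolicy.templateId) {
                Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/intents/$($NewPolicy.id)/assign" -Body @{ assignments = $OriginalPolicy.assignments } | Out-Null
            }
            elseif ($OriginalPolicy."@odata.type" -eq "#microsoft.graph.windows10CustomConfiguration" -or $OriginalPolicy."@odata.type" -eq "#microsoft.graph.windowsIdentityProtectionConfiguration") {
                Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($NewPolicy.id)/assign" -Body @{ assignments = $OriginalPolicy.assignments }
            }
            else {
                Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($NewPolicy.id)/assign" -Body @{ assignments = $OriginalPolicy.assignments }
            }
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\ConfigurationPolicies"
    },
    @{
        # Single-instance tenant policy: GetCommand returns the one object and AddCommand updates it in place.
        Type            = "AuthenticationMethodPolicy"
        Name            = "Authentication Method Policy"
        Description     = "Add authentication method policies to the tenant."
        NameProperty    = "displayName"
        CheckExists     = $false
        Selectable      = $false
        GetCommand      = { Get-MgPolicyAuthenticationMethodPolicy }
        AddCommand      = {
            param($Body)
            Update-MgPolicyAuthenticationMethodPolicy -Body $Body
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\AuthenticationMethodsPolicy"
    },
    @{
        # Single-instance tenant policy, updated in place.
        Type            = "AuthorizationPolicy"
        Name            = "Authorization Policy"
        Description     = "Add Authorization Policy to the tenant. (Disallows users to accept untrusted OAUTH2 apps)"
        NameProperty    = "displayName"
        CheckExists     = $false
        Selectable      = $false
        GetCommand      = { Get-MgPolicyAuthorizationPolicy }
        AddCommand      = {
            param($Body)
            Update-MgPolicyAuthorizationPolicy -Body $Body
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\AuthorizationPolicy"
    },
    @{
        # Single-instance tenant policy, replaced with PUT.
        Type            = "DeviceRegistrationPolicy"
        Name            = "Device Registration Policy"
        Description     = "Add Device Registration Policy to the tenant. (Allows all users to Intune join devices)"
        NameProperty    = "displayName"
        CheckExists     = $false
        Selectable      = $false
        GetCommand      = { Get-MgPolicyDeviceRegistrationPolicy }
        AddCommand      = {
            param($Body)
            Invoke-MgGraphRequest -Method PUT -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Body $Body
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\DeviceRegistrationPolicy"
    },
    @{
        # Single-instance tenant policy addressed by its fixed id.
        Type            = "MobileDeviceManagementPolicy"
        Name            = "Mobile Device Management Policy"
        Description     = "Add Mobile Device Management Policy to the tenant. (Sets the MDM authority to Intune)"
        NameProperty    = "displayName"
        CheckExists     = $false
        Selectable      = $false
        GetCommand      = {
            Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000"
        }
        AddCommand      = {
            param($Body)
            # NOTE(review): this block does not use its $Body parameter; it PATCHes $OriginalPolicy.assignments,
            # and $OriginalPolicy is not declared here, so it can only resolve from the caller's scope.
            # If the intent is to apply the baseline file, build the body from $Body. Left unchanged because
            # altering the request payload needs confirmation against the caller, which is not in this file.
            Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000" -Body @{ assignments = $OriginalPolicy.assignments }
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\MobileDeviceManagementPolicy"
    },
    @{
        Type            = "DeviceEnrollmentConfigurations"
        Name            = "Device Enrollment Configurations"
        Description     = "Add Device Enrollment Configurations to the tenant. (Enrollment Status Page, Windows Hello for Business enrollment)"
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        # NOTE(review): unlike the other raw-Graph GetCommands this returns the whole response envelope
        # rather than its 'value' collection, so a NameProperty-based existence check in the consumer may
        # never match an existing item. Verify against the consumer before changing.
        GetCommand      = {
            Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations"
        }
        AddCommand      = {
            param($Body)
            # Dispatch on the OData type of the baseline file. There is no default arm: unlisted types do nothing.
            switch ($Body["@odata.type"]) {
                "#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration" {
                    # The tenant-default Windows Hello for Business configuration is updated in place;
                    # its id is located by the *_DefaultWindowsHelloForBusiness suffix.
                    $Id = ((Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations").value | Where-Object { $_.Id -like "*_DefaultWindowsHelloForBusiness" }).Id
                    Update-MgDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $Id -Body $Body
                }
                "#microsoft.graph.windows10EnrollmentCompletionPageConfiguration" {
                    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations" -Body $Body
                }
                "#microsoft.graph.azureADWindowsAutopilotDeploymentProfile" {
                    # Same endpoint as the dedicated WindowsAutopilotDeploymentProfiles type below.
                    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles" -Body $Body
                }
            }
        }
        AssignCommand   = {
            param($OriginalPolicy, $NewPolicy)
            switch ($OriginalPolicy["@odata.type"]) {
                "#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration" {
                    # Windows Hello for Business PIN reset setup. Ensures the two Microsoft PIN Reset service
                    # principals exist and hold OAuth2 permission grants with ConsentType AllPrincipals, i.e.
                    # tenant-wide admin consent on behalf of every user:
                    #   PIN Reset Service -> Azure AD Graph: "User.Read Directory.Read.All"
                    #   PIN Reset Client  -> Azure AD Graph: "User.Read"
                    #   PIN Reset Client  -> PIN Reset Service: "user_impersonation"
                    # Each step is idempotent (Get before New). Review these grants as part of the tenant's
                    # consent policy; they are a standing privilege, not a per-deployment change.
                    $AzureADSP = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0000-c000-000000000000'"
                    $PINResetServicePrincipal = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Pin Reset Service Production'"
                    if (!$PINResetServicePrincipal) {
                        $PINResetServicePrincipal = New-MgServicePrincipal -AccountEnabled:$true -AppId "b8456c59-1230-44c7-a4a2-99b085333e84" -DisplayName "Microsoft Pin Reset Service Production" -Homepage "https://cred.microsoft.com"
                    }
                    $PINResetServicePermissionGrantEntraID = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($PINResetServicePrincipal.Id)'"
                    if (!$PINResetServicePermissionGrantEntraID) {
                        $PINResetServicePermissionGrantEntraID = New-MgOauth2PermissionGrant -ClientId $PINResetServicePrincipal.Id -ConsentType "AllPrincipals" -Scope "User.Read Directory.Read.All" -ResourceId $AzureADSP.Id
                    }
                    $PINResetClientServicePrincipal = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Pin Reset Client Production'"
                    if (!$PINResetClientServicePrincipal) {
                        $PINResetClientServicePrincipal = New-MgServicePrincipal -AccountEnabled:$true -AppId "9115dd05-fad5-4f9c-acc7-305d08b1b04e" -DisplayName "Microsoft Pin Reset Client Production"
                    }
                    $PINResetClientPermissionGrantEntraID = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($PINResetClientServicePrincipal.Id)' and resourceId eq '$($AzureADSP.Id)'"
                    if (!$PINResetClientPermissionGrantEntraID) {
                        $PINResetClientPermissionGrantEntraID = New-MgOauth2PermissionGrant -ClientId $PINResetClientServicePrincipal.Id -ConsentType "AllPrincipals" -Scope "User.Read" -ResourceId $AzureADSP.Id
                    }
                    $PINResetClientPermissionGrantResetService = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($PINResetClientServicePrincipal.Id)' and resourceId eq '$($PINResetServicePrincipal.Id)'"
                    if (!$PINResetClientPermissionGrantResetService) {
                        $PINResetClientPermissionGrantResetService = New-MgOauth2PermissionGrant -ClientId $PINResetClientServicePrincipal.Id -ConsentType "AllPrincipals" -Scope "user_impersonation" -ResourceId $PINResetServicePrincipal.Id
                    }
                    Write-Host "Windows Hello for Business PIN Reset configuration created and assigned."
                }
                "#microsoft.graph.windows10EnrollmentCompletionPageConfiguration" {
                    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($NewPolicy.id)/assign" -Body @{ enrollmentConfigurationAssignments = $OriginalPolicy.enrollmentConfigurationAssignments }
                }
                "#microsoft.graph.azureADWindowsAutopilotDeploymentProfile" {
                    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles/$($NewPolicy.id)/assignments" -Body @{ target = $OriginalPolicy.enrollmentConfigurationAssignments.target } | Out-Null
                }
            }
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\DeviceEnrollmentConfigurations"
    },
    @{
        Type            = "WindowsAutopilotDeploymentProfiles"
        Name            = "Windows Autopilot Profiles"
        Description     = "Add Windows Autopilot Profiles to the tenant."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        # NOTE(review): returns the response envelope, not 'value' — same caveat as DeviceEnrollmentConfigurations.
        GetCommand      = {
            Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles"
        }
        AddCommand      = {
            param($Body)
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles" -Body $Body
        }
        AssignCommand   = {
            param($OriginalPolicy, $NewPolicy)
            # The assignment target is taken from enrollmentConfigurationAssignments of the baseline file.
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles/$($NewPolicy.id)/assignments" -Body @{ target = $OriginalPolicy.enrollmentConfigurationAssignments.target } | Out-Null
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\WindowsAutopilotDeploymentProfiles"
    },
    @{
        Type            = "WindowsUpdateForBusinessConfigurations"
        Name            = "Windows Update For Business Configurations"
        Description     = "Add Windows Update For Business Configurations to the tenant."
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        # Lists every device configuration, not only update rings; the consumer matches by NameProperty.
        GetCommand      = {
            Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" | Select-Object -ExpandProperty value
        }
        AddCommand      = {
            param($Body)
            Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' -Body $Body
        }
        AssignCommand   = {
            param($OriginalPolicy, $NewPolicy)
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($NewPolicy.id)/assign" -Body @{ assignments = $OriginalPolicy.assignments }
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\WindowsUpdateForBusinessConfigurations"
    },
    @{
        # Connectors are pre-existing objects keyed by id; the baseline file is applied with PATCH.
        Type            = "MobileThreatDefenseConnector"
        Name            = "Mobile Threat Defense Connector"
        Description     = "Add Mobile Threat Defense Connector (For enabling Intune management of Defender for Endpoint devices)."
        NameProperty    = "id"
        CheckExists     = $false
        Selectable      = $false
        GetCommand      = {
            Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors" | Select-Object -ExpandProperty value
        }
        AddCommand      = {
            param($Body)
            Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/$($Body.id)" -Body $Body
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\MobileThreatDefenseConnector"
    },
    @{
        Type            = "MobileApps"
        Name            = "Mobile Apps"
        Description     = "Add Mobile Apps to the tenant. (Currently only Microsoft 365 Apps)"
        NameProperty    = "displayName"
        CheckExists     = $true
        Selectable      = $true
        # Filter (URL-encoded OData) mirrors the Intune portal's Windows app listing.
        GetCommand      = {
            Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$filter=(isof(%27microsoft.graph.win32CatalogApp%27)%20or%20isof(%27microsoft.graph.windowsStoreApp%27)%20or%20isof(%27microsoft.graph.microsoftStoreForBusinessApp%27)%20or%20isof(%27microsoft.graph.officeSuiteApp%27)%20or%20(isof(%27microsoft.graph.win32LobApp%27)%20and%20not(isof(%27microsoft.graph.win32CatalogApp%27)))%20or%20isof(%27microsoft.graph.windowsMicrosoftEdgeApp%27)%20or%20isof(%27microsoft.graph.windowsPhone81AppX%27)%20or%20isof(%27microsoft.graph.windowsPhone81StoreApp%27)%20or%20isof(%27microsoft.graph.windowsPhoneXAP%27)%20or%20isof(%27microsoft.graph.windowsAppX%27)%20or%20isof(%27microsoft.graph.windowsMobileMSI%27)%20or%20isof(%27microsoft.graph.windowsUniversalAppX%27)%20or%20isof(%27microsoft.graph.webApp%27)%20or%20isof(%27microsoft.graph.windowsWebApp%27)%20or%20isof(%27microsoft.graph.winGetApp%27))%20and%20(microsoft.graph.managedApp/appAvailability%20eq%20null%20or%20microsoft.graph.managedApp/appAvailability%20eq%20%27lineOfBusiness%27%20or%20isAssigned%20eq%20true)&$orderby=displayName&' | Select-Object -ExpandProperty value
        }
        AddCommand      = {
            param($Body)
            Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps' -Body $Body
        }
        AssignCommand   = {
            param($OriginalPolicy, $NewPolicy)
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($NewPolicy.id)/assign" -Body @{ mobileAppAssignments = $OriginalPolicy.mobileAppAssignments }
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\MobileApps"
    },
    @{
        # Placeholder entry: all three script blocks are empty and do nothing. Exchange Online Protection
        # is presumably deployed by other code reading PolicyFilesPath — TODO confirm.
        Type            = "ExchangeOnlineProtectionPolicies"
        Name            = "Exchange Online Protection Policies"
        Description     = "Adds the baseline Exchange Online Protection Policies to the tenant. (Quarantine Reports, Safe Links, Safe Attachments, Anti-Phishing)"
        NameProperty    = "displayName"
        CheckExists     = $false
        Selectable      = $false
        GetCommand      = { }
        AddCommand      = {
            param($Body)
        }
        AssignCommand   = {
            param($OriginalPolicy, $NewPolicy)
        }
        PolicyFilesPath = "$script:ModuleRoot\Public\Configuration\Baseline\EOPPolicies"
    }
) -Scope Script -Force |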