DSCResources/MSFT_SCSensitivityLabel/MSFT_SCSensitivityLabel.psm1
|
$allTrainableClassifiers = @( [PSCustomObject]@{ Name = "Actuary reports"; Id = "b27df2ee-fd14-4ce9-b02f-4070a5d68132" } [PSCustomObject]@{ Name = "Agreements"; Id = "7f12e403-5335-4da8-a91e-6c2210b7a2b1" } [PSCustomObject]@{ Name = "Asset Management"; Id = "716fb550-90cd-493b-b29b-ceed41ee8a6f" } [PSCustomObject]@{ Name = "Bank statement"; Id = "f426bd16-e42e-4397-824b-f17dedc5bb1c" } [PSCustomObject]@{ Name = "Budget"; Id = "6f207592-f71e-4b4f-8c07-ebc4bd4965b9" } [PSCustomObject]@{ Name = "Business Context"; Id = "08b772df-bf93-457f-be23-b5cbf02005fd" } [PSCustomObject]@{ Name = "Business plan"; Id = "693f8221-ae4e-4612-80f5-746efee167c3" } [PSCustomObject]@{ Name = "Completion Certificates"; Id = "b2580781-286b-4ad2-ab47-84e84ff331e5" } [PSCustomObject]@{ Name = "Compliance policies"; Id = "fdad8089-651b-4877-8b66-be105b2e57da" } [PSCustomObject]@{ Name = "Construction specifications"; Id = "bfde18ef-b4b9-4f30-9965-ef8d00861a2c" } [PSCustomObject]@{ Name = "Control System and SCADA files"; Id = "59f1f471-687d-453b-a73e-0b0e9f350812" } [PSCustomObject]@{ Name = "Corporate Sabotage"; Id = "d88960c3-6101-43d9-9250-8c43c71d638a" } [PSCustomObject]@{ Name = "Credit Report"; Id = "07ce7d30-690a-4a1c-a331-8df9c944f1ab" } [PSCustomObject]@{ Name = "Customer Complaints"; Id = "8137d8fc-fb7a-40db-9009-284f962fde96" } [PSCustomObject]@{ Name = "Customer Files"; Id = "fdff9df2-03ba-4372-be97-82c0d2515118" } [PSCustomObject]@{ Name = "Discrimination"; Id = "a65c4ab6-a155-11eb-921c-6c0b84aa8ea5" } [PSCustomObject]@{ Name = "Employee disciplinary action files"; Id = "769d56c1-e737-4fc1-8673-8c99bbe24a07" } [PSCustomObject]@{ Name = "Employee Insurance files"; Id = "fa982a9f-9454-4885-a2bf-94a155df2f33" } [PSCustomObject]@{ Name = "Employee Pension Records"; Id = "f9ae0bbc-a1e0-4b7e-a96a-eb60b26b4434" } [PSCustomObject]@{ Name = "Employee Stocks and Financial Bond Records"; Id = "a67b2b59-c5f0-4c66-a6c4-ca6973adfd94" } [PSCustomObject]@{ Name = "Employment Agreement"; Id = "2a2baab7-b82c-4166-bbe4-55f9d3fd1129" } [PSCustomObject]@{ Name = "Enterprise Risk Management"; Id = "eed09aae-6f32-47c7-9c99-9d17bad48783" } [PSCustomObject]@{ Name = "Environmental permits and clearances"; Id = "1b7d3e51-0ecf-41bd-9794-966c94a889ba" } [PSCustomObject]@{ Name = "Facility Permits"; Id = "914c5379-9d05-47cb-98f0-f5a2be059b5a" } [PSCustomObject]@{ Name = "factory Incident Investigation reports"; Id = "86186144-d507-4603-bac7-50b56ba05c70" } [PSCustomObject]@{ Name = "Finance"; Id = "1771481d-a337-4dbf-8e64-af8da0cc3ee9" } [PSCustomObject]@{ Name = "Finance policies and procedures"; Id = "6556c5eb-0819-4618-ba2e-59925925655e" } [PSCustomObject]@{ Name = "Financial Audit Reports"; Id = "b04b2a4e-22f8-4024-8adc-e2caaad1c2e2" } [PSCustomObject]@{ Name = "Financial statement"; Id = "c31bfef9-8045-4a35-88a3-74b8681615c2" } [PSCustomObject]@{ Name = "Freight Documents"; Id = "785917ed-db01-43c7-8153-8a6fc393efa3" } [PSCustomObject]@{ Name = "Garnishment"; Id = "65e827c3-f8e8-4bc8-b08c-c31e3132b832" } [PSCustomObject]@{ Name = "Gifts \u0026 entertainment"; Id = "3b3d817a-9190-465b-af2d-9e856f894059" } [PSCustomObject]@{ Name = "Health/Medical forms"; Id = "7cc60f30-9e96-4d51-b26f-3d7a9df56338" } [PSCustomObject]@{ Name = "Healthcare"; Id = "dcbada08-65bf-4561-b140-25d8fee4d143" } [PSCustomObject]@{ Name = "HR"; Id = "11631f87-7ffe-4052-b173-abda16b231f3" } [PSCustomObject]@{ Name = "Invoice"; Id = "bf7df7c3-fce4-4ffd-ab90-26f6463f3a00" } [PSCustomObject]@{ Name = "IP"; Id = "495fad07-d6e4-4da4-9c64-5b9b109a5f59" } [PSCustomObject]@{ Name = "IT"; Id = "77a140be-c29f-4155-9dc4-c3e247e47560" } [PSCustomObject]@{ Name = "IT Infra and Network Security Documents"; Id = "bc55de38-cb72-43e6-952f-8422f584f229" } [PSCustomObject]@{ Name = "Lease Deeds"; Id = "841f54ad-3e31-4ddd-aea0-e7f0cd6b3d18" } [PSCustomObject]@{ Name = "Legal Affairs"; Id = "ba38aa0f-8c86-4c73-87db-95147a0f4420" } [PSCustomObject]@{ Name = "Legal Agreements"; Id = "bee9cefb-88bd-410f-ab3e-67cab21cef46" } [PSCustomObject]@{ Name = "Letter of Credits"; Id = "fd85acd5-59dd-49b2-a4c3-df7075885a82" } [PSCustomObject]@{ Name = "License agreement"; Id = "b399eb17-c9c4-4205-951b-43f38eb8dffe" } [PSCustomObject]@{ Name = "Loan agreements and offer letters"; Id = "5771fa57-34a1-48b3-93df-778b304daa54" } [PSCustomObject]@{ Name = "M&A Files"; Id = "eeffbf7c-fd04-40ef-a156-b37bf61832f7" } [PSCustomObject]@{ Name = "Manufacturing batch records"; Id = "834b2353-509a-4605-b4f1-fc2172a0d97c" } [PSCustomObject]@{ Name = "Marketing Collaterals"; Id = "fcaa6d2a-601c-4bdc-947e-af1178a646ac" } [PSCustomObject]@{ Name = "Meeting notes"; Id = "e7ff9a9e-4689-4192-b927-e6c6bdf099fc" } [PSCustomObject]@{ Name = "Money laundering"; Id = "adbbb20e-b175-46e7-8ba2-cf3f3179d0ed" } [PSCustomObject]@{ Name = "MoU Files (Memorandum of understanding)"; Id = "cb37c277-4b88-49c6-81fb-2eeca8c52bb9" } [PSCustomObject]@{ Name = "Network Design files"; Id = "12587d70-9596-4c21-b09f-f1abe9d6ca13" } [PSCustomObject]@{ Name = "Non disclosure agreement"; Id = "8dfd10db-0c72-4be4-a4f2-f615fe7aeb1c" } [PSCustomObject]@{ Name = "OSHA records"; Id = "b11b771e-7dd1-4434-873a-d648a16e969e" } [PSCustomObject]@{ Name = "Paystub"; Id = "31c11384-2d64-4635-9335-018295c64268" } [PSCustomObject]@{ Name = "Personal Financial Information"; Id = "6901c616-5857-432f-b3da-f5234fa1d342" } [PSCustomObject]@{ Name = "Procurement"; Id = "8fa64a47-6e77-4b4c-91a5-0f67525cebf5" } [PSCustomObject]@{ Name = "Profanity"; Id = "4b0aa61d-37dc-4596-a1f1-fc5a5b21d56b" } [PSCustomObject]@{ Name = "Project documents"; Id = "e062df90-816c-47ca-8913-db647510d3b5" } [PSCustomObject]@{ Name = "Quality assurance files"; Id = "97b1e0d3-7788-4dd4-bb18-48ea77796743" } [PSCustomObject]@{ Name = "Quotation"; Id = "3882e681-c437-42d8-ac75-1f9b7481fe13" } [PSCustomObject]@{ Name = "Regulatory Collusion"; Id = "911b7815-6883-4022-a882-9cbe9462f114" } [PSCustomObject]@{ Name = "Resume"; Id = "14b2da41-0427-47e9-a11b-c924e1d05689" } [PSCustomObject]@{ Name = "Safety Records"; Id = "938fb100-5b1f-4bbb-aba7-73d9c89d086f" } [PSCustomObject]@{ Name = "Sales and revenue"; Id = "9d6b864d-28c6-4be3-a9d0-cd40434a847f" } [PSCustomObject]@{ Name = "Software Product Development Files"; Id = "813aa6d8-0727-48d8-acb7-06e1819ee339" } [PSCustomObject]@{ Name = "Source code"; Id = "8aef6743-61aa-44b9-9ae5-3bb3d77df535" } [PSCustomObject]@{ Name = "Standard Operating Procedures and Manuals"; Id = "32f23ad4-2ca1-4495-8048-8dc567891644" } [PSCustomObject]@{ Name = "Statement of Accounts"; Id = "fe3676a6-0f5d-4990-bb46-9b2b31d7746a" } [PSCustomObject]@{ Name = "Statement of Work"; Id = "611c95f9-b1ef-4253-8b36-d8ae19d02fb0" } [PSCustomObject]@{ Name = "Stock manipulation"; Id = "1140cd79-ad87-4043-a562-c768acacc6ba" } [PSCustomObject]@{ Name = "Strategic planning documents"; Id = "9332b317-2ca4-413a-b983-92a1bd88c6f3" } [PSCustomObject]@{ Name = "Targeted Harassment"; Id = "a02ddb8e-3c93-44ac-87c1-2f682b1cb78e" } [PSCustomObject]@{ Name = "Tax"; Id = "9722b51a-f920-4a81-8390-b188a0692840" } [PSCustomObject]@{ Name = "Threat"; Id = "ef2edb64-6982-4648-b0ad-c0d8a861501b" } [PSCustomObject]@{ Name = "Unauthorized disclosure"; Id = "839aecf8-c67b-4270-8aaf-378127b23b7f" } [PSCustomObject]@{ Name = "Wire transfer"; Id = "05fc5ed0-58ef-4306-b65c-11b0a43895c2" } [PSCustomObject]@{ Name = "Work Schedules"; Id = "25bb9d2d-a5b5-45b1-882e-b2581a183873" } ) function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $true)] [System.String] $Name, [Parameter()] [System.String] $Comment, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $AdvancedSettings, [Parameter()] [System.String] $DisplayName, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $LocaleSettings, [Parameter()] [System.String] $ParentId, [Parameter()] [uint32] $Priority, [Parameter()] [System.String] $Tooltip, [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateSet('Left', 'Center', 'Right')] [System.String] $ApplyContentMarkingFooterAlignment, [Parameter()] [System.Boolean] $ApplyContentMarkingFooterEnabled, [Parameter()] [System.String] $ApplyContentMarkingFooterFontColor, [Parameter()] [System.Int32] $ApplyContentMarkingFooterFontSize, [Parameter()] [System.Int32] $ApplyContentMarkingFooterMargin, [Parameter()] [System.String] $ApplyContentMarkingFooterText, [Parameter()] [ValidateSet('Left', 'Center', 'Right')] [System.String] $ApplyContentMarkingHeaderAlignment, [Parameter()] [System.Boolean] $ApplyContentMarkingHeaderEnabled, [Parameter()] [System.String] $ApplyContentMarkingHeaderFontColor, [Parameter()] [System.Int32] $ApplyContentMarkingHeaderFontSize, [Parameter()] [System.Int32] $ApplyContentMarkingHeaderMargin, [Parameter()] [System.String] $ApplyContentMarkingHeaderText, [Parameter()] [System.Boolean] $ApplyWaterMarkingEnabled, [Parameter()] [System.String] $ApplyWaterMarkingFontColor, [Parameter()] [System.Int32] $ApplyWaterMarkingFontSize, [Parameter()] [ValidateSet('Horizontal', 'Diagonal')] [System.String] $ApplyWaterMarkingLayout, [Parameter()] [System.String] $ApplyWaterMarkingText, [Parameter()] [ValidateSet('File, Email', 'Site, UnifiedGroup', 'PurviewAssets', 'Teamwork', 'SchematizedData')] [System.String[]] $ContentType, [Parameter()] [System.String] $EncryptionContentExpiredOnDateInDaysOrNever, [Parameter()] [System.Boolean] $EncryptionDoNotForward, [Parameter()] [System.Boolean] $EncryptionEncryptOnly, [Parameter()] [System.Boolean] $EncryptionEnabled, [Parameter()] [System.Int32] $EncryptionOfflineAccessDays, [Parameter()] [System.Boolean] $EncryptionPromptUser, [Parameter()] [System.String] $EncryptionProtectionType, [Parameter()] [System.String] $EncryptionRightsDefinitions, [Parameter()] [System.String] $EncryptionRightsUrl, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowAccessToGuestUsers, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowEmailFromGuestUsers, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowFullAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowLimitedAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionBlockAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionEnabled, [Parameter()] [ValidateSet('Public', 'Private', 'Unspecified')] [System.String] $SiteAndGroupProtectionPrivacy, [Parameter()] [ValidateSet('ExternalUserAndGuestSharing', 'ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')] [System.String] $SiteAndGroupExternalSharingControlType, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AutoLabelingSettings, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [System.String] $CertificatePath, [Parameter()] [System.Management.Automation.PSCredential] $CertificatePassword, [Parameter()] [System.String[]] $AccessTokens ) Write-Verbose -Message "Getting configuration of Sensitivity Label for $Name" if ($Global:CurrentModeIsExport) { $ConnectionMode = New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` -InboundParameters $PSBoundParameters ` -SkipModuleReload $true } else { $ConnectionMode = New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` -InboundParameters $PSBoundParameters } #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $nullReturn = $PSBoundParameters $nullReturn.Ensure = 'Absent' try { try { $label = Get-Label -Identity $Name -ErrorAction SilentlyContinue ` -IncludeDetailedLabelActions } catch { throw $_ } if ($null -eq $label) { Write-Verbose -Message "Sensitivity label $($Name) does not exist." return $nullReturn } else { $parentLabelID = $null if ($null -ne $label.ParentId) { $parentLabel = Get-Label -Identity $label.ParentId -IncludeDetailedLabelActions -ErrorAction 'SilentlyContinue' $parentLabelID = $parentLabel.Name } if ($null -ne $label.LocaleSettings) { $localeSettingsValue = Convert-JSONToLocaleSettings -JSONLocalSettings $label.LocaleSettings } if ($null -ne $label.Settings) { $advancedSettingsValue = Convert-StringToAdvancedSettings -AdvancedSettings $label.Settings } Write-Verbose "Found existing Sensitivity Label $($Name)" [Array]$labelActions = $label.LabelActions $actions = @() foreach ($labelAction in $labelActions) { $action = ConvertFrom-Json ($labelAction | Out-String) $actions += $action } $encryption = ($actions | Where-Object -FilterScript { $_.Type -eq 'encrypt' }).Settings $header = ($actions | Where-Object -FilterScript { $_.Type -eq 'applycontentmarking' -and $_.Subtype -eq 'header' }).Settings $footer = ($actions | Where-Object -FilterScript { $_.Type -eq 'applycontentmarking' -and $_.Subtype -eq 'footer' }).Settings $watermark = ($actions | Where-Object -FilterScript { $_.Type -eq 'applywatermarking' }).Settings $protectgroup = ($actions | Where-Object -FilterScript { $_.Type -eq 'protectgroup' }).Settings $protectsite = ($actions | Where-Object -FilterScript { $_.Type -eq 'protectsite' }).Settings $ApplyContentMarkingFooterTextValue = $null $footerText = ($footer | Where-Object -FilterScript { $_.Key -eq 'text' }).Value if ([System.String]::IsNullOrEmpty($footerText) -eq $false) { $ApplyContentMarkingFooterTextValue = $footerText.Replace('$', '`$') } $ApplyContentMarkingHeaderTextValue = $null $headerText = ($header | Where-Object -FilterScript { $_.Key -eq 'text' }).Value if ([System.String]::IsNullOrEmpty($headerText) -eq $false) { $ApplyContentMarkingHeaderTextValue = $headerText.Replace('$', '`$') } $ApplyWaterMarkingTextValue = $null $watermarkText = ($watermark | Where-Object -FilterScript { $_.Key -eq 'text' }).Value if ([System.String]::IsNullOrEmpty($watermarkText) -eq $false) { $ApplyWaterMarkingTextValue = $watermarkText.Replace('$', '`$') } $currentContentType = @() switch -Regex ($label.ContentType) { 'File, Email' { $currentContentType += 'File, Email' } 'Site, UnifiedGroup' { $currentContentType += 'Site, UnifiedGroup' } 'PurviewAssets' { $currentContentType += 'PurviewAssets' } 'Teamwork' { $currentContentType += 'Teamwork' } 'SchematizedData' { $currentContentType += 'SchematizedData' } } # Encryption $entry = $encryption | Where-Object -FilterScript { $_.Key -eq 'disabled' } if ($null -ne $entry) { $encryptionEnabledValue = -not [Boolean]::Parse($entry.Value) } $entry = $encryption | Where-Object -FilterScript { $_.Key -eq 'contentexpiredondateindaysornever' } if ($null -ne $entry) { $contentExpiredOnDateValue = $entry.Value } $entry = $encryption | Where-Object -FilterScript { $_.Key -eq 'protectiontype' } if ($null -ne $entry) { $protectionTypeValue = $entry.Value } $entry = $encryption | Where-Object -FilterScript { $_.Key -eq 'offlineaccessdays' } if ($null -ne $entry) { $offlineAccessDaysValue = $entry.Value } $entry = $encryption | Where-Object -FilterScript { $_.Key -eq 'rightsdefinitions' } if ($null -ne $entry) { $EncryptionRightsDefinitionsValue = Convert-EncryptionRightDefinition -RightsDefinition $entry.Value } $entry = $encryption | Where-Object -FilterScript { $_.Key -eq 'donotforward' } if ($null -ne $entry) { $encryptionDoNotForwardValue = [Boolean]::Parse($entry.Value) } $entry = $encryption | Where-Object -FilterScript { $_.Key -eq 'encryptonly' } if ($null -ne $entry) { $encryptionEncryptOnlyValue = [Boolean]::Parse($entry.Value) } $entry = $encryption | Where-Object -FilterScript { $_.Key -eq 'promptuser' } if ($null -ne $entry) { $encryptionPromptUserValue = [Boolean]::Parse($entry.Value) } # Watermark $entry = $watermark | Where-Object -FilterScript { $_.Key -eq 'disabled' } if ($null -ne $entry) { $watermarkEnabledValue = -not [Boolean]::Parse($entry.Value) } # Watermark Footer $entry = $footer | Where-Object -FilterScript { $_.Key -eq 'disabled' } if ($null -ne $entry) { $footerEnabledValue = -not [Boolean]::Parse($entry.Value) } # Watermark Header $entry = $header | Where-Object -FilterScript { $_.Key -eq 'disabled' } if ($null -ne $entry) { $headerEnabledValue = -not [Boolean]::Parse($entry.Value) } # Site and Group $entry = $protectgroup | Where-Object -FilterScript { $_.Key -eq 'disabled' } if ($null -ne $entry) { $siteAndGroupEnabledValue = -not [Boolean]::Parse($entry.Value) } $entry = $protectgroup | Where-Object -FilterScript { $_.Key -eq 'allowaccesstoguestusers' } if ($null -ne $entry) { $siteAndGroupAccessToGuestUsersValue = [Boolean]::Parse($entry.Value) } $entry = $protectgroup | Where-Object -FilterScript { $_.Key -eq 'allowemailfromguestusers' } if ($null -ne $entry) { $siteAndGroupAllowEmailFromGuestUsers = [Boolean]::Parse($entry.Value) } $entry = $protectsite | Where-Object -FilterScript { $_.Key -eq 'allowfullaccess' } if ($null -ne $entry) { $siteAndGroupAllowFullAccess = [Boolean]::Parse($entry.Value) } $entry = $protectsite | Where-Object -FilterScript { $_.Key -eq 'allowlimitedaccess' } if ($null -ne $entry) { $siteAndGroupAllowLimitedAccess = [Boolean]::Parse($entry.Value) } $entry = $protectsite | Where-Object -FilterScript { $_.Key -eq 'blockaccess' } if ($null -ne $entry) { $siteAndGroupBlockAccess = [Boolean]::Parse($entry.Value) } # Auto Labelling Conditions $getConditions = $null if ([System.String]::IsNullOrEmpty($label.Conditions) -eq $false) { $currConditions = $label.Conditions | ConvertFrom-Json $getConditions = @{ Groups = @() Operator = '' } $operator = $currConditions.PSObject.Properties.Name $getConditions.Operator = $operator $autoApplyType = '' $policyTip = '' $groups = foreach ($group in $currConditions.$($operator)) { $grpObject = @{ Name = '' Operator = '' } $grpOperator = $group.PSObject.Properties.Name $grpObject.Operator = $grpOperator $grpName = '' [array]$sensitiveInformationTypes = foreach ($item in $group.$grpOperator | Where-Object { $_.Key -eq 'CCSI'}) { if ([String]::IsNullOrEmpty($grpName)) { $grpName = ($item.Settings | Where-Object { $_.Key -eq 'groupname' }).Value } if ([String]::IsNullOrEmpty($policyTip)) { $policyTip = ($item.Settings | Where-Object { $_.Key -eq 'policytip' }).Value } if ([String]::IsNullOrEmpty($autoApplyType)) { $autoApplyType = ($item.Settings | Where-Object { $_.Key -eq 'autoapplytype' }).Value } $settingsObject = @{ name = ($item.Settings | Where-Object { $_.Key -eq 'name' }).Value confidencelevel = ($item.Settings | Where-Object { $_.Key -eq 'confidencelevel' }).Value mincount = ($item.Settings | Where-Object { $_.Key -eq 'mincount' }).Value maxcount = ($item.Settings | Where-Object { $_.Key -eq 'maxcount' }).Value } if ($null -ne ($item.Settings | Where-Object { $_.Key -eq 'classifiertype' })) { $settingsObject.classifiertype = ($item.Settings | Where-Object { $_.Key -eq 'classifiertype' }).Value } # return the settings object as output to the sensitiveInformationTypes array $settingsObject } [array]$trainableClassifiers = foreach ($item in $group.$grpOperator | Where-Object { $_.Key -eq 'ContentMatchesModule'}) { if ([String]::IsNullOrEmpty($grpName)) { $grpName = ($item.Settings | Where-Object { $_.Key -eq 'groupname' }).Value } @{ name = ($item.Settings | Where-Object { $_.Key -eq 'name' }).Value id = $item.Value } } $grpObject.Name = $grpName $grpObject.SensitiveInformationType = $sensitiveInformationTypes $grpObject.TrainableClassifier = $trainableClassifiers # return the group object as output to the groups array $grpObject } $getConditions.Groups = $groups if ([System.String]::IsNullOrEmpty($policyTip) -eq $false) { $getConditions.PolicyTip = $policyTip } if ([System.String]::IsNullOrEmpty($autoApplyType) -eq $false) { $getConditions.AutoApplyType = $autoApplyType } else { $getConditions.AutoApplyType = 'Automatic' } } $result = @{ Name = $label.Name Comment = $label.Comment ParentId = $parentLabelID AdvancedSettings = $advancedSettingsValue DisplayName = $label.DisplayName LocaleSettings = $localeSettingsValue Priority = $label.Priority Tooltip = $label.Tooltip Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint CertificatePath = $CertificatePath CertificatePassword = $CertificatePassword Ensure = 'Present' ApplyContentMarkingFooterAlignment = ($footer | Where-Object { $_.Key -eq 'alignment' }).Value ApplyContentMarkingFooterEnabled = $footerEnabledValue ApplyContentMarkingFooterFontColor = ($footer | Where-Object { $_.Key -eq 'fontcolor' }).Value ApplyContentMarkingFooterFontSize = ($footer | Where-Object { $_.Key -eq 'fontsize' }).Value ApplyContentMarkingFooterMargin = ($footer | Where-Object { $_.Key -eq 'margin' }).Value ApplyContentMarkingFooterText = $ApplyContentMarkingFooterTextValue ApplyContentMarkingHeaderAlignment = ($header | Where-Object { $_.Key -eq 'alignment' }).Value ApplyContentMarkingHeaderEnabled = $headerEnabledValue ApplyContentMarkingHeaderFontColor = ($header | Where-Object { $_.Key -eq 'fontcolor' }).Value ApplyContentMarkingHeaderFontSize = ($header | Where-Object { $_.Key -eq 'fontsize' }).Value ApplyContentMarkingHeaderMargin = ($header | Where-Object { $_.Key -eq 'margin' }).Value #TODO ADD HEADER PLACEMENT? ApplyContentMarkingHeaderText = $ApplyContentMarkingHeaderTextValue ApplyWaterMarkingEnabled = $watermarkEnabledValue ApplyWaterMarkingFontColor = ($watermark | Where-Object { $_.Key -eq 'fontcolor' }).Value ApplyWaterMarkingFontSize = ($watermark | Where-Object { $_.Key -eq 'fontsize' }).Value ApplyWaterMarkingLayout = ($watermark | Where-Object { $_.Key -eq 'layout' }).Value ApplyWaterMarkingText = $ApplyWaterMarkingTextValue ContentType = $currentContentType EncryptionContentExpiredOnDateInDaysOrNever = $contentExpiredOnDateValue EncryptionDoNotForward = $encryptionDoNotForwardValue EncryptionEncryptOnly = $encryptionEncryptOnlyValue EncryptionEnabled = $encryptionEnabledValue EncryptionOfflineAccessDays = $offlineAccessDaysValue EncryptionPromptUser = $encryptionPromptUserValue EncryptionProtectionType = $protectionTypeValue EncryptionRightsDefinitions = $EncryptionRightsDefinitionsValue EncryptionRightsUrl = ($encryption | Where-Object { $_.Key -eq 'doublekeyencryptionurl' }).Value SiteAndGroupProtectionAllowAccessToGuestUsers = $siteAndGroupAccessToGuestUsersValue SiteAndGroupProtectionAllowEmailFromGuestUsers = $siteAndGroupAllowEmailFromGuestUsers SiteAndGroupProtectionPrivacy = ($protectgroup | Where-Object { $_.Key -eq 'privacy' }).Value SiteAndGroupProtectionAllowFullAccess = $siteAndGroupAllowFullAccess SiteAndGroupProtectionAllowLimitedAccess = $siteAndGroupAllowLimitedAccess SiteAndGroupProtectionBlockAccess = $siteAndGroupBlockAccess SiteAndGroupProtectionEnabled = $siteAndGroupEnabledValue SiteAndGroupExternalSharingControlType = ($protectsite | Where-Object { $_.Key -eq 'externalsharingcontroltype' }).Value AccessTokens = $AccessTokens AutoLabelingSettings = $getConditions } return $result } } catch { New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential return $nullReturn } } function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $true)] [System.String] $Name, [Parameter()] [System.String] $Comment, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $AdvancedSettings, [Parameter()] [System.String] $DisplayName, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $LocaleSettings, [Parameter()] [System.String] $ParentId, [Parameter()] [uint32] $Priority, [Parameter()] [System.String] $Tooltip, [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateSet('Left', 'Center', 'Right')] [System.String] $ApplyContentMarkingFooterAlignment, [Parameter()] [System.Boolean] $ApplyContentMarkingFooterEnabled, [Parameter()] [System.String] $ApplyContentMarkingFooterFontColor, [Parameter()] [System.Int32] $ApplyContentMarkingFooterFontSize, [Parameter()] [System.Int32] $ApplyContentMarkingFooterMargin, [Parameter()] [System.String] $ApplyContentMarkingFooterText, [Parameter()] [ValidateSet('Left', 'Center', 'Right')] [System.String] $ApplyContentMarkingHeaderAlignment, [Parameter()] [System.Boolean] $ApplyContentMarkingHeaderEnabled, [Parameter()] [System.String] $ApplyContentMarkingHeaderFontColor, [Parameter()] [System.Int32] $ApplyContentMarkingHeaderFontSize, [Parameter()] [System.Int32] $ApplyContentMarkingHeaderMargin, [Parameter()] [System.String] $ApplyContentMarkingHeaderText, [Parameter()] [System.Boolean] $ApplyWaterMarkingEnabled, [Parameter()] [System.String] $ApplyWaterMarkingFontColor, [Parameter()] [System.Int32] $ApplyWaterMarkingFontSize, [Parameter()] [ValidateSet('Horizontal', 'Diagonal')] [System.String] $ApplyWaterMarkingLayout, [Parameter()] [System.String] $ApplyWaterMarkingText, [Parameter()] [ValidateSet('File, Email', 'Site, UnifiedGroup', 'PurviewAssets', 'Teamwork', 'SchematizedData')] [System.String[]] $ContentType, [Parameter()] [System.String] $EncryptionContentExpiredOnDateInDaysOrNever, [Parameter()] [System.Boolean] $EncryptionDoNotForward, [Parameter()] [System.Boolean] $EncryptionEncryptOnly, [Parameter()] [System.Boolean] $EncryptionEnabled, [Parameter()] [System.Int32] $EncryptionOfflineAccessDays, [Parameter()] [System.Boolean] $EncryptionPromptUser, [Parameter()] [System.String] $EncryptionProtectionType, [Parameter()] [System.String] $EncryptionRightsDefinitions, [Parameter()] [System.String] $EncryptionRightsUrl, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowAccessToGuestUsers, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowEmailFromGuestUsers, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowFullAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowLimitedAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionBlockAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionEnabled, [Parameter()] [ValidateSet('Public', 'Private', 'Unspecified')] [System.String] $SiteAndGroupProtectionPrivacy, [Parameter()] [ValidateSet('ExternalUserAndGuestSharing', 'ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')] [System.String] $SiteAndGroupExternalSharingControlType, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AutoLabelingSettings, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [System.String] $CertificatePath, [Parameter()] [System.Management.Automation.PSCredential] $CertificatePassword, [Parameter()] [System.String[]] $AccessTokens ) Write-Verbose -Message "Setting configuration of Sensitivity label for $Name" #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $ConnectionMode = New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` -InboundParameters $PSBoundParameters $label = Get-TargetResource @PSBoundParameters if (($SiteAndGroupProtectionAllowFullAccess -and $SiteAndGroupProtectionAllowLimitedAccess) -or ` ($SiteAndGroupProtectionAllowFullAccess -and $SiteAndGroupProtectionBlockAccess) -or ` ($SiteAndGroupProtectionBlockAccess -and $SiteAndGroupProtectionAllowLimitedAccess)) { throw '[ERROR] Only one of these values can be set to true: SiteAndGroupProtectionAllowFullAccess, SiteAndGroupProtectionAllowLimitedAccess, SiteAndGroupProtectionBlockAccess' } if ($PSBoundParameters.ContainsKey('EncryptionProtectionType') -and ` ($EncryptionProtectionType -ne 'UserDefined' -and ` ($PSBoundParameters.ContainsKey('EncryptionDoNotForward') -or ` $PSBoundParameters.ContainsKey('EncryptionEncryptOnly') -or ` $PSBoundParameters.ContainsKey('EncryptionPromptUser')))) { Write-Warning -Message "You have specified EncryptionDoNotForward, EncryptionEncryptOnly or EncryptionPromptUser, but EncryptionProtectionType isn't set to UserDefined." } if ('Present' -eq $Ensure -and $PSBoundParameters.ContainsKey('AutoLabelingSettings')) { Write-Verbose 'Generating required JSON string for AutoLabelingSettings' Write-Verbose 'Retrieving all existing Sensitive Information Types' $existingSITs = Get-DlpSensitiveInformationType | Select-Object -Property Name,Id, RulePackId # Convert the AutoLabelingSettings to the correct JSON format, ready to be inserted into the label cmdlets $autoLabelingSettingsHT = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $AutoLabelingSettings Write-Verbose 'Processing all setting groups' [array]$grps = foreach ($group in $autoLabelingSettingsHT.Groups) { $groupCollection = @() Write-Verbose 'Processing all Sensitive Information Types' foreach ($sit in $group.SensitiveInformationType) { $currentSIT = $existingSITs | Where-Object { $_.Name -eq $sit.Name } if ($null -eq $currentSIT) { throw "[ERROR] Provided Sensitive Information Type $($sit.Name) doesn't exist." } [array]$settingsCollection = foreach ($setting in ($sit.Keys | Where-Object { $_ -ne 'id' })) { @{ Key = $setting Value = $sit[$setting] } } $settingsCollection += @{ Key = "rulepackage" Value = $currentSIT.RulePackId } $settingsCollection += @{ Key = "groupname" Value = $group.Name } if ($autoLabelingSettingsHT.ContainsKey("PolicyTip")) { $settingsCollection += @{ Key = "policytip" Value = $autoLabelingSettingsHT.PolicyTip } } if ($autoLabelingSettingsHT.ContainsKey("AutoApplyType") -and $autoLabelingSettingsHT.AutoApplyType -eq 'Recommend') { $settingsCollection += @{ Key = "autoapplytype" Value = $autoLabelingSettingsHT.AutoApplyType } } $groupCollection += @{ Key = 'CCSI' Value = $currentSIT.Id Properties = $null Settings = $settingsCollection } } Write-Verbose 'Processing all Trainable Classifiers' foreach ($trainableClassifier in $group.TrainableClassifier) { $currentTrainableClassifier = $allTrainableClassifiers | Where-Object { $_.Name -eq $trainableClassifier.name } if ($null -ne $currentTrainableClassifier) { if ([String]::IsNullOrEmpty($trainableClassifier.id) -eq $false -and ` $trainableClassifier.id -ne $currentTrainableClassifier.Id) { Write-Verbose ("[WARNING] Provided ID ($($trainableClassifier.id)) does not match the known " + ` "ID ($($currentTrainableClassifier.id)) for trainable classifier '$($trainableClassifier.name)'.") } $requiredId = $currentTrainableClassifier.Id } else { if ([String]::IsNullOrEmpty($trainableClassifier.id)) { throw "[ERROR] Trainable classifier $($trainableClassifier.name) isn't a default classifier and no ID was provided." } $requiredId = $trainableClassifier.id } [array]$settingsCollection = foreach ($key in ($trainableClassifier.Keys | Where-Object { $_ -ne 'id' })) { @{ Key = $key Value = $trainableClassifier[$key] } } $settingsCollection += @{ Key = "groupname" Value = $group.Name } if ($autoLabelingSettingsHT.ContainsKey("PolicyTip")) { $settingsCollection += @{ Key = "policytip" Value = $autoLabelingSettingsHT.PolicyTip } } if ($autoLabelingSettingsHT.ContainsKey("AutoApplyType") -and $autoLabelingSettingsHT.AutoApplyType -eq 'Recommend') { $settingsCollection += @{ Key = "autoapplytype" Value = $autoLabelingSettingsHT.AutoApplyType } } $groupCollection += @{ Key = 'ContentMatchesModule' Value = $requiredId Properties = $null Settings = $settingsCollection } } @{ $group.Operator = $groupCollection } } $desiredAutoLabelingSettings = @{ $autoLabelingSettingsHT.Operator = $grps } Write-Verbose 'Completed generating required JSON string for AutoLabelingSettings' } if (('Present' -eq $Ensure) -and ('Absent' -eq $label.Ensure)) { Write-Verbose -Message "Label {$Name} doesn't already exist, creating it from the Set-TargetResource function." $CreationParams = ([Hashtable]$PSBoundParameters).Clone() if ($PSBoundParameters.ContainsKey('AdvancedSettings')) { $advanced = Convert-CIMToAdvancedSettings $AdvancedSettings $CreationParams['AdvancedSettings'] = $advanced } if ($PSBoundParameters.ContainsKey('LocaleSettings')) { $locale = Convert-CIMToLocaleSettings $LocaleSettings $CreationParams['LocaleSettings'] = $locale } if ($CreationParams.ContainsKey('SiteAndGroupExternalSharingControlType')) { $CreationParams.SiteExternalSharingControlType = $CreationParams.SiteAndGroupExternalSharingControlType $CreationParams.Remove('SiteAndGroupExternalSharingControlType') } if ($PSBoundParameters.ContainsKey('AutoLabelingSettings') -and $null -ne $desiredAutoLabelingSettings) { $CreationParams.Conditions = $desiredAutoLabelingSettings | ConvertTo-Json -Depth 20 $CreationParams.Remove('AutoLabelingSettings') } $CreationParams.Remove('Priority') | Out-Null # Remove authentication parameters $CreationParams.Remove('Ensure') | Out-Null $CreationParams.Remove('Credential') | Out-Null $CreationParams.Remove('ApplicationId') | Out-Null $CreationParams.Remove('TenantId') | Out-Null $CreationParams.Remove('CertificatePath') | Out-Null $CreationParams.Remove('CertificatePassword') | Out-Null $CreationParams.Remove('CertificateThumbprint') | Out-Null $CreationParams.Remove('ManagedIdentity') | Out-Null $CreationParams.Remove('ApplicationSecret') | Out-Null $CreationParams.Remove('AccessTokens') | Out-Null try { Write-Verbose -Message "Creating Label {$Name}" $newLabel = New-Label @CreationParams -ErrorAction Stop ## Can't set priority until label created if ($PSBoundParameters.ContainsKey('Priority') -and $Priority -lt $newLabel.Priority) { Start-Sleep 5 Write-Verbose -Message "Updating the priority for newly created label {$Name}" Set-Label -Identity $Name -priority $Priority -ErrorAction Stop } } catch { New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential throw $_ } } elseif (('Present' -eq $Ensure) -and ('Present' -eq $label.Ensure)) { Write-Verbose -Message "Label {$Name} already exist, updating it from the Set-TargetResource function." $SetParams = $PSBoundParameters if ($PSBoundParameters.ContainsKey('AdvancedSettings')) { $advanced = Convert-CIMToAdvancedSettings $AdvancedSettings $SetParams['AdvancedSettings'] = $advanced } if ($PSBoundParameters.ContainsKey('LocaleSettings')) { $locale = Convert-CIMToLocaleSettings $LocaleSettings $SetParams['LocaleSettings'] = $locale } if ($SetParams.ContainsKey('SiteAndGroupExternalSharingControlType')) { $SetParams.SiteExternalSharingControlType = $SetParams.SiteAndGroupExternalSharingControlType $SetParams.Remove('SiteAndGroupExternalSharingControlType') } if ($PSBoundParameters.ContainsKey('AutoLabelingSettings') -and $null -ne $desiredAutoLabelingSettings) { $SetParams.Conditions = $desiredAutoLabelingSettings | ConvertTo-Json -Depth 20 $SetParams.Remove('AutoLabelingSettings') } #Remove unused parameters for Set-Label cmdlet $SetParams.Remove('Name') | Out-Null # Remove authentication parameters $SetParams.Remove('Ensure') | Out-Null $SetParams.Remove('Credential') | Out-Null $SetParams.Remove('ApplicationId') | Out-Null $SetParams.Remove('TenantId') | Out-Null $SetParams.Remove('CertificatePath') | Out-Null $SetParams.Remove('CertificatePassword') | Out-Null $SetParams.Remove('CertificateThumbprint') | Out-Null $SetParams.Remove('ManagedIdentity') | Out-Null $SetParams.Remove('ApplicationSecret') | Out-Null $SetParams.Remove('AccessTokens') | Out-Null try { Set-Label @SetParams -Identity $Name -ErrorAction Stop } catch { New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential throw $_ } } elseif (('Absent' -eq $Ensure) -and ('Present' -eq $label.Ensure)) { # If the label exists and it shouldn't, simply remove it;Need to force deletoion Write-Verbose -Message "Deleting Sensitivity label $Name." try { Remove-Label -Identity $Name -Confirm:$false -ErrorAction Stop Remove-Label -Identity $Name -Confirm:$false -forcedeletion:$true -ErrorAction Stop } catch { New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential throw $_ } } } function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $true)] [System.String] $Name, [Parameter()] [System.String] $Comment, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $AdvancedSettings, [Parameter()] [System.String] $DisplayName, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] $LocaleSettings, [Parameter()] [System.String] $ParentId, [Parameter()] [uint32] $Priority, [Parameter()] [System.String] $Tooltip, [Parameter()] [ValidateSet('Present', 'Absent')] [System.String] $Ensure = 'Present', [Parameter()] [ValidateSet('Left', 'Center', 'Right')] [System.String] $ApplyContentMarkingFooterAlignment, [Parameter()] [System.Boolean] $ApplyContentMarkingFooterEnabled, [Parameter()] [System.String] $ApplyContentMarkingFooterFontColor, [Parameter()] [System.Int32] $ApplyContentMarkingFooterFontSize, [Parameter()] [System.Int32] $ApplyContentMarkingFooterMargin, [Parameter()] [System.String] $ApplyContentMarkingFooterText, [Parameter()] [ValidateSet('Left', 'Center', 'Right')] [System.String] $ApplyContentMarkingHeaderAlignment, [Parameter()] [System.Boolean] $ApplyContentMarkingHeaderEnabled, [Parameter()] [System.String] $ApplyContentMarkingHeaderFontColor, [Parameter()] [System.Int32] $ApplyContentMarkingHeaderFontSize, [Parameter()] [System.Int32] $ApplyContentMarkingHeaderMargin, [Parameter()] [System.String] $ApplyContentMarkingHeaderText, [Parameter()] [System.Boolean] $ApplyWaterMarkingEnabled, [Parameter()] [System.String] $ApplyWaterMarkingFontColor, [Parameter()] [System.Int32] $ApplyWaterMarkingFontSize, [Parameter()] [ValidateSet('Horizontal', 'Diagonal')] [System.String] $ApplyWaterMarkingLayout, [Parameter()] [System.String] $ApplyWaterMarkingText, [Parameter()] [ValidateSet('File, Email', 'Site, UnifiedGroup', 'PurviewAssets', 'Teamwork', 'SchematizedData')] [System.String[]] $ContentType, [Parameter()] [System.String] $EncryptionContentExpiredOnDateInDaysOrNever, [Parameter()] [System.Boolean] $EncryptionDoNotForward, [Parameter()] [System.Boolean] $EncryptionEncryptOnly, [Parameter()] [System.Boolean] $EncryptionEnabled, [Parameter()] [System.Int32] $EncryptionOfflineAccessDays, [Parameter()] [System.Boolean] $EncryptionPromptUser, [Parameter()] [System.String] $EncryptionProtectionType, [Parameter()] [System.String] $EncryptionRightsDefinitions, [Parameter()] [System.String] $EncryptionRightsUrl, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowAccessToGuestUsers, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowEmailFromGuestUsers, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowFullAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionAllowLimitedAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionBlockAccess, [Parameter()] [System.Boolean] $SiteAndGroupProtectionEnabled, [Parameter()] [ValidateSet('Public', 'Private', 'Unspecified')] [System.String] $SiteAndGroupProtectionPrivacy, [Parameter()] [ValidateSet('ExternalUserAndGuestSharing', 'ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')] [System.String] $SiteAndGroupExternalSharingControlType, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance] $AutoLabelingSettings, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [System.String] $CertificatePath, [Parameter()] [System.Management.Automation.PSCredential] $CertificatePassword, [Parameter()] [System.String[]] $AccessTokens ) #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion Write-Verbose -Message "Testing configuration of Sensitivity label for $Name" $CurrentValues = Get-TargetResource @PSBoundParameters Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" $ValuesToCheck = $PSBoundParameters $ValuesToCheck.Remove('AdvancedSettings') | Out-Null $ValuesToCheck.Remove('LocaleSettings') | Out-Null $ValuesToCheck.Remove('AutoLabelingSettings') | Out-Null if ($null -ne $AdvancedSettings -and $null -ne $CurrentValues.AdvancedSettings) { Write-Verbose -Message 'Testing AdvancedSettings' $TestAdvancedSettings = Test-AdvancedSettings -DesiredProperty $AdvancedSettings -CurrentProperty $CurrentValues.AdvancedSettings if ($false -eq $TestAdvancedSettings) { return $false } } if ($null -ne $LocaleSettings -and $null -ne $CurrentValues.LocaleSettings) { Write-Verbose -Message 'Testing LocaleSettings' $localeSettingsSame = Test-LocaleSettings -DesiredProperty $LocaleSettings -CurrentProperty $CurrentValues.LocaleSettings if ($false -eq $localeSettingsSame) { return $false } } if ($null -ne $AutoLabelingSettings -and $null -ne $CurrentValues.AutoLabelingSettings) { Write-Verbose -Message 'Testing AutoLabelingSettings' # Convert the AutoLabelingSettings to the correct JSON format, ready to be inserted into the label cmdlets $autoLabelingSettingsHT = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $AutoLabelingSettings $autoLabelSettingsSame = Test-AutoLabelingSettings -CurrentProperty $CurrentValues.AutoLabelingSettings -DesiredProperty $autoLabelingSettingsHT if ($false -eq $autoLabelSettingsSame) { return $false } } $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult } function Export-TargetResource { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [System.String] $CertificatePath, [Parameter()] [System.Management.Automation.PSCredential] $CertificatePassword, [Parameter()] [System.String[]] $AccessTokens ) $ConnectionMode = New-M365DSCConnection -Workload 'SecurityComplianceCenter' ` -InboundParameters $PSBoundParameters ` -SkipModuleReload $true #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion try { [array]$labels = Get-Label -ErrorAction Stop $dscContent = '' $i = 1 if ($labels.Length -eq 0) { Write-Host $Global:M365DSCEmojiGreenCheckMark } else { Write-Host "`r`n" -NoNewline } foreach ($label in $labels) { if ($null -ne $Global:M365DSCExportResourceInstancesCount) { $Global:M365DSCExportResourceInstancesCount++ } Write-Host " |---[$i/$($labels.Count)] $($label.Name)" -NoNewline $Results = Get-TargetResource @PSBoundParameters -Name $label.Name if ($null -ne $Results.AdvancedSettings) { $Results.AdvancedSettings = ConvertTo-AdvancedSettingsString -AdvancedSettings $Results.AdvancedSettings } if ($null -ne $Results.LocaleSettings) { $Results.LocaleSettings = ConvertTo-LocaleSettingsString -LocaleSettings $Results.LocaleSettings } if ($null -ne $Results.AutoLabelingSettings) { $Results.AutoLabelingSettings = ConvertTo-AutoLabelingSettingsString -AutoLabelingSettings $Results.AutoLabelingSettings } $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential if ($null -ne $Results.AdvancedSettings) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'AdvancedSettings' } if ($null -ne $Results.LocaleSettings) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'LocaleSettings' } if ($null -ne $Results.AutoLabelingSettings) { $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'AutoLabelingSettings' } Write-Host $Global:M365DSCEmojiGreenCheckMark $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName $i++ } } catch { Write-Host $Global:M365DSCEmojiRedX New-M365DSCLogEntry -Message 'Error during Export:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential return '' } return $dscContent } function Convert-JSONToLocaleSettings { [CmdletBinding()] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param ( [parameter(Mandatory = $true)] $JSONLocalSettings ) $localeSettings = $JSONLocalSettings | ConvertFrom-Json $entries = @() $settings = @() foreach ($localeSetting in $localeSettings) { $result = @{ localeKey = $localeSetting.LocaleKey } foreach ($setting in $localeSetting.Settings) { $entry = @{ Key = $setting.Key Value = $setting.Value -replace "`r" } $settings += $entry } $result.Add('LabelSettings', $settings) $settings = @() $entries += $result $result = @{ } } return $entries } function Convert-StringToAdvancedSettings { [CmdletBinding()] [OutputType([Microsoft.Management.Infrastructure.CimInstance[]])] param ( [parameter(Mandatory = $true)] [System.String[]] $AdvancedSettings ) $settings = @() foreach ($setting in $AdvancedSettings) { $settingString = $setting.Replace('[', '').Replace(']', '') $settingKey = $settingString.Split(',')[0] if ($settingKey -notin @('displayname', 'contenttype', 'tooltip', 'parentid')) { $startPos = $settingString.IndexOf(',', 0) + 1 $valueString = $settingString.Substring($startPos, $settingString.Length - $startPos).Trim() $values = $valueString.Split(',') $entry = @{ Key = $settingKey Value = $values.Trim() } $settings += $entry } } return $settings } function Convert-CIMToAdvancedSettings { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [parameter(Mandatory = $true)] [Microsoft.Management.Infrastructure.CimInstance[]] $AdvancedSettings ) $entry = @{ } foreach ($obj in $AdvancedSettings) { $settingsValues = '' foreach ($objVal in $obj.Value) { $settingsValues += $objVal $settingsValues += ',' } $entry[$obj.Key] = $settingsValues.Substring(0, ($settingsValues.Length - 1)) } return $entry } function Convert-EncryptionRightDefinition { [CmdletBinding()] [OutputType([System.String])] param ( [parameter(Mandatory = $true)] [System.String] $RightsDefinition ) $EncryptionRights = $RightsDefinition | ConvertFrom-Json foreach ($right in $EncryptionRights) { $StringContent += "$($right.Identity):$($right.Rights);" } if ($StringContent.EndsWith(';')) { $StringContent = $StringContent.Substring(0, ($StringContent.Length - 1)) } return $StringContent } function Convert-CIMToLocaleSettings { [CmdletBinding()] [OutputType([System.Collections.ArrayList])] param ( [parameter(Mandatory = $true)] [Microsoft.Management.Infrastructure.CimInstance[]] $localeSettings ) $entry = [System.Collections.ArrayList]@() foreach ($localset in $localeSettings) { $localeEntries = [ordered]@{ localeKey = $localset.LocaleKey } $settings = @() foreach ($setting in $localset.LabelSettings) { $settingEntry = @{ Key = $setting.Key Value = $setting.Value } $settings += $settingEntry } $localeEntries.Add('Settings', $settings) [void]$entry.Add(($localeEntries | ConvertTo-Json)) $localeEntries = @{ } $settings = @( ) } return $entry } function Test-AdvancedSettings { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter (Mandatory = $true)] $DesiredProperty, [Parameter (Mandatory = $true)] $CurrentProperty ) $driftedSetting = @() $foundSettings = $true foreach ($desiredSetting in $DesiredProperty) { $foundKey = $CurrentProperty | Where-Object { $_.Key -eq $desiredSetting.Key } if ($null -ne $foundKey) { if ($desiredSetting.Value -is [Array]) { if ($foundKey.Value -is [Array]) { $diff = Compare-Object -ReferenceObject $foundKey.Value -DifferenceObject $desiredSetting.Value if ($diff.Count -ne 0) { $foundSettings = $false $driftedSetting += $desiredSetting.Key } } else { if ($desiredSetting.Value.Count -ne 1 -or ` $foundKey.Value.ToString() -ne $desiredSetting.Value[0].ToString()) { $foundSettings = $false $driftedSetting += $desiredSetting.Key } } } else { if ($foundKey.Value -is [Array]) { if ($foundKey.Value.Count -ne 1 -or ` $foundKey.Value[0].ToString() -ne $desiredSetting.Value.ToString()) { $foundSettings = $false $driftedSetting += $desiredSetting.Key } } else { if ($foundKey.Value.ToString() -ne $desiredSetting.Value.ToString()) { $foundSettings = $false $driftedSetting += $desiredSetting.Key } } } } else { $foundSettings = $false $driftedSetting += $desiredSetting.Key } } if ($foundSettings -eq $false) { New-M365DSCLogEntry -Message "AdvancedSettings for label $Name do not match: $($driftedSetting -join ', ')" ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential } Write-Verbose -Message "Test AdvancedSettings returns $foundSettings" return $foundSettings } function Test-LocaleSettings { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter (Mandatory = $true)] $DesiredProperty, [Parameter (Mandatory = $true)] $CurrentProperty ) $driftedSetting = @() $foundSettings = $true foreach ($desiredSetting in $DesiredProperty) { $foundKey = $CurrentProperty | Where-Object { $_.LocaleKey -eq $desiredSetting.localeKey } foreach ($setting in $desiredSetting.LabelSettings) { if ($null -ne $foundKey) { if ($setting.Value -is [Array]) { if ($setting.Value.Count -eq 1) { $myLabel = $foundKey.LabelSettings | Where-Object { $_.Key -eq $setting.Key -and $_.Value -eq $setting.Value[0] } } else { $foundSettings = $false $driftedSetting += "$($desiredSetting.localeKey) ($($setting.Key))" } } else { $myLabel = $foundKey.LabelSettings | Where-Object { $_.Key -eq $setting.Key -and $_.Value -eq $setting.Value } } if ($null -eq $myLabel) { $foundSettings = $false $driftedSetting += "$($desiredSetting.localeKey) ($($setting.Key))" } } else { $foundSettings = $false $driftedSetting += "$($desiredSetting.localeKey) ($($setting.Key))" } } } if ($foundSettings -eq $false) { New-M365DSCLogEntry -Message "LocaleSettings for label $Name do not match: $($driftedSetting -join ', ')" ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential } Write-Verbose -Message "Test LocaleSettings returns $foundSettings" return $foundSettings } function Test-AutoLabelingSettings { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter (Mandatory = $true)] [System.Object] $DesiredProperty, [Parameter (Mandatory = $true)] [System.Object] $CurrentProperty ) $foundSettings = $true $driftedSetting = New-Object System.Collections.ArrayList if ($DesiredProperty.Operator -ne $CurrentProperty.Operator) { $null = $driftedSetting.Add("Parameter 'Operator' does not match. Current: '$($CurrentProperty.Operator)'. Desired: '$($DesiredProperty.Operator)'.") $foundSettings = $false } if ($DesiredProperty.AutoApplyType -ne $CurrentProperty.AutoApplyType) { $null = $driftedSetting.Add("Parameter 'AutoApplyType' does not match. Current: '$($CurrentProperty.AutoApplyType)'. Desired: '$($DesiredProperty.AutoApplyType)'.") $foundSettings = $false } if ($DesiredProperty.ContainsKey('PolicyTip') -and $DesiredProperty.PolicyTip -ne $CurrentProperty.PolicyTip) { $null = $driftedSetting.Add("Parameter 'PolicyTip' does not match. Current: '$($CurrentProperty.PolicyTip)'. Desired: '$($DesiredProperty.PolicyTip)'.") $foundSettings = $false } foreach ($group in $DesiredProperty.Groups) { $currentGroup = $CurrentProperty.Groups | Where-Object { $_.Name -eq $group.Name } if ($null -eq $currentGroup) { $null = $driftedSetting.Add("Group '$($group.Name)' not found in the current settings.") $foundSettings = $false continue } if ($group.Operator -ne $currentGroup.Operator) { $null = $driftedSetting.Add("Parameter 'Groups\$($group.Name)\Operator' does not match. Current: '$($currentGroup.Operator)'. Desired: '$($group.Operator)'.") $foundSettings = $false } foreach ($sensitiveinfotype in $group.SensitiveInformationType) { $currentSensitiveInfoType = $currentGroup.SensitiveInformationType | Where-Object { $_.name -eq $sensitiveinfotype.name } if ($null -eq $currentSensitiveInfoType) { $null = $driftedSetting.Add("Sensitive Information Type '$($sensitiveinfotype.name)' not found in the current settings for group '$($group.Name)'.") $foundSettings = $false continue } if ($sensitiveinfotype.ContainsKey('confidencelevel') -and $sensitiveinfotype.confidencelevel -ne $currentSensitiveInfoType.confidencelevel) { $null = $driftedSetting.Add("Parameter 'confidencelevel' does not match for Sensitive Information Type '$($sensitiveinfotype.name)' in group '$($group.Name)'. Current: '$($currentSensitiveInfoType.confidencelevel)'. Desired: '$($sensitiveinfotype.confidencelevel)'.") $foundSettings = $false } if ($sensitiveinfotype.ContainsKey('classifiertype') -and $sensitiveinfotype.classifiertype -ne $currentSensitiveInfoType.classifiertype) { $null = $driftedSetting.Add("Parameter 'classifiertype' does not match for Sensitive Information Type '$($sensitiveinfotype.name)' in group '$($group.Name)'. Current: '$($currentSensitiveInfoType.classifiertype)'. Desired: '$($sensitiveinfotype.classifiertype)'.") $foundSettings = $false } if ($sensitiveinfotype.ContainsKey('mincount') -and $sensitiveinfotype.mincount -ne $currentSensitiveInfoType.mincount) { $null = $driftedSetting.Add("Parameter 'mincount' does not match for Sensitive Information Type '$($sensitiveinfotype.name)' in group '$($group.Name)'. Current: '$($currentSensitiveInfoType.mincount)'. Desired: '$($sensitiveinfotype.mincount)'.") $foundSettings = $false } if ($sensitiveinfotype.ContainsKey('maxcount') -and $sensitiveinfotype.maxcount -ne $currentSensitiveInfoType.maxcount) { $null = $driftedSetting.Add("Parameter 'maxcount' does not match for Sensitive Information Type '$($sensitiveinfotype.name)' in group '$($group.Name)'. Current: '$($currentSensitiveInfoType.maxcount)'. Desired: '$($sensitiveinfotype.maxcount)'.") $foundSettings = $false } } foreach ($trainableClassifier in $group.TrainableClassifier) { $currentTrainableClassifier = $currentGroup.trainableClassifier | Where-Object { $_.name -eq $trainableClassifier.name } if ($null -eq $currentTrainableClassifier) { $null = $driftedSetting.Add("Trainable Classifier '$($trainableClassifier.name)' not found in the current settings for group '$($group.Name)'.") $foundSettings = $false continue } } } foreach ($group in $CurrentProperty.Groups) { $desiredGroup = $DesiredProperty.Groups | Where-Object { $_.Name -eq $group.Name } if ($null -eq $desiredGroup) { $null = $driftedSetting.Add("Group '$($group.Name)' not found in the desired settings.") $foundSettings = $false continue } foreach ($sensitiveinfotype in $group.SensitiveInformationType) { $desiredSensitiveInfoType = $desiredGroup.SensitiveInformationType | Where-Object { $_.name -eq $sensitiveinfotype.name } if ($null -eq $desiredSensitiveInfoType) { $null = $driftedSetting.Add("Sensitive Information Type '$($sensitiveinfotype.name)' not found in the desired settings for group '$($group.Name)'.") $foundSettings = $false continue } } foreach ($trainableClassifier in $group.TrainableClassifier) { $desiredTrainableClassifier = $desiredGroup.trainableClassifier | Where-Object { $_.name -eq $trainableClassifier.name } if ($null -eq $desiredTrainableClassifier) { $null = $driftedSetting.Add("Trainable Classifier '$($trainableClassifier.name)' not found in the desired settings for group '$($group.Name)'.") $foundSettings = $false continue } } } if ($foundSettings -eq $false) { New-M365DSCLogEntry -Message "AutoLabelingSettings for label $Name do not match: `r`n- $($driftedSetting -join '`r`n- ')" ` -Source $($MyInvocation.MyCommand.Source) ` -TenantId $TenantId ` -Credential $Credential } Write-Verbose -Message "Test AutoLabelingSettings returns $foundSettings" return $foundSettings } function ConvertTo-AdvancedSettingsString { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter(Mandatory = $true)] $AdvancedSettings ) $StringContent = "@(`r`n" foreach ($advancedSetting in $AdvancedSettings) { $StringContent += " MSFT_SCLabelSetting`r`n" $StringContent += " {`r`n" $StringContent += " Key = '$($advancedSetting.Key.Replace("'", "''"))'`r`n" $StringContent += " Value = '$($advancedSetting.Value.Replace("'", "''"))'`r`n" $StringContent += " }`r`n" } $StringContent += ' )' return $StringContent } function ConvertTo-LocaleSettingsString { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter(Mandatory = $true)] $LocaleSettings ) $StringContent = "@(`r`n" foreach ($LocaleSetting in $LocaleSettings) { $StringContent += " MSFT_SCLabelLocaleSettings`r`n" $StringContent += " {`r`n" $StringContent += " LocaleKey = '$($LocaleSetting.LocaleKey.Replace("'", "''"))'`r`n" $StringContent += " LabelSettings = @(`r`n" foreach ($Setting in $LocaleSetting.LabelSettings) { $StringContent += " MSFT_SCLabelSetting`r`n" $StringContent += " {`r`n" $StringContent += " Key = '$($Setting.Key.Replace("'", "''"))'`r`n" $StringContent += " Value = '$($Setting.Value.Replace("'", "''"))'`r`n" $StringContent += " }`r`n" } $StringContent += " )`r`n" $StringContent += " }`r`n" } $StringContent += ' )' return $StringContent } function ConvertTo-AutoLabelingSettingsString { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter(Mandatory = $true)] $AutoLabelingSettings ) $StringContent = "" foreach ($autoLabelingSetting in $AutoLabelingSettings) { $StringContent += " MSFT_SCSLAutoLabelingSettings`r`n" $StringContent += " {`r`n" $StringContent += " Operator = '$($autoLabelingSetting.Operator)'`r`n" if ($autoLabelingSetting.ContainsKey('PolicyTip')) { $StringContent += " PolicyTip = '$($autoLabelingSetting.PolicyTip.Replace("'", "''"))'`r`n" } $StringContent += " AutoApplyType = '$($autoLabelingSetting.AutoApplyType)'`r`n" $StringContent += " Groups = @(`r`n" foreach ($Group in $autoLabelingSetting.Groups) { $StringContent += " MSFT_SCSLSensitiveInformationGroup`r`n" $StringContent += " {`r`n" $StringContent += " Name = '$($Group.Name.Replace("'", "''"))'`r`n" $StringContent += " Operator = '$($Group.Operator)'`r`n" if ($Group.ContainsKey('SensitiveInformationType')) { $StringContent += " SensitiveInformationType = @(`r`n" foreach ($sensitiveInformationType in $Group.SensitiveInformationType) { $StringContent += " MSFT_SCSLSensitiveInformationType`r`n" $StringContent += " {`r`n" $StringContent += " name = '$($sensitiveInformationType.name.Replace("'", "''"))'`r`n" if ($sensitiveInformationType.ContainsKey('confidencelevel')) { $StringContent += " confidencelevel = '$($sensitiveInformationType.confidencelevel)'`r`n" } if ($sensitiveInformationType.ContainsKey('classifiertype')) { $StringContent += " classifiertype = '$($sensitiveInformationType.classifiertype)'`r`n" } if ($sensitiveInformationType.ContainsKey('mincount')) { $StringContent += " mincount = '$($sensitiveInformationType.mincount)'`r`n" } if ($sensitiveInformationType.ContainsKey('maxcount')) { $StringContent += " maxcount = '$($sensitiveInformationType.maxcount)'`r`n" } $StringContent += " }`r`n" } $StringContent += " )`r`n" } if ($Group.ContainsKey('TrainableClassifier')) { $StringContent += " TrainableClassifier = @(`r`n" foreach ($trainableClassifier in $Group.TrainableClassifier) { $StringContent += " MSFT_SCSLTrainableClassifiers`r`n" $StringContent += " {`r`n" $StringContent += " name = '$($trainableClassifier.name.Replace("'", "''"))'`r`n" if ($trainableClassifier.ContainsKey('id')) { $StringContent += " id = '$($trainableClassifier.id)'`r`n" } $StringContent += " }`r`n" } $StringContent += " )`r`n" } $StringContent += " }`r`n" } $StringContent += " )`r`n" $StringContent += " }`r`n" } return $StringContent } Export-ModuleMember -Function *-TargetResource |