UCLobbyTeams.psm1
#Region '.\Private\Convert-UcTeamsDeviceType.ps1' -1 function Convert-UcTeamsDeviceType { param ( [string]$DeviceType ) switch ($DeviceType) { "ipPhone" { return "Phone" } "lowCostPhone" { return "Phone" } "teamsRoom" { return "MTR Windows" } "collaborationBar" { return "MTR Android" } "surfaceHub" { return "Surface Hub" } "teamsDisplay" { return "Display" } "touchConsole" { return "Touch Console (MTRA)" } "teamsPanel" { return "Panel" } "sip" { return "SIP Phone" } Default { return $DeviceType} } } #EndRegion '.\Private\Convert-UcTeamsDeviceType.ps1' 18 #Region '.\Private\ConvertTo-IPv4MaskString.ps1' -1 function ConvertTo-IPv4MaskString { param( [parameter(Mandatory = $true)] [ValidateRange(0, 32)] [Int] $MaskBits ) <# .SYNOPSIS Converts a number of bits (0-32) to an IPv4 network mask string (e.g., "255.255.255.0"). .DESCRIPTION Converts a number of bits (0-32) to an IPv4 network mask string (e.g., "255.255.255.0"). .PARAMETER MaskBits Specifies the number of bits in the mask. Credits to: Bill Stewart - https://www.itprotoday.com/powershell/working-ipv4-addresses-powershell #> $mask = ([Math]::Pow(2, $MaskBits) - 1) * [Math]::Pow(2, (32 - $MaskBits)) $bytes = [BitConverter]::GetBytes([UInt32] $mask) (($bytes.Count - 1)..0 | ForEach-Object { [String] $bytes[$_] }) -join "." } #EndRegion '.\Private\ConvertTo-IPv4MaskString.ps1' 24 #Region '.\Private\Get-UcUPNFromString.ps1' -1 function Get-UcUPNFromString { param ( [string]$InputStr ) $regexUPN = "([^|]+@[a-zA-Z0-9_\-\.]+\.[a-zA-Z]*)" try { $RegexTemp = [regex]::Match($InputStr, $regexUPN).captures.groups if ($RegexTemp.Count -ge 2) { $outUPN = $RegexTemp[1].value } return $outUPN } catch { return "" } } #EndRegion '.\Private\Get-UcUPNFromString.ps1' 17 #Region '.\Private\Invoke-UcMgGraphBatch.ps1' -1 function Invoke-UcMgGraphBatch { param( [object]$Requests, [ValidateSet("beta", "v1.0")] [string]$MgProfile, [string]$Activity, [switch]$IncludeBody ) $GraphURI_BetaAPIBatch = "https://graph.microsoft.com/beta/`$batch" $GraphURI_ProdAPIBatch = "https://graph.microsoft.com/v1.0/`$batch" $outBatchResponses = [System.Collections.ArrayList]::new() $tmpGraphRequests = [System.Collections.ArrayList]::new() if ($MgProfile.Equals("beta")) { $GraphURI_Batch = $GraphURI_BetaAPIBatch } else { $GraphURI_Batch = $GraphURI_ProdAPIBatch } #If activity is null then we can use this to get the function that call this function. if (!($Activity)) { $Activity = [string]$(Get-PSCallStack)[1].FunctionName } $g = 1 $batchCount = [int][Math]::Ceiling(($Requests.count / 20)) foreach ($GraphRequest in $Requests) { Write-Progress -Activity $Activity -Status "Running batch $g of $batchCount" [void]$tmpGraphRequests.Add($GraphRequest) if ($tmpGraphRequests.Count -ge 20) { $g++ $grapRequestBody = ' { "requests": ' + ($tmpGraphRequests | ConvertTo-Json) + ' }' $GraphResponses += (Invoke-MgGraphRequest -Method Post -Uri $GraphURI_Batch -Body $grapRequestBody).responses $tmpGraphRequests = [System.Collections.ArrayList]::new() } } if ($tmpGraphRequests.Count -gt 0) { Write-Progress -Activity $Activity -Status "Running batch $g of $batchCount" #TO DO: Look for alternatives instead of doing this. if ($tmpGraphRequests.Count -gt 1) { $grapRequestBody = ' { "requests": ' + ($tmpGraphRequests | ConvertTo-Json) + ' }' } else { $grapRequestBody = ' { "requests": [' + ($tmpGraphRequests | ConvertTo-Json) + '] }' } try{ $GraphResponses += (Invoke-MgGraphRequest -Method Post -Uri $GraphURI_Batch -Body $grapRequestBody).responses } catch { Write-Warning "Error while getting the Graph Request." } } #In some cases we will need the complete graph response, in that case the calling function will have to process pending pages. $attempts = 1 for ($j = 0; $j -lt $GraphResponses.length; $j++) { $ResponseCount = 0 if($IncludeBody){ $outBatchResponses += $GraphResponses[$j] } else { $outBatchResponses += $GraphResponses[$j].body if ($GraphResponses[$j].status -eq "200"){ #Checking if there are more pages available $GraphURI_NextPage = $GraphResponses[$j].body.'@odata.nextLink' $GraphTotalCount = $GraphResponses[$j].body.'@odata.count' $ResponseCount += $GraphResponses[$j].body.value.count while (![string]::IsNullOrEmpty($GraphURI_NextPage)) { try{ $graphNextPageResponse = Invoke-MgGraphRequest -Method Get -Uri $GraphURI_NextPage $outBatchResponses += $graphNextPageResponse $GraphURI_NextPage = $graphNextPageResponse.'@odata.nextLink' $ResponseCount += $graphNextPageResponse.value.count Write-Progress -Activity $Activity -Status "$ResponseCount of $GraphTotalCount" } catch { Write-Warning "Failed to get the next batch page, retrying..." $attempts-- } if($attempts -eq 0){ Write-Warning "Could not get next batch page, skiping it." break } } } else { Write-Warning ("Failed to get Graph Response" + [Environment]::NewLine + ` "Error Code: " + $GraphResponses[$j].status + " " + $GraphResponses[$j].body.error.code + [Environment]::NewLine + ` "Error Message: " + $GraphResponses[$j].body.error.message + [Environment]::NewLine + ` "Request Date: " + $GraphResponses[$j].body.error.innerError.date + [Environment]::NewLine + ` "Request ID: " + $GraphResponses[$j].body.error.innerError.'request-id' + [Environment]::NewLine + ` "Client Request Id: " + $GraphResponses[$j].body.error.innerError.'client-request-id') } } } return $outBatchResponses } #EndRegion '.\Private\Invoke-UcMgGraphBatch.ps1' 97 #Region '.\Private\Test-UcIPAddressInSubnet.ps1' -1 function Test-UcIPaddressInSubnet { <# .SYNOPSIS Check if an IP address is part of an Subnet. .DESCRIPTION Returns true if the given IP address is part of the subnet, false for not or invalid ip address. Contributors: David Paulino .PARAMETER IPAddress IP Address that we want to confirm that belongs to a range. .PARAMETER Subnet Subnet in the IPaddress/SubnetMaskBits. .EXAMPLE PS> Test-UcIPaddressInSubnet -IPAddress 192.168.0.1 -Subnet 192.168.0.0/24 #> param( [Parameter(mandatory = $true)] [string]$IPAddress, [Parameter(mandatory = $true)] [string]$Subnet ) $regExIPAddressSubnet = "^((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9]))\/(3[0-2]|[1-2]{1}[0-9]{1}|[1-9])$" try { [void]($Subnet -match $regExIPAddressSubnet) $IPSubnet = [ipaddress]$Matches[1] $tmpIPAddress = [ipaddress]$IPAddress $subnetMask = ConvertTo-IPv4MaskString $Matches[6] $tmpSubnet = [ipaddress] ($subnetMask) $netidSubnet = [ipaddress]($IPSubnet.address -band $tmpSubnet.address) $netidIPAddress = [ipaddress]($tmpIPAddress.address -band $tmpSubnet.address) return ($netidSubnet.ipaddresstostring -eq $netidIPAddress.ipaddresstostring) } catch { return $false } } #EndRegion '.\Private\Test-UcIPAddressInSubnet.ps1' 42 #Region '.\Private\Test-UcMgGraphConnection.ps1' -1 function Test-UcMgGraphConnection { param( [Parameter(mandatory = $false)] [string[]]$Scopes, [string[]]$AltScopes, [ValidateSet("AppOnly", "Delegated")] [string]$AuthType ) <# .SYNOPSIS Test connection to Microsoft Graph .DESCRIPTION This function will validate if the current connection to Microsoft Graph has the required Scopes. Contributors: Daniel Jelinek, David Paulino Requirements: Microsoft Graph PowerShell Module (Install-Module Microsoft.Graph) .PARAMETER Scopes When present it will get detailed information from Teams Devices .EXAMPLE PS> Connect-UcMgGraph "TeamworkDevice.Read.All","Directory.Read.All" #> #Checking if Microsoft.Graph is installed if (!(Get-Module Microsoft.Graph.Authentication -ListAvailable)) { Write-Warning ("Missing Microsoft.Graph.Authentication PowerShell module. Please install it with:" + [Environment]::NewLine + "Install-Module Microsoft.Graph.Authentication") return $false } $MgGraphContext = Get-MgContext if($AuthType -and $MgGraphContext.AuthType -ne $AuthType){ Write-Warning ("Wrong Permission Type: " + $MgGraphContext.AuthType + ", this PowerShell cmdlet requires: $AuthType") return $false } #Checking if we have the required scopes. $currentScopes = $MgGraphContext.Scopes $strScope = "" $strAltScope = "" $missingScopes = "" $missingAltScopes = "" $missingScope = $false $missingAltScope = $false foreach ($scope in $Scopes) { $strScope += "`"" + $scope + "`"," if ($scope -notin $currentScopes) { $missingScope = $true $missingScopes += $scope + "," } } #20231013 - Added option to specify alternative scopes if ($missingScope -and $AltScopes) { foreach ($altScope in $AltScopes) { $strAltScope += "`"" + $altScope + "`"," if ($altScope -notin $currentScopes) { $missingAltScope = $true $missingAltScopes += $altScope + "," } } #20231117 - Issue when AltScopes wasnt submitted } else { $missingAltScope = $true } if (!($currentScopes)) { Write-Warning ("Not Connected to Microsoft Graph" + [Environment]::NewLine + "Please connect to Microsoft Graph before running this cmdlet." + [Environment]::NewLine + "Commercial Tenant: Connect-MgGraph -Scopes " + $strScope.Substring(0, $strScope.Length - 1) + [Environment]::NewLine + "US Gov (GCC-H) Tenant: Connect-MgGraph -Scopes " + $strScope.Substring(0, $strScope.Length - 1) + " -Environment USGov") return $false } #If scopes are missing we need to connect using the required scopes if ($missingScope -and $missingAltScope) { if ($Scopes -and $AltScopes) { Write-Warning ("Missing scope(s): " + $missingScopes.Substring(0, $missingScopes.Length - 1) + " and missing alternative Scope(s): " + $missingAltScopes.Substring(0, $missingAltScopes.Length - 1) + ` [Environment]::NewLine + "Please reconnect to Microsoft Graph before running this cmdlet." + ` [Environment]::NewLine + "Commercial Tenant: Connect-MgGraph -Scopes " + $strScope.Substring(0, $strScope.Length - 1) + " or Connect-MgGraph -Scopes " + $strAltScope.Substring(0, $strAltScope.Length - 1) + ` [Environment]::NewLine + "US Gov (GCC-H) Tenant: Connect-MgGraph -Environment USGov -Scopes " + $strScope.Substring(0, $strScope.Length - 1) + " or Connect-MgGraph -Environment USGov -Scopes " + $strAltScope.Substring(0, $strAltScope.Length - 1) ) } else { Write-Warning ("Missing scope(s): " + $missingScopes.Substring(0, $missingScopes.Length - 1) + ` [Environment]::NewLine + "Please reconnect to Microsoft Graph before running this cmdlet." + ` [Environment]::NewLine + "Commercial Tenant: Connect-MgGraph -Scopes " + $strScope.Substring(0, $strScope.Length - 1) + ` [Environment]::NewLine + "US Gov (GCC-H) Tenant: Connect-MgGraph -Environment USGov -Scopes " + $strScope.Substring(0, $strScope.Length - 1)) } return $false } else { return $true } } #EndRegion '.\Private\Test-UcMgGraphConnection.ps1' 97 #Region '.\Public\Get-UcArch.ps1' -1 function Get-UcArch { param( [string]$FilePath ) <# .SYNOPSIS Funcion to get the Architecture from .exe file .DESCRIPTION Based on PowerShell script Get-ExecutableType.ps1 by David Wyatt, please check the complete script in: Identify 16-bit, 32-bit and 64-bit executables with PowerShell https://gallery.technet.microsoft.com/scriptcenter/Identify-16-bit-32-bit-and-522eae75 .PARAMETER FilePath Specifies the executable full file path. .EXAMPLE PS> Get-UcArch -FilePath C:\temp\example.exe #> try { $stream = New-Object System.IO.FileStream( $FilePath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read ) $exeType = 'Unknown' $bytes = New-Object byte[](4) if ($stream.Seek(0x3C, [System.IO.SeekOrigin]::Begin) -eq 0x3C -and $stream.Read($bytes, 0, 4) -eq 4) { if (-not [System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes, 0, 4) } $peHeaderOffset = [System.BitConverter]::ToUInt32($bytes, 0) if ($stream.Length -ge $peHeaderOffset + 6 -and $stream.Seek($peHeaderOffset, [System.IO.SeekOrigin]::Begin) -eq $peHeaderOffset -and $stream.Read($bytes, 0, 4) -eq 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x45 -and $bytes[2] -eq 0 -and $bytes[3] -eq 0) { $exeType = 'Unknown' if ($stream.Read($bytes, 0, 2) -eq 2) { if (-not [System.BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes, 0, 2) } $machineType = [System.BitConverter]::ToUInt16($bytes, 0) switch ($machineType) { 0x014C { $exeType = 'x86' } 0x8664 { $exeType = 'x64' } } } } } return $exeType } catch { return "Unknown" } finally { if ($null -ne $stream) { $stream.Dispose() } } } #EndRegion '.\Public\Get-UcArch.ps1' 57 #Region '.\Public\Get-UcM365Domains.ps1' -1 function Get-UcM365Domains { param( [Parameter(Mandatory = $true)] [string]$Domain ) <# .SYNOPSIS Get Microsoft 365 Domains from a Tenant .DESCRIPTION This function returns a list of domains that are associated with a Microsoft 365 Tenant. .PARAMETER Domain Specifies a domain registered with Microsoft 365 .EXAMPLE PS> Get-UcM365Domains -Domain uclobby.com #> $regex = "^(.*@)(.*[.].*)$" $outDomains = [System.Collections.ArrayList]::new() try { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams $AllowedAudiences = Invoke-WebRequest -Uri ("https://accounts.accesscontrol.windows.net/" + $Domain + "/metadata/json/1") -UseBasicParsing | ConvertFrom-Json | Select-Object -ExpandProperty allowedAudiences } catch [System.Net.WebException] { if ($PSItem.Exception.Message -eq "The remote server returned an error: (400) Bad Request.") { Write-Warning "The domain $Domain is not part of a Microsoft 365 Tenant." } else { Write-Warning $PSItem.Exception.Message } } catch { #20240318 - Support for GCC High tenants. try { $AllowedAudiences = Invoke-WebRequest -Uri ("https://login.microsoftonline.us/" + $Domain + "/metadata/json/1") -UseBasicParsing | ConvertFrom-Json | Select-Object -ExpandProperty allowedAudiences } catch { Write-Warning "Unknown error while checking domain: $Domain" } } try { foreach ($AllowedAudience in $AllowedAudiences) { $temp = [regex]::Match($AllowedAudience , $regex).captures.groups if ($temp.count -ge 2) { $tempObj = New-Object -TypeName PSObject -Property @{ Name = $temp[2].value } $outDomains.Add($tempObj) | Out-Null } } } catch { Write-Warning "Unknown error while checking domain: $Domain" } return $outDomains } #EndRegion '.\Public\Get-UcM365Domains.ps1' 59 #Region '.\Public\Get-UcM365LicenseAssignment.ps1' -1 function Get-UcM365LicenseAssignment { param( [string]$SKU, [switch]$UseFriendlyNames, [switch]$SkipServicePlan, [string]$OutputPath, [switch]$DuplicateServicePlansOnly ) <# .SYNOPSIS Generate a report of the User assigned licenses either direct or assigned by group (Inherited) .DESCRIPTION This script will get a report of all Service Plans assigned to users and how the license is assigned to the user (Direct, Inherited) Contributors: David Paulino, Freydem Fernandez Lopez, Gal Naor Requirements: Microsoft Graph PowerShell Module (Install-Module Microsoft.Graph) Microsoft Graph Scopes: "Directory.Read.All" .PARAMETER UseFriendlyNames When present will download a csv file containing the License/ServicePlans friendly names Product names and service plan identifiers for licensing https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-reference .PARAMETER SkipServicePlan When present will just check the licenses and not the service plans assigned to the user. .PARAMETER OutputPath Allows to specify the path where we want to save the results. By default, it will save on current user Download. .PARAMETER DuplicateServicePlansOnly When present the report will be the users that have the same service plan from different assigned licenses. .EXAMPLE PS> Get-UcM365LicenseAssignment .EXAMPLE PS> Get-UcM365LicenseAssignment -UseFriendlyNames #> if ((Test-UcMgGraphConnection -Scopes "Directory.Read.All" -AltScopes ("User.Read.All", "Organization.Read.All"))) { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams $startTime = Get-Date; $outFile = "M365LicenseAssigment_" #region 20240905 - Users with Duplicate Service Plans if($DuplicateServicePlansOnly){ $outFile += "DuplicateServicePlansOnly_" } #endregion $outFile += (Get-Date).ToString('yyyyMMdd-HHmmss') + ".csv" #Verify if the Output Path exists if ($OutputPath) { if (!(Test-Path $OutputPath -PathType Container)) { Write-Host ("Error: Invalid folder " + $OutputPath) -ForegroundColor Red return } $OutputFilePath = [System.IO.Path]::Combine($OutputPath, $outFile) } else { $OutputFilePath = [System.IO.Path]::Combine($env:USERPROFILE, "Downloads", $outFile) } if ($UseFriendlyNames) { #20231019 - Change: OutputPath will be for both report and Product names and service plan identifiers for licensing.csv $SKUnSPFilePath = [System.IO.Path]::Combine($OutputPath, "Product names and service plan identifiers for licensing.csv") if (!(Test-Path -Path $SKUnSPFilePath)) { try { Write-Warning "M365 Product Names and Service Plans file not found, attempting to download it." Invoke-WebRequest -Uri "https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv" -OutFile $SKUnSPFilePath } catch { Write-Warning "Could not download M365 Product Names and Service Plans." } } try { $SKUnSP = import-CSV -Path $SKUnSPFilePath } catch { Write-Warning "Could not import Service Plan ID file." $UseFriendlyNames = $false } } #region 20240905 - Combined Graph calls for SKUs, Licensed Groups #Tenant SKUs - All Licenses that exist in the tenant $graphRequests = [System.Collections.ArrayList]::new() $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "TenantSKUs" method = "GET" url = "/subscribedSkus?`$select=skuID,skuPartNumber,servicePlans,appliesTo,consumedUnits" } [void]$graphRequests.Add($gRequestTmp) #Groups with Licenses Assignment. $GraphRequestHeader = New-Object 'System.Collections.Generic.Dictionary[string, string]' $GraphRequestHeader.Add("ConsistencyLevel", "eventual") $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "GroupsWithLicenses" method = "GET" headers = $GraphRequestHeader url = "/groups?`$filter=assignedLicenses/`$count ne 0&`$count=true&`$select=id,displayName,assignedLicenses&`$top=999" } [void]$graphRequests.Add($gRequestTmp) $BatchResponse = Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -IncludeBody -Activity "Get-UcM365LicenseAssignment, Step 1: Getting Tenant License details" $tmpGraphResponse = $BatchResponse | Where-Object { $_.id -eq ("TenantSKUs") } if ($tmpGraphResponse.status -eq 200) { $TenantSKUs = $tmpGraphResponse.body.value } $tmpGraphResponse = $BatchResponse | Where-Object { $_.id -eq ("GroupsWithLicenses") } if ($tmpGraphResponse.status -eq 200) { $GroupsWithLicenses = $tmpGraphResponse.body.value } #endregion #region 20232019 - Adding filter to SKU if ($SKU) { if ($UseFriendlyNames) { $SKUGUID = ($SKUnSP | Where-Object { $_.String_Id -eq $SKU -or $_.Product_Display_Name -eq $SKU } | Sort-Object GUID -Unique ).GUID $TenantSKUs = $TenantSKUs | Where-Object { $_.skuId -eq $SKUGUID } if ($TenantSKUs.count -eq 0) { Write-Warning "Could not find `"$SKU`" (SKU Name/Part Number) subscription associated with the tenant." return } } else { $TenantSKUs = $TenantSKUs | Where-Object { $_.skuPartNumber -eq $SKU } if ($TenantSKUs.count -eq 0) { Write-Warning "Could not find `"$SKU`" (SKU Part Number) subscription associated with the tenant." return } } } else { $TenantSKUs = $TenantSKUs | Where-Object -Property consumedUnits -GT -Value 0 | Sort-Object skuPartNumber } #endregion #region 20131019 - Getting all Service Plans for new matrix style report $allServicePlans = [System.Collections.ArrayList]::new() foreach ($TenantSKU in $TenantSKUs) { $tmpUserServicePlans = $TenantSKU.ServicePlans | Where-Object -Property appliesTo -EQ -Value "User" foreach ($ServicePlan in $tmpUserServicePlans) { if (!($ServicePlan.ServicePlanId -in $allServicePlans.ServicePlanId)) { if ($UseFriendlyNames) { $servicePlanName = ($SKUnSP | Where-Object { $_.Service_Plan_Id -eq $ServicePlan.ServicePlanId -and $_.GUID -eq $TenantSKU.skuID } | Sort-Object Service_Plans_Included_Friendly_Names -Unique).Service_Plans_Included_Friendly_Names if ([string]::IsNullOrEmpty($servicePlanName)) { $servicePlanName = $ServicePlan.servicePlanName } } else { $servicePlanName = $ServicePlan.ServicePlanName } $tmpSP = New-Object -TypeName PSObject -Property @{ servicePlanId = $ServicePlan.ServicePlanId servicePlanName = $servicePlanName } [void]$allServicePlans.Add($tmpSP) } } } #Sorting service plans by name and creating the file header $allServicePlans = $allServicePlans | Sort-Object ServicePlanName $row = "UserPrincipalName,LicenseAssigned,LicenseAssignment,LicenseAssignmentGroup" if (!($SkipServicePlan)) { foreach ($ServicePlan in $allServicePlans) { $row += "," + $ServicePlan.servicePlanName } } $row += [Environment]::NewLine #endregion Write-Progress -Id 2 -Activity "Get-UcM365LicenseAssignment, Step 2: Reading users assigned licenses/service plans" if ($DuplicateServicePlansOnly) { #region 20240905 - Users with Duplicate Service Plans #We need to check license per user, this is slower than check per SKU like in Licensing Assignment but required in order to detect duplicates. $TotalUsers = 0 $usersProcessed = 0 $GraphNextPage = "https://graph.microsoft.com/v1.0/users?`$filter=assignedLicenses/`$count ne 0&`$count=true&`$select=userPrincipalName,licenseAssignmentStates&`$top=999" do { $GraphResponse = Invoke-MgGraphRequest -Method Get -Uri $GraphNextPage -Headers $GraphRequestHeader $GraphNextPage = $GraphResponse.'@odata.nextLink' $UsersWithLicenses = $GraphResponse.value if (![string]::IsNullOrEmpty($GraphResponse.'@odata.count')) { $TotalUsers = $GraphResponse.'@odata.count' } foreach ($LicensedUser in $UsersWithLicenses) { $usersProcessed++ #Update the status every 100 users if (($usersProcessed % 100 -eq 0) -or ($usersProcessed -eq $TotalUsers) -or ($usersProcessed -eq 1) ) { Write-Progress -Id 2 -Activity "Get-UcM365LicenseAssignment, Step 2: Reading users assigned licenses/service plans" -Status "$usersProcessed of $TotalUsers" } #We only need to process users that have 2 or more licenses assigned. if ($LicensedUser.licenseAssignmentStates.count -gt 1) { $tmpUserServicePlans = [System.Collections.ArrayList]::new() foreach ($licenseState in $LicensedUser.licenseAssignmentStates) { #If not a in the Tenant SKUs we can skip it if ($licenseState.skuId -in $TenantSKUs.skuId) { $tmpLicenseInfo = ($TenantSKUs | Where-Object { $_.skuId -eq $licenseState.skuId }) $LicenseDisplayName = $tmpLicenseInfo.skuPartNumber if ($UseFriendlyNames) { $LicenseDisplayName = ($SKUnSP | Where-Object { $_.GUID -eq $licenseState.skuId } | Sort-Object Product_Display_Name -Unique).Product_Display_Name } if ([string]::IsNullOrEmpty($LicenseDisplayName)) { $LicenseDisplayName = $licenseState.skuId } $licenseAssignment = "Direct" $licenseAssignmentGroup = "NA" if (!([string]::IsNullOrEmpty($licenseState.assignedByGroup))) { $licenseAssignment = "Inherited" $licenseAssignmentGroup = ($GroupsWithLicenses | Where-Object -Property "id" -EQ -Value $licenseState.assignedByGroup).displayName if ([string]::IsNullOrEmpty($licenseAssignmentGroup)) { $licenseAssignmentGroup = $licenseState.assignedByGroup } } $SKUUserServicePlans = $tmpLicenseInfo.servicePlans | Where-Object -Property appliesTo -EQ -Value "User" | Sort-Object servicePlanName foreach ($SKUUserServicePlan in $SKUUserServicePlans) { $SPStatus = "Off" if ($SKUUserServicePlan.servicePlanId -notin $licenseState.disabledPlans) { $SPStatus = "On" } $ObjUserServicePlans = [PSCustomObject]@{ LicenseSkuId = $licenseState.skuId LicenseDisplayName = $LicenseDisplayName LicenseAssignment = $licenseAssignment LicenseAssignmentGroup = $licenseAssignmentGroup ServicePlanId = $SKUUserServicePlan.servicePlanId ServicePlanName = $SKUUserServicePlan.servicePlanName Status = $SPStatus } [void]$tmpUserServicePlans.Add($ObjUserServicePlans) } } } # Checking if we have more then one Service Plan # In the future we can add filters, like only if both are ON or Ignore Direct/Inherited $skuWithDupServicePlans = $tmpUserServicePlans | Group-Object -Property ServicePlanId | Where-Object { $_.Count -gt 1 } | Select-Object -ExpandProperty Group | Select-Object LicenseSkuId, LicenseDisplayName, LicenseAssignment, LicenseAssignmentGroup | Sort-Object -Property LicenseDisplayName, LicenseAssignment, LicenseAssignmentGroup -Unique if (($skuWithDupServicePlans.Count -gt 0)) { foreach ($UserLicenseState in $skuWithDupServicePlans) { foreach ($ServicePlan in $allServicePlans) { $tmpSPStatus = $tmpUserServicePlans | Where-Object { $UserLicenseState.LicenseSkuId -eq $_.LicenseSkuId -and $UserLicenseState.LicenseAssignment -eq $_.LicenseAssignment -and $UserLicenseState.LicenseAssignmentGroup -eq $_.LicenseAssignmentGroup -and $_.servicePlanId -eq $servicePlan.servicePlanId } if ($tmpSPStatus.Status -in ("On", "Off")) { $userServicePlans += "," + $tmpSPStatus.Status } else { $userServicePlans += "," } } $row += $LicensedUser.userPrincipalName + "," + $UserLicenseState.LicenseDisplayName + "," + $UserLicenseState.LicenseAssignment + "," + $UserLicenseState.LicenseAssignmentGroup + $userServicePlans Out-File -FilePath $OutputFilePath -InputObject $row -Encoding UTF8 -append $row = "" $userServicePlans = "" } } } } } while (!([string]::IsNullOrEmpty($GraphNextPage))) #endregion } else { #region License Assignment foreach ($TenantSKU in $TenantSKUs) { if ($UseFriendlyNames) { $LicenseDisplayName = ($SKUnSP | Where-Object { $_.GUID -eq $TenantSKU.skuID } | Sort-Object Product_Display_Name -Unique).Product_Display_Name } else { $LicenseDisplayName = $TenantSKU.skuPartNumber } $SKUUserServicePlans = $TenantSKU.servicePlans | Where-Object -Property appliesTo -EQ -Value "User" | Sort-Object servicePlanName $usersProcessed = 0 $GraphRequestURI = "https://graph.microsoft.com/v1.0/users?`$filter=assignedLicenses/any(u:u/skuId eq " + $TenantSKU.skuId + " )&`$select=userPrincipalName,licenseAssignmentStates&`$orderby=userPrincipalName&`$count=true&`$top=999" do { try { $UsersWithLicenses = Invoke-MgGraphRequest -Method Get -Uri $GraphRequestURI -Headers $GraphRequestHeader if (![string]::IsNullOrEmpty($UsersWithLicenses.'@odata.count')) { $TotalUsers = $UsersWithLicenses.'@odata.count' } $GraphRequestURI = $UsersWithLicenses.'@odata.nextLink' foreach ($UserWithLicense in $UsersWithLicenses.value) { if (($usersProcessed % 1000 -eq 0) -or ($usersProcessed -eq $TotalUsers)) { Write-Progress -ParentId 2 -Activity "Checking license assignments for $LicenseDisplayName" -Status "$usersProcessed of $TotalUsers" } $tmpLicenseAssignmentStates = $UserWithLicense.licenseAssignmentStates | Where-Object -Property skuId -EQ -Value $TenantSKU.skuId | Sort-Object assignedByGroup foreach ($licenseState in $tmpLicenseAssignmentStates) { $licenseAssignment = "Direct" $licenseAssignmentGroup = "" if (!([string]::IsNullOrEmpty($licenseState.assignedByGroup))) { $licenseAssignment = "Inherited" $licenseAssignmentGroup = ($GroupsWithLicenses | Where-Object -Property "id" -EQ -Value $licenseState.assignedByGroup).displayName if ([string]::IsNullOrEmpty($licenseAssignmentGroup)) { $licenseAssignmentGroup = $licenseState.assignedByGroup } } $userServicePlans = "" if (!($SkipServicePlan)) { foreach ($ServicePlan in $allServicePlans) { if ($servicePlan.servicePlanId -in $SKUUserServicePlans.servicePlanId) { if ($servicePlan.servicePlanId -notin $licenseState.disabledPlans) { $userServicePlans += ",On" } else { $userServicePlans += ",Off" } } else { $userServicePlans += "," } } } $row += $UserWithLicense.userPrincipalName + "," + $LicenseDisplayName + "," + $LicenseAssignment + "," + $LicenseAssignmentGroup + $userServicePlans Out-File -FilePath $OutputFilePath -InputObject $row -Encoding UTF8 -append $row = "" } $usersProcessed++ } } catch { Write-Warning ("Failed to get Users with assigned SKU Id: " + $TenantSKU.skuID) $GraphRequestURI = "" } } while (![string]::IsNullOrEmpty($GraphRequestURI)) } #endregion } if ($usersProcessed -gt 0) { Write-Host ("Results available in " + $OutputFilePath) -ForegroundColor Cyan #region 20231019 - Change: Added execution time to the output. $endTime = Get-Date $totalSeconds = [math]::round(($endTime - $startTime).TotalSeconds, 2) $totalTime = New-TimeSpan -Seconds $totalSeconds Write-Host "Execution time:" $totalTime.Hours "Hours" $totalTime.Minutes "Minutes" $totalTime.Seconds "Seconds" -ForegroundColor Green #endregion } } } #EndRegion '.\Public\Get-UcM365LicenseAssignment.ps1' 343 #Region '.\Public\Get-UcM365TenantId.ps1' -1 function Get-UcM365TenantId { param( [Parameter(Mandatory = $true)] [string]$Domain ) <# .SYNOPSIS Get Microsoft 365 Tenant Id .DESCRIPTION This function returns the Tenant ID associated with a domain that is part of a Microsoft 365 Tenant. .PARAMETER Domain Specifies a domain registered with Microsoft 365 .EXAMPLE PS> Get-UcM365TenantId -Domain uclobby.com #> $regexTenantID = "^(.*@)(\w{8}-\w{4}-\w{4}-\w{4}-\w{12})$" $regexOnMicrosoftDomain = "^(.*@)(?!.*mail)(.*.onmicrosoft.com)$" try { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams $AllowedAudiences = Invoke-WebRequest -Uri ("https://accounts.accesscontrol.windows.net/" + $Domain + "/metadata/json/1") -UseBasicParsing | ConvertFrom-Json | Select-Object -ExpandProperty allowedAudiences } catch [System.Net.Http.HttpRequestException] { if ($PSItem.Exception.Response.StatusCode -eq "BadRequest") { Write-Error "The domain $Domain is not part of a Microsoft 365 Tenant." } else { Write-Error $PSItem.Exception.Message } } catch { Write-Error "Unknown error while checking domain: $Domain" } $output = [System.Collections.ArrayList]::new() $OnMicrosoftDomains = [System.Collections.ArrayList]::new() $TenantID = "" foreach ($AllowedAudience in $AllowedAudiences) { $tempTID = [regex]::Match($AllowedAudience , $regexTenantID).captures.groups $tempID = [regex]::Match($AllowedAudience , $regexOnMicrosoftDomain).captures.groups if ($tempTID.count -ge 2) { $TenantID = $tempTID[2].value } if ($tempID.count -ge 2) { [void]$OnMicrosoftDomains.Add($tempID[2].value) } } #Multi Geo will have multiple OnMicrosoft Domains foreach ($OnMicrosoftDomain in $OnMicrosoftDomains) { if ($TenantID -and $OnMicrosoftDomain) { $M365TidPSObj = [PSCustomObject]@{ TenantID = $TenantID OnMicrosoftDomain = $OnMicrosoftDomain } $M365TidPSObj.PSObject.TypeNames.Insert(0, 'M365TenantId') [void]$output.Add($M365TidPSObj) } } return $output } #EndRegion '.\Public\Get-UcM365TenantId.ps1' 63 #Region '.\Public\Get-UcOneDriveWithMultiplePermissions.ps1' -1 function Get-UcOneDriveWithMultiplePermissions { param( [string]$OutputPath, [switch]$MultiGeo ) <# .SYNOPSIS Generate a report with OneDrive's that have more than a user with access permissions. .DESCRIPTION This script will check all OneDrives and return the OneDrive that have additional users with permissions. Author: David Paulino Requirements: Microsoft Graph Authentication PowerShell Module (Microsoft.Graph.Authentication) Microsoft Graph Scopes: "Sites.Read.All" Note: Currently the SharePoint Sites requires to authenticate to Graph API with AppOnly https://learn.microsoft.com/en-us/graph/auth/auth-concepts .PARAMETER OutputPath Allows to specify the path where we want to save the results. By default, it will save on current user Download. .PARAMETER MultiGeo Required if Tenant is MultiGeo .EXAMPLE PS> Get-UcOneDriveWithMultiplePermissions .EXAMPLE PS> Get-UcOneDriveWithMultiplePermissions -MultiGeo #> if ((Test-UcMgGraphConnection -Scopes "Sites.Read.All" -AltScopes ("Sites.ReadWrite.All") -AuthType "AppOnly" )) { $startTime = Get-Date #Verify if the Output Path exists if ($OutputPath) { if (!(Test-Path $OutputPath -PathType Container)) { Write-Host ("Error: Invalid folder " + $OutputPath) -ForegroundColor Red return } $OutputFilePath = [System.IO.Path]::Combine($OutputPath, $outFile) } else { $OutputFilePath = [System.IO.Path]::Combine($env:USERPROFILE, "Downloads", $outFile) } #Graph API request is different when the tenant has multigeo if ($MultiGeo) { $outFile = "OneDrivePermissions_MultiGeo_" + (Get-Date).ToString('yyyyMMdd-HHmmss') + ".csv" $GraphRequestSites = "https://graph.microsoft.com/v1.0/sites/getAllSites?`$select=id,displayName,isPersonalSite,WebUrl&`$top=999" } else { $outFile = "OneDrivePermissions_" + (Get-Date).ToString('yyyyMMdd-HHmmss') + ".csv" $GraphRequestSites = "https://graph.microsoft.com/v1.0/sites?`$select=id,displayName,isPersonalSite,WebUrl&`$top=999" } $OneDriveProcessed = 0 $OneDriveFound = 0 $BatchNumber = 1 $row = "OneDriveDisplayName,OneDriveUrl,Role,UserWithAccessDisplayName,UserWithAccessUPN,UserWithAccessSharePointLogin,OneDriveID,PermissionID" + [Environment]::NewLine do { try { $ResponseSites = Invoke-MgGraphRequest -Method Get -Uri $GraphRequestSites $GraphRequestSites = $ResponseSites.'@odata.nextLink' #Currently the SharePoint API doenst support filter for isPersonalSite, so we need to filter it $tempOneDrives = $ResponseSites.value | Where-Object { $_.isPersonalSite -eq $true } #Adding a progress messsage to show status foreach ($OneDrive in $tempOneDrives) { if ($OneDriveProcessed % 10 -eq 0) { Write-Progress -Activity "Looking for addtional users in OneDrive permissions" -Status "Batch #$BatchNumber - Number of OneDrives Processed $OneDriveProcessed" } $GROneDrivePermission = "https://graph.microsoft.com/v1.0/sites/" + $OneDrive.id + "/drive/root/permissions" try { $OneDrivePermissions = (Invoke-MgGraphRequest -Method Get -Uri $GROneDrivePermission).value if ($OneDrivePermissions.count -gt 1) { foreach ($OneDrivePermission in $OneDrivePermissions) { if ($OneDrivePermission.grantedToV2.siteuser.displayName -ne $OneDrive.displayName) { $tempUPN = Get-UcUPNFromString $OneDrivePermission.grantedToV2.siteuser.loginName $row += $OneDrive.displayName + "," + $OneDrive.WebUrl + "," + $OneDrivePermission.roles + ",`"" + $OneDrivePermission.grantedToV2.siteuser.displayName + "`"," + $tempUPN + "," + $OneDrivePermission.grantedToV2.siteuser.loginName + ",`"" + $OneDrive.id + "`"," + $OneDrivePermission.id Out-File -FilePath $OutputFilePath -InputObject $row -Encoding UTF8 -append $row = "" $OneDriveFound++ } } } $OneDriveProcessed++ } catch { } } $BatchNumber++ } catch { break } } while (![string]::IsNullOrEmpty($GraphRequestSites)) $endTime = Get-Date $totalSeconds = [math]::round(($endTime - $startTime).TotalSeconds, 2) $totalTime = New-TimeSpan -Seconds $totalSeconds Write-Host "Total of OneDrives processed: $OneDriveProcessed, total OneDrives with additional users with permissions: $OneDriveFound" -ForegroundColor Cyan if ($OneDriveFound -gt 0) { Write-Host ("Results available in " + $OutputFilePath) -ForegroundColor Cyan } Write-Host "Execution time:" $totalTime.Hours "Hours" $totalTime.Minutes "Minutes" $totalTime.Seconds "Seconds" -ForegroundColor Green } } #EndRegion '.\Public\Get-UcOneDriveWithMultiplePermissions.ps1' 103 #Region '.\Public\Get-UcTeamsDevice.ps1' -1 function Get-UcTeamsDevice { param( [ValidateSet("Phone", "MTR", "MTRA", "MTRW", "SurfaceHub", "Display", "Panel", "SIPPhone")] [string]$Filter, [switch]$Detailed, [switch]$ExportCSV, [string]$OutputPath ) <# .SYNOPSIS Get Microsoft Teams Devices information .DESCRIPTION This function fetch Teams Devices provisioned in a M365 Tenant using MS Graph. Contributors: David Paulino, Silvio Schanz, Gonçalo Sepulveda, Bryan Kendrick and Daniel Jelinek Requirements: Microsoft Graph PowerShell Module (Install-Module Microsoft.Graph) Microsoft Graph Scopes: "TeamworkDevice.Read.All" "User.Read.All" .PARAMETER Filter Specifies a filter, valid options: Phone - Teams Native Phones MTR - Microsoft Teams Rooms running Windows or Android MTRW - Microsoft Teams Room Running Windows MTRA - Microsoft Teams Room Running Android SurfaceHub - Surface Hub Display - Microsoft Teams Displays Panel - Microsoft Teams Panels .PARAMETER Detailed When present it will get detailed information from Teams Devices .PARAMETER ExportCSV When present will export the detailed results to a CSV file. By defautl will save the file under the current user downloads, unless we specify the OutputPath. .PARAMETER OutputPath Allows to specify the path where we want to save the results. .EXAMPLE PS> Get-UcTeamsDevice .EXAMPLE PS> Get-UcTeamsDevice -Filter MTR .EXAMPLE PS> Get-UcTeamsDevice -Detailed #> $outTeamsDevices = [System.Collections.ArrayList]::new() if ($ExportCSV) { $Detailed = $true } #Verify if the Output Path exists if ($OutputPath) { if (!(Test-Path $OutputPath -PathType Container)) { Write-Host ("Error: Invalid folder " + $OutputPath) -ForegroundColor Red return } } else { $OutputPath = [System.IO.Path]::Combine($env:USERPROFILE, "Downloads") } if (Test-UcMgGraphConnection -Scopes "TeamworkDevice.Read.All,User.Read.All" -AltScopes ("TeamworkDevice.Read.All","Directory.Read.All")) { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams $graphRequests = [System.Collections.ArrayList]::new() $tmpFileName = "MSTeamsDevices_" + $Filter + "_" + ( get-date ).ToString('yyyyMMdd-HHmmss') + ".csv" switch ($filter) { "Phone" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "ipPhone" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'ipPhone'" } $graphRequests.Add($gRequestTmp) | Out-Null $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "lowCostPhone" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'lowCostPhone'" } $graphRequests.Add($gRequestTmp) | Out-Null } "MTR" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "teamsRoom" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'teamsRoom'" } $graphRequests.Add($gRequestTmp) | Out-Null $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "collaborationBar" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'collaborationBar'" } $graphRequests.Add($gRequestTmp) | Out-Null $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "touchConsole" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'touchConsole'" } $graphRequests.Add($gRequestTmp) | Out-Null } "MTRW" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "teamsRoom" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'teamsRoom'" } $graphRequests.Add($gRequestTmp) | Out-Null } "MTRA" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "collaborationBar" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'collaborationBar'" } $graphRequests.Add($gRequestTmp) | Out-Null $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "touchConsole" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'touchConsole'" } $graphRequests.Add($gRequestTmp) | Out-Null } "SurfaceHub" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "surfaceHub" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'surfaceHub'" } $graphRequests.Add($gRequestTmp) | Out-Null } "Display" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "teamsDisplay" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'teamsDisplay'" } $graphRequests.Add($gRequestTmp) | Out-Null } "Panel" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "teamsPanel" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'teamsPanel'" } $graphRequests.Add($gRequestTmp) | Out-Null } "SIPPhone" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "sip" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'sip'" } $graphRequests.Add($gRequestTmp) | Out-Null } Default { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = 1 method = "GET" url = "/teamwork/devices" } $graphRequests.Add($gRequestTmp) | Out-Null $tmpFileName = "MSTeamsDevices_All_" + ( get-date ).ToString('yyyyMMdd-HHmmss') + ".csv" } } $TeamsDeviceList = (Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity "Get-UcTeamsDevice, getting Teams device info").value #To improve performance we will use batch requests $graphRequests = [System.Collections.ArrayList]::new() foreach ($TeamsDevice in $TeamsDeviceList) { if (($graphRequests.id -notcontains $TeamsDevice.currentuser.id) -and !([string]::IsNullOrEmpty($TeamsDevice.currentuser.id))) { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.currentuser.id method = "GET" url = "/users/" + $TeamsDevice.currentuser.id } $graphRequests.Add($gRequestTmp) | Out-Null } if ($Detailed) { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.id + "-activity" method = "GET" url = "/teamwork/devices/" + $TeamsDevice.id + "/activity" } $graphRequests.Add($gRequestTmp) | Out-Null $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.id + "-configuration" method = "GET" url = "/teamwork/devices/" + $TeamsDevice.id + "/configuration" } $graphRequests.Add($gRequestTmp) | Out-Null $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.id + "-health" method = "GET" url = "/teamwork/devices/" + $TeamsDevice.id + "/health" } $graphRequests.Add($gRequestTmp) | Out-Null $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.id + "-operations" method = "GET" url = "/teamwork/devices/" + $TeamsDevice.id + "/operations" } $graphRequests.Add($gRequestTmp) | Out-Null } } if ($graphRequests.Count -gt 0) { if ($Detailed) { $ActivityInfo = "Get-UcTeamsDevice, getting Teams device addtional information (User UPN/Health/Operations/Configurarion)." } else { $ActivityInfo = "Get-UcTeamsDevice, getting Teams device user information." } $graphResponseExtra = (Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity $ActivityInfo -IncludeBody) } $devicesProcessed = 0 foreach ($TeamsDevice in $TeamsDeviceList) { $devicesProcessed++ $userUPN = ($graphResponseExtra | Where-Object { $_.id -eq $TeamsDevice.currentuser.id }).body.userPrincipalName if ($Detailed) { $TeamsDeviceActivity = ($graphResponseExtra | Where-Object { $_.id -eq ($TeamsDevice.id + "-activity") }).body $TeamsDeviceConfiguration = ($graphResponseExtra | Where-Object { $_.id -eq ($TeamsDevice.id + "-configuration") }).body $TeamsDeviceHealth = ($graphResponseExtra | Where-Object { $_.id -eq ($TeamsDevice.id + "-health") }).body $TeamsDeviceOperations = ($graphResponseExtra | Where-Object { $_.id -eq ($TeamsDevice.id + "-operations") }).body.value if ($TeamsDeviceOperations.count -gt 0) { $LastHistoryAction = $TeamsDeviceOperations[0].operationType $LastHistoryStatus = $TeamsDeviceOperations[0].status $LastHistoryInitiatedBy = $TeamsDeviceOperations[0].createdBy.user.displayName $LastHistoryModifiedDate = ($TeamsDeviceOperations[0].lastActionDateTime).ToLocalTime() $LastHistoryErrorCode = $TeamsDeviceOperations[0].error.code $LastHistoryErrorMessage = $TeamsDeviceOperations[0].error.message } else { $LastHistoryAction = "" $LastHistoryStatus = "" $LastHistoryInitiatedBy = "" $LastHistoryModifiedDate = "" $LastHistoryErrorCode = "" $LastHistoryErrorMessage = "" } $outMacAddress = "" foreach ($macAddress in $TeamsDevice.hardwaredetail.macAddresses) { $outMacAddress += $macAddress + ";" } $TDObj = New-Object -TypeName PSObject -Property @{ UserDisplayName = $TeamsDevice.currentuser.displayName UserUPN = $userUPN TACDeviceID = $TeamsDevice.id DeviceType = Convert-UcTeamsDeviceType $TeamsDevice.deviceType Notes = $TeamsDevice.notes CompanyAssetTag = $TeamsDevice.companyAssetTag Manufacturer = $TeamsDevice.hardwaredetail.manufacturer Model = $TeamsDevice.hardwaredetail.model SerialNumber = $TeamsDevice.hardwaredetail.serialNumber MacAddresses = $outMacAddress DeviceHealth = $TeamsDevice.healthStatus WhenCreated = ($TeamsDevice.createdDateTime).ToLocalTime() WhenChanged = ($TeamsDevice.lastModifiedDateTime).ToLocalTime() ChangedByUser = $TeamsDevice.lastModifiedBy.user.displayName #Activity ActivePeripherals = $TeamsDeviceActivity.activePeripherals #Configuration ConfigurationCreateDate = ($TeamsDeviceConfiguration.createdDateTime).ToLocalTime() ConfigurationCreatedBy = $TeamsDeviceConfiguration.createdBy ConfigurationLastModifiedDate = ($TeamsDeviceConfiguration.lastModifiedDateTime).ToLocalTime() ConfigurationLastModifiedBy = $TeamsDeviceConfiguration.lastModifiedBy DisplayConfiguration = $TeamsDeviceConfiguration.displayConfiguration CameraConfiguration = $TeamsDeviceConfiguration.cameraConfiguration.contentCameraConfiguration SpeakerConfiguration = $TeamsDeviceConfiguration.speakerConfiguration MicrophoneConfiguration = $TeamsDeviceConfiguration.microphoneConfiguration TeamsClientConfiguration = $TeamsDeviceConfiguration.teamsClientConfiguration SupportedMeetingMode = $TeamsDeviceConfiguration.teamsClientConfiguration.accountConfiguration.supportedClient HardwareProcessor = $TeamsDeviceConfiguration.hardwareConfiguration.processorModel SystemConfiguration = $TeamsDeviceConfiguration.systemConfiguration #Health #20240417 - Added connection fields ConnectionStatus = $TeamsDeviceHealth.connection.connectionStatus ConnectionLastActivity = ($TeamsDeviceHealth.connection.lastModifiedDateTime).ToLocalTime() ComputeStatus = $TeamsDeviceHealth.hardwareHealth.computeHealth.connection.connectionStatus HdmiIngestStatus = $TeamsDeviceHealth.hardwareHealth.hdmiIngestHealth.connection.connectionStatus RoomCameraStatus = $TeamsDeviceHealth.peripheralsHealth.roomCameraHealth.connection.connectionStatus ContentCameraStatus = $TeamsDeviceHealth.peripheralsHealth.contentCameraHealth.connection.connectionStatus SpeakerStatus = $TeamsDeviceHealth.peripheralsHealth.speakerHealth.connection.connectionStatus CommunicationSpeakerStatus = $TeamsDeviceHealth.peripheralsHealth.communicationSpeakerHealth.connection.connectionStatus #DisplayCollection = $TeamsDeviceHealth.peripheralsHealth.displayHealthCollection.connectionStatus MicrophoneStatus = $TeamsDeviceHealth.peripheralsHealth.microphoneHealth.connection.connectionStatus TeamsAdminAgentVersion = $TeamsDeviceHealth.softwareUpdateHealth.adminAgentSoftwareUpdateStatus.currentVersion FirmwareVersion = $TeamsDeviceHealth.softwareUpdateHealth.firmwareSoftwareUpdateStatus.currentVersion CompanyPortalVersion = $TeamsDeviceHealth.softwareUpdateHealth.companyPortalSoftwareUpdateStatus.currentVersion OEMAgentAppVersion = $TeamsDeviceHealth.softwareUpdateHealth.partnerAgentSoftwareUpdateStatus.currentVersion TeamsAppVersion = $TeamsDeviceHealth.softwareUpdateHealth.teamsClientSoftwareUpdateStatus.currentVersion #LastOperation LastHistoryAction = $LastHistoryAction LastHistoryStatus = $LastHistoryStatus LastHistoryInitiatedBy = $LastHistoryInitiatedBy LastHistoryModifiedDate = $LastHistoryModifiedDate LastHistoryErrorCode = $LastHistoryErrorCode LastHistoryErrorMessage = $LastHistoryErrorMessage } $TDObj.PSObject.TypeNames.Insert(0, 'TeamsDevice') } else { $TDObj = New-Object -TypeName PSObject -Property @{ UserDisplayName = $TeamsDevice.currentuser.displayName UserUPN = $userUPN TACDeviceID = $TeamsDevice.id DeviceType = Convert-UcTeamsDeviceType $TeamsDevice.deviceType Manufacturer = $TeamsDevice.hardwaredetail.manufacturer Model = $TeamsDevice.hardwaredetail.model SerialNumber = $TeamsDevice.hardwaredetail.serialNumber MacAddresses = $TeamsDevice.hardwaredetail.macAddresses DeviceHealth = $TeamsDevice.healthStatus #20240419 - Adding additional fields that are available on graph api WhenCreated = ($TeamsDevice.createdDateTime).ToLocalTime() WhenChanged = ($TeamsDevice.lastModifiedDateTime).ToLocalTime() ChangedByUser = $TeamsDevice.lastModifiedBy.user.displayName } $TDObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceList') } $outTeamsDevices.Add($TDObj) | Out-Null } #20231020 - We only need to output if we have results. if ($devicesProcessed -gt 0) { #region: Modified by Daniel Jelinek if ($ExportCSV) { $OutputFullPath = [System.IO.Path]::Combine($OutputPath, $tmpFileName) $outTeamsDevices | Sort-Object DeviceType, Manufacturer, Model | Select-Object TACDeviceID, DeviceType, Manufacturer, Model, UserDisplayName, UserUPN, Notes, CompanyAssetTag, SerialNumber, MacAddresses, WhenCreated, WhenChanged, ChangedByUser, HdmiIngestStatus, ComputeStatus, RoomCameraStatus, SpeakerStatus, CommunicationSpeakerStatus, MicrophoneStatus, SupportedMeetingMode, HardwareProcessor, SystemConfiguratio, TeamsAdminAgentVersion, FirmwareVersion, CompanyPortalVersion, OEMAgentAppVersion, TeamsAppVersion, LastUpdate, LastHistoryAction, LastHistoryStatus, LastHistoryInitiatedBy, LastHistoryModifiedDate, LastHistoryErrorCode, LastHistoryErrorMessage | Export-Csv -path $OutputFullPath -NoTypeInformation Write-Host ("Results available in: " + $OutputFullPath) -ForegroundColor Cyan } else { $outTeamsDevices | Sort-Object DeviceType, Manufacturer, Model } #endregion } } } #EndRegion '.\Public\Get-UcTeamsDevice.ps1' 362 #Region '.\Public\Get-UcTeamsVersion.ps1' -1 function Get-UcTeamsVersion { param( [string]$Path, [string]$Computer, [System.Management.Automation.PSCredential]$Credential, [switch]$SkipModuleCheck ) <# .SYNOPSIS Get Microsoft Teams Desktop Version .DESCRIPTION This function returns the installed Microsoft Teams desktop version for each user profile. .PARAMETER Path Specify the path with Teams Log Files .PARAMETER Computer Specify the remote computer .PARAMETER Credential Specify the credential to be used to connect to the remote computer .EXAMPLE PS> Get-UcTeamsVersion .EXAMPLE PS> Get-UcTeamsVersion -Path C:\Temp\ .EXAMPLE PS> Get-UcTeamsVersion -Computer workstation124 .EXAMPLE PS> $cred = Get-Credential PS> Get-UcTeamsVersion -Computer workstation124 -Credential $cred #> $regexVersion = '("version":")([0-9.]*)' $regexRing = '("ring":")(\w*)' $regexEnv = '("environment":")(\w*)' $regexCloudEnv = '("cloudEnvironment":")(\w*)' $regexWindowsUser = '("upnWindowUserUpn":")([a-zA-Z0-9@._-]*)' $regexTeamsUserName = '("userName":")([a-zA-Z0-9@._-]*)' #20240309 - REGEX to get New Teams version from log file DesktopApp: Version: 23202.1500.2257.3700 $regexNewVersion = '(DesktopApp: Version: )(\d{5}.\d{4}.\d{4}.\d{4})' $outTeamsVersion = [System.Collections.ArrayList]::new() if (!$SkipModuleCheck) { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams } if ($Path) { if (Test-Path $Path -ErrorAction SilentlyContinue) { #region Teams Classic Path $TeamsSettingsFiles = Get-ChildItem -Path $Path -Include "settings.json" -Recurse foreach ($TeamsSettingsFile in $TeamsSettingsFiles) { $TeamsSettings = Get-Content -Path $TeamsSettingsFile.FullName $Version = "" $Ring = "" $Env = "" $CloudEnv = "" try { $VersionTemp = [regex]::Match($TeamsSettings, $regexVersion).captures.groups if ($VersionTemp.Count -ge 2) { $Version = $VersionTemp[2].value } $RingTemp = [regex]::Match($TeamsSettings, $regexRing).captures.groups if ($RingTemp.Count -ge 2) { $Ring = $RingTemp[2].value } $EnvTemp = [regex]::Match($TeamsSettings, $regexEnv).captures.groups if ($EnvTemp.Count -ge 2) { $Env = $EnvTemp[2].value } $CloudEnvTemp = [regex]::Match($TeamsSettings, $regexCloudEnv).captures.groups if ($CloudEnvTemp.Count -ge 2) { $CloudEnv = $CloudEnvTemp[2].value } } catch { } $TeamsDesktopSettingsFile = $TeamsSettingsFile.Directory.FullName + "\desktop-config.json" if (Test-Path $TeamsDesktopSettingsFile -ErrorAction SilentlyContinue) { $TeamsDesktopSettings = Get-Content -Path $TeamsDesktopSettingsFile $WindowsUser = "" $TeamsUserName = "" $RegexTemp = [regex]::Match($TeamsDesktopSettings, $regexWindowsUser).captures.groups if ($RegexTemp.Count -ge 2) { $WindowsUser = $RegexTemp[2].value } $RegexTemp = [regex]::Match($TeamsDesktopSettings, $regexTeamsUserName).captures.groups if ($RegexTemp.Count -ge 2) { $TeamsUserName = $RegexTemp[2].value } } $TeamsVersion = New-Object -TypeName PSObject -Property @{ WindowsUser = $WindowsUser TeamsUser = $TeamsUserName Type = "Teams Classic" Version = $Version Ring = $Ring Environment = $Env CloudEnvironment = $CloudEnv Path = $TeamsSettingsFile.Directory.FullName } $TeamsVersion.PSObject.TypeNames.Insert(0, 'TeamsVersionFromPath') $outTeamsVersion.Add($TeamsVersion) | Out-Null } #endregion #region New Teams Path $TeamsSettingsFiles = Get-ChildItem -Path $Path -Include "tma_settings.json" -Recurse foreach ($TeamsSettingsFile in $TeamsSettingsFiles) { if (Test-Path $TeamsSettingsFile -ErrorAction SilentlyContinue) { $NewTeamsSettings = Get-Content -Path $TeamsSettingsFile | ConvertFrom-Json $tmpAccountID = $NewTeamsSettings.primary_user.accounts.account_id try { $Version = "" $MostRecentTeamsLogFile = Get-ChildItem -Path $TeamsSettingsFile.Directory.FullName -Include "MSTeams_*.log" -Recurse | Sort-Object -Property CreationTime -Descending | Select-Object -First 1 $TeamLogContents = Get-Content $MostRecentTeamsLogFile $RegexTemp = [regex]::Match($TeamLogContents, $regexNewVersion).captures.groups if ($RegexTemp.Count -ge 2) { $Version = $RegexTemp[2].value } } catch {} $TeamsVersion = New-Object -TypeName PSObject -Property @{ WindowsUser = "NA" TeamsUser = $NewTeamsSettings.primary_user.accounts.account_upn Type = "New Teams" Version = $Version Ring = $NewTeamsSettings.tma_ecs_settings.$tmpAccountID.ring Environment = $NewTeamsSettings.tma_ecs_settings.$tmpAccountID.environment CloudEnvironment = $NewTeamsSettings.primary_user.accounts.cloud Path = $TeamsSettingsFile.Directory.FullName } $TeamsVersion.PSObject.TypeNames.Insert(0, 'TeamsVersionFromPath') [void]$outTeamsVersion.Add($TeamsVersion) } } #endregion } else { Write-Error -Message ("Invalid Path, please check if path: " + $path + " is correct and exists.") } } else { $currentDateFormat = [cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern if ($Computer) { $RemotePath = "\\" + $Computer + "\C$\Users" $ComputerName = $Computer if ($Credential) { if ($Computer.IndexOf('.') -gt 0) { $PSDriveName = $Computer.Substring(0, $Computer.IndexOf('.')) + "_TmpTeamsVersion" } else { $PSDriveName = $Computer + "_TmpTeamsVersion" } New-PSDrive -Root $RemotePath -Name $PSDriveName -PSProvider FileSystem -Credential $Credential | Out-Null } if (Test-Path -Path $RemotePath) { $Profiles = Get-ChildItem -Path $RemotePath -ErrorAction SilentlyContinue } else { Write-Error -Message ("Error: Cannot get users on " + $computer + ", please check if name is correct and if the current user has permissions.") } } else { $ComputerName = $Env:COMPUTERNAME $Profiles = Get-childItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { Get-ItemProperty $_.pspath } | Where-Object { $_.fullprofile -eq 1 } } foreach ($UserProfile in $Profiles) { if ($Computer) { $ProfilePath = $UserProfile.FullName $ProfileName = $UserProfile.Name } else { $ProfilePath = $UserProfile.ProfileImagePath #20231013 Added exception handeling, only known case is when a windows profile was created when the machine was joined to a previous domain. try { $ProfileName = (New-Object System.Security.Principal.SecurityIdentifier($UserProfile.PSChildName)).Translate( [System.Security.Principal.NTAccount]).Value } catch { $ProfileName = "Unknown Windows User" } } #region classic teams $TeamsSettingPath = $ProfilePath + "\AppData\Roaming\Microsoft\Teams\settings.json" if (Test-Path $TeamsSettingPath -ErrorAction SilentlyContinue) { $TeamsSettings = Get-Content -Path $TeamsSettingPath $Version = "" $Ring = "" $Env = "" $CloudEnv = "" try { $VersionTemp = [regex]::Match($TeamsSettings, $regexVersion).captures.groups if ($VersionTemp.Count -ge 2) { $Version = $VersionTemp[2].value } $RingTemp = [regex]::Match($TeamsSettings, $regexRing).captures.groups if ($RingTemp.Count -ge 2) { $Ring = $RingTemp[2].value } $EnvTemp = [regex]::Match($TeamsSettings, $regexEnv).captures.groups if ($EnvTemp.Count -ge 2) { $Env = $EnvTemp[2].value } $CloudEnvTemp = [regex]::Match($TeamsSettings, $regexCloudEnv).captures.groups if ($CloudEnvTemp.Count -ge 2) { $CloudEnv = $CloudEnvTemp[2].value } } catch { } $TeamsApp = $ProfilePath + "\AppData\Local\Microsoft\Teams\current\Teams.exe" $TeamsInstallTimePath = $ProfilePath + "\AppData\Roaming\Microsoft\Teams\installTime.txt" #20240228 - In some cases the install file can be missing. $tmpInstallDate = "" if (Test-Path $TeamsInstallTimePath -ErrorAction SilentlyContinue) { $InstallDateStr = Get-Content ($ProfilePath + "\AppData\Roaming\Microsoft\Teams\installTime.txt") $tmpInstallDate = [Datetime]::ParseExact($InstallDateStr, 'M/d/yyyy', $null) | Get-Date -Format $currentDateFormat } $TeamsVersion = New-Object -TypeName PSObject -Property @{ Computer = $ComputerName Profile = $ProfileName ProfilePath = $ProfilePath Type = "Teams Classic" Version = $Version Ring = $Ring Environment = $Env CloudEnvironment = $CloudEnv Arch = Get-UcArch $TeamsApp InstallDate = $tmpInstallDate } $TeamsVersion.PSObject.TypeNames.Insert(0, 'TeamsVersion') [void]$outTeamsVersion.Add($TeamsVersion) } #endregion #region New Teams $NewTeamsSettingPath = $ProfilePath + "\AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\tma_settings.json" if (Test-Path $NewTeamsSettingPath -ErrorAction SilentlyContinue) { $NewTeamsSettings = Get-Content -Path $NewTeamsSettingPath | ConvertFrom-Json $tmpAccountID = $NewTeamsSettings.primary_user.accounts.account_id if ($Computer) { $newTeamsLocation = Get-ChildItem -Path ( $RemotePath + "\..\Program Files\Windowsapps" ) -Filter "ms-teams.exe" -Recurse -Depth 1 | Sort-Object -Property CreationTime -Descending | Select-Object -First 1 } else { #20240103 - Using Get-AppPackage drops the requirement to run with Administrative Rights $newTeamsInstallPath = (Get-AppPackage MSTeams).InstallLocation + ".\ms-teams.exe" $newTeamsLocation = Get-ItemProperty -Path ($newTeamsInstallPath) } if (Test-Path -Path $newTeamsLocation.FullName -ErrorAction SilentlyContinue) { $TeamsVersion = New-Object -TypeName PSObject -Property @{ Computer = $ComputerName Profile = $ProfileName ProfilePath = $ProfilePath Type = "New Teams" Version = $newTeamsLocation.VersionInfo.ProductVersion Ring = $NewTeamsSettings.tma_ecs_settings.$tmpAccountID.ring Environment = $NewTeamsSettings.tma_ecs_settings.$tmpAccountID.environment CloudEnvironment = $NewTeamsSettings.primary_user.accounts.cloud Arch = Get-UcArch $newTeamsLocation.FullName InstallDate = $newTeamsLocation.CreationTime | Get-Date -Format $currentDateFormat } $TeamsVersion.PSObject.TypeNames.Insert(0, 'TeamsVersion') [void]$outTeamsVersion.Add($TeamsVersion) } } #endregion } if ($Credential -and $PSDriveName) { try { Remove-PSDrive -Name $PSDriveName -ErrorAction SilentlyContinue } catch {} } } return $outTeamsVersion } #EndRegion '.\Public\Get-UcTeamsVersion.ps1' 284 #Region '.\Public\Get-UcTeamsVersionBatch.ps1' -1 function Get-UcTeamsVersionBatch { param( [Parameter(Mandatory = $true)] [string]$InputCSV, [string]$OutputPath, [switch]$ExportCSV, [System.Management.Automation.PSCredential]$Credential ) <# .SYNOPSIS Get Microsoft Teams Desktop Version from all computers in a csv file. .DESCRIPTION This function returns the installed Microsoft Teams desktop version for each user profile. .PARAMETER InputCSV CSV with the list of computers that we want to get the Teams Version .PARAMETER OutputPath Specify the output path .PARAMETER ExportCSV Export the output to a CSV file .PARAMETER Credential Specify the credential to be used to connect to the remote computers .EXAMPLE PS> Get-UcTeamsVersionBatch .EXAMPLE PS> Get-UcTeamsVersionBatch -InputCSV C:\Temp\ComputerList.csv -Credential $cred .EXAMPLE PS> Get-UcTeamsVersionBatch -InputCSV C:\Temp\ComputerList.csv -Credential $cred -ExportCSV #> Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams if (Test-Path $InputCSV) { try { $Computers = Import-Csv -Path $InputCSV } catch { Write-Host ("Invalid CSV input file: " + $InputCSV) -ForegroundColor Red return } $outTeamsVersion = [System.Collections.ArrayList]::new() #Verify if the Output Path exists if ($OutputPath) { if (!(Test-Path $OutputPath -PathType Container)) { Write-Host ("Error: Invalid folder: " + $OutputPath) -ForegroundColor Red return } } else { $OutputPath = [System.IO.Path]::Combine($env:USERPROFILE, "Downloads") } $c = 0 $compCount = $Computers.count foreach ($computer in $Computers) { $c++ Write-Progress -Activity ("Getting Teams Version from: " + $computer.Computer) -Status "Computer $c of $compCount " $tmpTV = Get-UcTeamsVersion -Computer $computer.Computer -Credential $cred -SkipModuleCheck $outTeamsVersion.Add($tmpTV) | Out-Null } if ($ExportCSV) { $tmpFileName = "MSTeamsVersion_" + ( get-date ).ToString('yyyyMMdd-HHmmss') + ".csv" $OutputFullPath = [System.IO.Path]::Combine($OutputPath, $tmpFileName) $outTeamsVersion | Sort-Object Computer, Profile | Select-Object Computer, Profile, ProfilePath, Arch, Version, Environment, Ring, InstallDate | Export-Csv -path $OutputFullPath -NoTypeInformation Write-Host ("Results available in: " + $OutputFullPath) -ForegroundColor Cyan } else { return $outTeamsVersion } } else { Write-Host ("Error: File not found " + $InputCSV) -ForegroundColor Red } } #EndRegion '.\Public\Get-UcTeamsVersionBatch.ps1' 82 #Region '.\Public\Get-UcTeamsWithSingleOwner.ps1' -1 function Get-UcTeamsWithSingleOwner { <# .SYNOPSIS Get Teams that have a single owner .DESCRIPTION This function returns a list of Teams that only have a single owner. .EXAMPLE PS> Get-UcTeamsWithSingleOwner #> Get-UcTeamUsersEmail -Role Owner -Confirm:$false | Group-Object -Property TeamDisplayName | Where-Object { $_.Count -lt 2 } | Select-Object -ExpandProperty Group } #EndRegion '.\Public\Get-UcTeamsWithSingleOwner.ps1' 14 #Region '.\Public\Get-UcTeamUsersEmail.ps1' -1 function Get-UcTeamUsersEmail { [cmdletbinding(SupportsShouldProcess)] param( [string]$TeamName, [ValidateSet("Owner", "User", "Guest")] [string]$Role ) <# .SYNOPSIS Get Users Email Address that are in a Team .DESCRIPTION This function returns a list of users email address that are part of a Team. .PARAMETER TeamName Specifies Team Name .PARAMETER Role Specifies which roles to filter (Owner, User, Guest) .EXAMPLE PS> Get-UcTeamUsersEmail .EXAMPLE PS> Get-UcTeamUsersEmail -TeamName "Marketing" .EXAMPLE PS> Get-UcTeamUsersEmail -Role "Guest" .EXAMPLE PS> Get-UcTeamUsersEmail -TeamName "Marketing" -Role "Guest" #> $output = [System.Collections.ArrayList]::new() Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams if ($TeamName) { $Teams = Get-Team -DisplayName $TeamName } else { if ($ConfirmPreference) { $title = 'Confirm' $question = 'Are you sure that you want to list all Teams?' $choices = '&Yes', '&No' $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1) } else { $decision = 0 } if ($decision -eq 0) { $Teams = Get-Team } else { return } } foreach ($Team in $Teams) { if ($Role) { $TeamMembers = Get-TeamUser -GroupId $Team.GroupID -Role $Role } else { $TeamMembers = Get-TeamUser -GroupId $Team.GroupID } foreach ($TeamMember in $TeamMembers) { $Email = ( Get-csOnlineUser $TeamMember.User | Select-Object @{Name = 'PrimarySMTPAddress'; Expression = { $_.ProxyAddresses -cmatch '^SMTP:' -creplace 'SMTP:' } }).PrimarySMTPAddress $Member = New-Object -TypeName PSObject -Property @{ TeamGroupID = $Team.GroupID TeamDisplayName = $Team.DisplayName TeamVisibility = $Team.Visibility UPN = $TeamMember.User Role = $TeamMember.Role Email = $Email } $Member.PSObject.TypeNames.Insert(0, 'TeamUsersEmail') $output.Add($Member) | Out-Null } } return $output } #EndRegion '.\Public\Get-UcTeamUsersEmail.ps1' 79 #Region '.\Public\Test-UcModuleUpdateAvailable.ps1' -1 function Test-UcModuleUpdateAvailable { param( [Parameter(Mandatory = $true)] [string]$ModuleName ) try { #Get the current loaded version $tmpCurrentVersion = (get-module $ModuleName | Sort-Object Version -Descending) if ($tmpCurrentVersion) { $currentVersion = $tmpCurrentVersion[0].Version.ToString() } #Get the lastest version available $availableVersion = (Find-Module -Name $ModuleName -Repository PSGallery -ErrorAction SilentlyContinue).Version #Get all installed versions $installedVersions = (get-module $ModuleName -ListAvailable).Version if ($currentVersion -ne $availableVersion ) { if ($availableVersion -in $installedVersions) { Write-Warning ("The lastest available version of $ModuleName module is installed, however version $currentVersion is imported." + [Environment]::NewLine + "Please make sure you import it with: Import-Module $ModuleName -RequiredVersion $availableVersion") } else { Write-Warning ("There is a new version available $availableVersion, current version $currentVersion, please update the module with: Update-Module $ModuleName") } } } catch { } } #EndRegion '.\Public\Test-UcModuleUpdateAvailable.ps1' 30 #Region '.\Public\Test-UcTeamsDevicesCompliancePolicy.ps1' -1 function Test-UcTeamsDevicesCompliancePolicy { param( [switch]$Detailed, [switch]$All, [switch]$IncludeSupported, [string]$PolicyID, [string]$PolicyName, [string]$UserUPN, [string]$DeviceID, [switch]$ExportCSV, [string]$OutputPath ) <# .SYNOPSIS Validate which Intune Compliance policies are supported by Microsoft Teams Android Devices .DESCRIPTION This function will validate each setting in the Intune Compliance Policy to make sure they are in line with the supported settings: https://docs.microsoft.com/en-us/microsoftteams/rooms/supported-ca-and-compliance-policies?tabs=phones#supported-device-compliance-policies Contributors: Traci Herr, David Paulino Requirements: Microsoft Graph PowerShell Module (Install-Module Microsoft.Graph) .PARAMETER Detailed Displays test results for unsupported settings in each Intune Compliance Policy .PARAMETER All Will check all Intune Compliance policies independently if they are assigned to a Group(s) .PARAMETER IncludeSupported Displays results for all settings in each Intune Compliance Policy .PARAMETER PolicyID Specifies a Policy ID that will be checked if is supported by Microsoft Teams Android Devices .PARAMETER PolicyName Specifies a Policy Name that will be checked if is supported by Microsoft Teams Android Devices .PARAMETER UserUPN Specifies a UserUPN that we want to check for applied compliance policies .PARAMETER DeviceID Specifies DeviceID that we want to check for applied compliance policies .PARAMETER ExportCSV When present will export the detailed results to a CSV file. By defautl will save the file under the current user downloads, unless we specify the OutputPath. .PARAMETER OutputPath Allows to specify the path where we want to save the results. .EXAMPLE PS> Test-UcTeamsDevicesCompliancePolicy .EXAMPLE PS> Test-UcTeamsDevicesCompliancePolicy -Detailed #> $connectedMSGraph = $false $CompliancePolicies = $null $totalCompliancePolicies = 0 $skippedCompliancePolicies = 0 $GraphURI_CompliancePolicies = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/" $GraphURI_Users = "https://graph.microsoft.com/v1.0/users" $GraphURI_Groups = "https://graph.microsoft.com/v1.0/groups" $GraphURI_Devices = "https://graph.microsoft.com/v1.0/devices" $SupportedAndroidCompliancePolicies = "#microsoft.graph.androidCompliancePolicy", "#microsoft.graph.androidDeviceOwnerCompliancePolicy", "#microsoft.graph.aospDeviceOwnerCompliancePolicy" $SupportedWindowsCompliancePolicies = "#microsoft.graph.windows10CompliancePolicy" $URLSupportedCompliancePoliciesAndroid = "https://aka.ms/TeamsDevicePolicies?tabs=phones#supported-device-compliance-policies" $URLSupportedCompliancePoliciesWindows = "https://aka.ms/TeamsDevicePolicies?tabs=mtr-w#supported-device-compliance-policies" if (Test-UcMgGraphConnection -Scopes "DeviceManagementConfiguration.Read.All", "Directory.Read.All") { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams $outFileName = "TeamsDevices_CompliancePolicy_Report_" + ( get-date ).ToString('yyyyMMdd-HHmmss') + ".csv" if ($OutputPath) { if (!(Test-Path $OutputPath -PathType Container)) { Write-Host ("Error: Invalid folder " + $OutputPath) -ForegroundColor Red return } $OutputFullPath = [System.IO.Path]::Combine($OutputPath, $outFileName) } else { $OutputFullPath = [System.IO.Path]::Combine($env:USERPROFILE, "Downloads", $outFileName) } try { Write-Progress -Activity "Test-UcTeamsDeviceCompliancePolicy" -Status "Getting Compliance Policies" $CompliancePolicies = (Invoke-MgGraphRequest -Uri $GraphURI_CompliancePolicies -Method GET).value $connectedMSGraph = $true } catch [System.Net.Http.HttpRequestException] { if ($PSItem.Exception.Response.StatusCode -eq "Unauthorized") { Write-Error "Access Denied, please make sure the user connecing to MS Graph is part of one of the following Global Reader/Intune Service Administrator/Global Administrator roles" } else { Write-Error $PSItem.Exception.Message } } catch { Write-Error 'Please connect to MS Graph with Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All","Directory.Read.All" before running this script' } if ($connectedMSGraph) { $output = [System.Collections.ArrayList]::new() $outputSum = [System.Collections.ArrayList]::new() if ($UserUPN) { try { $UserGroups = (Invoke-MgGraphRequest -Uri ($GraphURI_Users + "/" + $userUPN + "/transitiveMemberOf?`$select=id") -Method GET).value.id } catch [System.Net.Http.HttpRequestException] { if ($PSItem.Exception.Response.StatusCode -eq "NotFound") { Write-warning -Message ("User Not Found: " + $UserUPN) } return } #We also need to take in consideration devices that are registered to this user $DeviceGroups = [System.Collections.ArrayList]::new() $userDevices = (Invoke-MgGraphRequest -Uri ($GraphURI_Users + "/" + $userUPN + "/registeredDevices?`$select=deviceId,displayName") -Method GET).value foreach ($userDevice in $userDevices) { $tmpGroups = (Invoke-MgGraphRequest -Uri ($GraphURI_Devices + "(deviceId='{" + $userDevice.deviceID + "}')/transitiveMemberOf?`$select=id") -Method GET).value.id foreach ($tmpGroup in $tmpGroups) { $tmpDG = New-Object -TypeName PSObject -Property @{ GroupId = $tmpGroup DeviceId = $userDevice.deviceID DeviceDisplayName = $userDevice.displayName } $DeviceGroups.Add($tmpDG) | Out-Null } } } if ($DeviceID) { try { $DeviceGroups = (Invoke-MgGraphRequest -Uri ($GraphURI_Devices + "(deviceId='{" + $DeviceID + "}')/transitiveMemberOf?`$select=id") -Method GET).value.id } catch [System.Net.Http.HttpRequestException] { if ($PSItem.Exception.Response.StatusCode -eq "BadRequest") { Write-warning -Message ("Device ID Not Found: " + $DeviceID) } return } } #TO DO: We should only get display names from assigned groups $Groups = New-Object 'System.Collections.Generic.Dictionary[string, string]' $p = 0 $policyCount = $CompliancePolicies.Count foreach ($CompliancePolicy in $CompliancePolicies) { $p++ Write-Progress -Activity "Test-UcTeamsDeviceCompliancePolicy" -Status ("Checking policy " + $CompliancePolicy.displayName + " - $p of $policyCount") if ((($PolicyID -eq $CompliancePolicy.id) -or ($PolicyName -eq $CompliancePolicy.displayName) -or (!$PolicyID -and !$PolicyName)) -and (($CompliancePolicy."@odata.type" -in $SupportedAndroidCompliancePolicies) -or ($CompliancePolicy."@odata.type" -in $SupportedWindowsCompliancePolicies))) { #We need to check if the policy has assignments (Groups/All Users/All Devices) $CompliancePolicyAssignments = (Invoke-MgGraphRequest -Uri ($GraphURI_CompliancePolicies + $CompliancePolicy.id + "/assignments" ) -Method GET).value $AssignedToGroup = [System.Collections.ArrayList]::new() $ExcludedFromGroup = [System.Collections.ArrayList]::new() $outAssignedToGroup = "" $outExcludedFromGroup = "" #We wont need to check the settings if the policy is not assigned to a user if ($UserUPN -or $DeviceID) { $userOrDeviceIncluded = $false } else { $userOrDeviceIncluded = $true } #Define the Compliance Policy type switch ($CompliancePolicy."@odata.type") { "#microsoft.graph.androidCompliancePolicy" { $CPType = "Android Device" } "#microsoft.graph.androidDeviceOwnerCompliancePolicy" { $CPType = "Android Enterprise" } "#microsoft.graph.aospDeviceOwnerCompliancePolicy" { $CPType = "Android (AOSP)" } "#microsoft.graph.windows10CompliancePolicy" { $CPType = "Windows 10 or later" } Default { $CPType = $CompliancePolicy."@odata.type".split('.')[2] } } #Checking Compliance Policy assigments since we can skip non assigned policies. foreach ($CompliancePolicyAssignment in $CompliancePolicyAssignments) { $GroupDisplayName = $CompliancePolicyAssignment.target.Groupid if ($Groups.ContainsKey($CompliancePolicyAssignment.target.Groupid)) { $GroupDisplayName = $Groups.Item($CompliancePolicyAssignment.target.Groupid) } else { try { $GroupInfo = Invoke-MgGraphRequest -Uri ($GraphURI_Groups + "/" + $CompliancePolicyAssignment.target.Groupid + "/?`$select=id,displayname") -Method GET $Groups.Add($GroupInfo.id, $GroupInfo.displayname) $GroupDisplayName = $GroupInfo.displayname } catch { } } $GroupEntry = New-Object -TypeName PSObject -Property @{ GroupID = $CompliancePolicyAssignment.target.Groupid GroupDisplayName = $GroupDisplayName } switch ($CompliancePolicyAssignment.target."@odata.type") { #Policy assigned to all users "#microsoft.graph.allLicensedUsersAssignmentTarget" { $GroupEntry = New-Object -TypeName PSObject -Property @{ GroupID = "allLicensedUsersAssignment" GroupDisplayName = "All Users" } $AssignedToGroup.Add($GroupEntry) | Out-Null $userOrDeviceIncluded = $true } #Policy assigned to all devices "#microsoft.graph.allDevicesAssignmentTarget" { $GroupEntry = New-Object -TypeName PSObject -Property @{ GroupID = "allDevicesAssignmentTarget" GroupDisplayName = "All Devices" } $AssignedToGroup.Add($GroupEntry) | Out-Null $userOrDeviceIncluded = $true } #Group that this policy is assigned "#microsoft.graph.groupAssignmentTarget" { $AssignedToGroup.Add($GroupEntry) | Out-Null if (($UserUPN -or $DeviceID) -and (($CompliancePolicyAssignment.target.Groupid -in $UserGroups) -or ($CompliancePolicyAssignment.target.Groupid -in $DeviceGroups))) { $userOrDeviceIncluded = $true } } #Group that this policy is excluded "#microsoft.graph.exclusionGroupAssignmentTarget" { $ExcludedFromGroup.Add($GroupEntry) | Out-Null #If user is excluded then we dont need to check the policy if ($UserUPN -and ($CompliancePolicyAssignment.target.Groupid -in $UserGroups)) { Write-Warning ("Skiping compliance policy " + $CompliancePolicy.displayName + ", since user " + $UserUPN + " is part of an Excluded Group: " + $GroupEntry.GroupDisplayName) $userOrDeviceExcluded = $true } elseif ($DeviceID -and ($CompliancePolicyAssignment.target.Groupid -in $DeviceGroups)) { Write-Warning ("Skiping compliance policy " + $CompliancePolicy.displayName + ", since device " + $DeviceID + " is part of an Excluded Group: " + $GroupEntry.GroupDisplayName) $userOrDeviceExcluded = $true } elseif ($UserUPN -and (($CompliancePolicyAssignment.target.Groupid -in $DeviceGroups.GroupId))) { #In case a device is excluded we will check the policy but output a message $tmpDev = ($DeviceGroups | Where-Object -Property GroupId -eq -Value $CompliancePolicyAssignment.target.Groupid) Write-Warning ("Compliance policy " + $CompliancePolicy.displayName + " will not be applied to device " + $tmpDev.DeviceDisplayName + " (" + $tmpDev.DeviceID + "), since this device is part of an Excluded Group: " + $GroupEntry.GroupDisplayName) } } } } if ((($AssignedToGroup.count -gt 0) -and !$userOrDeviceExcluded -and $userOrDeviceIncluded) -or $all) { $totalCompliancePolicies++ $PolicyErrors = 0 $PolicyWarnings = 0 #If only assigned/excluded from a group we will show the group display name, otherwise the number of groups assigned/excluded. if ($AssignedToGroup.count -eq 1) { $outAssignedToGroup = $AssignedToGroup.GroupDisplayName } elseif ($AssignedToGroup.count -eq 0) { $outAssignedToGroup = "None" } else { $outAssignedToGroup = "" + $AssignedToGroup.count + " groups" } if ($ExcludedFromGroup.count -eq 1) { $outExcludedFromGroup = $ExcludedFromGroup.GroupDisplayName } elseif ($ExcludedFromGroup.count -eq 0) { $outExcludedFromGroup = "None" } else { $outExcludedFromGroup = "" + $ExcludedFromGroup.count + " groups" } if ($CompliancePolicy."@odata.type" -in $SupportedAndroidCompliancePolicies) { $URLSupportedCompliancePolicies = $URLSupportedCompliancePoliciesAndroid } elseif ($CompliancePolicy."@odata.type" -in $SupportedWindowsCompliancePolicies) { $URLSupportedCompliancePolicies = $URLSupportedCompliancePoliciesWindows } #region Common settings between Android (ADA and AOSP) and Windows #region 9: Device Properties > Operation System Version $ID = 9.1 $Setting = "osMinimumVersion" $SettingDescription = "Device Properties > Operation System Version > Minimum OS version" $SettingValue = "Not Configured" $Comment = "" if (!([string]::IsNullOrEmpty($CompliancePolicy.osMinimumVersion))) { if ($CompliancePolicy."@odata.type" -in $SupportedWindowsCompliancePolicies) { $Status = "Unsupported" $Comment = "Teams Rooms automatically updates to newer versions of Windows and setting values here could prevent successful sign-in after an OS update." $PolicyErrors++ } else { $Status = "Warning" $Comment = "This setting can cause sign in issues." $PolicyWarnings++ } $SettingValue = $CompliancePolicy.osMinimumVersion } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) $ID = 9.2 $Setting = "osMaximumVersion" $SettingDescription = "Device Properties > Operation System Version > Maximum OS version" $SettingValue = "Not Configured" $Comment = "" if (!([string]::IsNullOrEmpty($CompliancePolicy.osMaximumVersion))) { if ($CompliancePolicy."@odata.type" -in $SupportedWindowsCompliancePolicies) { $Status = "Unsupported" $Comment = "Teams Rooms automatically updates to newer versions of Windows and setting values here could prevent successful sign-in after an OS update." $PolicyErrors++ } else { $Status = "Warning" $Comment = "This setting can cause sign in issues." $PolicyWarnings++ } $SettingValue = $CompliancePolicy.osMaximumVersion } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 17: System Security > All Android devices > Require a password to unlock mobile devices $ID = 17 $Setting = "passwordRequired" $SettingDescription = "System Security > All Android devices > Require a password to unlock mobile devices" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.passwordRequired) { $Status = "Unsupported" $SettingValue = "Require" $Comment = $URLSupportedCompliancePolicies $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #endregion #20240508 - We need to limit the settings since not all are available in AOSP compliance policies. if ($CompliancePolicy."@odata.type" -in $SupportedAndroidCompliancePolicies -and $CompliancePolicy."@odata.type" -ne "#microsoft.graph.aospDeviceOwnerCompliancePolicy") { #region 1: Microsoft Defender for Endpoint > Require the device to be at or under the machine risk score $ID = 1 $Setting = "deviceThreatProtectionEnabled" $SettingDescription = "Microsoft Defender for Endpoint > Require the device to be at or under the machine risk score" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.deviceThreatProtectionEnabled) { $Status = "Unsupported" $PolicyErrors++ $SettingValue = $CompliancePolicy.advancedThreatProtectionRequiredSecurityLevel $Comment = $URLSupportedCompliancePolicies } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 2: Device Health > Device managed with device administrator $ID = 2 $Setting = "securityBlockDeviceAdministratorManagedDevices" $SettingDescription = "Device Health > Device managed with device administrator" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.securityBlockDeviceAdministratorManagedDevices) { $Status = "Unsupported" $SettingValue = "Block" $Comment = "Teams Android devices management requires device administrator to be enabled." $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 4: Device Health > Require the device to be at or under the Device Threat Level $ID = 4 $Setting = "deviceThreatProtectionRequiredSecurityLevel" $SettingDescription = "Device Health > Require the device to be at or under the Device Threat Level" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.deviceThreatProtectionRequiredSecurityLevel -ne "unavailable") { $Status = "Unsupported" $SettingValue = $CompliancePolicy.deviceThreatProtectionRequiredSecurityLevel $Comment = $URLSupportedCompliancePolicies $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 5: Device Health > Google Protect > Google Play Services is Configured $ID = 5 $Setting = "securityRequireGooglePlayServices" $SettingDescription = "Device Health > Google Protect > Google Play Services is Configured" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.securityRequireGooglePlayServices) { $Status = "Unsupported" $SettingValue = "Require" $Comment = "Google play isn't installed on Teams Android devices." $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 6: Device Health > Google Protect > Up-to-date security provider $ID = 6 $Setting = "securityRequireUpToDateSecurityProviders" $SettingDescription = "Device Health > Google Protect > Up-to-date security provider" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.securityRequireUpToDateSecurityProviders) { $Status = "Unsupported" $SettingValue = "Require" $Comment = "Google play isn't installed on Teams Android devices." $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 7: Device Health > Google Protect > Threat scan on apps $ID = 7 $Setting = "securityRequireVerifyApps" $SettingDescription = "Device Health > Google Protect > Threat scan on apps" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.securityRequireVerifyApps) { $Status = "Unsupported" $SettingValue = "Require" $Comment = "Google play isn't installed on Teams Android devices." $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 8: Device Health > Google Protect > SafetyNet device attestation $ID = 8 $Setting = "securityRequireSafetyNetAttestation" $SettingDescription = "Device Health > Google Protect > SafetyNet device attestation" $SettingValue = "Not Configured" $Comment = "" if (($CompliancePolicy.securityRequireSafetyNetAttestationBasicIntegrity) -or ($CompliancePolicy.securityRequireSafetyNetAttestationCertifiedDevice)) { $Status = "Unsupported" $Comment = "Google play isn't installed on Teams Android devices." $PolicyErrors++ if ($CompliancePolicy.securityRequireSafetyNetAttestationCertifiedDevice) { $SettingValue = "Check basic integrity and certified devices" } elseif ($CompliancePolicy.securityRequireSafetyNetAttestationBasicIntegrity) { $SettingValue = "Check basic integrity" } } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 11: System Security > Device Security > Block apps from unknown sources $ID = 11 $Setting = "securityPreventInstallAppsFromUnknownSources" $SettingDescription = "System Security > Device Security > Block apps from unknown sources" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.securityPreventInstallAppsFromUnknownSources) { $Status = "Unsupported" $SettingValue = "Block" $Comment = "Only Teams admins install apps or OEM tools" $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 15: System Security > Device Security > Restricted apps $ID = 15 $Setting = "securityPreventInstallAppsFromUnknownSources" $SettingDescription = "System Security > Device Security > Restricted apps" $SettingValue = "Not Configured" $Comment = "" if (($CompliancePolicy.restrictedApps).count -gt 0 ) { $Status = "Unsupported" $SettingValue = "Found " + ($CompliancePolicy.restrictedApps).count + " restricted app(s)" $Comment = $URLSupportedCompliancePolicies $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion } if ($CompliancePolicy."@odata.type" -in $SupportedAndroidCompliancePolicies) { #region 3: Device Health > Rooted devices $ID = 3 $Setting = "securityBlockJailbrokenDevices" $SettingDescription = "Device Health > Rooted devices" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.securityBlockJailbrokenDevices) { $Status = "Warning" $SettingValue = "Block" $Comment = "This setting can cause sign in issues." $PolicyWarnings++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 10: System Security > Encryption > Require encryption of data storage on device. $ID = 10 $Setting = "storageRequireEncryption" $SettingDescription = "System Security > Encryption > Require encryption of data storage on device" $SettingValue = "Not Configured" $Comment = "" if ($CompliancePolicy.storageRequireEncryption) { $Status = "Warning" $SettingValue = "Require" $Comment = "Manufacturers might configure encryption attributes on their devices in a way that Intune doesn't recognize. If this happens, Intune marks the device as noncompliant." $PolicyWarnings++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 14: System Security > Device Security > Minimum security patch level $ID = 14 $Setting = "minAndroidSecurityPatchLevel" $SettingDescription = "System Security > Device Security > Minimum security patch level" $SettingValue = "Not Configured" $Comment = "" if (!([string]::IsNullOrEmpty($CompliancePolicy.minAndroidSecurityPatchLevel))) { $Status = "Warning" $SettingValue = $CompliancePolicy.minAndroidSecurityPatchLevel $Comment = "This setting can cause sign in issues." $PolicyWarnings++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 16: System Security > All Android devices > Maximum minutes of inactivity before password is required $ID = 16 $Setting = "passwordMinutesOfInactivityBeforeLock" $SettingDescription = "System Security > All Android devices > Maximum minutes of inactivity before password is required" $SettingValue = "Not Configured" $Comment = "" if (!([string]::IsNullOrEmpty($CompliancePolicy.passwordMinutesOfInactivityBeforeLock))) { $Status = "Unsupported" $SettingValue = "" + $CompliancePolicy.passwordMinutesOfInactivityBeforeLock + " minutes" $Comment = $URLSupportedCompliancePolicies $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion } elseif ($CompliancePolicy."@odata.type" -in $SupportedWindowsCompliancePolicies) { #region 18: Device Properties > Operation System Version $ID = 18.1 $Setting = "mobileOsMinimumVersion" $SettingDescription = "Device Properties > Operation System Version > Minimum OS version for mobile devices" $SettingValue = "Not Configured" $Comment = "" if (!([string]::IsNullOrEmpty($CompliancePolicy.mobileOsMinimumVersion))) { $Status = "Unsupported" $SettingValue = $CompliancePolicy.mobileOsMinimumVersion $Comment = $URLSupportedCompliancePolicies $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) $ID = 18.2 $Setting = "mobileOsMaximumVersion" $SettingDescription = "Device Properties > Operation System Version > Maximum OS version for mobile devices" $SettingValue = "Not Configured" $Comment = "" if (!([string]::IsNullOrEmpty($CompliancePolicy.mobileOsMaximumVersion))) { $Status = "Unsupported" $SettingValue = $CompliancePolicy.mobileOsMaximumVersion $Comment = $URLSupportedCompliancePolicies $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 19: Device Properties > Operation System Version > Valid operating system builds $ID = 19 $Setting = "validOperatingSystemBuildRanges" $SettingDescription = "Device Properties > Operation System Version > Valid operating system builds" $SettingValue = "Not Configured" $Comment = "" if (!([string]::IsNullOrEmpty($CompliancePolicy.validOperatingSystemBuildRanges))) { $Status = "Unsupported" $SettingValue = "Found " + ($CompliancePolicy.validOperatingSystemBuildRanges).count + " valid OS configured build(s)" $Comment = $URLSupportedCompliancePolicies $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 20: System Security > Defender > Microsoft Defender Antimalware minimum version $ID = 20 $Setting = "defenderVersion" $SettingDescription = "System Security > Defender > Microsoft Defender Antimalware minimum version" $SettingValue = "Not Configured" $Comment = "" if (!([string]::IsNullOrEmpty($CompliancePolicy.defenderVersion))) { $Status = "Unsupported" $SettingValue = $CompliancePolicy.defenderVersion $Comment = "Teams Rooms automatically updates this component so there's no need to set compliance policies." $PolicyErrors++ } else { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $CompliancePolicy.displayName PolicyType = $CPType Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $CompliancePolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicyDetailed') [void]$output.Add($SettingPSObj) #endregion } if ($PolicyErrors -gt 0) { $StatusSum = "Found " + $PolicyErrors + " unsupported settings." $displayWarning = $true } elseif ($PolicyWarnings -gt 0) { $StatusSum = "Found " + $PolicyWarnings + " settings that may impact users." $displayWarning = $true } else { $StatusSum = "No issues found." } $PolicySum = [PSCustomObject]@{ PolicyID = $CompliancePolicy.id PolicyName = $CompliancePolicy.displayName PolicyType = $CPType AssignedToGroup = $outAssignedToGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroup = $outExcludedFromGroup ExcludedFromGroupList = $ExcludedFromGroup TeamsDevicesStatus = $StatusSum } $PolicySum.PSObject.TypeNames.Insert(0, 'TeamsDeviceCompliancePolicy') $outputSum.Add($PolicySum) | Out-Null } elseif (($AssignedToGroup.count -eq 0) -and !($UserUPN -or $DeviceID -or $Detailed)) { $skippedCompliancePolicies++ } } } if ($totalCompliancePolicies -eq 0) { if ($UserUPN) { Write-Warning ("The user " + $UserUPN + " doesn't have any Compliance Policies assigned.") } else { Write-Warning "No Compliance Policies assigned to All Users, All Devices or group found. Please use Test-UcTeamsDevicesCompliancePolicy -All to check all policies." } } if ($IncludeSupported -and $Detailed) { if ($ExportCSV) { $output | Sort-Object PolicyName, ID | Select-Object PolicyName, PolicyID, PolicyType, AssignedToGroup, ExcludedFromGroup, TeamsDevicesStatus, Setting, SettingDescription, Value, Comment | Export-Csv -path $OutputFullPath -NoTypeInformation Write-Host ("Results available in: " + $OutputFullPath) -ForegroundColor Cyan return } else { $output | Sort-Object PolicyName, ID } } elseif ($Detailed) { if ((( $output | Where-Object -Property TeamsDevicesStatus -NE -Value "Supported").count -eq 0) -and !$IncludeSupported) { Write-Warning "No unsupported settings found, please use Test-UcTeamsDevicesCompliancePolicy -IncludeSupported to output all settings." } else { if ($ExportCSV) { $output | Where-Object -Property TeamsDevicesStatus -NE -Value "Supported" | Sort-Object PolicyName, ID | Select-Object PolicyName, PolicyID, PolicyType, AssignedToGroup, ExcludedFromGroup, TeamsDevicesStatus, Setting, SettingDescription, Value, Comment | Export-Csv -path $OutputFullPath -NoTypeInformation Write-Host ("Results available in: " + $OutputFullPath) -ForegroundColor Cyan return } else { $output | Where-Object -Property TeamsDevicesStatus -NE -Value "Supported" | Sort-Object PolicyName, ID } } } else { if (($skippedCompliancePolicies -gt 0) -and !$All) { Write-Warning ("Skipping $skippedCompliancePolicies compliance policies since will not be applied to Teams Devices.") Write-Warning ("Please use the All switch to check all policies: Test-UcTeamsDevicesCompliancePolicy -All") } if ($displayWarning) { Write-Warning "One or more policies contain unsupported settings, please use Test-UcTeamsDevicesCompliancePolicy -Detailed to identify the unsupported settings." } $outputSum | Sort-Object PolicyName } } } } #EndRegion '.\Public\Test-UcTeamsDevicesCompliancePolicy.ps1' 1059 #Region '.\Public\Test-UcTeamsDevicesConditionalAccessPolicy.ps1' -1 function Test-UcTeamsDevicesConditionalAccessPolicy { param( [switch]$Detailed, [switch]$All, [switch]$IncludeSupported, [string]$UserUPN, [switch]$ExportCSV, [string]$OutputPath ) <# .SYNOPSIS Validate which Conditional Access policies are supported by Microsoft Teams Android Devices .DESCRIPTION This function will validate each setting in a Conditional Access Policy to make sure they are in line with the supported settings: https://docs.microsoft.com/microsoftteams/rooms/supported-ca-and-compliance-policies?tabs=phones#conditional-access-policies" Contributors: Traci Herr, David Paulino Requirements: Microsoft Graph PowerShell Module (Install-Module Microsoft.Graph) .PARAMETER Detailed Displays test results for all settings in each Conditional Access Policy .PARAMETER All Will check all Conditional Access policies independently if they are assigned to a Group(s) or to Teams .PARAMETER IncludeSupported Displays results for all settings in each Conditional Access Policy .PARAMETER UserUPN Specifies a UserUPN that we want to check for applied Conditional Access policies .PARAMETER ExportCSV When present will export the detailed results to a CSV file. By defautl will save the file under the current user downloads, unless we specify the OutputPath. .PARAMETER OutputPath Allows to specify the path where we want to save the results. .EXAMPLE PS> Test-UcTeamsDevicesConditionalAccessPolicy .EXAMPLE PS> Test-UcTeamsDevicesConditionalAccessPolicy -All .EXAMPLE PS> Test-UcTeamsDevicesConditionalAccessPolicy -Detailed .EXAMPLE PS> Test-UcTeamsDevicesConditionalAccessPolicy -Detailed -IncludedSupported .EXAMPLE PS> Test-UcTeamsDevicesConditionalAccessPolicy -UserUPN #> $GraphURI_Users = "https://graph.microsoft.com/v1.0/users" $GraphURI_Groups = "https://graph.microsoft.com/v1.0/groups" $GraphURI_ConditionalAccess = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" $connectedMSGraph = $false $ConditionalAccessPolicies = $null $totalCAPolicies = 0 $skippedCAPolicies = 0 $URLTeamsDevicesCA = "https://aka.ms/TeamsDevicePolicies#supported-conditional-access-policies" $URLTeamsDevicesKnownIssues = "https://docs.microsoft.com/microsoftteams/troubleshoot/teams-rooms-and-devices/rooms-known-issues#teams-phone-devices" if (Test-UcMgGraphConnection -Scopes "Policy.Read.All", "Directory.Read.All") { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams $outFileName = "TeamsDevices_ConditionalAccessPolicy_Report_" + ( get-date ).ToString('yyyyMMdd-HHmmss') + ".csv" if ($OutputPath) { if (!(Test-Path $OutputPath -PathType Container)) { Write-Host ("Error: Invalid folder " + $OutputPath) -ForegroundColor Red return } $OutputFullPath = [System.IO.Path]::Combine($OutputPath, $outFileName) } else { $OutputFullPath = [System.IO.Path]::Combine($env:USERPROFILE, "Downloads", $outFileName) } try { Write-Progress -Activity "Test-UcTeamsDevicesConditionalAccessPolicy" -Status "Getting Conditional Access Policies" $ConditionalAccessPolicies = (Invoke-MgGraphRequest -Uri ($GraphURI_ConditionalAccess + $GraphFilter) -Method GET).Value $connectedMSGraph = $true } catch [System.Net.Http.HttpRequestException] { if ($PSItem.Exception.Response.StatusCode -eq "Forbidden") { Write-Host "Access Denied, please make sure the user connecing to MS Graph is part of one of the following Global Reader/Conditional Access Administrator/Global Administrator roles" return } else { Write-Error $PSItem.Exception.Message } } catch { Write-Error $PSItem.Exception.Message } if ($connectedMSGraph) { $output = [System.Collections.ArrayList]::new() $outputSum = [System.Collections.ArrayList]::new() if ($UserUPN) { try { $UserID = (Invoke-MgGraphRequest -Uri ($GraphURI_Users + "/" + $userUPN + "?`$select=id") -Method GET).id $UserGroups = (Invoke-MgGraphRequest -Uri ($GraphURI_Users + "/" + $userUPN + "/transitiveMemberOf?`$select=id") -Method GET).value.id } catch [System.Net.Http.HttpRequestException] { if ($PSItem.Exception.Response.StatusCode -eq "NotFound") { Write-warning -Message ("User Not Found: " + $UserUPN) } return } } $Groups = New-Object 'System.Collections.Generic.Dictionary[string, string]' try { Write-Progress -Activity "Test-UcTeamsDevicesConditionalAccessPolicy" -Status "Fetching Service Principals details." $ServicePrincipals = Get-MgServicePrincipal -Select AppId, DisplayName -All } catch {} $p = 0 $policyCount = $ConditionalAccessPolicies.Count foreach ($ConditionalAccessPolicy in $ConditionalAccessPolicies) { $p++ Write-Progress -Activity "Test-UcTeamsDevicesConditionalAccessPolicy" -Status ("Checking policy " + $ConditionalAccessPolicy.displayName + " - $p of $policyCount") $AssignedToGroup = [System.Collections.ArrayList]::new() $ExcludedFromGroup = [System.Collections.ArrayList]::new() $AssignedToUserCount = 0 $ExcludedFromUserCount = 0 $outAssignedToGroup = "" $outExcludedFromGroup = "" $userExcluded = $false $StatusSum = "" $totalCAPolicies++ $PolicyErrors = 0 $PolicyWarnings = 0 if ($UserUPN) { if ($UserID -in $ConditionalAccessPolicy.conditions.users.excludeUsers) { $userExcluded = $true Write-Warning ("Skiping conditional access policy " + $ConditionalAccessPolicy.displayName + ", since user " + $UserUPN + " is part of Excluded Users") } elseif ($UserID -in $ConditionalAccessPolicy.conditions.users.includeUsers) { $userIncluded = $true } else { $userIncluded = $false } } #All Users in Conditional Access Policy will show as a 'All' in the includeUsers. if ("All" -in $ConditionalAccessPolicy.conditions.users.includeUsers) { $GroupEntry = New-Object -TypeName PSObject -Property @{ GroupID = "All" GroupDisplayName = "All Users" } $AssignedToGroup.Add($GroupEntry) | Out-Null $userIncluded = $true } elseif ((($ConditionalAccessPolicy.conditions.users.includeUsers).count -gt 0) -and "None" -notin $ConditionalAccessPolicy.conditions.users.includeUsers) { $AssignedToUserCount = ($ConditionalAccessPolicy.conditions.users.includeUsers).count if (!$UserUPN) { $userIncluded = $true } } foreach ($includedGroup in $ConditionalAccessPolicy.conditions.users.includeGroups) { $GroupDisplayName = $includedGroup if ($Groups.ContainsKey($includedGroup)) { $GroupDisplayName = $Groups.Item($includedGroup) } else { try { $GroupInfo = Invoke-MgGraphRequest -Uri ($GraphURI_Groups + "/" + $includedGroup + "/?`$select=id,displayname") -Method GET $Groups.Add($GroupInfo.id, $GroupInfo.displayname) $GroupDisplayName = $GroupInfo.displayname } catch { } } $GroupEntry = New-Object -TypeName PSObject -Property @{ GroupID = $includedGroup GroupDisplayName = $GroupDisplayName } #We only need to add if we didn't specify a UPN or if the user is part of the group that has the CA assigned. if (!$UserUPN) { $AssignedToGroup.Add($GroupEntry) | Out-Null } if ($includedGroup -in $UserGroups) { $userIncluded = $true $AssignedToGroup.Add($GroupEntry) | Out-Null } } foreach ($excludedGroup in $ConditionalAccessPolicy.conditions.users.excludeGroups) { $GroupDisplayName = $excludedGroup if ($Groups.ContainsKey($excludedGroup)) { $GroupDisplayName = $Groups.Item($excludedGroup) } else { try { $GroupInfo = Invoke-MgGraphRequest -Uri ($GraphURI_Groups + "/" + $excludedGroup + "/?`$select=id,displayname") -Method GET $Groups.Add($GroupInfo.id, $GroupInfo.displayname) $GroupDisplayName = $GroupInfo.displayname } catch { } } $GroupEntry = New-Object -TypeName PSObject -Property @{ GroupID = $excludedGroup GroupDisplayName = $GroupDisplayName } $ExcludedFromGroup.Add($GroupEntry) | Out-Null if ($excludedGroup -in $UserGroups) { $userExcluded = $true Write-Warning ("Skiping conditional access policy " + $ConditionalAccessPolicy.displayName + ", since user " + $UserUPN + " is part of an Excluded Group: " + $GroupEntry.GroupDisplayName) } } $ExcludedFromUserCount = ($ConditionalAccessPolicy.conditions.users.excludeUsers).count if ("GuestsOrExternalUsers" -in $ConditionalAccessPolicy.conditions.users.excludeUsers) { $ExcludedFromUserCount-- } #If only assigned/excluded from a group we will show the group display name, otherwise the number of groups assigned/excluded. if (($AssignedToGroup.count -gt 0) -and ($AssignedToUserCount -gt 0)) { $outAssignedToGroup = "$AssignedToUserCount user(s)," + $AssignedToGroup.count + " group(s)" } elseif (($AssignedToGroup.count -eq 0) -and ($AssignedToUserCount -gt 0)) { $outAssignedToGroup = "$AssignedToUserCount user(s)" } elseif (($AssignedToGroup.count -gt 0) -and ($AssignedToUserCount -eq 0)) { if ($AssignedToGroup.count -eq 1) { $outAssignedToGroup = $AssignedToGroup[0].GroupDisplayName } else { $outAssignedToGroup = "" + $AssignedToGroup.count + " group(s)" } } else { $outAssignedToGroup = "None" } if (($ExcludedFromGroup.count -gt 0) -and ($ExcludedFromUserCount -gt 0)) { $outExcludedFromGroup = "$ExcludedFromUserCount user(s), " + $ExcludedFromGroup.count + " group(s)" } elseif (($ExcludedFromGroup.count -eq 0) -and ($ExcludedFromUserCount -gt 0)) { $outExcludedFromGroup = "$ExcludedFromUserCount user(s)" } elseif (($ExcludedFromGroup.count -gt 0) -and ($ExcludedFromUserCount -eq 0)) { if ($ExcludedFromGroup.count -eq 1) { $outExcludedFromGroup = $ExcludedFromGroup[0].GroupDisplayName } else { $outExcludedFromGroup = "" + $ExcludedFromGroup.count + " group(s)" } } else { $outExcludedFromGroup = "None" } $PolicyState = $ConditionalAccessPolicy.State if ($PolicyState -eq "enabledForReportingButNotEnforced") { $PolicyState = "ReportOnly" } #region 2: Assignment > Cloud apps or actions > Cloud Apps #Exchange 00000002-0000-0ff1-ce00-000000000000 #SharePoint 00000003-0000-0ff1-ce00-000000000000 #Teams cc15fd57-2c6c-4117-a88c-83b1d56b4bbe $ID = 2 $Setting = "CloudApps" $SettingDescription = "Assignment > Cloud apps or actions > Cloud Apps" $Comment = "" $hasExchange = $false $hasSharePoint = $false $hasTeams = $false $hasOffice365 = $false $SettingValue = "" foreach ($Application in $ConditionalAccessPolicy.Conditions.Applications.IncludeApplications) { $appDisplayName = ($ServicePrincipals | Where-Object -Property AppId -eq -Value $Application).DisplayName switch ($Application) { "All" { $hasOffice365 = $true; $SettingValue = "All" } "Office365" { $hasOffice365 = $true; $SettingValue = "Office 365" } "00000002-0000-0ff1-ce00-000000000000" { $hasExchange = $true; $SettingValue += $appDisplayName + "; " } "00000003-0000-0ff1-ce00-000000000000" { $hasSharePoint = $true; $SettingValue += $appDisplayName + "; " } "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe" { $hasTeams = $true; $SettingValue += $appDisplayName + "; " } default { $SettingValue += $appDisplayName + "; " } } } if ($SettingValue.EndsWith("; ")) { $SettingValue = $SettingValue.Substring(0, $SettingValue.Length - 2) } if (((($AssignedToGroup.count -gt 0) -and ($hasOffice365 -or $hasTeams) -and ($PolicyState -NE "disabled")) -and (!$userExcluded) -and $userIncluded) -or $all) { if (($hasExchange -and $hasSharePoint -and $hasTeams) -or ($hasOffice365)) { $Status = "Supported" } else { $Status = "Unsupported" $Comment = "Teams Devices needs to access: Office 365 or Exchange Online, SharePoint Online, and Microsoft Teams" $PolicyErrors++ } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 6: Assignment > Conditions > Locations $ID = 6.1 $Setting = "includeLocations" $SettingDescription = "Assignment > Conditions > Locations" $Comment = "" $Status = "Supported" if ($ConditionalAccessPolicy.conditions.locations.includeLocations) { $SettingValue = $ConditionalAccessPolicy.conditions.locations.includeLocations } else { $SettingValue = "Not Configured" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) $ID = 6.2 $Setting = "excludeLocations" $SettingDescription = "Assignment > Conditions > Locations" $Comment = "" $Status = "Supported" if ($ConditionalAccessPolicy.conditions.locations.excludeLocations) { $SettingValue = $ConditionalAccessPolicy.conditions.locations.excludeLocations } else { $SettingValue = "Not Configured" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 7: Assignment > Conditions > Client apps $ID = 7 $Setting = "ClientAppTypes" $SettingDescription = "Assignment > Conditions > Client apps" $SettingValue = "" $Comment = "" foreach ($ClientAppType in $ConditionalAccessPolicy.Conditions.ClientAppTypes) { if ($ClientAppType -eq "All") { $Status = "Supported" $SettingValue = $ClientAppType $Comment = "" } else { $Status = "Unsupported" $SettingValue += $ClientAppType + ";" $Comment = $URLTeamsDevicesCA $PolicyErrors++ } } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 8: Assignment > Conditions > Filter for devices $ID = 8 $Setting = "deviceFilter" $SettingDescription = "Assignment > Conditions > Filter for devices" $Comment = "" if ($ConditionalAccessPolicy.conditions.devices.deviceFilter.mode -eq "exclude") { $Status = "Supported" $SettingValue = $ConditionalAccessPolicy.conditions.devices.deviceFilter.mode + ": " + $ConditionalAccessPolicy.conditions.devices.deviceFilter.rule } else { $SettingValue = "Not Configured" $Status = "Warning" $Comment = "https://learn.microsoft.com/microsoftteams/troubleshoot/teams-rooms-and-devices/teams-android-devices-conditional-access-issues" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 10: Access controls > Grant $Setting = "GrantControls" foreach ($BuiltInControl in $ConditionalAccessPolicy.GrantControls.BuiltInControls) { $Comment = "" $SettingValue = "Enabled" switch ($BuiltInControl) { "mfa" { $ID = 11 $Status = "Warning" $SettingDescription = "Access controls > Grant > Require multi-factor authentication" $PolicyWarnings++ $Comment = "Require multi-factor authentication only supported for Teams Phones and Displays." } "compliantDevice" { $ID = 12 $Status = "Supported" $SettingDescription = "Access controls > Grant > Require device to be marked as compliant" } "DomainJoinedDevice" { $ID = 13 $Status = "Unsupported" $SettingDescription = "Access controls > Grant > Require Hybrid Azure AD joined device" $PolicyErrors++ } "ApprovedApplication" { $ID = 14 $Status = "Unsupported" $SettingDescription = "Access controls > Grant > Require approved client app" $Comment = $URLTeamsDevicesCA $PolicyErrors++ } "CompliantApplication" { $ID = 15 $Status = "Unsupported" $SettingDescription = "Access controls > Grant > Require app protection policy" $Comment = $URLTeamsDevicesCA $PolicyErrors++ } "PasswordChange" { $ID = 16 $Status = "Unsupported" $SettingDescription = "Access controls > Grant > Require password change" $Comment = $URLTeamsDevicesCA $PolicyErrors++ } default { $ID = 10 $SettingDescription = "Access controls > Grant > " + $BuiltInControl $Status = "Supported" } } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) } #endregion #region 17: Access controls > Grant > Custom Authentication Factors $ID = 17 $Setting = "CustomAuthenticationFactors" $SettingDescription = "Access controls > Grant > Custom Authentication Factors" if ($ConditionalAccessPolicy.GrantControls.CustomAuthenticationFactors) { $Status = "Unsupported" $SettingValue = "Enabled" $PolicyErrors++ $Comment = $URLTeamsDevicesCA } else { $Status = "Supported" $SettingValue = "Disabled" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 18: Access controls > Grant > Terms of Use $ID = 18 $Setting = "TermsOfUse" $SettingDescription = "Access controls > Grant > Terms of Use" $Comment = "" if ($ConditionalAccessPolicy.GrantControls.TermsOfUse) { $Status = "Warning" $SettingValue = "Enabled" $Comment = $URLTeamsDevicesKnownIssues $PolicyWarnings++ } else { $Status = "Supported" $SettingValue = "Disabled" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 19: Access controls > Session > Use app enforced restrictions $ID = 19 $Setting = "ApplicationEnforcedRestrictions" $SettingDescription = "Access controls > Session > Use app enforced restrictions" $Comment = "" if ($ConditionalAccessPolicy.SessionControls.ApplicationEnforcedRestrictions) { $Status = "Unsupported" $SettingValue = "Enabled" $PolicyErrors++ } else { $Status = "Supported" $SettingValue = "Disabled" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 19: Access controls > Session > Use Conditional Access App Control $ID = 19 $Setting = "CloudAppSecurity" $SettingDescription = "Access controls > Session > Use Conditional Access App Control" $Comment = "" if ($ConditionalAccessPolicy.SessionControls.CloudAppSecurity) { $Status = "Unsupported" $SettingValue = $ConditionalAccessPolicy.SessionControls.CloudAppSecurity.cloudAppSecurityType $PolicyErrors++ } else { $Status = "Supported" $SettingValue = "Not Configured" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 20: Access controls > Session > Sign-in frequency $ID = 20 $Setting = "SignInFrequency" $SettingDescription = "Access controls > Session > Sign-in frequency" $Comment = "" if ($ConditionalAccessPolicy.SessionControls.SignInFrequency.isEnabled -eq "true") { $Status = "Warning" $SettingValue = "" + $ConditionalAccessPolicy.SessionControls.SignInFrequency.Value + " " + $ConditionalAccessPolicy.SessionControls.SignInFrequency.Type $Comment = "Users will be signout from Teams Device every " + $ConditionalAccessPolicy.SessionControls.SignInFrequency.Value + " " + $ConditionalAccessPolicy.SessionControls.SignInFrequency.Type $PolicyWarnings++ } else { $Status = "Supported" $SettingValue = "Not Configured" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion #region 21: Access controls > Session > Persistent browser session $ID = 21 $Setting = "PersistentBrowser" $SettingDescription = "Access controls > Session > Persistent browser session" $Comment = "" if ($ConditionalAccessPolicy.SessionControls.PersistentBrowser.isEnabled -eq "true") { $Status = "Unsupported" $SettingValue = $ConditionalAccessPolicy.SessionControls.persistentBrowser.mode $PolicyErrors++ } else { $Status = "Supported" $SettingValue = "Not Configured" } $SettingPSObj = [PSCustomObject]@{ PolicyName = $ConditionalAccessPolicy.displayName PolicyState = $PolicyState Setting = $Setting Value = $SettingValue TeamsDevicesStatus = $Status Comment = $Comment SettingDescription = $SettingDescription AssignedToGroup = $outAssignedToGroup ExcludedFromGroup = $outExcludedFromGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroupList = $ExcludedFromGroup PolicyID = $ConditionalAccessPolicy.id ID = $ID } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicyDetailed') [void]$output.Add($SettingPSObj) #endregion if ($PolicyErrors -gt 0) { $StatusSum = "Has " + $PolicyErrors + " unsupported settings." $displayWarning = $true } elseif ($PolicyWarnings -gt 0) { $StatusSum = "Has " + $PolicyWarnings + " settings that may impact users." $displayWarning = $true } else { $StatusSum = "All settings supported." } $PolicySum = [PSCustomObject]@{ PolicyID = $ConditionalAccessPolicy.id PolicyName = $ConditionalAccessPolicy.DisplayName PolicyState = $PolicyState AssignedToGroup = $outAssignedToGroup AssignedToGroupList = $AssignedToGroup ExcludedFromGroup = $outExcludedFromGroup ExcludedFromGroupList = $ExcludedFromGroup TeamsDevicesStatus = $StatusSum } $PolicySum.PSObject.TypeNames.Insert(0, 'TeamsDeviceConditionalAccessPolicy') [void]$outputSum.Add($PolicySum) } else { $skippedCAPolicies++ } } if ($totalCAPolicies -eq 0) { if ($UserUPN) { Write-Warning ("The user " + $UserUPN + " doesn't have any Compliance Policies assigned.") } else { Write-Warning "No Conditional Access Policies assigned to All Users, All Devices or group found. Please use Test-UcTeamsDevicesConditionalAccessPolicy -IgnoreAssigment to check all policies." } } if ($IncludeSupported -and $Detailed) { if ($ExportCSV) { $output | Sort-Object PolicyName, ID | Select-Object PolicyName, PolicyID, PolicyState, AssignedToGroup, ExcludedFromGroup, TeamsDevicesStatus, Setting, SettingDescription, Value, Comment | Export-Csv -path $OutputFullPath -NoTypeInformation Write-Host ("Results available in: " + $OutputFullPath) -ForegroundColor Cyan return } else { $output | Sort-Object PolicyName, ID } } elseif ($Detailed) { if ((( $output | Where-Object -Property TeamsDevicesStatus -NE -Value "Supported").count -eq 0) -and !$IncludeSupported) { Write-Warning "No unsupported settings found, please use Test-UcTeamsDevicesConditionalAccessPolicy -IncludeSupported, to output all settings." } else { if ($ExportCSV) { $output | Where-Object -Property TeamsDevicesStatus -NE -Value "Supported" | Sort-Object PolicyName, ID | Select-Object PolicyName, PolicyID, PolicyState, AssignedToGroup, ExcludedFromGroup, TeamsDevicesStatus, Setting, SettingDescription, Value, Comment | Export-Csv -path $OutputFullPath -NoTypeInformation Write-Host ("Results available in: " + $OutputFullPath) -ForegroundColor Cyan } else { $output | Where-Object -Property TeamsDevicesStatus -NE -Value "Supported" | Sort-Object PolicyName, ID } } } else { if (($skippedCAPolicies -gt 0) -and !$All) { Write-Warning ("Skipping $skippedCAPolicies conditional access policies since they will not be applied to Teams Devices") Write-Warning ("Please use the All switch to check all policies: Test-UcTeamsDevicesConditionalAccessPolicy -All") } if ($displayWarning) { Write-Warning "One or more policies contain unsupported settings, please use Test-UcTeamsDevicesConditionalAccessPolicy -Detailed to identify the unsupported settings." } $outputSum | Sort-Object PolicyName } } } } #EndRegion '.\Public\Test-UcTeamsDevicesConditionalAccessPolicy.ps1' 806 #Region '.\Public\Test-UcTeamsDevicesEnrollmentPolicy.ps1' -1 function Test-UcTeamsDevicesEnrollmentPolicy { param( [string]$UserUPN, [switch]$Detailed, [switch]$ExportCSV, [string]$OutputPath ) <# .SYNOPSIS Validate Intune Enrollment Policies that are supported by Microsoft Teams Android Devices .DESCRIPTION This function will validate each setting in a Conditional Access Policy to make sure they are in line with the supported settings: Contributors: David Paulino, Gonçalo Sepulveda Requirements: Microsoft Graph PowerShell Module (Install-Module Microsoft.Graph) .PARAMETER UserUPN Specifies a UserUPN that we want to check for a user enrollment policies. .PARAMETER Detailed Displays test results for unsupported settings in each Intune Enrollment Policy. .PARAMETER ExportCSV When present will export the detailed results to a CSV file. By defautl will save the file under the current user downloads, unless we specify the OutputPath. .PARAMETER OutputPath Allows to specify the path where we want to save the results. .EXAMPLE PS> Test-UcTeamsDevicesEnrollmentPolicy .EXAMPLE PS> Test-UcTeamsDevicesEnrollmentPolicy -UserUPN #> $GraphURI_Users = "https://graph.microsoft.com/v1.0/users" $GraphURI_EnrollmentPolicies = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations" $GraphURI_AOSPEnrollmentProfiles = "https://graph.microsoft.com/beta/deviceManagement/androidDeviceOwnerEnrollmentProfiles?`$select=displayName,tokenExpirationDateTime&`$filter=enrollmentMode eq 'corporateOwnedAOSPUserAssociatedDevice' and isTeamsDeviceProfile eq true" $output = [System.Collections.ArrayList]::new() if (Test-UcMgGraphConnection -Scopes "DeviceManagementServiceConfig.Read.All", "DeviceManagementConfiguration.Read.All", "Directory.Read.All") { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams $outFileName = "TeamsDevices_EnrollmentPolicy_Report_" + ( get-date ).ToString('yyyyMMdd-HHmmss') + ".csv" if ($OutputPath) { if (!(Test-Path $OutputPath -PathType Container)) { Write-Host ("Error: Invalid folder " + $OutputPath) -ForegroundColor Red return } $OutputFullPath = [System.IO.Path]::Combine($OutputPath, $outFileName) } else { $OutputFullPath = [System.IO.Path]::Combine($env:USERPROFILE, "Downloads", $outFileName) } try { Write-Progress -Activity "Test-UcTeamsDevicesEnrollmentPolicy" -Status "Getting Intune Enrollment Policies" $EnrollmentPolicies = (Invoke-MgGraphRequest -Uri $GraphURI_EnrollmentPolicies -Method GET).value Write-Progress -Activity "Test-UcTeamsDevicesEnrollmentPolicy" -Status "Getting AOSP Enrollment Profiles" $AOSPEnrollmentProfiles = (Invoke-MgGraphRequest -Uri $GraphURI_AOSPEnrollmentProfiles -Method GET).value $connectedMSGraph = $true } catch [System.Net.Http.HttpRequestException] { if ($PSItem.Exception.Response.StatusCode -eq "Unauthorized") { Write-Error "Access Denied, please make sure the user connecing to MS Graph is part of one of the following Global Reader/Intune Service Administrator/Global Administrator roles" } else { Write-Error $PSItem.Exception.Message } } catch { Write-Error 'Please connect to MS Graph with Connect-MgGraph -Scopes "DeviceManagementServiceConfig.Read.All","Directory.Read.All" before running this script' } if ($connectedMSGraph) { if ($UserUPN) { try { $UserGroups = (Invoke-MgGraphRequest -Uri ($GraphURI_Users + "/" + $userUPN + "/transitiveMemberOf?`$select=id") -Method GET).value.id } catch [System.Net.Http.HttpRequestException] { if ($PSItem.Exception.Response.StatusCode -eq "NotFound") { Write-warning -Message ("User Not Found: " + $UserUPN) } return } } #We need to cycle this in order to get the Group IDs that are assigned to the enrollment policies $graphRequests = [System.Collections.ArrayList]::new() foreach ($EnrollmentPolicy in $EnrollmentPolicies) { #Only Android Policies if (($EnrollmentPolicy."@odata.type" -eq "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration") -and ($EnrollmentPolicy.platformType -eq "android") ) { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $EnrollmentPolicy.id method = "GET" url = "/deviceManagement/deviceEnrollmentConfigurations/" + $EnrollmentPolicy.id + "/assignments?`$select=target" } [void]$graphRequests.Add($gRequestTmp) } } $PolicyGroupAssigment = (Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity "Test-UcTeamsDevicesEnrollmentPolicy, fetching enrollment policies assignment" -IncludeBody) $graphRequests = [System.Collections.ArrayList]::new() foreach ($Group in $PolicyGroupAssigment.body.value.target.GroupID) { if (!($UserUPN) -or ($PolicyGroupAssigment.body.value.target.GroupID -in $UserGroups)) { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $Group method = "GET" url = "/groups/" + $Group + "?`$select=id,displayName" } [void]$graphRequests.Add($gRequestTmp) } } if ($graphRequests.Count -gt 0) { $Groups = (Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity "Test-UcTeamsDevicesEnrollmentPolicy, getting group information") | Select-Object Id, displayName } foreach ($EnrollmentPolicy in $EnrollmentPolicies) { $Status = "Not Supported" #This is the default enrollment policy that is applied to all users/devices if ($EnrollmentPolicy."@odata.type" -eq "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration") { if (!($EnrollmentPolicy.androidRestriction.platformBlocked) -and !($EnrollmentPolicy.androidRestriction.personalDeviceEnrollmentBlocked)) { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PID = 9999 PolicyName = $EnrollmentPolicy.displayName PolicyPriority = "Default" PlatformType = "Android device administrator" AssignedToGroup = "All devices" TeamsDevicesStatus = $Status PlatformBlocked = $EnrollmentPolicy.androidRestriction.platformBlocked PersonalDeviceEnrollmentBlocked = $EnrollmentPolicy.androidRestriction.personalDeviceEnrollmentBlocked osMinimumVersion = $EnrollmentPolicy.androidRestriction.osMinimumVersion osMaximumVersion = $EnrollmentPolicy.androidRestriction.osMaximumVersion blockedManufacturers = $EnrollmentPolicy.androidRestriction.blockedManufacturers TokenExpirationDate = "" } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceEnrollmentPolicy') [void]$output.Add($SettingPSObj) } $Status = "Not Supported" if (($EnrollmentPolicy."@odata.type" -eq "#microsoft.graph.deviceEnrollmentPlatformRestrictionConfiguration") -and ($EnrollmentPolicy.platformType -eq "android") ) { $AssignedToGroup = [System.Collections.ArrayList]::new() $AssignedGroupsTemp = ($PolicyGroupAssigment | Where-Object -Property "id" -Value $EnrollmentPolicy.id -EQ).body.value.target.GroupID foreach ($AssignedGroup in $AssignedGroupsTemp) { if (!($UserUPN) -or ($AssignedGroup -in $UserGroups)) { $GroupDisplayName = ($Groups | Where-Object -Property "id" -Value $AssignedGroup -EQ).DisplayName $GroupEntry = New-Object -TypeName PSObject -Property @{ GroupID = $AssignedGroup GroupDisplayName = $GroupDisplayName } [void]$AssignedToGroup.Add($GroupEntry) } } if ($AssignedToGroup.Count -gt 0) { $outAssignedToGroup = "None" if ($AssignedToGroup.count -eq 1) { $outAssignedToGroup = $AssignedToGroup[0].GroupDisplayName } elseif ($AssignedToGroup.count -gt 1) { $outAssignedToGroup = "" + $AssignedToGroup.count + " group(s)" } if (!($EnrollmentPolicy.platformRestriction.platformBlocked) -and !($EnrollmentPolicy.platformRestriction.personalDeviceEnrollmentBlocked)) { $Status = "Supported" } $SettingPSObj = [PSCustomObject]@{ PID = $EnrollmentPolicy.priority PolicyName = $EnrollmentPolicy.displayName PolicyPriority = $EnrollmentPolicy.priority PlatformType = "Android device administrator" AssignedToGroup = $outAssignedToGroup AssignedToGroupList = $AssignedToGroup TeamsDevicesStatus = $Status PlatformBlocked = $EnrollmentPolicy.platformRestriction.platformBlocked PersonalDeviceEnrollmentBlocked = $EnrollmentPolicy.platformRestriction.personalDeviceEnrollmentBlocked osMinimumVersion = $EnrollmentPolicy.platformRestriction.osMinimumVersion osMaximumVersion = $EnrollmentPolicy.platformRestriction.osMaximumVersion blockedManufacturers = $EnrollmentPolicy.platformRestriction.blockedManufacturers TokenExpirationDate = "" } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceEnrollmentPolicy') [void]$output.Add($SettingPSObj) } } } #region 20240912 - Support for Android AOSP Enrollment #AOSP Enrollment Profiles are not assigned to users. if (!$UserUPN) { $PolicyName = "" $TokenExpirationDate = "" $CurrentDate = Get-Date if ($AOSPEnrollmentProfiles.Length -ge 1) { #In some cases we can have multiple AOSP profiles enabled for Teams Devices, currently we only support one valid at a time. $ValidAOSPEnrollmentProfiles = $AOSPEnrollmentProfiles | Where-Object { $_.tokenExpirationDateTime -gt $CurrentDate } if ($ValidAOSPEnrollmentProfiles.Length -eq 1) { $PolicyName = $ValidAOSPEnrollmentProfiles.displayName $TokenExpirationDate = $ValidAOSPEnrollmentProfiles.tokenExpirationDateTime $TeamsDevicesStatus = "Supported - Token valid for " + ($TokenExpirationDate - $CurrentDate).days + " day(s)" } elseif ($ValidAOSPEnrollmentProfiles.Length -eq 0) { $ExpiredAOSPEnrollmentProfiles = $AOSPEnrollmentProfiles | Sort-Object -Property tokenExpirationDateTime -Descending $TeamsDevicesStatus = "Not Supported - Token Expired on " + ($ExpiredAOSPEnrollmentProfiles[0].tokenExpirationDateTime.ToString([cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern)) } else { $TeamsDevicesStatus = "Not Supported - Multiple AOSP Enrollment Profile enabled for Teams Devices" } } else { $TeamsDevicesStatus = "Not Supported - Missing AOSP Enrollment" } $SettingPSObj = [PSCustomObject]@{ PID = "10000" PolicyName = $PolicyName PolicyPriority = "ASOP" PlatformType = "Android Open Source Project (AOSP)" TeamsDevicesStatus = $TeamsDevicesStatus PlatformBlocked = "" PersonalDeviceEnrollmentBlocked = "" osMinimumVersion = "" osMaximumVersion = "" blockedManufacturers = "" TokenExpirationDate = $TokenExpirationDate } $SettingPSObj.PSObject.TypeNames.Insert(0, 'TeamsDeviceEnrollmentPolicy') [void]$output.Add($SettingPSObj) } #endregion if ($Detailed) { if ($ExportCSV) { $output | Sort-Object PID | Select-Object PolicyName, PolicyPriority, PlatformType, AssignedToGroup, TeamsDevicesStatus, PlatformBlocked, PersonalDeviceEnrollmentBlocked, osMinimumVersion, osMaximumVersion, blockedManufacturers | Export-Csv -path $OutputFullPath -NoTypeInformation Write-Host ("Results available in: " + $OutputFullPath) -ForegroundColor Cyan return } #20231116 - Fix for empty output. else { $output | Sort-Object PID | Format-List } } else { $output | Sort-Object PID | Format-Table } } } } #EndRegion '.\Public\Test-UcTeamsDevicesEnrollmentPolicy.ps1' 249 #Region '.\Public\Test-UcTeamsOnlyDNSRequirements.ps1' -1 function Test-UcTeamsOnlyDNSRequirements { param( [Parameter(Mandatory = $false)] [string]$Domain, [switch]$All ) <# .SYNOPSIS Check if the DNS records are OK for a TeamsOnly Tenant. .DESCRIPTION This function will check if the DNS entries that were previously required. .PARAMETER Domain Specifies a domain registered with Microsoft 365 .EXAMPLE PS> Test-UcTeamsOnlyDNSRequirements .EXAMPLE PS> Test-UcTeamsOnlyDNSRequirements -Domain uclobby.com #> $outDNSRecords = [System.Collections.ArrayList]::new() if ($Domain) { $365Domains = Get-UcM365Domains -Domain $Domain | Where-Object { $_.Name -notlike "*.onmicrosoft.com" } } else { try { Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams #We only need to validate the Enable domains and exclude *.onmicrosoft.com $365Domains = Get-CsOnlineSipDomain | Where-Object { $_.Status -eq "Enabled" -and $_.Name -notlike "*.onmicrosoft.com" } } catch { Write-Host "Error: Please connect to Microsoft Teams PowerShell before running this cmdlet with Connect-MicrosoftTeams" -ForegroundColor Red return } } $DomainCount = ($365Domains.Count) $i = 1 foreach ($365Domain in $365Domains) { $tmpDomain = $365Domain.Name Write-Progress -Activity "Teams Only DNS Requirements" -Status "Checking: $tmpDomain - $i of $DomainCount" $i++ $DiscoverFQDN = "lyncdiscover." + $365Domain.Name $SIPFQDN = "sip." + $365Domain.Name $SIPTLSFQDN = "_sip._tls." + $365Domain.Name $FederationFQDN = "_sipfederationtls._tcp." + $365Domain.Name $DNSResultDiscover = (Resolve-DnsName $DiscoverFQDN -Type CNAME -ErrorAction Ignore).NameHost $DNSResultSIP = (Resolve-DnsName $SIPFQDN -Type CNAME -ErrorAction Ignore).NameHost $DNSResultSIPTLS = (Resolve-DnsName $SIPTLSFQDN -Type SRV -ErrorAction Ignore).NameTarget $DNSResultFederation = (Resolve-DnsName $FederationFQDN -Type SRV -ErrorAction Ignore) $DNSDiscover = "" if ($DNSResultDiscover -and ($All -or $DNSResultDiscover.contains("online.lync.com") -or $DNSResultDiscover.contains("online.gov.skypeforbusiness.us"))) { $DNSDiscover = $DNSResultDiscover } $DNSSIP = "" if ($DNSResultSIP -and ($All -or $DNSResultSIP.contains("online.lync.com") -or $DNSResultSIP.contains("online.gov.skypeforbusiness.us"))) { $DNSSIP = $DNSResultSIP } $DNSSIPTLS = "" if ($DNSResultSIPTLS -and ($All -or $DNSResultSIPTLS.contains("online.lync.com") -or $DNSResultSIPTLS.contains("online.gov.skypeforbusiness.us"))) { $DNSSIPTLS = $DNSResultSIPTLS } $DNSFederation = "" if ([string]::IsNullOrEmpty($DNSResultFederation.NameTarget)) { $DNSFederation = "Not configured" } elseif (($DNSResultFederation.NameTarget.equals("sipfed.online.lync.com") -or $DNSResultFederation.NameTarget.equals("sipfed.online.gov.skypeforbusiness.us")) -and $DNSResultFederation.Port -eq 5061) { $DNSFederation = "OK" } else { $DNSFederation = "NOK - " + $DNSResultFederation.NameTarget + ":" + $DNSResultFederation.Port } if ($DNSDiscover -or $DNSSIP -or $DNSSIPTLS -or $DNSFederation) { $tmpDNSRecord = New-Object -TypeName PSObject -Property @{ Domain = $365Domain.Name DiscoverRecord = $DNSDiscover SIPRecord = $DNSSIP SIPTLSRecord = $DNSSIPTLS FederationRecord = $DNSFederation } $tmpDNSRecord.PSObject.TypeNames.Insert(0, 'TeamsOnlyDNSRequirements') [void]$outDNSRecords.Add($tmpDNSRecord) } } return $outDNSRecords | Sort-Object Domain } #EndRegion '.\Public\Test-UcTeamsOnlyDNSRequirements.ps1' 94 #Region '.\Public\Update-UcTeamsDevice.ps1' -1 function Update-UcTeamsDevice { [cmdletbinding(SupportsShouldProcess)] param( [ValidateSet("Firmware", "TeamsClient", "All")] [string]$UpdateType = "All", [ValidateSet("Phone", "MTRA", "Display", "Panel")] [string]$DeviceType, [string]$DeviceID, [string]$SoftwareVersion, [string]$InputCSV, [string]$Subnet, [string]$OutputPath, [switch]$ReportOnly ) <# .SYNOPSIS Update Microsoft Teams Devices .DESCRIPTION This function will send update commands to Teams Android Devices using MS Graph. Contributors: Eileen Beato, David Paulino and Bryan Kendrick Requirements: Microsoft Graph PowerShell Module (Install-Module Microsoft.Graph) Microsoft Graph Scopes: "TeamworkDevice.ReadWrite.All","User.Read.All" .PARAMETER DeviceID Specify the Teams Admin Center Device ID that we want to update. .PARAMETER DeviceType Specifies a filter, valid options: Phone - Teams Native Phones MTRA - Microsoft Teams Room Running Android Display - Microsoft Teams Displays Panel - Microsoft Teams Panels .PARAMETER UpdateType Allow to specify which time of update we want to do: Firmware TeamsClient All .PARAMETER SoftwareVersion Allow to specify which version we want to update. .PARAMETER InputCSV When present will use this file as Input, we only need a column with Device Id. It supports files exported from Teams Admin Center (TAC). .PARAMETER Subnet Only available when using InputCSV and requires a “IP Address” column, it allows to only send updates to Teams Android devices within a subnet. Format examples: 10.0.0.0/8 192.168.0.0/24 .PARAMETER OutputPath Allows to specify the path where we want to save the results. By default will save on current user Download. .PARAMETER ReportOnly Will read Teams Device Android versions info and generate a report .EXAMPLE PS> Update-UcTeamsDevice .EXAMPLE PS> Update-UcTeamsDevice -ReportOnly .EXAMPLE PS> Update-UcTeamsDevice -InputCSV C:\Temp\DevicesList_2023-04-20_15-19-00-UTC.csv #> $regExIPAddressSubnet = "^((25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9])\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[1-9]|0)\.(25[0-5]|2[0-4][0-9]|[0-1]{1}[0-9]{2}|[1-9]{1}[0-9]{1}|[0-9]))\/(3[0-2]|[1-2]{1}[0-9]{1}|[1-9])$" if (Test-UcMgGraphConnection -Scopes "TeamworkDevice.ReadWrite.All", "User.Read.All") { $outTeamsDevices = [System.Collections.ArrayList]::new() Test-UcModuleUpdateAvailable -ModuleName UcLobbyTeams #Checking if the Subnet is valid if ($Subnet) { if (!($Subnet -match $regExIPAddressSubnet)) { Write-Host ("Error: Subnet " + $Subnet + " is invalid, please make sure the subnet is valid and in this format 10.0.0.0/8, 192.168.0.0/24") -ForegroundColor Red return } } if ($ReportOnly) { $outFileName = "UpdateTeamsDevices_ReportOnly_" + ( get-date ).ToString('yyyyMMdd-HHmmss') + ".csv" $StatusType = "offline", "critical", "nonUrgent", "healthy" } else { $outFileName = "UpdateTeamsDevices_" + ( get-date ).ToString('yyyyMMdd-HHmmss') + ".csv" $StatusType = "critical", "nonUrgent" } #Verify if the Output Path exists if ($OutputPath) { if (!(Test-Path $OutputPath -PathType Container)) { Write-Host ("Error: Invalid folder " + $OutputPath) -ForegroundColor Red return } else { $OutputFullPath = [System.IO.Path]::Combine($OutputPath, $outFileName) } } else { $OutputFullPath = [System.IO.Path]::Combine($env:USERPROFILE, "Downloads", $outFileName) } $graphRequests = [System.Collections.ArrayList]::new() if ($DeviceID) { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $DeviceID method = "GET" url = "/teamwork/devices/" + $DeviceID } [void]$graphRequests.Add($gRequestTmp) $GraphResponse = Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity "Update-UcTeamsDevices, getting device info" -IncludeBody if ($GraphResponse.status -eq 200) { $TeamsDeviceList = $GraphResponse.body } elseif ($GraphResponse.status -eq 404) { Write-Host ("Error: Device ID $DeviceID not found.") -ForegroundColor Red return } } elseif ($InputCSV) { if (Test-Path $InputCSV) { try { $TeamsDeviceInput = Import-Csv -Path $InputCSV } catch { Write-Host ("Invalid CSV input file: " + $InputCSV) -ForegroundColor Red return } foreach ($TeamsDevice in $TeamsDeviceInput) { $includeDevice = $true if ($Subnet) { $includeDevice = Test-UcIPaddressInSubnet -IPAddress $TeamsDevice.'IP Address' -Subnet $Subnet } if ($includeDevice) { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.'Device Id' method = "GET" url = "/teamwork/devices/" + $TeamsDevice.'Device Id' } [void]$graphRequests.Add($gRequestTmp) } } if ($graphRequests.Count -gt 0) { $TeamsDeviceList = (Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity "Update-UcTeamsDevices, getting device info" ) } } else { Write-Host ("Error: File not found " + $InputCSV) -ForegroundColor Red return } } else { #Currently only Android based Teams devices are supported. switch ($DeviceType) { "Phone" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "ipPhone" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'ipPhone'" } [void]$graphRequests.Add($gRequestTmp) $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "lowCostPhone" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'lowCostPhone'" } [void]$graphRequests.Add($gRequestTmp) } "MTRA" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "collaborationBar" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'collaborationBar'" } [void]$graphRequests.Add($gRequestTmp) $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "touchConsole" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'touchConsole'" } [void]$graphRequests.Add($gRequestTmp) } "Display" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "teamsDisplay" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'teamsDisplay'" } [void]$graphRequests.Add($gRequestTmp) } "Panel" { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "teamsPanel" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'teamsPanel'" } [void]$graphRequests.Add($gRequestTmp) } Default { #This is the only way to exclude MTRW and SurfaceHub by creating a request per device type. $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "ipPhone" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'ipPhone'" } [void]$graphRequests.Add($gRequestTmp) $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "lowCostPhone" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'lowCostPhone'" } [void]$graphRequests.Add($gRequestTmp) $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "collaborationBar" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'collaborationBar'" } [void]$graphRequests.Add($gRequestTmp) $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "touchConsole" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'touchConsole'" } [void]$graphRequests.Add($gRequestTmp) $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "teamsDisplay" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'teamsDisplay'" } [void]$graphRequests.Add($gRequestTmp) $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = "teamsPanel" method = "GET" url = "/teamwork/devices/?`$filter=deviceType eq 'teamsPanel'" } [void]$graphRequests.Add($gRequestTmp) } } #Using new cmdlet to get a list of devices $TeamsDeviceList = (Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity "Update-UcTeamsDevices, getting device info").value } $devicesWithUpdatePending = 0 $graphRequests = [System.Collections.ArrayList]::new() foreach ($TeamsDevice in $TeamsDeviceList) { if (($graphRequests.id -notcontains $TeamsDevice.currentuser.id) -and !([string]::IsNullOrEmpty($TeamsDevice.currentuser.id))) { $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.currentuser.id method = "GET" url = "/users/" + $TeamsDevice.currentuser.id } [void]$graphRequests.Add($gRequestTmp) } if ($TeamsDevice.healthStatus -in $StatusType -or $SoftwareVersion) { $devicesWithUpdatePending++ $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.id + "-health" method = "GET" url = "/teamwork/devices/" + $TeamsDevice.id + "/health" } [void]$graphRequests.Add($gRequestTmp) } $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.id + "-operations" method = "GET" url = "/teamwork/devices/" + $TeamsDevice.id + "/operations" } [void]$graphRequests.Add($gRequestTmp) } if ($graphRequests.Count -gt 0) { $graphResponseExtra = Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity "Update-UcTeamsDevices, getting device health info" -IncludeBody } #In case we detect more than 5 devices with updates pending we will request confirmation that we can continue. if (($devicesWithUpdatePending -ge 5) -and !$ReportOnly) { if ($ConfirmPreference) { $title = 'Confirm' $question = "There are " + $devicesWithUpdatePending + " Teams Devices pending update. Are you sure that you want to continue?" $choices = '&Yes', '&No' $decision = $Host.UI.PromptForChoice($title, $question, $choices, 1) } else { $decision = 0 } if ($decision -ne 0) { return } } $graphRequests = [System.Collections.ArrayList]::new() foreach ($TeamsDevice in $TeamsDeviceList) { if ($TeamsDevice.healthStatus -in $StatusType -or $SoftwareVersion) { $TeamsDeviceHealth = ($graphResponseExtra | Where-Object { $_.id -eq ($TeamsDevice.id + "-health") }).body #Valid types are: adminAgent, operatingSystem, teamsClient, firmware, partnerAgent, companyPortal. #Currently we only consider Firmware and TeamsApp(teamsClient) #Firmware if (($TeamsDeviceHealth.softwareUpdateHealth.firmwareSoftwareUpdateStatus.softwareFreshness.Equals("updateAvailable") -or $SoftwareVersion) -and ($UpdateType -in ("All", "Firmware"))) { if (!($ReportOnly)) { $requestHeader = New-Object 'System.Collections.Generic.Dictionary[string, string]' $requestHeader.Add("Content-Type", "application/json") $requestBody = New-Object 'System.Collections.Generic.Dictionary[string, string]' $requestBody.Add("softwareType", "firmware") if ($SoftwareVersion) { $requestBody.Add("softwareVersion", $SoftwareVersion) } else { $requestBody.Add("softwareVersion", $TeamsDeviceHealth.softwareUpdateHealth.firmwareSoftwareUpdateStatus.availableVersion) } $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.id + "-updateFirmware" method = "POST" url = "/teamwork/devices/" + $TeamsDevice.id + "/updateSoftware" body = $requestBody headers = $requestHeader } [void]$graphRequests.Add($gRequestTmp) } } #TeamsApp if (($TeamsDeviceHealth.softwareUpdateHealth.teamsClientSoftwareUpdateStatus.softwareFreshness.Equals("updateAvailable") -or $SoftwareVersion) -and ($UpdateType -in ("All", "TeamsClient"))) { if (!($ReportOnly)) { $requestHeader = New-Object 'System.Collections.Generic.Dictionary[string, string]' $requestHeader.Add("Content-Type", "application/json") $requestBody = New-Object 'System.Collections.Generic.Dictionary[string, string]' $requestBody.Add("softwareType", "teamsClient") if ($SoftwareVersion) { $requestBody.Add("softwareVersion", $SoftwareVersion) } else { $requestBody.Add("softwareVersion", $TeamsDeviceHealth.softwareUpdateHealth.teamsClientSoftwareUpdateStatus.availableVersion) } $gRequestTmp = New-Object -TypeName PSObject -Property @{ id = $TeamsDevice.id + "-updateTeamsClient" method = "POST" url = "/teamwork/devices/" + $TeamsDevice.id + "/updateSoftware" body = $requestBody headers = $requestHeader } [void]$graphRequests.Add($gRequestTmp) } } } } if ($graphRequests.Count -gt 0) { $updateGraphResponse = Invoke-UcMgGraphBatch -Requests $graphRequests -MgProfile beta -Activity "Update-UcTeamsDevices, sending update commands" -IncludeBody } foreach ($TeamsDevice in $TeamsDeviceList) { if ($TeamsDevice.healthStatus -in $StatusType -or $SoftwareVersion) { $TeamsDeviceHealth = ($graphResponseExtra | Where-Object { $_.id -eq ($TeamsDevice.id + "-health") }).body if ($ReportOnly) { $UpdateStatus = "Report Only:" $pendingUpdate = $false if ($TeamsDeviceHealth.softwareUpdateHealth.firmwareSoftwareUpdateStatus.softwareFreshness.Equals("updateAvailable") -and ($UpdateType -in ("All", "Firmware"))) { $UpdateStatus += " Firmware Update Pending;" $pendingUpdate = $true } if ($TeamsDeviceHealth.softwareUpdateHealth.teamsClientSoftwareUpdateStatus.softwareFreshness.Equals("updateAvailable") -and ($UpdateType -in ("All", "TeamsClient"))) { $UpdateStatus += " Teams App Update Pending;" $pendingUpdate = $true } if (!$pendingUpdate) { $UpdateStatus = "Report Only: No firmware or Teams App updates pending." } } else { $tmpUpdateStatus = ($updateGraphResponse | Where-Object { $_.id -eq ($TeamsDevice.id + "-updateFirmware") }) $tmpUpdateRequest = $graphRequests | Where-Object { $_.id -eq ($TeamsDevice.id + "-updateFirmware") } if ($tmpUpdateStatus.status -eq 202) { $UpdateStatus = "Firmware update request to version " + $tmpUpdateRequest.body.softwareVersion + " was queued." } elseif ($tmpUpdateStatus.status -eq 404) { $UpdateStatus = "Unknown/Invalid firmware version: " + $tmpUpdateRequest.body.softwareVersion } elseif ($tmpUpdateStatus.status -eq 409) { $UpdateStatus = "There is a firmware update pending, please check the update status." } $tmpUpdateStatus = ($updateGraphResponse | Where-Object { $_.id -eq ($TeamsDevice.id + "-updateTeamsClient") }) $tmpUpdateRequest = $graphRequests | Where-Object { $_.id -eq ($TeamsDevice.id + "-updateTeamsClient") } if ($tmpUpdateStatus.status -eq 202) { $UpdateStatus = "Teams App update request to version " + $tmpUpdateRequest.body.softwareVersion + " was queued." } elseif ($tmpUpdateStatus.status -eq 404) { $UpdateStatus = "Unknown/Invalid Teams App version: " + $tmpUpdateRequest.body.softwareVersion } elseif ($tmpUpdateStatus.status -eq 409) { $UpdateStatus = "There is a Teams App update pending, please check the update status." } } $userUPN = ($graphResponseExtra | Where-Object { $_.id -eq $TeamsDevice.currentuser.id }).body.userPrincipalName $TeamsDeviceOperations = ($graphResponseExtra | Where-Object { $_.id -eq ($TeamsDevice.id + "-operations") }).body.value $LastUpdateStatus = "" $LastUpdateInitiatedBy = "" $LastUpdateModifiedDate = "" #In this case we only need the last time we tried to udpdate. foreach ($TeamsDeviceOperation in $TeamsDeviceOperations) { if ($TeamsDeviceOperation.operationType -eq 'softwareUpdate') { $LastUpdateStatus = $TeamsDeviceOperation.status $LastUpdateInitiatedBy = $TeamsDeviceOperation.createdBy.user.displayName $LastUpdateModifiedDate = $TeamsDeviceOperation.lastActionDateTime break; } } $TDObj = New-Object -TypeName PSObject -Property @{ TACDeviceID = $TeamsDevice.id UserDisplayName = $TeamsDevice.currentuser.displayName UserUPN = $userUPN DeviceType = Convert-UcTeamsDeviceType $TeamsDevice.deviceType Manufacturer = $TeamsDevice.hardwaredetail.manufacturer Model = $TeamsDevice.hardwaredetail.model HealthStatus = $TeamsDevice.healthStatus TeamsAdminAgentCurrentVersion = $TeamsDeviceHealth.softwareUpdateHealth.adminAgentSoftwareUpdateStatus.currentVersion TeamsAdminAgentAvailableVersion = $TeamsDeviceHealth.softwareUpdateHealth.adminAgentSoftwareUpdateStatus.availableVersion FirmwareCurrentVersion = $TeamsDeviceHealth.softwareUpdateHealth.firmwareSoftwareUpdateStatus.currentVersion FirmwareAvailableVersion = $TeamsDeviceHealth.softwareUpdateHealth.firmwareSoftwareUpdateStatus.availableVersion CompanyPortalCurrentVersion = $TeamsDeviceHealth.softwareUpdateHealth.companyPortalSoftwareUpdateStatus.currentVersion CompanyPortalAvailableVersion = $TeamsDeviceHealth.softwareUpdateHealth.companyPortalSoftwareUpdateStatus.availableVersion OEMAgentAppCurrentVersion = $TeamsDeviceHealth.softwareUpdateHealth.partnerAgentSoftwareUpdateStatus.currentVersion OEMAgentAppAvailableVersion = $TeamsDeviceHealth.softwareUpdateHealth.partnerAgentSoftwareUpdateStatus.availableVersion TeamsAppCurrentVersion = $TeamsDeviceHealth.softwareUpdateHealth.teamsClientSoftwareUpdateStatus.currentVersion TeamsAppAvailableVersion = $TeamsDeviceHealth.softwareUpdateHealth.teamsClientSoftwareUpdateStatus.availableVersion UpdateStatus = $UpdateStatus #PreviousUpdate PreviousUpdateStatus = $LastUpdateStatus PreviousUpdateInitiatedBy = $LastUpdateInitiatedBy PreviousUpdateModifiedDate = $LastUpdateModifiedDate } $TDObj.PSObject.TypeNames.Insert(0, 'UpdateTeamsDevice') [void]$outTeamsDevices.Add($TDObj) } } if ( $outTeamsDevices.Count -eq 1) { return $outTeamsDevices } elseif ( $outTeamsDevices.Count -gt 1) { $outTeamsDevices | Sort-Object DeviceType, Manufacturer, Model | Select-Object TACDeviceID, DisplayName, UserUPN, DeviceType, Manufacturer, Model, HealthStatus, TeamsAdminAgentCurrentVersion, TeamsAdminAgentAvailableVersion, FirmwareCurrentVersion, FirmwareAvailableVersion, CompanyPortalCurrentVersion, CompanyPortalAvailableVersion, OEMAgentAppCurrentVersion, OEMAgentAppAvailableVersion, TeamsAppCurrentVersion, TeamsAppAvailableVersion, PreviousUpdateStatus, PreviousUpdateInitiatedBy, PreviousUpdateModifiedDate, UpdateStatus | Export-Csv -path $OutputFullPath -NoTypeInformation Write-Host ("Results available in: " + $OutputFullPath) -ForegroundColor Cyan } else { Write-Host ("No Teams Device(s) found that have pending update.") -ForegroundColor Cyan } } } #EndRegion '.\Public\Update-UcTeamsDevice.ps1' 464 |