Merge pull request #6114 from NikCharlebois/AADServicePrincipal---Fixes

AADServicePrincipal - Fix AppAssignedToRole Assignment on Creation

Author: NikCharlebois

CHANGELOG.md

@@ -1,6 +1,11 @@
 # Change log for Microsoft365DSC
 
-# 1.25.515.1
+# UNRELEASED
+
+* AADServicePrincipal
+  * Fixed the assignment of AppRoleAssignedTo when creatign a new Service Principal.
+
+# 1.25.514.1
 
 * AADApplication
   * Fixed an issue where the `AdminConsentGranted` property had an incorrect value.

Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1

@@ -538,15 +538,13 @@ function Set-TargetResource
         Write-Verbose -Message "Translated to AppId {$($currentParameters.AppId)}"
     }
 
+    $AppRoleAssignedToSpecified = $currentParameters.ContainsKey('AppRoleAssignedTo')
     # ServicePrincipal should exist but it doesn't
     if ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Absent')
     {
-        if ($null -ne $AppRoleAssignedTo)
-        {
-            $currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValues
-        }
         # removing Delegated permission classifications from this new call, as adding below separately
         $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null
+        $currentParameters.Remove('AppRoleAssignedTo') | Out-Null
 
         Write-Verbose -Message 'Creating new Service Principal'
         Write-Verbose -Message "With Values: $(Convert-M365DscHashtableToString -Hashtable $currentParameters)"
@@ -576,6 +574,40 @@ function Set-TargetResource
                 Invoke-MgGraphRequest -Uri $Uri -Method Post -Body $params
             }
         }
+
+        # Update AppRoleAssignedTo
+        if ($AppRoleAssignedToSpecified)
+        {
+            Write-Verbose -Message "Updating AppRoleAssignedTo value"
+            foreach ($assignment in $AppRoleAssignedTo)
+            {
+                $AppRoleAssignedToValues += @{
+                    PrincipalType = $assignment.PrincipalType
+                    Identity      = $assignment.Identity
+                }
+
+                if ($assignment.PrincipalType -eq 'User')
+                {
+                    Write-Verbose -Message "Retrieving user {$($assignment.Identity)}"
+                    $user = Get-MgUser -Filter "startswith(UserPrincipalName, '$($assignment.Identity)')"
+                    $PrincipalIdValue = $user.Id
+                }
+                else
+                {
+                    Write-Verbose -Message "Retrieving group {$($assignment.Identity)}"
+                    $group = Get-MgGroup -Filter "DisplayName eq '$($assignment.Identity)'"
+                    $PrincipalIdValue = $group.Id
+                }
+                $bodyParam = @{
+                    principalId = $PrincipalIdValue
+                    resourceId  = $newSP.Id
+                    appRoleId   = '00000000-0000-0000-0000-000000000000'
+                }
+                Write-Verbose -Message "Adding Service Principal AppRoleAssignedTo with values:`r`n$(ConvertTo-Json $bodyParam -Depth 3)"
+                New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $newSP.Id `
+                    -BodyParameter $bodyParam | Out-Null
+            }
+        }
     }
     # ServicePrincipal should exist and will be configured to desired state
     elseif ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Present')

Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1

@@ -2659,6 +2659,9 @@ Specifies the name of parameters that should not be assessed as part of the repo
 .Parameter ExcludedResources
 Specifies the name of resources that should not be assessed as part of the report.
 
+.Parameter DriftOnly
+Specifies if the report should only show properties drifts and not missing instances.
+
 .Example
 Assert-M365DSCBlueprint -BluePrintUrl 'C:\DS\blueprint.m365' -OutputReportPath 'C:\DSC\BlueprintReport.html'
 
@@ -2723,7 +2726,11 @@ function Assert-M365DSCBlueprint
 
         [Parameter()]
         [System.String[]]
-        $ExcludedResources
+        $ExcludedResources,
+
+        [Parameter()]
+        [System.Boolean]
+        $DriftOnly = $true
     )
 
     #Ensure the proper dependencies are installed in the current environment.
@@ -2827,7 +2834,7 @@ function Assert-M365DSCBlueprint
         New-M365DSCDeltaReport -Source $ExportPath `
             -Destination $LocalBluePrintPath `
             -OutputPath $OutputReportPath `
-            -DriftOnly:$true `
+            -DriftOnly $DriftOnly `
             -IsBlueprintAssessment:$true `
             -HeaderFilePath $HeaderFilePath `
             -Type $Type `