chore: update settings for Edge and Defender policies

2025-03-12 21:36:16 +10:00
parent 40c7895196
commit 39b6a1272d
4 changed files with 270 additions and 56 deletions
--- a/ImportPolicies.ps1
+++ b/ImportPolicies.ps1
@ -27,7 +27,7 @@ ForEach ($policie in $policies) {
    try {
        $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"  # Using the beta version
-        # $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
+        $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
        Write-Host "✅ $PolicieName - successfully imported!"
        #$response
    } catch {
@ -39,10 +39,9 @@ ForEach ($policie in $policies) {
 # Define the dynamic membership rule
 $dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled -eq true) and (device.managementType -eq "MDM")'
 # Create the security group with dynamic membership
 $groupBody = @{
-    displayName = "Intune - All Windows Workstations Dynamic Membership"
+    displayName = "Intune - All Windows Workstations MDM"
    mailEnabled = $false
    mailNickname = "IntuneWindowsDevices"
    securityEnabled = $true
@ -57,4 +56,26 @@ $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
 # Create the group using Invoke-MgGraphRequest
 Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
 # Define the dynamic membership rule
 $dynamicRule = '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")'
 # Create the security group with dynamic membership
 $groupBody = @{
    displayName = "Intune - All Windows Computers"
    mailEnabled = $false
    mailNickname = "IntuneWindowsDevices"
    securityEnabled = $true
    groupTypes = @("DynamicMembership")
    membershipRule = $dynamicRule
    membershipRuleProcessingState = "On"
 }
 # Convert the body to JSON
 $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
 # Create the group using Invoke-MgGraphRequest
 Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
 $null = Disconnect-Graph -ErrorAction SilentlyContinue
--- a/NewAppReg.ps1
+++ b/NewAppReg.ps1
@ -0,0 +1,178 @@
 # Ensure Microsoft.Graph module is installed
 if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
    Write-Host "Installing Microsoft.Graph module..."
    Install-Module -Name Microsoft.Graph -Force -AllowClobber
 }
 # Ensure ExchangeOnlineManagement module is installed
 if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
    Write-Host "Installing ExchangeOnlineManagement Module..."
    Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber
 }
 # Import necessary modules
 Import-Module Microsoft.Graph.Authentication
 Import-Module Microsoft.Graph.Applications
 Import-Module ExchangeOnlineManagement
 # Connect to Microsoft Graph with required permissions
 Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome
 # Application details
 $Name = "GraphAPI"
 $Scope = "Application.ReadWrite.All", "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Group.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration", "User.ReadWrite.All"
 # Fetch Microsoft Graph Service Principal
 $graphSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
 $graphRoles = $graphSp.AppRoles
 # Debugging: Confirm AppRoles permissions
 # Write-Host "`n🔍 Retrieved AppRoles from Microsoft Graph:"
 # $graphRoles | Format-Table DisplayName, Id, Value -AutoSize
 # Build required resource access list
 $resourceAccess = @()
 foreach ($perm in $Scope) {
    $permId = ($graphRoles | Where-Object { $_.Value -eq $perm }).Id
    if ($permId) {
        $resourceAccess += @{
            "id"   = $permId
            "Type" = "Role"  # Use "Scope" if using delegated permissions
        }
    } else {
        Write-Host "⚠️ Skipping $perm - Role ID not found in Microsoft Graph."
    }
 }
 # Debugging: Confirm matched permissions
 # Write-Host "`n✅ Final Mapped Permissions:"
 # $resourceAccess | Format-Table -AutoSize
 # Define app creation body
 $body = @{
    DisplayName            = $Name
    SignInAudience         = "AzureADMyOrg"
    RequiredResourceAccess = @(
        @{
            ResourceAppId  = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
            ResourceAccess = $resourceAccess
        }
    )
 }
 # Convert body to JSON
 $payload = $body | ConvertTo-Json -Depth 4
 # Create the application
 Write-Host "Creating Azure AD application..."
 $app = New-MgApplication -BodyParameter $payload
 if (-not $app) {
    Write-Host "❌ Failed to create application. Exiting."
    exit
 }
 Write-Host "✅ Application Created: $($app.Id)"
 # Wait for the application to propagate
 Start-Sleep -Seconds 10
 Write-Host "⏳ Waiting for application propagation..."
 # Create Service Principal
 Write-Host "Creating Service Principal..."
 $servicePrincipal = New-MgServicePrincipal -AppId $app.AppId
 if (-not $servicePrincipal) {
    Write-Host "❌ Failed to create Service Principal. Exiting."
    exit
 }
 Write-Host "✅ Service Principal created: $($servicePrincipal.Id)"
 # Wait for service principal to propagate
 Start-Sleep -Seconds 10
 Write-Host "⏳ Waiting for application permissions to propagate..."
 # Grant Admin Consent
 foreach ($access in $resourceAccess) {
    # Write-Host "`n🔹 About to grant admin consent for:"
    # Write-Host "   ➜ AppRoleId: $($access.id)"
    # Write-Host "   ➜ ServicePrincipalId: $($servicePrincipal.Id)"
    # Write-Host "   ➜ PrincipalId: $($servicePrincipal.Id)"
    # Write-Host "   ➜ ResourceId: $($graphSp.Id)"
    try {
       $null = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -PrincipalId $servicePrincipal.Id -ResourceId $graphSp.Id -AppRoleId $access.id
        Write-Host "✅ Successfully granted admin consent for AppRoleId: $($access.id)"
    } catch {
        Write-Host "❌ Failed to grant admin consent for AppRoleId: $($access.id) - $_"
    }
 }
 Write-Host "`n🎉 Admin consent process completed!"
 # -------------------------------
 # CREATE CLIENT SECRET
 # -------------------------------
 Write-Host "`n🔐 Creating Client Secret..."
 $secretStartDate = Get-Date
 $secretEndDate = $secretStartDate.AddYears(1)  # Secret valid for 1 year
 $clientSecret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "GraphAPI-ClientSecret"
    StartDateTime = $secretStartDate
    EndDateTime = $secretEndDate
 }
 if (-not $clientSecret) {
    Write-Host "❌ Failed to create client secret. Exiting."
    exit
 }
 Write-Host "✅ Client Secret Created!"
 # -------------------------------
 # PRINT CREDENTIALS (STORE SECURELY!)
 # -------------------------------
 $tenantId = (Get-MgOrganization).Id
 Write-Host "`n🚀 **Application Credentials**"
 Write-Host "----------------------------------"
 Write-Host "🌐 Tenant ID:       $tenantId"
 Write-Host "🔑 Client ID:       $($app.AppId)"
 Write-Host "🕵️‍♂️ Client Secret:  $($clientSecret.SecretText)"
 Write-Host "----------------------------------"
 #Connect-ExchangeOnline -ShowBanner:$false
 $scope = "https://graph.microsoft.com/.default"
 $tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
 # Create the body for the token request
 $body = @{
    client_id     = "$($app.AppId)"
    scope         = $scope
    client_secret = "$($clientSecret.SecretText)"
    grant_type    = "client_credentials"
 }
 # Request the token
 $tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $body
 $accessToken = $tokenResponse.access_token
 # Use the token in subsequent requests
 $headers = @{
    Authorization = "Bearer $accessToken"
 }
 $templates = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/deviceManagement/templates" -Headers $headers
 # Output the templates
 $templates
 $null = Disconnect-Graph -ErrorAction SilentlyContinue
 $null = Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
--- a/policies/LAPS.json
+++ b/policies/LAPS.json
@ -1,81 +1,59 @@
 {
-  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
+  "name": "Windows LAPS",
-  "createdDateTime": "2025-03-03T10:40:15.8588089Z",
+  "description": "created by ourcloudnetwork.com",
  "creationSource": null,
  "description": "",
  "lastModifiedDateTime": "2025-03-03T10:40:15.8588089Z",
  "name": "LAPS",
  "platforms": "windows10",
-  "priorityMetaData": null,
+  "technologies": "mdm",
  "roleScopeTagIds": [
    "0"
  ],
  "settingCount": 2,
  "technologies": "mdm",
  "id": "e7c1fcf8-13fb-42c7-a09a-3f43d7bd5cc9",
  "templateReference": {
    "templateId": "",
    "templateFamily": "none",
    "templateDisplayName": null,
    "templateDisplayVersion": null
  },
  "settings": [
    {
-      "id": "0",
+      "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
-        "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd",
+        "settingDefinitionId": "device_vendor_msft_laps_policies_backupdirectory",
        "settingInstanceTemplateReference": null,
        "choiceSettingValue": {
-          "settingValueTemplateReference": null,
+          "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
-          "value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1",
+          "value": "device_vendor_msft_laps_policies_backupdirectory_1",
          "children": [
            {
              "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
-              "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays",
+              "settingDefinitionId": "device_vendor_msft_laps_policies_passwordagedays_aad",
              "settingInstanceTemplateReference": null,
              "simpleSettingValue": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
                "settingValueTemplateReference": null,
                "value": 14
              }
            },
            {
              "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
              "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity",
              "settingInstanceTemplateReference": null,
              "choiceSettingValue": {
                "settingValueTemplateReference": null,
                "value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4",
                "children": []
              }
            },
            {
              "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
              "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength",
              "settingInstanceTemplateReference": null,
              "simpleSettingValue": {
                "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
                "settingValueTemplateReference": null,
                "value": 14
              }
            }
-          ]
+          ],
          "settingValueTemplateReference": {
            "settingValueTemplateId": "4d90f03d-e14c-43c4-86da-681da96a2f92"
          }
        },
        "settingInstanceTemplateReference": {
          "settingInstanceTemplateId": "a3270f64-e493-499d-8900-90290f61ed8a"
        }
      }
    },
    {
-      "id": "1",
+      "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
-        "settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus",
+        "settingDefinitionId": "device_vendor_msft_laps_policies_passwordcomplexity",
        "settingInstanceTemplateReference": null,
        "choiceSettingValue": {
-          "settingValueTemplateReference": null,
+          "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
-          "value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1",
+          "value": "device_vendor_msft_laps_policies_passwordcomplexity_4",
-          "children": []
+          "children": [],
          "settingValueTemplateReference": {
            "settingValueTemplateId": "aa883ab5-625e-4e3b-b830-a37a4bb8ce01"
          }
        },
        "settingInstanceTemplateReference": {
          "settingInstanceTemplateId": "8a7459e8-1d1c-458a-8906-7b27d216de52"
        }
      }
    }
-  ]
+  ],
-}
+  "templateReference": {
    "templateId": "adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1"
  }
 }
--- a/policies/LAPSAdmin.json
+++ b/policies/LAPSAdmin.json
@ -0,0 +1,37 @@
 {
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
  "createdDateTime": "2025-02-05T23:10:06.2132942Z",
  "creationSource": null,
  "description": "",
  "lastModifiedDateTime": "2025-02-05T23:10:06.2132942Z",
  "name": "Windows LAPS - Enable Administrator Account",
  "platforms": "windows10",
  "priorityMetaData": null,
  "roleScopeTagIds": [
    "0"
  ],
  "settingCount": 1,
  "technologies": "mdm",
  "id": "388fbf31-619d-42e9-a481-7c09c64d2266",
  "templateReference": {
    "templateId": "",
    "templateFamily": "none",
    "templateDisplayName": null,
    "templateDisplayVersion": null
  },
  "settings": [
    {
      "id": "0",
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
        "settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus",
        "settingInstanceTemplateReference": null,
        "choiceSettingValue": {
          "settingValueTemplateReference": null,
          "value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1",
          "children": []
        }
      }
    }
  ]
 }