chore: update settings for Edge and Defender policies
This commit is contained in:
@ -27,7 +27,7 @@ ForEach ($policie in $policies) {
|
||||
|
||||
try {
|
||||
$uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" # Using the beta version
|
||||
# $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
|
||||
$response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
|
||||
Write-Host "✅ $PolicieName - successfully imported!"
|
||||
#$response
|
||||
} catch {
|
||||
@ -39,10 +39,9 @@ ForEach ($policie in $policies) {
|
||||
# Define the dynamic membership rule
|
||||
$dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled -eq true) and (device.managementType -eq "MDM")'
|
||||
|
||||
|
||||
# Create the security group with dynamic membership
|
||||
$groupBody = @{
|
||||
displayName = "Intune - All Windows Workstations Dynamic Membership"
|
||||
displayName = "Intune - All Windows Workstations MDM"
|
||||
mailEnabled = $false
|
||||
mailNickname = "IntuneWindowsDevices"
|
||||
securityEnabled = $true
|
||||
@ -57,4 +56,26 @@ $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
|
||||
# Create the group using Invoke-MgGraphRequest
|
||||
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
|
||||
|
||||
# Define the dynamic membership rule
|
||||
$dynamicRule = '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")'
|
||||
|
||||
# Create the security group with dynamic membership
|
||||
$groupBody = @{
|
||||
displayName = "Intune - All Windows Computers"
|
||||
mailEnabled = $false
|
||||
mailNickname = "IntuneWindowsDevices"
|
||||
securityEnabled = $true
|
||||
groupTypes = @("DynamicMembership")
|
||||
membershipRule = $dynamicRule
|
||||
membershipRuleProcessingState = "On"
|
||||
}
|
||||
|
||||
# Convert the body to JSON
|
||||
$groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
|
||||
|
||||
# Create the group using Invoke-MgGraphRequest
|
||||
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
|
||||
|
||||
|
||||
|
||||
$null = Disconnect-Graph -ErrorAction SilentlyContinue
|
||||
178
NewAppReg.ps1
Normal file
178
NewAppReg.ps1
Normal file
@ -0,0 +1,178 @@
|
||||
# Ensure Microsoft.Graph module is installed
|
||||
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
|
||||
Write-Host "Installing Microsoft.Graph module..."
|
||||
Install-Module -Name Microsoft.Graph -Force -AllowClobber
|
||||
}
|
||||
|
||||
# Ensure ExchangeOnlineManagement module is installed
|
||||
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
|
||||
Write-Host "Installing ExchangeOnlineManagement Module..."
|
||||
Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber
|
||||
}
|
||||
|
||||
|
||||
# Import necessary modules
|
||||
Import-Module Microsoft.Graph.Authentication
|
||||
Import-Module Microsoft.Graph.Applications
|
||||
Import-Module ExchangeOnlineManagement
|
||||
|
||||
# Connect to Microsoft Graph with required permissions
|
||||
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All" -NoWelcome
|
||||
|
||||
# Application details
|
||||
$Name = "GraphAPI"
|
||||
$Scope = "Application.ReadWrite.All", "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Group.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration", "User.ReadWrite.All"
|
||||
|
||||
# Fetch Microsoft Graph Service Principal
|
||||
$graphSp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
|
||||
$graphRoles = $graphSp.AppRoles
|
||||
|
||||
# Debugging: Confirm AppRoles permissions
|
||||
# Write-Host "`n🔍 Retrieved AppRoles from Microsoft Graph:"
|
||||
# $graphRoles | Format-Table DisplayName, Id, Value -AutoSize
|
||||
|
||||
# Build required resource access list
|
||||
$resourceAccess = @()
|
||||
foreach ($perm in $Scope) {
|
||||
$permId = ($graphRoles | Where-Object { $_.Value -eq $perm }).Id
|
||||
if ($permId) {
|
||||
$resourceAccess += @{
|
||||
"id" = $permId
|
||||
"Type" = "Role" # Use "Scope" if using delegated permissions
|
||||
}
|
||||
} else {
|
||||
Write-Host "⚠️ Skipping $perm - Role ID not found in Microsoft Graph."
|
||||
}
|
||||
}
|
||||
|
||||
# Debugging: Confirm matched permissions
|
||||
# Write-Host "`n✅ Final Mapped Permissions:"
|
||||
# $resourceAccess | Format-Table -AutoSize
|
||||
|
||||
# Define app creation body
|
||||
$body = @{
|
||||
DisplayName = $Name
|
||||
SignInAudience = "AzureADMyOrg"
|
||||
RequiredResourceAccess = @(
|
||||
@{
|
||||
ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
|
||||
ResourceAccess = $resourceAccess
|
||||
}
|
||||
)
|
||||
}
|
||||
|
||||
# Convert body to JSON
|
||||
$payload = $body | ConvertTo-Json -Depth 4
|
||||
|
||||
# Create the application
|
||||
Write-Host "Creating Azure AD application..."
|
||||
$app = New-MgApplication -BodyParameter $payload
|
||||
|
||||
if (-not $app) {
|
||||
Write-Host "❌ Failed to create application. Exiting."
|
||||
exit
|
||||
}
|
||||
|
||||
Write-Host "✅ Application Created: $($app.Id)"
|
||||
|
||||
# Wait for the application to propagate
|
||||
Start-Sleep -Seconds 10
|
||||
Write-Host "⏳ Waiting for application propagation..."
|
||||
|
||||
# Create Service Principal
|
||||
Write-Host "Creating Service Principal..."
|
||||
$servicePrincipal = New-MgServicePrincipal -AppId $app.AppId
|
||||
|
||||
if (-not $servicePrincipal) {
|
||||
Write-Host "❌ Failed to create Service Principal. Exiting."
|
||||
exit
|
||||
}
|
||||
|
||||
Write-Host "✅ Service Principal created: $($servicePrincipal.Id)"
|
||||
|
||||
# Wait for service principal to propagate
|
||||
Start-Sleep -Seconds 10
|
||||
Write-Host "⏳ Waiting for application permissions to propagate..."
|
||||
|
||||
# Grant Admin Consent
|
||||
foreach ($access in $resourceAccess) {
|
||||
# Write-Host "`n🔹 About to grant admin consent for:"
|
||||
# Write-Host " ➜ AppRoleId: $($access.id)"
|
||||
# Write-Host " ➜ ServicePrincipalId: $($servicePrincipal.Id)"
|
||||
# Write-Host " ➜ PrincipalId: $($servicePrincipal.Id)"
|
||||
# Write-Host " ➜ ResourceId: $($graphSp.Id)"
|
||||
|
||||
try {
|
||||
$null = New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -PrincipalId $servicePrincipal.Id -ResourceId $graphSp.Id -AppRoleId $access.id
|
||||
|
||||
Write-Host "✅ Successfully granted admin consent for AppRoleId: $($access.id)"
|
||||
} catch {
|
||||
Write-Host "❌ Failed to grant admin consent for AppRoleId: $($access.id) - $_"
|
||||
}
|
||||
}
|
||||
|
||||
Write-Host "`n🎉 Admin consent process completed!"
|
||||
|
||||
# -------------------------------
|
||||
# CREATE CLIENT SECRET
|
||||
# -------------------------------
|
||||
|
||||
Write-Host "`n🔐 Creating Client Secret..."
|
||||
$secretStartDate = Get-Date
|
||||
$secretEndDate = $secretStartDate.AddYears(1) # Secret valid for 1 year
|
||||
|
||||
$clientSecret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
|
||||
DisplayName = "GraphAPI-ClientSecret"
|
||||
StartDateTime = $secretStartDate
|
||||
EndDateTime = $secretEndDate
|
||||
}
|
||||
|
||||
if (-not $clientSecret) {
|
||||
Write-Host "❌ Failed to create client secret. Exiting."
|
||||
exit
|
||||
}
|
||||
|
||||
Write-Host "✅ Client Secret Created!"
|
||||
|
||||
# -------------------------------
|
||||
# PRINT CREDENTIALS (STORE SECURELY!)
|
||||
# -------------------------------
|
||||
|
||||
$tenantId = (Get-MgOrganization).Id
|
||||
|
||||
Write-Host "`n🚀 **Application Credentials**"
|
||||
Write-Host "----------------------------------"
|
||||
Write-Host "🌐 Tenant ID: $tenantId"
|
||||
Write-Host "🔑 Client ID: $($app.AppId)"
|
||||
Write-Host "🕵️♂️ Client Secret: $($clientSecret.SecretText)"
|
||||
Write-Host "----------------------------------"
|
||||
|
||||
#Connect-ExchangeOnline -ShowBanner:$false
|
||||
|
||||
$scope = "https://graph.microsoft.com/.default"
|
||||
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
|
||||
|
||||
# Create the body for the token request
|
||||
$body = @{
|
||||
client_id = "$($app.AppId)"
|
||||
scope = $scope
|
||||
client_secret = "$($clientSecret.SecretText)"
|
||||
grant_type = "client_credentials"
|
||||
}
|
||||
|
||||
# Request the token
|
||||
$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType "application/x-www-form-urlencoded" -Body $body
|
||||
$accessToken = $tokenResponse.access_token
|
||||
|
||||
# Use the token in subsequent requests
|
||||
$headers = @{
|
||||
Authorization = "Bearer $accessToken"
|
||||
}
|
||||
$templates = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/deviceManagement/templates" -Headers $headers
|
||||
|
||||
# Output the templates
|
||||
$templates
|
||||
|
||||
$null = Disconnect-Graph -ErrorAction SilentlyContinue
|
||||
$null = Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
|
||||
|
||||
@ -1,81 +1,59 @@
|
||||
{
|
||||
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
|
||||
"createdDateTime": "2025-03-03T10:40:15.8588089Z",
|
||||
"creationSource": null,
|
||||
"description": "",
|
||||
"lastModifiedDateTime": "2025-03-03T10:40:15.8588089Z",
|
||||
"name": "LAPS",
|
||||
"name": "Windows LAPS",
|
||||
"description": "created by ourcloudnetwork.com",
|
||||
"platforms": "windows10",
|
||||
"priorityMetaData": null,
|
||||
"technologies": "mdm",
|
||||
"roleScopeTagIds": [
|
||||
"0"
|
||||
],
|
||||
"settingCount": 2,
|
||||
"technologies": "mdm",
|
||||
"id": "e7c1fcf8-13fb-42c7-a09a-3f43d7bd5cc9",
|
||||
"templateReference": {
|
||||
"templateId": "",
|
||||
"templateFamily": "none",
|
||||
"templateDisplayName": null,
|
||||
"templateDisplayVersion": null
|
||||
},
|
||||
"settings": [
|
||||
{
|
||||
"id": "0",
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
|
||||
"settingInstance": {
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
|
||||
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd",
|
||||
"settingInstanceTemplateReference": null,
|
||||
"settingDefinitionId": "device_vendor_msft_laps_policies_backupdirectory",
|
||||
"choiceSettingValue": {
|
||||
"settingValueTemplateReference": null,
|
||||
"value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1",
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
|
||||
"value": "device_vendor_msft_laps_policies_backupdirectory_1",
|
||||
"children": [
|
||||
{
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
|
||||
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays",
|
||||
"settingInstanceTemplateReference": null,
|
||||
"settingDefinitionId": "device_vendor_msft_laps_policies_passwordagedays_aad",
|
||||
"simpleSettingValue": {
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
|
||||
"settingValueTemplateReference": null,
|
||||
"value": 14
|
||||
}
|
||||
},
|
||||
{
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
|
||||
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity",
|
||||
"settingInstanceTemplateReference": null,
|
||||
"choiceSettingValue": {
|
||||
"settingValueTemplateReference": null,
|
||||
"value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4",
|
||||
"children": []
|
||||
}
|
||||
},
|
||||
{
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
|
||||
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength",
|
||||
"settingInstanceTemplateReference": null,
|
||||
"simpleSettingValue": {
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
|
||||
"settingValueTemplateReference": null,
|
||||
"value": 14
|
||||
}
|
||||
}
|
||||
]
|
||||
],
|
||||
"settingValueTemplateReference": {
|
||||
"settingValueTemplateId": "4d90f03d-e14c-43c4-86da-681da96a2f92"
|
||||
}
|
||||
},
|
||||
"settingInstanceTemplateReference": {
|
||||
"settingInstanceTemplateId": "a3270f64-e493-499d-8900-90290f61ed8a"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "1",
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting",
|
||||
"settingInstance": {
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
|
||||
"settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus",
|
||||
"settingInstanceTemplateReference": null,
|
||||
"settingDefinitionId": "device_vendor_msft_laps_policies_passwordcomplexity",
|
||||
"choiceSettingValue": {
|
||||
"settingValueTemplateReference": null,
|
||||
"value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1",
|
||||
"children": []
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
|
||||
"value": "device_vendor_msft_laps_policies_passwordcomplexity_4",
|
||||
"children": [],
|
||||
"settingValueTemplateReference": {
|
||||
"settingValueTemplateId": "aa883ab5-625e-4e3b-b830-a37a4bb8ce01"
|
||||
}
|
||||
},
|
||||
"settingInstanceTemplateReference": {
|
||||
"settingInstanceTemplateId": "8a7459e8-1d1c-458a-8906-7b27d216de52"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
],
|
||||
"templateReference": {
|
||||
"templateId": "adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1"
|
||||
}
|
||||
}
|
||||
37
policies/LAPSAdmin.json
Normal file
37
policies/LAPSAdmin.json
Normal file
@ -0,0 +1,37 @@
|
||||
{
|
||||
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
|
||||
"createdDateTime": "2025-02-05T23:10:06.2132942Z",
|
||||
"creationSource": null,
|
||||
"description": "",
|
||||
"lastModifiedDateTime": "2025-02-05T23:10:06.2132942Z",
|
||||
"name": "Windows LAPS - Enable Administrator Account",
|
||||
"platforms": "windows10",
|
||||
"priorityMetaData": null,
|
||||
"roleScopeTagIds": [
|
||||
"0"
|
||||
],
|
||||
"settingCount": 1,
|
||||
"technologies": "mdm",
|
||||
"id": "388fbf31-619d-42e9-a481-7c09c64d2266",
|
||||
"templateReference": {
|
||||
"templateId": "",
|
||||
"templateFamily": "none",
|
||||
"templateDisplayName": null,
|
||||
"templateDisplayVersion": null
|
||||
},
|
||||
"settings": [
|
||||
{
|
||||
"id": "0",
|
||||
"settingInstance": {
|
||||
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
|
||||
"settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus",
|
||||
"settingInstanceTemplateReference": null,
|
||||
"choiceSettingValue": {
|
||||
"settingValueTemplateReference": null,
|
||||
"value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1",
|
||||
"children": []
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
Reference in New Issue
Block a user