Add handle WorkloadIdentities in CAPolicy

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1

@@ -92,6 +92,23 @@ function Get-TargetResource
         [System.String[]]
         $ExcludeExternalTenantsMembers,
 
+        [Parameter()]
+        [System.String[]]
+        $IncludeServicePrincipals,
+
+        [Parameter()]
+        [System.String[]]
+        $ExcludeServicePrincipals,
+
+        [Parameter()]
+        [ValidateSet('include', 'exclude')]
+        [System.String]
+        $ServicePrincipalFilterMode,
+
+        [Parameter()]
+        [System.String]
+        $ServicePrincipalFilterRule,
+
         #ConditionalAccessPlatformCondition
         [Parameter()]
         [System.String[]]
@@ -642,6 +659,11 @@ function Get-TargetResource
         ExcludeExternalTenantsMembershipKind     = [System.String]$Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.MembershipKind
         ExcludeExternalTenantsMembers            = [System.String[]](@() + $Policy.Conditions.Users.ExcludeGuestsOrExternalUsers.ExternalTenants.AdditionalProperties.members)
 
+        IncludeServicePrincipals                 = $Policy.Conditions.ClientApplications.IncludeServicePrincipals
+        ExcludeServicePrincipals                 = $Policy.Conditions.ClientApplications.ExcludeServicePrincipals
+        ServicePrincipalFilterMode               = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Mode
+        ServicePrincipalFilterRule               = $Policy.Conditions.ClientApplications.ServicePrincipalFilter.Rule
+
         IncludePlatforms                         = [System.String[]](@() + $Policy.Conditions.Platforms.IncludePlatforms)
         #no translation needed, return empty string array if undefined
         ExcludePlatforms                         = [System.String[]](@() + $Policy.Conditions.Platforms.ExcludePlatforms)
@@ -794,6 +816,23 @@ function Set-TargetResource
         [System.String[]]
         $ExcludeExternalTenantsMembers,
 
+        [Parameter()]
+        [System.String[]]
+        $IncludeServicePrincipals,
+
+        [Parameter()]
+        [System.String[]]
+        $ExcludeServicePrincipals,
+
+        [Parameter()]
+        [ValidateSet('include', 'exclude')]
+        [System.String]
+        $ServicePrincipalFilterMode,
+
+        [Parameter()]
+        [System.String]
+        $ServicePrincipalFilterRule,
+
         #ConditionalAccessPlatformCondition
         [Parameter()]
         [System.String[]]
@@ -1340,6 +1379,49 @@ function Set-TargetResource
             $conditions.Users.Add('excludeGuestsOrExternalUsers', $excludeGuestsOrExternalUsers)
         }
 
+        Write-Verbose -Message 'Set-Targetresource: process includeServicePrincipals'
+        if ($currentParameters.ContainsKey('IncludeServicePrincipals'))
+        {
+            if (-not $conditions.ContainsKey('clientApplications')) {
+                $conditions.Add('clientApplications', @{})
+            }
+            $conditions.clientApplications.Add('includeServicePrincipals', $IncludeServicePrincipals)
+        }
+
+        Write-Verbose -Message 'Set-Targetresource: process excludeServicePrincipals'
+        if ($currentParameters.ContainsKey('ExcludeServicePrincipals'))
+        {
+            if (-not $conditions.ContainsKey('clientApplications')) {
+                $conditions.Add('clientApplications', @{})
+            }
+            $conditions.clientApplications.Add('excludeServicePrincipals', $ExcludeServicePrincipals)
+        }
+
+        Write-Verbose -Message 'Set-Targetresource: process servicePrincipalFilter'
+        if ($currentParameters.ContainsKey('ServicePrincipalFilterMode') -and $currentParameters.ContainsKey('ServicePrincipalFilterRule'))
+        {
+            #check if the custom attribute exist.
+            $customattribute = Invoke-MgGraphRequest -Method GET -Uri https://graph.microsoft.com/v1.0/directory/customSecurityAttributeDefinitions
+            $ServicePrincipalFilterRule -match "CustomSecurityAttribute.(?<attribute>.*) -.*"
+            $attrinrule = $matches.attribute
+            if ($customattribute.value.id -contains $attrinrule){
+                if (-not $conditions.ContainsKey('clientApplications')) {
+                    $conditions.Add('clientApplications', @{})
+                }
+                $conditions.clientApplications.Add('servicePrincipalFilter', @{})
+                $conditions.clientApplications.servicePrincipalFilter.Add('mode', $ServicePrincipalFilterMode)
+                $conditions.clientApplications.servicePrincipalFilter.Add('rule', $ServicePrincipalFilterRule)
+            }
+            else{
+                $message = "Couldn't find the custom attribute $attrinrule in the tenant, couldn't add the filter to policy $DisplayName"
+                Write-Verbose -Message $message
+                New-M365DSCLogEntry -Message $message `
+                    -Source $($MyInvocation.MyCommand.Source) `
+                    -TenantId $TenantId `
+                    -Credential $Credential
+            }
+        }
+
         Write-Verbose -Message 'Set-Targetresource: process platform condition'
         if ($currentParameters.ContainsKey('IncludePlatforms') -or $currentParameters.ContainsKey('ExcludePlatforms'))
         {
@@ -1661,6 +1743,9 @@ function Set-TargetResource
         $NewParameters.Add('sessionControls', $sessioncontrols)
         #add SessionControls to the parameter list
     }
+
+    Write-Host "newparameters: $($NewParameters | ConvertTo-Json -Depth 5)"
+
     if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present')
     {
         Write-Verbose -Message "Set-Targetresource: Change policy $DisplayName"
@@ -1829,6 +1914,23 @@ function Test-TargetResource
         [System.String[]]
         $ExcludeExternalTenantsMembers,
 
+        [Parameter()]
+        [System.String[]]
+        $IncludeServicePrincipals,
+
+        [Parameter()]
+        [System.String[]]
+        $ExcludeServicePrincipals,
+
+        [Parameter()]
+        [ValidateSet('include', 'exclude')]
+        [System.String]
+        $ServicePrincipalFilterMode,
+
+        [Parameter()]
+        [System.String]
+        $ServicePrincipalFilterRule,
+
         #ConditionalAccessPlatformCondition
         [Parameter()]
         [System.String[]]

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof

@@ -21,6 +21,10 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource
     [Write, Description("Represents the Excluded internal guests or external user types. This is a multi-valued property. Supported values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, OtherExternalUser, serviceProvider and unknownFutureValue."), ValueMap{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}, Values{"none","internalGuest","b2bCollaborationGuest","b2bCollaborationMember","b2bDirectConnectUser","otherExternalUser","serviceProvider","unknownFutureValue"}] String ExcludeGuestOrExternalUserTypes[];
     [Write, Description("Represents the Excluded Tenants membership kind. The possible values are: all, enumerated, unknownFutureValue. enumerated references an object of conditionalAccessEnumeratedExternalTenants derived type."), ValueMap{"","all","enumerated","unknownFutureValue"}, Values{"","all","enumerated","unknownFutureValue"}] String ExcludeExternalTenantsMembershipKind;
     [Write, Description("Represents the Excluded collection of tenant ids in the scope of Conditional Access for guests and external users policy targeting.")] String ExcludeExternalTenantsMembers[];
+    [Write, Description("Service Principals in scope of the Policy. 'Attribute Definition Reader' role is needed.")] String IncludeServicePrincipals[];
+    [Write, Description("Service Principals out of scope of the Policy. 'Attribute Definition Reader' role is needed.")] String ExcludeServicePrincipals[];
+    [Write, Description("Mode to use for the Service Principal filter. Possible values are include or exclude. 'Attribute Definition Reader' role is needed."), ValueMap{"include","exclude"}, Values{"include","exclude"}] String ServicePrincipalFilterMode;
+    [Write, Description("Rule syntax for the Service Principal filter. 'Attribute Definition Reader' role is needed.")] String ServicePrincipalFilterRule;
     [Write, Description("Client Device Platforms in scope of the Policy.")] String IncludePlatforms[];
     [Write, Description("Client Device Platforms out of scope of the Policy.")] String ExcludePlatforms[];
     [Write, Description("AAD Named Locations in scope of the Policy.")] String IncludeLocations[];

Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/settings.json

@@ -27,6 +27,9 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "CustomSecAttributeDefinition.Read.All"
                     }
                 ],
                 "update": [
@@ -47,6 +50,9 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "CustomSecAttributeDefinition.Read.All"
                     }
                 ]
             },
@@ -69,6 +75,9 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "CustomSecAttributeDefinition.Read.All"
                     }
                 ],
                 "update": [
@@ -92,6 +101,9 @@
                     },
                     {
                         "name": "User.Read.All"
+                    },
+                    {
+                        "name": "CustomSecAttributeDefinition.Read.All"
                     }
                 ]
             }