
Commit d0d2595

committed
Enhance Teams federation config parsing and updates
Improve parsing and comparison of Teams AllowedDomains and BlockedDomains when evaluating/updating tenant federation settings. Handles multiple API return shapes (AllowAllKnownDomains, AllowedDomain arrays, Domain arrays, empty PSObject), normalizes domain lists for comparisons, and correctly decides whether to send AllowedDomains or AllowedDomainsAsAList to Set-CsTenantFederationConfiguration. Also normalizes blocked domains comparisons, adds informational logging for detected structures and update parameters, and adjusts reporting to return consistent Current/Expected values. Minor formatting tweaks to license capability array and try/catch alignment.
1 parent 8f743a8 commit d0d2595

1 file changed

Lines changed: 93 additions & 19 deletions


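--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsFederationConfiguration.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsFederationConfiguration.ps1
@@ -33,17 +33,16 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
 #>
 
 param($Tenant, $Settings)
-$TestResult = Test-CIPPStandardLicense -StandardName 'TeamsFederationConfiguration' -TenantFilter $Tenant -RequiredCapabilities @('MCOSTANDARD', 'MCOEV', 'MCOIMP', 'TEAMS1','Teams_Room_Standard')
+$TestResult = Test-CIPPStandardLicense -StandardName 'TeamsFederationConfiguration' -TenantFilter $Tenant -RequiredCapabilities @('MCOSTANDARD', 'MCOEV', 'MCOIMP', 'TEAMS1', 'Teams_Room_Standard')
 
 if ($TestResult -eq $false) {
 return $true
 } #we're done.
 
 try {
 $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTenantFederationConfiguration' -CmdParams @{Identity = 'Global' } |
-Select-Object *
-}
-catch {
+Select-Object *
+} catch {
 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
 Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the TeamsFederationConfiguration state for $Tenant. Error: $ErrorMessage" -Sev Error
 return
@@ -56,15 +55,18 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
 'AllowAllExternal' {
 $AllowFederatedUsers = $true
 $AllowedDomains = $AllowAllKnownDomains
+$AllowedDomainsAsAList = @()
 $BlockedDomains = @()
 }
 'BlockAllExternal' {
 $AllowFederatedUsers = $false
 $AllowedDomains = $AllowAllKnownDomains
+$AllowedDomainsAsAList = @()
 $BlockedDomains = @()
 }
 'AllowSpecificExternal' {
 $AllowFederatedUsers = $true
+$AllowedDomains = $null
 $BlockedDomains = @()
 if ($null -ne $Settings.DomainList) {
 $AllowedDomainsAsAList = @($Settings.DomainList).Split(',').Trim()
@@ -74,7 +76,8 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
 }
 'BlockSpecificExternal' {
 $AllowFederatedUsers = $true
-$AllowedDomainsAsAList = 'AllowAllKnownDomains'
+$AllowedDomains = $AllowAllKnownDomains
+$AllowedDomainsAsAList = @()
 if ($null -ne $Settings.DomainList) {
 $BlockedDomains = @($Settings.DomainList).Split(',').Trim()
 } else {
@@ -87,17 +90,69 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
 }
 }
 
+# Parse current allowed domains and compare with expected configuration
 $CurrentAllowedDomains = $CurrentState.AllowedDomains
-if ($CurrentAllowedDomains.GetType().Name -eq 'PSObject') {
-$CurrentAllowedDomains = $CurrentAllowedDomains.Domain | Sort-Object
-$DomainList = ($CurrentAllowedDomains | Sort-Object) ?? @()
-$AllowedDomainsMatches = -not (Compare-Object -ReferenceObject $AllowedDomainsAsAList -DifferenceObject $DomainList)
+$AllowedDomainsMatches = $false
+$IsCurrentAllowAllKnownDomains = $false
+
+if (!$CurrentAllowedDomains) {
+# Current state has no allowed domains set
+$CurrentAllowedDomains = @()
+$AllowedDomainsMatches = (!$AllowedDomains -and $AllowedDomainsAsAList.Count -eq 0)
+} elseif ($CurrentAllowedDomains.GetType().Name -eq 'PSObject') {
+# Current state is a PSObject - check if it has AllowAllKnownDomains, AllowedDomain, or Domain property
+$properties = Get-Member -InputObject $CurrentAllowedDomains -MemberType Properties, NoteProperty
+
+if ($null -ne $CurrentAllowedDomains.AllowAllKnownDomains -or (Get-Member -InputObject $CurrentAllowedDomains -Name 'AllowAllKnownDomains')) {
+# PSObject with AllowAllKnownDomains property = Allow all known domains
+$IsCurrentAllowAllKnownDomains = $true
+$CurrentAllowedDomains = 'AllowAllKnownDomains'
+Write-Information 'Detected AllowAllKnownDomains configuration (via property)'
+$AllowedDomainsMatches = ($null -ne $AllowedDomains) -and (!$AllowedDomainsAsAList -or $AllowedDomainsAsAList.Count -eq 0)
+} elseif ($null -ne $CurrentAllowedDomains.AllowedDomain -or (Get-Member -InputObject $CurrentAllowedDomains -Name 'AllowedDomain')) {
+# PSObject with AllowedDomain property = Specific domain list (array of objects with Domain property)
+$CurrentAllowedDomains = @($CurrentAllowedDomains.AllowedDomain | ForEach-Object { $_.Domain }) | Sort-Object
+$DomainList = ($CurrentAllowedDomains | Sort-Object) ?? @()
+Write-Information "Detected AllowedDomain list: $($CurrentAllowedDomains -join ', ')"
+# Compare with expected domain list
+if ($AllowedDomainsAsAList -and $AllowedDomainsAsAList.Count -gt 0) {
+$AllowedDomainsMatches = -not (Compare-Object -ReferenceObject $AllowedDomainsAsAList -DifferenceObject $DomainList)
+} else {
+$AllowedDomainsMatches = $false
+}
+} elseif ($null -ne $CurrentAllowedDomains.Domain -or (Get-Member -InputObject $CurrentAllowedDomains -Name 'Domain')) {
+# PSObject with Domain property = Specific domain list (direct array)
+$CurrentAllowedDomains = $CurrentAllowedDomains.Domain | Sort-Object
+$DomainList = ($CurrentAllowedDomains | Sort-Object) ?? @()
+# Compare with expected domain list
+if ($AllowedDomainsAsAList -and $AllowedDomainsAsAList.Count -gt 0) {
+$AllowedDomainsMatches = -not (Compare-Object -ReferenceObject $AllowedDomainsAsAList -DifferenceObject $DomainList)
+} else {
+$AllowedDomainsMatches = $false
+}
+} elseif (!$properties -or $properties.Count -eq 0) {
+# Empty PSObject with no properties = AllowAllKnownDomains (this is how Teams API returns it)
+$IsCurrentAllowAllKnownDomains = $true
+$CurrentAllowedDomains = 'AllowAllKnownDomains'
+Write-Information 'Detected AllowAllKnownDomains configuration (empty PSObject)'
+$AllowedDomainsMatches = ($null -ne $AllowedDomains) -and (!$AllowedDomainsAsAList -or $AllowedDomainsAsAList.Count -eq 0)
+} else {
+# Unknown PSObject structure
+Write-Information "Unknown PSObject structure with properties: $($properties.Name -join ', ')"
+$CurrentAllowedDomains = @()
+$AllowedDomainsMatches = $false
+}
 } elseif ($CurrentAllowedDomains.GetType().Name -eq 'Deserialized.Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains') {
-$CurrentAllowedDomains = $CurrentAllowedDomains.ToString()
-$AllowedDomainsMatches = $CurrentAllowedDomains -eq $AllowedDomains.ToString()
+# Current state is set to AllowAllKnownDomains
+$IsCurrentAllowAllKnownDomains = $true
+# Match if expected is also AllowAllKnownDomains (not a specific list)
+$AllowedDomainsMatches = ($null -ne $AllowedDomains) -and (!$AllowedDomainsAsAList -or $AllowedDomainsAsAList.Count -eq 0)
 }
 
-$BlockedDomainsMatches = -not (Compare-Object -ReferenceObject $BlockedDomains -DifferenceObject $CurrentState.BlockedDomains)
+# Normalize blocked domains for comparison
+$CurrentBlockedDomains = $CurrentState.BlockedDomains ?? @()
+$ExpectedBlockedDomains = $BlockedDomains ?? @()
+$BlockedDomainsMatches = -not (Compare-Object -ReferenceObject $ExpectedBlockedDomains -DifferenceObject $CurrentBlockedDomains)
 
 $StateIsCorrect = ($CurrentState.AllowTeamsConsumer -eq $Settings.AllowTeamsConsumer) -and
 ($CurrentState.AllowFederatedUsers -eq $AllowFederatedUsers) -and
@@ -115,14 +170,16 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
 BlockedDomains = $BlockedDomains
 }
 
-if (!$AllowedDomainsAsAList) {
-$cmdParams.AllowedDomains = $AllowedDomains
-} else {
+if ($AllowedDomainsAsAList -and $AllowedDomainsAsAList.Count -gt 0) {
 $cmdParams.AllowedDomainsAsAList = $AllowedDomainsAsAList
+} else {
+$cmdParams.AllowedDomains = $AllowedDomains
 }
 
 try {
 New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTenantFederationConfiguration' -CmdParams $cmdParams
+Write-Information "Updated Teams Federation Configuration for tenant $Tenant with parameters: $($cmdParams | ConvertTo-Json -Compress -Depth 5)"
+
 Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Federation Configuration Policy' -sev Info
 } catch {
 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
@@ -143,17 +200,34 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
 if ($Settings.report -eq $true) {
 Add-CIPPBPAField -FieldName 'FederationConfiguration' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
 
+$CurrentAllowedDomainsForReport = if ($IsCurrentAllowAllKnownDomains) {
+'AllowAllKnownDomains'
+} elseif ($CurrentAllowedDomains) {
+$CurrentAllowedDomains
+} else {
+@()
+}
+
+# Normalize expected allowed domains for reporting
+$ExpectedAllowedDomainsForReport = if ($AllowedDomainsAsAList -and $AllowedDomainsAsAList.Count -gt 0) {
+$AllowedDomainsAsAList
+} elseif ($AllowedDomains) {
+'AllowAllKnownDomains'
+} else {
+@()
+}
+
 $CurrentValue = @{
 AllowTeamsConsumer = $CurrentState.AllowTeamsConsumer
 AllowFederatedUsers = $CurrentState.AllowFederatedUsers
-AllowedDomains = if ($CurrentAllowedDomains.GetType().Name -eq 'Deserialized.Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains') { $CurrentAllowedDomains.ToString() } else { $CurrentAllowedDomains }
-BlockedDomains = $CurrentState.BlockedDomains
+AllowedDomains = $CurrentAllowedDomainsForReport
+BlockedDomains = $CurrentBlockedDomains
 }
 $ExpectedValue = @{
 AllowTeamsConsumer = $Settings.AllowTeamsConsumer
 AllowFederatedUsers = $AllowFederatedUsers
-AllowedDomains = $AllowedDomains
-BlockedDomains = $BlockedDomains
+AllowedDomains = $ExpectedAllowedDomainsForReport
+BlockedDomains = $ExpectedBlockedDomains
 }
 Set-CIPPStandardsCompareField -FieldName 'standards.TeamsFederationConfiguration' -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -Tenant $Tenant
 }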
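Review bot: In the update path (new lines 173-177) an empty `$AllowedDomainsAsAList` now falls through to `$cmdParams.AllowedDomains = $AllowedDomains`, and the `'AllowSpecificExternal'` case (new line 69) sets `$AllowedDomains = $null`, so an allow-list standard whose `DomainList` is empty or blank would send a null `AllowedDomains` to `Set-CsTenantFederationConfiguration`. The branch that handles a missing `DomainList` lies between the hunks and the cmdlet's treatment of a null value is not visible here, so this may already be covered; if it is not, the most restrictive mode could end up applying something other than an allow-list without any error. I would refuse to send the request in that case, with a guard such as `if ($null -eq $AllowedDomains -and -not $AllowedDomainsAsAList) { return }` placed before the `try`, preceded by an error-level `Write-LogMessage`. A comment on the `else` branch should state that it is meant only for the modes that assign `$AllowAllKnownDomains`. Separately, `$CurrentState.BlockedDomains` is only null-coalesced, so if the API returns it as objects with a `Domain` property, as handled for allowed domains, the `Compare-Object` against plain strings would presumably never match and the standard would re-apply on every run.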
