@@ -33,17 +33,16 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
3333 #>
3434
3535 param ($Tenant , $Settings )
36- $TestResult = Test-CIPPStandardLicense - StandardName ' TeamsFederationConfiguration' - TenantFilter $Tenant - RequiredCapabilities @ (' MCOSTANDARD' , ' MCOEV' , ' MCOIMP' , ' TEAMS1' , ' Teams_Room_Standard' )
36+ $TestResult = Test-CIPPStandardLicense - StandardName ' TeamsFederationConfiguration' - TenantFilter $Tenant - RequiredCapabilities @ (' MCOSTANDARD' , ' MCOEV' , ' MCOIMP' , ' TEAMS1' , ' Teams_Room_Standard' )
3737
3838 if ($TestResult -eq $false ) {
3939 return $true
4040 } # we're done.
4141
4242 try {
4343 $CurrentState = New-TeamsRequest - TenantFilter $Tenant - Cmdlet ' Get-CsTenantFederationConfiguration' - CmdParams @ {Identity = ' Global' } |
44- Select-Object *
45- }
46- catch {
44+ Select-Object *
45+ } catch {
4746 $ErrorMessage = Get-NormalizedError - Message $_.Exception.Message
4847 Write-LogMessage - API ' Standards' - Tenant $Tenant - Message " Could not get the TeamsFederationConfiguration state for $Tenant . Error: $ErrorMessage " - Sev Error
4948 return
@@ -56,15 +55,18 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
5655 ' AllowAllExternal' {
5756 $AllowFederatedUsers = $true
5857 $AllowedDomains = $AllowAllKnownDomains
58+ $AllowedDomainsAsAList = @ ()
5959 $BlockedDomains = @ ()
6060 }
6161 ' BlockAllExternal' {
6262 $AllowFederatedUsers = $false
6363 $AllowedDomains = $AllowAllKnownDomains
64+ $AllowedDomainsAsAList = @ ()
6465 $BlockedDomains = @ ()
6566 }
6667 ' AllowSpecificExternal' {
6768 $AllowFederatedUsers = $true
69+ $AllowedDomains = $null
6870 $BlockedDomains = @ ()
6971 if ($null -ne $Settings.DomainList ) {
7072 $AllowedDomainsAsAList = @ ($Settings.DomainList ).Split(' ,' ).Trim()
@@ -74,7 +76,8 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
7476 }
7577 ' BlockSpecificExternal' {
7678 $AllowFederatedUsers = $true
77- $AllowedDomainsAsAList = ' AllowAllKnownDomains'
79+ $AllowedDomains = $AllowAllKnownDomains
80+ $AllowedDomainsAsAList = @ ()
7881 if ($null -ne $Settings.DomainList ) {
7982 $BlockedDomains = @ ($Settings.DomainList ).Split(' ,' ).Trim()
8083 } else {
@@ -87,17 +90,69 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
8790 }
8891 }
8992
93+ # Parse current allowed domains and compare with expected configuration
9094 $CurrentAllowedDomains = $CurrentState.AllowedDomains
91- if ($CurrentAllowedDomains.GetType ().Name -eq ' PSObject' ) {
92- $CurrentAllowedDomains = $CurrentAllowedDomains.Domain | Sort-Object
93- $DomainList = ($CurrentAllowedDomains | Sort-Object ) ?? @ ()
94- $AllowedDomainsMatches = -not (Compare-Object - ReferenceObject $AllowedDomainsAsAList - DifferenceObject $DomainList )
95+ $AllowedDomainsMatches = $false
96+ $IsCurrentAllowAllKnownDomains = $false
97+
98+ if (! $CurrentAllowedDomains ) {
99+ # Current state has no allowed domains set
100+ $CurrentAllowedDomains = @ ()
101+ $AllowedDomainsMatches = (! $AllowedDomains -and $AllowedDomainsAsAList.Count -eq 0 )
102+ } elseif ($CurrentAllowedDomains.GetType ().Name -eq ' PSObject' ) {
103+ # Current state is a PSObject - check if it has AllowAllKnownDomains, AllowedDomain, or Domain property
104+ $properties = Get-Member - InputObject $CurrentAllowedDomains - MemberType Properties, NoteProperty
105+
106+ if ($null -ne $CurrentAllowedDomains.AllowAllKnownDomains -or (Get-Member - InputObject $CurrentAllowedDomains - Name ' AllowAllKnownDomains' )) {
107+ # PSObject with AllowAllKnownDomains property = Allow all known domains
108+ $IsCurrentAllowAllKnownDomains = $true
109+ $CurrentAllowedDomains = ' AllowAllKnownDomains'
110+ Write-Information ' Detected AllowAllKnownDomains configuration (via property)'
111+ $AllowedDomainsMatches = ($null -ne $AllowedDomains ) -and (! $AllowedDomainsAsAList -or $AllowedDomainsAsAList.Count -eq 0 )
112+ } elseif ($null -ne $CurrentAllowedDomains.AllowedDomain -or (Get-Member - InputObject $CurrentAllowedDomains - Name ' AllowedDomain' )) {
113+ # PSObject with AllowedDomain property = Specific domain list (array of objects with Domain property)
114+ $CurrentAllowedDomains = @ ($CurrentAllowedDomains.AllowedDomain | ForEach-Object { $_.Domain }) | Sort-Object
115+ $DomainList = ($CurrentAllowedDomains | Sort-Object ) ?? @ ()
116+ Write-Information " Detected AllowedDomain list: $ ( $CurrentAllowedDomains -join ' , ' ) "
117+ # Compare with expected domain list
118+ if ($AllowedDomainsAsAList -and $AllowedDomainsAsAList.Count -gt 0 ) {
119+ $AllowedDomainsMatches = -not (Compare-Object - ReferenceObject $AllowedDomainsAsAList - DifferenceObject $DomainList )
120+ } else {
121+ $AllowedDomainsMatches = $false
122+ }
123+ } elseif ($null -ne $CurrentAllowedDomains.Domain -or (Get-Member - InputObject $CurrentAllowedDomains - Name ' Domain' )) {
124+ # PSObject with Domain property = Specific domain list (direct array)
125+ $CurrentAllowedDomains = $CurrentAllowedDomains.Domain | Sort-Object
126+ $DomainList = ($CurrentAllowedDomains | Sort-Object ) ?? @ ()
127+ # Compare with expected domain list
128+ if ($AllowedDomainsAsAList -and $AllowedDomainsAsAList.Count -gt 0 ) {
129+ $AllowedDomainsMatches = -not (Compare-Object - ReferenceObject $AllowedDomainsAsAList - DifferenceObject $DomainList )
130+ } else {
131+ $AllowedDomainsMatches = $false
132+ }
133+ } elseif (! $properties -or $properties.Count -eq 0 ) {
134+ # Empty PSObject with no properties = AllowAllKnownDomains (this is how Teams API returns it)
135+ $IsCurrentAllowAllKnownDomains = $true
136+ $CurrentAllowedDomains = ' AllowAllKnownDomains'
137+ Write-Information ' Detected AllowAllKnownDomains configuration (empty PSObject)'
138+ $AllowedDomainsMatches = ($null -ne $AllowedDomains ) -and (! $AllowedDomainsAsAList -or $AllowedDomainsAsAList.Count -eq 0 )
139+ } else {
140+ # Unknown PSObject structure
141+ Write-Information " Unknown PSObject structure with properties: $ ( $properties.Name -join ' , ' ) "
142+ $CurrentAllowedDomains = @ ()
143+ $AllowedDomainsMatches = $false
144+ }
95145 } elseif ($CurrentAllowedDomains.GetType ().Name -eq ' Deserialized.Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains' ) {
96- $CurrentAllowedDomains = $CurrentAllowedDomains.ToString ()
97- $AllowedDomainsMatches = $CurrentAllowedDomains -eq $AllowedDomains.ToString ()
146+ # Current state is set to AllowAllKnownDomains
147+ $IsCurrentAllowAllKnownDomains = $true
148+ # Match if expected is also AllowAllKnownDomains (not a specific list)
149+ $AllowedDomainsMatches = ($null -ne $AllowedDomains ) -and (! $AllowedDomainsAsAList -or $AllowedDomainsAsAList.Count -eq 0 )
98150 }
99151
100- $BlockedDomainsMatches = -not (Compare-Object - ReferenceObject $BlockedDomains - DifferenceObject $CurrentState.BlockedDomains )
152+ # Normalize blocked domains for comparison
153+ $CurrentBlockedDomains = $CurrentState.BlockedDomains ?? @ ()
154+ $ExpectedBlockedDomains = $BlockedDomains ?? @ ()
155+ $BlockedDomainsMatches = -not (Compare-Object - ReferenceObject $ExpectedBlockedDomains - DifferenceObject $CurrentBlockedDomains )
101156
102157 $StateIsCorrect = ($CurrentState.AllowTeamsConsumer -eq $Settings.AllowTeamsConsumer ) -and
103158 ($CurrentState.AllowFederatedUsers -eq $AllowFederatedUsers ) -and
@@ -115,14 +170,16 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
115170 BlockedDomains = $BlockedDomains
116171 }
117172
118- if (! $AllowedDomainsAsAList ) {
119- $cmdParams.AllowedDomains = $AllowedDomains
120- } else {
173+ if ($AllowedDomainsAsAList -and $AllowedDomainsAsAList.Count -gt 0 ) {
121174 $cmdParams.AllowedDomainsAsAList = $AllowedDomainsAsAList
175+ } else {
176+ $cmdParams.AllowedDomains = $AllowedDomains
122177 }
123178
124179 try {
125180 New-TeamsRequest - TenantFilter $Tenant - Cmdlet ' Set-CsTenantFederationConfiguration' - CmdParams $cmdParams
181+ Write-Information " Updated Teams Federation Configuration for tenant $Tenant with parameters: $ ( $cmdParams | ConvertTo-Json - Compress - Depth 5 ) "
182+
126183 Write-LogMessage - API ' Standards' - tenant $Tenant - message ' Updated Federation Configuration Policy' - sev Info
127184 } catch {
128185 $ErrorMessage = Get-NormalizedError - Message $_.Exception.Message
@@ -143,17 +200,34 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
143200 if ($Settings.report -eq $true ) {
144201 Add-CIPPBPAField - FieldName ' FederationConfiguration' - FieldValue $StateIsCorrect - StoreAs bool - Tenant $Tenant
145202
203+ $CurrentAllowedDomainsForReport = if ($IsCurrentAllowAllKnownDomains ) {
204+ ' AllowAllKnownDomains'
205+ } elseif ($CurrentAllowedDomains ) {
206+ $CurrentAllowedDomains
207+ } else {
208+ @ ()
209+ }
210+
211+ # Normalize expected allowed domains for reporting
212+ $ExpectedAllowedDomainsForReport = if ($AllowedDomainsAsAList -and $AllowedDomainsAsAList.Count -gt 0 ) {
213+ $AllowedDomainsAsAList
214+ } elseif ($AllowedDomains ) {
215+ ' AllowAllKnownDomains'
216+ } else {
217+ @ ()
218+ }
219+
146220 $CurrentValue = @ {
147221 AllowTeamsConsumer = $CurrentState.AllowTeamsConsumer
148222 AllowFederatedUsers = $CurrentState.AllowFederatedUsers
149- AllowedDomains = if ( $CurrentAllowedDomains .GetType ().Name -eq ' Deserialized.Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains ' ) { $CurrentAllowedDomains .ToString () } else { $CurrentAllowedDomains }
150- BlockedDomains = $CurrentState .BlockedDomains
223+ AllowedDomains = $CurrentAllowedDomainsForReport
224+ BlockedDomains = $CurrentBlockedDomains
151225 }
152226 $ExpectedValue = @ {
153227 AllowTeamsConsumer = $Settings.AllowTeamsConsumer
154228 AllowFederatedUsers = $AllowFederatedUsers
155- AllowedDomains = $AllowedDomains
156- BlockedDomains = $BlockedDomains
229+ AllowedDomains = $ExpectedAllowedDomainsForReport
230+ BlockedDomains = $ExpectedBlockedDomains
157231 }
158232 Set-CIPPStandardsCompareField - FieldName ' standards.TeamsFederationConfiguration' - CurrentValue $CurrentValue - ExpectedValue $ExpectedValue - Tenant $Tenant
159233 }
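Review bot: With `AllowSpecificExternal` and a domain list that ends up empty, the `else` at new lines 175–176 sends `AllowedDomains = $null` together with `AllowFederatedUsers = $true`, because new line 69 now sets `$AllowedDomains = $null` for that mode. Whether Teams then keeps the tenant's existing allow-all setting or rejects the call is not visible here, but neither outcome is the restricted allow-list the standard asks for, and the `! $CurrentAllowedDomains` branch at new line 101 would report a tenant with no allowed domains as compliant in that case. I would fail closed before `$cmdParams` is filled in: `if ($null -eq $AllowedDomains -and $AllowedDomainsAsAList.Count -eq 0) { throw 'AllowSpecificExternal requires a non-empty DomainList' }`. The handling of a missing `$Settings.DomainList` sits in an `else` outside these hunks, so confirm it does not already stop execution before this point.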