Skip to content

Commit 2cef221

Browse files
timayabi2020timayabi2020
authored
Merge pull request #2468 from subray2014/users/subray/retireDirectorySettings
Change preapproval commandlets to not call directory settings apis
2 parents 4550a3b + 165f558 commit 2cef221

File tree

5 files changed

+138
-232
lines changed

5 files changed

+138
-232
lines changed

src/Teams/beta/custom/GetMgBetaTeamRscConfiguration_Get.cs

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -242,11 +242,6 @@ protected override void ProcessRecord()
242242

243243
WriteVerbose($"Fetched permission grant policies for tenant.");
244244

245-
// Get Group consent settings
246-
MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection = await this.Client.GetTenantConsentSettings(this, Pipeline);
247-
248-
WriteVerbose($"Fetched Tenant App Settings for tenant.");
249-
250245
if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
251246

252247
// Get authorization policy
@@ -259,7 +254,6 @@ protected override void ProcessRecord()
259254
RscConfigurationSynthesizer rscConfigurationConverter = new RscConfigurationSynthesizer();
260255
Models.IMicrosoftGraphRscConfiguration microsoftGraphRscConfiguration = rscConfigurationConverter.ConvertToTeamRscConfiguration(
261256
permissionGrantPolicyCollection,
262-
tenantConsentSettingCollection,
263257
authorizationPolicy,
264258
this);
265259

src/Teams/beta/custom/MicrosoftGraphRscConfigurationState.cs

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -24,9 +24,9 @@ public enum MicrosoftGraphRscConfigurationState
2424
EnabledForAllApps,
2525

2626
/// <summary>
27-
/// Enabled for selected group of users.
27+
/// RSC configuration is managed by Microsoft.
2828
/// </summary>
29-
EnabledForSelectedGroupOfUsers,
29+
ManagedByMicrosoft,
3030

3131
/// <summary>
3232
/// Custom configuration not understood by the sdk.

src/Teams/beta/custom/RscConfigurationSynthesizer.cs

Lines changed: 78 additions & 114 deletions
Original file line numberDiff line numberDiff line change
@@ -13,17 +13,19 @@
1313
/// </summary>
1414
internal class RscConfigurationSynthesizer
1515
{
16-
internal const string MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval = "ManagePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-chat";
16+
internal const string GroupConsentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a";
1717

18-
internal const string MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval = "ManagePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-group";
18+
internal const string MicrosoftCreatedPermissionGrantPolicyEnabledForPreapprovedAppsForChats = "ManagePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-chat";
1919

20-
internal const string MicrosoftCreatedPermissionGrantPolicyForUserConsentLegacy = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy";
20+
internal const string MicrosoftCreatedPermissionGrantPolicyEnabledForAllAppsForChats = "ManagePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-chat";
2121

22-
internal const string GroupConsentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a";
22+
internal const string MicrosoftCreatedPermissionGrantPolicyManagedByMicrosoftForChats = "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat";
2323

24-
internal const string EnableGroupSpecificConsentKey = "EnableGroupSpecificConsent";
24+
internal const string MicrosoftCreatedPermissionGrantPolicyEnabledForPreapprovedAppsForTeams = "ManagePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-team";
2525

26-
internal const string ConstrainGroupSpecificConsentToMembersOfGroupIdKey = "ConstrainGroupSpecificConsentToMembersOfGroupId";
26+
internal const string MicrosoftCreatedPermissionGrantPolicyEnabledForAllAppsForTeams = "ManagePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-team";
27+
28+
internal const string MicrosoftCreatedPermissionGrantPolicyManagedByMicrosoftForTeams = "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team";
2729

2830
/// <summary>
2931
/// Initializes a new instance of the <see cref="RscConfigurationSynthesizer"/> class.
@@ -82,33 +84,54 @@ internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration(
8284

8385
if (teamsAppSettings.IsChatResourceSpecificConsentEnabled == true)
8486
{
85-
if (assignedPermissionGrantPoliciesApplicableToChatScope.Any())
86-
{
87-
this.LogVerbose(
88-
"Chat RSC is enabled in Teams App Settings and chat scoped permission grant policies are enabled. Not a supported scenario.",
89-
eventListener);
90-
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
91-
}
92-
else
93-
{
94-
this.LogVerbose("Chat RSC is enabled in Teams App Settings.", eventListener);
95-
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps;
96-
}
87+
this.LogVerbose("Chat RSC is enabled in Teams App Settings.", eventListener);
88+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps;
9789
}
9890
else if (assignedPermissionGrantPoliciesApplicableToChatScope.Any())
9991
{
100-
if (assignedPermissionGrantPoliciesApplicableToChatScope.Any(pgp => !string.Equals(
101-
pgp.ManagePermissionGrantsForOwnedResourcePrefixedId,
102-
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval,
103-
StringComparison.OrdinalIgnoreCase)))
92+
int interestingPermissionGrantPolicyCount = assignedPermissionGrantPoliciesApplicableToChatScope.Count();
93+
94+
if (interestingPermissionGrantPolicyCount > 1)
10495
{
105-
this.LogVerbose("Unknown chat scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
96+
this.LogVerbose("Multiple chat scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
10697
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
10798
}
99+
else if (interestingPermissionGrantPolicyCount == 0)
100+
{
101+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.DisabledForAllApps;
102+
}
108103
else
109104
{
110-
this.LogVerbose("Authorization policy contains permission grant policy for chat RSC preapprovals.", eventListener);
111-
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly;
105+
MGTeamsInternalPermissionGrantPolicy interestingPermissionGrantPolicy =
106+
assignedPermissionGrantPoliciesApplicableToChatScope.Single();
107+
108+
if (string.Equals(
109+
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
110+
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyEnabledForAllAppsForChats,
111+
StringComparison.OrdinalIgnoreCase))
112+
{
113+
this.LogVerbose("Authorization policy contains permission grant policy for all chat RSC applications.", eventListener);
114+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps;
115+
}
116+
else if (string.Equals(
117+
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
118+
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyEnabledForPreapprovedAppsForChats,
119+
StringComparison.OrdinalIgnoreCase))
120+
{
121+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly;
122+
}
123+
else if (string.Equals(
124+
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
125+
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyManagedByMicrosoftForChats,
126+
StringComparison.OrdinalIgnoreCase))
127+
{
128+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.ManagedByMicrosoft;
129+
}
130+
else
131+
{
132+
this.LogVerbose("Unknown chat scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
133+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
134+
}
112135
}
113136
}
114137
else
@@ -124,12 +147,10 @@ internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration(
124147
/// Convert the given tenant settings to Team RSC configuration.
125148
/// </summary>
126149
/// <param name="permissionGrantPolicyCollection">Permission grant policy collection.</param>
127-
/// <param name="tenantConsentSettingCollection">Tenant consent setting collection.</param>
128150
/// <param name="authorizationPolicy">Authorization policy.</param>
129151
/// <returns>Rsc configuration.</returns>
130152
internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration(
131153
MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection,
132-
MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection,
133154
MGTeamsInternalAuthorizationPolicy authorizationPolicy,
134155
Runtime.IEventListener eventListener)
135156
{
@@ -140,13 +161,6 @@ internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration(
140161
"Permission grant policies were not found.");
141162
}
142163

143-
if (tenantConsentSettingCollection?.Value == null)
144-
{
145-
throw new MGTeamsInternalException(
146-
MGTeamsInternalErrorType.ResourceNotFound,
147-
"Tenant consent settings were not found.");
148-
}
149-
150164
if (authorizationPolicy == null)
151165
{
152166
throw new MGTeamsInternalException(
@@ -161,58 +175,53 @@ internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration(
161175
State = MicrosoftGraphRscConfigurationState.Custom
162176
};
163177

164-
(string isGroupConsentSettingEnabled, string groupConsentConstrainedToGroupId) projectedGroupConsentSettings = this.GetProjectedGroupConsentSettings(
165-
tenantConsentSettingCollection,
166-
authorizationPolicy,
167-
eventListener);
168-
169178
IEnumerable<MGTeamsInternalPermissionGrantPolicy> assignedPermissionGrantPoliciesApplicableToGroupScope =
170179
this.GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType(
171180
permissionGrantPolicyCollection,
172181
authorizationPolicy,
173182
MicrosoftGraphRscConfigurationScopeType.Team);
174183

175-
if (string.Equals(projectedGroupConsentSettings.isGroupConsentSettingEnabled, true.ToString(), StringComparison.OrdinalIgnoreCase))
184+
int interestingPermissionGrantPolicyCount = assignedPermissionGrantPoliciesApplicableToGroupScope.Count();
185+
186+
if (interestingPermissionGrantPolicyCount > 1)
176187
{
177-
if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any())
178-
{
179-
this.LogVerbose(
180-
"Projected group consent setting value is enabled and group scoped permission grant policies are enabled. Not a supported scenario.",
181-
eventListener);
182-
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
183-
}
184-
else if (string.IsNullOrWhiteSpace(projectedGroupConsentSettings.groupConsentConstrainedToGroupId))
188+
this.LogVerbose("Multiple group scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
189+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
190+
}
191+
else if (interestingPermissionGrantPolicyCount == 0)
192+
{
193+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.DisabledForAllApps;
194+
}
195+
else
196+
{
197+
MGTeamsInternalPermissionGrantPolicy interestingPermissionGrantPolicy = assignedPermissionGrantPoliciesApplicableToGroupScope.Single();
198+
if (string.Equals(
199+
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
200+
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyEnabledForAllAppsForTeams,
201+
StringComparison.OrdinalIgnoreCase))
185202
{
186-
this.LogVerbose("Projected group consent setting value is enabled. No constraints on users able to grant consent.", eventListener);
187203
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps;
188204
}
189-
else
205+
else if (string.Equals(
206+
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
207+
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyEnabledForPreapprovedAppsForTeams,
208+
StringComparison.OrdinalIgnoreCase))
190209
{
191-
this.LogVerbose($"Projected group consent setting value is enabled. Consent is constrained to users belonging to group '{projectedGroupConsentSettings.groupConsentConstrainedToGroupId}'.", eventListener);
192-
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForSelectedGroupOfUsers;
210+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly;
193211
}
194-
}
195-
else if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any())
196-
{
197-
if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any(pgp => !string.Equals(
198-
pgp.ManagePermissionGrantsForOwnedResourcePrefixedId,
199-
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval,
200-
StringComparison.OrdinalIgnoreCase)))
212+
else if (string.Equals(
213+
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
214+
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyManagedByMicrosoftForTeams,
215+
StringComparison.OrdinalIgnoreCase))
201216
{
202-
this.LogVerbose("Unknown group scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
203-
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
217+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.ManagedByMicrosoft;
204218
}
205219
else
206220
{
207-
this.LogVerbose("Authorization policy contains permission grant policy for team RSC preapprovals.", eventListener);
208-
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly;
221+
this.LogVerbose("Unknown group scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
222+
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
209223
}
210224
}
211-
else
212-
{
213-
this.LogVerbose("Team RSC is disabled.", eventListener);
214-
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.DisabledForAllApps;
215-
}
216225

217226
return microsoftGraphRscConfiguration;
218227
}
@@ -233,7 +242,7 @@ internal IEnumerable<MGTeamsInternalPermissionGrantPolicy> GetAssignedPermission
233242
switch (rscConfigurationScopeType)
234243
{
235244
case MicrosoftGraphRscConfigurationScopeType.Team:
236-
identitySpecificScopeType = "group";
245+
identitySpecificScopeType = "team";
237246
break;
238247

239248
case MicrosoftGraphRscConfigurationScopeType.Chat:
@@ -262,51 +271,6 @@ internal IEnumerable<MGTeamsInternalPermissionGrantPolicy> GetAssignedPermission
262271
return assignedPermissionGrantPoliciesApplicableToGivenScope;
263272
}
264273

265-
/// <summary>
266-
/// Get the projected value of group consent settings. i.e.
267-
/// 1. Whether group consent is enabled. This is derived from group consent and user consent settings.
268-
/// 2. Specific groups that group consent is restricted to.
269-
/// </summary>
270-
/// <param name="tenantConsentSettingCollection">Tenant consent setting collection.</param>
271-
/// <param name="authorizationPolicy">The authorization policy.</param>
272-
/// <param name="eventListener">The event listener.</param>
273-
/// <returns>Projected value of group consent settings.</returns>
274-
private (string isGroupConsentSettingEnabled, string groupConsentConstrainedToGroupId) GetProjectedGroupConsentSettings(
275-
MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection,
276-
MGTeamsInternalAuthorizationPolicy authorizationPolicy,
277-
IEventListener eventListener)
278-
{
279-
MGTeamsInternalTenantConsentSettings groupConsentSettings = tenantConsentSettingCollection.Value?.FirstOrDefault(
280-
v => string.Equals(v.TemplateId, RscConfigurationSynthesizer.GroupConsentSettingsTemplateId, StringComparison.OrdinalIgnoreCase));
281-
282-
if (groupConsentSettings == null)
283-
{
284-
this.LogVerbose("Group Consent settings were not found.", eventListener);
285-
286-
if (authorizationPolicy
287-
?.DefaultUserRolePermissions
288-
?.PermissionGrantPoliciesAssigned
289-
?.Contains(
290-
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForUserConsentLegacy, StringComparer.OrdinalIgnoreCase) == true)
291-
{
292-
this.LogVerbose("Legacy policy for user consent was found in default user role permissions. Projecting group consent to be true.", eventListener);
293-
return (isGroupConsentSettingEnabled: true.ToString(), groupConsentConstrainedToGroupId: null);
294-
}
295-
296-
return (isGroupConsentSettingEnabled: false.ToString(), groupConsentConstrainedToGroupId: null);
297-
}
298-
299-
MGTeamsInternalTenantConsentSettingValue isGroupConsentEnabledSettingValue = groupConsentSettings.Values?.SingleOrDefault(
300-
v => string.Equals(v.Name, RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, StringComparison.OrdinalIgnoreCase));
301-
302-
MGTeamsInternalTenantConsentSettingValue groupConsentConstrainedToGroupId = groupConsentSettings.Values?.SingleOrDefault(
303-
v => string.Equals(v.Name, RscConfigurationSynthesizer.ConstrainGroupSpecificConsentToMembersOfGroupIdKey, StringComparison.OrdinalIgnoreCase));
304-
305-
return
306-
(isGroupConsentSettingEnabled: isGroupConsentEnabledSettingValue?.Value,
307-
groupConsentConstrainedToGroupId: groupConsentConstrainedToGroupId?.Value);
308-
}
309-
310274
/// <summary>
311275
/// Log verbose.
312276
/// </summary>

0 commit comments

Comments
 (0)