Merge pull request #1605 from jemrobinson/add-update-aad-sync-rule

Pulumi: Add update AAD sync script

data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1

@@ -415,9 +415,14 @@ Configuration DownloadInstallers {
         }
 
         xRemoteFile DisconnectAD { # from xPSDesiredStateConfiguration
-            Uri = "https://raw.githubusercontent.com/alan-turing-institute/data-safe-haven/python-migration/data_safe_haven/resources/active_directory/disconnect_ad.ps1"
+            Uri = "https://raw.githubusercontent.com/alan-turing-institute/data-safe-haven/python-migration/data_safe_haven/resources/desired_state_configuration/DisconnectAD.ps1"
             DestinationPath = Join-Path $DIInstallerBasePath "DisconnectAD.ps1"
         }
+
+        xRemoteFile UpdateAADSyncRule { # from xPSDesiredStateConfiguration
+            Uri = "https://raw.githubusercontent.com/alan-turing-institute/data-safe-haven/python-migration/data_safe_haven/resources/desired_state_configuration/UpdateAADSyncRule.ps1"
+            DestinationPath = Join-Path $DIInstallerBasePath "UpdateAADSyncRule.ps1"
+        }
     }
 }
 

data_safe_haven/resources/desired_state_configuration/UpdateAADSyncRule.ps1

@@ -0,0 +1,41 @@
+Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Force -ErrorAction Stop
+
+# Create a new rule that is a copy of the default rule
+$defaultRule = Get-ADSyncRule | Where-Object { $_.Name -eq "Out to AAD - User Join" }
+$newRule = New-ADSyncRule  `
+           -Name 'Out to AAD - User Join' `
+           -Description $defaultRule.Description `
+           -Direction 'Outbound' `
+           -Precedence $defaultRule.Precedence `
+           -PrecedenceAfter $defaultRule.PrecedenceAfter `
+           -PrecedenceBefore $defaultRule.PrecedenceBefore `
+           -SourceObjectType $defaultRule.SourceObjectType `
+           -TargetObjectType $defaultRule.TargetObjectType `
+           -Connector $defaultRule.Connector `
+           -LinkType $defaultRule.LinkType `
+           -SoftDeleteExpiryInterval $defaultRule.SoftDeleteExpiryInterval `
+           -ImmutableTag '' `
+           -EnablePasswordSync
+
+# Copy all flow mappings except the usage location one
+foreach ($flow in ($defaultRule.AttributeFlowMappings | Where-Object { $_.Destination -ne "usageLocation" })) {
+    $params = @{
+        Destination    = $flow.Destination
+        FlowType       = $flow.FlowType
+        ValueMergeType = $flow.ValueMergeType
+    }
+    if ($flow.Source) { $params["Source"] = $flow.Source }
+    if ($flow.Expression) { $params["Expression"] = $flow.Expression }
+    $null = Add-ADSyncAttributeFlowMapping -SynchronizationRule $newRule @params
+}
+
+# Set the usage location flow mapping manually
+$null = Add-ADSyncAttributeFlowMapping -SynchronizationRule $newRule -Source @('c') -Destination 'usageLocation' -FlowType 'Direct' -ValueMergeType 'Update'
+
+# Add appropriate scope and join conditions
+$newRule.JoinFilter = $defaultRule.JoinFilter
+$newRule.ScopeFilter = $defaultRule.ScopeFilter
+
+# Remove the old rule and add the new one
+$null = Remove-ADSyncRule -SynchronizationRule $defaultRule
+Add-ADSyncRule -SynchronizationRule $newRule