From 6871b84a5b71e3de714a40aa310eb58a3b7f3ca0 Mon Sep 17 00:00:00 2001 From: James Robinson Date: Thu, 14 Sep 2023 16:20:27 +0100 Subject: [PATCH] :wrench: Add the UpdateAADSyncRule.ps1 script --- .../DisconnectAD.ps1} | 0 .../PrimaryDomainController.ps1 | 7 +++- .../UpdateAADSyncRule.ps1 | 41 +++++++++++++++++++ 3 files changed, 47 insertions(+), 1 deletion(-) rename data_safe_haven/resources/{active_directory/disconnect_ad.ps1 => desired_state_configuration/DisconnectAD.ps1} (100%) create mode 100644 data_safe_haven/resources/desired_state_configuration/UpdateAADSyncRule.ps1 diff --git a/data_safe_haven/resources/active_directory/disconnect_ad.ps1 b/data_safe_haven/resources/desired_state_configuration/DisconnectAD.ps1 similarity index 100% rename from data_safe_haven/resources/active_directory/disconnect_ad.ps1 rename to data_safe_haven/resources/desired_state_configuration/DisconnectAD.ps1 diff --git a/data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1 b/data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1 index ad92098e3c..2690968137 100644 --- a/data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1 +++ b/data_safe_haven/resources/desired_state_configuration/PrimaryDomainController.ps1 
@@ -415,9 +415,14 @@ Configuration DownloadInstallers { } xRemoteFile DisconnectAD { # from xPSDesiredStateConfiguration - Uri = "https://raw.githubusercontent.com/alan-turing-institute/data-safe-haven/python-migration/data_safe_haven/resources/active_directory/disconnect_ad.ps1" + Uri = "https://raw.githubusercontent.com/alan-turing-institute/data-safe-haven/python-migration/data_safe_haven/resources/desired_state_configuration/DisconnectAD.ps1" DestinationPath = Join-Path $DIInstallerBasePath "DisconnectAD.ps1" } + + xRemoteFile UpdateAADSyncRule { # from xPSDesiredStateConfiguration + Uri = "https://raw.githubusercontent.com/alan-turing-institute/data-safe-haven/python-migration/data_safe_haven/resources/desired_state_configuration/UpdateAADSyncRule.ps1" + DestinationPath = Join-Path $DIInstallerBasePath "UpdateAADSyncRule.ps1" + } } } diff --git a/data_safe_haven/resources/desired_state_configuration/UpdateAADSyncRule.ps1 b/data_safe_haven/resources/desired_state_configuration/UpdateAADSyncRule.ps1 new file mode 100644 index 0000000000..675981bba3 --- /dev/null +++ b/data_safe_haven/resources/desired_state_configuration/UpdateAADSyncRule.ps1 
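Review bot: The new `xRemoteFile UpdateAADSyncRule` (like the corrected DisconnectAD resource beside it) downloads a script the domain controller will presumably execute from the mutable `python-migration` branch on raw.githubusercontent.com, with nothing pinning its content — anyone who can push to that branch, or intercept the fetch, controls what is staged under `$DIInstallerBasePath`. Pin the URI to a specific commit instead of a branch name, e.g. `Uri = "https://raw.githubusercontent.com/alan-turing-institute/data-safe-haven/<commit-sha>/data_safe_haven/resources/desired_state_configuration/UpdateAADSyncRule.ps1"`, or ship the scripts with the configuration rather than fetching them at apply time. If the xPSDesiredStateConfiguration version in use exposes `Checksum`/`ChecksumType` on xRemoteFile, set those as well so a changed file fails the resource instead of being run. The enclosing `Configuration DownloadInstallers` starts and ends outside this hunk.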
@@ -0,0 +1,41 @@
+Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Force -ErrorAction Stop
+
+# Create a new rule that is a copy of the default rule
+$defaultRule = Get-ADSyncRule | Where-Object { $_.Name -eq "Out to AAD - User Join" }
+$newRule = New-ADSyncRule `
+ -Name 'Out to AAD - User Join' `
+ -Description $defaultRule.Description `
+ -Direction 'Outbound' `
+ -Precedence $defaultRule.Precedence `
+ -PrecedenceAfter $defaultRule.PrecedenceAfter `
+ -PrecedenceBefore $defaultRule.PrecedenceBefore `
+ -SourceObjectType $defaultRule.SourceObjectType `
+ -TargetObjectType $defaultRule.TargetObjectType `
+ -Connector $defaultRule.Connector `
+ -LinkType $defaultRule.LinkType `
+ -SoftDeleteExpiryInterval $defaultRule.SoftDeleteExpiryInterval `
+ -ImmutableTag '' `
+ -EnablePasswordSync
+
+# Copy all flow mappings except the usage location one
+foreach ($flow in ($defaultRule.AttributeFlowMappings | Where-Object { $_.Destination -ne "usageLocation" })) {
+ $params = @{
+ Destination = $flow.Destination
+ FlowType = $flow.FlowType
+ ValueMergeType = $flow.ValueMergeType
+ }
+ if ($flow.Source) { $params["Source"] = $flow.Source }
+ if ($flow.Expression) { $params["Expression"] = $flow.Expression }
+ $null = Add-ADSyncAttributeFlowMapping -SynchronizationRule $newRule @params
+}
+
+# Set the usage location flow mapping manually
+$null = Add-ADSyncAttributeFlowMapping -SynchronizationRule $newRule -Source @('c') -Destination 'usageLocation' -FlowType 'Direct' -ValueMergeType 'Update'
+
+# Add appropriate scope and join conditions
+$newRule.JoinFilter = $defaultRule.JoinFilter
+$newRule.ScopeFilter = $defaultRule.ScopeFilter
+
+# Remove the old rule and add the new one
+$null = Remove-ADSyncRule -SynchronizationRule $defaultRule
+Add-ADSyncRule -SynchronizationRule $newRule
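Review bot: The default rule is removed unconditionally at the end of the script, but nothing before that point is guaranteed to have succeeded — only `Import-Module` carries `-ErrorAction Stop`, so an empty result from `Get-ADSyncRule` (or several matches on a re-run, since the copy keeps the name 'Out to AAD - User Join'), a failing `New-ADSyncRule` or a failing `Add-ADSyncAttributeFlowMapping` are non-terminating under the default `$ErrorActionPreference` and the script still reaches `Remove-ADSyncRule -SynchronizationRule $defaultRule` with a null or half-built `$newRule`, leaving the tenant with no outbound user join rule at all. Set `$ErrorActionPreference = 'Stop'` at the top, fail unless the lookup yields exactly one rule, and wrap the final `Add-ADSyncRule` so the original rule is re-added if it is rejected. Removing before adding still appears necessary because the copy reuses the default rule's `Precedence`; whether `Add-ADSyncRule` accepts the previously fetched rule object for the rollback should be confirmed on a test AAD Connect server.
```powershell
$ErrorActionPreference = 'Stop'
Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Force -ErrorAction Stop

# Fail early if the source rule is missing or ambiguous (a re-run sees the copy under the same name)
$defaultRule = @(Get-ADSyncRule | Where-Object { $_.Name -eq "Out to AAD - User Join" })
if ($defaultRule.Count -ne 1) {
    throw "Expected exactly one 'Out to AAD - User Join' rule, found $($defaultRule.Count)"
}
$defaultRule = $defaultRule[0]

# … unchanged: New-ADSyncRule copy, flow mappings, join/scope filters …

# Removal must precede Add because the copy reuses the default precedence; restore the original if Add fails
$null = Remove-ADSyncRule -SynchronizationRule $defaultRule
try {
    Add-ADSyncRule -SynchronizationRule $newRule
} catch {
    Add-ADSyncRule -SynchronizationRule $defaultRule
    throw
}
```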