cisagov · schrolla · Nov 1, 2024 · Nov 1, 2024 · Dec 2, 2024 · Dec 2, 2024
diff --git a/Testing/Functional/Products/FunctionalTestUtils.ps1 b/Testing/Functional/Products/FunctionalTestUtils.ps1
@@ -264,49 +264,49 @@ function UpdateConditionalAccessPolicyByName{
   }
 }
 
-function UpdateCachedConditionalAccessPolicyByName{
-      <#
-    .SYNOPSIS
-      Wrapper function to locate a given conditional access policy by name for update within an provider setting export.
-    .PARAMETER DisplayName
-      The DisplayName of the Directory Setting to be updated.
-    .PARAMETER Updates
-      A hashtable of key/value pairs used as a splat for the Update-MgBetaDirectorySetting commandlet.
-    .PARAMETER OutputFolder
-      The folder containing the original and updated provider settings exports.
-    .NOTES
-      If more than one conditional access policy has the same DisplayName then only the first is updated.
-  #>
+function UpdateCachedConditionalAccessPolicyByName {
+  <#
+.SYNOPSIS
+  Wrapper function to locate a given conditional access policy by name for update within an provider setting export.
+.PARAMETER DisplayName
+  The DisplayName of the Directory Setting to be updated.
+.PARAMETER Updates
+  A hashtable of key/value pairs used as a splat for the Update-MgBetaDirectorySetting commandlet.
+.PARAMETER OutputFolder
+  The folder containing the original and updated provider settings exports.
+.NOTES
+  If more than one conditional access policy has the same DisplayName then only the first is updated.
+#>
   [CmdletBinding()]
   param (
-      [Parameter(Mandatory = $true)]
-      [ValidateNotNullOrEmpty()]
-      [string]
-      $DisplayName,
-      [Parameter(Mandatory = $true)]
-      [ValidateNotNullOrEmpty()]
-      [hashtable]
-      $Updates,
-      [Parameter(Mandatory = $true)]
-      [ValidateNotNullOrEmpty()]
-      [string]
-      $OutputFolder
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string]
+    $DisplayName,
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [hashtable]
+    $Updates,
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string]
+    $OutputFolder
   )
 
   $ProviderExport = LoadProviderExport($OutputFolder)
 
   $ConditionalAccessPolicies = $ProviderExport.conditional_access_policies
-  $Index = $ConditionalAccessPolicies.indexof($($ConditionalAccessPolicies.Where{$_.DisplayName -eq $DisplayName}))
+  $Index = $ConditionalAccessPolicies.indexof($($ConditionalAccessPolicies.Where{ $_.DisplayName -eq $DisplayName }))
 
-  if (-1 -ne $Index){
-    $Updates.Keys | ForEach-Object{
+  if (-1 -ne $Index) {
+    $Updates.Keys | ForEach-Object {
       try {
-          $Update = $Updates.Item($_)
-          $Policy = $ConditionalAccessPolicies[$Index]
-          Set-NestedMemberValue -InputObject $Policy -MemberPath $_  -Value $Update
+        $Update = $Updates.Item($_)
+        $Policy = $ConditionalAccessPolicies[$Index]
+        Set-NestedMemberValue -InputObject $Policy -MemberPath $_  -Value $Update
       }
       catch {
-          Write-Error "Exception:  UpdateCachedConditionalAccessPolicyByName failed"
+        Write-Error "Exception:  UpdateCachedConditionalAccessPolicyByName failed"
       }
     }
 
@@ -334,3 +334,70 @@ function LoadTestResults() {
   $IntermediateTestResults = Get-Content "$OutputFolder/TestResults.json" -Raw | ConvertFrom-Json
   $IntermediateTestResults
 }
+
+function SetAndCheckTenantSetting {
+<#
+    .SYNOPSIS
+      Function executes one script block until the second block registers it as successful or timeout occurs.
+    .PARAMETER SetBlock
+      Script block used to set the tenant setting value
+    .PARAMETER CheckBlock
+      A hashtable of key/value pairs used as a splat for the Update-MgBetaDirectorySetting commandlet.
+    .PARAMETER Retries
+      Number of times to retry the set block before failing (0 - 10)
+    .PARAMETER WaitInterval
+      Number of seconds to wait before each check, except the first which always checks immediately (0 - 3600)
+    .PARAMETER WaitOnFirstCheck
+      Delay first check by WaitInterval if true, otherwise check immediately (Default: True)
+    .NOTES
+      If the check block does not return true after the last retry, function will throw an error.
+#>
+[CmdletBinding()]
+param (
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string]
+    $SetBlock,
+    [Parameter(Mandatory = $true)]
+    [ValidateNotNullOrEmpty()]
+    [string]
+    $CheckBlock,
+    [Parameter(Mandatory = $false)]
+    [ValidateRange(0,10)]
+    [int]
+    $Retries = 3,
+    [Parameter(Mandatory = $false)]
+    [ValidateRange(0,3600)]
+    [int]
+    $WaitInterval = 10,
+    [Parameter(Mandatory = $false)]
+    [switch]
+    $WaitOnFirstCheck = $False
+)
+    $SetAttempts = 0
+
+    try {
+        $SetFunc = [ScriptBlock]::Create($SetBlock)
+        $CheckFunc = [ScriptBlock]::Create($CheckBlock)
+        do {
+            Write-Debug("Running set block: $($SetFunc.Ast.EndBlock)...")
+            Invoke-Command -ScriptBlock $SetFunc
+
+            # Sleep if not first check or option to always wait is set
+            if($SetAttempts -ne 0 -or $WaitOnFirstCheck) {
+                Write-Debug("Sleeping for $WaitInterval seconds...")
+                Start-Sleep $WaitInterval
+            }
+            Write-Debug("Running check block: $($CheckFunc.Ast.EndBlock)...")
+            $CheckSucceeded = Invoke-Command -ScriptBlock $CheckFunc
+            Write-Verbose("(Attempt $SetAttempts) Check block result = $CheckSucceeded")
+            ++$SetAttempts
+        } while(-not $CheckSucceeded -and $SetAttempts -lt $Retries)
+
+        if(-not $CheckSucceeded) {
+            throw "Unable to set value after $SetAttempts attempts."
+        }
+    } catch {
+        throw "Error executing script block: $_.StackTrace"
+    }
+}
diff --git a/Testing/Functional/Products/TestPlans/powerplatform.testplan.yaml b/Testing/Functional/Products/TestPlans/powerplatform.testplan.yaml
@@ -90,12 +90,22 @@ TestPlan:
     Tests:
       - TestDescription: MS.POWERPLATFORM.3.1v1 Non-Compliant case - Power Platform tenant isolation is NOT enabled
         Preconditions:
-          - Command: '$guid = (Get-AdminPowerAppEnvironment -Default).EnvironmentName | Select-String -Pattern "[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value; $iso = Get-PowerAppTenantIsolationPolicy -TenantId $guid; $iso.psobject.properties.value.isDisabled = $true; Set-PowerAppTenantIsolationPolicy -TenantId $guid -TenantIsolationPolicy $iso'
+          - Command: SetAndCheckTenantSetting
+            Splat:
+              SetBlock: '$guid = (Get-AdminPowerAppEnvironment -Default).EnvironmentName | Select-String -Pattern "[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value; $iso = Get-PowerAppTenantIsolationPolicy -TenantId $guid; $iso.psobject.properties.value.isDisabled = $true; Set-PowerAppTenantIsolationPolicy -TenantId $guid -TenantIsolationPolicy $iso'
+              CheckBlock: '$guid = (Get-AdminPowerAppEnvironment -Default).EnvironmentName | Select-String -Pattern "[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value; $iso = Get-PowerAppTenantIsolationPolicy -TenantId $guid; $iso.psobject.properties.value.isDisabled -eq $True'
+              Retries: 3
+              WaitInterval: 10
         Postconditions: []
         ExpectedResult: false
       - TestDescription: MS.POWERPLATFORM.3.1v1 Compliant case - Power Platform tenant isolation is enabled.
         Preconditions:
-          - Command: '$guid = (Get-AdminPowerAppEnvironment -Default).EnvironmentName | Select-String -Pattern "[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value; $iso = Get-PowerAppTenantIsolationPolicy -TenantId $guid; $iso.psobject.properties.value.isDisabled = $false; Set-PowerAppTenantIsolationPolicy -TenantId $guid -TenantIsolationPolicy $iso'
+          - Command: SetAndCheckTenantSetting
+            Splat:
+              SetBlock: '$guid = (Get-AdminPowerAppEnvironment -Default).EnvironmentName | Select-String -Pattern "[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value; $iso = Get-PowerAppTenantIsolationPolicy -TenantId $guid; $iso.psobject.properties.value.isDisabled = $false; Set-PowerAppTenantIsolationPolicy -TenantId $guid -TenantIsolationPolicy $iso'
+              CheckBlock: '$guid = (Get-AdminPowerAppEnvironment -Default).EnvironmentName | Select-String -Pattern "[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value; $iso = Get-PowerAppTenantIsolationPolicy -TenantId $guid; $iso.psobject.properties.value.isDisabled -eq $False'
+              Retries: 3
+              WaitInterval: 10
         Postconditions: []
         ExpectedResult: true