Skip to content

Commit

Permalink
Merge pull request #43 from KelvinTegelaar/master
Browse files Browse the repository at this point in the history
[pull] master from KelvinTegelaar:master
  • Loading branch information
pull[bot] authored Aug 8, 2024
2 parents a788d47 + c754b0a commit 3e3de53
Show file tree
Hide file tree
Showing 127 changed files with 5,770 additions and 353 deletions.
30 changes: 30 additions & 0 deletions .github/workflows/dev_cipphfjdq.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
# More GitHub Actions for Azure: https://github.com/Azure/actions

name: Build and deploy Powershell project to Azure Function App - cipphfjdq

on:
push:
branches:
- dev
workflow_dispatch:

env:
AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root

jobs:
deploy:
runs-on: windows-latest

steps:
- name: 'Checkout GitHub Action'
uses: actions/checkout@v4

- name: 'Run Azure Functions Action'
uses: Azure/functions-action@v1
id: fa
with:
app-name: 'cipphfjdq'
slot-name: 'Production'
package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_194504F3E0EE4941A2206C7E71DA4915 }}
30 changes: 30 additions & 0 deletions .github/workflows/dev_cippopy3o.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
# More GitHub Actions for Azure: https://github.com/Azure/actions

name: Build and deploy Powershell project to Azure Function App - cippopy3o

on:
push:
branches:
- dev
workflow_dispatch:

env:
AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root

jobs:
deploy:
runs-on: windows-latest

steps:
- name: 'Checkout GitHub Action'
uses: actions/checkout@v4

- name: 'Run Azure Functions Action'
uses: Azure/functions-action@v1
id: fa
with:
app-name: 'cippopy3o'
slot-name: 'Production'
package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B5A7200CF39F4853A33349B80D54DC99 }}
2 changes: 1 addition & 1 deletion Modules/CIPPCore/Public/Add-CIPPAzDataTableEntity.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ function Add-CIPPAzDataTableEntity {
throw "Error processing entity: $ErrorMessage Linenumber: $($_.InvocationInfo.ScriptLineNumber)"
}
} else {
Write-Information "THE ERROR IS $($_.Exception.ErrorCode). The size of the entity is $entitySize."
Write-Information "THE ERROR IS $($_.Exception.message). The size of the entity is $entitySize."
throw $_
}
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,12 @@ function Push-BPACollectData {
}
}
$Table = Get-CippTable -tablename 'cachebpav2'
Write-Host "Working on BPA for $($TenantName.displayName) with GUID $($TenantName.customerId) - Report ID $($Item.Template)"
$Rerun = Test-CIPPRerun -Type 'BPA' -Tenant $TenantName.defaultDomainName -API $Item.Template
if ($Rerun) {
Write-Host 'Detected rerun. Exiting cleanly'
exit 0
}
Write-Host "Working on BPA for $($TenantName.defaultDomainName) with GUID $($TenantName.customerId) - Report ID $($Item.Template)"
$Template = $Templates | Where-Object -Property Name -EQ -Value $Item.Template
# Build up the result object that will be stored in tables
$Result = @{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,13 @@ function Push-CIPPStandard {
$Standard = $Item.Standard
$FunctionName = 'Invoke-CIPPStandard{0}' -f $Standard
Write-Host "We'll be running $FunctionName"
$Rerun = Test-CIPPRerun -Type Standard -Tenant $Tenant -Settings $Item.Settings -API $Standard
if ($Rerun) {
Write-Host 'Detected rerun. Exiting cleanly'
exit 0
} else {
Write-Host "Rerun is set to false. We'll be running $FunctionName"
}
try {
& $FunctionName -Tenant $Item.Tenant -Settings $Item.Settings -ErrorAction Stop
} catch {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,21 +17,22 @@ Function Invoke-ExecExtensionsConfig {
#Connect-AzAccount -UseDeviceAuthentication
# Write to the Azure Functions log stream.
Write-Information 'PowerShell HTTP trigger function processed a request.'
$Body = [PSCustomObject]$Request.Body
$results = try {
if ($Request.Body.CIPPAPI.Enabled) {
if ($Body.CIPPAPI.Enabled) {
try {
$APIConfig = New-CIPPAPIConfig -ExecutingUser $Request.Headers.'x-ms-client-principal' -resetpassword $Request.Body.CIPPAPI.ResetPassword
$APIConfig = New-CIPPAPIConfig -ExecutingUser $Request.Headers.'x-ms-client-principal' -resetpassword $Body.CIPPAPI.ResetPassword
$AddedText = $APIConfig.Results
} catch {
$AddedText = ' Could not enable CIPP-API. Check the CIPP documentation for API requirements.'
$Request.Body = $Request.Body | Select-Object * -ExcludeProperty CIPPAPI
$Body = $Body | Select-Object * -ExcludeProperty CIPPAPI
}
}

# Check if NinjaOne URL is set correctly and the instance has at least version 5.6
if ($Request.Body.NinjaOne) {
if ($Body.NinjaOne) {
try {
[version]$Version = (Invoke-WebRequest -Method GET -Uri "https://$(($Request.Body.NinjaOne.Instance -replace '/ws','') -replace 'https://','')/app-version.txt" -ea stop).content
[version]$Version = (Invoke-WebRequest -Method GET -Uri "https://$(($Body.NinjaOne.Instance -replace '/ws','') -replace 'https://','')/app-version.txt" -ea stop).content
} catch {
throw "Failed to connect to NinjaOne check your Instance is set correctly eg 'app.ninjarmmm.com'"
}
Expand All @@ -41,39 +42,39 @@ Function Invoke-ExecExtensionsConfig {
}

$Table = Get-CIPPTable -TableName Extensionsconfig
foreach ($APIKey in ([pscustomobject]$Request.Body).psobject.properties.name) {
foreach ($APIKey in $Body.PSObject.Properties.Name) {
Write-Information "Working on $apikey"
if ($Request.Body.$APIKey.APIKey -eq 'SentToKeyVault' -or $Request.Body.$APIKey.APIKey -eq '') {
if ($Body.$APIKey.APIKey -eq 'SentToKeyVault' -or $Body.$APIKey.APIKey -eq '') {
Write-Information 'Not sending to keyvault. Key previously set or left blank.'
} else {
Write-Information 'writing API Key to keyvault, and clearing.'
Write-Information "$ENV:WEBSITE_DEPLOYMENT_ID"
if ($Request.Body.$APIKey.APIKey) {
if ($Body.$APIKey.APIKey) {
if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
$DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
$Secret = [PSCustomObject]@{
'PartitionKey' = $APIKey
'RowKey' = $APIKey
'APIKey' = $Request.Body.$APIKey.APIKey
'APIKey' = $Body.$APIKey.APIKey
}
Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
} else {
$null = Set-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name $APIKey -SecretValue (ConvertTo-SecureString -AsPlainText -Force -String $Request.Body.$APIKey.APIKey)
$null = Set-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name $APIKey -SecretValue (ConvertTo-SecureString -AsPlainText -Force -String $Body.$APIKey.APIKey)
}
}
if ($Request.Body.$APIKey.PSObject.Properties -notcontains 'APIKey') {
$Request.Body.$APIKey | Add-Member -MemberType NoteProperty -Name APIKey -Value 'SentToKeyVault'
if ($Body.$APIKey.PSObject.Properties.Name -notcontains 'APIKey') {
$Body.$APIKey | Add-Member -MemberType NoteProperty -Name APIKey -Value 'SentToKeyVault'
} else {
$Request.Body.$APIKey.APIKey = 'SentToKeyVault'
$Body.$APIKey.APIKey = 'SentToKeyVault'
}
}
$Request.Body.$APIKey = $Request.Body.$APIKey | Select-Object * -ExcludeProperty ResetPassword
$Body.$APIKey = $Body.$APIKey | Select-Object * -ExcludeProperty ResetPassword
}
$body = $Request.Body | Select-Object * -ExcludeProperty APIKey, Enabled | ConvertTo-Json -Depth 10 -Compress
$Body = $Body | Select-Object * -ExcludeProperty APIKey, Enabled | ConvertTo-Json -Depth 10 -Compress
$Config = @{
'PartitionKey' = 'CippExtensions'
'RowKey' = 'Config'
'config' = [string]$body
'config' = [string]$Body
}

Add-CIPPAzDataTableEntity @Table -Entity $Config -Force | Out-Null
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,7 @@ Function Invoke-ExecJITAdmin {
}
}

$Parameters = @{
$Parameters = [pscustomobject]@{
TenantFilter = $Request.Body.TenantFilter
User = @{
'UserPrincipalName' = $Username
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
function Invoke-ExecPerUserMFAAllUsers {
<#
.FUNCTIONALITY
Entrypoint
.ROLE
Identity.User.ReadWrite
#>
Param(
$Request,
$TriggerMetadata
)
$TenantFilter = $request.query.TenantFilter
$Users = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users' -tenantid $TenantFilter
$Request = @{
userId = $Users.id
TenantFilter = $tenantfilter
State = $Request.query.State
executingUser = $Request.Headers.'x-ms-client-principal'
}
$Result = Set-CIPPPerUserMFA @Request
$Body = @{
Results = @($Result)
}
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Body = $Body
})
}
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ Function Invoke-ExecSendPush {
$SPBody = [pscustomobject]@{
appId = $MFAAppID
}
$SPID = (New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $TenantFilter -type POST -body $SPBody -verbose).id
$SPID = (New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $TenantFilter -type POST -body $SPBody ).id
}


Expand All @@ -64,7 +64,7 @@ Function Invoke-ExecSendPush {
}
} | ConvertTo-Json -Depth 5

$TempPass = (New-GraphPostRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SPID/addPassword" -tenantid $TenantFilter -type POST -body $PassReqBody -verbose).secretText
$TempPass = (New-GraphPostRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SPID/addPassword" -tenantid $TenantFilter -type POST -body $PassReqBody -AsApp $true).secretText

# Give it a chance to apply
#Start-Sleep 5
Expand Down
29 changes: 20 additions & 9 deletions Modules/CIPPCore/Public/Get-CIPPMFAState.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -17,20 +17,25 @@ function Get-CIPPMFAState {
}
}

$SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $TenantFilter ).IsEnabled
try {
$SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $TenantFilter ).IsEnabled
} catch {
Write-Host "Secure Defaults not available: $($_.Exception.Message)"
}
$CAState = [System.Collections.Generic.List[object]]::new()

Try {
$MFARegistration = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails' -tenantid $TenantFilter)
$MFARegistration = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails' -tenantid $TenantFilter)
} catch {
$CAState.Add('Not Licensed for Conditional Access') | Out-Null
$MFARegistration = $null
Write-Host "User registration details not available: $($_.Exception.Message)"
}

if ($null -ne $MFARegistration) {
$CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $TenantFilter -ErrorAction Stop )

$CASuccess = $true
try {
$CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $TenantFilter -ErrorAction Stop )
foreach ($Policy in $CAPolicies) {
$IsMFAControl = $policy.grantControls.builtincontrols -eq 'mfa' -or $Policy.grantControls.authenticationStrength.requirementsSatisfied -eq 'mfa' -or $Policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa'
$IsAllApps = [bool]($Policy.conditions.applications.includeApplications -eq 'All')
Expand All @@ -51,6 +56,8 @@ function Get-CIPPMFAState {
}
}
} catch {
$CASuccess = $false
$CAError = "CA policies not available: $($_.Exception.Message)"
}
}

Expand All @@ -59,7 +66,6 @@ function Get-CIPPMFAState {

# Interact with query parameters or the body of the request.
$GraphRequest = $Users | ForEach-Object {
Write-Host 'Processing users'
$UserCAState = [System.Collections.Generic.List[object]]::new()
foreach ($CA in $CAState) {
if ($CA.IncludedUsers -eq 'All' -or $CA.IncludedUsers -contains $_.ObjectId) {
Expand All @@ -79,12 +85,16 @@ function Get-CIPPMFAState {
$CoveredByCA = 'Enforced - Specific Apps'
}
} else {
$CoveredByCA = 'Not Enforced'
if ($CASuccess -eq $false) {
$CoveredByCA = $CAError
} else {
$CoveredByCA = 'Not Enforced'
}
}

$PerUser = if ($PerUserMFAState -eq $null) { $null } else { ($PerUserMFAState | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).PerUserMFAState }

$MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).IsMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName) }
$MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName).isMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName) }

[PSCustomObject]@{
Tenant = $TenantFilter
Expand All @@ -94,8 +104,9 @@ function Get-CIPPMFAState {
AccountEnabled = $_.accountEnabled
PerUser = $PerUser
isLicensed = $_.isLicensed
MFARegistration = $MFARegUser.IsMFARegistered
MFAMethods = $MFARegUser.authMethods
MFARegistration = $MFARegUser.isMFARegistered
MFACapable = $MFARegUser.isMFACapable
MFAMethods = $MFARegUser.methodsRegistered
CoveredByCA = $CoveredByCA
CAPolicies = $UserCAState
CoveredBySD = $SecureDefaultsState
Expand Down
15 changes: 9 additions & 6 deletions Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -88,24 +88,23 @@ function Get-Tenants {
$TenantList = $ActiveRelationships | Group-Object -Property customerId | ForEach-Object {
#Write-Host "Processing $($_.Name) to add to tenant list."
$ExistingTenantInfo = Get-CIPPAzDataTableEntity @TenantsTable -Filter "PartitionKey eq 'Tenants' and RowKey eq '$($_.Name)'"

if ($TriggerRefresh.IsPresent -and $ExistingTenantInfo.customerId) {
# Reset error count
Write-Host "Resetting error count for $($_.Name)"
$ExistingTenantInfo.GraphErrorCount = 0
Add-CIPPAzDataTableEntity @TenantsTable -Entity $ExistingTenantInfo -Force | Out-Null
}

if ($ExistingTenantInfo -and $ExistingTenantInfo.RequiresRefresh -eq $false) {
#Write-Host 'Existing tenant found. We already have it cached, skipping.'
Write-Host 'Existing tenant found. We already have it cached, skipping.'
$ExistingTenantInfo
return
}
$LatestRelationship = $_.Group | Sort-Object -Property relationshipEnd | Select-Object -Last 1
$AutoExtend = ($_.Group | Where-Object { $_.autoExtend -eq $true } | Measure-Object).Count -gt 0

if (-not $SkipDomains.IsPresent) {
if (!$SkipDomains.IsPresent) {
try {
#Write-Host "Getting domains for $($_.Name)."
Write-Host "Getting domains for $($_.Name)."
$Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $LatestRelationship.customerId -NoAuthCheck:$true -ErrorAction Stop
$defaultDomainName = ($Domains | Where-Object { $_.isDefault -eq $true }).id
$initialDomainName = ($Domains | Where-Object { $_.isInitial -eq $true }).id
Expand All @@ -121,6 +120,7 @@ function Get-Tenants {
Write-LogMessage -API 'Get-Tenants' -message "Tried adding $($LatestRelationship.customerId) to tenant list but failed to get domains - $($_.Exception.Message)" -level 'Critical'
}
}
Write-Host 'finished getting domain'

$Obj = [PSCustomObject]@{
PartitionKey = 'Tenants'
Expand All @@ -143,9 +143,12 @@ function Get-Tenants {
LastRefresh = (Get-Date).ToUniversalTime()
}
if ($Obj.defaultDomainName -eq 'Invalid' -or !$Obj.defaultDomainName) {
continue
Write-Host "We're skipping $($Obj.displayName) as it has an invalid default domain name. Something is up with this instance."
return
}
Write-Host "Adding $($_.Name) to tenant list."
Add-CIPPAzDataTableEntity @TenantsTable -Entity $Obj -Force | Out-Null

$Obj
}
}
Expand Down
5 changes: 3 additions & 2 deletions Modules/CIPPCore/Public/New-CIPPBackup.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,11 @@ function New-CIPPBackup {
'templates'
'standards'
'SchedulerConfig'
'Extensions'
)
$CSVfile = foreach ($CSVTable in $BackupTables) {
$Table = Get-CippTable -tablename $CSVTable
Get-CIPPAzDataTableEntity @Table | Select-Object *, @{l = 'table'; e = { $CSVTable } }
Get-AzDataTableEntity @Table | Select-Object *, @{l = 'table'; e = { $CSVTable } }
}
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Created backup' -Sev 'Debug'
$CSVfile
Expand All @@ -37,7 +38,7 @@ function New-CIPPBackup {
}
$Table = Get-CippTable -tablename 'CIPPBackup'
try {
$Result = Add-CIPPAzDataTableEntity @Table -entity $entity -Force
$Result = Add-AzDataTableEntity @Table -entity $entity -Force
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Created CIPP Backup' -Sev 'Debug'
} catch {
$ErrorMessage = Get-CippException -Exception $_
Expand Down
Loading

0 comments on commit 3e3de53

Please sign in to comment.