Skip to content

Commit

Permalink
Merge pull request #7 from KelvinTegelaar/master
Browse files Browse the repository at this point in the history
[pull] master from KelvinTegelaar:master
  • Loading branch information
pull[bot] authored Oct 13, 2023
2 parents d954205 + 9f2297c commit 6893c7c
Show file tree
Hide file tree
Showing 48 changed files with 6,342 additions and 673 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/dev_cipppwrro.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,4 +26,4 @@ jobs:
app-name: 'cipppwrro'
slot-name: 'Production'
package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_7CFCA05390754624B5492AF7ECD3D826 }}
publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_9E109464904540339CA94F283ACE1312 }}
2 changes: 2 additions & 0 deletions AddAPDevice/run.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,10 @@ $Result = try {
if ($groupname -in $CurrentStatus.items.id) { throw "This device batch name already exists. Please try with another name." }
$body = '{"batchId":"' + $($GroupName) + '","devices":' + $Devices + '}'
$GraphRequest = (New-GraphPostRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$TenantFilter/DeviceBatches" -body $body -scope 'https://api.partnercenter.microsoft.com/user_impersonation')
Write-Host ($GraphRequest | ConvertTo-Json)
Start-Sleep 5
$NewStatus = New-GraphgetRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$tenantfilter/DeviceBatches" -scope 'https://api.partnercenter.microsoft.com/user_impersonation'
Write-Host $($Newstatus | ConvertTo-Json)
if ($Newstatus.totalcount -eq $CurrentStatus.totalcount) { throw "We could not find the new autopilot device. Please check if your input is correct." }
Write-Host $CurrentStatus.Items
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($Request.body.TenantFilter) -message "Created Autopilot devices group. Group ID is $GroupName" -Sev "Info"
Expand Down
9 changes: 6 additions & 3 deletions AddAlert/run.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,8 @@ $Results = foreach ($Tenant in $tenants) {
try {
$TenantID = if ($tenant -ne 'AllTenants') {
(get-tenants | Where-Object -Property defaultDomainName -EQ $Tenant).customerId
} else {
}
else {
'AllTenants'
}
if ($Request.body.SetAlerts) {
Expand Down Expand Up @@ -60,7 +61,8 @@ $Results = foreach ($Tenant in $tenants) {
Push-OutputBinding -Name Subscription -Value $Params
}
}
} else {
}
else {
foreach ($eventType in $Request.body.EventTypes.value) {
$params = @{
TenantFilter = $tenant
Expand All @@ -76,7 +78,8 @@ $Results = foreach ($Tenant in $tenants) {
}
"Successfully added Alert for $($Tenant) to queue."
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Successfully added Alert for $($Tenant) to queue." -Sev 'Info'
} catch {
}
catch {
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed to add Alert for for $($Tenant) to queue" -Sev 'Error'
"Failed to add Alert for for $($Tenant) to queue $($_.Exception.message)"
}
Expand Down
49 changes: 37 additions & 12 deletions AddScheduledItem/run.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -7,20 +7,45 @@ $Table = Get-CIPPTable -TableName 'ScheduledTasks'

$propertiesToCheck = @('Webhook', 'Email', 'PSA')
$PostExecution = ($propertiesToCheck | Where-Object { $task.PostExecution.$_ -eq $true }) -join ','
$Parameters = ($task.Parameters | ConvertTo-Json -Compress)

$Parameters = [System.Collections.Hashtable]@{}
foreach ($Key in $task.Parameters.Keys) {
$Param = $task.Parameters.$Key
if ($Param.Key) {
$ht = @{}
foreach ($p in $Param) {
Write-Host $p.Key
$ht[$p.Key] = $p.Value
}
$Parameters[$Key] = [PSCustomObject]$ht
} else {
$Parameters[$Key] = $Param
}
}

$Parameters = ($Parameters | ConvertTo-Json -Compress)

$AdditionalProperties = [System.Collections.Hashtable]@{}
foreach ($Prop in $task.AdditionalProperties) {
$AdditionalProperties[$Prop.Key] = $Prop.Value
}
$AdditionalProperties = ([PSCustomObject]$AdditionalProperties | ConvertTo-Json -Compress)


if ($Parameters -eq 'null') { $Parameters = '' }
$entity = @{
PartitionKey = [string]'ScheduledTask'
TaskState = [string]'Planned'
RowKey = [string]"$(New-Guid)"
Tenant = [string]$task.TenantFilter
Name = [string]$task.Name
Command = [string]$task.Command.value
Parameters = [string]$Parameters
ScheduledTime = [string]$task.ScheduledTime
Recurrence = [string]$task.Recurrence.value
PostExecution = [string]$PostExecution
Results = 'Planned'
PartitionKey = [string]'ScheduledTask'
TaskState = [string]'Planned'
RowKey = [string]"$(New-Guid)"
Tenant = [string]$task.TenantFilter
Name = [string]$task.Name
Command = [string]$task.Command.value
Parameters = [string]$Parameters
ScheduledTime = [string]$task.ScheduledTime
Recurrence = [string]$task.Recurrence.value
PostExecution = [string]$PostExecution
AdditionalProperties = [string]$AdditionalProperties
Results = 'Planned'
}
Write-Host "entity: $($entity | ConvertTo-Json)"
Add-AzDataTableEntity @Table -Entity $entity
Expand Down
8 changes: 8 additions & 0 deletions AddUser/run.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,14 @@ try {
}
}
if ($userobj.businessPhone) { $bodytoShip | Add-Member -NotePropertyName businessPhones -NotePropertyValue @($userobj.businessPhone) }
if ($userobj.addedAttributes) {
Write-Host "Found added attribute"
Write-Host "Added attributes: $($userobj.addedAttributes | ConvertTo-Json)"
$userobj.addedAttributes.getenumerator() | ForEach-Object {
$results.add("Added property $($_.Key) with value $($_.value)")
$bodytoShip | Add-Member -NotePropertyName $_.Key -NotePropertyValue $_.Value
}
}
$bodyToShip = ConvertTo-Json -Depth 10 -InputObject $BodyToship -Compress
$GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users" -tenantid $Userobj.tenantid -type POST -body $BodyToship -verbose
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Created user $($userobj.displayname) with id $($GraphRequest.id) " -Sev "Info"
Expand Down
2 changes: 1 addition & 1 deletion Cache_SAMSetup/PermissionsTranslator.json
Original file line number Diff line number Diff line change
Expand Up @@ -2986,7 +2986,7 @@
"description": "Read activity data for your organization",
"displayName": "Allows the application to read activity data for your organization.",
"id": "594c1fb6-4f81-4475-ae41-0c394909246c",
"Origin": "Delegated",
"Origin": "Delegated (Office 365 Management)",
"userConsentDescription": "Read activity data for your organization",
"userConsentDisplayName": "Allows the application to read activity data for your organization.",
"value": "ActivityFeed.Read"
Expand Down
30 changes: 15 additions & 15 deletions EditGroup/run.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,11 @@ if ($AddMembers) {
else {
New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)" -tenantid $Userobj.tenantid -type patch -body $addmemberbody -Verbose
}
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupid) group" -Sev "Info"
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev "Info"
$body = $results.add("Success. $member has been added")
}
catch {
$body = $results.add("Failed to add member $member to $($userobj.Groupid): $($_.Exception.Message)")
$body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)")
}
}

Expand All @@ -46,7 +46,7 @@ if ($AddContacts) {
if ($userobj.groupType -eq "Distribution list" -or $userobj.groupType -eq "Mail-Enabled Security") {
$Params = @{ Identity = $userobj.groupid; Member = $member; BypassSecurityGroupManagerCheck = $true }
New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Add-DistributionGroupMember" -cmdParams $params -UseSystemMailbox $true
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupid) group" -Sev "Info"
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev "Info"
$body = $results.add("Success. $member has been added")
}
else {
Expand All @@ -55,7 +55,7 @@ if ($AddContacts) {
}
}
catch {
$body = $results.add("Failed to add member $member to $($userobj.Groupid): $($_.Exception.Message)")
$body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)")
}
}

Expand All @@ -74,14 +74,14 @@ try {
$MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid)
New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/members/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE
}
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $member from $($userobj.groupid) group" -Sev "Info"
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $member from $($userobj.groupName) group" -Sev "Info"
$body = $results.add("Success. Member $member has been removed")
}
}
}
catch {
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Add member API failed. $($_.Exception.Message)" -Sev "Error"
$body = $results.add("Could not remove $RemoveMembers from $($userobj.Groupid). $($_.Exception.Message)")
$body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). $($_.Exception.Message)")
}

$AddOwners = $userobj.Addowner.value
Expand All @@ -92,11 +92,11 @@ try {
$ID = "https://graph.microsoft.com/beta/users/" + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid).id
Write-Host $ID
$AddOwner = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/`$ref" -tenantid $Userobj.tenantid -type POST -body ('{"@odata.id": "' + $ID + '"}')
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added owner $_ to $($userobj.groupid) group" -Sev "Info"
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added owner $_ to $($userobj.groupName) group" -Sev "Info"
$body = $results.add("Success. $_ has been added")
}
catch {
$body = $results.add("Failed to add owner $_ to $($userobj.Groupid): $($_.Exception.Message)")
$body = $results.add("Failed to add owner $_ to $($userobj.groupName): $($_.Exception.Message)")
}
}

Expand All @@ -115,17 +115,17 @@ try {
$MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid)
New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE
Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $($MemberInfo.UserPrincipalname) from $($userobj.displayname) group" -Sev "Info"
$body = $results.add("Success. Member $_ has been removed from $($userobj.Groupid)")
$body = $results.add("Success. Member $_ has been removed from $($userobj.groupName)")
}
catch {
$body = $results.add("Failed to remove $_ from $($userobj.Groupid): $($_.Exception.Message)")
$body = $results.add("Failed to remove $_ from $($userobj.groupName): $($_.Exception.Message)")
}
}
}
}
catch {
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Add member API failed. $($_.Exception.Message)" -Sev "Error"
$body = $results.add("Could not remove $RemoveMembers from $($userobj.Groupid). $($_.Exception.Message)")
$body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). $($_.Exception.Message)")
}

if ($userobj.allowExternal -eq 'true') {
Expand All @@ -138,13 +138,13 @@ if ($userobj.allowExternal -eq 'true') {
$Params = @{ Identity = $userobj.groupid; RequireSenderAuthenticationEnabled = $false }
New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Set-UnifiedGroup" -cmdParams $params
}
$body = $results.add("Allowed external senders to send to $($userobj.Groupid).")
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Allowed external senders to send to $($userobj.Groupid)" -Sev "Error"
$body = $results.add("Allowed external senders to send to $($userobj.groupName).")
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Allowed external senders to send to $($userobj.groupName)" -Sev "Error"

}
catch {
$body = $results.add("Failed to allow external senders to send to $($userobj.Groupid).")
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to allow external senders for $($userobj.Groupid). $($_.Exception.Message)" -Sev "Error"
$body = $results.add("Failed to allow external senders to send to $($userobj.groupName).")
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to allow external senders for $($userobj.groupName). $($_.Exception.Message)" -Sev "Error"
}

}
Expand Down
18 changes: 18 additions & 0 deletions ExecAddMultiTenantApp/function.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{
"scriptFile": "../Modules/CippEntryPoints/CippEntryPoints.psm1",
"entryPoint": "Receive-CippHttpTrigger",
"bindings": [
{
"authLevel": "anonymous",
"type": "httpTrigger",
"direction": "in",
"name": "Request",
"methods": ["get", "post"]
},
{
"type": "http",
"direction": "out",
"name": "Response"
}
]
}
90 changes: 7 additions & 83 deletions ExecCPVPermissions/run.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -9,93 +9,17 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."

# Interact with query parameters or the body of the request.
$TenantFilter = $Request.Query.TenantFilter
Set-Location (Get-Item $PSScriptRoot).Parent.FullName

$Translator = Get-Content '.\Cache_SAMSetup\PermissionsTranslator.json' | ConvertFrom-Json
$ExpectedPermissions = Get-Content '.\Cache_SAMSetup\SAMManifest.json' | ConvertFrom-Json
try {
$DeleteOldPermissions = New-GraphpostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($env:ApplicationID)" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID

}
catch {
"no old permissions to delete, moving on"
}

$GraphRequest = $ExpectedPermissions.requiredResourceAccess | ForEach-Object {
try {
$Resource = $_
$Permissionsname = switch ($Resource.ResourceAppId) {
'00000002-0000-0ff1-ce00-000000000000' { 'Office 365 Exchange Online' }
'00000003-0000-0000-c000-000000000000' { "Graph API" }
'fc780465-2017-40d4-a0c5-307022471b92' { 'WindowsDefenderATP' }
'00000003-0000-0ff1-ce00-000000000000' { 'Sharepoint' }
'48ac35b8-9aa8-4d74-927d-1f4a14a0b239' { 'Skype and Teams Tenant Admin API' }
'c5393580-f805-4401-95e8-94b7a6ef2fc2' { 'Office 365 Management API' }

}
$Scope = ($Translator | Where-Object { $_.id -in $Resource.ResourceAccess.id } | Where-Object { $_.value -notin 'profile', 'openid', 'offline_access' }).value -join ', '
if ($Scope) {
$RequiredCPVPerms = [PSCustomObject]@{
EnterpriseApplicationId = $_.ResourceAppId
Scope = "$Scope"
}
$AppBody = @"
{
"ApplicationGrants":[ $(ConvertTo-Json -InputObject $RequiredCPVPerms -Compress -Depth 10)],
"ApplicationId": "$($env:ApplicationID)"}
"@
$CPVConsent = New-GraphpostRequest -body $AppBody -Type POST -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID
"Succesfully set CPV permissions for $Permissionsname"

}
}
catch {
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not set CPV permissions for $PermissionsName. Does the Tenant have a license for this API. error: $($_.Exception.message)" -Sev "Error"
"Could not set CPV permissions for $PermissionsName. Does the Tenant have a license for this API? Error: $($_.Exception.message)"
}
}

try {
$ourSVCPrincipal = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($ENV:applicationid)')" -tenantid $Tenantfilter
$CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $tenantfilter

$TenantFilter = (get-tenants -IncludeAll -IncludeErrors | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName
Write-Host "Our Tenantfilter is $TenantFilter"
$GraphRequest = try {
Set-CIPPCPVConsent -Tenantfilter $TenantFilter
Add-CIPPApplicationPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter
Add-CIPPDelegatedPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter
}
catch {
#this try catch exists because of 500 errors when the app principal does not exist. :)
}
# if the app svc principal exists, consent app permissions
$apps = $ExpectedPermissions
#get current roles
#If
$Grants = foreach ($App in $apps.requiredResourceAccess) {
try {
$svcPrincipalId = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($app.resourceAppId)')" -tenantid $tenantfilter
}
catch {
continue
}
foreach ($SingleResource in $app.ResourceAccess | Where-Object -Property Type -EQ "Role") {
if ($singleresource.id -In $currentroles.appRoleId) { continue }
[pscustomobject]@{
principalId = $($ourSVCPrincipal.id)
resourceId = $($svcPrincipalId.id)
appRoleId = "$($SingleResource.Id)"
}
}
}
foreach ($Grant in $grants) {
try {
$SettingsRequest = New-GraphPOSTRequest -body ($grant | ConvertTo-Json) -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo" -tenantid $tenantfilter -type POST
}
catch {
"Failed to grant $($grant.appRoleId) to $($grant.resourceId): $($_.Exception.Message). "
}
"Failed to update permissions for $($TenantFilter): $($_.Exception.Message)"
}


# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Expand Down
Loading

0 comments on commit 6893c7c

Please sign in to comment.