

Merge pull request KelvinTegelaar#706 from JohnDuprey/dev
Update CPV to use customerId
JohnDuprey authored Mar 29, 2024
2 parents e515b31 + 1adb647 commit 9887237
Showing 4 changed files with 26 additions and 24 deletions.
Expand Up @@ -11,30 +11,30 @@ Function Invoke-ExecCPVPermissions {
$APIName = $TriggerMetadata.FunctionName
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'


# Write to the Azure Functions log stream.
Write-Host 'PowerShell HTTP trigger function processed a request.'
$TenantFilter = (get-tenants -IncludeAll -IncludeErrors | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName
Write-Host "Our Tenantfilter is $TenantFilter"
$Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $Request.Query.TenantFilter | Select-Object -First 1

Write-Host "Our tenant is $($Tenant.displayName) - $($Tenant.defaultDomainName)"

$CPVConsentParams = @{
Tenantfilter = $TenantFilter
TenantFilter = $Request.Query.TenantFilter
}
if ($Request.Query.ResetSP -eq 'true') {
$CPVConsentParams.ResetSP = $true
}

$GraphRequest = try {
Set-CIPPCPVConsent @CPVConsentParams
Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter
Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter
Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Request.Query.TenantFilter
Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Request.Query.TenantFilter
$Success = $true
} catch {
"Failed to update permissions for $($TenantFilter): $($_.Exception.Message)"
"Failed to update permissions for $($Tenant.displayName): $($_.Exception.Message)"
$Success = $false
}

$Tenant = Get-Tenants -IncludeAll -IncludeErrors | Where-Object -Property defaultDomainName -EQ $Tenantfilter
$Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $TenantFilter

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
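Review bot: The re-lookup near the end of the hunk, `$Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $TenantFilter`, filters on `$TenantFilter`, but after this change nothing in the visible body assigns that variable any more (the old `$TenantFilter = (...).defaultDomainName` line is removed and the hashtable now reads `$Request.Query.TenantFilter` directly), so unless it is set above the hunk the filter runs against `$null` and `$Tenant` is emptied right before it is used in the response. The tenant was already resolved at the top of the function with `Select-Object -First 1`, so the simplest fix is to drop that line, or, if a refresh after consent is wanted, `$Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $Request.Query.TenantFilter | Select-Object -First 1`. It would also be worth returning early when that first lookup yields nothing: Set-CIPPCPVConsent now answers 'Not a valid tenant' as a string rather than throwing, so the two Add-CIPP*Permission calls still run against the raw query value for an unknown id. Note also that both lookups dropped `-IncludeErrors`, so a tenant in an errored state can presumably no longer be targeted for a CPV reset from this endpoint — confirm that is intended. Invoke-ExecCPVPermissions begins and ends outside the hunk.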
Expand Up @@ -278,7 +278,7 @@ Function Push-ExecOnboardTenantQueue {
Remove-CIPPCache -tenantsOnly $true
} catch {}

$Tenant = Get-Tenants | Where-Object { $_.customerId -eq $Relationship.customer.tenantId } | Select-Object -First 1
$Tenant = Get-Tenants -IncludeAll | Where-Object { $_.customerId -eq $Relationship.customer.tenantId } | Select-Object -First 1
$y++
Start-Sleep -Seconds 20
} while (!$Tenant -and $y -le 4)
Expand All @@ -287,7 +287,7 @@ Function Push-ExecOnboardTenantQueue {
$Logs.Add([PSCustomObject]@{ Date = Get-Date -UFormat $DateFormat; Log = 'Tenant found in customer list' })
try {
$CPVConsentParams = @{
TenantFilter = $Tenant.defaultDomainName
TenantFilter = $Relationship.customer.tenantId
}
$Consent = Set-CIPPCPVConsent @CPVConsentParams
if ($Consent -match 'Could not add our Service Principal to the client tenant') {
Expand All @@ -313,8 +313,8 @@ Function Push-ExecOnboardTenantQueue {
Add-CIPPAzDataTableEntity @OnboardTable -Entity $TenantOnboarding -Force -ErrorAction Stop
do {
try {
Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Tenant.defaultDomainName
Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Tenant.defaultDomainName
Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Relationship.customer.tenantId
Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Relationship.customer.tenantId
$CPVSuccess = $true
$Refreshing = $false
} catch {
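Review bot: The match on `'Could not add our Service Principal to the client tenant'` after `$Consent = Set-CIPPCPVConsent @CPVConsentParams` does not cover the new `'Not a valid tenant'` return that Set-CIPPCPVConsent introduces in this same commit (nor the pre-existing `'Cannot modify CPV consent on partner tenant'`), so a relationship whose customer id does not resolve in Get-Tenants would fall through as a successful consent and continue into the Add-CIPP*Permission loop. Since the helper reports failures as strings rather than exceptions, consider treating anything other than the success/already-added messages as a failure, e.g. `if ($Consent -match 'Could not add our Service Principal|Not a valid tenant|Cannot modify CPV consent') {`, and logging `$Consent` verbatim. Whether the retry loop above can exit with `$Tenant` unset and still reach this point depends on lines between the two hunks; Push-ExecOnboardTenantQueue starts and ends outside the hunk.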
Expand Up @@ -7,11 +7,11 @@ function Push-UpdatePermissionsQueue {
if (!$CPVRows -or $ENV:ApplicationID -notin $CPVRows.applicationId) {
Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message 'A New tenant has been added, or a new CIPP-SAM Application is in use' -Sev 'Warn' -API 'NewTenant'
Write-Host 'Adding CPV permissions'
Set-CIPPCPVConsent -Tenantfilter $Item.defaultDomainName
Set-CIPPCPVConsent -Tenantfilter $Item.customerId
}

Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Item.defaultDomainName
Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Item.defaultDomainName
Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Item.customerId
Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Item.customerId

Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Updated permissions for $($Item.defaultDomainName)" -Sev 'Info' -API 'UpdatePermissionsQueue'
Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Updated permissions for $($Item.displayName)" -Sev 'Info' -API 'UpdatePermissionsQueue'
}
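Review bot: The return value of `Set-CIPPCPVConsent -Tenantfilter $Item.customerId` is still discarded, and with this change the helper can now answer `'Not a valid tenant'` (or the partner-tenant refusal) as a string without throwing, so the function proceeds to the two Add-CIPP*Permission calls and, unless one of those throws, logs "Updated permissions" even when consent was never granted. Capturing it, `$Consent = Set-CIPPCPVConsent -Tenantfilter $Item.customerId`, and including `($Consent -join '; ')` in the Write-LogMessage call (at Warn severity when it is not a success message) would make the queue's log useful when CPV fails. The function's opening lines are outside the hunk.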
18 changes: 10 additions & 8 deletions Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1
@@ -1,23 +1,25 @@
function Set-CIPPCPVConsent {
[CmdletBinding()]
param(
$Tenantfilter,
$TenantFilter,
$APIName = 'CPV Consent',
$ExecutingUser,
[bool]$ResetSP = $false
)
$Results = [System.Collections.Generic.List[string]]::new()
$Tenant = Get-Tenants -IncludeAll -IncludeErrors | Where-Object -Property defaultDomainName -EQ $Tenantfilter
$TenantName = $Tenant.defaultDomainName
$TenantFilter = $Tenant.customerId
$Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $TenantFilter | Select-Object -First 1
$TenantName = $Tenant.displayName

if ($Tenantfilter -eq $env:TenantID) {
if ($TenantFilter -eq $env:TenantID) {
return @('Cannot modify CPV consent on partner tenant')
}
if ($Tenant.customerId -ne $TenantFilter) {
return @('Not a valid tenant')
}

if ($ResetSP) {
try {
$DeleteSP = New-GraphpostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($ENV:applicationId)" -scope 'https://api.partnercenter.microsoft.com/.default' -tenantid $env:TenantID
$DeleteSP = New-GraphPostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($ENV:applicationId)" -scope 'https://api.partnercenter.microsoft.com/.default' -tenantid $env:TenantID
$Results.add("Deleted Service Principal from $TenantName")
} catch {
$Results.add("Error deleting SP - $($_.Exception.Message)")
Expand Down Expand Up @@ -51,7 +53,7 @@ function Set-CIPPCPVConsent {
}
Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force
$Results.add("Successfully added CPV Application to tenant $($TenantName)") | Out-Null
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Added our Service Principal to $($TenantName): $($_.Exception.message)" -Sev 'Info' -tenant $TenantName -tenantId $TenantFilter
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Added our Service Principal to $($TenantName): $($_.Exception.message)" -Sev 'Info' -tenant $Tenant.defaultDomainName -tenantId $TenantFilter

} catch {
$ErrorMessage = Get-NormalizedError -message $_.Exception.Message
Expand All @@ -68,7 +70,7 @@ function Set-CIPPCPVConsent {
Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force
return @("We've already added our Service Principal to $($TenantName)")
}
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not add our Service Principal to the client tenant $($TenantName): $($_.Exception.message)" -Sev 'Error' -tenant $TenantName -tenantId $TenantFilter
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not add our Service Principal to the client tenant $($TenantName): $($_.Exception.message)" -Sev 'Error' -tenant $Tenant.defaultDomainName -tenantId $TenantFilter
return @("Could not add our Service Principal to the client tenant $($TenantName): $ErrorMessage")
}
return $Results
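Review bot: The new guard `if ($Tenant.customerId -ne $TenantFilter) { return @('Not a valid tenant') }` does not reject a missing TenantFilter: when `$TenantFilter` is `$null` the Where-Object lookup returns nothing, `$Tenant.customerId` is therefore also `$null`, and `$null -ne $null` is false, so the check passes and the ResetSP path issues a DELETE to `customers//applicationconsents/...` with an empty customer segment (presumably a 4xx that lands in the catch, but that is an inference). Making the guard explicit, `if ([string]::IsNullOrWhiteSpace($TenantFilter) -or -not $Tenant -or $Tenant.customerId -ne $TenantFilter) { return @('Not a valid tenant') }`, closes that gap and is the natural place for a comment stating that `$TenantFilter` is now the customer GUID rather than a domain name, which the parameter block does not say and which any caller still passing `defaultDomainName` would silently trip over. Separately, the success-path Write-LogMessage still interpolates `$($_.Exception.message)` into its `-message`, which is empty outside a catch; not introduced here but worth trimming while the line is being touched. The consent POST between the first and second hunks is outside the visible lines.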

