Merge pull request #39 from KelvinTegelaar/master
[pull] master from KelvinTegelaar:master
pull[bot] authored Jul 13, 2024
2 parents 26eb9d5 + af19f65 commit a3228bd
Showing 99 changed files with 2,258 additions and 2,778 deletions.
8 changes: 4 additions & 4 deletions Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1
Expand Up @@ -19,19 +19,19 @@ function Add-CIPPScheduledTask {
$propertiesToCheck = @('Webhook', 'Email', 'PSA')
$PostExecution = ($propertiesToCheck | Where-Object { $task.PostExecution.$_ -eq $true }) -join ','
$Parameters = [System.Collections.Hashtable]@{}
foreach ($Key in $task.Parameters.Keys) {
foreach ($Key in $task.Parameters.PSObject.Properties.Name) {
$Param = $task.Parameters.$Key
if ($Param.Key) {
if ($Param -is [System.Collections.IDictionary]) {
$ht = @{}
foreach ($p in $Param) {
Write-Host $p.Key
foreach ($p in $Param.GetEnumerator()) {
$ht[$p.Key] = $p.Value
}
$Parameters[$Key] = [PSCustomObject]$ht
} else {
$Parameters[$Key] = $Param
}
}

$Parameters = ($Parameters | ConvertTo-Json -Depth 10 -Compress)
$AdditionalProperties = [System.Collections.Hashtable]@{}
foreach ($Prop in $task.AdditionalProperties) {
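Review bot: Enumerating `$task.Parameters.PSObject.Properties.Name` (the replacement for `.Keys`) only yields the intended keys when `$task.Parameters` is a PSCustomObject; if a caller still passes a hashtable, as the old `.Keys` form suggests was possible, `PSObject.Properties` enumerates the hashtable's own .NET members (Count, Keys, Values, ...) instead and the copy silently produces wrong parameters. Selecting the key list by type covers both shapes: `$Keys = if ($task.Parameters -is [System.Collections.IDictionary]) { $task.Parameters.Keys } else { $task.Parameters.PSObject.Properties.Name }` followed by `foreach ($Key in $Keys) {`. Whether any caller passes a hashtable is not visible in this hunk. Add-CIPPScheduledTask begins and ends outside the hunk.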
Expand Up @@ -20,13 +20,13 @@ Function Invoke-ExecClrImmId {
Try {
$TenantFilter = $Request.Query.TenantFilter
$UserID = $Request.Query.ID
$Body = [pscustomobject] @{
onPremisesImmutableId = $null
} | ConvertTo-Json
$GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body
$Body = [pscustomobject]@{ onPremisesImmutableId = $null }
$Body = ConvertTo-Json -InputObject $Body -Depth 5 -Compress
$null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body
$Results = [pscustomobject]@{'Results' = 'Successfully Cleared ImmutableId' }
} catch {
$Results = [pscustomobject]@{'Results' = "Failed. $_.Exception.Message"; colour = 'danger' }
$ErrorMessage = Get-NormalizedError -Message $_.Exception
$Results = [pscustomobject]@{'Results' = "Failed. $ErrorMessage"; colour = 'danger' }
$_.Exception
}

Expand All @@ -35,5 +35,4 @@ Function Invoke-ExecClrImmId {
StatusCode = [HttpStatusCode]::OK
Body = $Results
})

}
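Review bot: `$UserID` comes straight from `$Request.Query.ID` and is interpolated into the Graph URL in the `New-GraphPostRequest` call without any shape check, so a malformed value reaches Graph as part of the request path; this commit's Invoke-ExecJITAdmin already validates user ids with a GUID regex, and the same guard fits here before the request, e.g. `if ($UserID -notmatch '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') { throw "Invalid user id: $UserID" }` (or an additional UPN check if callers pass UPNs, which the hunk does not show). The bare `$_.Exception` left at the end of the catch block still writes the raw exception object to the function's output stream even though the new `Get-NormalizedError` line already produces the user-facing message; dropping that line keeps the error detail out of the output. Invoke-ExecClrImmId's opening lines and the lines between the two hunks are outside this view.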
Expand Up @@ -11,7 +11,9 @@ Function Invoke-ExecJITAdmin {
param($Request, $TriggerMetadata)

$APIName = 'ExecJITAdmin'
Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
$User = $Request.Headers.'x-ms-client-principal'

Write-LogMessage -user $User -API $APINAME -message 'Accessed this API' -Sev 'Debug'

if ($Request.Query.Action -eq 'List') {
$Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' }
Expand Down Expand Up @@ -61,14 +63,14 @@ Function Invoke-ExecJITAdmin {
if ($Request.Body.UserId -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
$Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.UserId)" -tenantid $Request.Body.TenantFilter).userPrincipalName
}
Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message "Executing JIT Admin for $Username" -Sev 'Info'
Write-LogMessage -user $User -API $APINAME -message "Executing JIT Admin for $Username" -Sev 'Info'

$Start = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.StartDate)).DateTime.ToLocalTime()
$Expiration = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.EndDate)).DateTime.ToLocalTime()
$Results = [System.Collections.Generic.List[string]]::new()

if ($Request.Body.useraction -eq 'create') {
Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message "Creating JIT Admin user $($Request.Body.UserPrincipalName)" -Sev 'Info'
if ($Request.Body.useraction -eq 'Create') {
Write-LogMessage -user $User -API $APINAME -message "Creating JIT Admin user $($Request.Body.UserPrincipalName)" -Sev 'Info'
Write-Information "Creating JIT Admin user $($Request.Body.UserPrincipalName)"
$JITAdmin = @{
User = @{
Expand All @@ -86,7 +88,7 @@ Function Invoke-ExecJITAdmin {
if (!$Request.Body.UseTAP) {
$Results.Add("Password: $($CreateResult.password)")
}
$Results.Add("JIT Expires: $($Expiration)")
$Results.Add("JIT Admin Expires: $($Expiration)")
Start-Sleep -Seconds 1
}

Expand All @@ -101,14 +103,27 @@ Function Invoke-ExecJITAdmin {
$TapBody = '{}'
}
Write-Information "https://graph.microsoft.com/beta/users/$Username/authentication/temporaryAccessPassMethods"
$TapRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Username)/authentication/temporaryAccessPassMethods" -tenantid $Request.Body.TenantFilter -type POST -body $TapBody
# Retry creating the TAP up to 5 times, since it can fail due to the user not being fully created yet
$Retries = 0
do {
try {
$TapRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Username)/authentication/temporaryAccessPassMethods" -tenantid $Request.Body.TenantFilter -type POST -body $TapBody
} catch {
Start-Sleep -Seconds 2
Write-Information 'ERROR: Failed to create TAP, retrying'
Write-Information ( ConvertTo-Json -Depth 5 -InputObject (Get-CippException -Exception $_))
}
$Retries++
} while ( $null -eq $TapRequest.temporaryAccessPass -and $Retries -le 5 )

$TempPass = $TapRequest.temporaryAccessPass
$PasswordExpiration = $TapRequest.LifetimeInMinutes

$PasswordLink = New-PwPushLink -Payload $TempPass
if ($PasswordLink) {
$Password = $PasswordLink
} else {
$Password = $TempPass
}
$Results.Add("Temporary Access Pass: $Password")
$Results.Add("This TAP is usable starting at $($TapRequest.startDateTime) UTC for the next $PasswordExpiration minutes")
Expand Down Expand Up @@ -147,7 +162,9 @@ Function Invoke-ExecJITAdmin {
}
}
Add-CIPPScheduledTask -Task $TaskBody -hidden $false
Set-CIPPUserJITAdminProperties -TenantFilter $Request.Body.TenantFilter -UserId $Request.Body.UserId -Expiration $Expiration
if ($Request.Body.useraction -ne 'Create') {
Set-CIPPUserJITAdminProperties -TenantFilter $Request.Body.TenantFilter -UserId $Request.Body.UserId -Expiration $Expiration
}
$Results.Add("Scheduling JIT Admin enable task for $Username")
} else {
$Results.Add("Executing JIT Admin enable task for $Username")
Expand Down Expand Up @@ -176,7 +193,7 @@ Function Invoke-ExecJITAdmin {
}
ScheduledTime = $Request.Body.EndDate
}
Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false
$null = Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false
$Results.Add("Scheduling JIT Admin $($Request.Body.ExpireAction) task for $Username")
$Body = @{
Results = @($Results)
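Review bot: The TAP retry loop `do { ... } while ( $null -eq $TapRequest.temporaryAccessPass -and $Retries -le 5 )` exits silently when every attempt fails: `$TempPass` is then empty, `New-PwPushLink` is called with an empty payload, and the response still reports `Temporary Access Pass:` with nothing behind it, while the catch block only writes the failure to the information stream. After the loop, fail explicitly, e.g. `if ($null -eq $TapRequest.temporaryAccessPass) { throw 'Failed to create Temporary Access Pass after retries' }`, or add the failure to `$Results` so the caller sees it. The `-le 5` bound also allows six attempts where the comment says five; `$Retries -lt 5` matches the comment. Invoke-ExecJITAdmin begins and ends outside the hunks shown.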
2 changes: 1 addition & 1 deletion Modules/CIPPCore/Public/Entrypoints/Invoke-ListDomains.ps1
Expand Up @@ -21,7 +21,7 @@ Function Invoke-ListDomains {
$TenantFilter = $Request.Query.TenantFilter

try {
$GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter | Select-Object id, isdefault, isinitial | Sort-Object isdefault
$GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter | Select-Object id, isdefault, isinitial | Sort-Object isdefault -Descending
$StatusCode = [HttpStatusCode]::OK
} catch {
$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
11 changes: 9 additions & 2 deletions Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1
Expand Up @@ -50,6 +50,8 @@ function Set-CIPPUserJITAdmin {
switch ($Action) {
'Create' {
$Password = New-passwordString
$Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' }

$Body = @{
givenName = $User.FirstName
surname = $User.LastName
Expand All @@ -62,6 +64,10 @@ function Set-CIPPUserJITAdmin {
forceChangePasswordNextSignInWithMfa = $false
password = $Password
}
$Schema.id = @{
jitAdminEnabled = $false
jitAdminExpiration = $Expiration.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
}
}
$Json = ConvertTo-Json -Depth 5 -InputObject $Body
try {
Expand Down Expand Up @@ -135,9 +141,10 @@ function Set-CIPPUserJITAdmin {
Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $User.UserPrincipalName -Clear | Out-Null
return "Disabled user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
} catch {
return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $($_.Exception.Message)"
$ErrrorMessage = Get-NormalizedError -Message $_.Exception.Message
return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrrorMessage"
}
}
}
}
}
}
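Review bot: `$Schema.id` is used as the hashtable key for the new schema-extension entry in `$Body` without checking that `Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' }` returned exactly one object; with no match the key is `$null` and building `$Body` fails, and with several matches `$Schema.id` is an array, so the body silently gets an unintended key. A guard such as `$Schema = @(Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' })[0]` followed by `if (-not $Schema) { throw 'CIPP user schema extension not found' }` keeps the Graph request well-formed. In the Disable catch block the new variable is spelled `$ErrrorMessage` on both lines; it works but reads as a typo, and `$ErrorMessage` matches the name used in Invoke-ListDomains and Invoke-ExecClrImmId in this same commit. Set-CIPPUserJITAdmin begins outside the hunks.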
@@ -1,36 +1,35 @@
function Invoke-CIPPStandardActivityBasedTimeout {
<#
.FUNCTIONALITY
Internal
.APINAME
ActivityBasedTimeout
.CAT
Global Standards
.TAG
"mediumimpact"
"CIS"
"spo_idle_session_timeout"
.HELPTEXT
Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps
.ADDEDCOMPONENT
{"type":"Select","label":"Select value","name":"standards.ActivityBasedTimeout.timeout","values":[{"label":"1 Hour","value":"01:00:00"},{"label":"3 Hours","value":"03:00:00"},{"label":"6 Hours","value":"06:00:00"},{"label":"12 Hours","value":"12:00:00"},{"label":"24 Hours","value":"1.00:00:00"}]}
.LABEL
Enable Activity based Timeout
.IMPACT
Medium Impact
.POWERSHELLEQUIVALENT
Portal or Graph API
.RECOMMENDEDBY
"CIS"
.DOCSDESCRIPTION
Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps
.UPDATECOMMENTBLOCK
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
Internal
.COMPONENT
(APIName) ActivityBasedTimeout
.SYNOPSIS
(Label) Enable Activity based Timeout
.DESCRIPTION
(Helptext) Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps
(DocsDescription) Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps
.NOTES
CAT
Global Standards
TAG
"mediumimpact"
"CIS"
"spo_idle_session_timeout"
ADDEDCOMPONENT
{"type":"Select","label":"Select value","name":"standards.ActivityBasedTimeout.timeout","values":[{"label":"1 Hour","value":"01:00:00"},{"label":"3 Hours","value":"03:00:00"},{"label":"6 Hours","value":"06:00:00"},{"label":"12 Hours","value":"12:00:00"},{"label":"24 Hours","value":"1.00:00:00"}]}
IMPACT
Medium Impact
POWERSHELLEQUIVALENT
Portal or Graph API
RECOMMENDEDBY
"CIS"
UPDATECOMMENTBLOCK
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
.LINK
https://docs.cipp.app/user-documentation/tenant/standards/edit-standards
#>




param($Tenant, $Settings)

# Input validation
Expand Down Expand Up @@ -91,8 +90,3 @@ function Invoke-CIPPStandardActivityBasedTimeout {
}

}





55 changes: 25 additions & 30 deletions Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1
@@ -1,34 +1,33 @@
function Invoke-CIPPStandardAddDKIM {
<#
.FUNCTIONALITY
Internal
.APINAME
AddDKIM
.CAT
Exchange Standards
.TAG
"lowimpact"
"CIS"
.HELPTEXT
Enables DKIM for all domains that currently support it
.ADDEDCOMPONENT
.LABEL
Enables DKIM for all domains that currently support it
.IMPACT
Low Impact
.POWERSHELLEQUIVALENT
New-DkimSigningConfig and Set-DkimSigningConfig
.RECOMMENDEDBY
"CIS"
.DOCSDESCRIPTION
Enables DKIM for all domains that currently support it
.UPDATECOMMENTBLOCK
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
Internal
.COMPONENT
(APIName) AddDKIM
.SYNOPSIS
(Label) Enables DKIM for all domains that currently support it
.DESCRIPTION
(Helptext) Enables DKIM for all domains that currently support it
(DocsDescription) Enables DKIM for all domains that currently support it
.NOTES
CAT
Exchange Standards
TAG
"lowimpact"
"CIS"
ADDEDCOMPONENT
IMPACT
Low Impact
POWERSHELLEQUIVALENT
New-DkimSigningConfig and Set-DkimSigningConfig
RECOMMENDEDBY
"CIS"
UPDATECOMMENTBLOCK
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
.LINK
https://docs.cipp.app/user-documentation/tenant/standards/edit-standards
#>




param($Tenant, $Settings)

$AllDomains = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/domains?$top=999' -tenantid $Tenant | Where-Object { $_.supportedServices -contains 'Email' -or $_.id -like '*mail.onmicrosoft.com' }).id
Expand Down Expand Up @@ -107,7 +106,3 @@ function Invoke-CIPPStandardAddDKIM {
Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIMState -StoreAs bool -Tenant $tenant
}
}




@@ -1,34 +1,31 @@
function Invoke-CIPPStandardAnonReportDisable {
<#
.FUNCTIONALITY
Internal
.APINAME
AnonReportDisable
.CAT
Global Standards
.TAG
"lowimpact"
.HELPTEXT
Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.
.DOCSDESCRIPTION
Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports.
.ADDEDCOMPONENT
.LABEL
Enable Usernames instead of pseudo anonymised names in reports
.IMPACT
Low Impact
.POWERSHELLEQUIVALENT
Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true}
.RECOMMENDEDBY
.DOCSDESCRIPTION
Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.
.UPDATECOMMENTBLOCK
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
Internal
.COMPONENT
(APIName) AnonReportDisable
.SYNOPSIS
(Label) Enable Usernames instead of pseudo anonymised names in reports
.DESCRIPTION
(Helptext) Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.
(DocsDescription) Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports.
.NOTES
CAT
Global Standards
TAG
"lowimpact"
ADDEDCOMPONENT
IMPACT
Low Impact
POWERSHELLEQUIVALENT
Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true}
RECOMMENDEDBY
UPDATECOMMENTBLOCK
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
.LINK
https://docs.cipp.app/user-documentation/tenant/standards/edit-standards
#>




param($Tenant, $Settings)
$CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -tenantid $Tenant -AsApp $true

Expand Down Expand Up @@ -58,7 +55,3 @@ function Invoke-CIPPStandardAnonReportDisable {
Add-CIPPBPAField -FieldName 'AnonReport' -FieldValue $CurrentInfo.displayConcealedNames -StoreAs bool -Tenant $tenant
}
}



