From 1adb64744562b328f89c50632fdbaa7593d4ce31 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Fri, 29 Mar 2024 14:49:52 -0400 Subject: [PATCH 1/2] Update CPV to use customerId --- .../Entrypoints/Invoke-ExecCPVPermissions.ps1 | 16 ++++++++-------- .../Push-ExecOnboardTenantQueue.ps1 | 8 ++++---- .../Push-UpdatePermissionsQueue.ps1 | 8 ++++---- Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 | 18 ++++++++++-------- 4 files changed, 26 insertions(+), 24 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecCPVPermissions.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecCPVPermissions.ps1 index 7573e9fd209c..4703972094e4 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecCPVPermissions.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecCPVPermissions.ps1 @@ -11,14 +11,14 @@ Function Invoke-ExecCPVPermissions { $APIName = $TriggerMetadata.FunctionName Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' - # Write to the Azure Functions log stream. Write-Host 'PowerShell HTTP trigger function processed a request.' - $TenantFilter = (get-tenants -IncludeAll -IncludeErrors | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName - Write-Host "Our Tenantfilter is $TenantFilter" + $Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $Request.Query.TenantFilter | Select-Object -First 1 + + Write-Host "Our tenant is $($Tenant.displayName) - $($Tenant.defaultDomainName)" $CPVConsentParams = @{ - Tenantfilter = $TenantFilter + TenantFilter = $Request.Query.TenantFilter } if ($Request.Query.ResetSP -eq 'true') { $CPVConsentParams.ResetSP = $true 
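Review bot: The result of the new `$Tenant` lookup is never checked before `$Request.Query.TenantFilter` is copied into `$CPVConsentParams`, so a customerId that matches no tenant (or an empty query value) is forwarded to Set-CIPPCPVConsent and the permission calls as a raw, unvalidated request parameter, whereas the removed code at least resolved it to `$null` through defaultDomainName. Add a guard directly after the lookup, e.g. `if (-not $Tenant) { throw "No tenant found for customerId '$($Request.Query.TenantFilter)'" }`, or return a 4xx through the Push-OutputBinding call that lies outside this hunk, so the failure is explicit and logged instead of passed downstream. `-IncludeErrors` was also dropped from the Get-Tenants call; if that switch controls whether error-state tenants are listed, they can no longer be selected by this endpoint — worth confirming that is intended. The body of Invoke-ExecCPVPermissions continues past this hunk.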
@@ -26,15 +26,15 @@ Function Invoke-ExecCPVPermissions { $GraphRequest = try { Set-CIPPCPVConsent @CPVConsentParams - Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter - Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter + Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Request.Query.TenantFilter + Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Request.Query.TenantFilter $Success = $true } catch { - "Failed to update permissions for $($TenantFilter): $($_.Exception.Message)" + "Failed to update permissions for $($Tenant.displayName): $($_.Exception.Message)" $Success = $false } - $Tenant = Get-Tenants -IncludeAll -IncludeErrors | Where-Object -Property defaultDomainName -EQ $Tenantfilter + $Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $TenantFilter # Associate values to output bindings by calling 'Push-OutputBinding'. Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1 index c4200021627f..46868993d12d 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1 @@ -278,7 +278,7 @@ Function Push-ExecOnboardTenantQueue { Remove-CIPPCache -tenantsOnly $true } catch {} - $Tenant = Get-Tenants | Where-Object { $_.customerId -eq $Relationship.customer.tenantId } | Select-Object -First 1 + $Tenant = Get-Tenants -IncludeAll | Where-Object { $_.customerId -eq $Relationship.customer.tenantId } | Select-Object -First 1 $y++ Start-Sleep -Seconds 20 } while (!$Tenant -and $y -le 4) 
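Review bot: The re-lookup at the end of the hunk, `$Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $TenantFilter`, filters on `$TenantFilter`, but this commit removed the only assignment to that variable in the previous hunk, so the comparison runs against an unset value and overwrites the `$Tenant` object resolved at the top of the function with an empty result just before the Push-OutputBinding response (outside this hunk) presumably uses it. Either delete the line, since `$Tenant` was already resolved earlier, or filter on the query value: `$Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $Request.Query.TenantFilter | Select-Object -First 1`. The Add-CIPPApplicationPermission and Add-CIPPDelegatedPermission calls in this hunk also receive `$Request.Query.TenantFilter` directly, so they rely on an existence check being performed earlier in the function.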
@@ -287,7 +287,7 @@ Function Push-ExecOnboardTenantQueue {
 $Logs.Add([PSCustomObject]@{ Date = Get-Date -UFormat $DateFormat; Log = 'Tenant found in customer list' })
 try {
 $CPVConsentParams = @{
- TenantFilter = $Tenant.defaultDomainName
+ TenantFilter = $Relationship.customer.tenantId
 }
 $Consent = Set-CIPPCPVConsent @CPVConsentParams
 if ($Consent -match 'Could not add our Service Principal to the client tenant') {
@@ -313,8 +313,8 @@ Function Push-ExecOnboardTenantQueue {
 Add-CIPPAzDataTableEntity @OnboardTable -Entity $TenantOnboarding -Force -ErrorAction Stop
 do {
 try {
- Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Tenant.defaultDomainName
- Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Tenant.defaultDomainName
+ Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Relationship.customer.tenantId
+ Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Relationship.customer.tenantId
 $CPVSuccess = $true
 $Refreshing = $false
 } catch {
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-UpdatePermissionsQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-UpdatePermissionsQueue.ps1
index e1d72b14e867..672f1f196b65 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-UpdatePermissionsQueue.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-UpdatePermissionsQueue.ps1
@@ -7,11 +7,11 @@ function Push-UpdatePermissionsQueue { if (!$CPVRows -or $ENV:ApplicationID -notin $CPVRows.applicationId) { Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message 'A New tenant has been added, or a new CIPP-SAM Application is in use' -Sev 'Warn' -API 'NewTenant' Write-Host 'Adding CPV permissions' - Set-CIPPCPVConsent -Tenantfilter $Item.defaultDomainName + Set-CIPPCPVConsent -Tenantfilter $Item.customerId } - Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Item.defaultDomainName - Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Item.defaultDomainName + Add-CIPPApplicationPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Item.customerId + Add-CIPPDelegatedPermission -RequiredResourceAccess 'CippDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $Item.customerId - Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Updated permissions for $($Item.defaultDomainName)" -Sev 'Info' -API 'UpdatePermissionsQueue' + Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "Updated permissions for $($Item.displayName)" -Sev 'Info' -API 'UpdatePermissionsQueue' } \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 b/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 index 35a90d7f9e90..d508471a08a4 100644 --- a/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 
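Review bot: The return value of `Set-CIPPCPVConsent -Tenantfilter $Item.customerId` is discarded, and Set-CIPPCPVConsent reports consent failures by returning strings such as `Could not add our Service Principal to the client tenant ...` rather than throwing (see its hunks later in this patch), so a failed consent is invisible here: the function proceeds to Add-CIPPApplicationPermission and then logs `Updated permissions for ...` at Sev 'Info'. Push-ExecOnboardTenantQueue in this same patch inspects the result with `-match 'Could not add our Service Principal to the client tenant'`; mirror that, e.g. `$Consent = Set-CIPPCPVConsent -Tenantfilter $Item.customerId` followed by `if ($Consent -match 'Could not add our Service Principal to the client tenant') { Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message "CPV consent failed: $Consent" -Sev 'Error' -API 'UpdatePermissionsQueue'; return }`. The enclosing function starts before this hunk, so whether an outer try/catch covers the Add-* calls cannot be seen from here.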
@@ -1,23 +1,25 @@ function Set-CIPPCPVConsent { [CmdletBinding()] param( - $Tenantfilter, + $TenantFilter, $APIName = 'CPV Consent', $ExecutingUser, [bool]$ResetSP = $false ) $Results = [System.Collections.Generic.List[string]]::new() - $Tenant = Get-Tenants -IncludeAll -IncludeErrors | Where-Object -Property defaultDomainName -EQ $Tenantfilter - $TenantName = $Tenant.defaultDomainName - $TenantFilter = $Tenant.customerId + $Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $TenantFilter | Select-Object -First 1 + $TenantName = $Tenant.displayName - if ($Tenantfilter -eq $env:TenantID) { + if ($TenantFilter -eq $env:TenantID) { return @('Cannot modify CPV consent on partner tenant') } + if ($Tenant.customerId -ne $TenantFilter) { + return @('Not a valid tenant') + } if ($ResetSP) { try { - $DeleteSP = New-GraphpostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($ENV:applicationId)" -scope 'https://api.partnercenter.microsoft.com/.default' -tenantid $env:TenantID + $DeleteSP = New-GraphPostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($ENV:applicationId)" -scope 'https://api.partnercenter.microsoft.com/.default' -tenantid $env:TenantID $Results.add("Deleted Service Principal from $TenantName") } catch { $Results.add("Error deleting SP - $($_.Exception.Message)") 
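Review bot: The new guard `if ($Tenant.customerId -ne $TenantFilter)` is bypassed by an empty or unset `$TenantFilter`: the Where-Object then matches nothing, `$Tenant` is `$null`, and `$null -ne $null` is false, so execution continues to the Partner Center DELETE with an empty customer segment in the URI and no tenant name in the results. Because `$TenantFilter` is untyped and unvalidated and this function is reached from an HTTP query parameter via Invoke-ExecCPVPermissions, tighten the check to `if ([string]::IsNullOrWhiteSpace($TenantFilter) -or -not $Tenant -or $Tenant.customerId -ne $TenantFilter) { return @('Not a valid tenant') }`, or declare the parameter as `[ValidateNotNullOrEmpty()][string]$TenantFilter`. Note also that `-IncludeErrors` was removed from the Get-Tenants call; if error-state tenants are excluded without it, consent can no longer be re-established for them through this path — confirm that is intended. The function body continues past this hunk.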
@@ -51,7 +53,7 @@ function Set-CIPPCPVConsent { } Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force $Results.add("Successfully added CPV Application to tenant $($TenantName)") | Out-Null - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Added our Service Principal to $($TenantName): $($_.Exception.message)" -Sev 'Info' -tenant $TenantName -tenantId $TenantFilter + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Added our Service Principal to $($TenantName): $($_.Exception.message)" -Sev 'Info' -tenant $Tenant.defaultDomainName -tenantId $TenantFilter } catch { $ErrorMessage = Get-NormalizedError -message $_.Exception.Message @@ -68,7 +70,7 @@ function Set-CIPPCPVConsent { Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force return @("We've already added our Service Principal to $($TenantName)") } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not add our Service Principal to the client tenant $($TenantName): $($_.Exception.message)" -Sev 'Error' -tenant $TenantName -tenantId $TenantFilter + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not add our Service Principal to the client tenant $($TenantName): $($_.Exception.message)" -Sev 'Error' -tenant $Tenant.defaultDomainName -tenantId $TenantFilter return @("Could not add our Service Principal to the client tenant $($TenantName): $ErrorMessage") } return $Results From 3ce6d5097a996f6344d5a24364617e9bd53a33ba Mon Sep 17 00:00:00 2001 From: John Duprey Date: Fri, 29 Mar 2024 15:25:29 -0400 Subject: [PATCH 2/2] Fix onboarding tenant cache clear --- .../Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1 | 6 ++++++ 1 file changed, 6 insertions(+) 
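Review bot: The success-path log line in the first hunk, `Write-LogMessage ... -message "Added our Service Principal to $($TenantName): $($_.Exception.message)"`, sits before the `} catch {` and therefore inside the try block, where `$_` holds no error record (unless it is a pipeline variable from code outside the hunk), so the message always ends in an empty `: `; the commit rewrites this line but keeps that leftover. Change the message to `"Added our Service Principal to $($TenantName)"`. The second hunk's line is fine as is, since it runs inside the catch. Both lines now pass `-tenant $Tenant.defaultDomainName`, which matches the `-tenant` usage in Push-UpdatePermissionsQueue; the enclosing try/catch blocks start outside these hunks.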
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1
index 46868993d12d..b6938cc1389c 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-ExecOnboardTenantQueue.ps1
@@ -326,6 +326,12 @@ Function Push-ExecOnboardTenantQueue {
 $Logs.Add([PSCustomObject]@{ Date = Get-Date -UFormat $DateFormat; Log = 'CPV permissions refreshed' })
 $OnboardingSteps.Step4.Status = 'succeeded'
 $OnboardingSteps.Step4.Message = 'CPV permissions refreshed'
+ if ($Tenant.defaultDomainName -match 'Domain Error') {
+ try {
+ Remove-CIPPCache -tenantsOnly $true
+ } catch {}
+ $Tenant = Get-Tenants -IncludeAll | Where-Object { $_.customerId -eq $Relationship.customer.tenantId } | Select-Object -First 1
+ }
 } else {
 $Logs.Add([PSCustomObject]@{ Date = Get-Date -UFormat $DateFormat; Log = 'CPV permissions failed to refresh' })
 $TenantOnboarding.Status = 'failed'
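Review bot: The new `try { Remove-CIPPCache -tenantsOnly $true } catch {}` swallows any failure silently, and the re-fetched `$Tenant` is not checked afterwards, so if the cache clear fails or the tenant still reads 'Domain Error' nothing is recorded in `$Logs`, even though every other step in this hunk appends an entry. Log both outcomes in the existing style, e.g. `} catch { $Logs.Add([PSCustomObject]@{ Date = Get-Date -UFormat $DateFormat; Log = "Tenant cache clear failed: $($_.Exception.Message)" }) }` and, after the lookup, `$Logs.Add([PSCustomObject]@{ Date = Get-Date -UFormat $DateFormat; Log = "Tenant refreshed from cache: $($Tenant.defaultDomainName)" })`. The same silent `catch {}` pattern appears in the earlier -278 hunk of this file. The enclosing if/else starts before this hunk.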