Skip to content

Commit

Permalink
Merge branch 'KelvinTegelaar:master' into master
Browse files Browse the repository at this point in the history
  • Loading branch information
ACCIPP authored Aug 19, 2024
2 parents 9a1303e + 2b7fe4c commit 8a5a079
Show file tree
Hide file tree
Showing 26 changed files with 771 additions and 403 deletions.
10 changes: 5 additions & 5 deletions Config/SharePoint.BPATemplate.json
Original file line number Diff line number Diff line change
Expand Up @@ -31,18 +31,18 @@
},
{
"name": "Resharing by external users",
"value": "isResharingByExternalUsersEnabled",
"formatter": "reverseBool"
"value": "SharepointSettings.isResharingByExternalUsersEnabled",
"formatter": "bool"
},
{
"name": "Allow users to sync from unmanaged devices",
"value": "SharepointSettings.isUnmanagedSyncAppForTenantRestricted",
"formatter": "bool"
"formatter": "reverseBool"
},
{
"name": "Site creation by standards users enabled",
"name": "Site creation by standard users enabled",
"value": "SharepointSettings.isSiteCreationEnabled",
"formatter": "reverseBool"
"formatter": "bool"
},
{
"name": "Deleted user data rention(days)",
Expand Down
21 changes: 20 additions & 1 deletion Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,26 @@ function Add-CIPPApplicationPermission {
}
Set-Location (Get-Item $PSScriptRoot).FullName
if ($RequiredResourceAccess -eq 'CIPPDefaults') {
$RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess
#$RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess

$Permissions = Get-CippSamPermissions -NoDiff
$RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()

foreach ($AppId in $Permissions.Permissions.PSObject.Properties.Name) {
$AppPermissions = @($Permissions.Permissions.$AppId.applicationPermissions)
$Resource = @{
resourceAppId = $AppId
resourceAccess = [System.Collections.Generic.List[object]]::new()
}
foreach ($Permission in $AppPermissions) {
$Resource.ResourceAccess.Add(@{
id = $Permission.id
type = 'Role'
})
}

$RequiredResourceAccess.Add($Resource)
}
}
$ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $Tenantfilter -NoAuthCheck $true
$ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
Expand Down
43 changes: 32 additions & 11 deletions Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -15,16 +15,31 @@ function Add-CIPPDelegatedPermission {
}

if ($RequiredResourceAccess -eq 'CIPPDefaults') {
$RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess
$AdditionalPermissions = Get-Content '.\AdditionalPermissions.json' | ConvertFrom-Json
$Permissions = Get-CippSamPermissions -NoDiff
$NoTranslateRequired = $Permissions.Type -eq 'Table'
$RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
foreach ($AppId in $Permissions.Permissions.PSObject.Properties.Name) {
$DelegatedPermissions = @($Permissions.Permissions.$AppId.delegatedPermissions)
$ResourceAccess = [System.Collections.Generic.List[object]]::new()
foreach ($Permission in $DelegatedPermissions) {
$ResourceAccess.Add(@{
id = $Permission.value
type = 'Scope'
})
}
$Resource = @{
resourceAppId = $AppId
resourceAccess = @($ResourceAccess)
}
$RequiredResourceAccess.Add($Resource)
}

if ($Tenantfilter -eq $env:TenantID) {
$RequiredResourceAccess = $RequiredResourceAccess + ($AdditionalPermissions | Where-Object { $RequiredResourceAccess.resourceAppId -notcontains $_.resourceAppId })
} else {
# remove the partner center permission if not pushing to partner tenant
$RequiredResourceAccess = $RequiredResourceAccess | Where-Object { $_.resourceAppId -ne 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd' }
}
$RequiredResourceAccess = $RequiredResourceAccess + ($AdditionalPermissions | Where-Object { $RequiredResourceAccess.resourceAppId -notcontains $_.resourceAppId })
}
$Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
$ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true -NoAuthCheck $true
Expand All @@ -46,16 +61,22 @@ function Add-CIPPDelegatedPermission {
continue
}
}
$AdditionalScopes = ($AdditionalPermissions | Where-Object -Property resourceAppId -EQ $App.resourceAppId).resourceAccess | Where-Object -Property type -EQ 'Scope'

$DelegatedScopes = $App.resourceAccess | Where-Object -Property type -EQ 'Scope'
if ($AdditionalScopes) {
$NewScope = (@(($Translator | Where-Object { $_.id -in $DelegatedScopes.id }).value) + @($AdditionalScopes.id | Select-Object -Unique)) -join ' '
if ($NoTranslateRequired) {
$NewScope = @($DelegatedScopes | ForEach-Object { $_.id } | Sort-Object -Unique) -join ' '
} else {
if ($NoTranslateRequired) {
$NewScope = @($DelegatedScopes | ForEach-Object { $_.id } | Sort-Object -Unique) -join ' '
} else {
$NewScope = @(($Translator | Where-Object { $_.id -in $DelegatedScopes.id }).value | Sort-Object -Unique) -join ' '
$NewScope = foreach ($Scope in $DelegatedScopes.id) {
if ($Scope -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
$TranslatedScope = ($Translator | Where-Object -Property id -EQ $Scope).value
if ($TranslatedScope) {
$TranslatedScope
}
} else {
$Scope
}
}
$NewScope = (@($NewScope) | Sort-Object -Unique) -join ' '
}

$OldScope = ($CurrentDelegatedScopes | Where-Object -Property Resourceid -EQ $svcPrincipalId.id)
Expand Down Expand Up @@ -83,7 +104,7 @@ function Add-CIPPDelegatedPermission {
# Added permissions
$Added = ($Compare | Where-Object { $_.SideIndicator -eq '=>' }).InputObject -join ' '
$Removed = ($Compare | Where-Object { $_.SideIndicator -eq '<=' }).InputObject -join ' '
$Results.add("Successfully updated permissions for $($svcPrincipalId.displayName). $(if ($Added) { "Added: $Added"}) $(if ($Removed) { "Removed: $Removed"})")
$Results.add("Successfully updated permissions for $($svcPrincipalId.displayName). $(if ($Added) { "Added: $Added"}) $(if ($Removed) { "Removed: $Removed"})")
}
}

Expand Down
4 changes: 4 additions & 0 deletions Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,10 @@ function Add-CIPPScheduledTask {
$task.Recurrence.value
}

if ([int64]$task.ScheduledTime -eq 0 -or [string]::IsNullOrEmpty($task.ScheduledTime)) {
$task.ScheduledTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
}

$entity = @{
PartitionKey = [string]'ScheduledTask'
TaskState = [string]'Planned'
Expand Down
44 changes: 44 additions & 0 deletions Modules/CIPPCore/Public/Alerts/Get-CIPPAlertHuntressRogueApps.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
function Get-CIPPAlertHuntressRogueApps {
<#
.SYNOPSIS
Check for rogue apps in a Tenant
.DESCRIPTION
This function checks for rogue apps in the tenant by comparing the service principals in the tenant with a list of known rogue apps provided by Huntress.
.FUNCTIONALITY
Entrypoint
.LINK
https://huntresslabs.github.io/rogueapps/
#>
[CmdletBinding()]
Param (
[Parameter(Mandatory = $false)]
[Alias('input')]
$InputValue,
$TenantFilter
)

try {
$RogueApps = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/huntresslabs/rogueapps/main/public/rogueapps.json'
$RogueAppFilter = $RogueApps.appId -join "','"
$ServicePrincipals = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$filter=appId in ('$RogueAppFilter')" -tenantid $TenantFilter

if (($ServicePrincipals | Measure-Object).Count -gt 0) {
$AlertData = foreach ($ServicePrincipal in $ServicePrincipals) {
$RogueApp = $RogueApps | Where-Object { $_.appId -eq $ServicePrincipal.appId }
[pscustomobject]@{
'App Name' = $RogueApp.appDisplayName
'App Id' = $RogueApp.appId
'Description' = $RogueApp.description
'Enabled' = $ServicePrincipal.accountEnabled
'Created' = $ServicePrincipal.createdDateTime
'Tags' = $RogueApp.tags -join ', '
'References' = $RogueApp.references -join ', '
'Huntress Added' = $RogueApp.dateAdded
}
}
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
}
} catch {
#Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check for rogue apps for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ function Push-ExecScheduledCommand {
Entrypoint
#>
param($Item)
$item = $Item | ConvertTo-Json -Depth 100 | ConvertFrom-Json
Write-Host "We are going to be running a scheduled task: $($Item.TaskInfo | ConvertTo-Json -Depth 10)"

$Table = Get-CippTable -tablename 'ScheduledTasks'
Expand Down Expand Up @@ -99,8 +100,16 @@ function Push-ExecScheduledCommand {
'(\d+)d$' { [int64]$matches[1] * 86400 }
default { throw "Unsupported recurrence format: $($task.Recurrence)" }
}

if ($secondsToAdd -gt 0) {
$unixtimeNow = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
if ([int64]$task.ScheduledTime -lt ($unixtimeNow - $secondsToAdd)) {
$task.ScheduledTime = $unixtimeNow
}
}

$nextRunUnixTime = [int64]$task.ScheduledTime + [int64]$secondsToAdd
Write-Host "The job is recurring and should occur again at: $nextRunUnixTime"
Write-Host "The job is recurring. It was scheduled for $($task.ScheduledTime). The next runtime should be $nextRunUnixTime"
Update-AzDataTableEntity @Table -Entity @{
PartitionKey = $task.PartitionKey
RowKey = $task.RowKey
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ function Push-AuditLogTenant {

# Get Table contexts
$AuditBundleTable = Get-CippTable -tablename 'AuditLogBundles'
$SchedulerConfig = Get-CIPPTable -TableName 'SchedulerConfig'
$SchedulerConfig = Get-CippTable -TableName 'SchedulerConfig'
$WebhookTable = Get-CippTable -tablename 'webhookTable'
$ConfigTable = Get-CIPPTable -TableName 'WebhookRules'
$ConfigTable = Get-CippTable -TableName 'WebhookRules'

# Query CIPPURL for linking
$CIPPURL = Get-CIPPAzDataTableEntity @SchedulerConfig -Filter "PartitionKey eq 'webhookcreation'" | Select-Object -First 1 -ExpandProperty CIPPURL
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
function Invoke-ExecServicePrincipals {
<#
.FUNCTIONALITY
Entrypoint
.ROLE
CIPP.Core.ReadWrite
#>
[CmdletBinding()]
param($Request, $TriggerMetadata)

$TenantFilter = $env:TenantId

$Success = $true

$Action = $Request.Query.Action ?? 'Default'
try {
switch ($Request.Query.Action) {
'Create' {
$Action = 'Create'
if ($Request.Query.AppId -match '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
$Body = @{
'appId' = $Request.Query.AppId
} | ConvertTo-Json -Compress
try {
$Results = New-GraphPostRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals' -tenantid $TenantFilter -type POST -body $Body
} catch {
$Results = "Unable to create service principal: $($_.Exception.Message)"
$Success = $false
}
} else {
$Results = 'Invalid AppId'
$Success = $false
}
}
default {
if ($Request.Query.AppId) {
$Action = 'Get'
$Results = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($Request.Query.AppId)')" -tenantid $TenantFilter -NoAuthCheck $true
} else {
$Action = 'List'
$Results = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals?$top=999&$orderby=displayName&$count=true' -ComplexFilter -tenantid $TenantFilter -NoAuthCheck $true
}
}
}
} catch {
$Results = $_.Exception.Message
$Success = $false
}

$Metadata = @{
'Action' = $Action
'Success' = $Success
}

if ($Request.Query.AppId) {
$Metadata.AppId = $Request.Query.AppId
}

$Body = @{
'Results' = $Results
'Metadata' = $Metadata
}

$Json = $Body | ConvertTo-Json -Depth 10 -Compress
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Body = $Json
})
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
function Invoke-ExecSAMAppPermissions {
<#
.FUNCTIONALITY
Entrypoint
.ROLE
CIPP.SuperAdmin.ReadWrite
#>
[CmdletBinding()]
param($Request, $TriggerMetadata)

switch ($Request.Query.Action) {
'Update' {
try {
$Permissions = $Request.Body.Permissions
$Entity = @{
'PartitionKey' = 'CIPP-SAM'
'RowKey' = 'CIPP-SAM'
'Permissions' = [string]($Permissions.Permissions | ConvertTo-Json -Depth 10 -Compress)
}
$Table = Get-CIPPTable -TableName 'AppPermissions'
$null = Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force
$Body = @{
'Results' = 'Permissions Updated'
}
} catch {
$Body = @{
'Results' = $_.Exception.Message
}
}
}
default {
$Body = Get-CippSamPermissions
}
}


Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Body = ConvertTo-Json -Depth 10 -InputObject $Body
})

}
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,14 @@ Function Invoke-AddDefenderDeployment {
iosMobileApplicationManagementEnabled = [bool]$Compliance.appSync
microsoftDefenderForEndpointAttachEnabled = [bool]$true
} | ConvertTo-Json -Compress
$SettingsRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/' -tenantid $tenant -type POST -body $SettingsObj -AsApp $true
"$($Tenant): Successfully set Defender Compliance and Reporting settings"
$ExistingSettings = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/fc780465-2017-40d4-a0c5-307022471b92' -tenantid $tenant
if ($ExistingSettings) {
"Defender Intune Configuration already active for $($Tenant). Skipping"
} else {
$SettingsRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/' -tenantid $tenant -type POST -body $SettingsObj -AsApp $true
"$($Tenant): Successfully set Defender Compliance and Reporting settings"
}


$Settings = switch ($PolicySettings) {
{ $_.ScanArchives } {
Expand Down Expand Up @@ -210,11 +216,11 @@ Function Invoke-AddDefenderDeployment {
settings = @($EDRSettings)
}
Write-Host ( $EDRbody)
$CheckExististingEDR = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant
$CheckExististingEDR = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant | Where-Object -Property Name -EQ 'EDR Configuration'
if ('EDR Configuration' -in $CheckExististingEDR.Name) {
"$($Tenant): EDR Policy already exists. Skipping"
} else {
#$EDRRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant -type POST -body $EDRbody
$EDRRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant -type POST -body $EDRbody
if ($ASR.AssignTo -ne 'none') {
$AssignBody = if ($ASR.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
$assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($EDRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,7 @@ Function Invoke-ExecJITAdmin {
}
}

$Parameters = [pscustomobject]@{
$Parameters = @{
TenantFilter = $Request.Body.TenantFilter
User = @{
'UserPrincipalName' = $Username
Expand All @@ -153,7 +153,7 @@ Function Invoke-ExecJITAdmin {
value = 'Set-CIPPUserJITAdmin'
label = 'Set-CIPPUserJITAdmin'
}
Parameters = $Parameters
Parameters = [pscustomobject]$Parameters
ScheduledTime = $Request.Body.StartDate
PostExecution = @{
Webhook = [bool]$Request.Body.PostExecution.Webhook
Expand Down
Loading

0 comments on commit 8a5a079

Please sign in to comment.