Merge remote-tracking branch 'upstream/master'

.github/workflows/dev_cipppwrro.yml

@@ -26,4 +26,4 @@ jobs:
           app-name: 'cipppwrro'
           slot-name: 'Production'
           package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
-          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_7CFCA05390754624B5492AF7ECD3D826 }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_9E109464904540339CA94F283ACE1312 }}

AddAPDevice/run.ps1

@@ -19,8 +19,10 @@ $Result = try {
     if ($groupname -in $CurrentStatus.items.id) { throw "This device batch name already exists. Please try with another name." }
     $body = '{"batchId":"' + $($GroupName) + '","devices":' + $Devices + '}'
     $GraphRequest = (New-GraphPostRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$TenantFilter/DeviceBatches" -body $body -scope 'https://api.partnercenter.microsoft.com/user_impersonation')
+    Write-Host ($GraphRequest | ConvertTo-Json)
     Start-Sleep 5
     $NewStatus = New-GraphgetRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$tenantfilter/DeviceBatches" -scope 'https://api.partnercenter.microsoft.com/user_impersonation'
+    Write-Host $($Newstatus | ConvertTo-Json)
     if ($Newstatus.totalcount -eq $CurrentStatus.totalcount) { throw "We could not find the new autopilot device. Please check if your input is correct." }
     Write-Host $CurrentStatus.Items
     Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($Request.body.TenantFilter) -message "Created Autopilot devices group. Group ID is $GroupName" -Sev "Info"

AddAlert/run.ps1

@@ -11,7 +11,8 @@ $Results = foreach ($Tenant in $tenants) {
     try {
         $TenantID = if ($tenant -ne 'AllTenants') {
             (get-tenants | Where-Object -Property defaultDomainName -EQ $Tenant).customerId
-        } else {
+        }
+        else {
             'AllTenants'
         }
         if ($Request.body.SetAlerts) {
@@ -60,7 +61,8 @@ $Results = foreach ($Tenant in $tenants) {
                     Push-OutputBinding -Name Subscription -Value $Params
                 }
             }
-        } else {
+        }
+        else {
             foreach ($eventType in $Request.body.EventTypes.value) {
                 $params = @{
                     TenantFilter     = $tenant
@@ -76,7 +78,8 @@ $Results = foreach ($Tenant in $tenants) {
         }
         "Successfully added Alert for $($Tenant) to queue."
         Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Successfully added Alert for $($Tenant) to queue." -Sev 'Info'
-    } catch {
+    }
+    catch {
         Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed to add Alert for for $($Tenant) to queue" -Sev 'Error'
         "Failed to add Alert for for $($Tenant) to queue $($_.Exception.message)"
     }

AddScheduledItem/run.ps1

@@ -7,20 +7,45 @@ $Table = Get-CIPPTable -TableName 'ScheduledTasks'
 
 $propertiesToCheck = @('Webhook', 'Email', 'PSA')
 $PostExecution = ($propertiesToCheck | Where-Object { $task.PostExecution.$_ -eq $true }) -join ','
-$Parameters = ($task.Parameters | ConvertTo-Json -Compress)
+
+$Parameters = [System.Collections.Hashtable]@{}
+foreach ($Key in $task.Parameters.Keys) {
+    $Param = $task.Parameters.$Key
+    if ($Param.Key) {
+        $ht = @{}
+        foreach ($p in $Param) {
+            Write-Host $p.Key
+            $ht[$p.Key] = $p.Value
+        }
+        $Parameters[$Key] = [PSCustomObject]$ht
+    } else {
+        $Parameters[$Key] = $Param
+    }
+}
+
+$Parameters = ($Parameters | ConvertTo-Json -Compress)
+
+$AdditionalProperties = [System.Collections.Hashtable]@{}
+foreach ($Prop in $task.AdditionalProperties) {
+    $AdditionalProperties[$Prop.Key] = $Prop.Value
+}
+$AdditionalProperties = ([PSCustomObject]$AdditionalProperties | ConvertTo-Json -Compress)
+
+
 if ($Parameters -eq 'null') { $Parameters = '' }
 $entity = @{
-    PartitionKey  = [string]'ScheduledTask'
-    TaskState     = [string]'Planned'
-    RowKey        = [string]"$(New-Guid)"
-    Tenant        = [string]$task.TenantFilter
-    Name          = [string]$task.Name
-    Command       = [string]$task.Command.value
-    Parameters    = [string]$Parameters
-    ScheduledTime = [string]$task.ScheduledTime
-    Recurrence    = [string]$task.Recurrence.value
-    PostExecution = [string]$PostExecution
-    Results       = 'Planned'
+    PartitionKey         = [string]'ScheduledTask'
+    TaskState            = [string]'Planned'
+    RowKey               = [string]"$(New-Guid)"
+    Tenant               = [string]$task.TenantFilter
+    Name                 = [string]$task.Name
+    Command              = [string]$task.Command.value
+    Parameters           = [string]$Parameters
+    ScheduledTime        = [string]$task.ScheduledTime
+    Recurrence           = [string]$task.Recurrence.value
+    PostExecution        = [string]$PostExecution
+    AdditionalProperties = [string]$AdditionalProperties
+    Results              = 'Planned'
 }
 Write-Host "entity: $($entity | ConvertTo-Json)"
 Add-AzDataTableEntity @Table -Entity $entity

AddUser/run.ps1

@@ -36,6 +36,14 @@ try {
         }
     } 
     if ($userobj.businessPhone) { $bodytoShip | Add-Member -NotePropertyName businessPhones -NotePropertyValue @($userobj.businessPhone) }
+    if ($userobj.addedAttributes) {
+        Write-Host "Found added attribute"
+        Write-Host "Added attributes: $($userobj.addedAttributes | ConvertTo-Json)"
+        $userobj.addedAttributes.getenumerator() | ForEach-Object {
+            $results.add("Added property $($_.Key) with value $($_.value)")
+            $bodytoShip | Add-Member -NotePropertyName $_.Key -NotePropertyValue $_.Value
+        }
+    }
     $bodyToShip = ConvertTo-Json -Depth 10 -InputObject $BodyToship -Compress
     $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users" -tenantid $Userobj.tenantid -type POST -body $BodyToship  -verbose
     Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid)  -message "Created user $($userobj.displayname) with id $($GraphRequest.id) " -Sev "Info"

Cache_SAMSetup/PermissionsTranslator.json

@@ -2986,7 +2986,7 @@
     "description": "Read activity data for your organization",
     "displayName": "Allows the application to read activity data for your organization.",
     "id": "594c1fb6-4f81-4475-ae41-0c394909246c",
-    "Origin": "Delegated",
+    "Origin": "Delegated  (Office 365 Management)",
     "userConsentDescription": "Read activity data for your organization",
     "userConsentDisplayName": "Allows the application to read activity data for your organization.",
     "value": "ActivityFeed.Read"

EditGroup/run.ps1

@@ -28,11 +28,11 @@ if ($AddMembers) {
             else {
                 New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)" -tenantid $Userobj.tenantid -type patch -body $addmemberbody -Verbose
             }
-            Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupid) group" -Sev "Info"
+            Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev "Info"
             $body = $results.add("Success. $member has been added")
         }
         catch {
-            $body = $results.add("Failed to add member $member to $($userobj.Groupid): $($_.Exception.Message)")
+            $body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)")
         }
     }
 
@@ -46,7 +46,7 @@ if ($AddContacts) {
             if ($userobj.groupType -eq "Distribution list" -or $userobj.groupType -eq "Mail-Enabled Security") {
                 $Params = @{ Identity = $userobj.groupid; Member = $member; BypassSecurityGroupManagerCheck = $true }
                 New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Add-DistributionGroupMember" -cmdParams $params  -UseSystemMailbox $true
-                Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupid) group" -Sev "Info"
+                Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev "Info"
                 $body = $results.add("Success. $member has been added")
             }
             else {
@@ -55,7 +55,7 @@ if ($AddContacts) {
             }
         }
         catch {
-            $body = $results.add("Failed to add member $member to $($userobj.Groupid): $($_.Exception.Message)")
+            $body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)")
         }
     }
 
@@ -74,14 +74,14 @@ try {
                 $MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid)
                 New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/members/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE 
             }
-            Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal'  -message "Removed $member from $($userobj.groupid) group" -Sev "Info"
+            Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal'  -message "Removed $member from $($userobj.groupName) group" -Sev "Info"
             $body = $results.add("Success. Member $member has been removed")
         }  
     }
 }
 catch {
     Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Add member API failed. $($_.Exception.Message)" -Sev "Error"
-    $body = $results.add("Could not remove $RemoveMembers from $($userobj.Groupid). $($_.Exception.Message)")
+    $body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). $($_.Exception.Message)")
 }
 
 $AddOwners = $userobj.Addowner.value
@@ -92,11 +92,11 @@ try {
                 $ID = "https://graph.microsoft.com/beta/users/" + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid).id
                 Write-Host $ID
                 $AddOwner = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/`$ref" -tenantid $Userobj.tenantid -type POST -body ('{"@odata.id": "' + $ID + '"}')
-                Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal'  -message "Added owner $_ to $($userobj.groupid) group" -Sev "Info"
+                Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal'  -message "Added owner $_ to $($userobj.groupName) group" -Sev "Info"
                 $body = $results.add("Success. $_ has been added")
             }
             catch {
-                $body = $results.add("Failed to add owner $_ to $($userobj.Groupid): $($_.Exception.Message)")
+                $body = $results.add("Failed to add owner $_ to $($userobj.groupName): $($_.Exception.Message)")
             }
         }
 
@@ -115,17 +115,17 @@ try {
                 $MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid)
                 New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE 
                 Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal'  -message "Removed $($MemberInfo.UserPrincipalname) from $($userobj.displayname) group" -Sev "Info"
-                $body = $results.add("Success. Member $_ has been removed from $($userobj.Groupid)")
+                $body = $results.add("Success. Member $_ has been removed from $($userobj.groupName)")
             }
             catch {
-                $body = $results.add("Failed to remove $_ from $($userobj.Groupid): $($_.Exception.Message)")
+                $body = $results.add("Failed to remove $_ from $($userobj.groupName): $($_.Exception.Message)")
             }
         }  
     }
 }
 catch {
     Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Add member API failed. $($_.Exception.Message)" -Sev "Error"
-    $body = $results.add("Could not remove $RemoveMembers from $($userobj.Groupid). $($_.Exception.Message)")
+    $body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). $($_.Exception.Message)")
 }
 
 if ($userobj.allowExternal -eq 'true') {
@@ -138,13 +138,13 @@ if ($userobj.allowExternal -eq 'true') {
             $Params = @{ Identity = $userobj.groupid; RequireSenderAuthenticationEnabled = $false }
             New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Set-UnifiedGroup" -cmdParams $params
         }
-        $body = $results.add("Allowed external senders to send to $($userobj.Groupid).")
-        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Allowed external senders to send to $($userobj.Groupid)" -Sev "Error"
+        $body = $results.add("Allowed external senders to send to $($userobj.groupName).")
+        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Allowed external senders to send to $($userobj.groupName)" -Sev "Error"
 
     }
     catch {
-        $body = $results.add("Failed to allow external senders to send to $($userobj.Groupid).")
-        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to allow external senders for $($userobj.Groupid). $($_.Exception.Message)" -Sev "Error"
+        $body = $results.add("Failed to allow external senders to send to $($userobj.groupName).")
+        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to allow external senders for $($userobj.groupName). $($_.Exception.Message)" -Sev "Error"
     }
 
 }

ExecAddMultiTenantApp/function.json

@@ -0,0 +1,18 @@
+{
+  "scriptFile": "../Modules/CippEntryPoints/CippEntryPoints.psm1",
+  "entryPoint": "Receive-CippHttpTrigger",
+  "bindings": [
+    {
+      "authLevel": "anonymous",
+      "type": "httpTrigger",
+      "direction": "in",
+      "name": "Request",
+      "methods": ["get", "post"]
+    },
+    {
+      "type": "http",
+      "direction": "out",
+      "name": "Response"
+    }
+  ]
+}

ExecCPVPermissions/run.ps1

@@ -9,93 +9,17 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME  -
 
 # Write to the Azure Functions log stream.
 Write-Host "PowerShell HTTP trigger function processed a request."
-
-# Interact with query parameters or the body of the request.
-$TenantFilter = $Request.Query.TenantFilter
-Set-Location (Get-Item $PSScriptRoot).Parent.FullName
-
-$Translator = Get-Content '.\Cache_SAMSetup\PermissionsTranslator.json' | ConvertFrom-Json
-$ExpectedPermissions = Get-Content '.\Cache_SAMSetup\SAMManifest.json' | ConvertFrom-Json
-try {
-    $DeleteOldPermissions = New-GraphpostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($env:ApplicationID)" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID
-
-}
-catch {
-    "no old permissions to delete, moving on"
-}
-
-$GraphRequest = $ExpectedPermissions.requiredResourceAccess | ForEach-Object { 
-    try {
-        $Resource = $_
-        $Permissionsname = switch ($Resource.ResourceAppId) {
-            '00000002-0000-0ff1-ce00-000000000000' { 'Office 365 Exchange Online' }
-            '00000003-0000-0000-c000-000000000000' { "Graph API" }
-            'fc780465-2017-40d4-a0c5-307022471b92' { 'WindowsDefenderATP' }
-            '00000003-0000-0ff1-ce00-000000000000' { 'Sharepoint' }
-            '48ac35b8-9aa8-4d74-927d-1f4a14a0b239' { 'Skype and Teams Tenant Admin API' }
-            'c5393580-f805-4401-95e8-94b7a6ef2fc2' { 'Office 365 Management API' }
-
-        }
-        $Scope = ($Translator | Where-Object { $_.id -in $Resource.ResourceAccess.id } | Where-Object { $_.value -notin 'profile', 'openid', 'offline_access' }).value -join ', '
-        if ($Scope) {
-            $RequiredCPVPerms = [PSCustomObject]@{
-                EnterpriseApplicationId = $_.ResourceAppId
-                Scope                   = "$Scope"
-            }
-            $AppBody = @"
-{
-  "ApplicationGrants":[ $(ConvertTo-Json -InputObject $RequiredCPVPerms -Compress -Depth 10)],
-  "ApplicationId": "$($env:ApplicationID)"}
-"@
-            $CPVConsent = New-GraphpostRequest -body $AppBody -Type POST -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID
-            "Succesfully set CPV permissions for $Permissionsname"
-
-        } 
-    }
-    catch {
-        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME  -message "Could not set CPV permissions for $PermissionsName. Does the Tenant have a license for this API. error: $($_.Exception.message)" -Sev "Error"
-        "Could not set CPV permissions for $PermissionsName. Does the Tenant have a license for this API? Error: $($_.Exception.message)"
-    }
-}
-
-try {
-    $ourSVCPrincipal = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($ENV:applicationid)')" -tenantid $Tenantfilter
-    $CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $tenantfilter
-
+$TenantFilter = (get-tenants -IncludeAll -IncludeErrors | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName
+Write-Host "Our Tenantfilter is $TenantFilter"
+$GraphRequest = try {
+    Set-CIPPCPVConsent -Tenantfilter $TenantFilter
+    Add-CIPPApplicationPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter
+    Add-CIPPDelegatedPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter
 }
 catch {
-    #this try catch exists because of 500 errors when the app principal does not exist. :)
-}
-# if the app svc principal exists, consent app permissions
-$apps = $ExpectedPermissions 
-#get current roles
-#If 
-$Grants = foreach ($App in $apps.requiredResourceAccess) {
-    try {
-        $svcPrincipalId = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($app.resourceAppId)')" -tenantid $tenantfilter
-    }
-    catch {
-        continue
-    }
-    foreach ($SingleResource in $app.ResourceAccess | Where-Object -Property Type -EQ "Role") {
-        if ($singleresource.id -In $currentroles.appRoleId) { continue }
-        [pscustomobject]@{
-            principalId = $($ourSVCPrincipal.id)
-            resourceId  = $($svcPrincipalId.id)
-            appRoleId   = "$($SingleResource.Id)"
-        }
-    } 
-} 
-foreach ($Grant in $grants) {
-    try {
-        $SettingsRequest = New-GraphPOSTRequest -body ($grant | ConvertTo-Json) -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo" -tenantid $tenantfilter -type POST
-    }
-    catch {
-        "Failed to grant $($grant.appRoleId) to $($grant.resourceId): $($_.Exception.Message). "
-    }
+    "Failed to update permissions for $($TenantFilter): $($_.Exception.Message)" 
 }
 
-
 # Associate values to output bindings by calling 'Push-OutputBinding'.
 Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
         StatusCode = [HttpStatusCode]::OK