From 5e051b76bd79dd5263f57375853d39c17d107ed7 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Sat, 23 Sep 2023 13:12:09 -0400 Subject: [PATCH 01/79] Fix parameter types --- .../Public/Core Functions/Get-GraphRequestList.ps1 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Modules/GraphRequests/Public/Core Functions/Get-GraphRequestList.ps1 b/Modules/GraphRequests/Public/Core Functions/Get-GraphRequestList.ps1 index 33b0711f43ae5..e04f4e9af019b 100644 --- a/Modules/GraphRequests/Public/Core Functions/Get-GraphRequestList.ps1 +++ b/Modules/GraphRequests/Public/Core Functions/Get-GraphRequestList.ps1 @@ -1,15 +1,15 @@ function Get-GraphRequestList { [CmdletBinding()] Param( - $Tenant = $env:TenantId, + [string]$Tenant = $env:TenantId, [Parameter(Mandatory = $true)] - $Endpoint, - $Parameters = @(), - $QueueId, - $CippLink, + [string]$Endpoint, + [hashtable]$Parameters = @{}, + [string]$QueueId, + [string]$CippLink, [ValidateSet('v1.0', 'beta')] - $Version = 'beta', - $QueueNameOverride, + [string]$Version = 'beta', + [string]$QueueNameOverride, [switch]$SkipCache, [switch]$ClearCache, [switch]$NoPagination, From 410aeb816aa4dde8f9a6c60664c104b657b36c99 Mon Sep 17 00:00:00 2001 From: Jr7468 <126574444+Jr7468@users.noreply.github.com> Date: Wed, 27 Sep 2023 11:45:28 +0100 Subject: [PATCH 02/79] Changed groupId to groupName for logging legibility --- EditGroup/run.ps1 | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/EditGroup/run.ps1 b/EditGroup/run.ps1 index b07c515725084..ed3f3afa4f7d4 100644 --- a/EditGroup/run.ps1 +++ b/EditGroup/run.ps1 
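Review bot: `[hashtable]$Parameters = @{}` changes both the type constraint and the default of -Parameters (previously an untyped `@()`), so any existing caller of Get-GraphRequestList that passes an array will now fail parameter binding instead of quietly working; this series does not touch callers, so they are worth grepping before merge. The new `[string]` constraints on `$QueueId`, `$CippLink` and `$QueueNameOverride` also mean an omitted argument binds as `''` rather than `$null`, which is still falsy but no longer satisfies an `-eq $null` test — the function body is outside this hunk, so any such check there silently changes meaning. A short note in the param block, `# Unset [string] params bind as '' — test with [string]::IsNullOrEmpty, not -eq $null`, would keep that from being rediscovered.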
@@ -28,11 +28,11 @@ if ($AddMembers) { else { New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)" -tenantid $Userobj.tenantid -type patch -body $addmemberbody -Verbose } - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupid) group" -Sev "Info" + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev "Info" $body = $results.add("Success. $member has been added") } catch { - $body = $results.add("Failed to add member $member to $($userobj.Groupid): $($_.Exception.Message)") + $body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)") } } @@ -46,7 +46,7 @@ if ($AddContacts) { if ($userobj.groupType -eq "Distribution list" -or $userobj.groupType -eq "Mail-Enabled Security") { $Params = @{ Identity = $userobj.groupid; Member = $member; BypassSecurityGroupManagerCheck = $true } New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Add-DistributionGroupMember" -cmdParams $params -UseSystemMailbox $true - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupid) group" -Sev "Info" + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev "Info" $body = $results.add("Success. $member has been added") } else { @@ -55,7 +55,7 @@ if ($AddContacts) { } } catch { - $body = $results.add("Failed to add member $member to $($userobj.Groupid): $($_.Exception.Message)") + $body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)") } } 
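Review bot: Replacing `$($userobj.groupid)` with `$($userobj.groupName)` in the `Write-LogMessage` calls removes the only unique identifier from the audit entry for a membership change, and `groupName` appears to come from the same request-supplied object as the rest of `$userobj`, so the log now records a caller-supplied, non-unique display name. Keeping both preserves legibility without losing traceability: `-message "Added $member to $($userobj.groupName) ($($userobj.groupid)) group"`. The same substitution is made in the hunks at @@ -74, @@ -92 and @@ -115 (member/owner removal and owner add); the Graph URLs in those hunks still correctly use `groupid`.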
@@ -74,14 +74,14 @@ try { $MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid) New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/members/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE } - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $member from $($userobj.groupid) group" -Sev "Info" + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $member from $($userobj.groupName) group" -Sev "Info" $body = $results.add("Success. Member $member has been removed") } } } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Add member API failed. $($_.Exception.Message)" -Sev "Error" - $body = $results.add("Could not remove $RemoveMembers from $($userobj.Groupid). $($_.Exception.Message)") + $body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). $($_.Exception.Message)") } $AddOwners = $userobj.Addowner.value 
@@ -92,11 +92,11 @@ try { $ID = "https://graph.microsoft.com/beta/users/" + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid).id Write-Host $ID $AddOwner = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/`$ref" -tenantid $Userobj.tenantid -type POST -body ('{"@odata.id": "' + $ID + '"}') - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added owner $_ to $($userobj.groupid) group" -Sev "Info" + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added owner $_ to $($userobj.groupName) group" -Sev "Info" $body = $results.add("Success. $_ has been added") } catch { - $body = $results.add("Failed to add owner $_ to $($userobj.Groupid): $($_.Exception.Message)") + $body = $results.add("Failed to add owner $_ to $($userobj.groupName): $($_.Exception.Message)") } } 
@@ -115,17 +115,17 @@ try { $MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid) New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $($MemberInfo.UserPrincipalname) from $($userobj.displayname) group" -Sev "Info" - $body = $results.add("Success. Member $_ has been removed from $($userobj.Groupid)") + $body = $results.add("Success. Member $_ has been removed from $($userobj.groupName)") } catch { - $body = $results.add("Failed to remove $_ from $($userobj.Groupid): $($_.Exception.Message)") + $body = $results.add("Failed to remove $_ from $($userobj.groupName): $($_.Exception.Message)") } } } } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Add member API failed. $($_.Exception.Message)" -Sev "Error" - $body = $results.add("Could not remove $RemoveMembers from $($userobj.Groupid). $($_.Exception.Message)") + $body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). $($_.Exception.Message)") } if ($userobj.allowExternal -eq 'true') { 
@@ -138,13 +138,13 @@ if ($userobj.allowExternal -eq 'true') { $Params = @{ Identity = $userobj.groupid; RequireSenderAuthenticationEnabled = $false } New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Set-UnifiedGroup" -cmdParams $params } - $body = $results.add("Allowed external senders to send to $($userobj.Groupid).") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Allowed external senders to send to $($userobj.Groupid)" -Sev "Error" + $body = $results.add("Allowed external senders to send to $($userobj.groupName).") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Allowed external senders to send to $($userobj.groupName)" -Sev "Error" } catch { - $body = $results.add("Failed to allow external senders to send to $($userobj.Groupid).") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to allow external senders for $($userobj.Groupid). $($_.Exception.Message)" -Sev "Error" + $body = $results.add("Failed to allow external senders to send to $($userobj.groupName).") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to allow external senders for $($userobj.groupName). $($_.Exception.Message)" -Sev "Error" } } From 540c10d2faf048c7497dc6dc9d7a89e6404363ee Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Thu, 28 Sep 2023 12:27:23 +0200 Subject: [PATCH 03/79] tenantid filter --- Modules/CIPPCore/Public/Send-CIPPAlert.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 b/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 index be9d5c7063811..d7b21125ce6ef 100644 --- a/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 +++ b/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 
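Review bot: The rewritten success line `Write-LogMessage ... -message "Allowed external senders to send to $($userobj.groupName)" -Sev "Error"` records a successful configuration change at Error severity, so anyone filtering or alerting on Error-level entries gets a false alarm each time external senders are enabled. This commit touches that line, so it is the moment to correct it to `-Sev "Info"`. Since this path turns off `RequireSenderAuthenticationEnabled` for the group, it is also the kind of change that should remain searchable by group id, not only by display name.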
@@ -81,7 +81,7 @@ function Send-CIPPAlert { try { $Alert = @{ - TenantId = $Tenant + TenantId = $TenantFilter AlertText = "$HTMLContent" AlertTitle = "$($Title)" } From 61d4501361e3ce54b1bfeae679f850abeea3ba5a Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Thu, 28 Sep 2023 13:10:27 +0100 Subject: [PATCH 04/79] Added -Tenant to log Added -Tenant to log --- Modules/CIPPCore/Public/Send-CIPPAlert.ps1 | 4 ++-- Scheduler_CIPPNotifications/run.ps1 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 b/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 index d7b21125ce6ef..eea1166b81b25 100644 --- a/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 +++ b/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 @@ -86,12 +86,12 @@ function Send-CIPPAlert { AlertTitle = "$($Title)" } New-CippExtAlert -Alert $Alert - Write-LogMessage -API 'Webhook Alerts' -message "Sent PSA alert $title" -sev info + Write-LogMessage -API 'Webhook Alerts' -tenant $TenantFilter -message "Sent PSA alert $title" -sev info } catch { Write-Host "Could not send alerts to ticketing system: $($_.Exception.message)" - Write-LogMessage -API 'Webhook Alerts' -message "Could not send alerts to ticketing system: $($_.Exception.message)" -sev info + Write-LogMessage -API 'Webhook Alerts' -tenant $TenantFilter -message "Could not send alerts to ticketing system: $($_.Exception.message)" -sev info } } } diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1 index 19d4f19b8e2d2..0addf8cd56b3b 100644 --- a/Scheduler_CIPPNotifications/run.ps1 +++ b/Scheduler_CIPPNotifications/run.ps1 @@ -156,7 +156,7 @@ if ($config.sendtoIntegration) { } catch { Write-Host "Could not send alerts to ticketing system: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to : $($_.Exception.message)" -sev info } } 
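Review bot: `TenantId = $TenantFilter` references a variable that is not assigned anywhere in the hunk; the param block of Send-CIPPAlert is outside the hunk, so this is only correct if `$TenantFilter` is a parameter or is set earlier in the function. If it is not, PowerShell resolves it to `$null` without error (absent Set-StrictMode) and every PSA alert is created with an empty TenantId, a regression that would only surface in the ticketing system. A comment on this line such as `# $TenantFilter is the function's tenant parameter` (or the corresponding param declaration, if missing) would make the dependency visible.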
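Review bot: Both rewritten catch-block lines — `Write-LogMessage -API 'Webhook Alerts' -tenant $TenantFilter -message "Could not send alerts to ticketing system: ..." -sev info` in Send-CIPPAlert and `Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to : ..." -sev info` in Scheduler_CIPPNotifications — record a failed alert delivery at Info severity. These are the paths where a security alert silently fails to reach the PSA, so they should be `-sev Error` so the failure stands out in log filtering; the Scheduler message is also missing the target name after "to :". Adding the tenant to these lines is the right moment to fix the severity as well.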
From 6043cba1bb41a3a2dfdaf036ae3062ca0c46a091 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 29 Sep 2023 11:38:18 +0200 Subject: [PATCH 05/79] temporary write host --- AddAPDevice/run.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/AddAPDevice/run.ps1 b/AddAPDevice/run.ps1 index 3108368b2086c..32ef68ecc146d 100644 --- a/AddAPDevice/run.ps1 +++ b/AddAPDevice/run.ps1 @@ -21,6 +21,7 @@ $Result = try { $GraphRequest = (New-GraphPostRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$TenantFilter/DeviceBatches" -body $body -scope 'https://api.partnercenter.microsoft.com/user_impersonation') Start-Sleep 5 $NewStatus = New-GraphgetRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$tenantfilter/DeviceBatches" -scope 'https://api.partnercenter.microsoft.com/user_impersonation' + Write-Host $($Newstatus | ConvertTo-Json) if ($Newstatus.totalcount -eq $CurrentStatus.totalcount) { throw "We could not find the new autopilot device. Please check if your input is correct." } Write-Host $CurrentStatus.Items Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($Request.body.TenantFilter) -message "Created Autopilot devices group. Group ID is $GroupName" -Sev "Info" From fae4f1d3d21cff7e1b286c66110970be0f8e7afd Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 29 Sep 2023 11:43:49 +0200 Subject: [PATCH 06/79] added troubleshooting writehost --- AddAPDevice/run.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/AddAPDevice/run.ps1 b/AddAPDevice/run.ps1 index 32ef68ecc146d..7f689191c4c55 100644 --- a/AddAPDevice/run.ps1 +++ b/AddAPDevice/run.ps1 
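Review bot: `Write-Host $($Newstatus | ConvertTo-Json)` writes the entire Partner Center DeviceBatches listing into the function host log, and the next commit (@@ -19 in the same file) adds `Write-Host ($GraphRequest | ConvertTo-Json)` for the POST response. The commit message calls this temporary, but nothing in the code marks it so; the listing presumably carries per-device identifiers for every batch in the tenant, which would then persist in the host's log sink under its own retention and access rules. Either remove these before release or gate them behind a debug setting and tag them, e.g. `# TODO(kelvin): troubleshooting output — remove before release`.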
@@ -19,6 +19,7 @@ $Result = try { if ($groupname -in $CurrentStatus.items.id) { throw "This device batch name already exists. Please try with another name." } $body = '{"batchId":"' + $($GroupName) + '","devices":' + $Devices + '}' $GraphRequest = (New-GraphPostRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$TenantFilter/DeviceBatches" -body $body -scope 'https://api.partnercenter.microsoft.com/user_impersonation') + Write-Host ($GraphRequest | ConvertTo-Json) Start-Sleep 5 $NewStatus = New-GraphgetRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$tenantfilter/DeviceBatches" -scope 'https://api.partnercenter.microsoft.com/user_impersonation' Write-Host $($Newstatus | ConvertTo-Json) From 28a542a51bcd461c4fc41c83c583aee11de62ce5 Mon Sep 17 00:00:00 2001 From: Jr7468 Date: Thu, 5 Oct 2023 22:21:16 +0100 Subject: [PATCH 07/79] Improved wording on result and log messages --- ExecEditMailboxPermissions/run.ps1 | 36 +++++++++++++++--------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/ExecEditMailboxPermissions/run.ps1 b/ExecEditMailboxPermissions/run.ps1 index 601a7f0c00702..0b72530ce29ae 100644 --- a/ExecEditMailboxPermissions/run.ps1 +++ b/ExecEditMailboxPermissions/run.ps1 @@ -20,7 +20,7 @@ foreach ($RemoveUser in $RemoveFullAccess) { } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Could not remove mailbox permissions for $($removeuser) on $($username)" -Sev "Error" -tenant $TenantFilter - $results.add("Could not remove shared mailbox permissions for $($username). Error: $($_.Exception.Message)") + $results.add("Could not remove $($removeuser) shared mailbox permissions for $($username). Error: $($_.Exception.Message)") } } $AddFullAccess = ($Request.body.AddFullAccess).value 
@@ -28,13 +28,13 @@ $AddFullAccess = ($Request.body.AddFullAccess).value foreach ($UserAutomap in $AddFullAccess) { try { $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet "Add-MailboxPermission" -cmdParams @{Identity = $userid; user = $UserAutomap; accessRights = @("FullAccess"); automapping = $true } - $results.add( "added $($UserAutomap) to $($username) Mailbox with automapping") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Gave full permissions to $($UserAutomap) on $($username)" -Sev "Info" -tenant $TenantFilter + $results.add( "Granted $($UserAutomap) access to $($username) Mailbox with automapping") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Granted $($UserAutomap) access to $($username) Mailbox with automapping" -Sev "Info" -tenant $TenantFilter } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Could not add mailbox permissions for $($UserAutomap) on $($username)" -Sev "Error" -tenant $TenantFilter - $results.add( "Could not add shared mailbox permissions for $($username). Error: $($_.Exception.Message)") + $results.add( "Could not add $($UserAutomap) shared mailbox permissions for $($username). Error: $($_.Exception.Message)") } } $AddFullAccessNoAutoMap = ($Request.body.AddFullAccessNoAutoMap).value 
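Review bot: The rewritten Write-LogMessage lines in this hunk (and in the hunks at @@ -42, @@ -56, @@ -71, @@ -84 and @@ -98) still carry `-API $APINAME-message "Granted ..."` with no space before `-message`. In PowerShell argument mode that token expands to the single string `<value of $APINAME>-message`, so the API name gains a `-message` suffix and the message text is passed positionally rather than to -message; whether the entry then comes out right depends entirely on Write-LogMessage's positional binding, which is outside this diff. Since each of these lines is being rewritten for wording anyway, insert the space: `-API $APINAME -message "Granted $($UserAutomap) access to $($username) Mailbox with automapping"`.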
@@ -42,12 +42,12 @@ $AddFullAccessNoAutoMap = ($Request.body.AddFullAccessNoAutoMap).value foreach ($UserNoAutomap in $AddFullAccessNoAutoMap) { try { $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet "Add-MailboxPermission" -cmdParams @{Identity = $userid; user = $UserNoAutomap; accessRights = @("FullAccess"); automapping = $false } - $results.add( "added $UserNoAutomap to $($username) Mailbox without automapping") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Gave full permissions to $($UserNoAutomap) on $($username)" -Sev "Info" -tenant $TenantFilter + $results.add( "Granted $UserNoAutomap access to $($username) Mailbox without automapping") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Granted $UserNoAutomap access to $($username) Mailbox without automapping" -Sev "Info" -tenant $TenantFilter } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Could not add mailbox permissions for $($UserNoAutomap) on $($username)" -Sev "Error" -tenant $TenantFilter - $results.add("Could not add shared mailbox permissions for $($username). Error: $($_.Exception.Message)") + $results.add("Could not add $($UserNoAutomap) shared mailbox permissions for $($username). Error: $($_.Exception.Message)") } } 
@@ -56,12 +56,12 @@ $AddSendAS = ($Request.body.AddSendAs).value foreach ($UserSendAs in $AddSendAS) { try { $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet "Add-RecipientPermission" -cmdParams @{Identity = $userid; Trustee = $UserSendAs; accessRights = @("SendAs") } - $results.add( "added $UserSendAs to $($username) with Send As permissions") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Gave sendas permissions to $($UserSendAs) on $($username)" -Sev "Info" -tenant $TenantFilter + $results.add( "Granted $UserSendAs access to $($username) with Send As permissions") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Granted $UserSendAs access to $($username) with Send As permissions" -Sev "Info" -tenant $TenantFilter } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Could not add mailbox permissions for $($UserSendAs) on $($username)" -Sev "Error" -tenant $TenantFilter - $results.add("Could not add send-as permissions for $($username). Error: $($_.Exception.Message)") + $results.add("Could not add $($UserSendAs) send-as permissions for $($username). Error: $($_.Exception.Message)") } } 
@@ -71,11 +71,11 @@ foreach ($UserSendAs in $RemoveSendAs) { try { $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet "Remove-RecipientPermission" -cmdParams @{Identity = $userid; Trustee = $UserSendAs; accessRights = @("SendAs") } $results.add( "Removed $UserSendAs from $($username) with Send As permissions") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Remove sendas permissions to $($UserSendAs) on $($username)" -Sev "Info" -tenant $TenantFilter + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Removed $UserSendAs from $($username) with Send As permissions" -Sev "Info" -tenant $TenantFilter } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Could not remove mailbox permissions for $($UserSendAs) on $($username)" -Sev "Error" -tenant $TenantFilter - $results.add("Could not remove send-as permissions for $($username). Error: $($_.Exception.Message)") + $results.add("Could not remove $($UserSendAs) send-as permissions for $($username). Error: $($_.Exception.Message)") } } 
@@ -84,12 +84,12 @@ $AddSendOnBehalf = ($Request.body.AddSendOnBehalf).value foreach ($UserSendOnBehalf in $AddSendOnBehalf) { try { $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet "Set-Mailbox" -cmdParams @{Identity = $userid; GrantSendonBehalfTo = @{'@odata.type' = '#Exchange.GenericHashTable'; add = $UserSendOnBehalf}; } - $results.add( "added $UserSendOnBehalf to $($username) with Send On Behalf Permissions") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Gave send on behalf permissions to $($UserSendOnBehalf) on $($username)" -Sev "Info" -tenant $TenantFilter + $results.add( "Granted $UserSendOnBehalf access to $($username) with Send On Behalf Permissions") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Granted $UserSendOnBehalf access to $($username) with Send On Behalf Permissions" -Sev "Info" -tenant $TenantFilter } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Could not add send on behalf permissions for $($UserSendOnBehalf) on $($username)" -Sev "Error" -tenant $TenantFilter - $results.add("Could not add send on behalf permissions for $($username). Error: $($_.Exception.Message)") + $results.add("Could not add $($UserSendOnBehalf) send on behalf permissions for $($username). Error: $($_.Exception.Message)") } } 
@@ -98,12 +98,12 @@ $RemoveSendOnBehalf = ($Request.body.RemoveSendOnBehalf).value foreach ($UserSendOnBehalf in $RemoveSendOnBehalf) { try { $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet "Set-Mailbox" -cmdParams @{Identity = $userid; GrantSendonBehalfTo = @{'@odata.type' = '#Exchange.GenericHashTable'; remove = $UserSendOnBehalf}; } - $results.add( "Removed Send On Behalf Permissions $UserSendOnBehalf on $($username)") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Removed Send On Behalf Permissions to $($UserSendOnBehalf) on $($username)" -Sev "Info" -tenant $TenantFilter + $results.add( "Removed $UserSendOnBehalf from $($username) Send on Behalf Permissions") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Removed $UserSendOnBehalf from $($username) Send on Behalf Permissions" -Sev "Info" -tenant $TenantFilter } catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME-message "Could not Remove send on behalf permissions for $($UserSendOnBehalf) on $($username)" -Sev "Error" -tenant $TenantFilter - $results.add("Could not remove send on behalf permissions for $($username). Error: $($_.Exception.Message)") + $results.add("Could not remove $($UserSendOnBehalf) send on behalf permissions for $($username). Error: $($_.Exception.Message)") } } From f782801e120fec4c8edc8c8c3d7bb5a9cd665af7 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 6 Oct 2023 19:17:49 +0200 Subject: [PATCH 08/79] activity feed add --- Cache_SAMSetup/PermissionsTranslator.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cache_SAMSetup/PermissionsTranslator.json b/Cache_SAMSetup/PermissionsTranslator.json index fdb6b61d88a0e..27c5a7e6463f5 100644 --- a/Cache_SAMSetup/PermissionsTranslator.json +++ b/Cache_SAMSetup/PermissionsTranslator.json 
@@ -2986,7 +2986,7 @@ "description": "Read activity data for your organization", "displayName": "Allows the application to read activity data for your organization.", "id": "594c1fb6-4f81-4475-ae41-0c394909246c", - "Origin": "Delegated", + "Origin": "Delegated (Office 365 Management)", "userConsentDescription": "Read activity data for your organization", "userConsentDisplayName": "Allows the application to read activity data for your organization.", "value": "ActivityFeed.Read" From c669b190f05dde7409a0b7a927e12a7e854f2d1f Mon Sep 17 00:00:00 2001 From: John Duprey Date: Fri, 6 Oct 2023 17:33:57 -0400 Subject: [PATCH 09/79] ExecScheduledCommand - Update webhook payload to separate task metadata and selected tenant from results --- ExecScheduledCommand/run.ps1 | 48 +++++++++++++++++++----------------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/ExecScheduledCommand/run.ps1 b/ExecScheduledCommand/run.ps1 index d08f4fe6ccaaa..faef5ae522595 100644 --- a/ExecScheduledCommand/run.ps1 +++ b/ExecScheduledCommand/run.ps1 
@@ -6,28 +6,26 @@ $task = $QueueItem.TaskInfo $commandParameters = $QueueItem.Parameters $tenant = $QueueItem.Parameters['TenantFilter'] -Write-Host "started task" +Write-Host 'started task' try { try { $results = & $QueueItem.command @commandParameters - } - catch { + } catch { $results = "Task Failed: $($_.Exception.Message)" - + } - - Write-Host "ran the command" + + Write-Host 'ran the command' if ($results.GetType() -eq [String]) { $results = @{ Results = $results } } - $results = $results | Select-Object *, @{l = 'TaskInfo'; e = { $QueueItem.TaskInfo } } -ExcludeProperty RowKey, PartitionKey + $results = $results | Select-Object * -ExcludeProperty RowKey, PartitionKey $StoredResults = $results | ConvertTo-Json -Compress -Depth 20 | Out-String - if ($StoredResults.Length -gt 64000 -or $task.Tenant -eq "AllTenants") { - $StoredResults = @{ Results = "The results for this query are too long to store in this table, or the query was meant for All Tenants. Please use the options to send the results to another target to be able to view the results. " } | ConvertTo-Json -Compress + if ($StoredResults.Length -gt 64000 -or $task.Tenant -eq 'AllTenants') { + $StoredResults = @{ Results = 'The results for this query are too long to store in this table, or the query was meant for All Tenants. Please use the options to send the results to another target to be able to view the results. ' } | ConvertTo-Json -Compress } -} -catch { +} catch { $errorMessage = $_.Exception.Message if ($task.Recurrence -gt 0) { $State = 'Failed - Planned' } else { $State = 'Failed' } Update-AzDataTableEntity @Table -Entity @{ 
@@ -36,21 +34,28 @@ catch { Results = "$errorMessage" TaskState = $State } - Write-LogMessage -API "Scheduler_UserTasks" -tenant $tenant -message "Failed to execute task $($task.Name): $errorMessage" -sev Error + Write-LogMessage -API 'Scheduler_UserTasks' -tenant $tenant -message "Failed to execute task $($task.Name): $errorMessage" -sev Error } -$TableDesign = "" -$HTML = ($results | Select-Object * -ExcludeProperty RowKey, PartitionKey | ConvertTo-Html -Fragment) -replace '', "$TableDesign
" | Out-String +$TableDesign = '' +$HTML = ($results | Select-Object * -ExcludeProperty RowKey, PartitionKey | ConvertTo-Html -Fragment) -replace '
', "$TableDesign
" | Out-String $title = "Scheduled Task $($task.Name) - $($task.ExpectedRunTime)" Write-Host $title switch -wildcard ($task.PostExecution) { - "*psa*" { Send-CIPPAlert -Type 'psa' -Title $title -HTMLContent $HTML } - "*email*" { Send-CIPPAlert -Type 'email' -Title $title -HTMLContent $HTML } - "*webhook*" { Send-CIPPAlert -Type 'webhook' -Title $title -JSONContent $($Results | ConvertTo-Json) } + '*psa*' { Send-CIPPAlert -Type 'psa' -Title $title -HTMLContent $HTML } + '*email*' { Send-CIPPAlert -Type 'email' -Title $title -HTMLContent $HTML } + '*webhook*' { + $Webhook = [PSCustomObject]@{ + 'Tenant' = $tenant + 'TaskInfo' = $QueueItem.TaskInfo + 'Results' = $Results + } + Send-CIPPAlert -Type 'webhook' -Title $title -JSONContent $($Webhook | ConvertTo-Json) + } } -Write-Host "ran the command" +Write-Host 'ran the command' if ($task.Recurrence -le '0' -or $task.Recurrence -eq $null) { Update-AzDataTableEntity @Table -Entity @{ @@ -59,10 +64,9 @@ if ($task.Recurrence -le '0' -or $task.Recurrence -eq $null) { Results = "$StoredResults" TaskState = 'Completed' } -} -else { +} else { $nextRun = (Get-Date).AddDays($task.Recurrence) - $nextRunUnixTime = [int64]($nextRun - (Get-Date "1/1/1970")).TotalSeconds + $nextRunUnixTime = [int64]($nextRun - (Get-Date '1/1/1970')).TotalSeconds Update-AzDataTableEntity @Table -Entity @{ PartitionKey = $task.PartitionKey RowKey = $task.RowKey @@ -71,4 +75,4 @@ else { ScheduledTime = "$nextRunUnixTime" } } -Write-LogMessage -API "Scheduler_UserTasks" -tenant $tenant -message "Successfully executed task: $($task.name)" -sev Info \ No newline at end of file +Write-LogMessage -API 'Scheduler_UserTasks' -tenant $tenant -message "Successfully executed task: $($task.name)" -sev Info \ No newline at end of file From f9bfd522b4bc3abb1134db3cc40fdcaf26c287fb Mon Sep 17 00:00:00 2001 
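Review bot: In the new `'*webhook*'` branch, `$Webhook | ConvertTo-Json` uses ConvertTo-Json's default depth of 2, but the payload now nests the task output one level deeper (Webhook → Results → properties), so result objects with nested members will be flattened to type-name strings in the webhook body; the stored-results path earlier in this file serialises the same data with `-Depth 20`, so the two representations will disagree. Use `Send-CIPPAlert -Type 'webhook' -Title $title -JSONContent ($Webhook | ConvertTo-Json -Depth 20)`. `Write-Host 'ran the command'` is also emitted twice in this file (once in the @@ -6 hunk, once here), which reads like a leftover.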
From: KelvinTegelaar Date: Mon, 9 Oct 2023 00:12:50 +0200 Subject: [PATCH 10/79] Added settings page and offboarding defaults --- ExecUserSettings/function.json | 18 +++++++++++ GraphHelper.psm1 | 1 + ListUserSettings/function.json | 18 +++++++++++ .../Entrypoints/Invoke-ExecUserSettings.ps1 | 32 +++++++++++++++++++ .../Entrypoints/Invoke-ListUserSettings.ps1 | 28 ++++++++++++++++ 5 files changed, 97 insertions(+) create mode 100644 ExecUserSettings/function.json create mode 100644 ListUserSettings/function.json create mode 100644 Modules/CIPPCore/Public/Entrypoints/Invoke-ExecUserSettings.ps1 create mode 100644 Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserSettings.ps1 diff --git a/ExecUserSettings/function.json b/ExecUserSettings/function.json new file mode 100644 index 0000000000000..bf6c3ef0c49a3 --- /dev/null +++ b/ExecUserSettings/function.json @@ -0,0 +1,18 @@ +{ + "scriptFile": "../Modules/CippEntryPoints/CippEntryPoints.psm1", + "entryPoint": "Receive-CippHttpTrigger", + "bindings": [ + { + "authLevel": "anonymous", + "type": "httpTrigger", + "direction": "in", + "name": "Request", + "methods": ["get", "post"] + }, + { + "type": "http", + "direction": "out", + "name": "Response" + } + ] +} diff --git a/GraphHelper.psm1 b/GraphHelper.psm1 index 7cf967bd4c6d6..5e7789cfa0aca 100644 --- a/GraphHelper.psm1 +++ b/GraphHelper.psm1 @@ -32,6 +32,7 @@ function Get-NormalizedError { '*AppLifecycle_2210*' { 'Failed to call Intune APIs: Does the tenant have a license available?' } '*One or more added object references already exist for the following modified properties:*' { 'This user is already a member of this group.' } '*Microsoft.Exchange.Management.Tasks.MemberAlreadyExistsException*' { 'This user is already a member of this group.' } + '*The property value exceeds the maximum allowed size (64KB)*' { 'One of the values exceeds the maximum allowed size (64KB).' } Default { $message } } 
diff --git a/ListUserSettings/function.json b/ListUserSettings/function.json
new file mode 100644
index 0000000000000..bf6c3ef0c49a3
--- /dev/null
+++ b/ListUserSettings/function.json
@@ -0,0 +1,18 @@
+{
+ "scriptFile": "../Modules/CippEntryPoints/CippEntryPoints.psm1",
+ "entryPoint": "Receive-CippHttpTrigger",
+ "bindings": [
+ {
+ "authLevel": "anonymous",
+ "type": "httpTrigger",
+ "direction": "in",
+ "name": "Request",
+ "methods": ["get", "post"]
+ },
+ {
+ "type": "http",
+ "direction": "out",
+ "name": "Response"
+ }
+ ]
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecUserSettings.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecUserSettings.ps1
new file mode 100644
index 0000000000000..7c2f56081eafc
--- /dev/null
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecUserSettings.ps1
@@ -0,0 +1,32 @@
+using namespace System.Net
+
+function Invoke-ExecUserSettings {
+ param($Request, $TriggerMetadata)
+
+ $APIName = $TriggerMetadata.FunctionName
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+
+ try {
+ $object = $request.body.currentSettings | Select-Object * -ExcludeProperty CurrentTenant, pageSizes, sidebarShow, sidebarUnfoldable, _persist | ConvertTo-Json -Compress
+ $Table = Get-CippTable -tablename 'UserSettings'
+ $Table.Force = $true
+ Add-AzDataTableEntity @Table -Entity @{
+ JSON = "$object"
+ RowKey = "$($Request.body.user)"
+ PartitionKey = "UserSettings"
+ }
+ $StatusCode = [HttpStatusCode]::OK
+ $Results = [pscustomobject]@{"Results" = "Successfully added user settings" }
+ }
+ catch {
+ $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
+ $Results = "Function Error: $ErrorMsg"
+ $StatusCode = [HttpStatusCode]::BadRequest
+ }
+ # Associate values to output bindings by calling 'Push-OutputBinding'.
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = $StatusCode
+ Body = @($Results)
+ })
+
+}
\ No newline at end of file
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserSettings.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserSettings.ps1
new file mode 100644
index 0000000000000..be2a948cfa9c7
--- /dev/null
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserSettings.ps1
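Review bot: `RowKey = "$($Request.body.user)"` stores the settings under a user name taken from the request body, while the sibling Invoke-ListUserSettings in this commit derives the caller's identity from the `x-ms-client-principal` header. Unless something in front of this function (outside the diff) enforces that body.user matches the principal, any caller that reaches this endpoint can overwrite another user's row, including the `allUsers` row that the list endpoint prefers over the per-user row and then serves to everyone. Derive the key the same way the list function does, `$username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json).userDetails` and `RowKey = "$username"`, and gate writes to `allUsers` on an admin role; a comment like `# RowKey is the caller's identity from the principal header, never from the body` would record the invariant. There is also no size check on `$object` before Add-AzDataTableEntity, which is presumably why the 64KB message was added to Get-NormalizedError in this same commit — a 400 with that message is acceptable, but a comment here should say that is the intended handling.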
@@ -0,0 +1,28 @@
+using namespace System.Net
+
+function Invoke-ListUserSettings {
+ param($Request, $TriggerMetadata)
+
+ $APIName = $TriggerMetadata.FunctionName
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+ $username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json).userDetails
+
+ try {
+ $Table = Get-CippTable -tablename 'UserSettings'
+ $UserSettings = Get-AzDataTableEntity @Table -Filter "RowKey eq 'allUsers'"
+ if (!$UserSettings) { Get-AzDataTableEntity @Table -Filter "RowKey eq '$username'" }
+ $UserSettings = $UserSettings | Select-Object -ExpandProperty JSON | ConvertFrom-Json -Depth 10 -ErrorAction SilentlyContinue
+ $StatusCode = [HttpStatusCode]::OK
+ $Results = $UserSettings
+ }
+ catch {
+ $Results = "Function Error: $($_.Exception.Message)"
+ $StatusCode = [HttpStatusCode]::BadRequest
+ }
+ # Associate values to output bindings by calling 'Push-OutputBinding'.
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = $StatusCode
+ Body = $Results
+ })
+
+}
\ No newline at end of file
From f3068996bfd8472a9aa647130abdb04caeed37a3 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 01:21:15 +0200 Subject: [PATCH 11/79] add new tenant functionality --- AddAlert/run.ps1 | 10 +++++++--- ListAlertsQueue/run.ps1 | 1 + Scheduler_Alert/run.ps1 | 15 +++++++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/AddAlert/run.ps1 b/AddAlert/run.ps1
index 58091f3d07216..d0fba32ed6609 100644
--- a/AddAlert/run.ps1
+++ b/AddAlert/run.ps1
@@ -11,7 +11,8 @@ $Results = foreach ($Tenant in $tenants) {
 try {
 $TenantID = if ($tenant -ne 'AllTenants') {
 (get-tenants | Where-Object -Property defaultDomainName -EQ $Tenant).customerId
- } else {
+ }
+ else {
 'AllTenants'
 }
 if ($Request.body.SetAlerts) {
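Review bot: The fallback `if (!$UserSettings) { Get-AzDataTableEntity @Table -Filter "RowKey eq '$username'" }` discards its result, so when no `allUsers` row exists the per-user row is emitted to the pipeline and `$Results` stays empty; it should read `if (!$UserSettings) { $UserSettings = Get-AzDataTableEntity @Table -Filter "RowKey eq '$username'" }`. `$username` is also interpolated unescaped into the OData filter, and a single quote in `userDetails` would malform the query — doubling it first, `$username.Replace("'", "''")`, keeps the filter well-formed. Finally, the header is decoded before the `try`, so a missing or malformed `x-ms-client-principal` would throw outside the error handling and the function would return no response at all; moving that line inside the `try` keeps the failure path uniform.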
@@ -36,6 +37,7 @@ $Results = foreach ($Tenant in $tenants) { SecDefaultsUpsell = [bool]$Request.body.SecDefaultsUpsell SharePointQuota = [bool]$Request.body.SharePointQuota ExpiringLicenses = [bool]$Request.body.ExpiringLicenses + NewTenant = [bool]$QueueFile.NewTenant type = 'Alert' RowKey = $TenantID PartitionKey = 'Alert' @@ -60,7 +62,8 @@ $Results = foreach ($Tenant in $tenants) { Push-OutputBinding -Name Subscription -Value $Params } } - } else { + } + else { foreach ($eventType in $Request.body.EventTypes.value) { $params = @{ TenantFilter = $tenant @@ -76,7 +79,8 @@ $Results = foreach ($Tenant in $tenants) { } "Successfully added Alert for $($Tenant) to queue." Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Successfully added Alert for $($Tenant) to queue." -Sev 'Info' - } catch { + } + catch { Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed to add Alert for for $($Tenant) to queue" -Sev 'Error' "Failed to add Alert for for $($Tenant) to queue $($_.Exception.message)" } diff --git a/ListAlertsQueue/run.ps1 b/ListAlertsQueue/run.ps1 index 4fa36495dd12e..d00462ab9b8a3 100644 --- a/ListAlertsQueue/run.ps1 +++ b/ListAlertsQueue/run.ps1 @@ -34,6 +34,7 @@ $CurrentStandards = foreach ($QueueFile in $QueuedApps) { SecDefaultsUpsell = [bool]$QueueFile.SecDefaultsUpsell SharepointQuota = [bool]$QueueFile.SharePointQuota ExpiringLicenses = [bool]$QueueFile.ExpiringLicenses + NewTenant = [bool]$QueueFile.NewTenant tenantId = $QueueFile.tenantid } } diff --git a/Scheduler_Alert/run.ps1 b/Scheduler_Alert/run.ps1 index 524cc8c8d9931..41d5c661f72b3 100644 --- a/Scheduler_Alert/run.ps1 +++ b/Scheduler_Alert/run.ps1 
@@ -232,6 +232,21 @@ try { } } + { $_.'NewTenant' -eq $true } { + try { + $Table = Get-CIPPTable -TableName cpvtenants + $CPVRows = Get-AzDataTableEntity @Table + $AllTenants = get-tenants + $NewTenants = $AllTenants | Where-Object { $_.customerId -notin $CPVRows.Tenant + foreach ($NewTenant in $NewTenants) { + "Tenant '{0}' has been detected as a tenant without CPV consent. This could be a new tenant. ID: {1}" -f $NewTenant.displayName, $NewTenant.defaultDomainName + } + } + } + catch { + + } + } { $_.'AppSecretExpiry' -eq $true } { try { $Filter = "RowKey eq 'AppSecretExpiry' and PartitionKey eq '{0}'" -f $Tenant.tenantid From 1c5e67b8fc323fc797f5129946ca2bb2ad034de1 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 01:27:42 +0200 Subject: [PATCH 12/79] better adding of new alert --- AddAlert/run.ps1 | 1 - ListAlertsQueue/run.ps1 | 1 - Scheduler_Alert/run.ps1 | 14 -------------- UpdatePermissions/run.ps1 | 1 + 4 files changed, 1 insertion(+), 16 deletions(-) diff --git a/AddAlert/run.ps1 b/AddAlert/run.ps1 index d0fba32ed6609..991a8c7958929 100644 --- a/AddAlert/run.ps1 +++ b/AddAlert/run.ps1 @@ -37,7 +37,6 @@ $Results = foreach ($Tenant in $tenants) { SecDefaultsUpsell = [bool]$Request.body.SecDefaultsUpsell SharePointQuota = [bool]$Request.body.SharePointQuota ExpiringLicenses = [bool]$Request.body.ExpiringLicenses - NewTenant = [bool]$QueueFile.NewTenant type = 'Alert' RowKey = $TenantID PartitionKey = 'Alert' diff --git a/ListAlertsQueue/run.ps1 b/ListAlertsQueue/run.ps1 index d00462ab9b8a3..4fa36495dd12e 100644 --- a/ListAlertsQueue/run.ps1 +++ b/ListAlertsQueue/run.ps1 @@ -34,7 +34,6 @@ $CurrentStandards = foreach ($QueueFile in $QueuedApps) { SecDefaultsUpsell = [bool]$QueueFile.SecDefaultsUpsell SharepointQuota = [bool]$QueueFile.SharePointQuota ExpiringLicenses = [bool]$QueueFile.ExpiringLicenses - NewTenant = [bool]$QueueFile.NewTenant tenantId = $QueueFile.tenantid } } 
diff --git a/Scheduler_Alert/run.ps1 b/Scheduler_Alert/run.ps1 index 41d5c661f72b3..53abd9b1f41ff 100644 --- a/Scheduler_Alert/run.ps1 +++ b/Scheduler_Alert/run.ps1 @@ -232,21 +232,7 @@ try { } } - { $_.'NewTenant' -eq $true } { - try { - $Table = Get-CIPPTable -TableName cpvtenants - $CPVRows = Get-AzDataTableEntity @Table - $AllTenants = get-tenants - $NewTenants = $AllTenants | Where-Object { $_.customerId -notin $CPVRows.Tenant - foreach ($NewTenant in $NewTenants) { - "Tenant '{0}' has been detected as a tenant without CPV consent. This could be a new tenant. ID: {1}" -f $NewTenant.displayName, $NewTenant.defaultDomainName - } - } - } - catch { - } - } { $_.'AppSecretExpiry' -eq $true } { try { $Filter = "RowKey eq 'AppSecretExpiry' and PartitionKey eq '{0}'" -f $Tenant.tenantid diff --git a/UpdatePermissions/run.ps1 b/UpdatePermissions/run.ps1 index 70b088355d1c0..ce7a307dad113 100644 --- a/UpdatePermissions/run.ps1 +++ b/UpdatePermissions/run.ps1 @@ -20,6 +20,7 @@ foreach ($Row in $Tenants ) { if ($Row.customerId -notin $TenantList) { Write-Output "Not in the list: $($row.customerId)" + Write-LogMessage -message "A New tenant has been added: $($row.defaultDomainName) with id $($row.customerId)" -Sev "Warn" -API "NewTenant" Push-OutputBinding -Name Msg -Value $row.customerId continue From 51dd9b735fba8ff88085ea28c3c29a88911f9348 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 01:33:05 +0200 Subject: [PATCH 13/79] added troubleshooting for halo API --- Modules/CippExtensions/Private/New-HaloPSATicket.ps1 | 4 ++++ Modules/CippExtensions/Public/New-CippExtAlert.ps1 | 3 +++ 2 files changed, 7 insertions(+) diff --git a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 index c7035417428b1..256ab72104599 100644 --- a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 +++ b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 
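Review bot: The new `Write-LogMessage` call in UpdatePermissions omits `-tenant`, so the log row is written with the function's default of `'None'` even though `$row.defaultDomainName` is already known and placed in the message; passing `-tenant $row.defaultDomainName` keeps the entry filterable per tenant like the other calls on this page. The enclosing foreach body continues outside the hunk.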
@@ -33,6 +33,10 @@ function New-HaloPSATicket { } ] "@ + + Write-Host "Sending ticket to HaloPSA" + Write-Host $body + Invoke-RestMethod -Uri "$($Configuration.ResourceURL)/Tickets" -ContentType 'application/json' -Method Post -Body $body -Headers @{Authorization = "Bearer $($token.access_token)" } } \ No newline at end of file diff --git a/Modules/CippExtensions/Public/New-CippExtAlert.ps1 b/Modules/CippExtensions/Public/New-CippExtAlert.ps1 index 55a7d43e3ab52..905084be8f529 100644 --- a/Modules/CippExtensions/Public/New-CippExtAlert.ps1 +++ b/Modules/CippExtensions/Public/New-CippExtAlert.ps1 @@ -14,8 +14,11 @@ function New-CippExtAlert { "HaloPSA" { If ($Configuration.HaloPSA.enabled) { $TenantId = (Get-Tenants | Where-Object defaultDomainName -EQ $Alert.TenantId).customerId + Write-Host "TenantId: $TenantId" $MappedId = ($MappingFile | Where-Object RowKey -EQ $TenantId).HaloPSA + Write-Host "MappedId: $MappedId" if (!$mappedId) { $MappedId = 1 } + Write-Host "MappedId: $MappedId" New-HaloPSATicket -Title $Alert.AlertTitle -Description $Alert.AlertText -Client $mappedId } } From dcf3cb70b7ba2a4f8122eaa8677862b6f4bca75f Mon Sep 17 00:00:00 2001 From: Yoshify Date: Mon, 9 Oct 2023 07:47:31 +1000 Subject: [PATCH 14/79] Add tenantid param to Write-LogMessage in GraphHelper.psm1 --- GraphHelper.psm1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/GraphHelper.psm1 b/GraphHelper.psm1 index 5e7789cfa0aca..3d3a02b9904e3 100644 --- a/GraphHelper.psm1 +++ b/GraphHelper.psm1 @@ -117,7 +117,7 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $refreshToken, $Retur } } -function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $user, $sev) { +function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $tenantId = 'None', $user, $sev) { try { $username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($user)) | ConvertFrom-Json).userDetails } 
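Review bot: `Write-Host $body` writes the complete ticket payload — including `details_html`, i.e. the alert text — into the function host log on every call, so alert content now lives in a second place with its own retention; if the line is needed for troubleshooting, gate it behind a verbose switch or log only the destination and size, e.g. `Write-Verbose "Sending ticket to HaloPSA ($($body.Length) chars)"`. The New-CippExtAlert hunk in this same commit prints `MappedId` both before and after the default is applied, so the first `Write-Host "MappedId: $MappedId"` is redundant. New-HaloPSATicket's body starts outside the hunk.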
@@ -136,6 +136,7 @@ function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $user, $se $PartitionKey = (Get-Date -UFormat '%Y%m%d').ToString() $TableRow = @{ 'Tenant' = [string]$tenant + 'TenantID' = [string]$tenantId 'API' = [string]$API 'Message' = [string]$message 'Username' = [string]$username From 364bdbd8922d18902a325fce0b1f82709a27beac Mon Sep 17 00:00:00 2001 From: Yoshify Date: Mon, 9 Oct 2023 07:48:51 +1000 Subject: [PATCH 15/79] Pass $Tenant.tenantid to $ShippedAlerts in Scheduler_Alert/run.ps1 --- Scheduler_Alert/run.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scheduler_Alert/run.ps1 b/Scheduler_Alert/run.ps1 index 53abd9b1f41ff..8200da2479e96 100644 --- a/Scheduler_Alert/run.ps1 +++ b/Scheduler_Alert/run.ps1 @@ -379,7 +379,7 @@ try { $ShippedAlerts | ForEach-Object { if ($_ -notin $currentlog.Message) { - Write-LogMessage -message $_ -API 'Alerts' -tenant $tenant.tenant -sev Alert + Write-LogMessage -message $_ -API 'Alerts' -tenant $tenant.tenant -sev Alert -tenantid $Tenant.tenantid } } [PSCustomObject]@{ From 484805ea8092b733475a7cad97bd55bb92d6a412 Mon Sep 17 00:00:00 2001 From: Yoshify Date: Mon, 9 Oct 2023 09:57:10 +1000 Subject: [PATCH 16/79] Add includeTenantId to NotificationConfig --- ExecNotificationConfig/run.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/ExecNotificationConfig/run.ps1 b/ExecNotificationConfig/run.ps1 index 959818c8b5356..e4cbc4066c970 100644 --- a/ExecNotificationConfig/run.ps1 +++ b/ExecNotificationConfig/run.ps1 @@ -22,6 +22,7 @@ $results = try { 'webhook' = "$($Request.Body.Webhook)" 'onePerTenant' = [boolean]$Request.Body.onePerTenant 'sendtoIntegration' = [boolean]$Request.Body.sendtoIntegration + 'includeTenantId' = [boolean]$Request.Body.includeTenantId 'PartitionKey' = 'CippNotifications' 'RowKey' = 'CippNotifications' } From 5bace87720edf1f68b0a6637b8af724e37cef6bd Mon Sep 17 00:00:00 2001 
From: Yoshify Date: Mon, 9 Oct 2023 09:57:51 +1000 Subject: [PATCH 17/79] Use Config in alerts to optionally send tenant ID if includeTenantId is true --- Scheduler_Alert/run.ps1 | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Scheduler_Alert/run.ps1 b/Scheduler_Alert/run.ps1 index 8200da2479e96..aeb7ea354d982 100644 --- a/Scheduler_Alert/run.ps1 +++ b/Scheduler_Alert/run.ps1 @@ -11,6 +11,9 @@ try { } $Alerts = Get-AzDataTableEntity @Table -Filter $Filter + $ConfigFilter = "RowKey eq 'CippNotifications' and PartitionKey eq 'CippNotifications'" + $Config = [pscustomobject](Get-AzDataTableEntity @Table -Filter $ConfigFilter) + $DeltaTable = Get-CIPPTable -Table DeltaCompare $LastRunTable = Get-CIPPTable -Table AlertLastRun @@ -379,7 +382,12 @@ try { $ShippedAlerts | ForEach-Object { if ($_ -notin $currentlog.Message) { - Write-LogMessage -message $_ -API 'Alerts' -tenant $tenant.tenant -sev Alert -tenantid $Tenant.tenantid + if ($Config.includeTenantId) { + Write-LogMessage -message $_ -API 'Alerts' -tenant $tenant.tenant -sev Alert -tenantid $Tenant.tenantid + } + else { + Write-LogMessage -message $_ -API 'Alerts' -tenant $tenant.tenant -sev Alert + } } } [PSCustomObject]@{ From 79a31c8caed934b9061a8c8d3b9125ae5f5dd13e Mon Sep 17 00:00:00 2001 From: Yoshify Date: Mon, 9 Oct 2023 10:39:27 +1000 Subject: [PATCH 18/79] Make $tenantId param null by default, only include in alert if it's not null --- GraphHelper.psm1 | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/GraphHelper.psm1 b/GraphHelper.psm1 index 3d3a02b9904e3..1171c4449e0ab 100644 --- a/GraphHelper.psm1 +++ b/GraphHelper.psm1 
@@ -117,7 +117,7 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $refreshToken, $Retur } } -function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $tenantId = 'None', $user, $sev) { +function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $tenantId = $null, $user, $sev) { try { $username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($user)) | ConvertFrom-Json).userDetails } @@ -145,6 +145,12 @@ function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $tenantId 'PartitionKey' = $PartitionKey 'RowKey' = ([guid]::NewGuid()).ToString() } + + if($tenantId) + { + $TableRow.Add('TenantID', [string]$tenantId) + } + $Table.Entity = $TableRow Add-AzDataTableEntity @Table | Out-Null } From 9b54aacf3615636f8a5b0276592d4fa20312476e Mon Sep 17 00:00:00 2001 From: Yoshify Date: Mon, 9 Oct 2023 12:31:04 +1000 Subject: [PATCH 19/79] Update ListNotificationConfig to exclude includeTenantId --- ListNotificationConfig/run.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ListNotificationConfig/run.ps1 b/ListNotificationConfig/run.ps1 index 82e382843126c..bf04ba1c990bf 100644 --- a/ListNotificationConfig/run.ps1 +++ b/ListNotificationConfig/run.ps1 
@@ -15,7 +15,7 @@ if ($Config) { $Config = @{} } #$config | Add-Member -NotePropertyValue @() -NotePropertyName 'logsToInclude' -Force -$config.logsToInclude = @(([pscustomobject]$config | Select-Object * -ExcludeProperty schedule, type, tenantid, onepertenant, sendtoIntegration, partitionkey, rowkey, tenant, ETag, email, logsToInclude, Severity, Alert, Info, Error, timestamp, webhook).psobject.properties.name) +$config.logsToInclude = @(([pscustomobject]$config | Select-Object * -ExcludeProperty schedule, type, tenantid, onepertenant, sendtoIntegration, partitionkey, rowkey, tenant, ETag, email, logsToInclude, Severity, Alert, Info, Error, timestamp, webhook includeTenantId).psobject.properties.name) if (!$config.logsToInclude) { $config.logsToInclude = @('None') } From 678197661495fcac31d59b2423f3b709c9d22768 Mon Sep 17 00:00:00 2001 From: Yoshify Date: Mon, 9 Oct 2023 13:28:10 +1000 Subject: [PATCH 20/79] Ensure TenantID isn't included in alert by default (regression from prior merge) --- GraphHelper.psm1 | 1 - 1 file changed, 1 deletion(-) diff --git a/GraphHelper.psm1 b/GraphHelper.psm1 index 1171c4449e0ab..60d78dbebe0a7 100644 --- a/GraphHelper.psm1 +++ b/GraphHelper.psm1 @@ -136,7 +136,6 @@ function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $tenantId $PartitionKey = (Get-Date -UFormat '%Y%m%d').ToString() $TableRow = @{ 'Tenant' = [string]$tenant - 'TenantID' = [string]$tenantId 'API' = [string]$API 'Message' = [string]$message 'Username' = [string]$username From d62026e0e1c1ae35f7b6be63cef046f3c58344e7 Mon Sep 17 00:00:00 2001 From: Yoshify Date: Mon, 9 Oct 2023 13:29:59 +1000 Subject: [PATCH 21/79] Formatting, added missing comma. --- ListNotificationConfig/run.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ListNotificationConfig/run.ps1 b/ListNotificationConfig/run.ps1 index bf04ba1c990bf..a33c2f38c3baa 100644 --- a/ListNotificationConfig/run.ps1 +++ b/ListNotificationConfig/run.ps1 
@@ -15,7 +15,7 @@ if ($Config) { $Config = @{} } #$config | Add-Member -NotePropertyValue @() -NotePropertyName 'logsToInclude' -Force -$config.logsToInclude = @(([pscustomobject]$config | Select-Object * -ExcludeProperty schedule, type, tenantid, onepertenant, sendtoIntegration, partitionkey, rowkey, tenant, ETag, email, logsToInclude, Severity, Alert, Info, Error, timestamp, webhook includeTenantId).psobject.properties.name) +$config.logsToInclude = @(([pscustomobject]$config | Select-Object * -ExcludeProperty schedule, type, tenantid, onepertenant, sendtoIntegration, partitionkey, rowkey, tenant, ETag, email, logsToInclude, Severity, Alert, Info, Error, timestamp, webhook, includeTenantId).psobject.properties.name) if (!$config.logsToInclude) { $config.logsToInclude = @('None') } From 4a5091bedd320f4d10476774b570f43607d40a7a Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 11:16:09 +0200 Subject: [PATCH 22/79] use actual object that gets converted instead of native json. --- .../Private/New-HaloPSATicket.ps1 | 40 +++++++++---------- 1 file changed, 18 insertions(+), 22 deletions(-) diff --git a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 index 256ab72104599..95883934e17d8 100644 --- a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 +++ b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 
@@ -11,28 +11,24 @@ function New-HaloPSATicket { $token = Get-HaloToken -configuration $Configuration #use the token to create a new ticket in HaloPSA - $body = @" -[ - { - "files": null, - "usertype": 1, - "userlookup": { - "id": -1, - "lookupdisplay": "Enter Details Manually" - }, - "client_id": $client, - "site_id": null, - "user_name": null, - "reportedby": null, - "summary": "$($title)", - "details_html": "$description", - "donotapplytemplateintheapi": true, - "attachments": [ - - ] - } -] -"@ + $body = ConvertTo-Json -Compress -Depth 10 -InputObject @( + [PSCustomObject]@{ + files = $null + usertype = 1 + userlookup = @{ + id = -1 + lookupdisplay = "Enter Details Manually" + } + client_id = $client + site_id = $null + user_name = $null + reportedby = $null + summary = $title + details_html = $description + donotapplytemplateintheapi = $true + attachments = @() + } + ) Write-Host "Sending ticket to HaloPSA" Write-Host $body From 69a2b3bb01ab7b2d29525b13e6bcc1a63a37921b Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 12:10:26 +0200 Subject: [PATCH 23/79] added temporary write host --- Modules/CippExtensions/Private/New-HaloPSATicket.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 index 95883934e17d8..cc9010ef40480 100644 --- a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 +++ b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 
@@ -33,6 +33,8 @@ function New-HaloPSATicket { Write-Host "Sending ticket to HaloPSA" Write-Host $body - Invoke-RestMethod -Uri "$($Configuration.ResourceURL)/Tickets" -ContentType 'application/json' -Method Post -Body $body -Headers @{Authorization = "Bearer $($token.access_token)" } + $Ticket = Invoke-RestMethod -SkipHttpErrorCheck -Uri "$($Configuration.ResourceURL)/Tickets" -ContentType 'application/json' -Method Post -Body $body -Headers @{Authorization = "Bearer $($token.access_token)" } + Write-Host $ticket + } \ No newline at end of file From a528d17ccaa5b550b13523354beb6dd6a55dc766 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 12:13:41 +0200 Subject: [PATCH 24/79] forgot conversion --- Modules/CippExtensions/Private/New-HaloPSATicket.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 index cc9010ef40480..988efcd90933d 100644 --- a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 +++ b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 @@ -34,7 +34,7 @@ function New-HaloPSATicket { Write-Host $body $Ticket = Invoke-RestMethod -SkipHttpErrorCheck -Uri "$($Configuration.ResourceURL)/Tickets" -ContentType 'application/json' -Method Post -Body $body -Headers @{Authorization = "Bearer $($token.access_token)" } - Write-Host $ticket + Write-Host ($ticket | ConvertTo-Json) } \ No newline at end of file From 730b58ad74bc7c36c70123bcde8ac8a7de298e55 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 12:46:31 +0200 Subject: [PATCH 25/79] testing --- Modules/CippExtensions/Private/New-HaloPSATicket.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 index 988efcd90933d..7512162b212b9 100644 --- a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 
+++ b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 @@ -11,7 +11,7 @@ function New-HaloPSATicket { $token = Get-HaloToken -configuration $Configuration #use the token to create a new ticket in HaloPSA - $body = ConvertTo-Json -Compress -Depth 10 -InputObject @( + $body = ConvertTo-Json -EscapeHandling EscapeHtml -Compress -Depth 10 -InputObject @( [PSCustomObject]@{ files = $null usertype = 1 From 0efc4cedc5abde533c4bf02f074798b5ea5edbea Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 13:07:32 +0200 Subject: [PATCH 26/79] adding forced charset --- Modules/CippExtensions/Private/New-HaloPSATicket.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 index 7512162b212b9..1b8975168fc8d 100644 --- a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 +++ b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 @@ -11,7 +11,7 @@ function New-HaloPSATicket { $token = Get-HaloToken -configuration $Configuration #use the token to create a new ticket in HaloPSA - $body = ConvertTo-Json -EscapeHandling EscapeHtml -Compress -Depth 10 -InputObject @( + $body = ConvertTo-Json -Compress -Depth 10 -InputObject @( [PSCustomObject]@{ files = $null usertype = 1 @@ -33,7 +33,7 @@ function New-HaloPSATicket { Write-Host "Sending ticket to HaloPSA" Write-Host $body - $Ticket = Invoke-RestMethod -SkipHttpErrorCheck -Uri "$($Configuration.ResourceURL)/Tickets" -ContentType 'application/json' -Method Post -Body $body -Headers @{Authorization = "Bearer $($token.access_token)" } + $Ticket = Invoke-RestMethod -SkipHttpErrorCheck -Uri "$($Configuration.ResourceURL)/Tickets" -ContentType 'application/json; charset=utf-8' -Method Post -Body $body -Headers @{Authorization = "Bearer $($token.access_token)" } Write-Host ($ticket | ConvertTo-Json) From d76ba8a51771f4b0d117f77bc04bfd823d77d185 Mon Sep 17 00:00:00 2001 
From: KelvinTegelaar Date: Mon, 9 Oct 2023 13:14:23 +0200 Subject: [PATCH 27/79] removed skip error check --- Modules/CippExtensions/Private/New-HaloPSATicket.ps1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 index 1b8975168fc8d..ada78c4b377e9 100644 --- a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 +++ b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 @@ -33,8 +33,7 @@ function New-HaloPSATicket { Write-Host "Sending ticket to HaloPSA" Write-Host $body - $Ticket = Invoke-RestMethod -SkipHttpErrorCheck -Uri "$($Configuration.ResourceURL)/Tickets" -ContentType 'application/json; charset=utf-8' -Method Post -Body $body -Headers @{Authorization = "Bearer $($token.access_token)" } - Write-Host ($ticket | ConvertTo-Json) + $Ticket = Invoke-RestMethod -Uri "$($Configuration.ResourceURL)/Tickets" -ContentType 'application/json; charset=utf-8' -Method Post -Body $body -Headers @{Authorization = "Bearer $($token.access_token)" } } \ No newline at end of file From c041a70939363290825305b03e291f4f258f59b7 Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Mon, 9 Oct 2023 13:20:15 +0100 Subject: [PATCH 28/79] Add or update the Azure App Service build and deployment workflow config --- .github/workflows/dev_cippexdyr.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/dev_cippexdyr.yml diff --git a/.github/workflows/dev_cippexdyr.yml b/.github/workflows/dev_cippexdyr.yml new file mode 100644 index 0000000000000..260977a37c4e3 --- /dev/null +++ b/.github/workflows/dev_cippexdyr.yml 
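Review bot: `$Ticket` is assigned from `Invoke-RestMethod` but neither returned nor used, so the response (and any ticket identifier HaloPSA hands back) is lost, while the `Write-Host $body` above it still dumps the full request payload to the host log; either `return $Ticket` so the caller can record the ticket, or drop the assignment. Removing `-SkipHttpErrorCheck` is the right direction, since a non-2xx response now surfaces as an error to the caller instead of being printed and swallowed. The function's body starts outside the hunk.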
@@ -0,0 +1,29 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippexdyr
+
+on:
+ push:
+ branches:
+ - dev
+ workflow_dispatch:
+
+env:
+ AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+ build-and-deploy:
+ runs-on: windows-latest
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v2
+
+ - name: 'Run Azure Functions Action'
+ uses: Azure/functions-action@v1
+ id: fa
+ with:
+ app-name: 'cippexdyr'
+ slot-name: 'Production'
+ package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+ publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_E034296DFC754683A45A6A9B4B8E4382 }}
From d64c9427b9128d7939ff1f039d4c3350aecabff2 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 23:11:42 +0200 Subject: [PATCH 29/79] Added option for no tenant --- Modules/CippExtensions/Private/Get-HaloToken.ps1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Modules/CippExtensions/Private/Get-HaloToken.ps1 b/Modules/CippExtensions/Private/Get-HaloToken.ps1
index 4bce007974919..9e3bc5434e418 100644
--- a/Modules/CippExtensions/Private/Get-HaloToken.ps1
+++ b/Modules/CippExtensions/Private/Get-HaloToken.ps1
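Review bot: Both steps reference their actions by mutable tags (`actions/checkout@v2`, `Azure/functions-action@v1`) in a workflow that deploys to the `Production` slot with a publish-profile secret on every push to `dev`, so a moved tag silently changes what runs with that secret; pin each `uses:` to a full commit SHA with the version in a trailing comment, and note that `checkout@v2` is a superseded major that should move to the current release. The job also inherits the default `GITHUB_TOKEN` scope; adding a top-level `permissions:` block with `contents: read` keeps it minimal, since nothing here needs write access to the repository.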
@@ -11,7 +11,8 @@ function Get-HaloToken { client_secret = (Get-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name 'HaloPSA' -AsPlainText) scope = 'all' } - $token = Invoke-RestMethod -Uri "$($Configuration.AuthURL)/token?tenant=$($Configuration.tenant)" -Method Post -Body $body -ContentType 'application/x-www-form-urlencoded' + if ($Configuration.tenant) { $Tenant = "?tenant=$($Configuration.tenant)"} + $token = Invoke-RestMethod -Uri "$($Configuration.AuthURL)/token$Tenant" -Method Post -Body $body -ContentType 'application/x-www-form-urlencoded' return $token } else { throw 'No Halo configuration' From 10eb7d0379fc3eaa6e43c8f71abaf95d714ad5e2 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 9 Oct 2023 23:11:56 +0200 Subject: [PATCH 30/79] Added skip tenant cache --- GraphHelper.psm1 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/GraphHelper.psm1 b/GraphHelper.psm1 index 60d78dbebe0a7..088db40df1066 100644 --- a/GraphHelper.psm1 +++ b/GraphHelper.psm1 @@ -38,7 +38,7 @@ function Get-NormalizedError { } } -function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $refreshToken, $ReturnRefresh) { +function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $refreshToken, $ReturnRefresh, $SkipCache) { if (!$scope) { $scope = 'https://graph.microsoft.com/.default' } if (!$env:SetFromProfile) { $CIPPAuth = Get-CIPPAuthentication; Write-Host 'Could not get Refreshtoken from environment variable. Reloading token.' } $AuthBody = @{ 
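Review bot: `$Tenant` is only assigned inside the `if`, so when `$Configuration.tenant` is empty the interpolation `/token$Tenant` resolves `$Tenant` from whatever calling scope defined it (PowerShell reads unassigned variables from parent scopes), and elsewhere on this page `$Tenant` is a loop variable holding a tenant object, which would then be stringified onto the token URL; initialise it first, `$Tenant = ''`, or use a less generic local name. The configured value is also placed into the query string unencoded; `"?tenant=$([uri]::EscapeDataString($Configuration.tenant))"` keeps the URL well-formed. Get-HaloToken's body continues outside the hunk.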
@@ -71,7 +71,7 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $refreshToken, $Retur $TokenKey = '{0}-{1}-{2}' -f $tenantid, $scope, $asApp try { - if ($script:AccessTokens.$TokenKey -and [int](Get-Date -UFormat %s -Millisecond 0) -lt $script:AccessTokens.$TokenKey.expires_on) { + if ($script:AccessTokens.$TokenKey -and [int](Get-Date -UFormat %s -Millisecond 0) -lt $script:AccessTokens.$TokenKey.expires_on -and $SkipCache -ne $true) { Write-Host 'Graph: cached token' $AccessToken = $script:AccessTokens.$TokenKey } @@ -145,8 +145,7 @@ function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $tenantId 'RowKey' = ([guid]::NewGuid()).ToString() } - if($tenantId) - { + if ($tenantId) { $TableRow.Add('TenantID', [string]$tenantId) } @@ -162,6 +161,7 @@ function New-GraphGetRequest { $AsApp, $noPagination, $NoAuthCheck, + $skipTokenCache, [switch]$ComplexFilter, [switch]$CountOnly ) @@ -172,7 +172,7 @@ function New-GraphGetRequest { $headers = @{ Authorization = "Bearer $($AccessToken.access_token)" } } else { - $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp + $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp -SkipCache $skipTokenCache } if ($ComplexFilter) { @@ -225,9 +225,9 @@ function New-GraphGetRequest { } } -function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck) { +function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck, $skipTokenCache) { if ($NoAuthCheck -or (Get-AuthorisedRequest -Uri $uri -TenantID $tenantid)) { - $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp + $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp -SkipCache $skipTokenCache Write-Verbose "Using $($uri) as url" if (!$type) { $type = 'POST' From 6a122a0eef9859a5d0c4f0a72746d994c1af84df Mon Sep 17 00:00:00 2001 
From: John Duprey Date: Mon, 9 Oct 2023 19:44:24 -0400 Subject: [PATCH 31/79] Update Invoke-CIPPWebhookProcessing.ps1 Add Table to service principal alerts --- Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 index cb94ab15221e2..2b7b6e29621f1 100644 --- a/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 +++ b/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 @@ -172,6 +172,7 @@ function Invoke-CippWebhookProcessing { 'Add service principal.' { if ($Appname) { $AppName = $AppName.'Application Name' } else { $appName = $data.ApplicationId } $Title = "$($TenantFilter) - Service Principal $($data.ObjectId) has been added." + $Table = ($data.ModifiedProperties | ConvertTo-Html -Fragment | Out-String).Replace('
', '
') $IntroText = "$($data.ObjectId) has been added by $($data.UserId)." $ButtonUrl = "$CIPPPURL/tenant/administration/enterprise-apps?customerId=?customerId=$($data.OrganizationId)" $ButtonText = 'Enterprise Apps' @@ -179,6 +180,7 @@ function Invoke-CippWebhookProcessing { 'Remove service principal.' { if ($Appname) { $AppName = $AppName.'Application Name' } else { $appName = $data.ApplicationId } $Title = "$($TenantFilter) - Service Principal $($data.ObjectId) has been removed." + $Table = ($data.ModifiedProperties | ConvertTo-Html -Fragment | Out-String).Replace('
', '
') $IntroText = "$($data.ObjectId) has been added by $($data.UserId)." $ButtonUrl = "$CIPPPURL/tenant/administration/enterprise-apps?customerId=?customerId=$($data.OrganizationId)" $ButtonText = 'Enterprise Apps' From acef60d6c459c169a0fc44c6d4e93e82ab00bd8b Mon Sep 17 00:00:00 2001 From: John Duprey Date: Mon, 9 Oct 2023 19:53:44 -0400 Subject: [PATCH 32/79] Move GraphRequests to CIPPCore --- .../Private/Get-StringHash.ps1 | 0 .../Public/Entrypoints/Invoke-ListGraphRequest.ps1 | 0 .../Entrypoints/Push-ListGraphRequestQueue.ps1 | 0 .../Public/GraphRequests}/Get-GraphRequestList.ps1 | 0 Modules/GraphRequests/GraphRequests.psm1 | 12 ------------ 5 files changed, 12 deletions(-) rename Modules/{GraphRequests => CIPPCore}/Private/Get-StringHash.ps1 (100%) rename Modules/{GraphRequests => CIPPCore}/Public/Entrypoints/Invoke-ListGraphRequest.ps1 (100%) rename Modules/{GraphRequests => CIPPCore}/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 (100%) rename Modules/{GraphRequests/Public/Core Functions => CIPPCore/Public/GraphRequests}/Get-GraphRequestList.ps1 (100%) delete mode 100644 Modules/GraphRequests/GraphRequests.psm1 diff --git a/Modules/GraphRequests/Private/Get-StringHash.ps1 b/Modules/CIPPCore/Private/Get-StringHash.ps1 similarity index 100% rename from Modules/GraphRequests/Private/Get-StringHash.ps1 rename to Modules/CIPPCore/Private/Get-StringHash.ps1 diff --git a/Modules/GraphRequests/Public/Entrypoints/Invoke-ListGraphRequest.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 similarity index 100% rename from Modules/GraphRequests/Public/Entrypoints/Invoke-ListGraphRequest.ps1 rename to Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 
diff --git a/Modules/GraphRequests/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 similarity index 100% rename from Modules/GraphRequests/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 rename to Modules/CIPPCore/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 diff --git a/Modules/GraphRequests/Public/Core Functions/Get-GraphRequestList.ps1 b/Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1 similarity index 100% rename from Modules/GraphRequests/Public/Core Functions/Get-GraphRequestList.ps1 rename to Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1 diff --git a/Modules/GraphRequests/GraphRequests.psm1 b/Modules/GraphRequests/GraphRequests.psm1 deleted file mode 100644 index 12f13762d19cb..0000000000000 --- a/Modules/GraphRequests/GraphRequests.psm1 +++ /dev/null @@ -1,12 +0,0 @@ -$Public = @(Get-ChildItem -Path $PSScriptRoot\Public\*.ps1 -Recurse -ErrorAction SilentlyContinue) -$Private = @(Get-ChildItem -Path $PSScriptRoot\private\*.ps1 -Recurse -ErrorAction SilentlyContinue) -$Functions = $Public + $Private -foreach ($import in @($Functions)) { - try { - . $import.FullName - } catch { - Write-Error -Message "Failed to import function $($import.FullName): $_" - } -} - -Export-ModuleMember -Function $Public.BaseName -Alias * From 8018f930618ef6ee38299ab83e443cb13b724516 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Mon, 9 Oct 2023 20:14:52 -0400 Subject: [PATCH 33/79] Update profile.ps1 --- profile.ps1 | 1 - 1 file changed, 1 deletion(-) diff --git a/profile.ps1 b/profile.ps1 index 2ab564b829022..056111747b680 100644 --- a/profile.ps1 +++ b/profile.ps1 @@ -18,7 +18,6 @@ try { try { Import-Module Az.Accounts } catch { $_.Exception.Message } -Import-Module GraphRequests Import-Module CippExtensions Import-Module CippCore From e3c76ea337ef016bde2e48741ff76ed028a38edf Mon Sep 17 00:00:00 2001 
From: John Duprey Date: Mon, 9 Oct 2023 21:25:13 -0400 Subject: [PATCH 34/79] Invoke-ListGraphRequest Update - Move queue message to metadata --- .../Entrypoints/Invoke-ListGraphRequest.ps1 | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 index c1ff835fc18d8..e36bbe85eb338 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 @@ -86,8 +86,21 @@ function Invoke-ListGraphRequest { } Write-Host ($GraphRequestParams | ConvertTo-Json) + + $Metadata = $GraphRequestParams + try { - $GraphRequestData = Get-GraphRequestList @GraphRequestParams + $Results = Get-GraphRequestList @GraphRequestParams + if ($Results.Queued -eq $true) { + $Metadata.Queued = $Results.Queued + $Metadata.QueueMessage = $Results.QueueMessage + $Metadata.QueuedId = $Results.QueueId + $Results = @() + } + $GraphRequestData = [PSCustomObject]@{ + Results = @($Results) + Metadata = $Metadata + } $StatusCode = [HttpStatusCode]::OK } catch { $GraphRequestData = "Graph Error: $($_.Exception.Message) - Endpoint: $($Request.Query.Endpoint)" @@ -96,6 +109,6 @@ function Invoke-ListGraphRequest { Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ StatusCode = $StatusCode - Body = @($GraphRequestData) + Body = $GraphRequestData | ConvertTo-Json -Depth 20 -Compress }) } \ No newline at end of file From b2473dfd7edf5598b19b2a6336bae8c470a0afa0 Mon Sep 17 00:00:00 2001 
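Review bot: `$Metadata = $GraphRequestParams` copies a reference, not the table, so the three `$Metadata.Queued*` assignments in the added block also mutate `$GraphRequestParams`, and the response now echoes every splatted parameter back to the caller; take a copy with `$Metadata = $GraphRequestParams.Clone()` (assuming it is a hashtable, which the splat and the ConvertTo-Json call suggest) and consider trimming it to the fields the UI actually needs. The key `QueuedId` also does not match `QueueId` on the result object; `$Metadata.QueueId = $Results.QueueId` keeps the names aligned. On the catch path `$GraphRequestData` stays a plain string, so the same endpoint now returns either a `{Results, Metadata}` object or a JSON string, which callers parsing `.Results` will not expect. Invoke-ListGraphRequest's body begins before the first hunk; the second hunk closes it.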
From: KelvinTegelaar Date: Tue, 10 Oct 2023 19:30:38 +0200 Subject: [PATCH 35/79] Add AppApproval and CPV improvements --- ExecAddMultiTenantApp/function.json | 18 + ExecCPVPermissions/run.ps1 | 89 +- .../Public/Add-CIPPApplicationPermission.ps1 | 43 + .../Public/Add-CIPPDelegatedPermission.ps1 | 51 + .../Invoke-ExecAddMultiTenantApp.ps1 | 53 + .../Public/PermissionsTranslator.json | 5316 +++++++++++++++++ Modules/CIPPCore/Public/SAMManifest.json | 203 + .../CIPPCore/Public/Set-CIPPCPVConsent.ps1 | 111 +- UpdatePermissions/run.ps1 | 31 +- UpdatePermissionsQueue/run.ps1 | 96 +- 10 files changed, 5731 insertions(+), 280 deletions(-) create mode 100644 ExecAddMultiTenantApp/function.json create mode 100644 Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1 create mode 100644 Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1 create mode 100644 Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAddMultiTenantApp.ps1 create mode 100644 Modules/CIPPCore/Public/PermissionsTranslator.json create mode 100644 Modules/CIPPCore/Public/SAMManifest.json diff --git a/ExecAddMultiTenantApp/function.json b/ExecAddMultiTenantApp/function.json new file mode 100644 index 0000000000000..bf6c3ef0c49a3 --- /dev/null +++ b/ExecAddMultiTenantApp/function.json @@ -0,0 +1,18 @@ +{ + "scriptFile": "../Modules/CippEntryPoints/CippEntryPoints.psm1", + "entryPoint": "Receive-CippHttpTrigger", + "bindings": [ + { + "authLevel": "anonymous", + "type": "httpTrigger", + "direction": "in", + "name": "Request", + "methods": ["get", "post"] + }, + { + "type": "http", + "direction": "out", + "name": "Response" + } + ] +} diff --git a/ExecCPVPermissions/run.ps1 b/ExecCPVPermissions/run.ps1 index 8f7b9a920aee2..ecd545e8ae4ce 100644 --- a/ExecCPVPermissions/run.ps1 +++ b/ExecCPVPermissions/run.ps1 
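Review bot: `"authLevel": "anonymous"` means the Functions host enforces no key on ExecAddMultiTenantApp, so the only gate on an endpoint that installs an application into every customer tenant and grants it permissions is whatever Receive-CippHttpTrigger does with `x-ms-client-principal`; that check is not visible in this patch, and the entrypoint itself only logs the principal. If this app is not fronted by Static Web Apps/EasyAuth (which presumably populates that header), use `"authLevel": "function"` here; otherwise confirm the shared trigger rejects callers without an admin role before dispatching to this function.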
@@ -9,93 +9,16 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME - # Write to the Azure Functions log stream. Write-Host "PowerShell HTTP trigger function processed a request." - -# Interact with query parameters or the body of the request. -$TenantFilter = $Request.Query.TenantFilter -Set-Location (Get-Item $PSScriptRoot).Parent.FullName - -$Translator = Get-Content '.\Cache_SAMSetup\PermissionsTranslator.json' | ConvertFrom-Json -$ExpectedPermissions = Get-Content '.\Cache_SAMSetup\SAMManifest.json' | ConvertFrom-Json -try { - $DeleteOldPermissions = New-GraphpostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($env:ApplicationID)" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID - -} -catch { - "no old permissions to delete, moving on" -} - -$GraphRequest = $ExpectedPermissions.requiredResourceAccess | ForEach-Object { - try { - $Resource = $_ - $Permissionsname = switch ($Resource.ResourceAppId) { - '00000002-0000-0ff1-ce00-000000000000' { 'Office 365 Exchange Online' } - '00000003-0000-0000-c000-000000000000' { "Graph API" } - 'fc780465-2017-40d4-a0c5-307022471b92' { 'WindowsDefenderATP' } - '00000003-0000-0ff1-ce00-000000000000' { 'Sharepoint' } - '48ac35b8-9aa8-4d74-927d-1f4a14a0b239' { 'Skype and Teams Tenant Admin API' } - 'c5393580-f805-4401-95e8-94b7a6ef2fc2' { 'Office 365 Management API' } - - } - $Scope = ($Translator | Where-Object { $_.id -in $Resource.ResourceAccess.id } | Where-Object { $_.value -notin 'profile', 'openid', 'offline_access' }).value -join ', ' - if ($Scope) { - $RequiredCPVPerms = [PSCustomObject]@{ - EnterpriseApplicationId = $_.ResourceAppId - Scope = "$Scope" - } - $AppBody = @" -{ - "ApplicationGrants":[ $(ConvertTo-Json -InputObject $RequiredCPVPerms -Compress -Depth 10)], - "ApplicationId": "$($env:ApplicationID)"} -"@ - $CPVConsent = New-GraphpostRequest -body $AppBody -Type 
POST -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID - "Succesfully set CPV permissions for $Permissionsname" - - } - } - catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not set CPV permissions for $PermissionsName. Does the Tenant have a license for this API. error: $($_.Exception.message)" -Sev "Error" - "Could not set CPV permissions for $PermissionsName. Does the Tenant have a license for this API? Error: $($_.Exception.message)" - } -} - -try { - $ourSVCPrincipal = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($ENV:applicationid)')" -tenantid $Tenantfilter - $CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $tenantfilter - +$TenantFilter = (get-tenants | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName +$GraphRequest = try { + Set-CIPPCPVConsent -Tenantfilter $TenantFilter + Add-CIPPApplicationPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter + Add-CIPPDelegatedPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter } catch { - #this try catch exists because of 500 errors when the app principal does not exist. 
:) -} -# if the app svc principal exists, consent app permissions -$apps = $ExpectedPermissions -#get current roles -#If -$Grants = foreach ($App in $apps.requiredResourceAccess) { - try { - $svcPrincipalId = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($app.resourceAppId)')" -tenantid $tenantfilter - } - catch { - continue - } - foreach ($SingleResource in $app.ResourceAccess | Where-Object -Property Type -EQ "Role") { - if ($singleresource.id -In $currentroles.appRoleId) { continue } - [pscustomobject]@{ - principalId = $($ourSVCPrincipal.id) - resourceId = $($svcPrincipalId.id) - appRoleId = "$($SingleResource.Id)" - } - } -} -foreach ($Grant in $grants) { - try { - $SettingsRequest = New-GraphPOSTRequest -body ($grant | ConvertTo-Json) -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo" -tenantid $tenantfilter -type POST - } - catch { - "Failed to grant $($grant.appRoleId) to $($grant.resourceId): $($_.Exception.Message). " - } + "Failed to update permissions for $($TenantFilter): $($_.Exception.Message)" } - # Associate values to output bindings by calling 'Push-OutputBinding'. Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ StatusCode = [HttpStatusCode]::OK diff --git a/Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1 b/Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1 new file mode 100644 index 0000000000000..ce51d6c7eff6b --- /dev/null +++ b/Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1 
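Review bot: The customerId lookup on the new `$TenantFilter` line can return nothing — an unknown or mistyped `Tenantfilter` makes `$TenantFilter` `$null`, and the three consent/permission calls then run with an empty tenant filter instead of failing fast; add `if (-not $TenantFilter) { throw "Unknown tenant $($Request.query.Tenantfilter)" }` before the try. The old inline DELETE of the existing CPV consent is gone from this script; presumably Set-CIPPCPVConsent does it now, but that function is not visible here, so worth a one-line comment stating that the consent is reset inside it.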
@@ -0,0 +1,43 @@ +function Add-CIPPApplicationPermission { + [CmdletBinding()] + param( + $RequiredResourceAccess, + $ApplicationId, + $Tenantfilter + ) + Set-Location (Get-Item $PSScriptRoot).FullName + if ($RequiredResourceAccess -eq "CIPPDefaults") { + $RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess + } + $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $Tenantfilter + $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId + + $Results = [System.Collections.ArrayList]@() + + $CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $Tenantfilter -skipTokenCache $true + + $Grants = foreach ($App in $RequiredResourceAccess) { + $svcPrincipalId = $ServicePrincipalList | Where-Object -Property AppId -EQ $App.resourceAppId + if (!$svcPrincipalId) { continue } + foreach ($SingleResource in $App.ResourceAccess | Where-Object -Property Type -EQ "Role") { + if ($SingleResource.id -In $CurrentRoles.appRoleId) { continue } + [pscustomobject]@{ + principalId = $($ourSVCPrincipal.id) + resourceId = $($svcPrincipalId.id) + appRoleId = "$($SingleResource.Id)" + } + } + } + $counter = 0 + foreach ($Grant in $Grants) { + try { + $SettingsRequest = New-GraphPOSTRequest -body ($Grant | ConvertTo-Json) -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo" -tenantid $Tenantfilter -type POST + $counter ++ + } + catch { + $Results.add("Failed to grant $($Grant.appRoleId) to $($Grant.resourceId): $($_.Exception.Message)") | Out-Null + } + } + "Added $counter Application permissions to $($ourSVCPrincipal.displayName)" + return $Results +} \ No newline at end of file 
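Review bot: `$ourSVCPrincipal` is used unchecked: when `$ApplicationId` has no service principal in the tenant, the GET becomes `servicePrincipals//appRoleAssignments` and each grant is POSTed with an empty `principalId`, producing one confusing Graph error per role instead of one clear failure; add `if (-not $ourSVCPrincipal) { throw "No service principal for $ApplicationId in $Tenantfilter" }` right after the lookup. `Set-Location` changes the worker's current directory as a side effect just to read one file; `Get-Content (Join-Path $PSScriptRoot 'SAMManifest.json')` avoids that. The `$top=999` query is not paged in this function, so in a tenant with more service principals the `continue` silently drops grants unless New-GraphGETRequest follows nextLink itself (not visible here).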
diff --git a/Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1 b/Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1 new file mode 100644 index 0000000000000..7ff4452bba453 --- /dev/null +++ b/Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1 
@@ -0,0 +1,51 @@ +function Add-CIPPDelegatedPermission { + [CmdletBinding()] + param( + $RequiredResourceAccess, + $ApplicationId, + $Tenantfilter + ) + Set-Location (Get-Item $PSScriptRoot).FullName + + if ($RequiredResourceAccess -eq "CIPPDefaults") { + $RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess + } + $Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json + $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true + $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId + $Results = [System.Collections.ArrayList]@() + + $CurrentDelegatedScopes = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/oauth2PermissionGrants" -skipTokenCache $true -tenantid $Tenantfilter + + foreach ($App in $requiredResourceAccess) { + $svcPrincipalId = $ServicePrincipalList | Where-Object -Property AppId -EQ $App.resourceAppId + if (!$svcPrincipalId) { continue } + $NewScope = ($Translator | Where-Object { $_.id -in $App.ResourceAccess.id } | Where-Object { $_.value -notin 'profile', 'openid', 'offline_access' }).value -join ' ' + $OldScope = ($CurrentDelegatedScopes | Where-Object -Property Resourceid -EQ $svcPrincipalId.id) + + if (!$OldScope) { + $Createbody = @{ + clientId = $ourSVCPrincipal.id + consentType = "AllPrincipals" + resourceId = $svcPrincipalId.id + scope = $NewScope + } | ConvertTo-Json -Compress + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" -tenantid $Tenantfilter -body $Createbody -type POST + $Results.add("Successfully added permissions for $($svcPrincipalId.displayName)") | Out-Null + } + else { + $compare = Compare-Object -ReferenceObject $OldScope.scope.Split(' ') -DifferenceObject $NewScope.Split(' ') + if 
(!$compare) { + $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)") | Out-Null + continue + } + $Patchbody = @{ + scope = "$NewScope" + } | ConvertTo-Json -Compress + $Patchrequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($OldScope.id)" -tenantid $Tenantfilter -body $Patchbody -type PATCH + $Results.add("Successfully updated permissions for $($svcPrincipalId.displayName)") | Out-Null + } + } + + return $Results +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAddMultiTenantApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAddMultiTenantApp.ps1 new file mode 100644 index 0000000000000..45d87a357b42e --- /dev/null +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAddMultiTenantApp.ps1 
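Review bot: `$NewScope` is built from every id in `$App.ResourceAccess`, including `Role` entries, so application-permission names from the translator (entries with origin Application, e.g. `Exchange.ManageAsApp`) end up in the delegated `scope` string, whereas Add-CIPPApplicationPermission filters on `Type -EQ "Role"`; mirror that with `$ScopeIds = ($App.ResourceAccess | Where-Object -Property Type -EQ 'Scope').id` and match the translator on `$_.id -in $ScopeIds`. `$OldScope` is also matched on resourceId alone; if the tenant holds a second grant for the same resource with `consentType = 'Principal'`, `$OldScope.scope.Split(' ')` and the PATCH URL built from `$OldScope.id` break, so add `-and $_.consentType -eq 'AllPrincipals'` to that filter. Worth a comment that the PATCH deliberately replaces rather than merges the scope, so scopes dropped from the manifest are revoked — that is the least-privilege behaviour you want, but it is not obvious from the code.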
@@ -0,0 +1,53 @@ +using namespace System.Net + +function Invoke-ExecAddMultiTenantApp { + param($Request, $TriggerMetadata) + + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + $DelegateResources = $request.body.permissions | Where-Object -Property origin -EQ "Delegated" | ForEach-Object { @{ id = $_.id; type = "Scope" } } + $DelegateResourceAccess = @{ ResourceAppId = "00000003-0000-0000-c000-000000000000"; resourceAccess = $DelegateResources } + $ApplicationResources = $request.body.permissions | Where-Object -Property origin -EQ "Application" | ForEach-Object { @{ id = $_.id; type = "Role" } } + $ApplicationResourceAccess = @{ ResourceAppId = "00000003-0000-0000-c000-000000000000"; resourceAccess = $ApplicationResources } + + $Results = try { + #This needs to be moved to a queue. + if ("allTenants" -in $Request.body.SelectedTenants.defaultDomainName) { $TenantFilter = Get-Tenants } else { $TenantFilter = $Request.body.SelectedTenants.defaultDomainName } + if ($request.body.CopyPermissions -eq $true) { + try { + $ExistingApp = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/applications(appId='$($Request.body.AppId)')" -tenantid $ENV:tenantid -NoAuthCheck $true + $DelegateResourceAccess = $Existingapp.requiredResourceAccess + $ApplicationResourceAccess = $Existingapp.requiredResourceAccess + } + catch { + "Failed to get existing permissions. The app does not exist in the partner tenant." 
+ } + } + + foreach ($Tenant in $TenantFilter) { + $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Tenant + if ($Request.body.AppId -Notin $ServicePrincipalList.appId) { + $PostResults = New-GraphPostRequest "https://graph.microsoft.com/beta/servicePrincipals" -type POST -tenantid $tenant -body "{ `"appId`": `"$($Request.body.AppId)`" }" + "Added $($Request.body.AppId) to tenant $($Tenant)" + } + else { + "This app already exists in tenant $($Tenant). We're adding the required permissions." + } + + Add-CIPPApplicationPermission -RequiredResourceAccess $applicationResourceAccess -ApplicationId $Request.body.AppId -Tenantfilter $Tenant + Add-CIPPDelegatedPermission -RequiredResourceAccess $DelegateResourceAccess -ApplicationId $Request.body.AppId -Tenantfilter $Tenant + } + $StatusCode = [HttpStatusCode]::OK + } + catch { + $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message) + $Results = "Function Error: $ErrorMsg" + $StatusCode = [HttpStatusCode]::BadRequest + } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = $StatusCode + Body = @{ Results = @($Results) } + }) + +} \ No newline at end of file diff --git a/Modules/CIPPCore/Public/PermissionsTranslator.json b/Modules/CIPPCore/Public/PermissionsTranslator.json new file mode 100644 index 0000000000000..a38d0786d5f12 --- /dev/null +++ b/Modules/CIPPCore/Public/PermissionsTranslator.json 
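Review bot: `$Request.body.AppId` goes unvalidated into an OData key segment (`applications(appId='…')`) and into a hand-built JSON body, and on the catch path the message is lost: `$Results = try {…} catch {…}` overwrites the inner `$Results = "Function Error: …"` with the catch block's (empty) pipeline output, so a failure returns 400 with no text. Parse the id as a GUID inside the try, build the body with ConvertTo-Json, and emit the error from the catch instead of assigning it. In the CopyPermissions branch a missing partner-tenant app only emits a message and then proceeds with the request-supplied permissions; if that is not intended, `throw` there instead. The function is complete within the hunk.
```powershell
$Results = try {
    $AppId = $Request.body.AppId -as [guid]
    if (-not $AppId) { throw "AppId '$($Request.body.AppId)' is not a valid application id" }
    # … unchanged: tenant selection and CopyPermissions (use "$AppId" in the applications(appId='…') URI) …
    foreach ($Tenant in $TenantFilter) {
        $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Tenant
        if ("$AppId" -notin $ServicePrincipalList.appId) {
            $PostResults = New-GraphPostRequest 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $Tenant -body (@{ appId = "$AppId" } | ConvertTo-Json -Compress)
            "Added $AppId to tenant $($Tenant)"
        }
        # … unchanged: else branch and Add-CIPP*Permission calls (pass -ApplicationId "$AppId") …
    }
    $StatusCode = [HttpStatusCode]::OK
} catch {
    $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
    "Function Error: $ErrorMsg"   # emitted, not assigned, so the outer $Results assignment keeps it
    $StatusCode = [HttpStatusCode]::BadRequest
}
```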
@@ -0,0 +1,5316 @@ +[ + { + "description": "Allows Exchange Management as app", + "displayName": "Manage Exchange As Application ", + "id": "dc50a0fb-09a3-484d-be87-e023b12c6440", + "origin": "Application (Office 365 Exchange Online)", + "value": "Exchange.ManageAsApp" + }, + { + "description": "Allows the app to read a basic set of profile properties of other users in your organization without a signed-in user. Includes display name, first and last name, email address, open extensions, and photo.", + "displayName": "Read all users' basic profiles", + "id": "97235f07-e226-4f63-ace3-39588e11d3a1", + "origin": "Application", + "value": "User.ReadBasic.All" + }, + { + "description": "Allows the app to read all\u00a0class assignments without grades for all users without a signed-in user.", + "displayName": "Read all class assignments without grades", + "id": "6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e", + "origin": "Application", + "value": "EduAssignments.ReadBasic.All" + }, + { + "description": "Allows the app to create, read, update and delete all\u00a0class assignments without grades for all users without a signed-in user.", + "displayName": "Create, read, update and delete all\u00a0class assignments without grades", + "id": "f431cc63-a2de-48c4-8054-a34bc093af84", + "origin": "Application", + "value": "EduAssignments.ReadWriteBasic.All" + }, + { + "description": "Allows the app to read all\u00a0class assignments with grades for all users without a signed-in user.", + "displayName": "Read all class assignments with grades", + "id": "4c37e1b6-35a1-43bf-926a-6f30f2cdf585", + "origin": "Application", + "value": "EduAssignments.Read.All" + }, + { + "description": "Allows the app to create, read, update and delete all\u00a0class assignments with grades for all users without a signed-in user.", + "displayName": "Create, read, update and delete all\u00a0class assignments with grades", + "id": "0d22204b-6cad-4dd0-8362-3e3f2ae699d9", + "origin": "Application", + "value": 
"EduAssignments.ReadWrite.All" + }, + { + "description": "Allows\u00a0the\u00a0app\u00a0to\u00a0read\u00a0subject\u00a0rights requests\u00a0without a\u00a0signed-in\u00a0user.", + "displayName": "Read\u00a0all subject\u00a0rights requests", + "id": "ee1460f0-368b-4153-870a-4e1ca7e72c42", + "origin": "Application", + "value": "SubjectRightsRequest.Read.All" + }, + { + "description": "Allows\u00a0the\u00a0app\u00a0to\u00a0read\u00a0and\u00a0write subject\u00a0rights requests\u00a0without a signed in user.", + "displayName": "Read\u00a0and\u00a0write\u00a0all subject\u00a0rights requests", + "id": "8387eaa4-1a3c-41f5-b261-f888138e6041", + "origin": "Application", + "value": "SubjectRightsRequest.ReadWrite.All" + }, + { + "description": "Allows the app to read attack simulation and training data for an organization without a signed-in user.", + "displayName": "Read attack simulation data of an organization", + "id": "93283d0a-6322-4fa8-966b-8c121624760d", + "origin": "Application", + "value": "AttackSimulation.Read.All" + }, + { + "description": "Allows custom authentication extensions associated with the app to receive HTTP requests triggered by an authentication event. 
The request can include information about a user, client and resource service principals, and other information about the authentication.", + "displayName": "Receive custom authentication extension HTTP requests", + "id": "214e810f-fda8-4fd7-a475-29461495eb00", + "origin": "Application", + "value": "CustomAuthenticationExtension.Receive.Payload" + }, + { + "description": "Allows the app to read and write your organization's directory access review default policy without a signed-in user.", + "displayName": "Read and write your organization's directory access review default policy", + "id": "77c863fd-06c0-47ce-a7eb-49773e89d319", + "origin": "Application", + "value": "Policy.ReadWrite.AccessReview" + }, + { + "description": "Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user.", + "displayName": "Read and write all groups", + "id": "62a82d76-70ea-41e2-9197-370581804d09", + "origin": "Application", + "value": "Group.ReadWrite.All" + }, + { + "description": "Allows the app to read group properties and memberships, and read\u00a0conversations for all groups, without a signed-in user.", + "displayName": "Read all groups", + "id": "5b567255-7703-4780-807c-7be8301ae99b", + "origin": "Application", + "value": "Group.Read.All" + }, + { + "description": "Allows the app to read your organization's threat submissions and threat submission policies without a signed-in user. 
Also allows the app to create new threat submissions without a signed-in user.", + "displayName": "Read and write all of the organization's threat submissions", + "id": "d72bdbf4-a59b-405c-8b04-5995895819ac", + "origin": "Application", + "value": "ThreatSubmission.ReadWrite.All" + }, + { + "description": "Allows an app to read Bookings appointments, businesses, customers, services, and staff without a signed-in user. ", + "displayName": "Read all Bookings related resources.", + "id": "6e98f277-b046-4193-a4f2-6bf6a78cd491", + "origin": "Application", + "value": "Bookings.Read.All" + }, + { + "description": "Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff without a signed-in user. ", + "displayName": "Read and write all Bookings related resources.", + "id": "9769393e-5a9f-4302-9e3d-7e018ecb64a7", + "origin": "Application", + "value": "BookingsAppointment.ReadWrite.All" + }, + { + "description": "Allows the application to read any data from Records Management, such as configuration, labels, and policies without the signed in user.", + "displayName": "Read Records Management configuration,\u00a0labels and policies", + "id": "ac3a2b8e-03a3-4da9-9ce0-cbe28bf1accd", + "origin": "Application", + "value": "RecordsManagement.Read.All" + }, + { + "description": "Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies without the signed in user.", + "displayName": "Read and write Records Management configuration, labels and policies", + "id": "eb158f57-df43-4751-8b21-b8932adb3d34", + "origin": "Application", + "value": "RecordsManagement.ReadWrite.All" + }, + { + "description": "Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups without a signed-in user.", + "displayName": "Read 
Delegated Admin relationships with customers", + "id": "f6e9e124-4586-492f-adc0-c6f96e4823fd", + "origin": "Application", + "value": "DelegatedAdminRelationship.Read.All" + }, + { + "description": "Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user.", + "displayName": "Manage Delegated Admin relationships with customers", + "id": "cc13eba4-8cd8-44c6-b4d4-f93237adce58", + "origin": "Application", + "value": "DelegatedAdminRelationship.ReadWrite.All" + }, + { + "description": "Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, without a signed-in user. This includes reading and managing Cloud PC role definitions and memberships.", + "displayName": "Read and write all Cloud PC RBAC settings", + "id": "274d0592-d1b6-44bd-af1d-26d259bcb43a", + "origin": "Application", + "value": "RoleManagement.ReadWrite.CloudPC" + }, + { + "description": "Allows the app to read the Cloud PC role-based access control (RBAC) settings, without a signed-in user.", + "displayName": "Read Cloud PC RBAC settings", + "id": "031a549a-bb80-49b6-8032-2068448c6a3c", + "origin": "Application", + "value": "RoleManagement.Read.CloudPC" + }, + { + "description": "Allows the app to read custom security attribute assignments for all principals in the tenant without a signed in user.", + "displayName": "Read custom security attribute assignments", + "id": "3b37c5a4-1226-493d-bec3-5d6c6b866f3f", + "origin": "Application", + "value": "CustomSecAttributeAssignment.Read.All" + }, + { + "description": "Allows the app to read custom security attribute definitions for the tenant without a signed in user.", + "displayName": "Read custom security attribute definitions", + "id": "b185aa14-d8d2-42c1-a685-0f5596613624", + "origin": "Application", + "value": "CustomSecAttributeDefinition.Read.All" + }, + { + "description": "Allows 
the app to read all external connections without a signed-in user.", + "displayName": "Read all external connections", + "id": "1914711b-a1cb-4793-b019-c2ce0ed21b8c", + "origin": "Application", + "value": "ExternalConnection.Read.All" + }, + { + "description": "Allows the app to read and write all external connections without a signed-in user.", + "displayName": "Read and write all external connections", + "id": "34c37bc0-2b40-4d5e-85e1-2365cd256d79", + "origin": "Application", + "value": "ExternalConnection.ReadWrite.All" + }, + { + "description": "Allows the app to read all external items without a signed-in user.", + "displayName": "Read all external items", + "id": "7a7cffad-37d2-4f48-afa4-c6ab129adcc2", + "origin": "Application", + "value": "ExternalItem.Read.All" + }, + { + "description": "Allows the app to read and write your organization's cross tenant access policies without a signed-in user.", + "displayName": "Read and write your organization's cross tenant access policies", + "id": "338163d7-f101-4c92-94ba-ca46fe52447c", + "origin": "Application", + "value": "Policy.ReadWrite.CrossTenantAccess" + }, + { + "description": "Allows the app to read and write custom security attribute definitions for the tenant without a signed in user.", + "displayName": "Read and write custom security attribute definitions", + "id": "12338004-21f4-4896-bf5e-b75dfaf1016d", + "origin": "Application", + "value": "CustomSecAttributeDefinition.ReadWrite.All" + }, + { + "description": "Allows the app to read and write custom security attribute assignments for all principals in the tenant without a signed in user.", + "displayName": "Read and write custom security attribute assignments", + "id": "de89b5e4-5b8f-48eb-8925-29c2b33bd8bd", + "origin": "Application", + "value": "CustomSecAttributeAssignment.ReadWrite.All" + }, + { + "description": "Allows the app to read and write to all security incidents, without a signed-in user.", + "displayName": "Read and write to all security 
incidents", + "id": "34bf0e97-1971-4929-b999-9e2442d941d7", + "origin": "Application", + "value": "SecurityIncident.ReadWrite.All" + }, + { + "description": "Allows the app to read all security incidents, without a signed-in user.", + "displayName": "Read all security incidents", + "id": "45cc0394-e837-488b-a098-1918f48d186c", + "origin": "Application", + "value": "SecurityIncident.Read.All" + }, + { + "description": "Allows the app to read and write to all security alerts, without a signed-in user.", + "displayName": "Read and write to all security alerts", + "id": "ed4fca05-be46-441f-9803-1873825f8fdb", + "origin": "Application", + "value": "SecurityAlert.ReadWrite.All" + }, + { + "description": "Allows the app to read all security alerts, without a signed-in user.", + "displayName": "Read all security alerts", + "id": "472e4a4d-bb4a-4026-98d1-0b0d74cb74a5", + "origin": "Application", + "value": "SecurityAlert.Read.All" + }, + { + "description": "Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects without a signed-in user.", + "displayName": "Read and write all eDiscovery objects", + "id": "b2620db1-3bf7-4c5b-9cb9-576d29eac736", + "origin": "Application", + "value": "eDiscovery.ReadWrite.All" + }, + { + "description": "Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects without a signed-in user.", + "displayName": "Read all eDiscovery objects", + "id": "50180013-6191-4d1e-a373-e590ff4e66af", + "origin": "Application", + "value": "eDiscovery.Read.All" + }, + { + "description": "Allows the app to run hunting queries, without a signed-in user.", + "displayName": "Run hunting queries", + "id": "dd98c7f5-2d42-42d3-a0e4-633161547251", + "origin": "Application", + "value": "ThreatHunting.Read.All" + }, + { + "description": "Allow the app to read the management data for Teams devices, without a signed-in user.", + "displayName": "Read Teams devices", + 
"id": "0591bafd-7c1c-4c30-a2a5-2b9aacb1dfe8", + "origin": "Application", + "value": "TeamworkDevice.Read.All" + }, + { + "description": "Allow the app to read and write the management data for Teams devices, without a signed-in user.", + "displayName": "Read and write Teams devices", + "id": "79c02f5b-bd4f-4713-bc2c-a8a4a66e127b", + "origin": "Application", + "value": "TeamworkDevice.ReadWrite.All" + }, + { + "description": "Allows the app to read and update identity risky service principal for your organization, without a signed-in user.", + "displayName": "Read and write all identity risky service principal information", + "id": "cb8d6980-6bcb-4507-afec-ed6de3a2d798", + "origin": "Application", + "value": "IdentityRiskyServicePrincipal.ReadWrite.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any user, without a signed-in user.", + "displayName": "Allow the Teams app to manage only its own tabs for all users", + "id": "3c42dec6-49e8-4a0a-b469-36cff0d9da93", + "origin": "Application", + "value": "TeamsTab.ReadWriteSelfForUser.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall its own tabs in any team, without a signed-in user.", + "displayName": "Allow the Teams app to manage only its own tabs for all teams", + "id": "91c32b81-0ef0-453f-a5c7-4ce2e562f449", + "origin": "Application", + "value": "TeamsTab.ReadWriteSelfForTeam.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user.", + "displayName": "Allow the Teams app to manage only its own tabs for all chats", + "id": "9f62e4a2-a2d6-4350-b28b-d244728c4f86", + "origin": "Application", + "value": "TeamsTab.ReadWriteSelfForChat.All" + }, + { + "description": "Allows the app to read all risky service principal information for your organization, without a signed-in user.", + "displayName": "Read all identity risky service 
principal information", + "id": "607c7344-0eed-41e5-823a-9695ebe1b7b0", + "origin": "Application", + "value": "IdentityRiskyServicePrincipal.Read.All" + }, + { + "description": "Allows the app to read and write search configurations, without a signed-in user.", + "displayName": "Read and write your organization's search configuration", + "id": "0e778b85-fefa-466d-9eec-750569d92122", + "origin": "Application", + "value": "SearchConfiguration.ReadWrite.All" + }, + { + "description": "Allows the app to read search configurations, without a signed-in user.", + "displayName": "Read your organization's search configuration", + "id": "ada977a5-b8b1-493b-9a91-66c206d76ecf", + "origin": "Application", + "value": "SearchConfiguration.Read.All" + }, + { + "description": "Allows the app to read online meeting artifacts in your organization, without a signed-in user.", + "displayName": "Read online meeting artifacts", + "id": "df01ed3b-eb61-4eca-9965-6b3d789751b2", + "origin": "Application", + "value": "OnlineMeetingArtifact.Read.All" + }, + { + "description": "Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user.", + "displayName": "Read and write to all app catalogs", + "id": "dc149144-f292-421e-b185-5953f2e98d7f", + "origin": "Application", + "value": "AppCatalog.ReadWrite.All" + }, + { + "description": "Allows the app to read apps in the app catalogs without a signed-in user.", + "displayName": "Read all app catalogs", + "id": "e12dae10-5a57-4817-b79d-dfbec5348930", + "origin": "Application", + "value": "AppCatalog.Read.All" + }, + { + "description": "Allows the app to manage workforce integrations to synchronize data from Microsoft Teams Shifts, without a signed-in user.", + "displayName": "Read and write workforce integrations", + "id": "202bf709-e8e6-478e-bcfd-5d63c50b68e3", + "origin": "Application", + "value": "WorkforceIntegration.ReadWrite.All" + }, + { + "description": "Allows the app to read all presence information 
and write activity and availability of all users in the directory without a signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, time zone and location.", + "displayName": "Read and write presence information for all users", + "id": "83cded22-8297-4ff6-a7fa-e97e9545a259", + "origin": "Application", + "value": "Presence.ReadWrite.All" + }, + { + "description": "Allows the app to read and write tags in Teams without a signed-in user.", + "displayName": "Read and write tags in Teams", + "id": "a3371ca5-911d-46d6-901c-42c8c7a937d8", + "origin": "Application", + "value": "TeamworkTag.ReadWrite.All" + }, + { + "description": "Allows the app to read\u00a0tags in Teams\u00a0without a signed-in user.", + "displayName": "Read tags in Teams", + "id": "b74fd6c4-4bde-488e-9695-eeb100e4907f", + "origin": "Application", + "value": "TeamworkTag.Read.All" + }, + { + "description": "Allows the app to read and write all Windows update deployment settings for the organization without a signed-in user.", + "displayName": "Read and write all Windows update deployment settings", + "id": "7dd1be58-6e76-4401-bf8d-31d1e8180d5b", + "origin": "Application", + "value": "WindowsUpdates.ReadWrite.All" + }, + { + "description": "Allows the app to read and write external connections without a signed-in user. The app can only read and write external connections that it is authorized to, or it can create new external connections. ", + "displayName": "Read and write external connections", + "id": "f431331c-49a6-499f-be1c-62af19c34a9d", + "origin": "Application", + "value": "ExternalConnection.ReadWrite.OwnedBy" + }, + { + "description": "Allows the app to read and write external items without a signed-in user. 
The app can only read external items of the connection that it is authorized to.", + "displayName": "Read and write external items", + "id": "8116ae0f-55c2-452d-9944-d18420f5b2c8", + "origin": "Application", + "value": "ExternalItem.ReadWrite.OwnedBy" + }, + { + "description": "Allow the application to access a subset of site collections without a signed in user.\u00a0\u00a0The specific site collections and the permissions granted will be configured in SharePoint Online.", + "displayName": "Access selected site collections", + "id": "883ea226-0bf2-4a8f-9f9d-92c9162a727d", + "origin": "Application", + "value": "Sites.Selected" + }, + { + "description": "Allows the app to read documents and list items in all site collections without a signed in user.", + "displayName": "Read items in all site collections ", + "id": "332a536c-c7ef-4017-ab91-336970924f0d", + "origin": "Application", + "value": "Sites.Read.All" + }, + { + "description": "Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user.", + "displayName": "Read and write items in all site collections", + "id": "9492366f-7969-46a4-8d15-ed1a20078fff", + "origin": "Application", + "value": "Sites.ReadWrite.All" + }, + { + "description": "Allows the app to read and write the properties of Cloud PCs, without a signed-in user.", + "displayName": "Read and write Cloud PCs", + "id": "3b4349e1-8cf5-45a3-95b7-69d1751d3e6a", + "origin": "Application", + "value": "CloudPC.ReadWrite.All" + }, + { + "description": "Allows the app to read the properties of Cloud PCs, without a signed-in user.", + "displayName": "Read Cloud PCs", + "id": "a9e09520-8ed4-4cde-838e-4fdea192c227", + "origin": "Application", + "value": "CloudPC.Read.All" + }, + { + "description": "Allows the app to update service principal endpoints", + "displayName": "Read and update service principal endpoints", + "id": "89c8469c-83ad-45f7-8ff2-6e3d4285709e", + "origin": "Application", + "value": 
"ServicePrincipalEndpoint.ReadWrite.All" + }, + { + "description": "Allows the app to read service principal endpoints", + "displayName": "Read service principal endpoints", + "id": "5256681e-b7f6-40c0-8447-2d9db68797a0", + "origin": "Application", + "value": "ServicePrincipalEndpoint.Read.All" + }, + { + "description": "Allows the app to create new notifications in users' teamwork activity feeds without a signed in user. These notifications may not be discoverable or be held or governed by compliance policies.", + "displayName": "Send a teamwork activity to any user", + "id": "a267235f-af13-44dc-8385-c1dc93023186", + "origin": "Application", + "value": "TeamsActivity.Send" + }, + { + "description": "Allows the app to read terms of use acceptance statuses, without a signed in user.", + "displayName": "Read all terms of use acceptance statuses", + "id": "d8e4ec18-f6c0-4620-8122-c8b1f2bf400e", + "origin": "Application", + "value": "AgreementAcceptance.Read.All" + }, + { + "description": "Allows the app to read and write terms of use agreements, without a signed in user.", + "displayName": "Read and write all terms of use agreements", + "id": "c9090d00-6101-42f0-a729-c41074260d47", + "origin": "Application", + "value": "Agreement.ReadWrite.All" + }, + { + "description": "Allows the app to read terms of use agreements, without a signed in user.", + "displayName": "Read all terms of use agreements", + "id": "2f3e6f8c-093b-4c57-a58b-ba5ce494a169", + "origin": "Application", + "value": "Agreement.Read.All" + }, + { + "description": "Allows the app to read app consent requests and approvals, and deny or approve those requests without a signed-in user.", + "displayName": "Read and write all consent requests", + "id": "9f1b81a7-0223-4428-bfa4-0bcb5535f27d", + "origin": "Application", + "value": "ConsentRequest.ReadWrite.All" + }, + { + "description": "Allows the app to read and write your organization's consent requests policy without a signed-in user.", + "displayName": 
"Read and write your organization's consent request policy", + "id": "999f8c63-0a38-4f1b-91fd-ed1947bdd1a9", + "origin": "Application", + "value": "Policy.ReadWrite.ConsentRequest" + }, + { + "description": "Allows the app to read consent requests and approvals without a signed-in user.", + "displayName": "Read all consent requests", + "id": "1260ad83-98fb-4785-abbb-d6cc1806fd41", + "origin": "Application", + "value": "ConsentRequest.Read.All" + }, + { + "description": "Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties.", + "displayName": "Read basic mail in all mailboxes", + "id": "693c5e45-0940-467d-9b8a-1022fb9d42ef", + "origin": "Application", + "value": "Mail.ReadBasic.All" + }, + { + "description": "Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties.", + "displayName": "Read basic mail in all mailboxes", + "id": "6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a", + "origin": "Application", + "value": "Mail.ReadBasic" + }, + { + "description": "Allows the app to read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature.", + "displayName": "Read and write feature rollout policies", + "id": "2044e4f1-e56c-435b-925c-44cd8f6ba89a", + "origin": "Application", + "value": "Policy.ReadWrite.FeatureRollout" + }, + { + "description": "Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. 
This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.", + "displayName": "Read and write all directory RBAC settings", + "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", + "origin": "Application", + "value": "RoleManagement.ReadWrite.Directory" + }, + { + "description": "Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships.", + "displayName": "Read all directory RBAC settings", + "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c", + "origin": "Application", + "value": "RoleManagement.Read.Directory" + }, + { + "description": "Allows the app to read and write the organization and related resources, without a signed-in user.\u00a0Related resources include things like subscribed skus and tenant branding information.", + "displayName": "Read and write organization information", + "id": "292d869f-3427-49a8-9dab-8c70152b74e9", + "origin": "Application", + "value": "Organization.ReadWrite.All" + }, + { + "description": "Allows the app to read the organization and related resources, without a signed-in user.\u00a0Related resources include things like subscribed skus and tenant branding information.", + "displayName": "Read organization information", + "id": "498476ce-e0fe-48b0-b801-37ba7e2685c6", + "origin": "Application", + "value": "Organization.Read.All" + }, + { + "description": "Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user.", + "displayName": "Read all company places", + "id": "913b9306-0ce1-42b8-9137-6a7df690a760", + "origin": "Application", + "value": "Place.Read.All" + }, + { + "description": "Allows the app to read the memberships of hidden groups and administrative units without a signed-in user.", + "displayName": "Read all 
hidden memberships", + "id": "658aa5d8-239f-45c4-aa12-864f4fc7e490", + "origin": "Application", + "value": "Member.Read.Hidden" + }, + { + "description": "Allow the app to read or write items in all external datasets that the app is authorized to access", + "displayName": "Read and write items in external datasets", + "id": "38c3d6ee-69ee-422f-b954-e17819665354", + "origin": "Application", + "value": "ExternalItem.ReadWrite.All" + }, + { + "description": "Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization for group and app memberships, without a signed-in user.", + "displayName": "Manage access reviews for group and app memberships", + "id": "18228521-a591-40f1-b215-5fad4488c117", + "origin": "Application", + "value": "AccessReview.ReadWrite.Membership" + }, + { + "description": "Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.", + "displayName": "Read Microsoft Intune device configuration and policies", + "id": "dc377aa6-52d8-4e23-b271-2a7ae04cedf3", + "origin": "Application", + "value": "DeviceManagementConfiguration.Read.All" + }, + { + "description": "Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.", + "displayName": "Read Microsoft Intune apps", + "id": "7a6ee1e7-141e-4cec-ae74-d9db155731ff", + "origin": "Application", + "value": "DeviceManagementApps.Read.All" + }, + { + "description": "Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.", + "displayName": "Read Microsoft Intune devices", + "id": "2f51be20-0bb4-4fed-bf7b-db946066c75e", + "origin": "Application", + "value": "DeviceManagementManagedDevices.Read.All" + }, + { + "description": "Allows the app to read the properties 
relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.", + "displayName": "Read Microsoft Intune RBAC settings", + "id": "58ca0d9a-1575-47e1-a3cb-007ef2e4583b", + "origin": "Application", + "value": "DeviceManagementRBAC.Read.All" + }, + { + "description": "Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user.", + "displayName": "Read Microsoft Intune configuration", + "id": "06a5fe6d-c49d-46a7-b082-56b1b14103c7", + "origin": "Application", + "value": "DeviceManagementServiceConfig.Read.All" + }, + { + "description": "Allows the app to create, view, update and delete on-premises published resources, on-premises agents and agent groups, as part of a hybrid identity configuration, without a signed in user.", + "displayName": "Manage on-premises published resources", + "id": "0b57845e-aa49-4e6f-8109-ce654fffa618", + "origin": "Application", + "value": "OnPremisesPublishingProfiles.ReadWrite.All" + }, + { + "description": "Allows the app to read and write trust framework key set properties without a signed-in user.", + "displayName": "Read and write trust framework key sets", + "id": "4a771c9a-1cf2-4609-b88e-3d3e02d539cd", + "origin": "Application", + "value": "TrustFrameworkKeySet.ReadWrite.All" + }, + { + "description": "Allows the app to read trust framework key set properties without a signed-in user.", + "displayName": "Read trust framework key sets", + "id": "fff194f1-7dce-4428-8301-1badb5518201", + "origin": "Application", + "value": "TrustFrameworkKeySet.Read.All" + }, + { + "description": "Allows the app to read and write your organization's trust framework policies without a signed in user.", + "displayName": "Read and write your organization's trust framework policies", + "id": "79a677f7-b79d-40d0-a36a-3e6f8688dd7a", + "origin": "Application", + "value": "Policy.ReadWrite.TrustFramework" + }, + { + 
"description": "Allows the app to read all your organization's policies without a signed in user.", + "displayName": "Read your organization's policies", + "id": "246dd0d5-5bd0-4def-940b-0421030a5b68", + "origin": "Application", + "value": "Policy.Read.All" + }, + { + "description": "Allows the app to read and write your organization\u2019s identity (authentication) providers\u2019 properties without a signed in user.", + "displayName": "Read and write identity providers", + "id": "90db2b9a-d928-4d33-a4dd-8442ae3d41e4", + "origin": "Application", + "value": "IdentityProvider.ReadWrite.All" + }, + { + "description": "Allows the app to read your organization\u2019s identity (authentication) providers\u2019 properties without a signed in user.", + "displayName": "Read identity providers", + "id": "e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0", + "origin": "Application", + "value": "IdentityProvider.Read.All" + }, + { + "description": "Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user.", + "displayName": "Read and write all administrative units", + "id": "5eb59dd3-1da2-4329-8733-9dabdc435916", + "origin": "Application", + "value": "AdministrativeUnit.ReadWrite.All" + }, + { + "description": "Allows the app to read administrative units and administrative unit membership without a signed-in user.", + "displayName": "Read all administrative units", + "id": "134fd756-38ce-4afd-ba33-e9623dbe66c2", + "origin": "Application", + "value": "AdministrativeUnit.Read.All" + }, + { + "description": "Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, without a signed in user.", + "displayName": "Read all published labels and label policies for an organization.", + "id": "19da66cb-0fb0-4390-b071-ebc76a349482", + "origin": "Application", + "value": "InformationProtectionPolicy.Read.All" + }, + { + "description": "Allows the app to 
read all the OneNote notebooks in your organization, without a signed-in user.", + "displayName": "Read all OneNote notebooks", + "id": "3aeca27b-ee3a-4c2b-8ded-80376e2134a4", + "origin": "Application", + "value": "Notes.Read.All" + }, + { + "description": "Allows the app to invite guest users to the organization, without a signed-in user.", + "displayName": "Invite guest users to the organization", + "id": "09850681-111b-4a89-9bed-3f2cae46d706", + "origin": "Application", + "value": "User.Invite.All" + }, + { + "description": "Allows the app to read, create, update and delete all files in all site collections without a signed in user. ", + "displayName": "Read and write files in all site collections", + "id": "75359482-378d-4052-8f01-80520e7db3cd", + "origin": "Application", + "value": "Files.ReadWrite.All" + }, + { + "description": "Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user. \u00a0It cannot update any threat indicators it does not own.", + "displayName": "Manage threat indicators this app creates or owns", + "id": "21792b6c-c986-4ffc-85de-df9da54b52fa", + "origin": "Application", + "value": "ThreatIndicators.ReadWrite.OwnedBy" + }, + { + "description": "Allows the app to read or update security actions, without a signed-in user.", + "displayName": "Read and update your organization's security actions", + "id": "f2bf083f-0179-402a-bedb-b2784de8a49b", + "origin": "Application", + "value": "SecurityActions.ReadWrite.All" + }, + { + "description": "Allows the app to read security actions, without a signed-in user.", + "displayName": "Read your organization's security actions", + "id": "5e0edab9-c148-49d0-b423-ac253e121825", + "origin": "Application", + "value": "SecurityActions.Read.All" + }, + { + "description": "Allows the app to read your organization\u2019s security events without a signed-in user. 
Also allows the app to update editable properties in security events.", + "displayName": "Read and update your organization\u2019s security events", + "id": "d903a879-88e0-4c09-b0c9-82f6a1333f84", + "origin": "Application", + "value": "SecurityEvents.ReadWrite.All" + }, + { + "description": "Allows the app to read your organization\u2019s security events without a signed-in user.", + "displayName": "Read your organization\u2019s security events", + "id": "bf394140-e372-4bf9-a898-299cfc7564e5", + "origin": "Application", + "value": "SecurityEvents.Read.All" + }, + { + "description": "Allows an app to read and write all chat messages in Microsoft Teams, without a signed-in user.", + "displayName": "Read and write all chat messages", + "id": "294ce7c9-31ba-490a-ad7d-97a7d075e4ed", + "origin": "Application", + "value": "Chat.ReadWrite.All" + }, + { + "description": "Allows the app to read and update identity risk detection information for your organization without a signed-in user. Update operations include confirming risk event detections.\u00a0", + "displayName": "Read and write all risk detection information", + "id": "db06fb33-1953-4b7b-a2ac-f1e2c854f7ae", + "origin": "Application", + "value": "IdentityRiskEvent.ReadWrite.All" + }, + { + "description": "Allows the app to read and update identity risky user information for your organization without a signed-in user. 
\u00a0Update operations include dismissing risky users.", + "displayName": "Read and write all risky user information", + "id": "656f6061-f9fe-4807-9708-6a2e0934df76", + "origin": "Application", + "value": "IdentityRiskyUser.ReadWrite.All" + }, + { + "description": "Allows the app to read all files in all site collections without a signed in user.", + "displayName": "Read files in all site collections", + "id": "01d4889c-1287-42c6-ac1f-5d1e02578ef6", + "origin": "Application", + "value": "Files.Read.All" + }, + { + "description": "Allows the app to read the identity risk event information for your organization without a signed in user.", + "displayName": "Read all identity risk event information", + "id": "6e472fd1-ad78-48da-a0f0-97ab2c6b769e", + "origin": "Application", + "value": "IdentityRiskEvent.Read.All" + }, + { + "description": "Allows the app to read a limited subset of properties from both the structure of schools and classes in the organization's roster and education-specific information about all users. 
Includes name, status, role, email address and photo.", + "displayName": "Read a limited subset of the organization's roster", + "id": "0d412a8c-a06c-439f-b3ec-8abcf54d2f96", + "origin": "Application", + "value": "EduRoster.ReadBasic.All" + }, + { + "description": "Allows the app to read the structure of schools and classes in the organization's roster and education-specific information about all users to be read.", + "displayName": "Read the organization's roster", + "id": "e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648", + "origin": "Application", + "value": "EduRoster.Read.All" + }, + { + "description": "Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users to be read and written.", + "displayName": "Read and write the organization's roster", + "id": "d1808e82-ce13-47af-ae0d-f9b254e6d58a", + "origin": "Application", + "value": "EduRoster.ReadWrite.All" + }, + { + "description": "Read the state and settings of all Microsoft education apps.", + "displayName": "Read Education app settings", + "id": "7c9db06a-ec2d-4e7b-a592-5a1e30992566", + "origin": "Application", + "value": "EduAdministration.Read.All" + }, + { + "description": "Manage the state and settings of all Microsoft education apps.", + "displayName": "Manage education app settings", + "id": "9bc431c3-b8bc-4a8d-a219-40f10f92eff6", + "origin": "Application", + "value": "EduAdministration.ReadWrite.All" + }, + { + "description": "Allows the app to read the identity risky user information for your organization without a signed in user.", + "displayName": "Read all identity risky user information", + "id": "dc5007c0-2d7d-4c42-879c-2dab87571379", + "origin": "Application", + "value": "IdentityRiskyUser.Read.All" + }, + { + "description": "Allows the app to read and update user profiles without a signed in user.", + "displayName": "Read and write all users' full profiles", + "id": "741f803b-c850-494e-b5df-cde7c675a1ca", + 
"origin": "Application", + "value": "User.ReadWrite.All" + }, + { + "description": "Allows the app to read user profiles without a signed in user.", + "displayName": "Read all users' full profiles", + "id": "df021288-bdef-4463-88db-98f22de89214", + "origin": "Application", + "value": "User.Read.All" + }, + { + "description": "Allows the app to read and query your audit log activities, without a signed-in user.", + "displayName": "Read all audit log data", + "id": "b0afded3-3588-46d8-8b3d-9842eff778da", + "origin": "Application", + "value": "AuditLog.Read.All" + }, + { + "description": "Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. \u00a0It cannot update any apps that it is not an owner of.", + "displayName": "Manage apps that this app creates or owns", + "id": "18a4783c-866b-4cc7-a460-3d5e5662c884", + "origin": "Application", + "value": "Application.ReadWrite.OwnedBy" + }, + { + "description": "Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. 
a Company Administrator).", + "displayName": "Export user's data", + "id": "405a51b5-8d8d-430b-9842-8be4b0e9f324", + "origin": "Application", + "value": "User.Export.All" + }, + { + "description": "Allows the app to read, update, delete and perform actions on programs and program controls in the organization, without a signed-in user.", + "displayName": "Manage all programs", + "id": "60a901ed-09f7-4aa5-a16e-7dd3d6f9de36", + "origin": "Application", + "value": "ProgramControl.ReadWrite.All" + }, + { + "description": "Allows the app to read programs and program controls in the organization, without a signed-in user.", + "displayName": "Read all programs", + "id": "eedb7fdd-7539-4345-a38b-4839e4a84cbd", + "origin": "Application", + "value": "ProgramControl.Read.All" + }, + { + "description": "Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user.", + "displayName": "Manage all access reviews", + "id": "ef5f7d5c-338f-44b0-86c3-351f46c8bb5f", + "origin": "Application", + "value": "AccessReview.ReadWrite.All" + }, + { + "description": "Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user.", + "displayName": "Read all access reviews", + "id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa", + "origin": "Application", + "value": "AccessReview.Read.All" + }, + { + "description": "Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.", + "displayName": "Read all usage reports", + "id": "230c1aed-a721-4c5d-9cb4-a90514e508ef", + "origin": "Application", + "value": "Reports.Read.All" + }, + { + "description": "Allows the app to read any user's scored list of relevant people, without a signed-in user. 
The list can include local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).", + "displayName": "Read all users' relevant people lists", + "id": "b528084d-ad10-4598-8b93-929746b4d7d6", + "origin": "Application", + "value": "People.Read.All" + }, + { + "description": "Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.", + "displayName": "Flag chat messages for violating policy", + "id": "7e847308-e030-4183-9899-5235d7270f58", + "origin": "Application", + "value": "Chat.UpdatePolicyViolation.All" + }, + { + "description": "Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.", + "displayName": "Read all chat messages", + "id": "6b7d71aa-70aa-4810-a8d9-5d9fb2830017", + "origin": "Application", + "value": "Chat.Read.All" + }, + { + "description": "Allows the app to read all channel messages in Microsoft Teams", + "displayName": "Read all channel messages", + "id": "7b2449af-6ccd-4f4d-9f78-e550c193f0d1", + "origin": "Application", + "value": "ChannelMessage.Read.All" + }, + { + "description": "Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.", + "displayName": "Flag channel messages for violating policy", + "id": "4d02b0cc-d90b-441f-8d82-4fb55c34d6bb", + "origin": "Application", + "value": "ChannelMessage.UpdatePolicyViolation.All" + }, + { + "description": "Allows the app to create, read, update and delete applications and service principals without a signed-in user. 
Does not allow management of consent grants.", + "displayName": "Read and write all applications", + "id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", + "origin": "Application", + "value": "Application.ReadWrite.All" + }, + { + "description": "Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission to send mail.", + "displayName": "Read and write all user mailbox settings", + "id": "6931bccd-447a-43d1-b442-00a195474933", + "origin": "Application", + "value": "MailboxSettings.ReadWrite" + }, + { + "description": "Allows the app to read and write all domain properties without a signed in user. \u00a0Also allows the app to add, \u00a0verify and remove domains.", + "displayName": "Read and write domains", + "id": "7e05723c-0bb0-42da-be95-ae9f08a6e53c", + "origin": "Application", + "value": "Domain.ReadWrite.All" + }, + { + "description": "Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail.", + "displayName": "Read all user mailbox settings", + "id": "40f97065-369a-49f4-947c-6a255697ae91", + "origin": "Application", + "value": "MailboxSettings.Read" + }, + { + "description": "Allows the app to read mail in all mailboxes without a signed-in user.", + "displayName": "Read mail in all mailboxes", + "id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", + "origin": "Application", + "value": "Mail.Read" + }, + { + "description": "Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. 
Does not include permission to send mail.", + "displayName": "Read and write mail in all mailboxes", + "id": "e2a3a72e-5f79-4c64-b1b1-878b674786c9", + "origin": "Application", + "value": "Mail.ReadWrite" + }, + { + "description": "Allows the app to send mail as any user without a signed-in user.", + "displayName": "Send mail as any user", + "id": "b633e1c5-b582-4048-a93e-9f11b44c7e96", + "origin": "Application", + "value": "Mail.Send" + }, + { + "description": "Allows the app to read all contacts in all mailboxes without a signed-in user.", + "displayName": "Read contacts in all mailboxes", + "id": "089fe4d0-434a-44c5-8827-41ba8a0b17f5", + "origin": "Application", + "value": "Contacts.Read" + }, + { + "description": "Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user.", + "displayName": "Read and write contacts in all mailboxes", + "id": "6918b873-d17a-4dc1-b314-35f528134491", + "origin": "Application", + "value": "Contacts.ReadWrite" + }, + { + "description": "Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.", + "displayName": "Read directory data", + "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", + "origin": "Application", + "value": "Directory.Read.All" + }, + { + "description": "Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion.", + "displayName": "Read and write directory data", + "id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", + "origin": "Application", + "value": "Directory.ReadWrite.All" + }, + { + "description": "Allows the app to read and write all device properties without a signed in user. 
Does not allow device creation, device deletion or update of device alternative security identifiers.", + "displayName": "Read and write devices", + "id": "1138cb37-bd11-4084-a2b7-9f71582aeddb", + "origin": "Application", + "value": "Device.ReadWrite.All" + }, + { + "description": "Allows the app to read events of all calendars without a signed-in user.", + "displayName": "Read calendars in all mailboxes", + "id": "798ee544-9d2d-430c-a058-570e29e34338", + "origin": "Application", + "value": "Calendars.Read" + }, + { + "description": "Allows the app to create, read, update, and delete events of all calendars without a signed-in user.", + "displayName": "Read and write calendars in all mailboxes", + "id": "ef54d2bf-783f-4e0f-bca1-3210c0444d99", + "origin": "Application", + "value": "Calendars.ReadWrite" + }, + { + "description": "Allows the app to read your organization's user flows, without a signed-in user.", + "displayName": "Read all identity user flows", + "id": "1b0c317f-dd31-4305-9932-259a8b6e8099", + "origin": "Application", + "value": "IdentityUserFlow.Read.All" + }, + { + "description": "Allows the app to read or write your organization's user flows, without a signed-in user.", + "displayName": "Read and write all identity user flows", + "id": "65319a09-a2be-469d-8782-f6b07debf789", + "origin": "Application", + "value": "IdentityUserFlow.ReadWrite.All" + }, + { + "description": "Allows the app to read and create online meetings as an application in your organization.", + "displayName": "Read and create online meetings", + "id": "b8bb2037-6e08-44ac-a4ea-4674e010e2a4", + "origin": "Application", + "value": "OnlineMeetings.ReadWrite.All" + }, + { + "description": "Allows the app to read online meeting details in your organization, without a signed-in user.", + "displayName": "Read online meeting details", + "id": "c1684f21-1984-47fa-9d61-2dc8c296bb70", + "origin": "Application", + "value": "OnlineMeetings.Read.All" + }, + { + "description": "Allows the app to 
get direct access to media streams in a call, without a signed-in user.", + "displayName": "Access media streams in a call as an app", + "id": "a7a681dc-756e-4909-b988-f160edc6655f", + "origin": "Application", + "value": "Calls.AccessMedia.All" + }, + { + "description": "Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. \u00a0The app will be joined as a guest to meetings in your organization.", + "displayName": "Join group calls and meetings as a guest", + "id": "fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4", + "origin": "Application", + "value": "Calls.JoinGroupCallAsGuest.All" + }, + { + "description": "Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. \u00a0The app will be joined with the privileges of a directory user to meetings in your organization.", + "displayName": "Join group calls and meetings as an app", + "id": "f6b49018-60ab-4f81-83bd-22caeabfed2d", + "origin": "Application", + "value": "Calls.JoinGroupCall.All" + }, + { + "description": "Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user.", + "displayName": "Initiate outgoing group calls from the app", + "id": "4c277553-8a09-487b-8023-29ee378d8324", + "origin": "Application", + "value": "Calls.InitiateGroupCall.All" + }, + { + "description": "Allows the app to place outbound calls to a single user and transfer calls to users in your organization\u2019s directory, without a signed-in user.", + "displayName": "Initiate outgoing 1 to 1 calls from the app", + "id": "284383ee-7f6e-4e40-a2a8-e85dcb029101", + "origin": "Application", + "value": "Calls.Initiate.All" + }, + { + "description": "Allows the app to read all organizational contacts without a signed-in user. 
These contacts are managed by the organization and are different from a user's personal contacts.", + "displayName": "Read organizational contacts", + "id": "e1a88a34-94c4-4418-be12-c87b00e26bea", + "origin": "Application", + "value": "OrgContact.Read.All" + }, + { + "description": "Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.", + "displayName": "Read and write Microsoft Intune apps", + "id": "78145de6-330d-4800-a6ce-494ff2d33d07", + "origin": "Application", + "value": "DeviceManagementApps.ReadWrite.All" + }, + { + "description": "Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.", + "displayName": "Read and write Microsoft Intune device configuration and policies", + "id": "9241abd9-d0e6-425a-bd4f-47ba86e767a4", + "origin": "Application", + "value": "DeviceManagementConfiguration.ReadWrite.All" + }, + { + "description": "Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user.", + "displayName": "Perform user-impacting remote actions on Microsoft Intune devices", + "id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c", + "origin": "Application", + "value": "DeviceManagementManagedDevices.PrivilegedOperations.All" + }, + { + "description": "Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. 
Does not allow high impact operations such as remote wipe and password reset on the device\u2019s owner", + "displayName": "Read and write Microsoft Intune devices", + "id": "243333ab-4d21-40cb-a475-36241daa0842", + "origin": "Application", + "value": "DeviceManagementManagedDevices.ReadWrite.All" + }, + { + "description": "Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.", + "displayName": "Read and write Microsoft Intune RBAC settings", + "id": "e330c4f0-4170-414e-a55a-2f022ec2b57b", + "origin": "Application", + "value": "DeviceManagementRBAC.ReadWrite.All" + }, + { + "description": "Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user.", + "displayName": "Read and write Microsoft Intune configuration", + "id": "5ac13192-7ace-4fcf-b828-1a26f28068ee", + "origin": "Application", + "value": "DeviceManagementServiceConfig.ReadWrite.All" + }, + { + "description": "Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user.", + "displayName": "Manage app permission grants and app role assignments", + "id": "06b708a9-e830-4db3-a914-8e69da51d44f", + "origin": "Application", + "value": "AppRoleAssignment.ReadWrite.All" + }, + { + "description": "Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a signed-in user.", + "displayName": "Manage all delegated permission grants", + "id": "8e8e4742-1d95-4f68-9d56-6ee75648c72a", + "origin": "Application", + "value": "DelegatedPermissionGrant.ReadWrite.All" + }, + { + "description": "Allows the app to read all users' teamwork activity feed, without a signed-in user.", + "displayName": "Read all users' teamwork activity feed", + 
"id": "70dec828-f620-4914-aa83-a29117306807", + "origin": "Application", + "value": "TeamsActivity.Read.All" + }, + { + "description": "Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user.", + "displayName": "Read privileged access to Azure AD roles", + "id": "4cdc2547-9148-4295-8d11-be0db1391d6b", + "origin": "Application", + "value": "PrivilegedAccess.Read.AzureAD" + }, + { + "description": "Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user.", + "displayName": "Read privileged access to Azure AD groups", + "id": "01e37dc9-c035-40bd-b438-b2879c4870a6", + "origin": "Application", + "value": "PrivilegedAccess.Read.AzureADGroup" + }, + { + "description": "Allows the app to read time-based assignment and just-in-time elevation of user privileges to audit Azure resources in your organization, without a signed-in user.", + "displayName": "Read privileged access to Azure resources", + "id": "5df6fe86-1be0-44eb-b916-7bd443a71236", + "origin": "Application", + "value": "PrivilegedAccess.Read.AzureResources" + }, + { + "description": "Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user.", + "displayName": "Read and write privileged access to Azure AD roles", + "id": "854d9ab1-6657-4ec8-be45-823027bcd009", + "origin": "Application", + "value": "PrivilegedAccess.ReadWrite.AzureAD" + }, + { + "description": "Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user.", + "displayName": "Read and write privileged access to 
Azure AD groups", + "id": "2f6817f8-7b12-4f0f-bc18-eeaf60705a9e", + "origin": "Application", + "value": "PrivilegedAccess.ReadWrite.AzureADGroup" + }, + { + "description": "Allows the app to request and manage time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) in your organization, without a signed-in user.", + "displayName": "Read and write privileged access to Azure resources", + "id": "6f9d5abc-2db6-400b-a267-7de22a40fb87", + "origin": "Application", + "value": "PrivilegedAccess.ReadWrite.AzureResources" + }, + { + "description": "Allows the app to read all the indicators for your organization, without a signed-in user.", + "displayName": "Read all threat indicators", + "id": "197ee4e9-b993-4066-898f-d6aecc55125b", + "origin": "Application", + "value": "ThreatIndicators.Read.All" + }, + { + "description": "Allows the app to send, read, update and delete user\u2019s notifications, without a signed-in user.", + "displayName": "Deliver and manage all user's notifications", + "id": "4e774092-a092-48d1-90bd-baad67c7eb47", + "origin": "Application", + "value": "UserNotification.ReadWrite.CreatedByApp" + }, + { + "description": "Allows the app to read all applications and service principals without a signed-in user.", + "displayName": "Read all applications", + "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30", + "origin": "Application", + "value": "Application.Read.All" + }, + { + "description": "Allows the app to read memberships and basic group properties for all groups without a signed-in user.", + "displayName": "Read all group memberships", + "id": "98830695-27a2-44f7-8c18-0c3ebc9698f6", + "origin": "Application", + "value": "GroupMember.Read.All" + }, + { + "description": "Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. 
Group properties and owners cannot be updated and groups cannot be deleted.", + "displayName": "Read and write all group memberships", + "id": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695", + "origin": "Application", + "value": "GroupMember.ReadWrite.All" + }, + { + "description": "Allows the app to create groups without a signed-in user.", + "displayName": "Create groups", + "id": "bf7b1a76-6e77-406b-b258-bf5c7720e98f", + "origin": "Application", + "value": "Group.Create" + }, + { + "description": "Allows an app to read your organization's threat assessment requests, without a signed-in user.", + "displayName": "Read threat assessment requests", + "id": "f8f035bb-2cce-47fb-8bf5-7baf3ecbee48", + "origin": "Application", + "value": "ThreatAssessment.Read.All" + }, + { + "description": "Allows the app to read all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user.", + "displayName": "Read all schedule items", + "id": "7b2ebf90-d836-437f-b90d-7b62722c4456", + "origin": "Application", + "value": "Schedule.Read.All" + }, + { + "description": "Allows the app to manage all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user.", + "displayName": "Read and write all schedule items", + "id": "b7760610-0545-4e8a-9ec3-cce9e63db01c", + "origin": "Application", + "value": "Schedule.ReadWrite.All" + }, + { + "description": "Allows the app to read call records for all calls and online meetings without a signed-in user.", + "displayName": "Read all call records", + "id": "45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8", + "origin": "Application", + "value": "CallRecords.Read.All" + }, + { + "description": "Allows the app to read and write your organization's conditional access policies, without a signed-in user.", + "displayName": "Read and write your organization's conditional access policies", + "id": "01c0a623-fc9b-48e9-b794-0756f8e8f067", + "origin": 
"Application", + "value": "Policy.ReadWrite.ConditionalAccess" + }, + { + "description": "Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user\u2019s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods", + "displayName": "Read and write all users' authentication methods ", + "id": "50483e42-d915-4231-9639-7fdb7fd190e5", + "origin": "Application", + "value": "UserAuthenticationMethod.ReadWrite.All" + }, + { + "description": " Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user\u2019s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.", + "displayName": " Read all users' authentication methods", + "id": "38d9df27-64da-44fd-b7c5-a6fbac20248f", + "origin": "Application", + "value": "UserAuthenticationMethod.Read.All" + }, + { + "description": "Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.", + "displayName": "Create tabs in Microsoft Teams.", + "id": "49981c42-fd7b-4530-be03-e77b21aed25e", + "origin": "Application", + "value": "TeamsTab.Create" + }, + { + "description": "Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. 
", + "displayName": "Read tabs in Microsoft Teams.", + "id": "46890524-499a-4bb2-ad64-1476b4f3e1cf", + "origin": "Application", + "value": "TeamsTab.Read.All" + }, + { + "description": "Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs.", + "displayName": "Read and write tabs in Microsoft Teams.", + "id": "a96d855f-016b-47d7-b51c-1218a98d791c", + "origin": "Application", + "value": "TeamsTab.ReadWrite.All" + }, + { + "description": "Allows the app to read all domain properties without a signed-in user.", + "displayName": "Read domains", + "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664", + "origin": "Application", + "value": "Domain.Read.All" + }, + { + "description": "Allows the app to read and write your organization's application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.", + "displayName": "Read and write your organization's application configuration policies", + "id": "be74164b-cff1-491c-8741-e671cb536e13", + "origin": "Application", + "value": "Policy.ReadWrite.ApplicationConfiguration" + }, + { + "description": "Allows the app to read your organization's devices' configuration information without a signed-in user.", + "displayName": "Read all devices", + "id": "7438b122-aefc-4978-80ed-43db9fcc7715", + "origin": "Application", + "value": "Device.Read.All" + }, + { + "description": "Allows the app to read, update and delete identities that are associated with a user's account, without a signed in user. 
This controls the identities users can sign-in with.", + "displayName": "Manage all users' identities", + "id": "c529cfca-c91b-489c-af2b-d92990b66ce6", + "origin": "Application", + "value": "User.ManageIdentities.All" + }, + { + "description": "Allows the app to read all users' shift schedule preferences without a signed-in user.", + "displayName": "Read all user shift preferences", + "id": "de023814-96df-4f53-9376-1e2891ef5a18", + "origin": "Application", + "value": "UserShiftPreferences.Read.All" + }, + { + "description": "Allows the app to manage all users' shift schedule preferences without a signed-in user.", + "displayName": "Read and write all user shift preferences", + "id": "d1eec298-80f3-49b0-9efb-d90e224798ac", + "origin": "Application", + "value": "UserShiftPreferences.ReadWrite.All" + }, + { + "description": "Allows the app to read all the OneNote notebooks in your organization, without a signed-in user.", + "displayName": "Read and write all OneNote notebooks", + "id": "0c458cef-11f3-48c2-a568-c66751c238c0", + "origin": "Application", + "value": "Notes.ReadWrite.All" + }, + { + "description": "Allows the app to have full control of all site collections without a signed in user.", + "displayName": "Have full control of all site collections", + "id": "a82116e5-55eb-4c41-a434-62fe8a61c773", + "origin": "Application", + "value": "Sites.FullControl.All" + }, + { + "description": "Allows the app to create or delete document libraries and lists in all site collections without a signed in user.", + "displayName": "Create, edit, and delete items and lists in all site collections", + "id": "0c0bf378-bf22-4481-8f81-9e89a9b4960a", + "origin": "Application", + "value": "Sites.Manage.All" + }, + { + "description": "Allows the app to read access packages and related entitlement management resources without a signed-in user.", + "displayName": "Read all entitlement management resources", + "id": "c74fd47d-ed3c-45c3-9a9e-b8676de685d2", + "origin": "Application", + 
"value": "EntitlementManagement.Read.All" + }, + { + "description": "Allows the app to read and write access packages and related entitlement management resources without a signed-in user.", + "displayName": "Read and write all entitlement management resources", + "id": "9acd699f-1e81-4958-b001-93b1d2506e19", + "origin": "Application", + "value": "EntitlementManagement.ReadWrite.All" + }, + { + "description": "Create channels in any team, without a signed-in user.", + "displayName": "Create channels", + "id": "f3a65bd4-b703-46df-8f7e-0174fea562aa", + "origin": "Application", + "value": "Channel.Create" + }, + { + "description": "Delete channels in any team, without a signed-in user.", + "displayName": "Delete channels", + "id": "6a118a39-1227-45d4-af0c-ea7b40d210bc", + "origin": "Application", + "value": "Channel.Delete.All" + }, + { + "description": "Read all channel names, channel descriptions, and channel settings, without a signed-in user.", + "displayName": "Read the names, descriptions, and settings of all channels", + "id": "c97b873f-f59f-49aa-8a0e-52b32d762124", + "origin": "Application", + "value": "ChannelSettings.Read.All" + }, + { + "description": "Read and write the names, descriptions, and settings of all channels, without a signed-in user.", + "displayName": "Read and write the names, descriptions, and settings of all channels", + "id": "243cded2-bd16-4fd6-a953-ff8177894c3d", + "origin": "Application", + "value": "ChannelSettings.ReadWrite.All" + }, + { + "description": "Get a list of all teams, without a signed-in user.", + "displayName": "Get a list of all teams", + "id": "2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e", + "origin": "Application", + "value": "Team.ReadBasic.All" + }, + { + "description": "Read all channel names and channel descriptions, without a signed-in user.", + "displayName": "Read the names and descriptions of all channels", + "id": "59a6b24b-4225-4393-8165-ebaec5f55d7a", + "origin": "Application", + "value": "Channel.ReadBasic.All" + 
}, + { + "description": "Read and change all teams' settings, without a signed-in user.", + "displayName": "Read and change all teams' settings", + "id": "bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f", + "origin": "Application", + "value": "TeamSettings.ReadWrite.All" + }, + { + "description": "Read all team's settings, without a signed-in user.", + "displayName": "Read all teams' settings", + "id": "242607bd-1d2c-432c-82eb-bdb27baa23ab", + "origin": "Application", + "value": "TeamSettings.Read.All" + }, + { + "description": "Read the members of all teams, without a signed-in user.", + "displayName": "Read the members of all teams", + "id": "660b7406-55f1-41ca-a0ed-0b035e182f3e", + "origin": "Application", + "value": "TeamMember.Read.All" + }, + { + "description": "Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner.", + "displayName": "Add and remove members from all teams", + "id": "0121dc95-1b9f-4aed-8bac-58c5ac466691", + "origin": "Application", + "value": "TeamMember.ReadWrite.All" + }, + { + "description": "Read the members of all channels, without a signed-in user.", + "displayName": "Read the members of all channels", + "id": "3b55498e-47ec-484f-8136-9013221c06a9", + "origin": "Application", + "value": "ChannelMember.Read.All" + }, + { + "description": "Add and remove members from all channels, without a signed-in user. 
Also allows changing a member's role, for example from owner to non-owner.", + "displayName": "Add and remove members from all channels", + "id": "35930dcf-aceb-4bd1-b99a-8ffed403c974", + "origin": "Application", + "value": "ChannelMember.ReadWrite.All" + }, + { + "description": "Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user.", + "displayName": "Read and write authentication flow policies", + "id": "25f85f3c-f66c-4205-8cd5-de92dd7f0cec", + "origin": "Application", + "value": "Policy.ReadWrite.AuthenticationFlows" + }, + { + "description": "Allows the app to read and write all authentication method policies for the tenant, without a signed-in user.\u00a0", + "displayName": "Read and write all authentication method policies\u00a0", + "id": "29c18626-4985-4dcd-85c0-193eef327366", + "origin": "Application", + "value": "Policy.ReadWrite.AuthenticationMethod" + }, + { + "description": "Allows the app to read and write your organization's authorization policy without a signed in user. 
For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.", + "displayName": "Read and write your organization's authorization policy", + "id": "fb221be6-99f2-473f-bd32-01c6a0e9ca3b", + "origin": "Application", + "value": "Policy.ReadWrite.Authorization" + }, + { + "description": "Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user.", + "displayName": "Read names and members of all chat threads", + "id": "b2e060da-3baf-4687-9611-f4ebc0f0cbde", + "origin": "Application", + "value": "Chat.ReadBasic.All" + }, + { + "description": "Allows the app to read policies related to consent and permission grants for applications, without a signed-in user.", + "displayName": "Read consent and permission grant policies", + "id": "9e640839-a198-48fb-8b9a-013fd6f6cbcd", + "origin": "Application", + "value": "Policy.Read.PermissionGrant" + }, + { + "description": "Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user.", + "displayName": "Manage consent and permission grant policies", + "id": "a402ca1c-2696-4531-972d-6e5ee4aa11ea", + "origin": "Application", + "value": "Policy.ReadWrite.PermissionGrant" + }, + { + "description": "Allows the application to read printers without a signed-in user.\u00a0", + "displayName": "Read printers", + "id": "9709bb33-4549-49d4-8ed9-a8f65e45bb0f", + "origin": "Application", + "value": "Printer.Read.All" + }, + { + "description": "Allows the application to read and update printers without a signed-in user. 
Does not allow creating (registering) or deleting (unregistering) printers.", + "displayName": "Read and update printers", + "id": "f5b3f73d-6247-44df-a74c-866173fddab0", + "origin": "Application", + "value": "Printer.ReadWrite.All" + }, + { + "description": "Allows the application to perform advanced operations like redirecting a print job to another printer without a signed-in user. Also allows the application to read and update the metadata of print jobs.", + "displayName": "Perform advanced operations on print jobs", + "id": "58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8", + "origin": "Application", + "value": "PrintJob.Manage.All" + }, + { + "description": "Allows the application to read the metadata and document content of print jobs without a signed-in user.\u00a0", + "displayName": "Read print jobs", + "id": "ac6f956c-edea-44e4-bd06-64b1b4b9aec9", + "origin": "Application", + "value": "PrintJob.Read.All" + }, + { + "description": "Allows the application to read the metadata of print jobs without a signed-in user.\u00a0Does not allow access to print job document content.", + "displayName": "Read basic information for print jobs", + "id": "fbf67eee-e074-4ef7-b965-ab5ce1c1f689", + "origin": "Application", + "value": "PrintJob.ReadBasic.All" + }, + { + "description": "Allows the application to read and update the metadata and document content of print jobs without a signed-in user.", + "displayName": "Read and write print jobs", + "id": "5114b07b-2898-4de7-a541-53b0004e2e13", + "origin": "Application", + "value": "PrintJob.ReadWrite.All" + }, + { + "description": "Allows the application to read and update the metadata of print jobs without a signed-in user.\u00a0Does not allow access to print job document content.", + "displayName": "Read and write basic information for print jobs", + "id": "57878358-37f4-4d3a-8c20-4816e0d457b1", + "origin": "Application", + "value": "PrintJob.ReadWriteBasic.All" + }, + { + "description": "Allows the application to read and update print 
task definitions without a signed-in user.\u00a0", + "displayName": "Read, write and update print task definitions", + "id": "456b71a7-0ee0-4588-9842-c123fcc8f664", + "origin": "Application", + "value": "PrintTaskDefinition.ReadWrite.All" + }, + { + "description": "Allows the app to create chat and channel messages, without a signed in user. The app specifies which user appears as the sender, and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the organization.", + "displayName": "Create chat and channel messages with anyone's identity and with any timestamp", + "id": "dfb0dd15-61de-45b2-be36-d6a69fba3c79", + "origin": "Application", + "value": "Teamwork.Migrate.All" + }, + { + "description": "Allows the app to read the Teams apps that are installed in any chat, without a signed-in user. Does not give the ability to read application-specific settings.", + "displayName": "Read installed Teams apps for all chats", + "id": "cc7e7635-2586-41d6-adaa-a8d3bcad5ee5", + "origin": "Application", + "value": "TeamsAppInstallation.ReadForChat.All" + }, + { + "description": "Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings.", + "displayName": "Read installed Teams apps for all teams", + "id": "1f615aea-6bf9-4b05-84bd-46388e138537", + "origin": "Application", + "value": "TeamsAppInstallation.ReadForTeam.All" + }, + { + "description": "Allows the app to read the Teams apps that are installed for any user, without a signed-in user. 
Does not give the ability to read application-specific settings.", + "displayName": "Read installed Teams apps for all users", + "id": "9ce09611-f4f7-4abd-a629-a05450422a97", + "origin": "Application", + "value": "TeamsAppInstallation.ReadForUser.All" + }, + { + "description": "Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings.", + "displayName": "Manage Teams apps for all chats", + "id": "9e19bae1-2623-4c4f-ab6e-2664615ff9a0", + "origin": "Application", + "value": "TeamsAppInstallation.ReadWriteForChat.All" + }, + { + "description": "Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings.", + "displayName": "Manage Teams apps for all teams", + "id": "5dad17ba-f6cc-4954-a5a2-a0dcc95154f0", + "origin": "Application", + "value": "TeamsAppInstallation.ReadWriteForTeam.All" + }, + { + "description": "Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. 
Does not give the ability to read application-specific settings.", + "displayName": "Manage Teams apps for all users", + "id": "74ef0291-ca83-4d02-8c7e-d2391e6a444f", + "origin": "Application", + "value": "TeamsAppInstallation.ReadWriteForUser.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user.", + "displayName": "Allow the Teams app to manage itself for all chats", + "id": "73a45059-f39c-4baf-9182-4954ac0e55cf", + "origin": "Application", + "value": "TeamsAppInstallation.ReadWriteSelfForChat.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user.", + "displayName": "Allow the Teams app to manage itself for all teams", + "id": "9f67436c-5415-4e7f-8ac1-3014a7132630", + "origin": "Application", + "value": "TeamsAppInstallation.ReadWriteSelfForTeam.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user.", + "displayName": "Allow the app to manage itself for all users", + "id": "908de74d-f8b2-4d6b-a9ed-2a17b3b78179", + "origin": "Application", + "value": "TeamsAppInstallation.ReadWriteSelfForUser.All" + }, + { + "description": "Allows the app to create teams without a signed-in user.\u00a0", + "displayName": "Create teams", + "id": "23fc2474-f741-46ce-8465-674744c5c361", + "origin": "Application", + "value": "Team.Create" + }, + { + "description": "Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. 
Additionally, does not allow the app to elevate an existing member to the owner role.", + "displayName": "Add and remove members with non-owner role for all teams", + "id": "4437522e-9a86-4a41-a7da-e380edd4a97d", + "origin": "Application", + "value": "TeamMember.ReadWriteNonOwnerRole.All" + }, + { + "description": "Allows the app to read all term store data, without a signed-in user. This includes all sets, groups and terms in the term store.", + "displayName": "Read all term store data", + "id": "ea047cc2-df29-4f3e-83a3-205de61501ca", + "origin": "Application", + "value": "TermStore.Read.All" + }, + { + "description": "Allows the app to read, edit or write all term store data, without a signed-in user. This includes all sets, groups and terms in the term store.", + "displayName": "Read and write all term store data", + "id": "f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95", + "origin": "Application", + "value": "TermStore.ReadWrite.All" + }, + { + "description": "Allows the app to read your tenant's service health information, without a signed-in user. Health information may include service issues or service health overviews.", + "displayName": "Read service health", + "id": "79c261e0-fe76-4144-aad5-bdc68fbe4037", + "origin": "Application", + "value": "ServiceHealth.Read.All" + }, + { + "description": "Allows the app to read your tenant's service announcement messages, without a signed-in user. 
Messages may include information about new or changed features.", + "displayName": "Read service messages", + "id": "1b620472-6534-4fe6-9df2-4680e8aa28ec", + "origin": "Application", + "value": "ServiceMessage.Read.All" + }, + { + "description": "Allows the app to read all the short notes without a signed-in user.", + "displayName": "Read all users' short notes", + "id": "0c7d31ec-31ca-4f58-b6ec-9950b6b0de69", + "origin": "Application", + "value": "ShortNotes.Read.All" + }, + { + "description": "Allows the app to read, create, edit, and delete all the short notes without a signed-in user.", + "displayName": "Read, create, edit, and delete all users' short notes", + "id": "842c284c-763d-4a97-838d-79787d129bab", + "origin": "Application", + "value": "ShortNotes.ReadWrite.All" + }, + { + "description": "Allows the app to read your organization's conditional access policies, without a signed-in user.", + "displayName": "Read your organization's conditional access policies", + "id": "37730810-e9ba-4e46-b07e-8ca78d182097", + "origin": "Application", + "value": "Policy.Read.ConditionalAccess" + }, + { + "description": "Allows the app to read role-based access control (RBAC) settings for all RBAC providers without a signed-in user. 
This includes reading role definitions and role assignments.", + "displayName": "Read role management data for all RBAC providers", + "id": "c7fbd983-d9aa-4fa7-84b8-17382c103bc4", + "origin": "Application", + "value": "RoleManagement.Read.All" + }, + { + "description": "Allows the app to read all PSTN and direct routing call log data without a signed-in user.", + "displayName": "Read PSTN and direct routing call log data", + "id": "a2611786-80b3-417e-adaa-707d4261a5f0", + "origin": "Application", + "value": "CallRecord-PstnCalls.Read.All" + }, + { + "description": "Allows the app to read all one-to-one and group chats messages in Microsoft Teams, without a signed-in user.", + "displayName": "Read all chat messages", + "id": "b9bb2381-47a4-46cd-aafb-00cb12f68504", + "origin": "Application", + "value": "ChatMessage.Read.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user.", + "displayName": "Allow the Teams app to manage all tabs for all chats", + "id": "fd9ce730-a250-40dc-bd44-8dc8d20f39ea", + "origin": "Application", + "value": "TeamsTab.ReadWriteForChat.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall all tabs in any team, without a signed-in user.", + "displayName": "Allow the Teams app to manage all tabs for all teams", + "id": "6163d4f4-fbf8-43da-a7b4-060fe85ed148", + "origin": "Application", + "value": "TeamsTab.ReadWriteForTeam.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall all tabs for any user, without a signed-in user.", + "displayName": "Allow the app to manage all tabs for all users", + "id": "425b4b59-d5af-45c8-832f-bb0b7402348a", + "origin": "Application", + "value": "TeamsTab.ReadWriteForUser.All" + }, + { + "description": "Allows the app to read the API connectors used in user authentication flows, without a signed-in user.", + "displayName": "Read API connectors for 
authentication flows", + "id": "b86848a7-d5b1-41eb-a9b4-54a4e6306e97", + "origin": "Application", + "value": "APIConnectors.Read.All" + }, + { + "description": "Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user.", + "displayName": "Read and write API connectors for authentication flows", + "id": "1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171", + "origin": "Application", + "value": "APIConnectors.ReadWrite.All" + }, + { + "description": "Read the members of all chats, without a signed-in user.", + "displayName": "Read the members of all chats", + "id": "a3410be2-8e48-4f32-8454-c29a7465209d", + "origin": "Application", + "value": "ChatMember.Read.All" + }, + { + "description": "Add and remove members from all chats, without a signed-in user.", + "displayName": "Add and remove members from all chats", + "id": "57257249-34ce-4810-a8a2-a03adf0c5693", + "origin": "Application", + "value": "ChatMember.ReadWrite.All" + }, + { + "description": "Allows the app to create chats without a signed-in user.\u00a0", + "displayName": "Create chats", + "id": "d9c48af6-9ad9-47ad-82c3-63757137b9af", + "origin": "Application", + "value": "Chat.Create" + }, + { + "description": "Allows the application to read tenant-wide print settings without a signed-in user.", + "displayName": "Read tenant-wide print settings", + "id": "b5991872-94cf-4652-9765-29535087c6d8", + "origin": "Application", + "value": "PrintSettings.Read.All" + }, + { + "description": "Allows an app to read and write all browser site lists configured for your organization, without a signed-in user.", + "displayName": "Read and write all browser site lists for your organization", + "id": "8349ca94-3061-44d5-9bfb-33774ea5e4f9", + "origin": "Application", + "value": "BrowserSiteLists.ReadWrite.All" + }, + { + "description": "Allows the application to read and change the tenant-level settings of SharePoint and OneDrive, without a signed-in user.", + "displayName": 
"Read and change SharePoint and OneDrive tenant settings", + "id": "19b94e34-907c-4f43-bde9-38b1909ed408", + "origin": "Application", + "value": "SharePointTenantSettings.ReadWrite.All" + }, + { + "description": "Allows the app to read your organization's authentication event listeners without a signed-in user.", + "displayName": "Read all authentication event listeners", + "id": "b7f6385c-6ce6-4639-a480-e23c42ed9784", + "origin": "Application", + "value": "EventListener.Read.All" + }, + { + "description": "Allows the app to read or write your organization's authentication event listeners without a signed-in user.", + "displayName": "Read and write all authentication event listeners", + "id": "0edf5e9e-4ce8-468a-8432-d08631d18c43", + "origin": "Application", + "value": "EventListener.ReadWrite.All" + }, + { + "description": "Allows the app to read your organization's custom authentication extensions without a signed-in user.", + "displayName": "Read all custom authentication extensions", + "id": "88bb2658-5d9e-454f-aacd-a3933e079526", + "origin": "Application", + "value": "CustomAuthenticationExtension.Read.All" + }, + { + "description": "Allows the app to read all users\u2019 tasks and task lists in your organization, without a signed-in user.", + "displayName": "Read all users\u2019 tasks and tasklist", + "id": "f10e1f91-74ed-437f-a6fd-d6ae88e26c1f", + "origin": "Application", + "value": "Tasks.Read.All" + }, + { + "description": "Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources without a signed-in user.", + "displayName": "Read and write all lifecycle workflows resources", + "id": "5c505cf4-8424-4b8e-aa14-ee06e3bb23e3", + "origin": "Application", + "value": "LifecycleWorkflows.ReadWrite.All" + }, + { + "description": "Allows an app to read all bookmarks without a signed-in user.", + "displayName": "Read all bookmarks", + "id": "be95e614-8ef3-49eb-8464-1c9503433b86", + "origin": "Application", 
+ "value": "Bookmark.Read.All" + }, + { + "description": "Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem without a signed-in user.", + "displayName": "Read cross-tenant basic information", + "id": "cac88765-0581-4025-9725-5ebc13f729ee", + "origin": "Application", + "value": "CrossTenantInformation.ReadBasic.All" + }, + { + "description": "Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user.\u00a0 It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user.", + "displayName": "Read all shared cross-tenant user profiles and export or delete their data", + "id": "306785c5-c09b-4ba0-a4ee-023f3da165cb", + "origin": "Application", + "value": "CrossTenantUserProfileSharing.ReadWrite.All" + }, + { + "description": "Allows the app to read all learning content in the organization's directory, without a signed-in user.", + "displayName": "Read all learning content", + "id": "8740813e-d8aa-4204-860e-2a0f8f84dbc8", + "origin": "Application", + "value": "LearningContent.Read.All" + }, + { + "description": "Allows the app to read and update the authentication context information in your organization without a signed-in user.", + "displayName": "Read and write all authentication context information", + "id": "a88eef72-fed0-4bf7-a2a9-f19df33f8b83", + "origin": "Application", + "value": "AuthenticationContext.ReadWrite.All" + }, + { + "description": "Allows the app to read all admin report settings, such as whether to display concealed information in reports, without a signed-in user.", + "displayName": "Read all admin report settings", + "id": "ee353f83-55ef-4b78-82da-555bfa2b4b95", + "origin": "Application", + "value": "ReportSettings.Read.All" + }, + { + "description": "Allows the app to read the 
members of all chats where the associated Teams application is installed, without a signed-in user.", + "displayName": "Read the members of all chats where the associated Teams application is installed.", + "id": "93e7c9e4-54c5-4a41-b796-f2a5adaacda7", + "origin": "Application", + "value": "ChatMember.Read.WhereInstalled" + }, + { + "description": "Allows the app to add and remove members from all chats where the associated Teams application is installed, without a signed-in user.", + "displayName": "Add and remove members from all chats where the associated Teams application is installed.", + "id": "e32c2cd9-0124-4e44-88fc-772cd98afbdb", + "origin": "Application", + "value": "ChatMember.ReadWrite.WhereInstalled" + }, + { + "description": "Allows the app to read your organization's threat submissions and to view threat submission policies without a signed-in user.", + "displayName": "Read all of the organization's threat submissions", + "id": "86632667-cd15-4845-ad89-48a88e8412e1", + "origin": "Application", + "value": "ThreatSubmission.Read.All" + }, + { + "description": "Allows an app to sign digests for data without a signed-in user.", + "displayName": "Sign digests for data", + "id": "cbe6c7e4-09aa-4b8d-b3c3-2dbb59af4b54", + "origin": "Application", + "value": "InformationProtectionContent.Sign.All" + }, + { + "description": "Allows the app to read your organization's threat submission policies without a signed-in user. 
Also allows the app to create new threat submission polices without a signed-in user.", + "displayName": "Read and write all of the organization's threat submission policies", + "id": "926a6798-b100-4a20-a22f-a4918f13951d", + "origin": "Application", + "value": "ThreatSubmissionPolicy.ReadWrite.All" + }, + { + "description": "Allows the app to read all one-to-one or group chat messages in Microsoft Teams for chats where the associated Teams application is installed, without a signed-in user.", + "displayName": "Read all chat messages for chats where the associated Teams application is installed.", + "id": "1c1b4c8e-3cc7-4c58-8470-9b92c9d5848b", + "origin": "Application", + "value": "Chat.Read.WhereInstalled" + }, + { + "description": "Allows the app to read and write all chat messages in Microsoft Teams for chats where the associated Teams application is installed, without a signed-in user.", + "displayName": "Read and write all chat messages for chats where the associated Teams application is installed.", + "id": "ad73ce80-f3cd-40ce-b325-df12c33df713", + "origin": "Application", + "value": "Chat.ReadWrite.WhereInstalled" + }, + { + "description": "Allows the app to read and update all Azure AD recommendations, without a signed-in user. 
", + "displayName": "Read and update all Azure AD recommendations", + "id": "0e9eea12-4f01-45f6-9b8d-3ea4c8144158", + "origin": "Application", + "value": "DirectoryRecommendations.ReadWrite.All" + }, + { + "description": "Allows the app to read all recordings of all online meetings, without a signed-in user.", + "displayName": "Read all recordings of online meetings.", + "id": "a4a08342-c95d-476b-b943-97e100569c8d", + "origin": "Application", + "value": "OnlineMeetingRecording.Read.All" + }, + { + "description": "Allows an app to manage license assignments for users and groups, without a signed-in user.", + "displayName": "Manage all license assignments", + "id": "5facf0c1-8979-4e95-abcf-ff3d079771c0", + "origin": "Application", + "value": "LicenseAssignment.ReadWrite.All" + }, + { + "description": "Allows the app to read and write the Teams app settings without a signed-in user.", + "displayName": "Read and write Teams app settings", + "id": "ab5b445e-8f10-45f4-9c79-dd3f8062cc4e", + "origin": "Application", + "value": "TeamworkAppSettings.ReadWrite.All" + }, + { + "description": "Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, without a signed-in user.", + "displayName": "Read and write all users' lifecycle information", + "id": "925f1248-0f97-47b9-8ec8-538c54e01325", + "origin": "Application", + "value": "User-LifeCycleInfo.ReadWrite.All" + }, + { + "description": "Allows the app to read all Azure AD recommendations, without a signed-in user. ", + "displayName": "Read all Azure AD recommendations", + "id": "ae73097b-cb2a-4447-b064-5d80f6093921", + "origin": "Application", + "value": "DirectoryRecommendations.Read.All" + }, + { + "description": "Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user.\u00a0 It also permits the application to export external user data (e.g. 
customer content or system-generated logs), for any user associated with the current tenant without a signed-in user.", + "displayName": "Read all shared cross-tenant user profiles and export their data", + "id": "8b919d44-6192-4f3d-8a3b-f86f8069ae3c", + "origin": "Application", + "value": "CrossTenantUserProfileSharing.Read.All" + }, + { + "description": "Allows the app to manage restricted resources based on the other permissions granted to the app, without a signed-in user.", + "displayName": "Manage restricted resources in the directory", + "id": "f20584af-9290-4153-9280-ff8bb2c0ea7f", + "origin": "Application", + "value": "Directory.Write.Restricted" + }, + { + "description": "Allows the app to read all transcripts of all online meetings, without a signed-in user.", + "displayName": "Read all transcripts of online meetings.", + "id": "a4a80d8d-d283-4bd8-8504-555ec3870630", + "origin": "Application", + "value": "OnlineMeetingTranscript.Read.All" + }, + { + "description": "Allows\u00a0the\u00a0app\u00a0to\u00a0manage all learning\u00a0content\u00a0in\u00a0the\u00a0organization's\u00a0directory, without a signed-in user.", + "displayName": "Manage all\u00a0learning\u00a0content", + "id": "444d6fcb-b738-41e5-b103-ac4f2a2628a3", + "origin": "Application", + "value": "LearningContent.ReadWrite.All" + }, + { + "description": "Allows the application to read the tenant-level settings of SharePoint and OneDrive, without a signed-in user.", + "displayName": "Read SharePoint and OneDrive tenant settings", + "id": "83d4163d-a2d8-4d3b-9695-4ae3ca98f888", + "origin": "Application", + "value": "SharePointTenantSettings.Read.All" + }, + { + "description": "Allows the app to read or write your organization's custom authentication extensions without a signed-in user.", + "displayName": "Read and write all custom authentication extensions", + "id": "c2667967-7050-4e7e-b059-4cbbb3811d03", + "origin": "Application", + "value": "CustomAuthenticationExtension.ReadWrite.All" + }, + { 
+ "description": "Allows the app to read names and members of all one-to-one and group chats in Microsoft Teams where the associated Teams application is installed, without a signed-in user.", + "displayName": "Read names and members of all chat threads where the associated Teams application is installed.", + "id": "818ba5bd-5b3e-4fe0-bbe6-aa4686669073", + "origin": "Application", + "value": "Chat.ReadBasic.WhereInstalled" + }, + { + "description": "Allows the app to list and read all workflows, tasks and related lifecycle workflows resources without a signed-in user.", + "displayName": "Read all lifecycle workflows resources", + "id": "7c67316a-232a-4b84-be22-cea2c0906404", + "origin": "Application", + "value": "LifecycleWorkflows.Read.All" + }, + { + "description": "Allows the app to create protected content without a signed-in user. ", + "displayName": "Create protected content", + "id": "287bd98c-e865-4e8c-bade-1a85523195b9", + "origin": "Application", + "value": "InformationProtectionContent.Write.All" + }, + { + "description": "Allows the app to create, read, update and delete all users\u2019 tasks and task lists in your organization, without a signed-in user", + "displayName": "Read and write all users\u2019 tasks and tasklists", + "id": "44e666d1-d276-445b-a5fc-8815eeb81d55", + "origin": "Application", + "value": "Tasks.ReadWrite.All" + }, + { + "description": "Allows the app to read the Teams app settings without a signed-in user.", + "displayName": "Read Teams app settings", + "id": "475ebe88-f071-4bd7-af2b-642952bd4986", + "origin": "Application", + "value": "TeamworkAppSettings.Read.All" + }, + { + "description": "Allows the app to read the authentication context information in your organization without a signed-in user.", + "displayName": "Read all authentication context information", + "id": "381f742f-e1f8-4309-b4ab-e3d91ae4c5c1", + "origin": "Application", + "value": "AuthenticationContext.Read.All" + }, + { + "description": "Allows the app to read 
and update all admin report settings, such as whether to display concealed information in reports, without a signed-in user.", + "displayName": "Read and write all admin report settings", + "id": "2a60023f-3219-47ad-baa4-40e17cd02a1d", + "origin": "Application", + "value": "ReportSettings.ReadWrite.All" + }, + { + "description": "Allows an app to read all browser site lists configured for your organization, without a signed-in user.", + "displayName": "Read all browser site lists for your organization", + "id": "c5ee1f21-fc7f-4937-9af0-c91648ff9597", + "origin": "Application", + "value": "BrowserSiteLists.Read.All" + }, + { + "description": "Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, without a signed-in user.", + "displayName": "Read all users' lifecycle information", + "id": "8556a004-db57-4d7a-8b82-97a13428e96f", + "origin": "Application", + "value": "User-LifeCycleInfo.Read.All" + }, + { + "description": "Allows an app to read all acronyms without a signed-in user.", + "displayName": "Read all acronyms", + "id": "8c0aed2c-0c61-433d-b63c-6370ddc73248", + "origin": "Application", + "value": "Acronym.Read.All" + }, + { + "description": "Allows the app to see your users' basic profile (e.g., name, picture, user name, email address)", + "displayName": "View users' basic profile", + "id": "14dad69e-099b-42c9-810b-d002981feec1", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to see your basic profile (e.g., name, picture, user name, email address)", + "userConsentDisplayName": "View your basic profile", + "value": "profile" + }, + { + "description": "Allows the app to read attack simulation and training data for an organization for the signed-in user.", + "displayName": "Read attack simulation data of an organization", + "id": "104a7a4b-ca76-4677-b7e7-2f4bc482f381", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read attack simulation and training data for an 
organization on your behalf.", + "userConsentDisplayName": "Read attack simulation data of an organization", + "value": "AttackSimulation.Read.All" + }, + { + "description": "Allows the app to read and write your organization's directory access review default policy on behalf of the signed-in user.", + "displayName": "Read and write your organization's directory access review default policy", + "id": "4f5bc9c8-ea54-4772-973a-9ca119cb0409", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's directory access review default policy on your behalf.", + "userConsentDisplayName": "Read and write your organization's directory access review default policy", + "value": "Policy.ReadWrite.AccessReview" + }, + { + "description": "Allows the app to read your organization's threat submissions and threat submission policies on behalf of the signed-in user. Also allows the app to create new threat submissions on behalf of the signed-in user.", + "displayName": "Read and write all threat submissions", + "id": "8458e264-4eb9-4922-abe9-768d58f13c7f", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your organization's threat submissions and threat submission policies on your behalf. 
Also allows the app to create new threat submissions on your behalf.", + "userConsentDisplayName": "Read and write all threat submissions", + "value": "ThreatSubmission.ReadWrite.All" + }, + { + "description": "Allows the application to read any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user.", + "displayName": "Read Records Management configuration,\u00a0labels, and policies", + "id": "07f995eb-fc67-4522-ad66-2b8ca8ea3efd", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read any data from Records Management, such as configuration, labels and policies on your behalf.", + "userConsentDisplayName": "Read Records Management configuration,\u00a0labels, and policies", + "value": "RecordsManagement.Read.All" + }, + { + "description": "Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user.", + "displayName": "Read and write Records Management configuration, labels, and policies", + "id": "f2833d75-a4e6-40ab-86d4-6dfe73c97605", + "Origin": "Delegated", + "userConsentDescription": "Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on your behalf.", + "userConsentDisplayName": "Read and write Records Management configuration, labels, and policies", + "value": "RecordsManagement.ReadWrite.All" + }, + { + "description": "Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups on behalf of the signed-in user.", + "displayName": "Read Delegated Admin relationships with customers", + "id": "0c0064ea-477b-4130-82a5-4c2cc4ff68aa", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read details of Delegated Admin relationships with customers like access 
details (that includes roles) and the duration as well as specific role assignments to security groups on your behalf.", + "userConsentDisplayName": "Read Delegated Admin relationships with customers", + "value": "DelegatedAdminRelationship.Read.All" + }, + { + "description": "Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers as well as role assignments to security groups for active Delegated Admin relationships on behalf of the signed-in user.", + "displayName": "Manage Delegated Admin relationships with customers", + "id": "885f682f-a990-4bad-a642-36736a74b0c7", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships on your behalf.", + "userConsentDisplayName": "Manage Delegated Admin relationships with customers", + "value": "DelegatedAdminRelationship.ReadWrite.All" + }, + { + "description": "Allows the app to read and write all managed tenant information on behalf of the signed-in user.", + "displayName": "Read and write all managed tenant information", + "id": "b31fa710-c9b3-4d9e-8f5e-8036eecddab9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write all managed tenant information on your behalf.", + "userConsentDisplayName": "Read and write all managed tenant information", + "value": "ManagedTenants.ReadWrite.All" + }, + { + "description": "Allows the app to read all managed tenant information on behalf of the signed-in user.", + "displayName": "Read all managed tenant information", + "id": "dc34164e-6c4a-41a0-be89-3ae2fbad7cd3", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all managed tenant information on your behalf.", + "userConsentDisplayName": "Read all managed tenant information", + "value": "ManagedTenants.Read.All" + }, + { + "description": "Allows the app to read 
and manage the Cloud PC role-based access control (RBAC) settings, on behalf of the signed-in user. This includes reading and managing Cloud PC role definitions and role assignments.", + "displayName": "Read and write Cloud PC RBAC settings", + "id": "501d06f8-07b8-4f18-b5c6-c191a4af7a82", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, on your behalf. This includes reading and managing Cloud PC role definitions and memberships.", + "userConsentDisplayName": "Read and write Cloud PC RBAC settings", + "value": "RoleManagement.ReadWrite.CloudPC" + }, + { + "description": "Allows the app to read the Cloud PC role-based access control (RBAC) settings, on behalf of the signed-in user.\u00a0 This includes reading Cloud PC role definitions and role assignments.", + "displayName": "Read Cloud PC RBAC settings", + "id": "9619b88a-8a25-48a7-9571-d23be0337a79", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the Cloud PC role-based access control (RBAC) settings, on your behalf.\u00a0 This includes reading Cloud PC role definitions and role assignments.", + "userConsentDisplayName": "Read Cloud PC RBAC settings", + "value": "RoleManagement.Read.CloudPC" + }, + { + "description": "Allows the app to read and write settings of external connections on behalf of a signed-in user. The signed-in user must be an administrator. The app can only read and write settings of connections that it is authorized to.", + "displayName": "Read and write external connections", + "id": "4082ad95-c812-4f02-be92-780c4c4f1830", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write external connections on your behalf. The signed-in user must be an administrator. The app can only read and write external connections that it is authorized to, or it can create new external connections. 
", + "userConsentDisplayName": "Read and write external connections", + "value": "ExternalConnection.ReadWrite.OwnedBy" + }, + { + "description": "Allows the app to read all external connections on behalf of a signed-in user. The signed-in user must be an administrator.", + "displayName": "Read all external connections", + "id": "a38267a5-26b6-4d76-9493-935b7599116b", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all external connections on your behalf. The signed-in user must be an administrator.", + "userConsentDisplayName": "Read all external connections", + "value": "ExternalConnection.Read.All" + }, + { + "description": "Allows the app to read and write all external connections on behalf of a signed-in user. The signed-in user must be an administrator.", + "displayName": "Read and write all external connections", + "id": "bbbbd9b3-3566-4931-ac37-2b2180d9e334", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write all external connections on your behalf. The signed-in user must be an administrator.", + "userConsentDisplayName": "Read and write all external connections", + "value": "ExternalConnection.ReadWrite.All" + }, + { + "description": "Allows the app to read and write external items on behalf of a signed-in user. The signed-in user must be an administrator. The app can only read external items of the connection that it is authorized to.", + "displayName": "Read and write external items", + "id": "4367b9d7-cee7-4995-853c-a0bdfe95c1f9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write external items on your behalf. The signed-in user must be an administrator. The app can only read external items of the connection that it is authorized to.", + "userConsentDisplayName": "Read and write external items", + "value": "ExternalItem.ReadWrite.OwnedBy" + }, + { + "description": "Allows the app to read and write all external items on behalf of a signed-in user. 
The signed-in user must be an administrator.", + "displayName": "Read and write all external items", + "id": "b02c54f8-eb48-4c50-a9f0-a149e5a2012f", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write all external items on your behalf. The signed-in user must be an administrator.", + "userConsentDisplayName": "Read and write all external items", + "value": "ExternalItem.ReadWrite.All" + }, + { + "description": "Allows the app to read custom security attribute assignments for all principals in the tenant on behalf of a signed in user.", + "displayName": "Read custom security attribute assignments", + "id": "b46ffa80-fe3d-4822-9a1a-c200932d54d0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read custom security attribute assignments for all principals in the tenant on your behalf.", + "userConsentDisplayName": "Read custom security attribute assignments", + "value": "CustomSecAttributeAssignment.Read.All" + }, + { + "description": "Allows the app to read custom security attribute definitions for the tenant on behalf of a signed in user.", + "displayName": "Read custom security attribute definitions", + "id": "ce026878-a0ff-4745-a728-d4fedd086c07", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read custom security attribute definitions for the tenant on your behalf.", + "userConsentDisplayName": "Read custom security attribute definitions", + "value": "CustomSecAttributeDefinition.Read.All" + }, + { + "description": "Allows the app to read and write your organization's cross tenant access policies on behalf of the signed-in user.", + "displayName": "Read and write your organization's cross tenant access policies", + "id": "014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's cross tenant access policies on your behalf.", + "userConsentDisplayName": "Read and write your organization's cross 
tenant access policies", + "value": "Policy.ReadWrite.CrossTenantAccess" + }, + { + "description": "Allows the app to read and write tags in Teams, on behalf of the signed-in user.", + "displayName": "Read and write tags in Teams", + "id": "539dabd7-b5b6-4117-b164-d60cd15a8671", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write tags in Teams, on your behalf.", + "userConsentDisplayName": "Read and write tags in Teams", + "value": "TeamworkTag.ReadWrite" + }, + { + "description": "Allows the app to read tags in Teams, on behalf of the signed-in user.", + "displayName": "Read tags in Teams", + "id": "57587d0b-8399-45be-b207-8050cec54575", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read tags in Teams, on your behalf.", + "userConsentDisplayName": "Read tags in Teams", + "value": "TeamworkTag.Read" + }, + { + "description": "Allows the app to read and write security incidents, on behalf of the signed-in user.", + "displayName": "Read and write to incidents", + "id": "128ca929-1a19-45e6-a3b8-435ec44a36ba", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write to all security incidents that you have access to.", + "userConsentDisplayName": "Read and write to security incidents", + "value": "SecurityIncident.ReadWrite.All" + }, + { + "description": "Allows the app to read security incidents, on behalf of the signed-in user.", + "displayName": "Read incidents", + "id": "b9abcc4f-94fc-4457-9141-d20ce80ec952", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all security incidents that you have access to.", + "userConsentDisplayName": "Read security incidents", + "value": "SecurityIncident.Read.All" + }, + { + "description": "Allows the app to read and write to all security alerts, on behalf of the signed-in user.", + "displayName": "Read and write to all security alerts", + "id": "471f2a7f-2a42-4d45-a2bf-594d0838070d", + "Origin": "Delegated", + 
"userConsentDescription": "Allows the app to read and write all alerts that you have access to.", + "userConsentDisplayName": "Read and write all alerts", + "value": "SecurityAlert.ReadWrite.All" + }, + { + "description": "Allows the app to read all security alerts, on behalf of the signed-in user.", + "displayName": "Read all security alerts", + "id": "bc257fb8-46b4-4b15-8713-01e91bfbe4ea", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all security alerts that you have access to.", + "userConsentDisplayName": "Read all alerts", + "value": "SecurityAlert.Read.All" + }, + { + "description": "Allows the app to update service announcement messages' user status on behalf of the signed-in user. The message status can be marked as read, archive, or favorite.", + "displayName": "Update user status on service announcement messages", + "id": "636e1b0b-1cc2-4b1c-9aa9-4eeed9b9761b", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to update service announcement messages' status on your behalf. 
Your status for messages can be marked as read, archive, or favorite.", + "userConsentDisplayName": "Update your user status on service announcement messages", + "value": "ServiceMessageViewpoint.Write" + }, + { + "description": "Allows the app to run hunting queries, on behalf of the signed-in user.", + "displayName": "Run hunting queries", + "id": "b152eca8-ea73-4a48-8c98-1a6742673d99", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to run hunting queries that you can execute.", + "userConsentDisplayName": "Run hunting queries", + "value": "ThreatHunting.Read.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access.", + "displayName": "Allow the app to manage itself in teams", + "id": "0f4595f7-64b1-4e13-81bc-11a249df07a9", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, install, upgrade, and uninstall itself to teams you can access.", + "userConsentDisplayName": "Allow the Teams app to manage itself in teams", + "value": "TeamsAppInstallation.ReadWriteSelfForTeam" + }, + { + "description": "Allow the app to read the management data for Teams devices on behalf of the signed-in user.", + "displayName": "Read Teams devices", + "id": "b659488b-9d28-4208-b2be-1c6652b3c970", + "Origin": "Delegated", + "userConsentDescription": "Allow the app to read the management data for Teams devices on your behalf.", + "userConsentDisplayName": "Read Teams devices", + "value": "TeamworkDevice.Read.All" + }, + { + "description": "Allow the app to read and write the management data for Teams devices on behalf of the signed-in user.", + "displayName": "Read and write Teams devices", + "id": "ddd97ecb-5c31-43db-a235-0ee20e635c40", + "Origin": "Delegated", + "userConsentDescription": "Allow the app to read and write the management data for Teams devices on your behalf.", + "userConsentDisplayName": "Read and write Teams devices", + "value": 
"TeamworkDevice.ReadWrite.All" + }, + { + "description": "Allows the app to read all identity risky service principal information for your organization, on behalf of the signed-in user.", + "displayName": "Read all identity risky service principal information", + "id": "ea5c4ab0-5a73-4f35-8272-5d5337884e5d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all identity risky service principal information for your organization, on your behalf.", + "userConsentDisplayName": "Read all identity risky service principal information", + "value": "IdentityRiskyServicePrincipal.Read.All" + }, + { + "description": "Allows the app to read and update identity risky service principal information for all service principals in your organization, on behalf of the signed-in user. Update operations include dismissing risky service principals.", + "displayName": "Read and write all identity risky service principal information", + "id": "bb6f654c-d7fd-4ae3-85c3-fc380934f515", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and update identity risky service principal information for all service principals in your organization, on your behalf. 
Update operations include dismissing risky service principals.", + "userConsentDisplayName": "Read and write all identity risky service principal information", + "value": "IdentityRiskyServicePrincipal.ReadWrite.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall its own tabs to teams the signed-in user can access.", + "displayName": "Allow the Teams app to manage only its own tabs in teams", + "id": "f266662f-120a-4314-b26a-99b08617c7ef", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, install, upgrade, and uninstall its own tabs to teams you can access.", + "userConsentDisplayName": "Allow the Teams app to manage only its own tabs in teams", + "value": "TeamsTab.ReadWriteSelfForTeam" + }, + { + "description": "Allows the app to read the presence information and write activity and availability on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.", + "displayName": "Read and write a user's presence information", + "id": "8d3c54a7-cf58-4773-bf81-c0cd6ad522bb", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the presence information and write activity and availability on your behalf. 
Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.", + "userConsentDisplayName": "Read and write your presence information", + "value": "Presence.ReadWrite" + }, + { + "description": "Allows the app to read subject rights requests on behalf of the signed-in user", + "displayName": "Read subject rights requests", + "id": "9c3af74c-fd0f-4db4-b17a-71939e2a9d77", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read subject rights requests on your behalf.", + "userConsentDisplayName": "Read data subject requests", + "value": "SubjectRightsRequest.Read.All" + }, + { + "description": "Allows the app to read and write subject rights requests on behalf of the signed-in user", + "displayName": "Read and write subject rights requests", + "id": "2b8fcc74-bce1-4ae3-a0e8-60c53739299d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write subject rights requests on your behalf.", + "userConsentDisplayName": "Read and write data subject requests", + "value": "SubjectRightsRequest.ReadWrite.All" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall its own tabs for the signed-in user.", + "displayName": "Allow the Teams app to manage only its own tabs for a user", + "id": "395dfec1-a0b9-465f-a783-8250a430cb8c", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, install, upgrade, and uninstall its own tabs for you.", + "userConsentDisplayName": "Allow the Teams app to manage only its own tabs for you", + "value": "TeamsTab.ReadWriteSelfForUser" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall its own tabs in chats the signed-in user can access.", + "displayName": "Allow the Teams app to manage only its own tabs in chats", + "id": "0c219d04-3abf-47f7-912d-5cca239e90e6", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, 
install, upgrade, and uninstall its own tabs in chats you can access.", + "userConsentDisplayName": "Allow the Teams app to manage only its own tabs in chats", + "value": "TeamsTab.ReadWriteSelfForChat" + }, + { + "description": "Allows the app to read and write search configuration, on behalf of the signed-in user.", + "displayName": "Read and write your organization's search configuration", + "id": "b1a7d408-cab0-47d2-a2a5-a74a3733600d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write search configuration, on your behalf.", + "userConsentDisplayName": "Read and write your organization's search configuration", + "value": "SearchConfiguration.ReadWrite.All" + }, + { + "description": "Allows the app to read search configuration, on behalf of the signed-in user.", + "displayName": "Read your organization's search configuration", + "id": "7d307522-aa38-4cd0-bd60-90c6f0ac50bd", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read search configuration, on your behalf.", + "userConsentDisplayName": "Read your organization's search configuration", + "value": "SearchConfiguration.Read.All" + }, + { + "description": "Allows the app to read online meeting artifacts on behalf of the signed-in user.", + "displayName": "Read user's online meeting artifacts", + "id": "110e5abb-a10c-4b59-8b55-9b4daa4ef743", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read online meeting artifacts on your behalf.", + "userConsentDisplayName": "Read user's online meeting artifacts", + "value": "OnlineMeetingArtifact.Read.All" + }, + { + "description": "Allows the app to read and manage the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. 
This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships.", + "displayName": "Read, update, and delete all active role assignments for your company's directory", + "id": "8c026be3-8e26-4774-9372-8d5d6f21daff", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and manage the active role-based access control (RBAC) assignments for your company's directory, on your behalf. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships.", + "userConsentDisplayName": "Read, update, and delete all active role assignments for your company's directory", + "value": "RoleAssignmentSchedule.ReadWrite.Directory" + }, + { + "description": "Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships.", + "displayName": "Read, update, and delete all eligible role assignments for your company's directory", + "id": "62ade113-f8e0-4bf9-a6ba-5acb31db32fd", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company's directory, on your behalf. 
This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships.", + "userConsentDisplayName": "Read, update, and delete all eligible role assignments for your company's directory", + "value": "RoleEligibilitySchedule.ReadWrite.Directory" + }, + { + "description": "Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, on behalf of the signed-in user.", + "displayName": "Read, update, and delete all policies for privileged role assignments of your company's directory", + "id": "1ff1be21-34eb-448c-9ac9-ce1f506b2a68", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, on your behalf.", + "userConsentDisplayName": "Read, update, and delete all policies for privileged role assignments of your company's directory", + "value": "RoleManagementPolicy.ReadWrite.Directory" + }, + { + "description": "Allows the app to read the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles.", + "displayName": "Read all active role assignments for your company's directory", + "id": "344a729c-0285-42c6-9014-f12b9b8d6129", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the active role-based access control (RBAC) assignments for your company's directory, on your behalf. 
This includes reading directory role templates, and directory roles.", + "userConsentDisplayName": "Read all active role assignments for your company's directory", + "value": "RoleAssignmentSchedule.Read.Directory" + }, + { + "description": "Allows the app to read the eligible role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles.", + "displayName": "Read all eligible role assignments for your company's directory", + "id": "eb0788c2-6d4e-4658-8c9e-c0fb8053f03d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the eligible role-based access control (RBAC) assignments for your company's directory, on your behalf. This includes reading directory role templates, and directory roles.", + "userConsentDisplayName": "Read all eligible role assignments for your company's directory", + "value": "RoleEligibilitySchedule.Read.Directory" + }, + { + "description": "Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company's directory, on behalf of the signed-in user.", + "displayName": "Read all policies for privileged role assignments of your company's directory", + "id": "3de2cdbe-0ff5-47d5-bdee-7f45b4749ead", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company's directory, on your behalf.", + "userConsentDisplayName": "Read all policies for privileged role assignments of your company's directory", + "value": "RoleManagementPolicy.Read.Directory" + }, + { + "description": "Allows the app to read and write all Windows update deployment settings for the organization on behalf of the signed-in user.", + "displayName": "Read and write all Windows update deployment settings", + "id": "11776c0c-6138-4db3-a668-ee621bea2555", + "Origin": "Delegated", + "userConsentDescription": 
"Allows the app to read and write all Windows update deployment settings for the organization on your behalf.", + "userConsentDisplayName": "Read and write all Windows update deployment settings", + "value": "WindowsUpdates.ReadWrite.All" + }, + { + "description": "Allows the app to read and write your organization's mobility management policies on behalf of the signed-in user. For example, a mobility management policy can set the enrollment scope for a given mobility management application.", + "displayName": "Read and write your organization's mobility management policies", + "id": "a8ead177-1889-4546-9387-f25e658e2a79", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's mobility management policies on your behalf. For example, a mobility management policy can set the enrollment scope for a given mobility management application.", + "userConsentDisplayName": "Read and write your organization's mobility management policies", + "value": "Policy.ReadWrite.MobilityManagement" + }, + { + "description": "Allows the app to read basic unified group properties, memberships and owners of the group the signed-in guest is a member of.", + "displayName": "Read unified group memberships as guest", + "id": "73e75199-7c3e-41bb-9357-167164dbb415", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read basic unified group properties, memberships and owners of the group you are a member of.", + "userConsentDisplayName": "Read unified group memberships as guest", + "value": "UnifiedGroupMember.Read.AsGuest" + }, + { + "description": "Allows the app to update service principal endpoints", + "displayName": "Read and update service principal endpoints", + "id": "7297d82c-9546-4aed-91df-3d4f0a9b3ff0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to update service principal endpoints", + "userConsentDisplayName": "Read and update service principal endpoints", + "value": 
"ServicePrincipalEndpoint.ReadWrite.All" + }, + { + "description": "Allows the app to read service principal endpoints", + "displayName": "Read service principal endpoints", + "id": "9f9ce928-e038-4e3b-8faf-7b59049a8ddc", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read service principal endpoints", + "userConsentDisplayName": "Read service principal endpoints", + "value": "ServicePrincipalEndpoint.Read.All" + }, + { + "description": "Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies.", + "displayName": "Send a teamwork activity as the user", + "id": "7ab1d787-bae7-4d5d-8db6-37ea32df9186", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create new activities in your teamwork activity feed, and send new activities to other users' activity feed, on your behalf.", + "userConsentDisplayName": "Send a teamwork activity", + "value": "TeamsActivity.Send" + }, + { + "description": "Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user.", + "displayName": "Read and write all eDiscovery objects", + "id": "acb8f680-0834-4146-b69e-4ab1b39745ad", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on your behalf.", + "userConsentDisplayName": "Read and write all eDiscovery objects", + "value": "eDiscovery.ReadWrite.All" + }, + { + "description": "Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user.", + "displayName": "Read all eDiscovery objects", + "id": "99201db3-7652-4d5a-809a-bdb94f85fe3c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read eDiscovery 
objects such as cases, custodians, review sets and other related objects on your behalf.", + "userConsentDisplayName": "Read all eDiscovery objects", + "value": "eDiscovery.Read.All" + }, + { + "description": "Allows the app to read and write custom security attribute assignments for all principals in the tenant on behalf of a signed in user.", + "displayName": "Read and write custom security attribute assignments", + "id": "ca46335e-8453-47cd-a001-8459884efeae", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write custom security attribute assignments for all principals in the tenant on your behalf.", + "userConsentDisplayName": "Read and write custom security attribute assignments", + "value": "CustomSecAttributeAssignment.ReadWrite.All" + }, + { + "description": "Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user.", + "displayName": "Read and write custom security attribute definitions", + "id": "8b0160d4-5743-482b-bb27-efc0a485ca4a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write custom security attribute definitions for the tenant on your behalf.", + "userConsentDisplayName": "Read and write custom security attribute definitions", + "value": "CustomSecAttributeDefinition.ReadWrite.All" + }, + { + "description": "Allows the app to read email in the signed-in user's mailbox except body, previewBody, attachments and any extended properties.", + "displayName": "Read user basic mail", + "id": "a4b8392a-d8d1-4954-a029-8e668a39a170", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read email in the signed-in user's mailbox except body, previewBody, attachments and any extended properties.", + "userConsentDisplayName": "Read user basic mail", + "value": "Mail.ReadBasic" + }, + { + "description": "Allows the app to read and write your organization's feature rollout policies on behalf of the signed-in user. 
Includes abilities to assign and remove users and groups to rollout of a specific feature.", + "displayName": "Read and write your organization's feature rollout policies", + "id": "92a38652-f13b-4875-bc77-6e1dbb63e1b2", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's feature rollout policies on your behalf. Includes abilities to assign and remove users and groups to rollout of a specific feature.", + "userConsentDisplayName": "Read and write your organization's feature rollout policies", + "value": "Policy.ReadWrite.FeatureRollout" + }, + { + "description": "Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.", + "displayName": "Read and write directory RBAC settings", + "id": "d01b97e9-cbc0-49fe-810a-750afd5527a3", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on your behalf. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.", + "userConsentDisplayName": "Read and write directory RBAC settings", + "value": "RoleManagement.ReadWrite.Directory" + }, + { + "description": "Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships.", + "displayName": "Read directory RBAC settings", + "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the role-based access control (RBAC) settings for your company's directory, on your behalf. 
This includes reading directory role templates, directory roles and memberships.", + "userConsentDisplayName": "Read directory RBAC settings", + "value": "RoleManagement.Read.Directory" + }, + { + "description": "Allows the app to read and write the organization and related resources, on behalf of the signed-in user.\u00a0Related resources include things like subscribed skus and tenant branding information.", + "displayName": "Read and write organization information", + "id": "46ca0847-7e6b-426e-9775-ea810a948356", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write the organization and related resources, on your behalf.\u00a0Related resources include things like subscribed skus and tenant branding information.", + "userConsentDisplayName": "Read and write organization information", + "value": "Organization.ReadWrite.All" + }, + { + "description": "Allows the app to read the organization and related resources, on behalf of the signed-in user.\u00a0Related resources include things like subscribed skus and tenant branding information.", + "displayName": "Read organization information", + "id": "4908d5b9-3fb2-4b1e-9336-1888b7937185", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the organization and related resources, on your behalf.\u00a0Related resources include things like subscribed skus and tenant branding information.", + "userConsentDisplayName": "Read organization information", + "value": "Organization.Read.All" + }, + { + "description": "Allows the app to read your company's places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.", + "displayName": "Read all company places", + "id": "cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your company's places (conference rooms and room lists) for calendar events and other applications, on your behalf.", + 
"userConsentDisplayName": "Read all company places", + "value": "Place.Read.All" + }, + { + "description": "Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user.", + "displayName": "Read and write workforce integrations", + "id": "08c4b377-0d23-4a8b-be2a-23c1c1d88545", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts, on your behalf.", + "userConsentDisplayName": "Read and write workforce integrations", + "value": "WorkforceIntegration.ReadWrite.All" + }, + { + "description": "Allows the app to read workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user.", + "displayName": "Read workforce integrations", + "id": "f1ccd5a7-6383-466a-8db8-1a656f7d06fa", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read workforce integrations, to synchronize data from Microsoft Teams Shifts, on your behalf.", + "userConsentDisplayName": "Read workforce integrations", + "value": "WorkforceIntegration.Read.All" + }, + { + "description": "Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings for group and app memberships that the signed-in user has access to in the organization.", + "displayName": "Manage access reviews for group and app memberships", + "id": "5af8c3f5-baca-439a-97b0-ea58a435e269", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update and perform action on access reviews, reviewers, decisions and settings that you have access to.", + "userConsentDisplayName": "Manage access reviews for group and app memberships", + "value": "AccessReview.ReadWrite.Membership" + }, + { + "description": "Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, 
on-premises agents and agent groups, on behalf of the signed-in user.", + "displayName": "Manage on-premises published resources", + "id": "8c4d5184-71c2-4bf8-bb9d-bc3378c9ad42", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on your behalf.", + "userConsentDisplayName": "Manage on-premises published resources", + "value": "OnPremisesPublishingProfiles.ReadWrite.All" + }, + { + "description": "Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user.", + "displayName": "Read user sensitivity labels and label policies.", + "id": "4ad84827-5578-4e18-ad7a-86530b12f884", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user.", + "userConsentDisplayName": "Read user sensitivity labels and label policies.", + "value": "InformationProtectionPolicy.Read" + }, + { + "description": "Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user.", + "displayName": "Read administrative units", + "id": "3361d15d-be43-4de6-b441-3c746d05163d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read administrative units and administrative unit membership on your behalf.", + "userConsentDisplayName": "Read administrative units", + "value": "AdministrativeUnit.Read.All" + }, + { + "description": "Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user.", + "displayName": "Read and write administrative units", + "id": "7b8a2d34-6b3f-4542-a343-54651608ad81", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create, read, update, and delete 
administrative units and manage administrative unit membership on your behalf.", + "userConsentDisplayName": "Read and write administrative units", + "value": "AdministrativeUnit.ReadWrite.All" + }, + { + "description": "Allows the app to read your family information, members and their basic profile.", + "displayName": "Read your family info", + "id": "3a1e4806-a744-4c70-80fc-223bf8582c46", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your family information, members and their basic profile.", + "userConsentDisplayName": "Read your family info", + "value": "Family.Read" + }, + { + "description": "Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), on behalf of the signed-in user. \u00a0It cannot update any threat indicators it does not own.", + "displayName": "Manage threat indicators this app creates or owns", + "id": "91e7d36d-022a-490f-a748-f8e011357b42", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), on your behalf. 
\u00a0It cannot update any threat indicators that it is not an owner of.", + "userConsentDisplayName": "Manage threat indicators this app creates or owns", + "value": "ThreatIndicators.ReadWrite.OwnedBy" + }, + { + "description": "Allows the app to read or update security actions, on behalf of the signed-in user.", + "displayName": "Read and update your organization's security actions", + "id": "dc38509c-b87d-4da0-bd92-6bec988bac4a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and update security actions, on your behalf.", + "userConsentDisplayName": "Read and update your organization's security actions", + "value": "SecurityActions.ReadWrite.All" + }, + { + "description": "Allows the app to read security actions, on behalf of the signed-in user.", + "displayName": "Read your organization's security actions", + "id": "1638cddf-07a4-4de2-8645-69c96cacad73", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read security actions, on your behalf.", + "userConsentDisplayName": "Read your organization's security actions", + "value": "SecurityActions.Read.All" + }, + { + "description": "Allows an app to read 1 on 1 or group chats threads, on behalf of the signed-in user.", + "displayName": "Read user chat messages", + "id": "f501c180-9344-439a-bca0-6cbf209fd270", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read your 1 on 1 or group chat messages in Microsoft Teams, on your behalf.", + "userConsentDisplayName": "Read your chat messages", + "value": "Chat.Read" + }, + { + "description": "Allows an app to read and write 1 on 1 or group chats threads, on behalf of the signed-in user.", + "displayName": "Read and write user chat messages", + "id": "9ff7295e-131b-4d94-90e1-69fde507ac11", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read and write your 1 on 1 or group chat messages in Microsoft Teams, on your behalf.", + "userConsentDisplayName": "Read and write your chat 
messages", + "value": "Chat.ReadWrite" + }, + { + "description": "Allows the app to read and write your organization's trust framework policies on behalf of the signed-in user.", + "displayName": "Read and write your organization's trust framework policies", + "id": "cefba324-1a70-4a6e-9c1d-fd670b7ae392", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's trust framework policies on your behalf.", + "userConsentDisplayName": "Read and write trust framework policies", + "value": "Policy.ReadWrite.TrustFramework" + }, + { + "description": "Allows the app to read trust framework key set properties on behalf of the signed-in user.", + "displayName": "Read trust framework key sets", + "id": "7ad34336-f5b1-44ce-8682-31d7dfcd9ab9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read trust framework key sets, on your behalf.", + "userConsentDisplayName": "Read trust framework key sets", + "value": "TrustFrameworkKeySet.Read.All" + }, + { + "description": "Allows the app to read and write trust framework key set properties on behalf of the signed-in user.", + "displayName": "Read and write trust framework key sets", + "id": "39244520-1e7d-4b4a-aee0-57c65826e427", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read or write trust framework key sets, on your behalf.", + "userConsentDisplayName": "Read and write trust framework key sets", + "value": "TrustFrameworkKeySet.ReadWrite.All" + }, + { + "description": "Allows the app to read and update identity risk event information for all users in your organization on behalf of the signed-in user.\u00a0Update operations include confirming risk event detections.\u00a0", + "displayName": "Read and write risk event information", + "id": "9e4862a5-b68f-479e-848a-4e07e25c9916", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and update identity risk event information for all users in your organization 
on your behalf.\u00a0Update operations include confirming risk event detections.\u00a0", + "userConsentDisplayName": "Read and write risk event information", + "value": "IdentityRiskEvent.ReadWrite.All" + }, + { + "description": "Allows the app to read and update identity risky user information for all users in your organization on behalf of the signed-in user.\u00a0Update operations include dismissing risky users.", + "displayName": "Read and write risky user information", + "id": "e0a7cdbb-08b0-4697-8264-0069786e9674", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and update identity risky user information for all users in your organization on your behalf.\u00a0Update operations include dismissing risky users.", + "userConsentDisplayName": "Read and write identity risky user information", + "value": "IdentityRiskyUser.ReadWrite.All" + }, + { + "description": "Allows the app to read the signed-in user's mailbox.", + "displayName": "Read user mail ", + "id": "570282fd-fa5c-430d-a7fd-fc8dc98a9dca", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read email in your mailbox. 
", + "userConsentDisplayName": "Read your mail ", + "value": "Mail.Read" + }, + { + "description": "Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user.", + "displayName": "Read identity risky user information", + "id": "d04bb851-cb7c-4146-97c7-ca3e71baf56c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user.", + "userConsentDisplayName": "Read identity risky user information", + "value": "IdentityRiskyUser.Read.All" + }, + { + "description": "Allows the app to read the signed-in user's activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions.", + "displayName": "Read user activity statistics", + "id": "e03cf23f-8056-446a-8994-7d93dfc8b50e", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your activity statistics, such as how much time you've spent on emails, in meetings, or in chat sessions.", + "userConsentDisplayName": "Read your activity statistics", + "value": "Analytics.Read" + }, + { + "description": "Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.", + "displayName": "Maintain access to data you have given it access to", + "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to see and update the data you gave it access to, even when you are not currently using the app. 
This does not give the app any additional permissions.", + "userConsentDisplayName": "Maintain access to data you have given it access to", + "value": "offline_access" + }, + { + "description": "Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services.", + "displayName": "Access mailboxes as the signed-in user via Exchange Web Services", + "id": "9769c687-087d-48ac-9cb3-c37dde652038", + "Origin": "Delegated", + "userConsentDescription": "Allows the app full access to your mailboxes on your behalf.", + "userConsentDisplayName": "Access your mailboxes", + "value": "EWS.AccessAsUser.All" + }, + { + "description": "Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator).", + "displayName": "Export user's data", + "id": "405a51b5-8d8d-430b-9842-8be4b0e9f324", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator).", + "userConsentDisplayName": "Export user's data", + "value": "User.Export.All" + }, + { + "description": "Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app.", + "displayName": "Deliver and manage user notifications for this app", + "id": "89497502-6e42-46a2-8cb2-427fd3df970a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to deliver its notifications, on your behalf. 
Also allows the app to read, update, and delete your notification items for this app.", + "userConsentDisplayName": "Deliver and manage your notifications for this app", + "value": "Notifications.ReadWrite.CreatedByApp" + }, + { + "description": "Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user.", + "displayName": "Read and write your organization's conditional access policies", + "id": "ad902697-1014-4ef5-81ef-2b4301988e8c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's conditional access policies on your behalf.", + "userConsentDisplayName": "Read and write your organization's conditional access policies", + "value": "Policy.ReadWrite.ConditionalAccess" + }, + { + "description": "Allows the app to read your organization's policies on behalf of the signed-in user.", + "displayName": "Read your organization's policies", + "id": "572fea84-0151-49b2-9301-11cb16974376", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your organization's policies on your behalf.", + "userConsentDisplayName": "Read your organization's policies", + "value": "Policy.Read.All" + }, + { + "description": "Allows the app to read access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.", + "displayName": "Read all access reviews that user can access", + "id": "ebfcd32b-babb-40f4-a14b-42706e83bd28", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read information on access reviews, reviewers, decisions and settings that you have access to.", + "userConsentDisplayName": "Read access reviews that you can access", + "value": "AccessReview.Read.All" + }, + { + "description": "Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.", + "displayName": "Manage 
all access reviews that user can access", + "id": "e4aa47b9-9a69-4109-82ed-36ec70d85ff1", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update and perform action on access reviews, reviewers, decisions and settings that you have access to.", + "userConsentDisplayName": "Manage access reviews that you can access", + "value": "AccessReview.ReadWrite.All" + }, + { + "description": "Allows the app to read programs and program controls that the signed-in user has access to in the organization.", + "displayName": "Read all programs that user can access", + "id": "c492a2e1-2f8f-4caa-b076-99bbf6e40fe4", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read information on programs and program controls that you have access to.", + "userConsentDisplayName": "Read programs that you can access", + "value": "ProgramControl.Read.All" + }, + { + "description": "Allows the app to read, update, delete and perform actions on programs and program controls that the signed-in user has access to in the organization.", + "displayName": "Manage all programs that user can access", + "id": "50fd364f-9d93-4ae1-b170-300e87cccf84", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update and perform action on programs and program controls that you have access to.", + "userConsentDisplayName": "Manage programs that you can access", + "value": "ProgramControl.ReadWrite.All" + }, + { + "description": "Allows the app to create, read, update, and delete apps in the app catalogs.", + "displayName": "Read and write to all app catalogs", + "id": "1ca167d5-1655-44a1-8adf-1414072e1ef9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create, read, update, and delete apps in the app catalogs.", + "userConsentDisplayName": "Read and write to all app catalogs", + "value": "AppCatalog.ReadWrite.All" + }, + { + "description": "Allows the app to request and manage just in time elevation (including 
scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users.", + "displayName": "Read and write privileged access to Azure AD", + "id": "3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to request and manage just in time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on your behalf.", + "userConsentDisplayName": "Read and write privileged access to Azure AD", + "value": "PrivilegedAccess.ReadWrite.AzureAD" + }, + { + "description": "Allows the app to read terms of use agreements on behalf of the signed-in user.", + "displayName": "Read all terms of use agreements", + "id": "af2819c9-df71-4dd3-ade7-4d7c9dc653b7", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read terms of use agreements on your behalf.", + "userConsentDisplayName": "Read all terms of use agreements", + "value": "Agreement.Read.All" + }, + { + "description": "Allows the app to read and write terms of use agreements on behalf of the signed-in user.", + "displayName": "Read and write all terms of use agreements", + "id": "ef4b5d93-3104-4664-9053-a5c49ab44218", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write terms of use agreements on your behalf.", + "userConsentDisplayName": "Read and write all terms of use agreements", + "value": "Agreement.ReadWrite.All" + }, + { + "description": "Allows the app to read terms of use acceptance statuses on behalf of the signed-in user.", + "displayName": "Read user terms of use acceptance statuses", + "id": "0b7643bb-5336-476f-80b5-18fbfbc91806", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your terms of use acceptance statuses.", + "userConsentDisplayName": "Read your terms of use acceptance statuses", + "value": "AgreementAcceptance.Read" + }, + { + "description": "Allows the app to read terms of use acceptance statuses on 
behalf of the signed-in user.", + "displayName": "Read terms of use acceptance statuses that user can access", + "id": "a66a5341-e66e-4897-9d52-c2df58c2bfb9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read terms of use acceptance statuses on your behalf.", + "userConsentDisplayName": "Read all terms of use acceptance statuses", + "value": "AgreementAcceptance.Read.All" + }, + { + "description": "Read activity data for your organization", + "displayName": "Allows the application to read activity data for your organization.", + "id": "594c1fb6-4f81-4475-ae41-0c394909246c", + "Origin": "Delegated (Office 365 Management)", + "userConsentDescription": "Read activity data for your organization", + "userConsentDisplayName": "Allows the application to read activity data for your organization.", + "value": "ActivityFeed.Read" + }, + { + "description": "Allows the app to read and query your audit log activities, on behalf of the signed-in user.", + "displayName": "Read audit log data", + "id": "e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and query your audit log activities, on your behalf.", + "userConsentDisplayName": "Read audit log data", + "value": "AuditLog.Read.All" + }, + { + "description": "Allows the app to read and report the signed-in user's activity in the app.", + "displayName": "Read and write app activity to users' activity feed", + "id": "47607519-5fb1-47d9-99c7-da4b48f369b1", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and report your activity in the app.", + "userConsentDisplayName": "Read and write app activity to your activity feed", + "value": "UserActivity.ReadWrite.CreatedByApp" + }, + { + "description": "Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.", + "displayName": "Read Microsoft Intune Device Configuration and 
Policies", + "id": "f1493658-876a-4c87-8fa7-edb559b3476a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.", + "userConsentDisplayName": "Read Microsoft Intune Device Configuration and Policies", + "value": "DeviceManagementConfiguration.Read.All" + }, + { + "description": "Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.", + "displayName": "Read and write Microsoft Intune Device Configuration and Policies", + "id": "0883f392-0a7a-443d-8c76-16a6d39c7b63", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.", + "userConsentDisplayName": "Read and write Microsoft Intune Device Configuration and Policies", + "value": "DeviceManagementConfiguration.ReadWrite.All" + }, + { + "description": "Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.", + "displayName": "Read Microsoft Intune apps", + "id": "4edf5f54-4666-44af-9de9-0144fb4b6e8c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.", + "userConsentDisplayName": "Read Microsoft Intune apps", + "value": "DeviceManagementApps.Read.All" + }, + { + "description": "Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.", + "displayName": "Read and write Microsoft Intune apps", + "id": "7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af", + "Origin": "Delegated", + 
"userConsentDescription": "Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.", + "userConsentDisplayName": "Read and write Microsoft Intune apps", + "value": "DeviceManagementApps.ReadWrite.All" + }, + { + "description": "Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.", + "displayName": "Read Microsoft Intune RBAC settings", + "id": "49f0cc30-024c-4dfd-ab3e-82e137ee5431", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.", + "userConsentDisplayName": "Read Microsoft Intune RBAC settings", + "value": "DeviceManagementRBAC.Read.All" + }, + { + "description": "Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.", + "displayName": "Read and write Microsoft Intune RBAC settings", + "id": "0c5e8a55-87a6-4556-93ab-adc52c4d862d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.", + "userConsentDisplayName": "Read and write Microsoft Intune RBAC settings", + "value": "DeviceManagementRBAC.ReadWrite.All" + }, + { + "description": "Allows the app to read the properties of devices managed by Microsoft Intune.", + "displayName": "Read Microsoft Intune devices", + "id": "314874da-47d6-4978-88dc-cf0d37f0bb82", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the properties of devices managed by Microsoft Intune.", + "userConsentDisplayName": "Read devices Microsoft Intune devices", + "value": "DeviceManagementManagedDevices.Read.All" + }, + { + "description": "Allows the app to read and write the properties of devices managed by Microsoft Intune. 
Does not allow high impact operations such as remote wipe and password reset on the device\u2019s owner.", + "displayName": "Read and write Microsoft Intune devices", + "id": "44642bfe-8385-4adc-8fc6-fe3cb2c375c3", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device\u2019s owner.", + "userConsentDisplayName": "Read and write Microsoft Intune devices", + "value": "DeviceManagementManagedDevices.ReadWrite.All" + }, + { + "description": "Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.", + "displayName": "Perform user-impacting remote actions on Microsoft Intune devices", + "id": "3404d2bf-2b13-457e-a330-c24615765193", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.", + "userConsentDisplayName": "Perform user-impacting remote actions on Microsoft Intune devices", + "value": "DeviceManagementManagedDevices.PrivilegedOperations.All" + }, + { + "description": "Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration.", + "displayName": "Read and write Microsoft Intune configuration", + "id": "662ed50a-ac44-4eef-ad86-62eed9be2a29", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration.", + "userConsentDisplayName": "Read and write Microsoft Intune configuration", + "value": "DeviceManagementServiceConfig.ReadWrite.All" + }, + { + "description": "Allows the app to read Microsoft Intune service properties including device 
enrollment and third party service connection configuration.", + "displayName": "Read Microsoft Intune configuration", + "id": "8696daa5-bce5-4b2e-83f9-51b6defc4e1e", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration.", + "userConsentDisplayName": "Read Microsoft Intune configuration", + "value": "DeviceManagementServiceConfig.Read.All" + }, + { + "description": "Allows the app to read your organization\u2019s security events on behalf of the signed-in user.", + "displayName": "Read your organization\u2019s security events", + "id": "64733abd-851e-478a-bffb-e47a14b18235", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your organization\u2019s security events on your behalf.", + "userConsentDisplayName": "Read your organization\u2019s security events", + "value": "SecurityEvents.Read.All" + }, + { + "description": "Allows the app to read your organization\u2019s security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user.", + "displayName": "Read and update your organization\u2019s security events", + "id": "6aedf524-7e1c-45a7-bd76-ded8cab8d0fc", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your organization\u2019s security events on your behalf. Also allows you to update editable properties in security events.", + "userConsentDisplayName": "Read and update your organization\u2019s security events", + "value": "SecurityEvents.ReadWrite.All" + }, + { + "description": "Allows the app to read a scored list of relevant people of the signed-in user or other users in the signed-in user's organization. 
The list can include local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).", + "displayName": "Read all users' relevant people lists", + "id": "b89f9189-71a5-4e70-b041-9887f0bc7e4a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read a list of people in the order that is most relevant to you. Allows the app to read a list of people in the order that is most relevant to another user in your organization. These can include local contacts, contacts from social networking, people listed in your organization\u2019s directory, and people from recent communications.", + "userConsentDisplayName": "Read all users\u2019 relevant people lists", + "value": "People.Read.All" + }, + { + "description": "Manage the state and settings of all Microsoft education apps on behalf of the user.", + "displayName": "Manage education app settings", + "id": "63589852-04e3-46b4-bae9-15d5b1050748", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage the state and settings of all Microsoft education apps on your behalf.", + "userConsentDisplayName": "Manage your education app settings", + "value": "EduAdministration.ReadWrite" + }, + { + "description": "Read the state and settings of all Microsoft education apps on behalf of the user.", + "displayName": "Read education app settings", + "id": "8523895c-6081-45bf-8a5d-f062a2f12c9f", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to view the state and settings of all Microsoft education apps on your behalf.", + "userConsentDisplayName": "View your education app settings", + "value": "EduAdministration.Read" + }, + { + "description": "Allows the app to read and write assignments and their grades on behalf of the user.", + "displayName": "Read and write users' class assignments and their grades", + "id": "2f233e90-164b-4501-8bce-31af2559a2d3", + "Origin": "Delegated", + 
"userConsentDescription": "Allows the app to view and modify your assignments on your behalf including \u00a0grades.", + "userConsentDisplayName": "View and modify your assignments and grades", + "value": "EduAssignments.ReadWrite" + }, + { + "description": "Allows the app to read assignments and their grades on behalf of the user.", + "displayName": "Read users' class assignments and their grades", + "id": "091460c9-9c4a-49b2-81ef-1f3d852acce2", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to view your assignments on your behalf including grades.", + "userConsentDisplayName": "View your assignments and grades", + "value": "EduAssignments.Read" + }, + { + "description": "Allows the app to read and write assignments without grades on behalf of the user.", + "displayName": "Read and write users' class assignments without grades", + "id": "2ef770a1-622a-47c4-93ee-28d6adbed3a0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to view and modify your assignments on your behalf without seeing grades.", + "userConsentDisplayName": "View and modify your assignments without grades", + "value": "EduAssignments.ReadWriteBasic" + }, + { + "description": "Allows the app to read assignments without grades on behalf of the user.", + "displayName": "Read users' class assignments without grades", + "id": "c0b0103b-c053-4b2e-9973-9f3a544ec9b8", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to view your assignments on your behalf without seeing grades.", + "userConsentDisplayName": "View your assignments without grades", + "value": "EduAssignments.ReadBasic" + }, + { + "description": "Allows the app to read and write the structure of schools and classes in an organization's roster and education-specific information about users to be read and written on behalf of the user.", + "displayName": "Read and write users' view of the roster", + "id": "359e19a6-e3fa-4d7f-bcab-d28ec592b51e", + "Origin": "Delegated", + 
"userConsentDescription": "Allows the app to view and modify information about schools and classes in your organization and education-related information about you and other users on your behalf.", + "userConsentDisplayName": "View and modify your school, class and user information", + "value": "EduRoster.ReadWrite" + }, + { + "description": "Allows the app to read the structure of schools and classes in an organization's roster and education-specific information about users to be read on behalf of the user.", + "displayName": "Read users' view of the roster", + "id": "a4389601-22d9-4096-ac18-36a927199112", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to view information about schools and classes in your organization and education-related information about you and other users on your behalf.", + "userConsentDisplayName": "View your school, class and user information", + "value": "EduRoster.Read" + }, + { + "description": "Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization's roster and a limited subset of properties about users to be read on behalf of the user.\u00a0Includes name, status, education role, email address and photo.", + "displayName": "Read a limited subset of users' view of the roster", + "id": "5d186531-d1bf-4f07-8cea-7c42119e1bd9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to view minimal \u00a0information about both schools and classes in your organization and education-related information about you and other users on your behalf.", + "userConsentDisplayName": "View a limited subset of your school, class and user information", + "value": "EduRoster.ReadBasic" + }, + { + "description": "Allows the app to report the signed-in user's app activity information to Microsoft Timeline.", + "displayName": "Write app activity to users' timeline", + "id": "367492fc-594d-4972-a9b5-0d58c622c91c", + "Origin": "Delegated", + 
"userConsentDescription": "Allows the app to report your app activity information to Microsoft Timeline.", + "userConsentDisplayName": "Write app activity to your timeline", + "value": "UserTimelineActivity.Write.CreatedByApp" + }, + { + "description": "Allows the app to create, read, update, and delete user's mailbox settings. Does not include permission to send mail.", + "displayName": "Read and write user mailbox settings", + "id": "818c620a-27a9-40bd-a6a5-d96f7d610b4b", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create, and delete your mailbox settings.", + "userConsentDisplayName": "Read and write to your mailbox settings", + "value": "MailboxSettings.ReadWrite" + }, + { + "description": "Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user.", + "displayName": "Communicate with user devices", + "id": "bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to launch another app or communicate with another app on a device that you own.", + "userConsentDisplayName": "Communicate with your other devices", + "value": "Device.Command" + }, + { + "description": "Allows the app to read a user's list of devices on behalf of the signed-in user.", + "displayName": "Read user devices", + "id": "11d4cd79-5ba5-460f-803f-e22c8ab85ccd", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to see your list of devices.", + "userConsentDisplayName": "View your list of devices", + "value": "Device.Read" + }, + { + "description": "Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization.", + "displayName": "Read and write all OneNote notebooks that user can access", + "id": "64ac0503-b4fa-45d9-b544-71a463f05da0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, share, and modify all the OneNote notebooks that you 
have access to.", + "userConsentDisplayName": "Read and write all OneNote notebooks that you can access", + "value": "Notes.ReadWrite.All" + }, + { + "description": "Allows the app to read OneNote notebooks that the signed-in user has access to in the organization.", + "displayName": "Read all OneNote notebooks that user can access", + "id": "dfabfca6-ee36-4db2-8208-7a28381419b3", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all the OneNote notebooks that you have access to.", + "userConsentDisplayName": "Read all OneNote notebooks that you can access", + "value": "Notes.Read.All" + }, + { + "description": "Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user.", + "displayName": "Read and write user OneNote notebooks", + "id": "615e26af-c38a-4150-ae3e-c3b0d4cb1d6a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, share, and modify OneNote notebooks on your behalf.", + "userConsentDisplayName": "Read and write your OneNote notebooks", + "value": "Notes.ReadWrite" + }, + { + "description": "Allows the app to read OneNote notebooks on behalf of the signed-in user.", + "displayName": "Read user OneNote notebooks", + "id": "371361e4-b9e2-4a3f-8315-2a301a3b0a3d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read OneNote notebooks on your behalf.", + "userConsentDisplayName": "Read your OneNote notebooks", + "value": "Notes.Read" + }, + { + "description": "This is deprecated! Do not use! This permission no longer has any effect. You can safely consent to it. No additional privileges will be granted to the app.", + "displayName": "Limited notebook access (deprecated)", + "id": "ed68249d-017c-4df5-9113-e684c7f8760b", + "Origin": "Delegated", + "userConsentDescription": "This permission no longer has any effect. You can safely consent to it. 
No additional privileges will be granted to the app.", + "userConsentDisplayName": "Limited access to your OneNote notebooks for this app (preview)", + "value": "Notes.ReadWrite.CreatedByApp" + }, + { + "description": "Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user.", + "displayName": "Create user OneNote notebooks", + "id": "9d822255-d64d-4b7a-afdb-833b9a97ed02", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to view the titles of your OneNote notebooks and sections and to create new pages, notebooks, and sections on your behalf.", + "userConsentDisplayName": "Create your OneNote notebooks", + "value": "Notes.Create" + }, + { + "description": "Allows the app to invite guest users to the organization, on behalf of the signed-in user.", + "displayName": "Invite guest users to the organization", + "id": "63dd7cd9-b489-4adf-a28c-ac38b9a0f962", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to invite guest users to the organization, on your behalf.", + "userConsentDisplayName": "Invite guest users to the organization", + "value": "User.Invite.All" + }, + { + "description": "Allows the app to the read user's mailbox settings. Does not include permission to send mail.", + "displayName": "Read user mailbox settings", + "id": "87f447af-9fa4-4c32-9dfa-4a57a73d18ce", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your mailbox settings.", + "userConsentDisplayName": "Read your mailbox settings", + "value": "MailboxSettings.Read" + }, + { + "description": "(Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file.", + "displayName": "Read files that the user selects (preview)", + "id": "5447fe39-cb82-4c1a-b977-520e67e724eb", + "Origin": "Delegated", + "userConsentDescription": "(Preview) Allows the app to read files that you select. 
After you select a file, the app has access to the file for several hours.", + "userConsentDisplayName": "Read selected files", + "value": "Files.Read.Selected" + }, + { + "description": "(Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file.", + "displayName": "Read and write files that the user selects (preview)", + "id": "17dde5bd-8c17-420f-a486-969730c1b827", + "Origin": "Delegated", + "userConsentDescription": "(Preview) Allows the app to read and write files that you select. After you select a file, the app has access to the file for several hours.", + "userConsentDisplayName": "Read and write selected files", + "value": "Files.ReadWrite.Selected" + }, + { + "description": "(Preview) Allows the app to read, create, update and delete files in the application's folder.", + "displayName": "Have full access to the application's folder (preview)", + "id": "8019c312-3263-48e6-825e-2b833497195b", + "Origin": "Delegated", + "userConsentDescription": "(Preview) Allows the app to read, create, update and delete files in the application's folder.", + "userConsentDisplayName": "Have full access to the application's folder", + "value": "Files.ReadWrite.AppFolder" + }, + { + "description": "Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.", + "displayName": "Read all usage reports", + "id": "02e97553-ed7b-43d0-ab3c-f8bace0d040c", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read all service usage reports on your behalf. 
Services that provide usage reports include Office 365 and Azure Active Directory.", + "userConsentDisplayName": "Read all usage reports", + "value": "Reports.Read.All" + }, + { + "description": "Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user.", + "displayName": "Edit or delete items in all site collections", + "id": "89fe6a52-be36-487e-b7d8-d061c450a026", + "Origin": "Delegated", + "userConsentDescription": "Allow the application to edit or delete documents and list items in all site collections on your behalf.", + "userConsentDisplayName": "Edit or delete items in all site collections", + "value": "Sites.ReadWrite.All" + }, + { + "description": "Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks.", + "displayName": "Read and write user and shared tasks", + "id": "c5ddf11b-c114-4886-8558-8a4e557cd52b", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create, and delete tasks you have permissions to access, including your own and shared tasks.", + "userConsentDisplayName": "Read and write to your and shared tasks", + "value": "Tasks.ReadWrite.Shared" + }, + { + "description": "Allows the app to read tasks a user has permissions to access, including their own and shared tasks.", + "displayName": "Read user and shared tasks", + "id": "88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read tasks you have permissions to access, including your own and shared tasks.", + "userConsentDisplayName": "Read your and shared tasks", + "value": "Tasks.Read.Shared" + }, + { + "description": "Allows the app to create, read, update, and delete contacts a user has permissions to, including their own and shared contacts.", + "displayName": "Read and write user and shared contacts", + "id": "afb6c84b-06be-49af-80bb-8f3f77004eab", + "Origin": 
"Delegated", + "userConsentDescription": "Allows the app to read, update, create, and delete contacts you have permissions to access, including your own and shared contacts.", + "userConsentDisplayName": "Read and write to your and shared contacts", + "value": "Contacts.ReadWrite.Shared" + }, + { + "description": "Allows the app to read contacts a user has permissions to access, including their own and shared contacts.", + "displayName": "Read user and shared contacts", + "id": "242b9d9e-ed24-4d09-9a52-f43769beb9d4", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read contacts you have permissions to access, including your own and shared contacts.", + "userConsentDisplayName": "Read your and shared contacts", + "value": "Contacts.Read.Shared" + }, + { + "description": "Allows the app to create, read, update and delete events in all calendars in the organization user has permissions to access. This includes delegate and shared calendars.", + "displayName": "Read and write user and shared calendars", + "id": "12466101-c9b8-439a-8589-dd09ee67e8e9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create and delete events in all calendars in your organization you have permissions to access. 
This includes delegate and shared calendars.", + "userConsentDisplayName": "Read and write to your and shared calendars", + "value": "Calendars.ReadWrite.Shared" + }, + { + "description": "Allows the app to read events in all calendars that the user can access, including delegate and shared calendars.", + "displayName": "Read user and shared calendars", + "id": "2b9c4092-424d-4249-948d-b43879977640", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read events in all calendars that you can access, including delegate and shared calendars.\u00a0", + "userConsentDisplayName": "Read calendars\u00a0you can access", + "value": "Calendars.Read.Shared" + }, + { + "description": "Allows the app to send mail as the signed-in user, including sending on-behalf of others.", + "displayName": "Send mail on behalf of others", + "id": "a367ab51-6b49-43bf-a716-a1fb06d2a174", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to send mail as you or on-behalf of someone else.", + "userConsentDisplayName": "Send mail on behalf of others or yourself", + "value": "Mail.Send.Shared" + }, + { + "description": "Allows the app to create, read, update, and delete mail a user has permission to access, including their own and shared mail. Does not include permission to send mail.", + "displayName": "Read and write user and shared mail", + "id": "5df07973-7d5d-46ed-9847-1271055cbd51", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create, and delete mail you have permission to access, including your own and shared mail. 
Does not allow the app to send mail on your behalf.", + "userConsentDisplayName": "Read and write mail\u00a0you can access", + "value": "Mail.ReadWrite.Shared" + }, + { + "description": "Allows the app to read mail a user can access, including their own and shared mail.", + "displayName": "Read user and shared mail", + "id": "7b9103a5-4610-446b-9670-80643382c1fa", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read mail you can access, including shared mail.", + "userConsentDisplayName": "Read mail you can access", + "value": "Mail.Read.Shared" + }, + { + "description": "Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.", + "displayName": "Sign in and read user profile", + "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", + "Origin": "Delegated", + "userConsentDescription": "Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.", + "userConsentDisplayName": "Sign you in and read your profile", + "value": "User.Read" + }, + { + "description": "Allows the app to read your profile. It also allows the app to update your profile information on your behalf.", + "displayName": "Read and write access to user profile", + "id": "b4e74841-8e56-480b-be8b-910348b18b4c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your profile, and discover your group membership, reports and manager. It also allows the app to update your profile information on your behalf.", + "userConsentDisplayName": "Read and update your profile", + "value": "User.ReadWrite" + }, + { + "description": "Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. 
This includes display name, first and last name, email address and photo.", + "displayName": "Read all users' basic profiles", + "id": "b340eb25-3456-403f-be2f-af7a0d370277", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read a basic set of profile properties of other users in your organization on your behalf. Includes display name, first and last name, email address and photo.", + "userConsentDisplayName": "Read all users' basic profiles", + "value": "User.ReadBasic.All" + }, + { + "description": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.", + "displayName": "Read all users' full profiles", + "id": "a154be20-db9c-4678-8ab7-66f6cc099a59", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.", + "userConsentDisplayName": "Read all users' full profiles", + "value": "User.Read.All" + }, + { + "description": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.", + "displayName": "Read and write all users' full profiles", + "id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.", + "userConsentDisplayName": "Read and write all users' full profiles", + "value": "User.ReadWrite.All" + }, + { + "description": "Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. 
", + "displayName": "Read all groups", + "id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to list groups, and to read their properties and all group memberships on your behalf. Also allows the app to read calendar, conversations, files, and other group content for all groups you can access. ", + "userConsentDisplayName": "Read all groups", + "value": "Group.Read.All" + }, + { + "description": "Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.", + "displayName": "Read and write all groups", + "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create groups and read all group properties and memberships on your behalf. Additionally allows the app to manage your groups and to update group content for groups you are a member of.", + "userConsentDisplayName": "Read and write all groups", + "value": "Group.ReadWrite.All" + }, + { + "description": "Allows the app to read data in your organization's directory, such as users, groups and apps.", + "displayName": "Read directory data", + "id": "06da0dbc-49e2-44d2-8312-53f166ab848a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read data in your organization's directory.", + "userConsentDisplayName": "Read directory data", + "value": "Directory.Read.All" + }, + { + "description": "Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords.", + "displayName": "Read and write directory data", + "id": "c5366453-9fb0-48a5-a156-24f0c49a4b84", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write data in your organization's directory, such as other users, groups. 
It does not allow the app to delete users or groups, or reset user passwords.", + "userConsentDisplayName": "Read and write directory data", + "value": "Directory.ReadWrite.All" + }, + { + "description": "Allows the app to have the same access to information in the directory as the signed-in user.", + "displayName": "Access directory as the signed in user", + "id": "0e263e50-5827-48a4-b97c-d940288653c7", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to have the same access to information in your work or school directory as you do.", + "userConsentDisplayName": "Access the directory as you", + "value": "Directory.AccessAsUser.All" + }, + { + "description": "Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. ", + "displayName": "Read and write access to user mail ", + "id": "024d486e-b451-40bb-833d-3e66d98c5c73", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail. ", + "userConsentDisplayName": "Read and write access to your mail ", + "value": "Mail.ReadWrite" + }, + { + "description": "Allows the app to send mail as users in the organization. ", + "displayName": "Send mail as a user ", + "id": "e383f46e-2787-4529-855e-0e479a3ffac0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to send mail as you. ", + "userConsentDisplayName": "Send mail as you ", + "value": "Mail.Send" + }, + { + "description": "Allows the app to read events in user calendars . ", + "displayName": "Read user calendars ", + "id": "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read events in your calendars. ", + "userConsentDisplayName": "Read your calendars ", + "value": "Calendars.Read" + }, + { + "description": "Allows the app to create, read, update, and delete events in user calendars. 
", + "displayName": "Have full access to user calendars ", + "id": "1ec239c2-d7c9-4623-a91a-a9775856bb36", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create and delete events in your calendars. ", + "userConsentDisplayName": "Have full access to your calendars ", + "value": "Calendars.ReadWrite" + }, + { + "description": "Allows the app to read user contacts. ", + "displayName": "Read user contacts ", + "id": "ff74d97f-43af-4b68-9f2a-b77ee6968c5d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read contacts in your contact folders. ", + "userConsentDisplayName": "Read your contacts ", + "value": "Contacts.Read" + }, + { + "description": "Allows the app to create, read, update, and delete user contacts. ", + "displayName": "Have full access to user contacts ", + "id": "d56682ec-c09e-4743-aaf4-1a3aac4caa21", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create and delete contacts in your contact folders. 
", + "userConsentDisplayName": "Have full access of your contacts ", + "value": "Contacts.ReadWrite" + }, + { + "description": "Allows the app to read the signed-in user's files.", + "displayName": "Read user files", + "id": "10465720-29dd-4523-a11a-6a75c743c9d9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your files.", + "userConsentDisplayName": "Read your files", + "value": "Files.Read" + }, + { + "description": "Allows the app to read, create, update and delete the signed-in user's files.", + "displayName": "Have full access to user files", + "id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, create, update, and delete your files.", + "userConsentDisplayName": "Have full access to your files", + "value": "Files.ReadWrite" + }, + { + "description": "Allows the app to read all files the signed-in user can access.", + "displayName": "Read all files that user can access", + "id": "df85f4d6-205c-4ac5-a5ea-6bf408dba283", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all files you can access.", + "userConsentDisplayName": "Read all files that you have access to", + "value": "Files.Read.All" + }, + { + "description": "Allows the app to read, create, update and delete all files the signed-in user can access.", + "displayName": "Have full access to all files user can access", + "id": "863451e7-0667-486c-a5d6-d135439485f0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, create, update and delete all files that you can access.", + "userConsentDisplayName": "Have full access to all files you have access to", + "value": "Files.ReadWrite.All" + }, + { + "description": "Allows the application to read documents and list items in all site collections on behalf of the signed-in user", + "displayName": "Read items in all site collections", + "id": "205e70e5-aba6-4c52-a976-6d2d46c48043", + "Origin": "Delegated", + 
"userConsentDescription": "Allow the application to read documents and list items in all site collections on your behalf", + "userConsentDisplayName": "Read items in all site collections", + "value": "Sites.Read.All" + }, + { + "description": "Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.", + "displayName": "Sign users in", + "id": "37f7f235-527c-4136-accd-4a02d197296e", + "Origin": "Delegated", + "userConsentDescription": "Allows you to sign in to the app with your work or school account and allows the app to read your basic profile information.", + "userConsentDisplayName": "Sign in as you", + "value": "openid" + }, + { + "description": "Allows the app to read your users' primary email address", + "displayName": "View users' email address", + "id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your primary email address", + "userConsentDisplayName": "View your email address", + "value": "email" + }, + { + "description": "Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. ", + "displayName": "Read identity risk event information", + "id": "8f6a01e7-0391-4ee5-aa22-a3af122cef27", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. 
", + "userConsentDisplayName": "Read identity risk event information", + "value": "IdentityRiskEvent.Read.All" + }, + { + "description": "Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to.", + "displayName": "Read hidden memberships", + "id": "f6a3db3e-f7e8-4ed2-a414-557c8c9830be", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the memberships of hidden groups or administrative units on your behalf, for those hidden groups or adminstrative units that you have access to.", + "userConsentDisplayName": "Read your hidden memberships", + "value": "Member.Read.Hidden" + }, + { + "description": "Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).", + "displayName": "Read users' relevant people lists", + "id": "ba47897c-39ec-4d83-8086-ee8256fa737d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read a list of people in the order that's most relevant to you. 
This includes your local contacts, your contacts from social networking, people listed in your organization's directory, and people from recent communications.", + "userConsentDisplayName": "Read your relevant people list", + "value": "People.Read" + }, + { + "description": "Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user.", + "displayName": "Create, edit, and delete items and lists in all site collections", + "id": "65e50fdc-43b7-4915-933e-e8138f11f40a", + "Origin": "Delegated", + "userConsentDescription": "Allow the application to create or delete document libraries and lists in all site collections on your behalf.", + "userConsentDisplayName": "Create, edit, and delete items and lists in all your site collections", + "value": "Sites.Manage.All" + }, + { + "description": "Allows the application to have full control of all site collections on behalf of the signed-in user.", + "displayName": "Have full control of all site collections", + "id": "5a54b8b3-347c-476d-8f8e-42d5c7424d29", + "Origin": "Delegated", + "userConsentDescription": "Allow the application to have full control of all site collections on your behalf.", + "userConsentDisplayName": "Have full control of all your site collections", + "value": "Sites.FullControl.All" + }, + { + "description": "Allows the app to read and write your organization\u2019s identity (authentication) providers\u2019 properties on behalf of the user.", + "displayName": "Read and write identity providers", + "id": "f13ce604-1677-429f-90bd-8a10b9f01325", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization\u2019s identity (authentication) providers\u2019 properties on your behalf.", + "userConsentDisplayName": "Read and write identity providers", + "value": "IdentityProvider.ReadWrite.All" + }, + { + "description": "Allows the app to read your organization\u2019s identity (authentication) 
providers\u2019 properties on behalf of the user.", + "displayName": "Read identity providers", + "id": "43781733-b5a7-4d1b-98f4-e8edff23e1a9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your organization\u2019s identity (authentication) providers\u2019 properties on your behalf.", + "userConsentDisplayName": "Read identity providers", + "value": "IdentityProvider.Read.All" + }, + { + "description": "Allows an app to read bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.", + "displayName": "Read bookings information", + "id": "33b1df99-4b29-4548-9339-7a7b83eaeebc", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read bookings appointments, businesses, customers, services, and staff on your behalf.", + "userConsentDisplayName": "Read bookings information", + "value": "Bookings.Read.All" + }, + { + "description": "Allows an app to read and write bookings appointments and customers, and additionally allows read businesses information, services, and staff on behalf of the signed-in user.", + "displayName": "Read and write booking appointments", + "id": "02a5a114-36a6-46ff-a102-954d89d9ab02", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read and write bookings appointments and customers, and additionally allows read businesses information, services, and staff on your behalf.", + "userConsentDisplayName": "Read and write booking appointments", + "value": "BookingsAppointment.ReadWrite.All" + }, + { + "description": "Allows an app to read and write bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. 
Does not allow create, delete and publish of booking businesses.", + "displayName": "Read and write bookings information", + "id": "948eb538-f19d-4ec5-9ccc-f059e1ea4c72", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on your behalf. Does not allow create, delete and publish of booking businesses.", + "userConsentDisplayName": "Read and write bookings information", + "value": "Bookings.ReadWrite.All" + }, + { + "description": "Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.", + "displayName": "Manage bookings information", + "id": "7f36b48e-542f-4d3b-9bcb-8406f0ab9fdb", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on your behalf.", + "userConsentDisplayName": "Manage bookings information", + "value": "Bookings.Manage.All" + }, + { + "description": "Allows the app to have the same access to mailboxes as the signed-in user via Exchange ActiveSync.", + "displayName": "Access mailboxes via Exchange ActiveSync", + "id": "ff91d191-45a0-43fd-b837-bd682c4a0b0f", + "Origin": "Delegated", + "userConsentDescription": "Allows the app full access to your mailboxes on your behalf.", + "userConsentDisplayName": "Access your mailboxes", + "value": "EAS.AccessAsUser.All" + }, + { + "description": "Allows the app to read and write financials data on behalf of the signed-in user.", + "displayName": "Read and write financials data", + "id": "f534bf13-55d4-45a9-8f3c-c92fe64d6131", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write financials data on your behalf.", + "userConsentDisplayName": "Read and write financials data", + "value": "Financials.ReadWrite.All" + }, + { + "description": "Allows the app to read your organization's user flows, on 
behalf of the signed-in user.", + "displayName": "Read all identity user flows", + "id": "2903d63d-4611-4d43-99ce-a33f3f52e343", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your organization's user flows, on your behalf.", + "userConsentDisplayName": "Read all identity user flows", + "value": "IdentityUserFlow.Read.All" + }, + { + "description": "Allows the app to read or write your organization's user flows, on behalf of the signed-in user.", + "displayName": "Read and write all identity user flows", + "id": "281892cc-4dbf-4e3a-b6cc-b21029bb4e82", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read or write your organization's user flows, on your behalf.", + "userConsentDisplayName": "Read and write all identity user flows", + "value": "IdentityUserFlow.ReadWrite.All" + }, + { + "description": "Allows the app to read all organizational contacts on behalf of the signed-in user. \u00a0These contacts are managed by the organization and are different from a user's personal contacts.", + "displayName": "Read organizational contacts", + "id": "08432d1b-5911-483c-86df-7980af5cdee0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all organizational contacts on your behalf.\u00a0 These contacts are managed by the organization and are different from your personal contacts.", + "userConsentDisplayName": "Read organizational contacts", + "value": "OrgContact.Read.All" + }, + { + "description": "Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.", + "displayName": "Manage app permission grants and app role assignments", + "id": "84bccea3-f856-4a8a-967b-dbe0a3d53a64", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for 
any app, on your behalf.", + "userConsentDisplayName": "Manage app permission grants and app role assignments", + "value": "AppRoleAssignment.ReadWrite.All" + }, + { + "description": "Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on behalf of the signed in user.", + "displayName": "Manage all delegated permission grants", + "id": "41ce6ca6-6826-4807-84f1-1c82854f7ee5", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on your behalf. ", + "userConsentDisplayName": "Manage all delegated permission grants", + "value": "DelegatedPermissionGrant.ReadWrite.All" + }, + { + "description": "Allows the app to read online meeting details on behalf of the signed-in user.", + "displayName": "Read user's online meetings", + "id": "9be106e1-f4e3-4df5-bdff-e4bc531cbe43", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read online meeting details on your behalf.", + "userConsentDisplayName": "Read your online meetings", + "value": "OnlineMeetings.Read" + }, + { + "description": "Allows the app to read and create online meetings on behalf of the signed-in user.", + "displayName": "Read and create user's online meetings", + "id": "a65f2972-a4f8-4f5e-afd7-69ccb046d5dc", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and create online meetings on your behalf.", + "userConsentDisplayName": "Read and create your online meetings", + "value": "OnlineMeetings.ReadWrite" + }, + { + "description": "Allows the app to read the signed-in user's teamwork activity feed.", + "displayName": "Read user's teamwork activity feed", + "id": "0e755559-83fb-4b44-91d0-4cc721b9323e", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your teamwork activity feed.", + "userConsentDisplayName": "Read your teamwork activity feed", + "value": 
"TeamsActivity.Read" + }, + { + "description": "Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage Azure resources (like subscriptions, resource groups, storage, compute) on behalf of the signed-in users.", + "displayName": "Read and write privileged access to Azure resources", + "id": "a84a9652-ffd3-496e-a991-22ba5529156a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage \u00a0your Azure resources (like your subscriptions, resource groups, storage, compute) on your behalf.", + "userConsentDisplayName": "Read and write privileged access to Azure resources", + "value": "PrivilegedAccess.ReadWrite.AzureResources" + }, + { + "description": "Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user.", + "displayName": "Read privileged access to Azure AD", + "id": "b3a539c9-59cb-4ad5-825a-041ddbdc2bdb", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on your behalf.", + "userConsentDisplayName": "Read privileged access to Azure AD", + "value": "PrivilegedAccess.Read.AzureAD" + }, + { + "description": "Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user.", + "displayName": "Read privileged access to Azure AD groups", + "id": "d329c81c-20ad-4772-abf9-3f6fdb7e5988", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on your behalf.", + "userConsentDisplayName": "Read 
privileged access to Azure AD groups", + "value": "PrivilegedAccess.Read.AzureADGroup" + }, + { + "description": "Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on behalf of the signed-in user.", + "displayName": "Read privileged access to Azure resources", + "id": "1d89d70c-dcac-4248-b214-903c457af83a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on your behalf.", + "userConsentDisplayName": "Read privileged access to your Azure resources", + "value": "PrivilegedAccess.Read.AzureResources" + }, + { + "description": "Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user.", + "displayName": "Read and write privileged access to Azure AD groups", + "id": "32531c59-1f32-461f-b8df-6f8a3b89f73b", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on your behalf.", + "userConsentDisplayName": "Read and write privileged access to Azure AD groups", + "value": "PrivilegedAccess.ReadWrite.AzureADGroup" + }, + { + "description": "Allows the app to read all the indicators for your organization, on behalf of the signed-in user.", + "displayName": "Read all threat indicators", + "id": "9cc427b4-2004-41c5-aa22-757b755e9796", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all the indicators for your organization, on your behalf.", + "userConsentDisplayName": "Read all threat indicators", + "value": "ThreatIndicators.Read.All" + }, + { + "description": "Allow the app to read external datasets and content, on behalf of the signed-in user.", 
+ "displayName": "Read items in external datasets", + "id": "922f9392-b1b7-483c-a4be-0089be7704fb", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read external datasets and content that you have access to.", + "userConsentDisplayName": "Read items in external datasets", + "value": "ExternalItem.Read.All" + }, + { + "description": "Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user.", + "displayName": "Edit user's channel messages", + "id": "2b61aa8a-6d36-4b2f-ac7b-f29867937c53", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to edit channel messages in Microsoft Teams, on your behalf.", + "userConsentDisplayName": "Edit your channel messages", + "value": "ChannelMessage.Edit" + }, + { + "description": "Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user.", + "displayName": "Send channel messages", + "id": "ebf0f66e-9fb1-49e4-a278-222f76911cf4", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to send channel messages in Microsoft Teams, on your behalf.", + "userConsentDisplayName": "Send channel messages", + "value": "ChannelMessage.Send" + }, + { + "description": "Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.", + "displayName": "Read and write organization places", + "id": "4c06a06a-098a-4063-868e-5dfee3827264", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on your behalf.", + "userConsentDisplayName": "Read and write organization places", + "value": "Place.ReadWrite.All" + }, + { + "description": "Allows the app to request access to and management of access packages and related entitlement management resources on behalf of the signed-in user.", + "displayName": "Read and write 
entitlement management resources", + "id": "ae7a573d-81d7-432b-ad44-4ed5c9d89038", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to request access to and management of access packages and related entitlement management resources that you have access to.", + "userConsentDisplayName": "Read and write entitlement management resources", + "value": "EntitlementManagement.ReadWrite.All" + }, + { + "description": "Allows the app to send, read, update and delete user\u2019s notifications.", + "displayName": "Deliver and manage user's notifications", + "id": "26e2f3e8-b2a1-47fc-9620-89bb5b042024", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to send, read, update and delete your app-specific notifications.", + "userConsentDisplayName": "Deliver and manage your notifications", + "value": "UserNotification.ReadWrite.CreatedByApp" + }, + { + "description": "Allows the app to read applications and service principals on behalf of the signed-in user.", + "displayName": "Read applications", + "id": "c79f8feb-a9db-4090-85f9-90d820caa0eb", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read applications and service principals on your behalf.", + "userConsentDisplayName": "Read applications", + "value": "Application.Read.All" + }, + { + "description": "Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Does not allow management of consent grants.", + "displayName": "Read and write all applications", + "id": "bdfbf15f-ee85-4955-8675-146e8e5296b5", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create, read, update and delete applications and service principals on your behalf. 
Does not allow management of consent grants.", + "userConsentDisplayName": "Read and write applications", + "value": "Application.ReadWrite.All" + }, + { + "description": "Allows the app to read BitLocker keys on behalf of the signed-in user, for their owned devices. Allows read of the recovery key.", + "displayName": "Read BitLocker keys", + "id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read BitLocker keys for your owned devices. Allows read of the recovery key.", + "userConsentDisplayName": "Read your BitLocker keys", + "value": "BitlockerKey.Read.All" + }, + { + "description": "Allows the app to read basic BitLocker key properties on behalf of the signed-in user, for their owned devices. Does not allow read of the recovery key itself.", + "displayName": "Read BitLocker keys basic information", + "id": "5a107bfc-4f00-4e1a-b67e-66451267bc68", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read basic BitLocker key properties for your owned devices. Does not allow read of the recovery key itself.", + "userConsentDisplayName": "Read your BitLocker keys basic information", + "value": "BitlockerKey.ReadBasic.All" + }, + { + "description": "Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to.", + "displayName": "Read group memberships", + "id": "bc024368-1153-4739-b217-4326f2e966d0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to list groups, read basic group properties and read membership of all your groups.", + "userConsentDisplayName": "Read group memberships", + "value": "GroupMember.Read.All" + }, + { + "description": "Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. 
Group properties and owners cannot be updated and groups cannot be deleted.", + "displayName": "Read and write group memberships", + "id": "f81125ac-d3b7-4573-a3b2-7099cc39df9e", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to list groups, read basic properties, read and update the membership of your groups. Group properties and owners cannot be updated and groups cannot be deleted.", + "userConsentDisplayName": "Read and write group memberships", + "value": "GroupMember.ReadWrite.All" + }, + { + "description": "Allows an app to read your organization's threat assessment requests on behalf of the signed-in user. Also allows the app to create new requests to assess threats received by your organization on behalf of the signed-in user.", + "displayName": "Read and write threat assessment requests", + "id": "cac97e40-6730-457d-ad8d-4852fddab7ad", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read your organization's threat assessment requests on your behalf. 
Also allows the app to create new requests to assess threats received by your organization on your behalf.", + "userConsentDisplayName": "Read and write threat assessment requests", + "value": "ThreatAssessment.ReadWrite.All" + }, + { + "description": "Allows the app to read schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user.", + "displayName": "Read user schedule items", + "id": "fccf6dd8-5706-49fa-811f-69e2e1b585d0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on your behalf.", + "userConsentDisplayName": "Read your schedule items", + "value": "Schedule.Read.All" + }, + { + "description": "Allows the app to manage schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user.", + "displayName": "Read and write user schedule items", + "id": "63f27281-c9d9-4f29-94dd-6942f7f1feb0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on your behalf.", + "userConsentDisplayName": "Read and write your schedule items", + "value": "Schedule.ReadWrite.All" + }, + { + "description": " Allows the app to read and write authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user\u2019s phone numbers and Authenticator app settings. 
This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.", + "displayName": "Read and write all users' authentication methods.", + "id": "b7887744-6746-4312-813d-72daeaee7e2d", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write authentication methods of all users you have access to in your organization. Authentication methods include things like a user\u2019s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.", + "userConsentDisplayName": "Read and write all users' authentication methods", + "value": "UserAuthenticationMethod.ReadWrite.All" + }, + { + "description": "Allows the app to read and write the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign-in or otherwise use the signed-in user's authentication methods. ", + "displayName": "Read and write user authentication methods", + "id": "48971fc1-70d7-4245-af77-0beb29b53ee2", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your authentication methods, including phone numbers and Authenticator app settings.This does not allow the app to see secret information like your passwords, or to sign-in or otherwise use your authentication methods.", + "userConsentDisplayName": "Read and write your authentication methods", + "value": "UserAuthenticationMethod.ReadWrite" + }, + { + "description": "Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user\u2019s phone numbers and Authenticator app settings. 
This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.", + "displayName": "Read all users' authentication methods", + "id": "aec28ec7-4d02-4e8c-b864-50163aea77eb", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read authentication methods of all users you have access to in your organization. Authentication methods include things like a user\u2019s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.", + "userConsentDisplayName": "Read all users' authentication methods", + "value": "UserAuthenticationMethod.Read.All" + }, + { + "description": "Allows the app to read the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign-in or otherwise use the signed-in user's authentication methods.", + "displayName": "Read user authentication methods.", + "id": "1f6b61c5-2f65-4135-9c9f-31c0f8d32b52", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like your passwords, or to sign-in or otherwise use your authentication methods.", + "userConsentDisplayName": "Read your authentication methods.", + "value": "UserAuthenticationMethod.Read" + }, + { + "description": "Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. 
This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.", + "displayName": "Create tabs in Microsoft Teams.", + "id": "a9ff19c2-f369-4a95-9a25-ba9d460efc8e", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create tabs in any team in Microsoft Teams, on your behalf. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.", + "userConsentDisplayName": "Create tabs in Microsoft Teams.", + "value": "TeamsTab.Create" + }, + { + "description": "Read the names and settings of tabs inside any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs.", + "displayName": "Read tabs in Microsoft Teams.", + "id": "59dacb05-e88d-4c13-a684-59f1afc8cc98", + "Origin": "Delegated", + "userConsentDescription": "Read the names and settings of tabs inside any team in Microsoft Teams, on your behalf. This does not give access to the content inside the tabs.", + "userConsentDisplayName": "Read tabs in Microsoft Teams.", + "value": "TeamsTab.Read.All" + }, + { + "description": "Read and write tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs.", + "displayName": "Read and write tabs in Microsoft Teams.", + "id": "b98bfd41-87c6-45cc-b104-e2de4f0dafb9", + "Origin": "Delegated", + "userConsentDescription": "Read and write tabs in any team in Microsoft Teams, on your behalf. 
This does not give access to the content inside the tabs.", + "userConsentDisplayName": "Read and write tabs in Microsoft Teams.", + "value": "TeamsTab.ReadWrite.All" + }, + { + "description": "Allows the app to have the same access to mailboxes as the signed-in user via IMAP protocol.", + "displayName": "Read and write access to mailboxes via IMAP.", + "id": "652390e4-393a-48de-9484-05f9b1212954", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail.", + "userConsentDisplayName": "Read and write access to your mail.", + "value": "IMAP.AccessAsUser.All" + }, + { + "description": "Allows the app to have the same access to mailboxes as the signed-in user via POP protocol.", + "displayName": "Read and write access to mailboxes via POP.", + "id": "d7b7f2d9-0f45-4ea1-9d42-e50810c06991", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update, create and delete email in your mailbox. 
Does not include permission to send mail.", + "userConsentDisplayName": "Read and write access to your mail.", + "value": "POP.AccessAsUser.All" + }, + { + "description": "Allows the app to be able to send emails from the user\u2019s mailbox using the SMTP AUTH client submission protocol.", + "displayName": "Send emails from mailboxes using SMTP AUTH.", + "id": "258f6531-6087-4cc4-bb90-092c5fb3ed3f", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to send emails on your behalf from your mailbox.", + "userConsentDisplayName": "Access to sending emails from your mailbox.", + "value": "SMTP.Send" + }, + { + "description": "Allows the app to read all domain properties on behalf of the signed-in user.", + "displayName": "Read domains.", + "id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all domain properties on your behalf.", + "userConsentDisplayName": "Read domains.", + "value": "Domain.Read.All" + }, + { + "description": "Allows the app to read and write all domain properties on behalf of the signed-in user. Also allows the app to add, verify and remove domains.", + "displayName": "Read and write domains", + "id": "0b5d694c-a244-4bde-86e6-eb5cd07730fe", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write all domain properties on your behalf. Also allows the app to add, verify and remove domains.", + "userConsentDisplayName": "Read and write domains", + "value": "Domain.ReadWrite.All" + }, + { + "description": "Allows the app to read and write your organization's application configuration policies on behalf of the signed-in user. 
This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.", + "displayName": "Read and write your organization's application configuration policies", + "id": "b27add92-efb2-4f16-84f5-8108ba77985c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's application configuration policies on your behalf. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.", + "userConsentDisplayName": "Read and write your organization's application configuration policies", + "value": "Policy.ReadWrite.ApplicationConfiguration" + }, + { + "description": "Allows the app to read your organization's devices' configuration information on behalf of the signed-in user.", + "displayName": "Read all devices", + "id": "951183d1-1a61-466f-a6d1-1fde911bfd95", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read devices' configuration information on your behalf.", + "userConsentDisplayName": "Read all devices", + "value": "Device.Read.All" + }, + { + "description": "Allows the app to read, update and delete identities that are associated with a user's account that the signed-in user has access to. This controls the identities users can sign-in with.", + "displayName": "Manage user identities", + "id": "637d7bec-b31e-4deb-acc9-24275642a2c9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, update and delete identities that are associated with a user's account that you have access to. 
This controls the identities users can sign-in with.", + "userConsentDisplayName": "Manage user identities", + "value": "User.ManageIdentities.All" + }, + { + "description": "Allows the app to read access packages and related entitlement management resources on behalf of the signed-in user.", + "displayName": "Read all entitlement management resources", + "id": "5449aa12-1393-4ea2-a7c7-d0e06c1a56b2", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read access packages and related entitlement management resources that you have access to.", + "userConsentDisplayName": "Read all entitlement management resources", + "value": "EntitlementManagement.Read.All" + }, + { + "description": "Create channels in any team, on behalf of the signed-in user.", + "displayName": "Create channels", + "id": "101147cf-4178-4455-9d58-02b5c164e759", + "Origin": "Delegated", + "userConsentDescription": "Create channels in any team, on your behalf.", + "userConsentDisplayName": "Create channels", + "value": "Channel.Create" + }, + { + "description": "Delete channels in any team, on behalf of the signed-in user.", + "displayName": "Delete channels", + "id": "cc83893a-e232-4723-b5af-bd0b01bcfe65", + "Origin": "Delegated", + "userConsentDescription": "Delete channels in any team, on your behalf.", + "userConsentDisplayName": "Delete channels", + "value": "Channel.Delete.All" + }, + { + "description": "Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user.", + "displayName": "Read the names, descriptions, and settings of channels", + "id": "233e0cf1-dd62-48bc-b65b-b38fe87fcf8e", + "Origin": "Delegated", + "userConsentDescription": "Read all channel names, channel descriptions, and channel settings, on your behalf.", + "userConsentDisplayName": "Read the names, descriptions, and settings of channels", + "value": "ChannelSettings.Read.All" + }, + { + "description": "Read and write the names, descriptions, and settings of all 
channels, on behalf of the signed-in user.", + "displayName": "Read and write the names, descriptions, and settings of channels", + "id": "d649fb7c-72b4-4eec-b2b4-b15acf79e378", + "Origin": "Delegated", + "userConsentDescription": "Read and write the names, descriptions, and settings of all channels, on your behalf.", + "userConsentDisplayName": "Read and write the names, descriptions, and settings of channels", + "value": "ChannelSettings.ReadWrite.All" + }, + { + "description": "Allows the app to read all webhook subscriptions on behalf of the signed-in user.", + "displayName": "Read all webhook subscriptions ", + "id": "5f88184c-80bb-4d52-9ff2-757288b2e9b7", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read all webhook subscriptions on your behalf.", + "userConsentDisplayName": "Read all webhook subscriptions ", + "value": "Subscription.Read.All" + }, + { + "description": "Read the names and descriptions of teams, on behalf of the signed-in user.", + "displayName": "Read the names and descriptions of teams", + "id": "485be79e-c497-4b35-9400-0e3fa7f2a5d4", + "Origin": "Delegated", + "userConsentDescription": "Read the names and descriptions of teams, on your behalf.", + "userConsentDisplayName": "Read the names and descriptions of teams", + "value": "Team.ReadBasic.All" + }, + { + "description": "Read channel names and channel descriptions, on behalf of the signed-in user.", + "displayName": "Read the names and descriptions of channels", + "id": "9d8982ae-4365-4f57-95e9-d6032a4c0b87", + "Origin": "Delegated", + "userConsentDescription": "Read channel names and channel descriptions, on your behalf.", + "userConsentDisplayName": "Read the names and descriptions of channels", + "value": "Channel.ReadBasic.All" + }, + { + "description": "Read all teams' settings, on behalf of the signed-in user.", + "displayName": "Read teams' settings", + "id": "48638b3c-ad68-4383-8ac4-e6880ee6ca57", + "Origin": "Delegated", + "userConsentDescription": 
"Read all teams' settings, on your behalf.", + "userConsentDisplayName": "Read teams' settings", + "value": "TeamSettings.Read.All" + }, + { + "description": "Read and change all teams' settings, on behalf of the signed-in user.", + "displayName": "Read and change teams' settings", + "id": "39d65650-9d3e-4223-80db-a335590d027e", + "Origin": "Delegated", + "userConsentDescription": "Read and change all teams' settings, on your behalf.", + "userConsentDisplayName": "Read and change teams' settings", + "value": "TeamSettings.ReadWrite.All" + }, + { + "description": "Read the members of teams, on behalf of the signed-in user.", + "displayName": "Read the members of teams", + "id": "2497278c-d82d-46a2-b1ce-39d4cdde5570", + "Origin": "Delegated", + "userConsentDescription": "Read the members of teams, on your behalf.", + "userConsentDisplayName": "Read the members of teams", + "value": "TeamMember.Read.All" + }, + { + "description": "Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner.", + "displayName": "Add and remove members from teams", + "id": "4a06efd2-f825-4e34-813e-82a57b03d1ee", + "Origin": "Delegated", + "userConsentDescription": "Add and remove members from teams, on your behalf. 
Also allows changing a member's role, for example from owner to non-owner.", + "userConsentDisplayName": "Add and remove members from teams and channels", + "value": "TeamMember.ReadWrite.All" + }, + { + "description": "Allows the app to read consent requests and approvals on behalf of the signed-in user.", + "displayName": "Read consent requests", + "id": "f3bfad56-966e-4590-a536-82ecf548ac1e", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read consent requests and approvals, on your behalf.", + "userConsentDisplayName": "Read consent requests", + "value": "ConsentRequest.Read.All" + }, + { + "description": "Allows the app to read app consent requests and approvals, and deny or approve those requests on behalf of the signed-in user.", + "displayName": "Read and write consent requests", + "id": "497d9dfa-3bd1-481a-baab-90895e54568c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read app consent requests for your approval, and deny or approve those request on your behalf.", + "userConsentDisplayName": "Read and write consent requests", + "value": "ConsentRequest.ReadWrite.All" + }, + { + "description": "Allows the app to read and write your organization's consent requests policy on behalf of the signed-in user.", + "displayName": "Read and write consent request policy", + "id": "4d135e65-66b8-41a8-9f8b-081452c91774", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's consent request policy on your behalf.", + "userConsentDisplayName": "Read and write consent request policy", + "value": "Policy.ReadWrite.ConsentRequest" + }, + { + "description": "Allows the app to read presence information on behalf of the signed-in user. 
Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.", + "displayName": "Read user's presence information", + "id": "76bc735e-aecd-4a1d-8b4c-2b915deabb79", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your presence information on your behalf. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.", + "userConsentDisplayName": "Read your presence information", + "value": "Presence.Read" + }, + { + "description": "Allows the app to read presence information of all users in the directory on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.", + "displayName": "Read presence information of all users in your organization", + "id": "9c7a330d-35b3-4aa1-963d-cb2b9f927841", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read presence information of all users in the directory on your behalf. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.", + "userConsentDisplayName": "Read presence information of all users in your organization", + "value": "Presence.Read.All" + }, + { + "description": "Read the members of channels, on behalf of the signed-in user.", + "displayName": "Read the members of channels", + "id": "2eadaff8-0bce-4198-a6b9-2cfc35a30075", + "Origin": "Delegated", + "userConsentDescription": "Read the members of channels, on your behalf.", + "userConsentDisplayName": "Read the members of teams and channels", + "value": "ChannelMember.Read.All" + }, + { + "description": "Add and remove members from channels, on behalf of the signed-in user. 
Also allows changing a member's role, for example from owner to non-owner.", + "displayName": "Add and remove members from channels", + "id": "0c3e411a-ce45-4cd1-8f30-f99a3efa7b11", + "Origin": "Delegated", + "userConsentDescription": "Add and remove members from channels, on your behalf. Also allows changing a member's role, for example from owner to non-owner.", + "userConsentDisplayName": "Add and remove members from teams and channels", + "value": "ChannelMember.ReadWrite.All" + }, + { + "description": "Allows the app to read and write the authentication flow policies, on behalf of the signed-in user. ", + "displayName": "Read and write authentication flow policies", + "id": "edb72de9-4252-4d03-a925-451deef99db7", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write the authentication flow policies for your tenant, on your behalf.", + "userConsentDisplayName": "Read and write your authentication flow policies", + "value": "Policy.ReadWrite.AuthenticationFlows" + }, + { + "description": "Allows an app to read a channel's messages in Microsoft Teams, on behalf of the signed-in user.", + "displayName": "Read user channel messages", + "id": "767156cb-16ae-4d10-8f8b-41b657c8c8c8", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read a channel's messages in Microsoft Teams, on your behalf.", + "userConsentDisplayName": "Read your channel messages", + "value": "ChannelMessage.Read.All" + }, + { + "description": "Allows the app to read the apps in the app catalogs.", + "displayName": "Read all app catalogs", + "id": "88e58d74-d3df-44f3-ad47-e89edf4472e4", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read apps in the app catalogs.", + "userConsentDisplayName": "Read all app catalogs", + "value": "AppCatalog.Read.All" + }, + { + "description": "Allows the app to read and write the authentication method policies, on behalf of the signed-in user.\u00a0", + "displayName": "Read and write 
authentication method policies", + "id": "7e823077-d88e-468f-a337-e18f1f0e6c7c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write the authentication method policies for your tenant, on your behalf.", + "userConsentDisplayName": "Read and write your authentication method policies ", + "value": "Policy.ReadWrite.AuthenticationMethod" + }, + { + "description": "Allows the app to read and write your organization's authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.", + "displayName": "Read and write your organization's authorization policy", + "id": "edd3c878-b384-41fd-95ad-e7407dd775be", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's authorization policy on your behalf. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.", + "userConsentDisplayName": "Read and write your organization's authorization policy", + "value": "Policy.ReadWrite.Authorization" + }, + { + "description": "Allows the app to read policies related to consent and permission grants for applications, on behalf of the signed-in user.", + "displayName": "Read consent and permission grant policies", + "id": "414de6ea-2d92-462f-b120-6e2a809a6d01", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read policies related to consent and permission grants for applications, on your behalf.", + "userConsentDisplayName": "Read consent and permission grant policies", + "value": "Policy.Read.PermissionGrant" + }, + { + "description": "Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user.", + "displayName": "Manage consent and permission grant policies", + "id": "2672f8bb-fd5e-42e0-85e1-ec764dd2614e", + "Origin": "Delegated", + 
"userConsentDescription": "Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user.", + "userConsentDisplayName": "Manage consent and permission grant policies", + "value": "Policy.ReadWrite.PermissionGrant" + }, + { + "description": "Allows the application to create (register) printers on behalf of the signed-in user.\u00a0", + "displayName": "Register printers\u202f\u00a0", + "id": "90c30bed-6fd1-4279-bf39-714069619721", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to create (register) printers on your behalf.\u00a0", + "userConsentDisplayName": "Register printers\u202f\u00a0", + "value": "Printer.Create" + }, + { + "description": "Allows the application to create (register), read, update, and delete (unregister) printers on behalf of the signed-in user.\u00a0", + "displayName": "Register, read, update, and unregister printers", + "id": "93dae4bd-43a1-4a23-9a1a-92957e1d9121", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to create (register), read, update, and delete (unregister) printers on your behalf.\u00a0\u00a0", + "userConsentDisplayName": "Register, read, update, and unregister printers", + "value": "Printer.FullControl.All" + }, + { + "description": "Allows the application to read printers on behalf of the signed-in user.\u00a0", + "displayName": "Read printers", + "id": "3a736c8a-018e-460a-b60c-863b2683e8bf", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read printers on your behalf.\u00a0", + "userConsentDisplayName": "Read printers", + "value": "Printer.Read.All" + }, + { + "description": "Allows the application to read and update printers on behalf of the signed-in user.\u00a0Does not allow creating (registering) or deleting (unregistering) printers.", + "displayName": "Read and update printers", + "id": "89f66824-725f-4b8f-928e-e1c5258dc565", + "Origin": "Delegated", + 
"userConsentDescription": "Allows the application to read and update printers on your behalf.\u00a0Does not allow creating (registering) or deleting (unregistering) printers.", + "userConsentDisplayName": "Read and update printers", + "value": "Printer.ReadWrite.All" + }, + { + "description": "Allows the application to read printer shares on behalf of the signed-in user.\u00a0", + "displayName": "Read printer shares", + "id": "ed11134d-2f3f-440d-a2e1-411efada2502", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read printer shares on your behalf.\u00a0", + "userConsentDisplayName": "Read printer shares", + "value": "PrinterShare.Read.All" + }, + { + "description": "Allows the application to read and update printer shares on behalf of the signed-in user.\u00a0", + "displayName": "Read and write printer shares", + "id": "06ceea37-85e2-40d7-bec3-91337a46038f", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read and update printer shares on your behalf.\u00a0", + "userConsentDisplayName": "Read and update printer shares", + "value": "PrinterShare.ReadWrite.All" + }, + { + "description": "Allows the application to read the metadata and document content of print jobs that the signed-in user created.", + "displayName": "Read user's print jobs", + "id": "248f5528-65c0-4c88-8326-876c7236df5e", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read the metadata and document content of print jobs that you created.", + "userConsentDisplayName": "Read your print jobs", + "value": "PrintJob.Read" + }, + { + "description": "Allows the application to read the metadata and document content of print jobs on behalf of the signed-in user.\u00a0", + "displayName": "Read print jobs", + "id": "afdd6933-a0d8-40f7-bd1a-b5d778e8624b", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read the metadata and document content of print jobs on your behalf.\u00a0", + 
"userConsentDisplayName": "Read print jobs", + "value": "PrintJob.Read.All" + }, + { + "description": "Allows the application to read the metadata of print jobs that the signed-in user created. Does not allow access to print job document content.", + "displayName": "Read basic information of user's print jobs", + "id": "6a71a747-280f-4670-9ca0-a9cbf882b274", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read the metadata of print jobs that you created. Does not allow access to print job document content.", + "userConsentDisplayName": "Read basic information of your print jobs", + "value": "PrintJob.ReadBasic" + }, + { + "description": "Allows the application to read the metadata of print jobs on behalf of the signed-in user.\u00a0Does not allow access to print job document content.", + "displayName": "Read basic information of print jobs", + "id": "04ce8d60-72ce-4867-85cf-6d82f36922f3", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read the metadata of print jobs on your behalf.\u00a0Does not allow access to print job document content.", + "userConsentDisplayName": "Read basic information of print jobs", + "value": "PrintJob.ReadBasic.All" + }, + { + "description": "Allows the application to read and update the metadata and document content of print jobs that the signed-in user created.", + "displayName": "Read and write user's print jobs", + "id": "b81dd597-8abb-4b3f-a07a-820b0316ed04", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read and update the metadata and document content of print jobs that you created.", + "userConsentDisplayName": "Read and update your print jobs", + "value": "PrintJob.ReadWrite" + }, + { + "description": "Allows the application to read and update the metadata and document content of print jobs on behalf of the signed-in user.\u00a0", + "displayName": "Read and write print jobs", + "id": "036b9544-e8c5-46ef-900a-0646cc42b271", + 
"Origin": "Delegated", + "userConsentDescription": "Allows the application to read and update the metadata and document content of print jobs on your behalf.\u00a0", + "userConsentDisplayName": "Read and update print jobs", + "value": "PrintJob.ReadWrite.All" + }, + { + "description": "Allows the application to read and update the metadata of print jobs that the signed-in user created. Does not allow access to print job document content.", + "displayName": "Read and write basic information of user's print jobs", + "id": "6f2d22f2-1cb6-412c-a17c-3336817eaa82", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read and update the metadata of print jobs that you created. Does not allow access to print job document content.", + "userConsentDisplayName": "Read and write basic information of your print jobs", + "value": "PrintJob.ReadWriteBasic" + }, + { + "description": "Allows the application to read and update the metadata of print jobs on behalf of the signed-in user.\u00a0Does not allow access to print job document content.", + "displayName": "Read and write basic information of print jobs", + "id": "3a0db2f6-0d2a-4c19-971b-49109b19ad3d", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read and update the metadata of print jobs on your behalf.\u00a0Does not allow access to print job document content.", + "userConsentDisplayName": "Read and write basic information of print jobs", + "value": "PrintJob.ReadWriteBasic.All" + }, + { + "description": "Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. 
For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.", + "displayName": "Read and write your organization's device configuration policies", + "id": "40b534c3-9552-4550-901b-23879c90bcf9", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write your organization's device configuration policies on your behalf. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.", + "userConsentDisplayName": "Read and write your organization's device configuration policies", + "value": "Policy.ReadWrite.DeviceConfiguration" + }, + { + "description": "Allows the app to submit application packages to the catalog and cancel submissions that are pending review on behalf of the signed-in user.", + "displayName": "Submit application packages to the catalog and cancel pending submissions", + "id": "3db89e36-7fa6-4012-b281-85f3d9d9fd2e", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to submit application packages to the catalog and cancel submissions that are pending review on your behalf.", + "userConsentDisplayName": "Submit application packages to your organization's catalog and cancel pending submissions", + "value": "AppCatalog.Submit" + }, + { + "description": "Allows the app to read the Teams apps that are installed in chats the signed-in user can access. Does not give the ability to read application-specific settings.", + "displayName": "Read installed Teams apps in chats", + "id": "bf3fbf03-f35f-4e93-963e-47e4d874c37a", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the Teams apps that are installed in chats that you can access. 
Does not give the ability to read application-specific settings.", + "userConsentDisplayName": "Read installed Teams apps in chats", + "value": "TeamsAppInstallation.ReadForChat" + }, + { + "description": "Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings.", + "displayName": "Read installed Teams apps in teams", + "id": "5248dcb1-f83b-4ec3-9f4d-a4428a961a72", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the Teams apps that are installed in teams that you can access. Does not give the ability to read application-specific settings.", + "userConsentDisplayName": "Read installed Teams apps in teams", + "value": "TeamsAppInstallation.ReadForTeam" + }, + { + "description": "Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings.", + "displayName": "Read user's installed Teams apps", + "id": "c395395c-ff9a-4dba-bc1f-8372ba9dca84", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the Teams apps that are installed for you. Does not give the ability to read application-specific settings.", + "userConsentDisplayName": "Read your installed Teams apps", + "value": "TeamsAppInstallation.ReadForUser" + }, + { + "description": "Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings.", + "displayName": "Manage installed Teams apps in teams", + "id": "2e25a044-2580-450d-8859-42eeb6e996c0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, install, upgrade, and uninstall Teams apps in teams you can access. 
Does not give the ability to read application-specific settings.", + "userConsentDisplayName": "Manage installed Teams apps in teams", + "value": "TeamsAppInstallation.ReadWriteForTeam" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall itself in chats the signed-in user can access.", + "displayName": "Allow the Teams app to manage itself in chats", + "id": "0ce33576-30e8-43b7-99e5-62f8569a4002", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, install, upgrade, and uninstall itself in chats you can access.", + "userConsentDisplayName": "Allow the Teams app to manage itself in chats", + "value": "TeamsAppInstallation.ReadWriteSelfForChat" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall itself for the signed-in user.", + "displayName": "Allow the Teams app to manage itself for a user", + "id": "207e0cb1-3ce7-4922-b991-5a760c346ebc", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, install, upgrade, and uninstall itself for you.", + "userConsentDisplayName": "Allow the Teams app to manage itself for you", + "value": "TeamsAppInstallation.ReadWriteSelfForUser" + }, + { + "description": "Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed-in user. Does not give the ability to read application-specific settings.", + "displayName": "Manage user's installed Teams apps", + "id": "093f8818-d05f-49b8-95bc-9d2a73e9a43c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, install, upgrade, and uninstall Teams apps installed for you. 
Does not give the ability to read application-specific settings.", + "userConsentDisplayName": "Manage your installed Teams apps", + "value": "TeamsAppInstallation.ReadWriteForUser" + }, + { + "description": "Allows the app to create teams on behalf of the signed-in user.", + "displayName": "Create teams", + "id": "7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create teams on your behalf.\u00a0", + "userConsentDisplayName": "Create teams", + "value": "Team.Create" + }, + { + "description": "Add and remove members from all teams, on behalf of the signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.", + "displayName": "Add and remove members with non-owner role for all teams", + "id": "2104a4db-3a2f-4ea0-9dba-143d457dc666", + "Origin": "Delegated", + "userConsentDescription": "Add and remove members from all teams, on your behalf. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.", + "userConsentDisplayName": "Add and remove members with non-owner role for all teams", + "value": "TeamMember.ReadWriteNonOwnerRole.All" + }, + { + "description": "Allows the app to read the term store data that the signed-in user has access to. This includes all sets, groups and terms in the term store.", + "displayName": "Read term store data", + "id": "297f747b-0005-475b-8fef-c890f5152b38", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the term store data that you have access to. 
This includes all sets, groups and terms in the term store.", + "userConsentDisplayName": "Read term store data", + "value": "TermStore.Read.All" + }, + { + "description": "Allows the app to read or modify data that the signed-in user has access to.\u00a0This includes all sets, groups and terms in the term store.", + "displayName": "Read and write term store data", + "id": "6c37c71d-f50f-4bff-8fd3-8a41da390140", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read or modify data that you have access to. This includes all sets, groups and terms in the term store.", + "userConsentDisplayName": "Read and write term store data", + "value": "TermStore.ReadWrite.All" + }, + { + "description": "Allows the app to read your tenant's service announcement messages on behalf of the signed-in user. Messages may include information about new or changed features.", + "displayName": "Read service announcement messages", + "id": "eda39fa6-f8cf-4c3c-a909-432c683e4c9b", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your tenant's service announcement messages on your behalf. Messages may include information about new or changed features.", + "userConsentDisplayName": "Read service messages", + "value": "ServiceMessage.Read.All" + }, + { + "description": "Allows the app to read your tenant's service health information on behalf of the signed-in user. 
Health information may include service issues or service health overviews.", + "displayName": "Read service health", + "id": "55896846-df78-47a7-aa94-8d3d4442ca7f", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your tenant's service health information on your behalf.Health information may include service issues or service health overviews.", + "userConsentDisplayName": "Read service health", + "value": "ServiceHealth.Read.All" + }, + { + "description": "Allows the app to read all the short notes a sign-in user has access to.", + "displayName": "Read short notes of the signed-in user", + "id": "50f66e47-eb56-45b7-aaa2-75057d9afe08", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your short notes.", + "userConsentDisplayName": "Read your short notes", + "value": "ShortNotes.Read" + }, + { + "description": "Allows the app to read, create, edit, and delete short notes of a signed-in user.", + "displayName": "Read, create, edit, and delete short notes of the signed-in user", + "id": "328438b7-4c01-4c07-a840-e625a749bb89", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, create, edit, and delete your short notes.", + "userConsentDisplayName": "Read, create, edit, and delete your short notes", + "value": "ShortNotes.ReadWrite" + }, + { + "description": "Allows the app to read your organization's conditional access policies on behalf of the signed-in user.", + "displayName": "Read your organization's conditional access policies", + "id": "633e0fce-8c58-4cfb-9495-12bbd5a24f7c", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your organization's conditional access policies on your behalf.", + "userConsentDisplayName": "Read your organization's conditional access policies", + "value": "Policy.Read.ConditionalAccess" + }, + { + "description": "Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the 
signed-in user. This includes reading role definitions and role assignments.", + "displayName": "Read role management data for all RBAC providers", + "id": "48fec646-b2ba-4019-8681-8eb31435aded", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on your behalf. This includes reading role definitions and role assignments.", + "userConsentDisplayName": "Read role management data for all RBAC providers", + "value": "RoleManagement.Read.All" + }, + { + "description": "Allows an app to send one-to-one and group chat messages in Microsoft Teams, on behalf of the signed-in user.", + "displayName": "Send user chat messages", + "id": "116b7235-7cc6-461e-b163-8e55691d839e", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to send one-to-one and group chat messages in Microsoft Teams, on your behalf.", + "userConsentDisplayName": "Send chat messages", + "value": "ChatMessage.Send" + }, + { + "description": "Allows an app to read the members and descriptions of one-to-one and group chat threads, on behalf of the signed-in user.", + "displayName": "Read names and members of user chat threads", + "id": "9547fcb5-d03f-419d-9948-5928bbf71b0f", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read the members and descriptions of one-to-one and group chat threads, on your behalf.", + "userConsentDisplayName": "Read names and members of your chat threads", + "value": "Chat.ReadBasic" + }, + { + "description": "Allows the app to read and write the properties of Cloud PCs on behalf of the signed-in user.", + "displayName": "Read and write Cloud PCs", + "id": "9d77138f-f0e2-47ba-ab33-cd246c8b79d1", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read and write the properties of Cloud PCs, on your behalf.", + "userConsentDisplayName": "Read and write Cloud PCs", + "value": "CloudPC.ReadWrite.All" + }, + { + "description": 
"Allows the app to read the properties of Cloud PCs on behalf of the signed-in user.", + "displayName": "Read Cloud PCs", + "id": "5252ec4e-fd40-4d92-8c68-89dd1d3c6110", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the properties of Cloud PCs, on your behalf.", + "userConsentDisplayName": "Read Cloud PCs", + "value": "CloudPC.Read.All" + }, + { + "description": "Allows the app to read, install, upgrade, and uninstall Teams apps in chats the signed-in user can access. Does not give the ability to read application-specific settings.", + "displayName": "Manage installed Teams apps in chats", + "id": "aa85bf13-d771-4d5d-a9e6-bca04ce44edf", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, install, upgrade, and uninstall Teams apps in chats you can access. Does not give the ability to read application-specific settings.", + "userConsentDisplayName": "Manage installed Teams apps in chats", + "value": "TeamsAppInstallation.ReadWriteForChat" + }, + { + "description": "Allows the app to create, read, update, and delete the signed-in user's tasks and task lists, including any shared with the user.", + "displayName": "Create, read, update, and delete user\u2019s tasks and task lists", + "id": "2219042f-cab5-40cc-b0d2-16b1540b4c5f", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create, read, update, and delete your tasks and task lists, including any shared with you.", + "userConsentDisplayName": "Create, read, update, and delete your tasks and task lists", + "value": "Tasks.ReadWrite" + }, + { + "description": "Allows the app to read the signed-in user\u2019s tasks and task lists, including any shared with the user. 
Doesn't include permission to create, delete, or update anything.", + "displayName": "Read user's tasks and task lists", + "id": "f45671fb-e0fe-4b4b-be20-3d3ce43f1bcb", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read your tasks and task lists, including any shared with you. Doesn't include permission to create, delete, or update anything.", + "userConsentDisplayName": "Read your tasks and task lists", + "value": "Tasks.Read" + }, + { + "description": "Allows an app to read one-to-one and group chat messages, on behalf of the signed-in user.", + "displayName": "Read user chat messages", + "id": "cdcdac3a-fd45-410d-83ef-554db620e5c7", + "Origin": "Delegated", + "userConsentDescription": "Allows an app to read one-to-one or group chat messages in Microsoft Teams, on your behalf.", + "userConsentDisplayName": "Read user chat messages", + "value": "ChatMessage.Read" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats the signed-in user can access.", + "displayName": "Allow the Teams app to manage all tabs in chats", + "id": "ee928332-e9c2-4747-b4a0-f8c164b68de6", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats you can access.", + "userConsentDisplayName": "Allow the Teams app to manage all tabs in chats", + "value": "TeamsTab.ReadWriteForChat" + }, + { + "description": "Allows a Teams app to read, install, upgrade, and uninstall all tabs to teams the signed-in user can access.", + "displayName": "Allow the Teams app to manage all tabs in teams", + "id": "c975dd04-a06e-4fbb-9704-62daad77bb49", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, install, upgrade, and uninstall all tabs to teams you can access.", + "userConsentDisplayName": "Allow the app to manage all tabs in teams", + "value": "TeamsTab.ReadWriteForTeam" + }, + { + "description": "Allows a Teams app to read, 
install, upgrade, and uninstall all tabs for the signed-in user.", + "displayName": "Allow the Teams app to manage all tabs for a user", + "id": "c37c9b61-7762-4bff-a156-afc0005847a0", + "Origin": "Delegated", + "userConsentDescription": "Allows a Teams app to read, install, upgrade, and uninstall all tabs for you.", + "userConsentDisplayName": "Allow the Teams app to manage all tabs for you", + "value": "TeamsTab.ReadWriteForUser" + }, + { + "description": "Allows the app to read the API connectors used in user authentication flows, on behalf of the signed-in user.", + "displayName": "Read API connectors for authentication flows", + "id": "1b6ff35f-31df-4332-8571-d31ea5a4893f", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read the API connectors used in user authentication flows, on your behalf.", + "userConsentDisplayName": "Read API connectors for authentication flows", + "value": "APIConnectors.Read.All" + }, + { + "description": "Allows the app to read, create and manage the API connectors used in user authentication flows, on behalf of the signed-in user.", + "displayName": "Read and write API connectors for authentication flows", + "id": "c67b52c5-7c69-48b6-9d48-7b3af3ded914", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read, create and manage the API connectors used in user authentication flows, on your behalf.", + "userConsentDisplayName": "Read and write API connectors for authentication flows", + "value": "APIConnectors.ReadWrite.All" + }, + { + "description": "Read the members of chats, on behalf of the signed-in user.", + "displayName": "Read the members of chats", + "id": "c5a9e2b1-faf6-41d4-8875-d381aa549b24", + "Origin": "Delegated", + "userConsentDescription": "Read the members of chats, on your behalf.", + "userConsentDisplayName": "Read the members of chats", + "value": "ChatMember.Read" + }, + { + "description": "Add and remove members from chats, on behalf of the signed-in user.", + 
"displayName": "Add and remove members from chats", + "id": "dea13482-7ea6-488f-8b98-eb5bbecf033d", + "Origin": "Delegated", + "userConsentDescription": "Add and remove members from chats, on your behalf.", + "userConsentDisplayName": "Add and remove members from chats", + "value": "ChatMember.ReadWrite" + }, + { + "description": "Allows the app to create chats on behalf of the signed-in user.", + "displayName": "Create chats", + "id": "38826093-1258-4dea-98f0-00003be2b8d0", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to create chats on your behalf.\u00a0", + "userConsentDisplayName": "Create chats", + "value": "Chat.Create" + }, + { + "description": "Allows the application to read and write tenant-wide print settings on behalf of the signed-in user.", + "displayName": "Read and write tenant-wide print settings", + "id": "9ccc526a-c51c-4e5c-a1fd-74726ef50b8f", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read and write tenant-wide print settings on your behalf.", + "userConsentDisplayName": "Read and write tenant-wide print settings", + "value": "PrintSettings.ReadWrite.All" + }, + { + "description": "Allows the application to read tenant-wide print settings on behalf of the signed-in user.", + "displayName": "Read tenant-wide print settings", + "id": "490f32fd-d90f-4dd7-a601-ff6cdc1a3f6c", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read tenant-wide print settings on your behalf.", + "userConsentDisplayName": "Read tenant-wide print settings", + "value": "PrintSettings.Read.All" + }, + { + "description": "Allows the application to read and write print connectors on behalf of the signed-in user. 
", + "displayName": "Read and write print connectors", + "id": "79ef9967-7d59-4213-9c64-4b10687637d8", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read and write print connectors on your behalf.", + "userConsentDisplayName": "Read and write print connectors", + "value": "PrintConnector.ReadWrite.All" + }, + { + "description": "Allows the application to read print connectors on behalf of the signed-in user.", + "displayName": "Read print connectors", + "id": "d69c2d6d-4f72-4f99-a6b9-663e32f8cf68", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read print connectors on your behalf.", + "userConsentDisplayName": "Read print connectors", + "value": "PrintConnector.Read.All" + }, + { + "description": "Allows the application to read basic information about printer shares on behalf of the signed-in user. Does not allow reading access control information.", + "displayName": "Read basic information about printer shares", + "id": "5fa075e9-b951-4165-947b-c63396ff0a37", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to read basic information about printer shares on your behalf.", + "userConsentDisplayName": "Read basic information about printer shares", + "value": "PrinterShare.ReadBasic.All" + }, + { + "description": "Allows the application to create print jobs on behalf of the signed-in user and upload document content to print jobs that the signed-in user created.", + "displayName": "Create print jobs", + "id": "21f0d9c0-9f13-48b3-94e0-b6b231c7d320", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to create print jobs on your behalf and upload document content to print jobs that you created.", + "userConsentDisplayName": "Create your print jobs", + "value": "PrintJob.Create" + }, + { + "description": "Allows the app to read Azure AD recommendations, on behalf of the signed-in user.", + "displayName": "Read Azure AD recommendations", + "id": 
"34d3bd24-f6a6-468c-b67c-0c365c1d6410", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to read Azure AD recommendations, on your behalf.", + "userConsentDisplayName": "Read Azure AD recommendations", + "value": "DirectoryRecommendations.Read.All" + }, + { + "description": "Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user.\u00a0 It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user.", + "displayName": "Read shared cross-tenant user profile and export or delete data", + "id": "eed0129d-dc60-4f30-8641-daf337a39ffd", + "Origin": "Delegated", + "userConsentDescription": "Allows the application to list and query shared user profile information associated with the current tenant on your behalf.\u00a0 It also permits the application to export and remove your external user data (e.g. customer content or system-generated logs), associated with the current tenant on your behalf.", + "userConsentDisplayName": "Read shared cross-tenant user profile and export or delete data", + "value": "CrossTenantUserProfileSharing.ReadWrite" + }, + { + "description": "Allows the app to manage restricted resources based on the other permissions granted to the app, on behalf of the signed-in user.", + "displayName": "Manage restricted resources in the directory", + "id": "cba5390f-ed6a-4b7f-b657-0efc2210ed20", + "Origin": "Delegated", + "userConsentDescription": "Allows the app to manage restricted resources based on the other permissions granted to the app, on your behalf.", + "userConsentDisplayName": "Manage restricted resources in the directory", + "value": "Directory.Write.Restricted" + }, + { + "description": "Allows the app to read your organization's threat submission policies on behalf of the signed-in user. 
Also allows the app to create new threat submission policies on behalf of the signed-in user.",
+ "displayName": "Read and write all threat submission policies",
+ "id": "059e5840-5353-4c68-b1da-666a033fc5e8",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read your organization's threat submission policies on your behalf. Also allows the app to create new threat submission policies on your behalf.",
+ "userConsentDisplayName": "Read and write all threat submission policies",
+ "value": "ThreatSubmissionPolicy.ReadWrite.All"
+ },
+ {
+ "description": "Allows an app to read the browser site lists configured for your organization, on behalf of the signed-in user.",
+ "displayName": "Read browser site lists for your organization",
+ "id": "fb9be2b7-a7fc-4182-aec1-eda4597c43d5",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows an app to read the browser site lists configured for your organization, on your behalf.",
+ "userConsentDisplayName": "Read browser site lists for your organization",
+ "value": "BrowserSiteLists.Read.All"
+ },
+ {
+ "description": "Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user.\u00a0 It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user.",
+ "displayName": "Read all shared cross-tenant user profiles and export or delete their data",
+ "id": "64dfa325-cbf8-48e3-938d-51224a0cac01",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the application to list and query any shared user profile information associated with the current tenant on your behalf.\u00a0 It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on your behalf.",
+ "userConsentDisplayName": "Read any shared cross-tenant user profiles and export or delete data",
+ "value": "CrossTenantUserProfileSharing.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to read the threat submissions and threat submission policies owned by the signed-in user.",
+ "displayName": "Read threat submissions",
+ "id": "fd5353c6-26dd-449f-a565-c4e16b9fce78",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read the threat submissions and threat submission policies that you own on your behalf.",
+ "userConsentDisplayName": "Read threat submissions",
+ "value": "ThreatSubmission.Read"
+ },
+ {
+ "description": "Allows the app to read the threat submissions and threat submission policies owned by the signed-in user. Also allows the app to create new threat submissions on behalf of the signed-in user.",
+ "displayName": "Read and write threat submissions",
+ "id": "68a3156e-46c9-443c-b85c-921397f082b5",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read the threat submissions and threat submission policies that you own. Also allows the app to create new threat submissions on your behalf.",
+ "userConsentDisplayName": "Read and write threat submissions",
+ "value": "ThreatSubmission.ReadWrite"
+ },
+ {
+ "description": "Allows the app to read all recordings of online meetings, on behalf of the signed-in user.",
+ "displayName": "Read all recordings of online meetings.",
+ "id": "190c2bb6-1fdd-4fec-9aa2-7d571b5e1fe3",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read all recordings of online meetings, on your behalf.\u00a0",
+ "userConsentDisplayName": "Read all recordings of online meetings.\u00a0",
+ "value": "OnlineMeetingRecording.Read.All"
+ },
+ {
+ "description": "Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem on behalf of the signed-in user.",
+ "displayName": "Read cross-tenant basic information",
+ "id": "81594d25-e88e-49cf-ac8c-fecbff49f994",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem on your behalf.",
+ "userConsentDisplayName": "Read cross-tenant basic information",
+ "value": "CrossTenantInformation.ReadBasic.All"
+ },
+ {
+ "description": "Allows the app to read your organization's authentication event listeners on behalf of the signed-in user.",
+ "displayName": "Read your organization's authentication event listeners",
+ "id": "f7dd3bed-5eec-48da-bc73-1c0ef50bc9a1",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read your organization's authentication event listeners on your behalf.",
+ "userConsentDisplayName": "Read your organization's authentication event listeners",
+ "value": "EventListener.Read.All"
+ },
+ {
+ "description": "Allows the app to read the Teams app settings on behalf of the signed-in user.",
+ "displayName": "Read Teams app settings",
+ "id": "44e060c4-bbdc-4256-a0b9-dcc0396db368",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read the Teams app settings on your behalf.",
+ "userConsentDisplayName": "Read Teams app settings",
+ "value": "TeamworkAppSettings.Read.All"
+ },
+ {
+ "description": "Allows\u00a0the\u00a0app\u00a0to\u00a0manage learning\u00a0content\u00a0in\u00a0the\u00a0organization's\u00a0directory, on behalf of the signed-in user.",
+ "displayName": "Manage\u00a0learning\u00a0content",
+ "id": "53cec1c4-a65f-4981-9dc1-ad75dbf1c077",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows\u00a0the\u00a0app\u00a0to\u00a0manage learning\u00a0content\u00a0in\u00a0the\u00a0organization's\u00a0directory, on your behalf.",
+ "userConsentDisplayName": "Manage learning content",
+ "value": "LearningContent.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to create, update, read, and delete data for the learning provider in the organization's directory, on behalf of the signed-in user.",
+ "displayName": "Manage\u00a0learning\u00a0provider",
+ "id": "40c2eb57-abaf-49f5-9331-e90fd01f7130",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows\u00a0the\u00a0app\u00a0to\u00a0create, update, read, and delete\u00a0data\u00a0for\u00a0the learning\u00a0provider\u00a0in\u00a0the organization's\u00a0directory, on your behalf.",
+ "userConsentDisplayName": "Manage learning provider",
+ "value": "LearningProvider.ReadWrite"
+ },
+ {
+ "description": "Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user.",
+ "displayName": "Read all users' lifecycle information",
+ "id": "ed8d2a04-0374-41f1-aefe-da8ac87ccc87",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user.",
+ "userConsentDisplayName": "Read all users' lifecycle information",
+ "value": "User-LifeCycleInfo.Read.All"
+ },
+ {
+ "description": "Allows an app to read and write the browser site lists configured for your organization, on behalf of the signed-in user.",
+ "displayName": "Read and write browser site lists for your organization",
+ "id": "83b34c85-95bf-497b-a04e-b58eca9d49d0",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows an app to read and write the browser site lists configured for your organization, on your behalf.",
+ "userConsentDisplayName": "Read and write browser site lists for your organization",
+ "value": "BrowserSiteLists.ReadWrite.All"
+ },
+ {
+ "description": "Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user.\u00a0 It also permits the application to export external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user.",
+ "displayName": "Read shared cross-tenant user profile and export data",
+ "id": "cb1ba48f-d22b-4325-a07f-74135a62ee41",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the application to list and query shared user profile information associated with the current tenant on your behalf.\u00a0 It also permits the application to export your external user data (e.g. customer content or system-generated logs), associated with the current tenant on your behalf.",
+ "userConsentDisplayName": "Read shared cross-tenant user profile and export data",
+ "value": "CrossTenantUserProfileSharing.Read"
+ },
+ {
+ "description": "Allows the app to read admin report settings, such as whether to display concealed information in reports, on behalf of the signed-in user",
+ "displayName": "Read admin report settings",
+ "id": "84fac5f4-33a9-4100-aa38-a20c6d29e5e7",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read admin report settings, such as whether to display concealed information in reports, on your behalf.",
+ "userConsentDisplayName": "Read admin report settings",
+ "value": "ReportSettings.Read.All"
+ },
+ {
+ "description": "Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user.",
+ "displayName": "Read and write all users' lifecycle information",
+ "id": "7ee7473e-bd4b-4c9f-987c-bd58481f5fa2",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user.",
+ "userConsentDisplayName": "Read and write all users' lifecycle information",
+ "value": "User-LifeCycleInfo.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to read and update Azure AD recommendations, on behalf of the signed-in user. ",
+ "displayName": "Read and update Azure AD recommendations",
+ "id": "f37235e8-90a0-4189-93e2-e55b53867ccd",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read and update Azure AD recommendations, on your behalf.",
+ "userConsentDisplayName": "Read and update Azure AD recommendations",
+ "value": "DirectoryRecommendations.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to read your organization's threat submissions and threat submission policies on behalf of the signed-in user.",
+ "displayName": "Read all threat submissions",
+ "id": "7083913a-4966-44b6-9886-c5822a5fd910",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read your organization's threat submissions and threat submission policies on your behalf.",
+ "userConsentDisplayName": "Read all threat submissions",
+ "value": "ThreatSubmission.Read.All"
+ },
+ {
+ "description": "Allows the app to read learning content in the organization's directory, on behalf of the signed-in user.",
+ "displayName": "Read learning content",
+ "id": "ea4c1fd9-6a9f-4432-8e5d-86e06cc0da77",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read learning content in the organization's directory, on your behalf.",
+ "userConsentDisplayName": "Read learning content",
+ "value": "LearningContent.Read.All"
+ },
+ {
+ "description": "Allows the app to read data for the learning provider in the organization's directory, on behalf of the signed-in user.",
+ "displayName": "Read learning provider",
+ "id": "dd8ce36f-9245-45ea-a99e-8ac398c22861",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows\u00a0the\u00a0app\u00a0to\u00a0read\u00a0data\u00a0for\u00a0the learning\u00a0provider\u00a0in\u00a0the organization's\u00a0directory, on your behalf.",
+ "userConsentDisplayName": "Read learning provider",
+ "value": "LearningProvider.Read"
+ },
+ {
+ "description": "Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user.",
+ "displayName": "Read and write all lifecycle workflows resources",
+ "id": "84b9d731-7db8-4454-8c90-fd9e95350179",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources on your behalf.",
+ "userConsentDisplayName": "Read and write all lifecycle workflows resources",
+ "value": "LifecycleWorkflows.ReadWrite.All"
+ },
+ {
+ "description": "Allows an app to read all bookmarks that the signed-in user can access.",
+ "displayName": "Read all bookmarks that the user can access",
+ "id": "98b17b35-f3b1-4849-a85f-9f13733002f0",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read all bookmarks you can access.",
+ "userConsentDisplayName": "Read all bookmarks that you have access to",
+ "value": "Bookmark.Read.All"
+ },
+ {
+ "description": "Allows the application to read and change the tenant-level settings of SharePoint and OneDrive on behalf of the signed-in user.",
+ "displayName": "Read and change SharePoint and OneDrive tenant settings",
+ "id": "aa07f155-3612-49b8-a147-6c590df35536",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the application to read and change the tenant-level settings of SharePoint and OneDrive on your behalf.",
+ "userConsentDisplayName": "Read and change SharePoint and OneDrive tenant settings",
+ "value": "SharePointTenantSettings.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to read or write your organization's authentication event listeners on behalf of the signed-in user.",
+ "displayName": "Read and write your organization's authentication event listeners",
+ "id": "d11625a6-fe21-4fc6-8d3d-063eba5525ad",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read or write your organization's authentication event listeners on your behalf.",
+ "userConsentDisplayName": "Read and write your organization's authentication event listeners",
+ "value": "EventListener.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to read and write the Teams app settings on behalf of the signed-in user.",
+ "displayName": "Read and write Teams app settings",
+ "id": "87c556f0-2bd9-4eed-bd74-5dd8af6eaf7e",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read and write the Teams app settings on your behalf.",
+ "userConsentDisplayName": "Read and write Teams app settings",
+ "value": "TeamworkAppSettings.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to read all authentication context information in your organization on behalf of the signed-in user.",
+ "displayName": "Read all authentication context information",
+ "id": "57b030f1-8c35-469c-b0d9-e4a077debe70",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read all authentication context information in your organization on your behalf.",
+ "userConsentDisplayName": "Read all authentication context information",
+ "value": "AuthenticationContext.Read.All"
+ },
+ {
+ "description": "Allows the app to read and update all authentication context information in your organization on behalf of the signed-in user.",
+ "displayName": "Read and write all authentication context information",
+ "id": "ba6d575a-1344-4516-b777-1404f5593057",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read and update all authentication context information in your organization on your behalf.",
+ "userConsentDisplayName": "Read and write all authentication context information",
+ "value": "AuthenticationContext.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to read and update admin report settings, such as whether to display concealed information in reports, on behalf of the signed-in user.",
+ "displayName": "Read and write admin report settings",
+ "id": "b955410e-7715-4a88-a940-dfd551018df3",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read and update admin report settings, such as whether to display concealed information in reports, on your behalf.",
+ "userConsentDisplayName": "Read and write admin report settings",
+ "value": "ReportSettings.ReadWrite.All"
+ },
+ {
+ "description": "Allows the app to list and read all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user.",
+ "displayName": "Read all lifecycle workflows resources",
+ "id": "9bcb9916-765a-42af-bf77-02282e26b01a",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to list and read all workflows, tasks and related lifecycle workflows resources on your behalf.",
+ "userConsentDisplayName": "Read all lifecycle workflows resources",
+ "value": "LifecycleWorkflows.Read.All"
+ },
+ {
+ "description": "Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user.\u00a0 It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user.",
+ "displayName": "Read all shared cross-tenant user profiles and export their data",
+ "id": "759dcd16-3c90-463c-937e-abf89f991c18",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the application to list and query any shared user profile information associated with the current tenant on your behalf.\u00a0 It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on your behalf.",
+ "userConsentDisplayName": "Read any shared cross-tenant user profiles and export data",
+ "value": "CrossTenantUserProfileSharing.Read.All"
+ },
+ {
+ "description": "Allows the application to read the tenant-level settings in SharePoint and OneDrive on behalf of the signed-in user.",
+ "displayName": "Read SharePoint and OneDrive tenant settings",
+ "id": "2ef70e10-5bfd-4ede-a5f6-67720500b258",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the application to read the tenant-level settings in SharePoint and OneDrive on your behalf.",
+ "userConsentDisplayName": "Read SharePoint and OneDrive tenant settings",
+ "value": "SharePointTenantSettings.Read.All"
+ },
+ {
+ "description": "Allows the app to read or write your organization's custom authentication extensions on behalf of the signed-in user.",
+ "displayName": "Read and write your organization's custom authentication extensions",
+ "id": "8dfcf82f-15d0-43b3-bc78-a958a13a5792",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read or write your organization's custom authentication extensions on your behalf.",
+ "userConsentDisplayName": "Read and write your organization's custom authentication extensions",
+ "value": "CustomAuthenticationExtension.ReadWrite.All"
+ },
+ {
+ "description": "Allows an app to manage license assignments for users and groups, on behalf of the signed-in user.",
+ "displayName": "Manage all license assignments",
+ "id": "f55016cc-149c-447e-8f21-7cf3ec1d6350",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to manage all license assignments, on your behalf.",
+ "userConsentDisplayName": "Manage all license assignments",
+ "value": "LicenseAssignment.ReadWrite.All"
+ },
+ {
+ "description": "Allows an app to read all acronyms that the signed-in user can access.",
+ "displayName": "Read all acronyms that the user can access",
+ "id": "9084c10f-a2d6-4713-8732-348def50fe02",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read all acronyms you can access.",
+ "userConsentDisplayName": "Read all acronyms that you have access to",
+ "value": "Acronym.Read.All"
+ },
+ {
+ "description": "Allows the app to read your organization's custom authentication extensions on behalf of the signed-in user.",
+ "displayName": "Read your oganization's custom authentication extensions",
+ "id": "b2052569-c98c-4f36-a5fb-43e5c111e6d0",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read your organization's custom authentication extensions on your behalf.",
+ "userConsentDisplayName": "Read your organization's custom authentication extensions",
+ "value": "CustomAuthenticationExtension.Read.All"
+ },
+ {
+ "description": "Allows the app to read all transcripts of online meetings, on behalf of the signed-in user.",
+ "displayName": "Read all transcripts of online meetings. ",
+ "id": "30b87d18-ebb1-45db-97f8-82ccb1f0190c",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read all transcripts of online meetings, on your behalf.",
+ "userConsentDisplayName": "Read all transcripts of online meetings.",
+ "value": "OnlineMeetingTranscript.Read.All"
+ },
+ {
+ "description": "Allows the app to read and write channel messages, on behalf of the signed-in user. This doesn't allow the app to edit the policyViolation of a channel message.",
+ "displayName": "Read and write user channel messages",
+ "id": "5922d31f-46c8-4404-9eaf-2117e390a8a4",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows the app to read and write channel messages, on your behalf. This doesn't allow the app to edit the policyViolation of a channel message.",
+ "userConsentDisplayName": "Read and write user channel messages",
+ "value": "ChannelMessage.ReadWrite"
+ },
+ {
+ "description": "Read Threat and Vulnerability Management vulnerability information",
+ "displayName": "Allows the app to read any Threat and Vulnerability Management vulnerability information",
+ "id": "63a677ce-818c-4409-9d12-5c6d2e2a6bfe",
+ "Origin": "Application (WindowsDefenderATP)",
+ "userConsentDescription": "Allows the app to read any Threat and Vulnerability Management vulnerability information",
+ "userConsentDisplayName": "Allows the app to read any Threat and Vulnerability Management vulnerability information",
+ "value": "Vulnerability.Read.All"
+ },
+ {
+ "description": "Allows the app to read Threat and Vulnerability Management vulnerability information on behalf of the signed-in user",
+ "displayName": "Read Threat and Vulnerability Management vulnerability information",
+ "id": "41269fc5-d04d-4bfd-bce7-43a51cea049a",
+ "Origin": "Delegated (WindowsDefenderATP)",
+ "userConsentDescription": "Allows the app to read Threat and Vulnerability Management vulnerability information on behalf of the signed-in user",
+ "userConsentDisplayName": "Read Threat and Vulnerability Management vulnerability information",
+ "value": "Vulnerability.Read"
+ },
+ {
+ "description": "Allows the app to manage Exchange Online",
+ "displayName": "Manage Exchange online",
+ "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
+ "Origin": "Delegated (Office 365 Exchange Online)",
+ "userConsentDescription": "Allows the app to read Threat and Vulnerability Management vulnerability information on behalf of the signed-in user",
+ "userConsentDisplayName": "Read Threat and Vulnerability Management vulnerability information",
+ "value": "Exchange.Manage"
+ },
+ {
+ "description": "Allows the app to have full control of all site collections on behalf of the signed-in user.",
+ "displayName": "Manage Sharepoint Online",
+ "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
+ "Origin": "Delegated (Office 365 SharePoint Online)",
+ "userConsentDescription": "Have full control of all site collections",
+ "userConsentDisplayName": "Allows the app to have full control of all site collections on your behalf.",
+ "value": "AllSites.FullControl"
+ },
+ {
+ "description": "Allows to read the LAPs passwords.",
+ "displayName": "Manage LAPs passwords",
+ "id": "280b3b69-0437-44b1-bc20-3b2fca1ee3e9",
+ "Origin": "Delegated",
+ "userConsentDescription": "Allows to read the LAPs passwords.",
+ "userConsentDisplayName": "Manage LAPs passwords",
+ "value": "DeviceLocalCredential.Read.All"
+ },
+ {
+ "description": "Access Microsoft Teams and Skype for Business data as the signed in user",
+ "displayName": "Access Microsoft Teams and Skype for Business data based on the user's role membership",
+ "id": "e60370c1-e451-437e-aa6e-d76df38e5f15",
+ "Origin": "Delegated (Skype and Teams Tenant Admin API)",
+ "userConsentDescription": "Access Microsoft Teams and Skype for Business data as the signed in user",
+ "userConsentDisplayName": "Access Microsoft Teams and Skype for Business data based on the user's role membership",
+ "value": "user_impersonation"
+ }
+]
diff --git a/Modules/CIPPCore/Public/SAMManifest.json b/Modules/CIPPCore/Public/SAMManifest.json
new file mode 100644
index 0000000000000..ef0dfd36758cd
--- /dev/null
+++ b/Modules/CIPPCore/Public/SAMManifest.json
@@ -0,0 +1,203 @@
+{
+ "isFallbackPublicClient": true,
+ "signInAudience": "AzureADMultipleOrgs",
+ "displayName": "CIPP-SAM",
+ "web": {
+ "redirectUris": [
+ "https://login.microsoftonline.com/common/oauth2/nativeclient",
+ "https://localhost",
+ "http://localhost",
+ "http://localhost:8400"
+ ]
+ },
+ "requiredResourceAccess": [
+ {
+ "resourceAppId": "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd",
+ "resourceAccess": [
+ { "id": "1cebfa2a-fb4d-419e-b5f9-839b4383e05a", "type": "Scope" }
+ ]
+ },
+ {
+ "resourceAppId": "00000003-0000-0000-c000-000000000000",
+ "resourceAccess": [
+ { "id": "aa07f155-3612-49b8-a147-6c590df35536", "type": "Scope" },
+ { "id": "0f4595f7-64b1-4e13-81bc-11a249df07a9", "type": "Scope" },
+ { "id": "73e75199-7c3e-41bb-9357-167164dbb415", "type": "Scope" },
+ { "id": "7ab1d787-bae7-4d5d-8db6-37ea32df9186", "type": "Scope" },
+ { "id": "d01b97e9-cbc0-49fe-810a-750afd5527a3", "type": "Scope" },
+ { "id": "46ca0847-7e6b-426e-9775-ea810a948356", "type": "Scope" },
+ { "id": "dc38509c-b87d-4da0-bd92-6bec988bac4a", "type": "Scope" },
+ { "id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", "type": "Scope" },
+ { "id": "ad902697-1014-4ef5-81ef-2b4301988e8c", "type": "Scope" },
+ { "id": "572fea84-0151-49b2-9301-11cb16974376", "type": "Scope" },
+ { "id": "e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20", "type": "Scope" },
+ { "id": "0883f392-0a7a-443d-8c76-16a6d39c7b63", "type": "Scope" },
+ { "id": "7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af", "type": "Scope" },
+ { "id": "0c5e8a55-87a6-4556-93ab-adc52c4d862d", "type": "Scope" },
+ { "id": "44642bfe-8385-4adc-8fc6-fe3cb2c375c3", "type": "Scope" },
+ { "id": "662ed50a-ac44-4eef-ad86-62eed9be2a29", "type": "Scope" },
+ { "id": "8696daa5-bce5-4b2e-83f9-51b6defc4e1e", "type": "Scope" },
+ { "id": "6aedf524-7e1c-45a7-bd76-ded8cab8d0fc", "type": "Scope" },
+ { "id": "bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804", "type": "Scope" },
+ { "id": "11d4cd79-5ba5-460f-803f-e22c8ab85ccd", "type": "Scope" },
+ { "id": "02e97553-ed7b-43d0-ab3c-f8bace0d040c", "type": "Scope" },
+ { "id": "89fe6a52-be36-487e-b7d8-d061c450a026", "type": "Scope" },
+ { "id": "a367ab51-6b49-43bf-a716-a1fb06d2a174", "type": "Scope" },
+ { "id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4", "type": "Scope" },
+ { "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0", "type": "Scope" },
+ { "id": "0e263e50-5827-48a4-b97c-d940288653c7", "type": "Scope" },
+ { "id": "e383f46e-2787-4529-855e-0e479a3ffac0", "type": "Scope" },
+ { "id": "37f7f235-527c-4136-accd-4a02d197296e", "type": "Scope" },
+ { "id": "14dad69e-099b-42c9-810b-d002981feec1", "type": "Scope" },
+ { "id": "f6a3db3e-f7e8-4ed2-a414-557c8c9830be", "type": "Scope" },
+ { "id": "0e755559-83fb-4b44-91d0-4cc721b9323e", "type": "Scope" },
+ { "id": "a84a9652-ffd3-496e-a991-22ba5529156a", "type": "Scope" },
+ { "id": "1d89d70c-dcac-4248-b214-903c457af83a", "type": "Scope" },
+ { "id": "2b61aa8a-6d36-4b2f-ac7b-f29867937c53", "type": "Scope" },
+ { "id": "ebf0f66e-9fb1-49e4-a278-222f76911cf4", "type": "Scope" },
+ { "id": "c79f8feb-a9db-4090-85f9-90d820caa0eb", "type": "Scope" },
+ { "id": "bdfbf15f-ee85-4955-8675-146e8e5296b5", "type": "Scope" },
+ { "id": "f81125ac-d3b7-4573-a3b2-7099cc39df9e", "type": "Scope" },
+ { "id": "cac97e40-6730-457d-ad8d-4852fddab7ad", "type": "Scope" },
+ { "id": "b7887744-6746-4312-813d-72daeaee7e2d", "type": "Scope" },
+ { "id": "48971fc1-70d7-4245-af77-0beb29b53ee2", "type": "Scope" },
+ { "id": "aec28ec7-4d02-4e8c-b864-50163aea77eb", "type": "Scope" },
+ { "id": "a9ff19c2-f369-4a95-9a25-ba9d460efc8e", "type": "Scope" },
+ { "id": "59dacb05-e88d-4c13-a684-59f1afc8cc98", "type": "Scope" },
+ { "id": "b98bfd41-87c6-45cc-b104-e2de4f0dafb9", "type": "Scope" },
+ { "id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311", "type": "Scope" },
+ { "id": "951183d1-1a61-466f-a6d1-1fde911bfd95", "type": "Scope" },
+ { "id": "637d7bec-b31e-4deb-acc9-24275642a2c9", "type": "Scope" },
+ { "id": "101147cf-4178-4455-9d58-02b5c164e759", "type": "Scope" },
+ { "id": "cc83893a-e232-4723-b5af-bd0b01bcfe65", "type": "Scope" },
+ { "id": "233e0cf1-dd62-48bc-b65b-b38fe87fcf8e", "type": "Scope" },
+ { "id": "d649fb7c-72b4-4eec-b2b4-b15acf79e378", "type": "Scope" },
+ { "id": "485be79e-c497-4b35-9400-0e3fa7f2a5d4", "type": "Scope" },
+ { "id": "9d8982ae-4365-4f57-95e9-d6032a4c0b87", "type": "Scope" },
+ { "id": "48638b3c-ad68-4383-8ac4-e6880ee6ca57", "type": "Scope" },
+ { "id": "39d65650-9d3e-4223-80db-a335590d027e", "type": "Scope" },
+ { "id": "4a06efd2-f825-4e34-813e-82a57b03d1ee", "type": "Scope" },
+ { "id": "f3bfad56-966e-4590-a536-82ecf548ac1e", "type": "Scope" },
+ { "id": "4d135e65-66b8-41a8-9f8b-081452c91774", "type": "Scope" },
+ { "id": "2eadaff8-0bce-4198-a6b9-2cfc35a30075", "type": "Scope" },
+ { "id": "0c3e411a-ce45-4cd1-8f30-f99a3efa7b11", "type": "Scope" },
+ { "id": "edb72de9-4252-4d03-a925-451deef99db7", "type": "Scope" },
+ { "id": "767156cb-16ae-4d10-8f8b-41b657c8c8c8", "type": "Scope" },
+ { "id": "7e823077-d88e-468f-a337-e18f1f0e6c7c", "type": "Scope" },
+ { "id": "edd3c878-b384-41fd-95ad-e7407dd775be", "type": "Scope" },
+ { "id": "40b534c3-9552-4550-901b-23879c90bcf9", "type": "Scope" },
+ { "id": "bf3fbf03-f35f-4e93-963e-47e4d874c37a", "type": "Scope" },
+ { "id": "5248dcb1-f83b-4ec3-9f4d-a4428a961a72", "type": "Scope" },
+ { "id": "c395395c-ff9a-4dba-bc1f-8372ba9dca84", "type": "Scope" },
+ { "id": "2e25a044-2580-450d-8859-42eeb6e996c0", "type": "Scope" },
+ { "id": "0ce33576-30e8-43b7-99e5-62f8569a4002", "type": "Scope" },
+ { "id": "207e0cb1-3ce7-4922-b991-5a760c346ebc", "type": "Scope" },
+ { "id": "093f8818-d05f-49b8-95bc-9d2a73e9a43c", "type": "Scope" },
+ { "id": "7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0", "type": "Scope" },
+ { "id": "2104a4db-3a2f-4ea0-9dba-143d457dc666", "type": "Scope" },
+ { "id": "eda39fa6-f8cf-4c3c-a909-432c683e4c9b", "type": "Scope" },
+ { "id": "55896846-df78-47a7-aa94-8d3d4442ca7f", "type": "Scope" },
+ { "id": "aa85bf13-d771-4d5d-a9e6-bca04ce44edf", "type": "Scope" },
+ { "id": "ee928332-e9c2-4747-b4a0-f8c164b68de6", "type": "Scope" },
+ { "id": "c975dd04-a06e-4fbb-9704-62daad77bb49", "type": "Scope" },
+ { "id": "c37c9b61-7762-4bff-a156-afc0005847a0", "type": "Scope" },
+ { "id": "b9abcc4f-94fc-4457-9141-d20ce80ec952", "type": "Scope" },
+ { "id": "128ca929-1a19-45e6-a3b8-435ec44a36ba", "type": "Scope" },
+ { "id": "b27add92-efb2-4f16-84f5-8108ba77985c", "type": "Scope" },
+ { "id": "3404d2bf-2b13-457e-a330-c24615765193", "type": "Scope" },
+ { "id": "b955410e-7715-4a88-a940-dfd551018df3", "type": "Scope" },
+ { "id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c", "type": "Role" },
+ { "id": "19b94e34-907c-4f43-bde9-38b1909ed408", "type": "Role" },
+ { "id": "999f8c63-0a38-4f1b-91fd-ed1947bdd1a9", "type": "Role" },
+ { "id": "292d869f-3427-49a8-9dab-8c70152b74e9", "type": "Role" },
+ { "id": "2f51be20-0bb4-4fed-bf7b-db946066c75e", "type": "Role" },
+ { "id": "58ca0d9a-1575-47e1-a3cb-007ef2e4583b", "type": "Role" },
+ { "id": "06a5fe6d-c49d-46a7-b082-56b1b14103c7", "type": "Role" },
+ { "id": "246dd0d5-5bd0-4def-940b-0421030a5b68", "type": "Role" },
+ { "id": "bf394140-e372-4bf9-a898-299cfc7564e5", "type": "Role" },
+ { "id": "741f803b-c850-494e-b5df-cde7c675a1ca", "type": "Role" },
+ { "id": "230c1aed-a721-4c5d-9cb4-a90514e508ef", "type": "Role" },
+ { "id": "b633e1c5-b582-4048-a93e-9f11b44c7e96", "type": "Role" },
+ { "id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role" },
+ { "id": "62a82d76-70ea-41e2-9197-370581804d09", "type": "Role" },
+ { "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role" },
+ { "id": "1138cb37-bd11-4084-a2b7-9f71582aeddb", "type": "Role" },
+ { "id": "78145de6-330d-4800-a6ce-494ff2d33d07", "type": "Role" },
+ { "id": "9241abd9-d0e6-425a-bd4f-47ba86e767a4", "type": "Role" },
+ { "id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c", "type": "Role" },
+ { "id": "243333ab-4d21-40cb-a475-36241daa0842", "type": "Role" },
+ { "id": "e330c4f0-4170-414e-a55a-2f022ec2b57b", "type": "Role" },
+ { "id": "5ac13192-7ace-4fcf-b828-1a26f28068ee", "type": "Role" },
+ { "id": "2f6817f8-7b12-4f0f-bc18-eeaf60705a9e", "type": "Role" },
+ { "id": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695", "type": "Role" },
+ { "id": "bf7b1a76-6e77-406b-b258-bf5c7720e98f", "type": "Role" },
+ { "id": "01c0a623-fc9b-48e9-b794-0756f8e8f067", "type": "Role" },
+ { "id": "50483e42-d915-4231-9639-7fdb7fd190e5", "type": "Role" },
+ { "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664", "type": "Role" },
+ { "id": "a82116e5-55eb-4c41-a434-62fe8a61c773", "type": "Role" },
+ { "id": "f3a65bd4-b703-46df-8f7e-0174fea562aa", "type": "Role" },
+ { "id": "59a6b24b-4225-4393-8165-ebaec5f55d7a", "type": "Role" },
+ { "id": "0121dc95-1b9f-4aed-8bac-58c5ac466691", "type": "Role" },
+ { "id": "3b55498e-47ec-484f-8136-9013221c06a9", "type": "Role" },
+ { "id": "35930dcf-aceb-4bd1-b99a-8ffed403c974", "type": "Role" },
+ { "id": "25f85f3c-f66c-4205-8cd5-de92dd7f0cec", "type": "Role" },
+ { "id": "29c18626-4985-4dcd-85c0-193eef327366", "type": "Role" },
+ { "id": "4437522e-9a86-4a41-a7da-e380edd4a97d", "type": "Role" },
+ { "id": "34bf0e97-1971-4929-b999-9e2442d941d7", "type": "Role" },
+ { "id": "45cc0394-e837-488b-a098-1918f48d186c", "type": "Role" },
+ { "id": "be74164b-cff1-491c-8741-e671cb536e13", "type": "Role" },
+ { "id": "2a60023f-3219-47ad-baa4-40e17cd02a1d", "type": "Role" },
+ { "id": "338163d7-f101-4c92-94ba-ca46fe52447c", "type": "Role" },
+ { "id": "cac88765-0581-4025-9725-5ebc13f729ee", "type": "Role" },
+ { "id": "75359482-378d-4052-8f01-80520e7db3cd", "type": "Role" },
+ { "id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30", "type": "Scope" },
+ { "id": "84bccea3-f856-4a8a-967b-dbe0a3d53a64", "type": "Scope" },
+ { "id": "280b3b69-0437-44b1-bc20-3b2fca1ee3e9", "type": "Scope" },
+ {
+ "id": "885f682f-a990-4bad-a642-36736a74b0c7",
+ "type": "Scope"
+ }
+ ]
+ },
+ {
+ "resourceAppId": "00000002-0000-0000-c000-000000000000",
+ "resourceAccess": [
+ { "id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": "Role" },
+ { "id": "a42657d6-7f20-40e3-b6f0-cee03008a62a", "type": "Scope" },
+ { "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope" }
+ ]
+ },
+ {
+ "resourceAppId": "fc780465-2017-40d4-a0c5-307022471b92",
+ "resourceAccess": [
+ { "id": "63a677ce-818c-4409-9d12-5c6d2e2a6bfe", "type": "Scope" },
+ { "id": "41269fc5-d04d-4bfd-bce7-43a51cea049a", "type": "Role" }
+ ]
+ },
+ {
+ "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
+ "resourceAccess": [
+ { "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c", "type": "Scope" },
+ { "id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role" }
+ ]
+ },
+ {
+ "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
+ "resourceAccess": [
+ { "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0", "type": "Scope" }
+ ]
+ },
+ {
+ "resourceAppId": "48ac35b8-9aa8-4d74-927d-1f4a14a0b239",
+ "resourceAccess": [
+ { "id": "e60370c1-e451-437e-aa6e-d76df38e5f15", "type": "Scope" }
+ ]
+ },
+ {
+ "resourceAppId": "c5393580-f805-4401-95e8-94b7a6ef2fc2",
+ "resourceAccess": [
+ { "id": "594c1fb6-4f81-4475-ae41-0c394909246c", "type": "Scope" }
+ ]
+ }
+ ]
+}
diff --git a/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 b/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1
index 32786d5bd89d7..06c813ebb712c 100644
--- a/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1
+++ b/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1
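Review bot: The two WindowsDefenderATP entries under resourceAppId `fc780465-2017-40d4-a0c5-307022471b92` look like they have their types swapped relative to the permission translator added earlier in this commit, which lists `63a677ce-…` (Vulnerability.Read.All) with Origin `Application (WindowsDefenderATP)` and `41269fc5-…` (Vulnerability.Read) with Origin `Delegated (WindowsDefenderATP)`, whereas this manifest requests the first as `"Scope"` and the second as `"Role"`. If the translator is right, the lines should read `{ "id": "63a677ce-818c-4409-9d12-5c6d2e2a6bfe", "type": "Role" }` and `{ "id": "41269fc5-d04d-4bfd-bce7-43a51cea049a", "type": "Scope" }`; a wrong type is not caught by JSON validation and would either fail consent or grant a different permission class than the one intended. The Graph block (`00000003-0000-0000-c000-000000000000`) also lists `{ "id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c", "type": "Role" }` twice; as far as I know Entra rejects duplicate resourceAccess entries on an application, so the second occurrence should be dropped. Since this file is what the consent flow applies, a one-off check that every id/type pair here agrees with the translator's Origin field would catch both before merge.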
@@ -6,96 +6,43 @@ function Set-CIPPCPVConsent { $ExecutingUser ) $Results = [System.Collections.ArrayList]@() - Set-Location (Get-Item $PSScriptRoot).Parent.FullName - $ExpectedPermissions = Get-Content '.\Cache_SAMSetup\SAMManifest.json' | ConvertFrom-Json - $Translator = Get-Content '.\Cache_SAMSetup\PermissionsTranslator.json' | ConvertFrom-Json + $Tenant = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenantfilter + $TenantName = $Tenant.defaultDomainName + $TenantFilter = $Tenant.customerId + try { - $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Tenantfilter - $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $env:ApplicationID + $DeleteOldPermissions = New-GraphpostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($env:ApplicationID)" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID + } catch { - + "There is no existing CPV Application Consent for $($TenantName). Adding a new application." 
} - if (!$ourSVCPrincipal) { - try { - $AppBody = @" + + try { + $AppBody = @" { - "ApplicationGrants":[ {"EnterpriseApplicationId":"00000003-0000-0000-c000-000000000000","Scope":"Application.ReadWrite.all,DelegatedPermissionGrant.ReadWrite.All"}], - "ApplicationId": "ed2d757e-dbab-439c-a2d3-1567de12d31f" + "ApplicationGrants":[ {"EnterpriseApplicationId":"00000003-0000-0000-c000-000000000000","Scope":"Application.ReadWrite.all,DelegatedPermissionGrant.ReadWrite.All,Directory.ReadWrite.All"}], + "ApplicationId": "$($ENV:applicationId)" } "@ - $CPVConsent = New-GraphpostRequest -body $AppBody -Type POST -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID - $Results.add("Succesfully added CPV Application") - $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id&`$top=999" -tenantid $Tenantfilter - $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $env:ApplicationID + $CPVConsent = New-GraphpostRequest -body $AppBody -Type POST -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID + $Table = Get-CIPPTable -TableName cpvtenants + $unixtime = [int64](([datetime]::UtcNow) - (Get-Date "1/1/1970")).TotalSeconds + $GraphRequest = @{ + LastApply = "$unixtime" + applicationId = "$($ENV:applicationId)" + Tenant = "$($tenantfilter)" + PartitionKey = 'Tenant' + RowKey = "$($tenantfilter)" + } + Add-AzDataTableEntity @Table -Entity $GraphRequest -Force + $Results.add("Successfully added CPV Application to tenant $($TenantName)") | Out-Null + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Added our Service Principal to $($TenantName): $($_.Exception.message)" -Sev 
"Info" -tenant $($Tenantfilter) - } - #TODO: after doing this, write to the table that we have done this for current applicationId, so that we don't ever have to do it again when running on a schedule. - - catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not add our Service Principal to the client tenant: $($_.Exception.message)" -Sev "Error" -tenant $($Tenantfilter) - return @("Could not add our Service Principal to the client tenant $($Tenantfilter): $($_.Exception.message)") - } - - } - else { - $Results.add("Application Exists, adding permissions") - } - #TODO: Add this as a function so we can use it for more than just our app - $CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $tenantfilter - - $Grants = foreach ($App in $ExpectedPermissions.requiredResourceAccess) { - $svcPrincipalId = $ServicePrincipalList | Where-Object -Property AppId -EQ $app.resourceAppId - if (!$svcPrincipalId) { continue } #If the app does not exist, we can't add permissions for it. E.g. Defender etc. 
- foreach ($SingleResource in $app.ResourceAccess | Where-Object -Property Type -EQ "Role") { - if ($singleresource.id -In $currentroles.appRoleId) { continue } - [pscustomobject]@{ - principalId = $($ourSVCPrincipal.id) - resourceId = $($svcPrincipalId.id) - appRoleId = "$($SingleResource.Id)" - } - } } - - foreach ($Grant in $grants) { - try { - $SettingsRequest = New-GraphPOSTRequest -body ($grant | ConvertTo-Json) -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo" -tenantid $tenantfilter -type POST - } - catch { - $Results.add("Failed to grant $($grant.appRoleId) to $($grant.resourceId): $($_.Exception.Message)") - } - } - - #Adding all required Delegated permissions - $CurrentDelegatedScopes = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/oauth2PermissionGrants" -tenantid $tenantfilter - foreach ($App in $ExpectedPermissions.requiredResourceAccess) { - $svcPrincipalId = $ServicePrincipalList | Where-Object -Property AppId -EQ $app.resourceAppId - if (!$svcPrincipalId) { continue } #If the app does not exist, we can't add permissions for it. E.g. Defender etc. 
- $NewScope = ($Translator | Where-Object { $_.id -in $app.ResourceAccess.id } | Where-Object { $_.value -notin 'profile', 'openid', 'offline_access' }).value -join ' ' - $OldScope = ($CurrentDelegatedScopes | Where-Object -Property Resourceid -EQ $svcPrincipalId.id) - if (!$OldScope) { - $Createbody = @{ - clientId = $ourSVCPrincipal.id - consentType = "AllPrincipals" - resourceId = $svcPrincipalId.id - scope = $NewScope - } | ConvertTo-Json -Compress - $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" -tenantid $tenantfilter -body $Createbody -type POST - $Results.add("Succesfully added permissions for $($svcPrincipalId.displayName)") - } - else { - $compare = Compare-Object -ReferenceObject $OldScope.scope.Split(' ') -DifferenceObject $NewScope.Split(' ') - if (!$compare) { - $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)") - continue - } - $Patchbody = @{ - scope = "$NewScope" - } | ConvertTo-Json -Compress - $Patchrequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($Oldscope.id)" -tenantid $tenantfilter -body $Patchbody -type PATCH - $Results.add("Succesfully updated permissions for $($svcPrincipalId.displayName)") - } - + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not add our Service Principal to the client tenant $($TenantName): $($_.Exception.message)" -Sev "Error" -tenant $($Tenantfilter) + return @("Could not add our Service Principal to the client tenant $($TenantName): $($_.Exception.message)") } return $Results -} \ No newline at end of file +} diff --git a/UpdatePermissions/run.ps1 b/UpdatePermissions/run.ps1 index ce7a307dad113..47e932e1581b5 100644 --- a/UpdatePermissions/run.ps1 +++ b/UpdatePermissions/run.ps1 
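Review bot: The tenant lookup at the top of the hunk has no guard for a miss: when `Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenantfilter` returns nothing, `$TenantFilter` becomes `$null` and both Partner Center calls go to `.../customers//applicationconsents...`, so a consent is attempted for an unresolved customer instead of failing early; add `if (-not $Tenant) { throw "Tenant $Tenantfilter not found in Get-Tenants" }` directly after the lookup. The bare string in the first `catch` and the un-suppressed `Add-AzDataTableEntity` both emit to the pipeline, so callers receive those values in front of `$Results` — route the message through `Write-LogMessage` or `Write-Host` and append `| Out-Null` to the table write. In the success-path `Write-LogMessage`, `$($_.Exception.message)` is evaluated outside any `catch`, so the Info message ends with an empty suffix; drop that fragment. The grant string now also requests `Directory.ReadWrite.All`; a one-line comment above `$AppBody` stating why that scope is required would help later audits of the consent. The function's `param` block starts above the hunk.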
@@ -1,34 +1,7 @@ # Input bindings are passed in via param block. param($Timer) -# Get the current universal time in the default string format. -$currentUTCtime = (Get-Date).ToUniversalTime() - -$Table = Get-CIPPTable -TableName cpvtenants -$CPVRows = Get-AzDataTableEntity @Table - $Tenants = get-tenants -$TenantList = $CPVRows.Tenant -foreach ($Row in $Tenants ) { - Write-Output "Processing tenants" - - if (!$CPVRows) { - Write-Output "No list available" - Push-OutputBinding -Name Msg -Value $row.customerId - continue - } - - if ($Row.customerId -notin $TenantList) { - Write-Output "Not in the list: $($row.customerId)" - Write-LogMessage -message "A New tenant has been added: $($row.defaultDomainName) with id $($row.customerId)" -Sev "Warn" -API "NewTenant" - Push-OutputBinding -Name Msg -Value $row.customerId - continue - - } - - if ($CPVRows | Where-Object { $_.Tenant -eq $row.customerId } | Where-Object { $_.LastApply -EQ $null -or (Get-Date $_.LastApply).AddDays(-14) -gt $currentUTCtime }) { - Write-Output "In list, Old age." - Push-OutputBinding -Name Msg -Value $row.customerId - continue - } +foreach ($Row in $Tenants) { + Push-OutputBinding -Name Msg -Value $row } \ No newline at end of file diff --git a/UpdatePermissionsQueue/run.ps1 b/UpdatePermissionsQueue/run.ps1 index a8f01f5572aa0..372049965cb41 100644 --- a/UpdatePermissionsQueue/run.ps1 +++ b/UpdatePermissionsQueue/run.ps1 
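Review bot: With the `LastApply` age check removed, the timer enqueues every tenant returned by `get-tenants` on every run, so the queue consumer re-applies permissions for all tenants each cycle rather than only new or stale ones; if that is intended, say so above the loop, e.g. `# Queue every tenant each run; the queue consumer decides whether CPV consent must be (re)created`. If a throttle is still wanted, the deleted `cpvtenants` lookup is where it belongs. `$Row` and `$row` differ only in case inside the loop; one spelling reads better.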
@@ -1,91 +1,15 @@ # Input bindings are passed in via param block. -param([string]$QueueItem, $TriggerMetadata) - -# Get the current universal time in the default string format. -Set-Location (Get-Item $PSScriptRoot).Parent.FullName -$TenantFilter = get-tenants | Where-Object customerId -EQ $QueueItem +param($QueueItem, $TriggerMetadata) +Write-Host "Applying permissions for $($QueueItem.defaultDomainName)" $Table = Get-CIPPTable -TableName cpvtenants -$APINAME = "CPV Permissions" -$Translator = Get-Content '.\Cache_SAMSetup\PermissionsTranslator.json' | ConvertFrom-Json -$ExpectedPermissions = Get-Content '.\Cache_SAMSetup\SAMManifest.json' | ConvertFrom-Json -try { - $DeleteOldPermissions = New-GraphpostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter.customerId)/applicationconsents/$($env:ApplicationID)" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID - -} -catch { - "no old permissions to delete, moving on" +$CPVRows = Get-AzDataTableEntity @Table | Where-Object -Property Tenant -EQ $QueueItem.customerId +if (!$CPVRows -or $ENV:ApplicationID -notin $CPVRows.applicationId) { + Write-LogMessage -message "A New tenant has been added, or a new CIPP-SAM Application is in use: $($queueitem.defaultDomainName) with id $($queueitem.customerId)" -Sev "Warn" -API "NewTenant" + Write-Host "Adding CPV permissions" + Set-CIPPCPVConsent -Tenantfilter $QueueItem.defaultDomainName } -$GraphRequest = $ExpectedPermissions.requiredResourceAccess | ForEach-Object { - try { - $Resource = $_ - $Permissionsname = switch ($Resource.ResourceAppId) { - '00000002-0000-0ff1-ce00-000000000000' { 'Office 365 Exchange Online' } - '00000003-0000-0000-c000-000000000000' { "Graph API" } - 'fc780465-2017-40d4-a0c5-307022471b92' { 'WindowsDefenderATP' } - '00000003-0000-0ff1-ce00-000000000000' { 'Sharepoint' } - '48ac35b8-9aa8-4d74-927d-1f4a14a0b239' { 'Skype and Teams Tenant Admin API' } - 
'c5393580-f805-4401-95e8-94b7a6ef2fc2' { 'Office 365 Management API' } - - - } - $Scope = ($Translator | Where-Object { $_.id -in $Resource.ResourceAccess.id } | Where-Object { $_.value -notin 'profile', 'openid', 'offline_access' }).value -join ', ' - if ($Scope) { - $RequiredCPVPerms = [PSCustomObject]@{ - EnterpriseApplicationId = $_.ResourceAppId - Scope = "$Scope" - } - $AppBody = @" -{ - "ApplicationGrants":[ $(ConvertTo-Json -InputObject $RequiredCPVPerms -Compress -Depth 10)], - "ApplicationId": "$($env:ApplicationID)" -} -"@ - $CPVConsent = New-GraphpostRequest -body $AppBody -Type POST -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter.customerId)/applicationconsents" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -Tenant $TenantFilter.defaultDomainName -message "Succesfully set CPV Permissions for $PermissionsName" -Sev "Error" - - "Succesfully set CPV permissions for $Permissionsname" - - } - } - catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -Tenant $TenantFilter.defaultDomainName -message "Could not set CPV permissions for $PermissionsName. Does the Tenant have a license for this API? Error: $($_.Exception.message)" -Sev "Error" - "Could not set CPV permissions for $PermissionsName. Does the Tenant have a license for this API? 
Error: $($_.Exception.message)" - } -} -$ourSVCPrincipal = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($ENV:applicationid)')" -tenantid $Tenantfilter.customerid - -# if the app svc principal exists, consent app permissions -$apps = $ExpectedPermissions -$Grants = foreach ($App in $apps.requiredResourceAccess) { - try { - $svcPrincipalId = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($app.resourceAppId)')" -tenantid $Tenantfilter.customerid - } - catch { - continue - } - foreach ($SingleResource in $app.ResourceAccess | Where-Object -Property Type -EQ "Role") { - if ($singleresource.id -In $currentroles.appRoleId) { continue } - [pscustomobject]@{ - principalId = $($ourSVCPrincipal.id) - resourceId = $($svcPrincipalId.id) - appRoleId = "$($SingleResource.Id)" - } - } -} -foreach ($Grant in $grants) { - try { - $SettingsRequest = New-GraphPOSTRequest -body ($grant | ConvertTo-Json) -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo" -tenantid $Tenantfilter.customerid -type POST - } - catch { - "Failed to grant $($grant.appRoleId) to $($grant.resourceId): $($_.Exception.Message). " - } -} +Add-CIPPApplicationPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $QueueItem.defaultDomainName +Add-CIPPDelegatedPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $QueueItem.defaultDomainName -$GraphRequest = @{ - LastApply = "$((Get-Date).ToString())" - Tenant = "$($tenantfilter.customerId)" - PartitionKey = 'Tenant' - RowKey = "$($tenantfilter.customerId)" -} -Add-AzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null +Write-LogMessage -message "Updated permissions for $QueueItem" -Sev "Info" -tenant $QueueItem.defaultDomainName -API "UpdatePermissionsQueue" From b06f529440ee38cf5e17c0dbcdd9105048f033db Mon Sep 17 00:00:00 2001 
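Review bot: The result of `Set-CIPPCPVConsent` is discarded, and per the `Set-CIPPCPVConsent.ps1` hunk earlier in this patch that function reports a failed consent by returning a `"Could not add ..."` string rather than throwing, so `Add-CIPPApplicationPermission` and `Add-CIPPDelegatedPermission` still run against a tenant where consent was never established; capture it (`$ConsentResult = Set-CIPPCPVConsent -Tenantfilter $QueueItem.defaultDomainName`) and log and stop when it is not the success message. The final `Write-LogMessage` interpolates `$QueueItem` directly, which is now an object rather than a customer id, so the log line will show a type name or property dump; use `"Updated permissions for $($QueueItem.defaultDomainName)"`. `Get-AzDataTableEntity @Table | Where-Object -Property Tenant -EQ ...` pulls the whole `cpvtenants` table before filtering; the `-Filter` form used elsewhere in this patch would keep the query server-side.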
From: KelvinTegelaar Date: Tue, 10 Oct 2023 21:03:58 +0200 Subject: [PATCH 36/79] fixes mfa state --- ListMFAUsers/run.ps1 | 92 +----------- ListMFAUsersAllTenants/run.ps1 | 139 +++---------------- Modules/CIPPCore/Public/Get-CIPPMFAState.ps1 | 102 ++++++++++++++ 3 files changed, 120 insertions(+), 213 deletions(-) create mode 100644 Modules/CIPPCore/Public/Get-CIPPMFAState.ps1 diff --git a/ListMFAUsers/run.ps1 b/ListMFAUsers/run.ps1 index 5830c84f11a4a..aeecf27a20e15 100644 --- a/ListMFAUsers/run.ps1 +++ b/ListMFAUsers/run.ps1 
@@ -11,97 +11,7 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -m Write-Host 'PowerShell HTTP trigger function processed a request.' if ($Request.query.TenantFilter -ne 'AllTenants') { - - $users = Get-CIPPMSolUsers -tenant $Request.query.TenantFilter - if (!$users) { - $users = foreach ($user in (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users?$select=id,UserPrincipalName,DisplayName,accountEnabled' -tenantid $Request.query.TenantFilter)) { - [PSCustomObject]@{ - UserPrincipalName = $user.UserPrincipalName - BlockCredential = $user.accountEnabled - DisplayName = $user.DisplayName - ObjectId = $user.id - StrongAuthenticationRequirements = @{StrongAuthenticationRequirement = @{state = 'Not Available - GDAP Only' } } - } - } - - } - $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $Request.query.TenantFilter ).IsEnabled - $CAState = New-Object System.Collections.ArrayList - - Try { - $MFARegistration = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails' -tenantid $Request.query.TenantFilter) - } - catch { - $CAState.Add('Not Licensed for Conditional Access') - $MFARegistration = $null - } - - if ($null -ne $MFARegistration) { - $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $Request.query.TenantFilter -ErrorAction Stop ) - - try { - $ExcludeAllUsers = New-Object System.Collections.ArrayList - $ExcludeSpecific = New-Object System.Collections.ArrayList - - foreach ($Policy in $CAPolicies) { - if (($policy.grantControls.builtincontrols -eq 'mfa') -or ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa')) { - if ($Policy.conditions.applications.includeApplications -ne 'All') { - Write-Host $Policy.conditions.applications.includeApplications - $CAState.Add("$($policy.displayName) - 
Specific Applications - $($policy.state)") | Out-Null - $Policy.conditions.users.excludeUsers.foreach({ $ExcludeSpecific.Add($_) }) - continue - } - if ($Policy.conditions.users.includeUsers -eq 'All') { - $CAState.Add("$($policy.displayName) - All Users - $($policy.state)") | Out-Null - $Policy.conditions.users.excludeUsers.foreach({ $ExcludeAllUsers.Add($_) }) - continue - } - } - } - } - catch { - } - } - - if ($CAState.count -eq 0) { $CAState.Add('None') | Out-Null } - - - # Interact with query parameters or the body of the request. - $GraphRequest = $Users | ForEach-Object { - Write-Host 'Processing users' - $UserCAState = New-Object System.Collections.ArrayList - foreach ($CA in $CAState) { - Write-Host 'Looping CAState' - if ($CA -like '*All Users*') { - if ($ExcludeAllUsers -contains $_.ObjectId) { $UserCAState.Add("Excluded from $($policy.displayName) - All Users") | Out-Null } - else { $UserCAState.Add($CA) | Out-Null } - } - elseif ($CA -like '*Specific Applications*') { - if ($ExcludeSpecific -contains $_.ObjectId) { $UserCAState.Add("Excluded from $($policy.displayName) - Specific Applications") | Out-Null } - else { $UserCAState.Add($CA) | Out-Null } - } - else { - Write-Host 'Adding to CA' - $UserCAState.Add($CA) | Out-Null - } - } - - $PerUser = if ($_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state -ne $null) { $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state } else { 'Disabled' } - $AccountState = if ($_.BlockCredential -eq $true) { $false } else { $true } - - $MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).IsMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).IsMFARegistered } - [PSCustomObject]@{ - ID = $_.ObjectId - UPN = $_.UserPrincipalName - DisplayName = $_.DisplayName - AccountEnabled = $AccountState - PerUser = $PerUser - isLicensed = $_.isLicensed - 
MFARegistration = $MFARegUser - CoveredByCA = ($UserCAState -join ', ') - CoveredBySD = $SecureDefaultsState - } - } + $GraphRequest = Get-CIPPMFAState -TenantFilter $Request.query.TenantFilter } else { $Table = Get-CIPPTable -TableName cachemfa diff --git a/ListMFAUsersAllTenants/run.ps1 b/ListMFAUsersAllTenants/run.ps1 index 7f0e356923ace..6c0e4dfd3841c 100644 --- a/ListMFAUsersAllTenants/run.ps1 +++ b/ListMFAUsersAllTenants/run.ps1 
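Review bot: The single-tenant branch now returns `Get-CIPPMFAState` output unchanged, and per the new `Get-CIPPMFAState.ps1` in this patch each record carries `Tenant`, `RowKey` and `PartitionKey` storage fields that the replaced inline code did not expose; if the API contract should stay as it was, filter them, e.g. `$GraphRequest = Get-CIPPMFAState -TenantFilter $Request.query.TenantFilter | Select-Object -ExcludeProperty RowKey, PartitionKey`. The call also has no error handling of its own, so an exception from the Graph calls inside `Get-CIPPMFAState` propagates to the enclosing function, which starts and ends outside this hunk.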
@@ -13,135 +13,30 @@ try { $GraphRequest = Get-Tenants | ForEach-Object -Parallel { $domainName = $_.defaultDomainName - $tenantName = $_.displayName Import-Module '.\GraphHelper.psm1' + Import-Module '.\modules\CippCore' $Table = Get-CIPPTable -TableName cachemfa - - try { - $users = Get-CIPPMSolUsers -tenant $domainName - if (!$users) { - $users = foreach ($user in (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users?$select=id,UserPrincipalName,DisplayName,accountEnabled' -tenantid $Request.query.TenantFilter)) { - [PSCustomObject]@{ - UserPrincipalName = $user.UserPrincipalName - BlockCredential = $user.accountEnabled - DisplayName = $user.DisplayName - ObjectId = $user.id - StrongAuthenticationRequirements = @{StrongAuthenticationRequirement = @{state = 'Not Available - GDAP Only' } } - } - } - - } - $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $domainName).IsEnabled - $CAState = New-Object System.Collections.ArrayList - $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $domainName -ErrorAction Stop ) - try { - $ExcludeAllUsers = New-Object System.Collections.ArrayList - $ExcludeSpecific = New-Object System.Collections.ArrayList - foreach ($Policy in $CAPolicies) { - if (($policy.grantControls.builtincontrols -eq 'mfa') -or ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa')) { - if ($Policy.conditions.applications.includeApplications -ne 'All') { - Write-Host $Policy.conditions.applications.includeApplications - $CAState.Add('Specific Applications') | Out-Null - $ExcludeSpecific = $Policy.conditions.users.excludeUsers - continue - } - if ($Policy.conditions.users.includeUsers -eq 'All') { - $CAState.Add('All Users') | Out-Null - $ExcludeAllUsers = $Policy.conditions.users.excludeUsers - continue - } - } - } - } - catch { - } - Try { - $MFARegistration = 
(New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails' -tenantid $domainName) - } - catch { - $CAState.Add('Not Licensed for Conditional Access') | Out-Null - $MFARegistration = $null - } - if ($CAState.length -eq 0) { $CAState.Add('None') | Out-Null } - - # Interact with query parameters or the body of the request. - $GraphRequest = $Users | ForEach-Object { - try { - $UserCAState = New-Object System.Collections.ArrayList - foreach ($CA in $CAState) { - if ($CA -eq 'All Users') { - if ($ExcludeAllUsers -contains $_.ObjectId) { $UserCAState.Add('Excluded from All Users') | Out-Null } - else { $UserCAState.Add($CA) | Out-Null } - } - elseif ($CA -eq 'Specific Applications') { - if ($ExcludeSpecific -contains $_.ObjectId) { $UserCAState.Add('Excluded from Specific Applications') | Out-Null } - else { $UserCAState.Add($CA) | Out-Null } - } - else { - $UserCAState.Add($CA) | Out-Null - } - } - - $PerUser = if ($_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state -ne $null) { $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state } else { 'Disabled' } - $AccountState = if ($_.BlockCredential -eq $true) { $false } else { $true } - $MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).IsMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).IsMFARegistered } - @{ - Tenant = "$tenantName" - UPN = "$($_.UserPrincipalName)" - AccountEnabled = [boolean]$AccountState - PerUser = "$PerUser" - isLicensed = "$($_.isLicensed)" - MFARegistration = [boolean]$MFARegUser - CoveredByCA = [string]($UserCAState -join ', ') - CoveredBySD = [boolean]$SecureDefaultsState - RowKey = [string]($_.UserPrincipalName).replace('#', '') - PartitionKey = 'users' - } - } - catch { - @{ - Tenant = "$tenantName" - UPN = "$($_.UserPrincipalName)" - AccountEnabled = [boolean]$AccountState - 
isLicensed = [boolean]$_.isLicensed - PerUser = "$PerUser" - MFARegistration = [boolean]$MFARegUser - CoveredByCA = [string]($UserCAState -join ', ') - CoveredBySD = [boolean]$SecureDefaultsState - RowKey = [string]$_.UserPrincipalName - PartitionKey = 'users' - } - } - } - Write-Host $tenantName - #Write-Host ($GraphRequest | ConvertTo-Json -Compress) - if ($GraphRequest) { - Add-AzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null - } - } - catch { - - $Table = Get-CIPPTable -TableName cachemfa - @{ - Tenant = [string]$tenantName - UPN = [string]$domainName - AccountEnabled = 'none' - PerUser = 'none' - MFARegistration = 'none' - CoveredByCA = [string]'Could not connect to tenant' - CoveredBySD = 'none' - RowKey = [string]"$domainName" - PartitionKey = 'users' - } + $GraphRequest = Get-CIPPMFAState -TenantFilter $domainName + if ($GraphRequest) { Add-AzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null - } } - $status = 'Completed' } catch { - $Status = 'Error' + $Table = Get-CIPPTable -TableName cachemfa + $GraphRequest = @{ + Tenant = [string]$tenantName + UPN = [string]$domainName + AccountEnabled = 'none' + PerUser = [string]'Could not connect to tenant' + MFARegistration = 'none' + CoveredByCA = [string]'Could not connect to tenant' + CoveredBySD = 'none' + RowKey = [string]"$domainName" + PartitionKey = 'users' + } + Add-AzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null } finally { - Update-CippQueueEntry -RowKey $QueueItem -Status $Status + Update-CippQueueEntry -RowKey $QueueItem -Status "Completed" } diff --git a/Modules/CIPPCore/Public/Get-CIPPMFAState.ps1 b/Modules/CIPPCore/Public/Get-CIPPMFAState.ps1 new file mode 100644 index 0000000000000..c51b4ee90fae3 --- /dev/null +++ b/Modules/CIPPCore/Public/Get-CIPPMFAState.ps1 
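Review bot: The outer `catch` writes `Tenant = [string]$tenantName` and `UPN = [string]$domainName`, but `$tenantName = $_.displayName` is removed in this hunk and `$domainName` is assigned only inside the `ForEach-Object -Parallel` runspace, so at that point both are empty and the fallback row is written with an empty `RowKey`, which either fails the table write or collapses every failure into one row. The per-tenant `try`/`catch` that lived inside the parallel block is gone, so a failing tenant may now end the whole pipeline and the fallback row cannot say which tenant failed. The `finally` reports `"Completed"` unconditionally where the old code set `$Status = 'Error'` in the catch; keep the `$Status` variable so the queue entry reflects the failure. The enclosing `try` starts above the hunk.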
@@ -0,0 +1,102 @@ + +function Get-CIPPMFAState { + [CmdletBinding()] + param ( + $TenantFilter, + $APIName = "Get MFA Status", + $ExecutingUser + ) + + $users = foreach ($user in (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users?$select=id,UserPrincipalName,DisplayName,accountEnabled,assignedLicenses' -tenantid $TenantFilter)) { + [PSCustomObject]@{ + UserPrincipalName = $user.UserPrincipalName + isLicensed = [boolean]$user.assignedLicenses.skuid + accountEnabled = $user.accountEnabled + DisplayName = $user.DisplayName + ObjectId = $user.id + StrongAuthenticationRequirements = @{StrongAuthenticationRequirement = @{state = 'See Documentation' } } + } + } + + $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $TenantFilter ).IsEnabled + $CAState = New-Object System.Collections.ArrayList + + Try { + $MFARegistration = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails' -tenantid $TenantFilter) + } + catch { + $CAState.Add('Not Licensed for Conditional Access') + $MFARegistration = $null + } + + if ($null -ne $MFARegistration) { + $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $TenantFilter -ErrorAction Stop ) + + try { + $ExcludeAllUsers = New-Object System.Collections.ArrayList + $ExcludeSpecific = New-Object System.Collections.ArrayList + + foreach ($Policy in $CAPolicies) { + if (($policy.grantControls.builtincontrols -eq 'mfa') -or ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa')) { + if ($Policy.conditions.applications.includeApplications -ne 'All') { + Write-Host $Policy.conditions.applications.includeApplications + $CAState.Add("$($policy.displayName) - Specific Applications - $($policy.state)") | Out-Null + $Policy.conditions.users.excludeUsers.foreach({ $ExcludeSpecific.Add($_) }) + continue + } + if 
($Policy.conditions.users.includeUsers -eq 'All') { + $CAState.Add("$($policy.displayName) - All Users - $($policy.state)") | Out-Null + $Policy.conditions.users.excludeUsers.foreach({ $ExcludeAllUsers.Add($_) }) + continue + } + } + } + } + catch { + } + } + + if ($CAState.count -eq 0) { $CAState.Add('None') | Out-Null } + + + # Interact with query parameters or the body of the request. + $GraphRequest = $Users | ForEach-Object { + Write-Host 'Processing users' + $UserCAState = New-Object System.Collections.ArrayList + foreach ($CA in $CAState) { + Write-Host 'Looping CAState' + if ($CA -like '*All Users*') { + if ($ExcludeAllUsers -contains $_.ObjectId) { $UserCAState.Add("Excluded from $($policy.displayName) - All Users") | Out-Null } + else { $UserCAState.Add($CA) | Out-Null } + } + elseif ($CA -like '*Specific Applications*') { + if ($ExcludeSpecific -contains $_.ObjectId) { $UserCAState.Add("Excluded from $($policy.displayName) - Specific Applications") | Out-Null } + else { $UserCAState.Add($CA) | Out-Null } + } + else { + Write-Host 'Adding to CA' + $UserCAState.Add($CA) | Out-Null + } + } + + $PerUser = if ($_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state -ne $null) { $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state } else { 'Disabled' } + + $MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).IsMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).IsMFARegistered } + [PSCustomObject]@{ + Tenant = $TenantFilter + ID = $_.ObjectId + UPN = $_.UserPrincipalName + DisplayName = $_.DisplayName + AccountEnabled = $_.accountEnabled + PerUser = $PerUser + isLicensed = $_.isLicensed + MFARegistration = $MFARegUser + CoveredByCA = ($UserCAState -join ', ') + CoveredBySD = $SecureDefaultsState + RowKey = [string]($_.UserPrincipalName).replace('#', '') + PartitionKey = 'users' + } + + } + 
return $GraphRequest +} \ No newline at end of file From 032450dac4413e936574388aee90f390402f2e53 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Tue, 10 Oct 2023 21:41:18 +0200 Subject: [PATCH 37/79] added errorhandling --- ListMFAUsersAllTenants/run.ps1 | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/ListMFAUsersAllTenants/run.ps1 b/ListMFAUsersAllTenants/run.ps1 index 6c0e4dfd3841c..f6afa90cf0a72 100644 --- a/ListMFAUsersAllTenants/run.ps1 +++ b/ListMFAUsersAllTenants/run.ps1 @@ -17,9 +17,20 @@ try { Import-Module '.\modules\CippCore' $Table = Get-CIPPTable -TableName cachemfa $GraphRequest = Get-CIPPMFAState -TenantFilter $domainName - if ($GraphRequest) { - Add-AzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null + if (!$GraphRequest) { + $GraphRequest = @{ + Tenant = [string]$tenantName + UPN = [string]$domainName + AccountEnabled = 'none' + PerUser = [string]'Could not connect to tenant' + MFARegistration = 'none' + CoveredByCA = [string]'Could not connect to tenant' + CoveredBySD = 'none' + RowKey = [string]"$domainName" + PartitionKey = 'users' + } } + Add-AzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null } } catch { From d78998ed8f5bfc1fdf83e5a58bd9be2ebc27ccb0 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Tue, 10 Oct 2023 17:22:59 -0400 Subject: [PATCH 38/79] GraphRequests Change Tenant to TenantFilter --- ListPartnerRelationships/run.ps1 | 24 +++--- .../Entrypoints/Invoke-ListGraphRequest.ps1 | 8 +- .../Push-ListGraphRequestQueue.ps1 | 6 +- .../GraphRequests/Get-GraphRequestList.ps1 | 78 +++++++++++++++---- 4 files changed, 86 insertions(+), 30 deletions(-) diff --git a/ListPartnerRelationships/run.ps1 b/ListPartnerRelationships/run.ps1 index e9fff1c026dd1..4a6d47d586c73 100644 --- a/ListPartnerRelationships/run.ps1 +++ b/ListPartnerRelationships/run.ps1 
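Review bot: In the per-user loop the two "Excluded from" messages interpolate `$($policy.displayName)`, but `$policy` there is whatever the earlier `foreach ($Policy in $CAPolicies)` left last, not the policy the user is excluded from, so with more than one MFA policy the report names the wrong one; `$CA` already carries the policy's display name and state, so `"Excluded from $CA"` gives the right label (the exclusion lists themselves are still merged across policies, which a later change should key per policy). `$CAState.Add('Not Licensed for Conditional Access')` in the `catch` lacks `| Out-Null`, so the index it returns is emitted ahead of `$GraphRequest` and ends up in the function's output. The `Write-Host 'Processing users'`/`'Looping CAState'` lines run once per user per policy and belong in `Write-Verbose`, the `$APIName` and `$ExecutingUser` parameters are never read, and the empty `catch { }` after the policy loop hides any parsing error so an unparsed policy silently drops out of the report; log there at minimum. A comment-based help block stating what `CoveredByCA`, `CoveredBySD` and `PerUser` mean — in particular that `PerUser` is always `'See Documentation'` in this implementation — would help callers.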
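Review bot: `Tenant = [string]$tenantName` in the new fallback record is always empty, because `$tenantName` is no longer assigned inside the parallel block (the preceding commit removed `$tenantName = $_.displayName`), so the "Could not connect" row carries no tenant name; re-add `$tenantName = $_.displayName` next to `$domainName` or use `$_.displayName` directly. The `if (!$GraphRequest)` test only covers `Get-CIPPMFAState` returning nothing; its Graph calls are not wrapped in `try`/`catch` in the new file, so a real connection failure will presumably throw out of the parallel block rather than reach this branch, while a tenant with zero users would be mislabelled as unreachable — wrap the call in `try { $GraphRequest = Get-CIPPMFAState -TenantFilter $domainName } catch { $GraphRequest = $null }` if the placeholder is meant to cover errors. The enclosing `try` starts above the hunk.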
@@ -7,24 +7,24 @@ $APIName = $TriggerMetadata.FunctionName Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' try { - $GraphRequestList = @{ - Endpoint = 'policies/crossTenantAccessPolicy/partners' - Tenant = $Request.Query.TenantFilter - QueueNameOverride = 'Partner Relationships' - ReverseTenantLookup = $true - } - $GraphRequest = Get-GraphRequestList @GraphRequestList + $GraphRequestList = @{ + Endpoint = 'policies/crossTenantAccessPolicy/partners' + TenantFilter = $Request.Query.TenantFilter + QueueNameOverride = 'Partner Relationships' + ReverseTenantLookup = $true + } + $GraphRequest = Get-GraphRequestList @GraphRequestList } catch { - $GraphRequest = @() + $GraphRequest = @() } $StatusCode = [HttpStatusCode]::OK $results = [PSCustomObject]@{ - Results = @($GraphRequest) + Results = @($GraphRequest) } # Associate values to output bindings by calling 'Push-OutputBinding'. Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = $StatusCode - Body = $results - }) + StatusCode = $StatusCode + Body = $results + }) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 index e36bbe85eb338..e6f2f4e3ff40e 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListGraphRequest.ps1 @@ -1,6 +1,10 @@ function Invoke-ListGraphRequest { - # Input bindings are passed in via param block. + <# + .FUNCTIONALITY + Entrypoint + #> + [CmdletBinding()] param($Request, $TriggerMetadata) $APIName = $TriggerMetadata.FunctionName @@ -50,7 +54,7 @@ function Invoke-ListGraphRequest { } if ($Request.Query.TenantFilter) { - $GraphRequestParams.Tenant = $Request.Query.TenantFilter + $GraphRequestParams.TenantFilter = $Request.Query.TenantFilter } if ($Request.Query.QueueId) { 
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 index 8d3ea706de4b7..b383a245b3d3d 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Push-ListGraphRequestQueue.ps1 @@ -1,4 +1,8 @@ function Push-ListGraphRequestQueue { + <# + .FUNCTIONALITY + Entrypoint + #> # Input bindings are passed in via param block. param($QueueItem, $TriggerMetadata) @@ -26,7 +30,7 @@ function Push-ListGraphRequestQueue { Get-AzDataTableEntity @Table -Filter $Filter | Remove-AzDataTableEntity @Table $GraphRequestParams = @{ - Tenant = $QueueItem.Tenant + TenantFilter = $QueueItem.TenantFilter Endpoint = $QueueItem.Endpoint Parameters = $QueueItem.Parameters NoPagination = $QueueItem.NoPagination diff --git a/Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1 b/Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1 index e04f4e9af019b..ed7a9a6b63c21 100644 --- a/Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1 +++ b/Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1 
@@ -1,7 +1,54 @@ function Get-GraphRequestList { + <# + .SYNOPSIS + Execute a Graph query + + .PARAMETER TenantFilter + Tenant to query (or AllTenants) + + .PARAMETER Endpoint + Graph API endpoint + + .PARAMETER Parameters + API Parameters + + .PARAMETER QueueId + Queue Id + + .PARAMETER CippLink + Reference link for queueing + + .PARAMETER Version + API Version - v1.0 or beta + + .PARAMETER QueueNameOverride + Queue name to set + + .PARAMETER SkipCache + Skip Caching + + .PARAMETER ClearCache + Clear cached results + + .PARAMETER NoPagination + Disable pagination + + .PARAMETER CountOnly + Only return count of results + + .PARAMETER NoAuthCheck + Skip auth check + + .PARAMETER ReverseTenantLookup + Perform reverse tenant lookup + + .PARAMETER ReverseTenantLookupProperty + Property to perform reverse tenant lookup + + #> [CmdletBinding()] Param( - [string]$Tenant = $env:TenantId, + [string]$TenantFilter = $env:TenantId, [Parameter(Mandatory = $true)] [string]$Endpoint, [hashtable]$Parameters = @{}, @@ -46,12 +93,12 @@ function Get-GraphRequestList { $Filter = "QueueId eq '{0}'" -f $QueueId $Rows = Get-AzDataTableEntity @Table -Filter $Filter $Type = 'Queue' - } elseif ($Tenant -eq 'AllTenants' -or (!$SkipCache.IsPresent -and !$ClearCache.IsPresent -and !$CountOnly.IsPresent)) { + } elseif ($TenantFilter -eq 'AllTenants' -or (!$SkipCache.IsPresent -and !$ClearCache.IsPresent -and !$CountOnly.IsPresent)) { $Table = Get-CIPPTable -TableName $TableName - if ($Tenant -eq 'AllTenants') { + if ($TenantFilter -eq 'AllTenants') { $Filter = "PartitionKey eq '{0}' and QueueType eq 'AllTenants'" -f $PartitionKey } else { - $Filter = "PartitionKey eq '{0}' and Tenant eq '{1}'" -f $PartitionKey, $Tenant + $Filter = "PartitionKey eq '{0}' and Tenant eq '{1}'" -f $PartitionKey, $TenantFilter } #Write-Host $Filter $Rows = Get-AzDataTableEntity @Table -Filter $Filter | Where-Object { $_.Timestamp.DateTime -gt (Get-Date).ToUniversalTime().AddHours(-1) } 
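Review bot: In the second hunk, `$Filter = "PartitionKey eq '{0}' and Tenant eq '{1}'" -f $PartitionKey, $TenantFilter` formats a caller-controlled value straight into the table query; Invoke-ListGraphRequest (earlier in this commit) fills `TenantFilter` from `$Request.Query.TenantFilter`, so a value containing a single quote breaks or alters the OData filter. Either escape it as OData requires, `$SafeTenant = $TenantFilter -replace "'", "''"`, and format `$SafeTenant` into the string, or validate the value against the known tenant list before it reaches the query. The same applies to the `QueueId eq '{0}'` filter a few lines above (context). The `[string]` type on the parameter does not constrain the content.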
@@ -62,17 +109,17 @@ function Get-GraphRequestList { } Write-Host "Cached: $(($Rows | Measure-Object).Count) rows (Type: $($Type))" - $QueueReference = '{0}-{1}' -f $Tenant, $PartitionKey + $QueueReference = '{0}-{1}' -f $TenantFilter, $PartitionKey $RunningQueue = Get-CippQueue | Where-Object { $_.Reference -eq $QueueReference -and $_.Status -ne 'Completed' -and $_.Status -ne 'Failed' } if (!$Rows) { - switch ($Tenant) { + switch ($TenantFilter) { 'AllTenants' { if ($SkipCache) { Get-Tenants -IncludeErrors | ForEach-Object -Parallel { Import-Module .\GraphHelper.psm1 $GraphRequestParams = @{ - Tenant = $_.defaultDomainName + TenantFilter = $_.defaultDomainName Endpoint = $using:Endpoint Parameters = $using:Parameters NoPagination = $using:NoPagination.IsPresent @@ -95,8 +142,9 @@ function Get-GraphRequestList { Write-Host 'Queue currently running' Write-Host ($RunningQueue | ConvertTo-Json) [PSCustomObject]@{ - Tenant = 'Data still processing, please wait' - QueueId = $RunningQueue.RowKey + QueueMessage = 'Data still processing, please wait' + QueueId = $RunningQueue.RowKey + Queued = $true } } else { $Queue = New-CippQueueEntry -Name "$QueueName (All Tenants)" -Link $CippLink -Reference $QueueReference @@ -108,9 +156,9 @@ function Get-GraphRequestList { Write-Host 'Pushing output bindings' try { Get-Tenants -IncludeErrors | ForEach-Object { - $Tenant = $_.defaultDomainName + $TenantFilter = $_.defaultDomainName $QueueTenant = @{ - Tenant = $Tenant + TenantFilter = $TenantFilter Endpoint = $Endpoint QueueId = $Queue.RowKey QueueName = $QueueName @@ -134,7 +182,7 @@ function Get-GraphRequestList { default { $GraphRequest = @{ uri = $GraphQuery.ToString() - tenantid = $Tenant + tenantid = $TenantFilter ComplexFilter = $true } 
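Review bot: In the `@@ -108,9 +156,9 @@` hunk, `$TenantFilter = $_.defaultDomainName` inside `Get-Tenants -IncludeErrors | ForEach-Object { … }` assigns to the function's own parameter (a ForEach-Object script block runs in the caller's scope), so after the loop `$TenantFilter` holds the last tenant's domain rather than `'AllTenants'`; the rename carries this over from the old `$Tenant`. Any later use of `$TenantFilter` in that branch (outside the hunk) would see the wrong value, and the name now collides with the parameter it documents. Building the entry directly, `$QueueTenant = @{ TenantFilter = $_.defaultDomainName …`, avoids the reassignment.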
@@ -169,7 +217,7 @@ function Get-GraphRequestList { } else { $Queue = New-CippQueueEntry -Name $QueueName -Link $CippLink -Reference $QueueReference $QueueTenant = @{ - Tenant = $Tenant + TenantFilter = $TenantFilter Endpoint = $Endpoint QueueId = $Queue.RowKey QueueName = $QueueName @@ -183,7 +231,7 @@ function Get-GraphRequestList { Push-OutputBinding -Name QueueItem -Value $QueueTenant [PSCustomObject]@{ - QueueMessage = ('Loading {0} rows for {1}. Please check back after the job completes' -f $Count, $Tenant) + QueueMessage = ('Loading {0} rows for {1}. Please check back after the job completes' -f $Count, $TenantFilter) QueueId = $Queue.RowKey Queued = $true } @@ -192,7 +240,7 @@ function Get-GraphRequestList { } if (!$QueueThresholdExceeded) { - $GraphRequestResults = New-GraphGetRequest @GraphRequest -ErrorAction Stop | Select-Object *, @{l = 'Tenant'; e = { $Tenant } }, @{l = 'CippStatus'; e = { 'Good' } } + $GraphRequestResults = New-GraphGetRequest @GraphRequest -ErrorAction Stop | Select-Object *, @{l = 'Tenant'; e = { $TenantFilter } }, @{l = 'CippStatus'; e = { 'Good' } } if ($ReverseTenantLookup -and $GraphRequestResults) { $TenantInfo = $GraphRequestResults.$ReverseTenantLookupProperty | Sort-Object -Unique | ForEach-Object { New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/findTenantInformationByTenantId(tenantId='$_')" -noauthcheck $true -asApp:$true -tenant $env:TenantId From 921419b504ff260a390e557e3e90c66f08e23be7 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Tue, 10 Oct 2023 20:25:41 -0400 Subject: [PATCH 39/79] Add entrypoint designation Filter on Functionality property in Get-Help --- .../Public/Entrypoints/Invoke-ExecUserSettings.ps1 | 4 ++++ .../Entrypoints/Invoke-ListFunctionParameters.ps1 | 10 ++++++++-- .../Public/Entrypoints/Invoke-ListUserSettings.ps1 | 7 +++++-- .../Entrypoints/Push-AddAlertSubscription_Queue.ps1 | 4 ++++ 4 files changed, 21 insertions(+), 4 deletions(-) 
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecUserSettings.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecUserSettings.ps1 index 7c2f56081eafc..5fd4e0064fe74 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecUserSettings.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecUserSettings.ps1 @@ -1,6 +1,10 @@ using namespace System.Net function Invoke-ExecUserSettings { + <# + .FUNCTIONALITY + Entrypoint + #> param($Request, $TriggerMetadata) $APIName = $TriggerMetadata.FunctionName diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 index b4b3382bd237b..63d1f7f0ccf6c 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 @@ -1,6 +1,10 @@ using namespace System.Net function Invoke-ListFunctionParameters { + <# + .FUNCTIONALITY + Entrypoint + #> # Input bindings are passed in via param block. param($Request, $TriggerMetadata) @@ -29,6 +33,8 @@ function Invoke-ListFunctionParameters { $Functions = Get-Command @CommandQuery $Results = foreach ($Function in $Functions) { if ($Function -In $TemporaryBlacklist) { continue } + $Help = Get-Help $Function + if ($Help.Functionality -eq 'Entrypoint') { continue } $Parameters = foreach ($Key in $Function.Parameters.Keys) { if ($CommonParameters -notcontains $Key) { $Param = $Function.Parameters.$Key @@ -40,13 +46,13 @@ function Invoke-ListFunctionParameters { } [PSCustomObject]@{ Function = $Function.Name + Synopsis = $Help.Synopsis Parameters = @($Parameters) } } $StatusCode = [HttpStatusCode]::OK $Results - } - catch { + } catch { $Results = "Function Error: $($_.Exception.Message)" $StatusCode = [HttpStatusCode]::BadRequest } 
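Review bot: In the Invoke-ListFunctionParameters `@@ -29,6 +33,8 @@` hunk, `if ($Help.Functionality -eq 'Entrypoint') { continue }` only excludes commands whose comment-based help carries the `.FUNCTIONALITY` block; an entrypoint that lacks it falls through to the listing, with the hard-coded `$TemporaryBlacklist` as the only backstop. Since this endpoint exposes parameter metadata for every command it returns, it may be worth noting in a comment that the tag is opt-in, e.g. `# Only functions that declare .FUNCTIONALITY Entrypoint are hidden; undocumented entrypoints are still listed`, or inverting the check to an allowlist of intended commands. The `Get-Help $Function` call is also made before the exclusion, so it runs for commands that are then skipped.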
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserSettings.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserSettings.ps1 index be2a948cfa9c7..1c440995de168 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserSettings.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserSettings.ps1 @@ -1,6 +1,10 @@ using namespace System.Net function Invoke-ListUserSettings { + <# + .FUNCTIONALITY + Entrypoint + #> param($Request, $TriggerMetadata) $APIName = $TriggerMetadata.FunctionName @@ -14,8 +18,7 @@ function Invoke-ListUserSettings { $UserSettings = $UserSettings | Select-Object -ExpandProperty JSON | ConvertFrom-Json -Depth 10 -ErrorAction SilentlyContinue $StatusCode = [HttpStatusCode]::OK $Results = $UserSettings - } - catch { + } catch { $Results = "Function Error: $($_.Exception.Message)" $StatusCode = [HttpStatusCode]::BadRequest } diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-AddAlertSubscription_Queue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-AddAlertSubscription_Queue.ps1 index 4651cc31b1cb4..611be3f2a23a2 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Push-AddAlertSubscription_Queue.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Push-AddAlertSubscription_Queue.ps1 @@ -1,4 +1,8 @@ function Push-AddAlertSubscription_Queue { + <# + .FUNCTIONALITY + Entrypoint + #> # Input bindings are passed in via param block. param($QueueItem, $TriggerMetadata) From 127b3886548d01fb559a5764b004e834829bc5d6 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Tue, 10 Oct 2023 21:28:52 -0400 Subject: [PATCH 40/79] Add parameter descriptions --- .../Public/Entrypoints/Invoke-ListFunctionParameters.ps1 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 index 63d1f7f0ccf6c..c9df21cad59c7 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 @@ -34,13 +34,16 @@ function Invoke-ListFunctionParameters { $Results = foreach ($Function in $Functions) { if ($Function -In $TemporaryBlacklist) { continue } $Help = Get-Help $Function + $ParamsHelp = ($Help | Select-Object -ExpandProperty parameters).parameter | Select-Object name, @{n = 'description'; exp = { $_.description.Text } } if ($Help.Functionality -eq 'Entrypoint') { continue } $Parameters = foreach ($Key in $Function.Parameters.Keys) { if ($CommonParameters -notcontains $Key) { $Param = $Function.Parameters.$Key + $ParamHelp = $ParamsHelp | Where-Object { $_.name -eq $Key } [PSCustomObject]@{ - Name = $Key - Type = $Param.ParameterType.FullName + Name = $Key + Type = $Param.ParameterType.FullName + Description = $ParamHelp.description } } } From 17816e9ec23c4e14c6f33c8129c713fd59fac2bd Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Wed, 11 Oct 2023 12:19:06 +0200 Subject: [PATCH 41/79] Added failed tennat handling --- ListMFAUsersAllTenants/run.ps1 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ListMFAUsersAllTenants/run.ps1 b/ListMFAUsersAllTenants/run.ps1 index f6afa90cf0a72..f357954cc5550 100644 --- a/ListMFAUsersAllTenants/run.ps1 +++ b/ListMFAUsersAllTenants/run.ps1 @@ -16,7 +16,12 @@ try { Import-Module '.\GraphHelper.psm1' Import-Module '.\modules\CippCore' $Table = Get-CIPPTable -TableName cachemfa - $GraphRequest = Get-CIPPMFAState -TenantFilter $domainName + Try { + $GraphRequest = Get-CIPPMFAState -TenantFilter $domainName -ErrorAction Stop + } + catch { + $GraphRequest = $null + } if (!$GraphRequest) { $GraphRequest = @{ Tenant = [string]$tenantName From b288e607498feea41997309eb40e40c6bbc0ea7c Mon Sep 17 00:00:00 2001 
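Review bot: `$ParamsHelp = ($Help | Select-Object -ExpandProperty parameters).parameter | …` is computed before `if ($Help.Functionality -eq 'Entrypoint') { continue }`, so the parameter help is assembled for every command that is then discarded; moving the line below the `continue` avoids the wasted work. `$_.description.Text` yields one string per help paragraph, so `Description` is presumably an array for multi-paragraph descriptions rather than a single string — confirm that the consumer expects that.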
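Review bot: The new `catch { $GraphRequest = $null }` around `Get-CIPPMFAState` discards the exception, so the reason a tenant could not be queried is lost and the placeholder row only says "Could not connect to tenant". Log it before clearing the result, e.g. `catch { Write-LogMessage -API 'ListMFAUsersAllTenants' -tenant $domainName -message "Could not get MFA state: $($_.Exception.Message)" -sev Error; $GraphRequest = $null }`, so the failure is traceable. The enclosing `try` of the script opens outside the hunk.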
From: KelvinTegelaar Date: Wed, 11 Oct 2023 19:16:34 +0200 Subject: [PATCH 42/79] Fixes #https://github.com/KelvinTegelaar/CIPP/issues/1750 --- ExecEditTemplate/run.ps1 | 21 ++++++++---- .../Public/Set-CIPPIntuneTemplate.ps1 | 32 +++++++++++++++++++ 2 files changed, 47 insertions(+), 6 deletions(-) create mode 100644 Modules/CIPPCore/Public/Set-CIPPIntuneTemplate.ps1 diff --git a/ExecEditTemplate/run.ps1 b/ExecEditTemplate/run.ps1 index 54c3cc33635f8..4a4d1d4bf7a5f 100644 --- a/ExecEditTemplate/run.ps1 +++ b/ExecEditTemplate/run.ps1 @@ -12,13 +12,22 @@ try { $guid = $request.body.guid $JSON = $request.body | Select-Object * -ExcludeProperty GUID | ConvertTo-Json $Type = $request.Query.Type - Add-AzDataTableEntity @Table -Entity @{ - JSON = "$JSON" - RowKey = "$GUID" - PartitionKey = "$Type" - GUID = "$GUID" + + if ($Type -eq "IntuneTemplate") { + write-host "Intune Template" + write-host "" + $RawJSON = $request.body | Select-Object * -ExcludeProperty displayName, description, type, GUID | ConvertTo-Json -Depth 10 -Compress + Set-CIPPIntuneTemplate -RawJSON $RawJSON -GUID $GUID -DisplayName $Request.body.displayName -Description $Request.body.description -templateType $Request.body.type + } + else { + Add-AzDataTableEntity @Table -Entity @{ + JSON = "$JSON" + RowKey = "$GUID" + PartitionKey = "$Type" + GUID = "$GUID" + } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Edited template $($Request.body.name) with GUID $GUID" -Sev "Debug" } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Edited template $($Request.body.name) with GUID $GUID" -Sev "Debug" $body = [pscustomobject]@{ "Results" = "Successfully saved the template" } } diff --git a/Modules/CIPPCore/Public/Set-CIPPIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Set-CIPPIntuneTemplate.ps1 new file mode 100644 index 0000000000000..10155ccecc8db --- /dev/null +++ b/Modules/CIPPCore/Public/Set-CIPPIntuneTemplate.ps1 
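Review bot: In the ExecEditTemplate hunk, the `Write-LogMessage … "Edited template …"` call now sits only in the `else` branch, so edits of Intune templates are no longer logged as edits by this script; they depend on Set-CIPPIntuneTemplate's own log line, which records the operation as "Created". Keeping the log call after the `if`/`else`, as it was, preserves the audit record for both paths. `write-host ""` and `write-host "Intune Template"` look like leftover debugging output.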
@@ -0,0 +1,32 @@
+function Set-CIPPIntuneTemplate {
+ param (
+ [Parameter(Mandatory = $true)]
+ $RawJSON,
+ $GUID,
+ $DisplayName,
+ $Description,
+ $templateType
+ )
+
+ if (!$DisplayName) { throw "You must enter a displayname" }
+ if ($null -eq ($RawJSON | ConvertFrom-Json)) { throw "the JSON is invalid" }
+
+ $object = [PSCustomObject]@{
+ Displayname = $DisplayName
+ Description = $Description
+ RAWJson = $RawJSON
+ Type = $templateType
+ GUID = $GUID
+ } | ConvertTo-Json -Depth 10 -Compress
+ $Table = Get-CippTable -tablename 'templates'
+ $Table.Force = $true
+ Add-AzDataTableEntity @Table -Entity @{
+ JSON = "$object"
+ RowKey = "$GUID"
+ GUID = "$GUID"
+ PartitionKey = "IntuneTemplate"
+ }
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created intune policy template named $($Request.body.displayname) with GUID $GUID" -Sev "Debug"
+
+ return "Successfully added template"
+}
From 3587e93a70cc2370d2aea11f98c64bf389723d03 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Wed, 11 Oct 2023 16:47:51 -0400 Subject: [PATCH 43/79] Limit functions to public visibility --- .../Public/Entrypoints/Invoke-ListFunctionParameters.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1
index c9df21cad59c7..13395bcac219f 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1
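Review bot: The `Write-LogMessage` line in Set-CIPPIntuneTemplate reads `$request`, `$APINAME` and `$Request.body.displayname`, none of which are parameters of the function; it works only because the HTTP entrypoint happens to have them in a parent scope, and from any other caller the user attribution and API name in the audit log are empty. Take them as parameters the way Remove-CIPPMailboxPermissions on this page does, adding `$APIName` and `$ExecutingUser` to the `param` block and logging with `Write-LogMessage -user $ExecutingUser -API $APIName -message "Created intune policy template named $DisplayName with GUID $GUID" -Sev "Debug"`. `$GUID` is optional but becomes the `RowKey`, so a missing value presumably fails at `Add-AzDataTableEntity` rather than at validation; a `[Parameter(Mandatory = $true)]` on it would surface that earlier.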
@@ -30,7 +30,7 @@ function Invoke-ListFunctionParameters {
 #temporary until I clean up the coremodule and move things private.
 $TemporaryBlacklist = 'Get-CIPPAuthentication', 'Invoke-CippWebhookProcessing', 'Invoke-ListFunctionParameters', 'New-CIPPAPIConfig', 'New-CIPPGraphSubscription.ps1'
 try {
- $Functions = Get-Command @CommandQuery
+ $Functions = Get-Command @CommandQuery | Where-Object { $_.Visibility -eq 'Public' }
 $Results = foreach ($Function in $Functions) {
 if ($Function -In $TemporaryBlacklist) { continue }
 $Help = Get-Help $Function
From 88ad58cbdc4c28d18893738d99f4060a8229b040 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Thu, 12 Oct 2023 01:43:23 +0200 Subject: [PATCH 44/79] allow adding of the ticket type --- .../Private/New-HaloPSATicket.ps1 | 40 ++++++++++--------- 1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1 b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1
index ada78c4b377e9..c2feb7888fec0 100644
--- a/Modules/CippExtensions/Private/New-HaloPSATicket.ps1
+++ b/Modules/CippExtensions/Private/New-HaloPSATicket.ps1
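Review bot: `Where-Object { $_.Visibility -eq 'Public' }` filters on CommandInfo.Visibility, which is the session-state visibility used for constrained runspaces and is `Public` for essentially every command Get-Command returns; it is not the module's export scope, so this most likely does not narrow the list as the commit title suggests. If the intent is to hide non-exported helpers, checking the module's exported commands (for example against `(Get-Module CIPPCore).ExportedCommands.Keys`) would express that; the `@CommandQuery` splat is outside the hunk, so I cannot see whether it already restricts the module. Note also that `'New-CIPPGraphSubscription.ps1'` in the `$TemporaryBlacklist` context line carries a file suffix and can never equal a command name, so that entry is a no-op.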
@@ -10,25 +10,29 @@ function New-HaloPSATicket { $Configuration = ((Get-AzDataTableEntity @Table).config | ConvertFrom-Json).HaloPSA $token = Get-HaloToken -configuration $Configuration - #use the token to create a new ticket in HaloPSA - $body = ConvertTo-Json -Compress -Depth 10 -InputObject @( - [PSCustomObject]@{ - files = $null - usertype = 1 - userlookup = @{ - id = -1 - lookupdisplay = "Enter Details Manually" - } - client_id = $client - site_id = $null - user_name = $null - reportedby = $null - summary = $title - details_html = $description - donotapplytemplateintheapi = $true - attachments = @() + $Object = [PSCustomObject]@{ + files = $null + usertype = 1 + userlookup = @{ + id = -1 + lookupdisplay = "Enter Details Manually" } - ) + client_id = $client + site_id = $null + user_name = $null + reportedby = $null + summary = $title + details_html = $description + donotapplytemplateintheapi = $true + attachments = @() + } + + if ($Configuration.TicketType) { + $object | Add-Member -MemberType NoteProperty -Name "tickettype_id" -Value $Configuration.TicketType + } + #use the token to create a new ticket in HaloPSA + $body = ConvertTo-Json -Compress -Depth 10 -InputObject @($Object) + Write-Host "Sending ticket to HaloPSA" Write-Host $body From 62be9f8944b254b02279c161d33e65634ccf0ea1 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 00:18:15 +0200 Subject: [PATCH 45/79] added remove mailbox permissions cmdlet --- .../Public/Remove-CIPPMailboxPermissions.ps1 | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 Modules/CIPPCore/Public/Remove-CIPPMailboxPermissions.ps1 diff --git a/Modules/CIPPCore/Public/Remove-CIPPMailboxPermissions.ps1 b/Modules/CIPPCore/Public/Remove-CIPPMailboxPermissions.ps1 new file mode 100644 index 0000000000000..232d532beff70 --- /dev/null +++ b/Modules/CIPPCore/Public/Remove-CIPPMailboxPermissions.ps1 
@@ -0,0 +1,21 @@
+function Remove-CIPPMailboxPermissions {
+ [CmdletBinding()]
+ param (
+ $userid,
+ $AccessUser,
+ $TenantFilter,
+ $APIName = "Manage Shared Mailbox Access",
+ $ExecutingUser
+ )
+
+ try {
+ $permissions = New-ExoRequest -tenantid $TenantFilter -cmdlet "Remove-MailboxPermission" -cmdParams @{Identity = $userid; user = $AccessUser } -Anchor $userid
+ Write-LogMessage -user $ExecutingUser -API $APIName -message "Removed $($AccessUser) from $($userid)'s mailbox." -Sev "Info" -tenant $TenantFilter
+ return "Removed $($AccessUser) from $($userid)'s mailbox."
+
+ }
+ catch {
+ Write-LogMessage -user $ExecutingUser -API $APIName -message "Could not remove mailbox permissions for $($userid). Error: $($_.Exception.Message)" -Sev "Error" -tenant $TenantFilter
+ return "Could not remove mailbox permissions for $($userid). Error: $($_.Exception.Message)"
+ }
+}
From 284f783aa0f73e6ea52912d2682424fb5bf931a6 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 01:32:19 +0200 Subject: [PATCH 46/79] allow adding of custom attributes --- AddUser/run.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/AddUser/run.ps1 b/AddUser/run.ps1
index 12e321b2f93ba..f6ab759134a70 100644
--- a/AddUser/run.ps1
+++ b/AddUser/run.ps1
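Review bot: The `catch` block returns a plain string just like the success path, so a caller of Remove-CIPPMailboxPermissions cannot distinguish failure from success without parsing the text; after logging, rethrow or return a structured result, e.g. `throw "Could not remove mailbox permissions for $($userid). Error: $($_.Exception.Message)"`. `$permissions` is assigned and never read; `$null = New-ExoRequest …` makes the discard explicit. Remove-MailboxPermission normally also needs `-AccessRights` alongside `-Identity`/`-User` — confirm the call succeeds without it, since a binding failure here would be logged as an error on every invocation.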
@@ -36,6 +36,14 @@ try { } } if ($userobj.businessPhone) { $bodytoShip | Add-Member -NotePropertyName businessPhones -NotePropertyValue @($userobj.businessPhone) } + if ($userobj.addedAttributes) { + Write-Host "Found added attribute" + Write-Host "Added attributes: $($userobj.addedAttributes | ConvertTo-Json)" + $userobj.addedAttributes.getenumerator() | ForEach-Object { + "Adding property $($_.Key) with value $($_.value)" + $bodytoShip | Add-Member -NotePropertyName $_.Key -NotePropertyValue $_.Value + } + } $bodyToShip = ConvertTo-Json -Depth 10 -InputObject $BodyToship -Compress $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users" -tenantid $Userobj.tenantid -type POST -body $BodyToship -verbose Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Created user $($userobj.displayname) with id $($GraphRequest.id) " -Sev "Info" From d6278eabe5c3bdeebf34c6d98ea7b1e2e5db5c80 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 01:41:16 +0200 Subject: [PATCH 47/79] small logging improvement. --- AddUser/run.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/AddUser/run.ps1 b/AddUser/run.ps1 index f6ab759134a70..f2bac94e00f62 100644 --- a/AddUser/run.ps1 +++ b/AddUser/run.ps1 @@ -40,7 +40,7 @@ try { Write-Host "Found added attribute" Write-Host "Added attributes: $($userobj.addedAttributes | ConvertTo-Json)" $userobj.addedAttributes.getenumerator() | ForEach-Object { - "Adding property $($_.Key) with value $($_.value)" + $results.add("Added property $($_.Key) with value $($_.value)") $bodytoShip | Add-Member -NotePropertyName $_.Key -NotePropertyValue $_.Value } } From 73cd0e8812c801e84c807b4502320b17867187ec Mon Sep 17 00:00:00 2001 
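Review bot: `$bodytoShip | Add-Member -NotePropertyName $_.Key -NotePropertyValue $_.Value` copies every key of the request's `addedAttributes` onto the Graph user object unchanged, so the caller controls which user properties are sent to `POST /beta/users`, not just the custom attributes the feature is meant for; validating each key against an allowlist of the attributes the UI offers before the `Add-Member` keeps the body shape under the script's control. `Add-Member` without `-Force` also throws when a key duplicates a property already on `$bodytoShip` (for instance `businessPhones`, set on the context line just above), which aborts the whole create inside the `try`; rejecting such keys explicitly gives a clearer error than the generic binding failure. The `Write-Host "Added attributes: …ConvertTo-Json"` line writes every submitted value to the function log — worth a comment if that is intended. The enclosing `try` opens outside the hunk.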
From: John Duprey Date: Thu, 12 Oct 2023 21:07:36 -0400 Subject: [PATCH 48/79] Scheduler - Nested object support --- AddScheduledItem/run.ps1 | 49 +++++++++++++++++++++++++++--------- ExecScheduledCommand/run.ps1 | 2 +- Scheduler_UserTasks/run.ps1 | 15 ++++++----- 3 files changed, 45 insertions(+), 21 deletions(-) diff --git a/AddScheduledItem/run.ps1 b/AddScheduledItem/run.ps1 index 8568323c6059f..6b34139309980 100644 --- a/AddScheduledItem/run.ps1 +++ b/AddScheduledItem/run.ps1 
@@ -7,20 +7,45 @@ $Table = Get-CIPPTable -TableName 'ScheduledTasks' $propertiesToCheck = @('Webhook', 'Email', 'PSA') $PostExecution = ($propertiesToCheck | Where-Object { $task.PostExecution.$_ -eq $true }) -join ',' -$Parameters = ($task.Parameters | ConvertTo-Json -Compress) + +$Parameters = [System.Collections.Hashtable]@{} +foreach ($Key in $task.Parameters.Keys) { + $Param = $task.Parameters.$Key + if ($Param.Key) { + $ht = @{} + foreach ($p in $Param) { + Write-Host $p.Key + $ht[$p.Key] = $p.Value + } + $Parameters[$Key] = [PSCustomObject]$ht + } else { + $Parameters[$Key] = $Param + } +} + +$Parameters = ($Parameters | ConvertTo-Json -Compress) + +$AdditionalProperties = [System.Collections.Hashtable]@{} +foreach ($Prop in $task.AdditionalProperties) { + $AdditionalProperties[$Prop.Key] = $Prop.Value +} +$AdditionalProperties = ([PSCustomObject]$AdditionalProperties | ConvertTo-Json -Compress) + + if ($Parameters -eq 'null') { $Parameters = '' } $entity = @{ - PartitionKey = [string]'ScheduledTask' - TaskState = [string]'Planned' - RowKey = [string]"$(New-Guid)" - Tenant = [string]$task.TenantFilter - Name = [string]$task.Name - Command = [string]$task.Command.value - Parameters = [string]$Parameters - ScheduledTime = [string]$task.ScheduledTime - Recurrence = [string]$task.Recurrence.value - PostExecution = [string]$PostExecution - Results = 'Planned' + PartitionKey = [string]'ScheduledTask' + TaskState = [string]'Planned' + RowKey = [string]"$(New-Guid)" + Tenant = [string]$task.TenantFilter + Name = [string]$task.Name + Command = [string]$task.Command.value + Parameters = [string]$Parameters + ScheduledTime = [string]$task.ScheduledTime + Recurrence = [string]$task.Recurrence.value + PostExecution = [string]$PostExecution + AdditionalProperties = [string]$AdditionalProperties + Results = 'Planned' } Write-Host "entity: $($entity | ConvertTo-Json)" Add-AzDataTableEntity @Table -Entity $entity 
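Review bot: `$AdditionalProperties[$Prop.Key] = $Prop.Value` and `$ht[$p.Key] = $p.Value` index a hashtable with a value taken straight from the request; if an entry has no `Key` the null subscript throws and the whole script fails at that line, so a guard such as `if ($null -ne $Prop.Key) { … }` (or skipping with `continue`) would be safer. `Write-Host $p.Key` reads as leftover debugging. `foreach ($Key in $task.Parameters.Keys)` presumes `$task.Parameters` is a hashtable; if the request body arrives as a PSCustomObject, `.Keys` is null and the loop silently produces an empty parameter set — confirm the input type at the caller.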
diff --git a/ExecScheduledCommand/run.ps1 b/ExecScheduledCommand/run.ps1 index faef5ae522595..fed27bba15799 100644 --- a/ExecScheduledCommand/run.ps1 +++ b/ExecScheduledCommand/run.ps1 @@ -51,7 +51,7 @@ switch -wildcard ($task.PostExecution) { 'TaskInfo' = $QueueItem.TaskInfo 'Results' = $Results } - Send-CIPPAlert -Type 'webhook' -Title $title -JSONContent $($Webhook | ConvertTo-Json) + Send-CIPPAlert -Type 'webhook' -Title $title -JSONContent $($Webhook | ConvertTo-Json -Depth 20) } } diff --git a/Scheduler_UserTasks/run.ps1 b/Scheduler_UserTasks/run.ps1 index af9effa413378..b487941e93e48 100644 --- a/Scheduler_UserTasks/run.ps1 +++ b/Scheduler_UserTasks/run.ps1 @@ -5,7 +5,7 @@ $Filter = "TaskState eq 'Planned' or TaskState eq 'Failed - Planned'" $tasks = Get-AzDataTableEntity @Table -Filter $Filter foreach ($task in $tasks) { $tenant = $task.Tenant - $currentUnixTime = [int64](([datetime]::UtcNow) - (Get-Date "1/1/1970")).TotalSeconds + $currentUnixTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds if ($currentUnixTime -ge $task.ScheduledTime) { try { Update-AzDataTableEntity @Table -Entity @{ 
@@ -15,27 +15,26 @@ foreach ($task in $tasks) { TaskState = 'Running' } $task.Parameters = $task.Parameters | ConvertFrom-Json -AsHashtable + $task.AdditionalProperties = $task.AdditionalProperties | ConvertFrom-Json if (!$task.Parameters) { $task.Parameters = @{} } $ScheduledCommand = [pscustomobject]@{ Command = $task.Command - Parameters = $task.Parameters + Parameters = $task.Parameters TaskInfo = $task } - if ($task.Tenant -eq "AllTenants") { + if ($task.Tenant -eq 'AllTenants') { $Results = Get-Tenants | ForEach-Object { $ScheduledCommand.Parameters['TenantFilter'] = $_.defaultDomainName Push-OutputBinding -Name Msg -Value $ScheduledCommand } - } - else { + } else { $ScheduledCommand.Parameters['TenantFilter'] = $task.Tenant $Results = Push-OutputBinding -Name Msg -Value $ScheduledCommand } - } - catch { + } catch { $errorMessage = $_.Exception.Message Update-AzDataTableEntity @Table -Entity @{ @@ -45,7 +44,7 @@ foreach ($task in $tasks) { ExecutedTime = "$currentUnixTime" TaskState = 'Failed' } - Write-LogMessage -API "Scheduler_UserTasks" -tenant $tenant -message "Failed to execute task $($task.Name): $errorMessage" -sev Error + Write-LogMessage -API 'Scheduler_UserTasks' -tenant $tenant -message "Failed to execute task $($task.Name): $errorMessage" -sev Error } } } \ No newline at end of file From b2bf93b9b507e1d24273e3c870d87d82d678d5d6 Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Fri, 13 Oct 2023 08:32:03 +0100 Subject: [PATCH 49/79] Update Invoke-CIPPWebhookProcessing.ps1 --- Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 index 2b7b6e29621f1..2c4902ef1f0ae 100644 --- a/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 +++ b/Modules/CIPPCore/Public/Invoke-CIPPWebhookProcessing.ps1 
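Review bot: `$task.AdditionalProperties = $task.AdditionalProperties | ConvertFrom-Json` assigns to a property that rows created before this commit do not have; if Get-AzDataTableEntity only materialises columns present on the entity (as it appears to), setting a missing property on the object throws, the `catch` marks the task `Failed`, and every pre-existing planned task stops running. Guard it the way the next line guards `Parameters`, e.g. `if ($task.AdditionalProperties) { $task.AdditionalProperties = $task.AdditionalProperties | ConvertFrom-Json }`, or use `Add-Member -Force` so the property is created when absent.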
@@ -219,10 +219,10 @@ function Invoke-CippWebhookProcessing { } | ConvertTo-Json -Depth 15 -Compress if ($Title) { Write-Host 'Sending alert to email' - Send-CIPPAlert -Type 'email' -Title $title -HTMLContent $HTML + Send-CIPPAlert -Type 'email' -Title $title -HTMLContent $HTML -TenantFilter $TenantFilter Write-Host 'Sending alert to webhook' - Send-CIPPAlert -Type 'webhook' -Title $title -JSONContent $JsonContent + Send-CIPPAlert -Type 'webhook' -Title $title -JSONContent $JsonContent -TenantFilter $TenantFilter Write-Host 'Sending alert to PSA' - Send-CIPPAlert -Type 'psa' -Title $title -HTMLContent $HTML + Send-CIPPAlert -Type 'psa' -Title $title -HTMLContent $HTML -TenantFilter $TenantFilter } } From 3438dd34d810b13775855334b7c9954c7c470c7d Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Fri, 13 Oct 2023 09:55:10 +0100 Subject: [PATCH 50/79] Update Send-CIPPAlert.ps1 --- Modules/CIPPCore/Public/Send-CIPPAlert.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 b/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 index eea1166b81b25..d0a855b76897c 100644 --- a/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 +++ b/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 
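Review bot: The three `Send-CIPPAlert … -TenantFilter $TenantFilter` calls bind a parameter that this commit does not show being added to Send-CIPPAlert's `param` block, and the Send-CIPPAlert hunks in the following commit (`@@ -34,12 +34,12 @@`, `@@ -66,12 +66,12 @@`) likewise use `$TenantFilter` without declaring it. If the parameter was not added elsewhere, the calls here fail with a "parameter cannot be found" binding error and no alert is sent at all; if it was, the log entries are fine. Worth confirming the param block, which is outside both hunks.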
@@ -34,12 +34,12 @@ function Send-CIPPAlert { $JSONBody = ConvertTo-Json -Compress -Depth 10 -InputObject $PowerShellBody New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -NoAuthCheck $true -type POST -body ($JSONBody) } - Write-LogMessage -API 'Webhook Alerts' -message "Sent a webhook alert to email: $Title" -sev info + Write-LogMessage -API 'Webhook Alerts' -message "Sent a webhook alert to email: $Title" -tenant $TenantFilter -sev info } catch { Write-Host "Could not send webhook alert to email: $($_.Exception.message)" - Write-LogMessage -API 'Webhook Alerts' -message "Could not send webhook alerts to email. $($_.Exception.message)" -sev info + Write-LogMessage -API 'Webhook Alerts' -message "Could not send webhook alerts to email. $($_.Exception.message)" -tenant $TenantFilter -sev info } } @@ -66,12 +66,12 @@ function Send-CIPPAlert { } } - Write-LogMessage -API 'Webhook Alerts' -message "Sent Webhook alert $title to External webhook" -sev info + Write-LogMessage -API 'Webhook Alerts' -message "Sent Webhook alert $title to External webhook" -tenant $TenantFilter -sev info } catch { Write-Host "Could not send alerts to webhook: $($_.Exception.message)" - Write-LogMessage -API 'Webhook Alerts' -message "Could not send alerts to webhook: $($_.Exception.message)" -sev info + Write-LogMessage -API 'Webhook Alerts' -message "Could not send alerts to webhook: $($_.Exception.message)" -tenant $TenantFilter -sev info } } Write-Host "Trying to send to PSA" From 57f24ea8ebaecd1b00cd4634f4bf617ff8c0a191 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 12:38:49 +0200 Subject: [PATCH 51/79] upped version --- version_latest.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_latest.txt b/version_latest.txt index ecedc98d1d5a2..64b5ae3938a00 100644 --- a/version_latest.txt +++ b/version_latest.txt @@ -1 +1 @@ -4.3.1 \ No newline at end of file +4.4.0 \ No newline at end of file 
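Review bot: Both catch blocks in this hunk, and the pair in the second hunk of this commit, record a failed delivery with `-sev info`, so a broken email or webhook channel is indistinguishable from a successful send in the log table; the added `-tenant $TenantFilter` is fine, but the failure lines should read e.g. `Write-LogMessage -API 'Webhook Alerts' -message "Could not send webhook alerts to email. $($_.Exception.message)" -tenant $TenantFilter -sev Error`. `$TenantFilter` is consumed here as a function variable; if it was not also added to Send-CIPPAlert's param block (outside this hunk) the new `-TenantFilter` argument passed from Invoke-CIPPWebhookProcessing in the previous commit will fail to bind. The param block and the PSA branch are outside the hunk.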
From 40045ecf11c171f212b09944b050cde57a11eb7b Mon Sep 17 00:00:00 2001 From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com> Date: Fri, 13 Oct 2023 12:43:36 +0200 Subject: [PATCH 52/79] Delete .github/workflows/dev_cipppwrro.yml --- .github/workflows/dev_cipppwrro.yml | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100644 .github/workflows/dev_cipppwrro.yml diff --git a/.github/workflows/dev_cipppwrro.yml b/.github/workflows/dev_cipppwrro.yml deleted file mode 100644 index 726d88d3e2878..0000000000000 --- a/.github/workflows/dev_cipppwrro.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy Powershell project to Azure Function App - cipppwrro - -on: - push: - branches: - - dev - workflow_dispatch: - -env: - AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - -jobs: - build-and-deploy: - runs-on: windows-latest - steps: - - name: 'Checkout GitHub Action' - uses: actions/checkout@v2 - - - name: 'Run Azure Functions Action' - uses: Azure/functions-action@v1 - id: fa - with: - app-name: 'cipppwrro' - slot-name: 'Production' - package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} - publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_7CFCA05390754624B5492AF7ECD3D826 }} From 9a1e5e5d301b1e3f438f4c0b5041adeacff2c754 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com> Date: Fri, 13 Oct 2023 12:43:45 +0200 Subject: [PATCH 53/79] Delete .github/workflows/dev_cippexdyr.yml --- .github/workflows/dev_cippexdyr.yml | 29 ----------------------------- 1 file changed, 29 deletions(-) delete mode 100644 .github/workflows/dev_cippexdyr.yml 
diff --git a/.github/workflows/dev_cippexdyr.yml b/.github/workflows/dev_cippexdyr.yml deleted file mode 100644 index 260977a37c4e3..0000000000000 --- a/.github/workflows/dev_cippexdyr.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy Powershell project to Azure Function App - cippexdyr - -on: - push: - branches: - - dev - workflow_dispatch: - -env: - AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - -jobs: - build-and-deploy: - runs-on: windows-latest - steps: - - name: 'Checkout GitHub Action' - uses: actions/checkout@v2 - - - name: 'Run Azure Functions Action' - uses: Azure/functions-action@v1 - id: fa - with: - app-name: 'cippexdyr' - slot-name: 'Production' - package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} - publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_E034296DFC754683A45A6A9B4B8E4382 }} From b28c4d457c431c60dfb865253d994567d0764e8e Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 16:49:05 +0200 Subject: [PATCH 54/79] fixes bug with halo tenant selection --- Modules/CippExtensions/Private/Get-HaloToken.ps1 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Modules/CippExtensions/Private/Get-HaloToken.ps1 b/Modules/CippExtensions/Private/Get-HaloToken.ps1 index 9e3bc5434e418..2a9cda303da23 100644 --- a/Modules/CippExtensions/Private/Get-HaloToken.ps1 +++ b/Modules/CippExtensions/Private/Get-HaloToken.ps1 
@@ -11,10 +11,11 @@ function Get-HaloToken { client_secret = (Get-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name 'HaloPSA' -AsPlainText) scope = 'all' } - if ($Configuration.tenant) { $Tenant = "?tenant=$($Configuration.tenant)"} + if (![string]::IsNullOrEmpty($Configuration.tenant)) { $Tenant = "?tenant=$($Configuration.tenant)" } $token = Invoke-RestMethod -Uri "$($Configuration.AuthURL)/token$Tenant" -Method Post -Body $body -ContentType 'application/x-www-form-urlencoded' return $token - } else { + } + else { throw 'No Halo configuration' } } \ No newline at end of file From 1c03c9f4c2b4da2347b290cb0c1297ee4eb3d47c Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 16:54:32 +0200 Subject: [PATCH 55/79] added troubleshooting text --- Scheduler_CIPPNotifications/run.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1 index 0addf8cd56b3b..1ea78e3401577 100644 --- a/Scheduler_CIPPNotifications/run.ps1 +++ b/Scheduler_CIPPNotifications/run.ps1 @@ -156,7 +156,7 @@ if ($config.sendtoIntegration) { } catch { Write-Host "Could not send alerts to ticketing system: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to : $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to ticketing system: $($_.Exception.message)" -sev info } } From 09c90218e903d1585abc1acbb7dfed62820d4e85 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 16:57:52 +0200 Subject: [PATCH 56/79] halo hotfix --- version_latest.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_latest.txt b/version_latest.txt index 64b5ae3938a00..4f3470c1664f9 100644 --- a/version_latest.txt +++ b/version_latest.txt @@ -1 +1 @@ -4.4.0 \ No newline at end of file +4.4.1 \ No newline at end of file 
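Review bot: `$Tenant` is only assigned when `$Configuration.tenant` is non-empty, so in the empty case the interpolation `"$($Configuration.AuthURL)/token$Tenant"` can pick up a `$Tenant` from an enclosing scope rather than an empty string; initialise it first with `$Tenant = ''`. The tenant value is also placed in the query string unencoded; `$Tenant = "?tenant=$([uri]::EscapeDataString($Configuration.tenant))"` keeps a value containing `&` or `#` from altering the request. The split `}` / `else {` layout also diverges from the `} else {` form the other commits in this series are converging on. The enclosing `if` and the function body continue outside the hunk.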
From 5211284e6d746c26307ff327024d22fd25b761fa Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Fri, 13 Oct 2023 16:39:33 +0100 Subject: [PATCH 57/79] Added better logging to alerts Added additional logging to alerts --- Scheduler_CIPPNotifications/run.ps1 | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1 index 0addf8cd56b3b..93d6ff112a258 100644 --- a/Scheduler_CIPPNotifications/run.ps1 +++ b/Scheduler_CIPPNotifications/run.ps1 @@ -49,6 +49,7 @@ try { } "@ New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody) + Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev info } } } @@ -78,12 +79,13 @@ try { } "@ New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody) + Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev info } } } catch { Write-Host "Could not send alerts to email: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -message "Could not send alerts to: $($_.Exception.message)" -tenant $Tenant -sev error } @@ -119,7 +121,7 @@ try { Invoke-RestMethod -Uri $config.webhook -Method POST -ContentType 'Application/json' -Body $JSONBody } } - + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Sent Webhook to $($config.webhook) " -tenant $Tenant -sev info } $UpdateLogs = $CurrentLog | ForEach-Object { 
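Review bot: The new line in the third hunk passes `-tenant $Tenant` twice (`Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Sent Webhook to $($config.webhook) " -tenant $Tenant -sev info`), which PowerShell rejects at parameter binding, so the success-path call throws and lands in the webhook catch block; drop one of them. The message also writes `$config.webhook` itself into the log table, and webhook URLs for common chat integrations carry their authorisation token in the path, so anyone with log-read access learns the secret; log a fixed string or the host only, e.g. `-message "Sent alerts to webhook ($(([uri]$config.webhook).Host))"`. The same duplicate parameter and URL logging reappear unchanged in the re-apply of this commit (PATCH 60) and the URL logging survives the later edits in PATCH 70 and PATCH 74. The fourth and fifth hunks also keep the incomplete text `"Could not send alerts to : ..."` that the email branch in the second hunk completes.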
@@ -132,7 +134,7 @@ try { } catch { Write-Host "Could not send alerts to webhook: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -tenant $Tenant -sev error } if ($config.sendtoIntegration) { @@ -153,10 +155,11 @@ if ($config.sendtoIntegration) { Add-AzDataTableEntity @Table -Entity $UpdateLogs -Force } } + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "alerts to PSA" -sev info } catch { Write-Host "Could not send alerts to ticketing system: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to : $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to : $($_.Exception.message)" -sev error } } From 19f6d175cbd5dc9176f3ec61b97e5c19da3c1ef5 Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Fri, 13 Oct 2023 16:54:46 +0100 Subject: [PATCH 58/79] Revert "Added better logging to alerts" This reverts commit 5211284e6d746c26307ff327024d22fd25b761fa. --- Scheduler_CIPPNotifications/run.ps1 | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1 index 93d6ff112a258..0addf8cd56b3b 100644 --- a/Scheduler_CIPPNotifications/run.ps1 +++ b/Scheduler_CIPPNotifications/run.ps1 @@ -49,7 +49,6 @@ try { } "@ New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody) - Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev info } } } 
@@ -79,13 +78,12 @@ try { } "@ New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody) - Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev info } } } catch { Write-Host "Could not send alerts to email: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -message "Could not send alerts to: $($_.Exception.message)" -tenant $Tenant -sev error + Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -sev info } @@ -121,7 +119,7 @@ try { Invoke-RestMethod -Uri $config.webhook -Method POST -ContentType 'Application/json' -Body $JSONBody } } - Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Sent Webhook to $($config.webhook) " -tenant $Tenant -sev info + } $UpdateLogs = $CurrentLog | ForEach-Object { @@ -134,7 +132,7 @@ try { } catch { Write-Host "Could not send alerts to webhook: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -tenant $Tenant -sev error + Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -sev info } if ($config.sendtoIntegration) { @@ -155,11 +153,10 @@ if ($config.sendtoIntegration) { Add-AzDataTableEntity @Table -Entity $UpdateLogs -Force } } - Write-LogMessage -API 'Alerts' -tenant $Tenant -message "alerts to PSA" -sev info } catch { Write-Host "Could not send alerts to ticketing system: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to : $($_.Exception.message)" -sev error + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to : $($_.Exception.message)" -sev info } } From 8d34c3d8ef0462af1cc92d5f8dbbdd5c5087bd56 Mon Sep 17 00:00:00 2001 
From: BNWEIN Date: Fri, 13 Oct 2023 16:58:27 +0100 Subject: [PATCH 59/79] Update run.ps1 --- Scheduler_CIPPNotifications/run.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1 index 0addf8cd56b3b..1ea78e3401577 100644 --- a/Scheduler_CIPPNotifications/run.ps1 +++ b/Scheduler_CIPPNotifications/run.ps1 @@ -156,7 +156,7 @@ if ($config.sendtoIntegration) { } catch { Write-Host "Could not send alerts to ticketing system: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to : $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to ticketing system: $($_.Exception.message)" -sev info } } From dcd30be245cd5c7021b407543d098e8901af6960 Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Fri, 13 Oct 2023 17:01:02 +0100 Subject: [PATCH 60/79] Added additional logging to alerts Added additional logging --- Scheduler_CIPPNotifications/run.ps1 | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1 index 1ea78e3401577..59d8066f67e12 100644 --- a/Scheduler_CIPPNotifications/run.ps1 +++ b/Scheduler_CIPPNotifications/run.ps1 @@ -49,6 +49,7 @@ try { } "@ New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody) + Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev info } } } 
@@ -78,12 +79,13 @@ try { } "@ New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody) + Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev info } } } catch { Write-Host "Could not send alerts to email: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -message "Could not send alerts to: $($_.Exception.message)" -tenant $Tenant -sev error } @@ -119,7 +121,7 @@ try { Invoke-RestMethod -Uri $config.webhook -Method POST -ContentType 'Application/json' -Body $JSONBody } } - + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Sent Webhook to $($config.webhook) " -tenant $Tenant -sev info } $UpdateLogs = $CurrentLog | ForEach-Object { @@ -132,7 +134,7 @@ try { } catch { Write-Host "Could not send alerts to webhook: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -message "Could not send alerts to : $($_.Exception.message)" -tenant $Tenant -sev error } if ($config.sendtoIntegration) { @@ -153,10 +155,11 @@ if ($config.sendtoIntegration) { Add-AzDataTableEntity @Table -Entity $UpdateLogs -Force } } + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "alerts to PSA" -sev info } catch { Write-Host "Could not send alerts to ticketing system: $($_.Exception.message)" - Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to ticketing system: $($_.Exception.message)" -sev info + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Could not send alerts to ticketing system: $($_.Exception.message)" -sev Error } } From eca4beb1d949b7daab210f304408c59aa9061aa0 Mon Sep 17 00:00:00 2001 
From: KelvinTegelaar Date: Fri, 13 Oct 2023 18:18:28 +0200 Subject: [PATCH 61/79] added some troubleshooting text --- ExecCPVPermissions/run.ps1 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ExecCPVPermissions/run.ps1 b/ExecCPVPermissions/run.ps1 index ecd545e8ae4ce..d05ab1cdb252d 100644 --- a/ExecCPVPermissions/run.ps1 +++ b/ExecCPVPermissions/run.ps1 @@ -10,6 +10,8 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME - # Write to the Azure Functions log stream. Write-Host "PowerShell HTTP trigger function processed a request." $TenantFilter = (get-tenants | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName +Write-Host "Our Tenantfilter is $TenantFilter" +Write-Host ((get-tenants | Where-Object -Property customerId -EQ $Request.query.Tenantfilter) | ConvertTo-Json) $GraphRequest = try { Set-CIPPCPVConsent -Tenantfilter $TenantFilter Add-CIPPApplicationPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter From fceb172f581bb065ecabf9f91d8b2f7ccf75f764 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com> Date: Fri, 13 Oct 2023 18:19:15 +0200 Subject: [PATCH 62/79] Add or update the Azure App Service build and deployment workflow config --- .github/workflows/master_cipppwrro.yml | 29 ++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/master_cipppwrro.yml diff --git a/.github/workflows/master_cipppwrro.yml b/.github/workflows/master_cipppwrro.yml new file mode 100644 index 0000000000000..682b20060782d --- /dev/null +++ b/.github/workflows/master_cipppwrro.yml 
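Review bot: The second added line dumps the whole matching tenant record to the function log stream with `Write-Host ((get-tenants | ...) | ConvertTo-Json)`; the record is likely to hold more than the domain name, and log-stream readers are a wider audience than the API caller, so this should go before merge or be reduced to the fields being debugged (`defaultDomainName`, `customerId`). The lookup still has no empty-result check: when `$Request.query.Tenantfilter` matches nothing, `$TenantFilter` is `$null` and `Set-CIPPCPVConsent` is still called with it; a guard such as `if (!$TenantFilter) { throw "Tenant $($Request.query.Tenantfilter) not found" }` ahead of the try would make that failure explicit. The `$GraphRequest = try {` block continues outside the hunk.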
@@ -0,0 +1,29 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy Powershell project to Azure Function App - cipppwrro + +on: + push: + branches: + - master + workflow_dispatch: + +env: + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + +jobs: + build-and-deploy: + runs-on: windows-latest + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v2 + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: 'cipppwrro' + slot-name: 'Production' + package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} + publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_2A50CBD3E97E4A2C82A9DC2EA6D8CE0D }} From c9fd4fe731ac46c0e16b3fbfb92050bc7ee0a71b Mon Sep 17 00:00:00 2001 From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com> Date: Fri, 13 Oct 2023 18:19:43 +0200 Subject: [PATCH 63/79] Delete .github/workflows/master_cipppwrro.yml --- .github/workflows/master_cipppwrro.yml | 29 -------------------------- 1 file changed, 29 deletions(-) delete mode 100644 .github/workflows/master_cipppwrro.yml diff --git a/.github/workflows/master_cipppwrro.yml b/.github/workflows/master_cipppwrro.yml deleted file mode 100644 index 682b20060782d..0000000000000 --- a/.github/workflows/master_cipppwrro.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action -# More GitHub Actions for Azure: https://github.com/Azure/actions - -name: Build and deploy Powershell project to Azure Function App - cipppwrro - -on: - push: - branches: - - master - workflow_dispatch: - -env: - AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - -jobs: - build-and-deploy: - runs-on: windows-latest - steps: - - name: 'Checkout GitHub Action' - uses: actions/checkout@v2 - - - name: 'Run Azure Functions Action' - uses: Azure/functions-action@v1 - id: fa - with: - app-name: 'cipppwrro' - slot-name: 'Production' - package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} - publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_2A50CBD3E97E4A2C82A9DC2EA6D8CE0D }} From 6d219d83c3067455ebf9110bb731f51847cf44eb Mon Sep 17 00:00:00 2001 From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com> Date: Fri, 13 Oct 2023 18:20:15 +0200 Subject: [PATCH 64/79] Add or update the Azure App Service build and deployment workflow config --- .github/workflows/dev_cipppwrro.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/dev_cipppwrro.yml diff --git a/.github/workflows/dev_cipppwrro.yml b/.github/workflows/dev_cipppwrro.yml new file mode 100644 index 0000000000000..ad786fd522fec --- /dev/null +++ b/.github/workflows/dev_cipppwrro.yml 
@@ -0,0 +1,29 @@ +# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action +# More GitHub Actions for Azure: https://github.com/Azure/actions + +name: Build and deploy Powershell project to Azure Function App - cipppwrro + +on: + push: + branches: + - dev + workflow_dispatch: + +env: + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + +jobs: + build-and-deploy: + runs-on: windows-latest + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v2 + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: 'cipppwrro' + slot-name: 'Production' + package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} + publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_9E109464904540339CA94F283ACE1312 }} From b93027b9fa8c4425e301f9c32ec02df65f2a166d Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 18:27:58 +0200 Subject: [PATCH 65/79] recommendation: Get them out as quick as possible to no one notices. Thanks Ashe. --- ExecCPVPermissions/run.ps1 | 2 +- version_latest.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ExecCPVPermissions/run.ps1 b/ExecCPVPermissions/run.ps1 index d05ab1cdb252d..9814d0e735717 100644 --- a/ExecCPVPermissions/run.ps1 +++ b/ExecCPVPermissions/run.ps1 
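Review bot: `uses: actions/checkout@v2` and `uses: Azure/functions-action@v1` are pinned to floating tags, so a moved tag changes the code that runs with the publish profile in hand; pin each step to a full commit SHA with the tag in a trailing comment and let Dependabot advance the pin. The workflow also declares no top-level `permissions:` block, so the GITHUB_TOKEN gets the repository default, which for a deploy-only job can be narrowed to `permissions:` / `  contents: read`. The same file was added and removed as `master_cipppwrro.yml` in the two preceding commits.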
@@ -9,7 +9,7 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME - # Write to the Azure Functions log stream. Write-Host "PowerShell HTTP trigger function processed a request." -$TenantFilter = (get-tenants | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName +$TenantFilter = (get-tenants -IncludeAll | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName Write-Host "Our Tenantfilter is $TenantFilter" Write-Host ((get-tenants | Where-Object -Property customerId -EQ $Request.query.Tenantfilter) | ConvertTo-Json) $GraphRequest = try { diff --git a/version_latest.txt b/version_latest.txt index 4f3470c1664f9..f939222922632 100644 --- a/version_latest.txt +++ b/version_latest.txt @@ -1 +1 @@ -4.4.1 \ No newline at end of file +4.4.2 \ No newline at end of file From 433b6b29d35bd8d137d14612c509c75d3d9252de Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 18:30:16 +0200 Subject: [PATCH 66/79] include all --- ExecCPVPermissions/run.ps1 | 3 +-- UpdatePermissions/run.ps1 | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/ExecCPVPermissions/run.ps1 b/ExecCPVPermissions/run.ps1 index 9814d0e735717..2801c3f1fca4f 100644 --- a/ExecCPVPermissions/run.ps1 +++ b/ExecCPVPermissions/run.ps1 
@@ -9,9 +9,8 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME - # Write to the Azure Functions log stream. Write-Host "PowerShell HTTP trigger function processed a request." -$TenantFilter = (get-tenants -IncludeAll | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName +$TenantFilter = (get-tenants -IncludeAll -IncludeErrors | Where-Object -Property customerId -EQ $Request.query.Tenantfilter).defaultDomainName Write-Host "Our Tenantfilter is $TenantFilter" -Write-Host ((get-tenants | Where-Object -Property customerId -EQ $Request.query.Tenantfilter) | ConvertTo-Json) $GraphRequest = try { Set-CIPPCPVConsent -Tenantfilter $TenantFilter Add-CIPPApplicationPermission -RequiredResourceAccess "CippDefaults" -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter diff --git a/UpdatePermissions/run.ps1 b/UpdatePermissions/run.ps1 index 47e932e1581b5..03faa53ab09f8 100644 --- a/UpdatePermissions/run.ps1 +++ b/UpdatePermissions/run.ps1 @@ -1,7 +1,7 @@ # Input bindings are passed in via param block. param($Timer) -$Tenants = get-tenants +$Tenants = get-tenants -IncludeAll foreach ($Row in $Tenants) { Push-OutputBinding -Name Msg -Value $row } \ No newline at end of file From 31da2b978dace9433f8461a3e51782388727b908 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 18:32:00 +0200 Subject: [PATCH 67/79] halo token fix --- Modules/CippExtensions/Private/Get-HaloToken.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CippExtensions/Private/Get-HaloToken.ps1 b/Modules/CippExtensions/Private/Get-HaloToken.ps1 index 2a9cda303da23..2e0ed6e8c30b3 100644 --- a/Modules/CippExtensions/Private/Get-HaloToken.ps1 +++ b/Modules/CippExtensions/Private/Get-HaloToken.ps1 
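Review bot: `UpdatePermissions/run.ps1` now queues `get-tenants -IncludeAll` while `ExecCPVPermissions/run.ps1` in the same commit resolves with `get-tenants -IncludeAll -IncludeErrors`; if both paths are meant to see the same tenant set, the scheduled job should use the same switches, otherwise a tenant the manual CPV action can now reach is skipped by the scheduled refresh. The `Write-Host "Our Tenantfilter is $TenantFilter"` debug line is kept although the JSON dump next to it is removed; it is harmless but belongs with it. The `$GraphRequest = try {` block in ExecCPVPermissions continues outside the hunk.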
@@ -11,7 +11,7 @@ function Get-HaloToken { client_secret = (Get-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name 'HaloPSA' -AsPlainText) scope = 'all' } - if (![string]::IsNullOrEmpty($Configuration.tenant)) { $Tenant = "?tenant=$($Configuration.tenant)" } + if (!([string]::IsNullOrEmpty($Configuration.Tenant))) { $Tenant = "?tenant=$($Configuration.tenant)" } $token = Invoke-RestMethod -Uri "$($Configuration.AuthURL)/token$Tenant" -Method Post -Body $body -ContentType 'application/x-www-form-urlencoded' return $token } From a1c60a83bd8d080d128daaab55fed761e7b24b85 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 18:41:43 +0200 Subject: [PATCH 68/79] one more add --- Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 b/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 index 06c813ebb712c..4a44db86a958e 100644 --- a/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 @@ -6,7 +6,7 @@ function Set-CIPPCPVConsent { $ExecutingUser ) $Results = [System.Collections.ArrayList]@() - $Tenant = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenantfilter + $Tenant = Get-Tenants -IncludeAll -IncludeErrors | Where-Object -Property defaultDomainName -EQ $Tenantfilter $TenantName = $Tenant.defaultDomainName $TenantFilter = $Tenant.customerId From 20c44ff9c841ca7d044bb1e58c7c13e49c8f29fc Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 13 Oct 2023 23:27:43 +0200 Subject: [PATCH 69/79] removed delete, cleaned up error. --- Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 b/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 index 4a44db86a958e..34db91662aa0e 100644 --- a/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 
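Review bot: `$Tenant = Get-Tenants -IncludeAll -IncludeErrors | Where-Object -Property defaultDomainName -EQ $Tenantfilter` in the Set-CIPPCPVConsent hunk still has no empty-result check: when nothing matches, `$TenantName` and `$TenantFilter` on the next two lines are both `$null` and the consent request that follows is built from an empty customer id. Add `if (!$Tenant) { return @("Tenant $Tenantfilter not found") }` directly after the lookup, matching the array-of-strings return shape the function uses in its catch block. The next line also overwrites the `$Tenantfilter` parameter with the customer id, so the name and its later meaning differ; a one-line comment there would help. The function body continues outside the hunk.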
+++ b/Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1 @@ -10,14 +10,6 @@ function Set-CIPPCPVConsent { $TenantName = $Tenant.defaultDomainName $TenantFilter = $Tenant.customerId - try { - $DeleteOldPermissions = New-GraphpostRequest -Type DELETE -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents/$($env:ApplicationID)" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID - - } - catch { - "There is no existing CPV Application Consent for $($TenantName). Adding a new application." - } - try { $AppBody = @" { @@ -41,6 +33,9 @@ function Set-CIPPCPVConsent { } catch { + $ErrorMessage = $_.Exception.Message + if ($ErrorMessage -like '*409 (Conflict)*') { return @("We've already added our Service Principal to $($TenantName)") } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Could not add our Service Principal to the client tenant $($TenantName): $($_.Exception.message)" -Sev "Error" -tenant $($Tenantfilter) return @("Could not add our Service Principal to the client tenant $($TenantName): $($_.Exception.message)") } From fad01ae8c071fd08db88d59060294f40ff4f907d Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Sat, 14 Oct 2023 08:22:29 +0100 Subject: [PATCH 70/79] Fixed Alert Error Fixed double -tenant line 124 --- Scheduler_CIPPNotifications/run.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1 index 59d8066f67e12..e2daabff52c0b 100644 --- a/Scheduler_CIPPNotifications/run.ps1 +++ b/Scheduler_CIPPNotifications/run.ps1 
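Review bot: The new 409 handling keys on exception text, `if ($ErrorMessage -like '*409 (Conflict)*')`, and returns without writing a log entry, so a tenant whose consent already exists leaves no trace in the log table and the match silently stops working if New-GraphPostRequest's message format changes; if the response status is reachable from the exception, compare the code instead, and at least log the early return. With the DELETE of the existing consent removed, a 409 now also means permissions already granted stay as they were rather than being refreshed, which the returned message should say if that is the intent. The remaining catch line logs `-user $request.headers.'x-ms-client-principal'`, but this function receives `$ExecutingUser` as a parameter and `$request` is not visible here; use `-user $ExecutingUser`. The function body continues outside the hunk.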
@@ -121,7 +121,7 @@ try { Invoke-RestMethod -Uri $config.webhook -Method POST -ContentType 'Application/json' -Body $JSONBody } } - Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Sent Webhook to $($config.webhook) " -tenant $Tenant -sev info + Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Sent Webhook to $($config.webhook) " -sev info } $UpdateLogs = $CurrentLog | ForEach-Object { From 1eb86a9a6500e3209baccdb787756cfe072385c7 Mon Sep 17 00:00:00 2001 From: BNWEIN Date: Sat, 14 Oct 2023 14:27:22 +0100 Subject: [PATCH 71/79] Update run.ps1 Changed to write-log to $JSONRecipients --- Scheduler_CIPPNotifications/run.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1 index e2daabff52c0b..d8826cfa21d55 100644 --- a/Scheduler_CIPPNotifications/run.ps1 +++ b/Scheduler_CIPPNotifications/run.ps1 @@ -49,7 +49,7 @@ try { } "@ New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody) - Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev info + Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($JSONRecipients)" -tenant $Tenant -sev info } } } From dc4fa1ba3d7c5ce78cd4557ac09079358dc61e7f Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Sat, 14 Oct 2023 16:12:07 +0200 Subject: [PATCH 72/79] None as tenant for halo --- Modules/CippExtensions/Private/Get-HaloToken.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CippExtensions/Private/Get-HaloToken.ps1 b/Modules/CippExtensions/Private/Get-HaloToken.ps1 index 2e0ed6e8c30b3..bc75822a98758 100644 --- a/Modules/CippExtensions/Private/Get-HaloToken.ps1 +++ b/Modules/CippExtensions/Private/Get-HaloToken.ps1 
@@ -11,7 +11,7 @@ function Get-HaloToken {
 client_secret = (Get-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name 'HaloPSA' -AsPlainText)
 scope = 'all'
 }
- if (!([string]::IsNullOrEmpty($Configuration.Tenant))) { $Tenant = "?tenant=$($Configuration.tenant)" }
+ if ($Configuration.Tenant -ne "None") { $Tenant = "?tenant=$($Configuration.tenant)" }
 $token = Invoke-RestMethod -Uri "$($Configuration.AuthURL)/token$Tenant" -Method Post -Body $body -ContentType 'application/x-www-form-urlencoded'
 return $token
 }
From c9b5b30f7ff5c6c874dd33300022b93d41207148 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Sat, 14 Oct 2023 16:12:35 +0200
Subject: [PATCH 73/79] upped version
---
 version_latest.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_latest.txt b/version_latest.txt
index f939222922632..f0f76fb693287 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-4.4.2
\ No newline at end of file
+4.4.3
\ No newline at end of file
From 0f625b8093373268e90abbe9478daea51179a833 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Sat, 14 Oct 2023 18:40:28 +0200
Subject: [PATCH 74/79] added listlogs to debug.
---
 ListLogs/run.ps1 | 2 +-
 Scheduler_CIPPNotifications/run.ps1 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ListLogs/run.ps1 b/ListLogs/run.ps1
index d95f392f5a908..3f4d59a2477cf 100644
--- a/ListLogs/run.ps1
+++ b/ListLogs/run.ps1
@@ -4,7 +4,7 @@ using namespace System.Net
 param($Request, $TriggerMetadata)
 $APIName = $TriggerMetadata.FunctionName
-Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Info'
+Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 if ($request.Query.Filter -eq 'True') {
 $LogLevel = if ($Request.query.Severity) { ($Request.query.Severity).split(',') } else { 'Info', 'Warn', 'Error', 'Critical', 'Alert' }
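Review bot: Replacing the IsNullOrEmpty check with `-ne "None"` regresses the unset case: a `$null` or empty `$Configuration.Tenant` is not equal to `"None"`, so the request now goes to `.../token?tenant=` with an empty value, which the old condition avoided. Keeping both conditions covers the sentinel and the unset case: `if (-not [string]::IsNullOrEmpty($Configuration.Tenant) -and $Configuration.Tenant -ne 'None') { $Tenant = "?tenant=$($Configuration.tenant)" }`. `$Tenant` is also never initialised before the `if`, so when the condition is false the URI relies on an undefined variable expanding to nothing; `$Tenant = ''` ahead of the `if` makes that explicit and survives Set-StrictMode. Get-HaloToken's parameter block and the opening of the `$body` hashtable are outside the hunk.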
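Review bot: Moving the `Accessed this API` entry in ListLogs to `Debug` hides it from the default view, because the default filter built on the last line of the hunk (`'Info', 'Warn', 'Error', 'Critical', 'Alert'`) does not include Debug; that is presumably the intent for an endpoint the UI polls constantly, but it also means reads of the log table no longer appear in the visible audit trail unless a caller requests Debug explicitly. A short comment on the changed line records the trade-off, e.g. `# Debug: ListLogs is polled constantly; access entries would flood the Info view`. The `if` block on the last two lines continues outside the hunk.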
diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1
index d8826cfa21d55..86dea5a7b6158 100644
--- a/Scheduler_CIPPNotifications/run.ps1
+++ b/Scheduler_CIPPNotifications/run.ps1
@@ -121,7 +121,7 @@ try {
 Invoke-RestMethod -Uri $config.webhook -Method POST -ContentType 'Application/json' -Body $JSONBody
 }
 }
- Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Sent Webhook to $($config.webhook) " -sev info
+ Write-LogMessage -API 'Alerts' -tenant $Tenant -message "Sent Webhook to $($config.webhook)" -sev Debug
 }
 $UpdateLogs = $CurrentLog | ForEach-Object {
From 8aa92cb1209d385cebe4a6b20d8c218a2ea32d2c Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Sat, 14 Oct 2023 18:43:15 +0200
Subject: [PATCH 75/79] 4.4.4 looks nicer.
---
 version_latest.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_latest.txt b/version_latest.txt
index f0f76fb693287..f15ec04e09e05 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-4.4.3
\ No newline at end of file
+4.4.4
\ No newline at end of file
From ebf7fe21f58296fdbabc34f0c7b7435878d4ddd8 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Sun, 15 Oct 2023 17:49:52 +0200
Subject: [PATCH 76/79] Debug log issue
---
 Scheduler_CIPPNotifications/run.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1
index 86dea5a7b6158..f58502cff4026 100644
--- a/Scheduler_CIPPNotifications/run.ps1
+++ b/Scheduler_CIPPNotifications/run.ps1
@@ -49,7 +49,7 @@ try {
 }
 "@
 New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody)
- Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($JSONRecipients)" -tenant $Tenant -sev info
+ Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($JSONRecipients)" -tenant $Tenant -sev Debug
 }
 }
 }
From 9a761c5650605f531391a33459b4c28d26486e8d Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Sun, 15 Oct 2023 17:50:09 +0200
Subject: [PATCH 77/79] debug log
---
 Scheduler_CIPPNotifications/run.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1
index f58502cff4026..d9c1c577f1b02 100644
--- a/Scheduler_CIPPNotifications/run.ps1
+++ b/Scheduler_CIPPNotifications/run.ps1
@@ -79,7 +79,7 @@ try {
 }
 "@
 New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody)
- Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev info
+ Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev Debug
 }
 }
 }
From 384401071c86606c913c1f030dcd38b041a541a6 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Sun, 15 Oct 2023 18:23:11 +0200
Subject: [PATCH 78/79] upped version
---
 version_latest.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_latest.txt b/version_latest.txt
index f15ec04e09e05..5f7049803b4bd 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-4.4.4
\ No newline at end of file
+4.4.5
\ No newline at end of file
From c63ad12b7856c63dbe1f5bcd80fb29fdd6c54786 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Sun, 15 Oct 2023 18:23:45 +0200
Subject: [PATCH 79/79] debug
---
 Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1 b/Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1
index f281bae8d301f..1de02b590c376 100644
--- a/Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1
+++ b/Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1
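Review bot: This sendMail block still logs `$($Config.email)` while the parallel block at `@@ -49` (changed in PATCH 71 and 76 above) logs `$($JSONRecipients)` for what looks like the same kind of send; if both blocks address the same recipient list, the two entries should use the same expression so they are comparable when filtering the log, e.g. `-message "Sent alerts to: $($JSONRecipients)"`, assuming `$JSONRecipients` is in scope at this point, which the hunk does not show. If the two blocks intentionally serve different recipient sets, a one-line comment above the Write-LogMessage naming the set would stop the next reader from "fixing" it. The enclosing try and the `$JSONBody` here-string start outside the hunk.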
@@ -12,7 +12,7 @@ function Get-CIPPAuthentication {
 $ENV:tenantid = (Get-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name "TenantId" -AsPlainText)
 $ENV:refreshtoken = (Get-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name "RefreshToken" -AsPlainText)
 $ENV:SetFromProfile = $true
- Write-LogMessage -message "Reloaded authentication data from KeyVault" -Sev 'info' -API "CIPP Authentication"
+ Write-LogMessage -message "Reloaded authentication data from KeyVault" -Sev 'debug' -API "CIPP Authentication"
 return $true
 }
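Review bot: Lowering this entry to `'debug'` removes the only record that the refresh token and tenant id were re-read from Key Vault from the default log view, and a credential reload is the kind of event a defender usually wants visible when reconstructing an incident; if the reload runs on every cold start and the Info noise is the problem, that reasoning belongs in a comment on the line, e.g. `# debug: fires on every cold start, would otherwise flood the Info view`, rather than being implicit. The message itself contains no secret, so the change is safe as far as the logged content goes. The function's parameter block and the condition that leads to this reload are outside the hunk.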