Merge remote-tracking branch 'upstream/master'
redanthrax committed Jan 8, 2024
2 parents 43d76e9 + e0dc369 commit 657c796
Showing 12 changed files with 198 additions and 88 deletions.
14 changes: 7 additions & 7 deletions Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1
Expand Up @@ -5,9 +5,10 @@ function Add-CIPPDelegatedPermission {
$ApplicationId,
$Tenantfilter
)
Write-Host 'Adding Delegated Permissions'
Set-Location (Get-Item $PSScriptRoot).FullName

if ($RequiredResourceAccess -eq "CIPPDefaults") {
Write-Host "RequiredResourceAccess: $($RequiredResourceAccess | ConvertTo-Json -Depth 10)"
if ($RequiredResourceAccess -eq 'CIPPDefaults') {
$RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess
}
$Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
Expand All @@ -26,17 +27,16 @@ function Add-CIPPDelegatedPermission {
if (!$OldScope) {
$Createbody = @{
clientId = $ourSVCPrincipal.id
consentType = "AllPrincipals"
consentType = 'AllPrincipals'
resourceId = $svcPrincipalId.id
scope = $NewScope
} | ConvertTo-Json -Compress
$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" -tenantid $Tenantfilter -body $Createbody -type POST
$CreateRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants' -tenantid $Tenantfilter -body $Createbody -type POST
$Results.add("Successfully added permissions for $($svcPrincipalId.displayName)") | Out-Null
}
else {
} else {
$compare = Compare-Object -ReferenceObject $OldScope.scope.Split(' ') -DifferenceObject $NewScope.Split(' ')
if (!$compare) {
$Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)") | Out-Null
$Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)") | Out-Null
continue
}
$Patchbody = @{
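Review bot: The added `Write-Host "RequiredResourceAccess: $($RequiredResourceAccess | ConvertTo-Json -Depth 10)"` dumps the entire permission manifest to host output on every call, which reads like a debugging aid that was left in; `Write-Verbose` (or dropping it) keeps the function-app logs usable. The `if ($RequiredResourceAccess -eq 'CIPPDefaults')` test on the next line works by accident when a manifest array is passed, because `-eq` on an array filters elements and yields an empty array rather than a boolean; `if ($RequiredResourceAccess -is [string] -and $RequiredResourceAccess -eq 'CIPPDefaults')` states the intent. The `Set-Location` above it also changes the process-wide working directory as a side effect of a library function, which is worth a comment if it is relied on by the relative `Get-Content` paths. The function body continues outside the hunk.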
Expand Up @@ -7,18 +7,20 @@ function Push-CIPPAlertAppSecretExpiry {
)
$LastRunTable = Get-CIPPTable -Table AlertLastRun


Write-Host "Checking app expire for $($QueueItem.tenant)"
try {
$Filter = "RowKey eq 'AppSecretExpiry' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
$LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
$Yesterday = (Get-Date).AddDays(-1)
if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications?`$select=appId,displayName,passwordCredentials" -tenantid $QueueItem.tenant | ForEach-Object {
foreach ($App in $_) {
Write-Host "checking $($App.displayName)"
if ($App.passwordCredentials) {
foreach ($Credential in $App.passwordCredentials) {
if ($Credential.endDateTime -lt (Get-Date).AddDays(30) -and $Credential.endDateTime -gt (Get-Date).AddDays(-7)) {
("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
Write-Host ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
Write-AlertMessage -tenant $($QueueItem.tenant) -message ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
}
}
}
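Review bot: The 30-day / -7-day window on the `if ($Credential.endDateTime -lt (Get-Date).AddDays(30) -and $Credential.endDateTime -gt (Get-Date).AddDays(-7))` line is undocumented; a comment such as `# Alert on secrets that expire within the next 30 days or expired within the last 7 days` above it records the policy. That comparison also assumes `endDateTime` is already a [datetime]; if New-GraphGetRequest hands back the raw ISO-8601 string, PowerShell coerces the right-hand [datetime] to a string and compares lexically, so an explicit `[datetime]$Credential.endDateTime` cast would make the check robust either way — presumably the conversion happens in the JSON parsing today, worth confirming. The rest of the function, including whatever updates the AlertLastRun row, is outside the hunk.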
Expand Up @@ -7,8 +7,6 @@ function Push-CIPPAlertDepTokenExpiry {
)
$LastRunTable = Get-CIPPTable -Table AlertLastRun



try {
$Filter = "RowKey eq 'DepTokenExpiry' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
$LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
55 changes: 33 additions & 22 deletions Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAdmins.ps1
Expand Up @@ -6,34 +6,45 @@ function Push-CIPPAlertMFAAdmins {
$TriggerMetadata
)
try {
$StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$AdminList = (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/directoryRoles?`$expand=members" -tenantid $($QueueItem.tenant) | Where-Object -Property roleTemplateId -NE 'd29b2b05-8046-44ba-8758-1e26182fcf32').members | Where-Object { $_.userPrincipalName -ne $null -and $_.Usertype -eq 'Member' -and $_.accountEnabled -eq $true } | Sort-Object UserPrincipalName -Unique
$CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $QueueItem.tenant -ErrorAction Stop)
foreach ($Policy in $CAPolicies) {
if ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa') {
$DuoActive = $true
}
}
if (!$DuoActive) {
$AdminList | ForEach-Object {
$CARegistered = $null
try {
New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.ID)/authentication/Methods" -tenantid $($QueueItem.tenant) | ForEach-Object {
if ($_.'@odata.type' -in $StrongMFAMethods) {
$CARegistered = $true
$LastRunTable = Get-CIPPTable -Table AlertLastRun
$Filter = "RowKey eq 'MFAAllAdmins' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
$LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
$Yesterday = (Get-Date).AddDays(-1)
if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
$StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$AdminList = (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/directoryRoles?`$expand=members" -tenantid $($QueueItem.tenant) | Where-Object -Property roleTemplateId -NE 'd29b2b05-8046-44ba-8758-1e26182fcf32').members | Where-Object { $_.userPrincipalName -ne $null -and $_.Usertype -eq 'Member' -and $_.accountEnabled -eq $true } | Sort-Object UserPrincipalName -Unique
$CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $QueueItem.tenant -ErrorAction Stop)
foreach ($Policy in $CAPolicies) {
if ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa') {
$DuoActive = $true
}
}
if (!$DuoActive) {
$AdminList | ForEach-Object {
$CARegistered = $null
try {
New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.ID)/authentication/Methods" -tenantid $($QueueItem.tenant) | ForEach-Object {
if ($_.'@odata.type' -in $StrongMFAMethods) {
$CARegistered = $true
}
}
if ($CARegistered -ne $true) {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Admin $($_.UserPrincipalName) is enabled but does not have any form of MFA configured."
}
} catch {
# Error handling here if needed
}
if ($CARegistered -ne $true) {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Admin $($_.UserPrincipalName) is enabled but does not have any form of MFA configured."
}
} catch {
# Error handling here if needed
}
} else {
Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Info
}
} else {
Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Info
}
} catch {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get MFA status for admins for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
}
$LastRun = @{
RowKey = 'MFAAllAdmins'
PartitionKey = $QueueItem.tenantid
}
Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force
}
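Review bot: `Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force` at the end of the function runs on every invocation, including runs where the `if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday))` gate skipped the check and runs where the outer `catch` swallowed a Graph failure. If that call upserts and the table service refreshes Timestamp on each write, any schedule tighter than 24 hours keeps pushing the timestamp forward so the admin-MFA check never becomes eligible again, and a transient Graph error stamps a "successful" run and silences the alert for a day. Moving the stamp inside the gated block, after the check completes, addresses both. Push-CIPPAlertMFAAlertUsers in this commit has the same tail and needs the same change.
```powershell
        if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
            # … unchanged: Duo detection and per-admin MFA method checks …
            # Record the run only after the check actually completed, so a skipped
            # or failed run does not push the next eligible run out by another day.
            $LastRun = @{
                RowKey       = 'MFAAllAdmins'
                PartitionKey = $QueueItem.tenantid
            }
            Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force
        }
    } catch {
        # … unchanged: Write-AlertMessage on failure …
    }
```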
80 changes: 47 additions & 33 deletions Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAlertUsers.ps1
Expand Up @@ -6,46 +6,60 @@ function Push-CIPPAlertMFAAlertUsers {
$TriggerMetadata
)
try {
$users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=userPrincipalName,id,accountEnabled,userType&`$filter=userType eq 'Member' and accountEnabled eq true" -tenantid $($QueueItem.tenant)
Write-Host "found $($users.count) users"
$StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$LastRunTable = Get-CIPPTable -Table AlertLastRun
$Filter = "RowKey eq 'MFAAllUsers' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
$LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
$Yesterday = (Get-Date).AddDays(-1)
if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
$users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=userPrincipalName,id,accountEnabled,userType&`$filter=userType eq 'Member' and accountEnabled eq true" -tenantid $($QueueItem.tenant)
Write-Host "found $($users.count) users for $($QueueItem.tenant)"
$StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'

$UserBatches = [System.Collections.Generic.List[Object]]@()
for ($i = 0; $i -lt $users.count; $i += 20) {
$UserBatches.Add($users[$i..($i + 19)])
}

$UserBatches | ForEach-Object -Parallel {
Import-Module CippCore
Import-Module AzBobbyTables
$UserBatch = $_
Write-Host "processing batch of $($UserBatch.count) users"
$BatchRequests = $UserBatch | ForEach-Object {
@{
id = $_.id
method = 'GET'
url = "users/$($_.ID)/authentication/Methods"
}
$UserBatches = [System.Collections.Generic.List[Object]]@()
for ($i = 0; $i -lt $users.count; $i += 20) {
$UserBatches.Add($users[$i..($i + 19)])
}
$BatchResponses = New-GraphBulkRequest -tenantid $using:QueueItem.tenant -Requests $BatchRequests
foreach ($response in $BatchResponses) {
$UPN = ($UserBatch | Where-Object { $_.id -eq $response.id }).UserPrincipalName
$CARegistered = $false

foreach ($method in $response.body.value) {
if ($method.'@odata.type' -in $using:StrongMFAMethods) {
$CARegistered = $true
break
$UserBatches | ForEach-Object -Parallel {
try {
Write-Host "processing batch of $($_.count) users for $($using:QueueItem.tenant)"
Import-Module CippCore
Import-Module AzBobbyTables
$UserBatch = $_
Write-Host "processing batch of $($UserBatch.count) users"
$BatchRequests = $UserBatch | ForEach-Object {
@{
id = $_.id
method = 'GET'
url = "users/$($_.ID)/authentication/Methods"
}
}
}
$BatchResponses = New-GraphBulkRequest -tenantid $using:QueueItem.tenant -Requests $BatchRequests
foreach ($response in $BatchResponses) {
$UPN = ($UserBatch | Where-Object { $_.id -eq $response.id }).UserPrincipalName
$CARegistered = $false

if (-not $CARegistered) {
Write-AlertMessage -tenant $using:QueueItem.tenant -message "User $UPN is enabled but does not have any form of MFA configured."
}
}
} -ThrottleLimit 25
foreach ($method in $response.body.value) {
if ($method.'@odata.type' -in $using:StrongMFAMethods) {
$CARegistered = $true
break
}
}

if (-not $CARegistered) {
Write-AlertMessage -tenant $using:QueueItem.tenant -message "User $UPN is enabled but does not have any form of MFA configured."
}
}
} catch {
}
} -ThrottleLimit 25
}
} catch {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get MFA status for users for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
}
$LastRun = @{
RowKey = 'MFAAllUsers'
PartitionKey = $QueueItem.tenantid
}
Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force
}
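Review bot: The empty `} catch { }` closing the try inside `ForEach-Object -Parallel` swallows every failure for that batch of up to 20 users — a throttled or failed `New-GraphBulkRequest` means those users get no MFA alert and nothing records why, which for a security alert is a silent gap. At minimum log it: `} catch { Write-LogMessage -message "Could not check MFA status for a batch of users: $($_.Exception.Message)" -API 'MFA Alerts' -tenant $using:QueueItem.tenant -sev Error }`. The two `Write-Host "processing batch of ..."` lines at the top of the parallel block duplicate each other; keep the one that names the tenant. The unconditional LastRun stamp at the end of this function has the same issue raised on Push-CIPPAlertMFAAdmins in this commit.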
@@ -1,15 +1,16 @@
function Push-ExecAddMultiTenantApp($QueueItem, $TriggerMetadata) {
try {
Write-Host $Queueitem
$Queueitem = $QueueItem | ConvertTo-Json -Depth 10 | ConvertFrom-Json
Write-Host "$($Queueitem | ConvertTo-Json -Depth 10)"
$ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Queueitem.Tenant
if ($Queueitem.AppId -Notin $ServicePrincipalList.appId) {
$PostResults = New-GraphPostRequest 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $queueitem.tenant -body "{ `"appId`": `"$($Queueitem.appId)`" }"
Write-LogMessage -message "Added $($Queueitem.AppId) to tenant $($Queueitem.Tenant)" -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Info
} else {
Write-LogMessage -message "This app already exists in tenant $($Queueitem.Tenant). We're adding the required permissions." -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Info
}
Add-CIPPApplicationPermission -RequiredResourceAccess [pscustomobject]$queueitem.applicationResourceAccess -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
Add-CIPPDelegatedPermission -RequiredResourceAccess [pscustomobject]$queueitem.DelegateResourceAccess -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
Add-CIPPApplicationPermission -RequiredResourceAccess ($queueitem.applicationResourceAccess) -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
Add-CIPPDelegatedPermission -RequiredResourceAccess ($queueitem.DelegateResourceAccess) -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
} catch {
Write-LogMessage -message "Error adding application to tenant $($Queueitem.Tenant) - $($_.Exception.Message)" -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Error
}
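Review bot: The `$Queueitem = $QueueItem | ConvertTo-Json -Depth 10 | ConvertFrom-Json` round-trip has no comment saying why it is needed; presumably it normalises the queue payload into PSCustomObjects so the `.applicationResourceAccess` / `.DelegateResourceAccess` property access on the `Add-CIPP*Permission` lines works, and a comment such as `# Normalise the queue payload to PSCustomObjects so nested resource-access lists are addressable as properties` would save the next reader the guess. The `Write-Host "$($Queueitem | ConvertTo-Json -Depth 10)"` that follows dumps the complete payload on every invocation; consider `Write-Verbose` or dropping it once the change is verified. Separately, the `-body` for the servicePrincipals POST is still assembled by interpolating `$Queueitem.appId` into a hand-written JSON literal; `(@{ appId = $Queueitem.appId } | ConvertTo-Json -Compress)` produces correct JSON for any value, and `$PostResults` on that line is never read. The function's closing brace is outside the hunk.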