feat: add application roles to permission check

JohnDuprey · JohnDuprey · commit 39248bf1593e · 2025-03-04T09:41:20.000-05:00
diff --git a/Modules/CIPPCore/Public/GraphHelper/Read-JwtAccessDetails.ps1 b/Modules/CIPPCore/Public/GraphHelper/Read-JwtAccessDetails.ps1
@@ -18,6 +18,7 @@ function Read-JwtAccessDetails {
         IPAddress         = ''
         Name              = ''
         Scope             = ''
+        Roles             = ''
         TenantId          = ''
         UserPrincipalName = ''
     }
@@ -43,8 +44,9 @@ function Read-JwtAccessDetails {
     $TokenDetails.IPAddress = $TokenObj.ipaddr
     $TokenDetails.Name = $TokenObj.name
     $TokenDetails.Scope = $TokenObj.scp -split ' '
+    $TokenDetails.Roles = $TokenObj.roles
     $TokenDetails.TenantId = $TokenObj.tid
     $TokenDetails.UserPrincipalName = $TokenObj.upn
 
     return $TokenDetails
-}
+}
diff --git a/Modules/CIPPCore/Public/Test-CIPPAccessPermissions.ps1 b/Modules/CIPPCore/Public/Test-CIPPAccessPermissions.ps1
@@ -128,6 +128,9 @@ function Test-CIPPAccessPermissions {
             $Messages.Add('You have all the required permissions.') | Out-Null
         }
 
+        $ApplicationToken = Get-GraphToken -returnRefresh $true -SkipCache $true -AsApp $true
+        $ApplicationTokenDetails = Read-JwtAccessDetails -Token $ApplicationToken.access_token -erroraction SilentlyContinue | Select-Object
+
         $LastUpdate = [DateTime]::SpecifyKind($GraphPermissions.Timestamp.DateTime, [DateTimeKind]::Utc)
         $CpvTable = Get-CippTable -tablename 'cpvtenants'
         $CpvRefresh = Get-CippAzDataTableEntity @CpvTable -Filter "PartitionKey eq 'Tenant'"
@@ -162,13 +165,14 @@ function Test-CIPPAccessPermissions {
     }
 
     $AccessCheck = [PSCustomObject]@{
-        AccessTokenDetails = $AccessTokenDetails
-        Messages           = @($Messages)
-        ErrorMessages      = @($ErrorMessages)
-        MissingPermissions = @($MissingPermissions)
-        CPVRefreshList     = @($CPVRefreshList)
-        Links              = @($Links)
-        Success            = $Success
+        AccessTokenDetails      = $AccessTokenDetails
+        ApplicationTokenDetails = $ApplicationTokenDetails
+        Messages                = @($Messages)
+        ErrorMessages           = @($ErrorMessages)
+        MissingPermissions      = @($MissingPermissions)
+        CPVRefreshList          = @($CPVRefreshList)
+        Links                   = @($Links)
+        Success                 = $Success
     }
 
     $Table = Get-CIPPTable -TableName AccessChecks
