Merge pull request #1141 from JohnDuprey/dev

Bugfixes

Author: JohnDuprey

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -34,28 +34,31 @@ function Add-CIPPDelegatedPermission {
             $RequiredResourceAccess.Add($Resource)
         }
 
-        if ($Tenantfilter -eq $env:TenantID) {
+        if ($Tenantfilter -eq $env:TenantID -or $Tenantfilter -eq 'PartnerTenant') {
             $RequiredResourceAccess = $RequiredResourceAccess + ($AdditionalPermissions | Where-Object { $RequiredResourceAccess.resourceAppId -notcontains $_.resourceAppId })
         } else {
             # remove the partner center permission if not pushing to partner tenant
             $RequiredResourceAccess = $RequiredResourceAccess | Where-Object { $_.resourceAppId -ne 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd' }
         }
     }
     $Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
-    $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true -NoAuthCheck $true
+    $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property appId -EQ $ApplicationId
     $Results = [System.Collections.Generic.List[string]]::new()
 
     $CurrentDelegatedScopes = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/oauth2PermissionGrants" -skipTokenCache $true -tenantid $Tenantfilter -NoAuthCheck $true
 
     foreach ($App in $RequiredResourceAccess) {
+        if (!$App) {
+            continue
+        }
         $svcPrincipalId = $ServicePrincipalList | Where-Object -Property appId -EQ $App.resourceAppId
         if (!$svcPrincipalId) {
             try {
                 $Body = @{
                     appId = $App.resourceAppId
                 } | ConvertTo-Json -Compress
-                $svcPrincipalId = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $Tenantfilter -body $Body -type POST
+                $svcPrincipalId = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $Tenantfilter -body $Body -type POST -NoAuthCheck $true
             } catch {
                 $Results.add("Failed to create service principal for $($App.resourceAppId): $(Get-NormalizedError -message $_.Exception.Message)")
                 continue

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1

@@ -124,7 +124,6 @@ function Push-DomainAnalyserDomain {
     } catch {
         $Message = 'SPF Error'
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
-        return $Message
     }
 
     # Check SPF Record
@@ -187,7 +186,7 @@ function Push-DomainAnalyserDomain {
     } catch {
         $Message = 'DMARC Error'
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
-        return $Message
+        #return $Message
     }
 
     # DNS Sec Check
@@ -205,7 +204,7 @@ function Push-DomainAnalyserDomain {
     } catch {
         $Message = 'DNSSEC Error'
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
-        return $Message
+        #return $Message
     }
 
     # DKIM Check
@@ -240,7 +239,7 @@ function Push-DomainAnalyserDomain {
     } catch {
         $Message = 'DKIM Exception'
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
-        return $Message
+        #return $Message
     }
 
     # Get Microsoft DKIM CNAME selector Records
@@ -303,7 +302,6 @@ function Push-DomainAnalyserDomain {
         } catch {
             $ErrorMessage = Get-CippException -Exception $_
             Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message "MS CNAME DKIM error: $($ErrorMessage.NormalizedError)" -LogData $ErrorMessage -sev Error
-            return $ErrorMessage.NormalizedError
         }
     }
 

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1

@@ -20,7 +20,7 @@ function Push-DomainAnalyserTenant {
         return
     } else {
         try {
-            $Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant.customerId | Where-Object { ($_.id -notlike '*.microsoftonline.com' -and $_.id -NotLike '*.exclaimer.cloud' -and $_.id -Notlike '*.excl.cloud' -and $_.id -NotLike '*.codetwo.online' -and $_.id -NotLike '*.call2teams.com' -and $_.isVerified) }
+            $Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant.customerId | Where-Object { ($_.id -notlike '*.microsoftonline.com' -and $_.id -NotLike '*.exclaimer.cloud' -and $_.id -Notlike '*.excl.cloud' -and $_.id -NotLike '*.codetwo.online' -and $_.id -NotLike '*.call2teams.com' -and $_.id -notlike '*signature365.net' -and $_.isVerified) }
 
             $TenantDomains = foreach ($d in $Domains) {
                 [PSCustomObject]@{

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCPVPermissions.ps1

@@ -28,14 +28,20 @@ Function Invoke-ExecCPVPermissions {
     }
 
     $GraphRequest = try {
-        if ($TenantFilter -ne 'PartnerTenant') {
+        if ($TenantFilter -notin @('PartnerTenant', $env:TenantId)) {
             Set-CIPPCPVConsent @CPVConsentParams
         } else {
             $TenantFilter = $env:TenantID
+            $Tenant = [PSCustomObject]@{
+                displayName       = '*Partner Tenant'
+                defaultDomainName = $env:TenantID
+            }
         }
         Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter
         Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $ENV:ApplicationID -tenantfilter $TenantFilter
-        Set-CIPPSAMAdminRoles -TenantFilter $TenantFilter
+        if ($TenantFilter -notin @('PartnerTenant', $env:TenantId)) {
+            Set-CIPPSAMAdminRoles -TenantFilter $TenantFilter
+        }
         $Success = $true
     } catch {
         "Failed to update permissions for $($Tenant.displayName): $($_.Exception.Message)"

Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailboxes.ps1

@@ -38,7 +38,7 @@ Function Invoke-ListMailboxes {
             @{Parameter = 'SoftDeletedMailbox'; Type = 'Bool' }
         )
 
-        foreach ($Param in $Request.Query.Keys) {
+        foreach ($Param in $Request.Query.PSObject.Properties.Name) {
             $CmdParam = $AllowedParameters | Where-Object { $_.Parameter -eq $Param }
             if ($CmdParam) {
                 switch ($CmdParam.Type) {
@@ -48,7 +48,9 @@ Function Invoke-ListMailboxes {
                         }
                     }
                     'Bool' {
-                        if ([bool]$Request.Query.$Param -eq $true) {
+                        $ParamIsTrue = $false
+                        [bool]::TryParse($Request.Query.$Param, [ref]$ParamIsTrue) | Out-Null
+                        if ($ParamIsTrue -eq $true) {
                             $ExoRequest.cmdParams.$Param = $true
                         }
                     }

Modules/CIPPCore/Public/GraphHelper/Get-AuthorisedRequest.ps1

@@ -12,7 +12,7 @@ function Get-AuthorisedRequest {
     if (!$TenantID) {
         $TenantID = $env:TenantID
     }
-    if ($Uri -like 'https://graph.microsoft.com/beta/contracts*' -or $Uri -like '*/customers/*' -or $Uri -eq 'https://graph.microsoft.com/v1.0/me/sendMail' -or $Uri -like '*/tenantRelationships/*') {
+    if ($Uri -like 'https://graph.microsoft.com/beta/contracts*' -or $Uri -like '*/customers/*' -or $Uri -eq 'https://graph.microsoft.com/v1.0/me/sendMail' -or $Uri -like '*/tenantRelationships/*' -or $Uri -like '*/security/partner/*') {
         return $true
     }
     $Tenants = Get-Tenants -IncludeErrors

Modules/CIPPCore/Public/Set-CIPPCAExclusion.ps1

@@ -9,7 +9,7 @@ function Set-CIPPCAExclusion {
         $executingUser
     )
     try {
-        $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($PolicyId)" -tenantid $TenantFilter
+        $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($PolicyId)" -tenantid $TenantFilter -AsApp $true
         if ($ExclusionType -eq 'add') {
             $NewExclusions = [pscustomobject]@{
                 conditions = [pscustomobject]@{ users = [pscustomobject]@{
@@ -19,7 +19,7 @@ function Set-CIPPCAExclusion {
             }
             $RawJson = ConvertTo-Json -Depth 10 -InputObject $NewExclusions
             if ($PSCmdlet.ShouldProcess($PolicyId, "Add exclusion for $UserID")) {
-                New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExististing.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON
+                New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExististing.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON -AsApp $true
             }
         }
 
@@ -32,7 +32,7 @@ function Set-CIPPCAExclusion {
             }
             $RawJson = ConvertTo-Json -Depth 10 -InputObject $NewExclusions
             if ($PSCmdlet.ShouldProcess($PolicyId, "Remove exclusion for $UserID")) {
-                New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExististing.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON
+                New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExististing.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON -AsApp $true
             }
         }
         "Successfully performed $($ExclusionType) exclusion for $username from policy $($PolicyId)"
@@ -41,4 +41,4 @@ function Set-CIPPCAExclusion {
         "Failed to $($ExclusionType) user exclusion for $username from policy $($PolicyId): $($_.Exception.Message)"
         Write-LogMessage -user $executingUser -API 'Set-CIPPConditionalAccessExclusion' -message "Failed to $($ExclusionType) user exclusion for $username from policy $($PolicyId): $_" -Sev 'Error' -tenant $TenantFilter -LogData (Get-CippException -Exception $_)
     }
-}
+}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1

@@ -51,10 +51,10 @@ function Invoke-CIPPStandardAntiPhishPolicy {
     param($Tenant, $Settings)
     ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'AntiPhishPolicy'
 
-    $PolicyName = @('Default Anti-Phishing Policy', 'Office365 AntiPhish Default (Default)')
-
-    $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishPolicy' |
-        Where-Object -Property Name -In $PolicyName |
+    $PolicyList = @('Default Anti-Phishing Policy', 'Office365 AntiPhish Default (Default)')
+    $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishPolicy' | Where-Object -Property Name -In $PolicyList
+    $PolicyName = $ExistingPolicy.Name
+    $CurrentState = $ExistingPolicy |
         Select-Object Name, Enabled, PhishThresholdLevel, EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, EnableSpoofIntelligence, EnableFirstContactSafetyTips, EnableSimilarUsersSafetyTips, EnableSimilarDomainsSafetyTips, EnableUnusualCharactersSafetyTips, EnableUnauthenticatedSender, EnableViaTag, AuthenticationFailAction, SpoofQuarantineTag, MailboxIntelligenceProtectionAction, MailboxIntelligenceQuarantineTag, TargetedUserProtectionAction, TargetedUserQuarantineTag, TargetedDomainProtectionAction, TargetedDomainQuarantineTag, EnableOrganizationDomainsProtection
 
     $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and