update permissions for app manifests when updates are detected

JohnDuprey · JohnDuprey · commit f84f77268384 · 2025-07-30T12:36:01.000-04:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecAppApprovalTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecAppApprovalTemplate.ps1
@@ -10,7 +10,7 @@ function Push-ExecAppApprovalTemplate {
         $TemplateId = $Item.templateId
         if (!$TemplateId) {
             Write-LogMessage -message 'No template specified' -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
-            return
+            return $false
         }
 
         # Get the template data to determine if it's a Gallery Template or Enterprise App
@@ -19,7 +19,7 @@ function Push-ExecAppApprovalTemplate {
 
         if (!$Template) {
             Write-LogMessage -message "Template $TemplateId not found" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
-            return
+            return $false
         }
 
         $TemplateData = $Template.JSON | ConvertFrom-Json
@@ -37,14 +37,14 @@ function Push-ExecAppApprovalTemplate {
             $GalleryTemplateId = $TemplateData.GalleryTemplateId
             if (!$GalleryTemplateId) {
                 Write-LogMessage -message 'Gallery Template ID not found in template data' -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
-                return
+                return $false
             }
 
             # Check if the app already exists in the tenant
             $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Item.Tenant
             if ($TemplateData.GalleryTemplateId -in $ServicePrincipalList.applicationTemplateId) {
                 Write-LogMessage -message "Gallery Template app $($TemplateData.AppName) already exists in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add Gallery App' -sev Info
-                return
+                return $true
             }
 
             # Instantiate the gallery template
@@ -74,14 +74,36 @@ function Push-ExecAppApprovalTemplate {
             $ApplicationManifest = $TemplateData.ApplicationManifest
             if (!$ApplicationManifest) {
                 Write-LogMessage -message 'Application Manifest not found in template data' -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
-                return
+                return $false
             }
 
             # Check for existing application by display name
-            $ExistingApp = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/applications?`$filter=displayName eq '$($TemplateData.AppName)'&`$top=1" -tenantid $Item.Tenant -NoAuthCheck $true
-            if ($ExistingApp -and $ExistingApp.value) {
-                Write-LogMessage -message "Application Manifest $($TemplateData.AppName) already exists in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Info
-                return
+            $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Item.Tenant
+            $ExistingApp = $ServicePrincipalList | Where-Object { $_.displayName -eq $TemplateData.AppName }
+            if ($ExistingApp) {
+                Write-LogMessage -message "Application with name '$($TemplateData.AppName)' already exists in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Info
+
+                # get existing application
+                $App = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications(appId='$($ExistingApp.appId)')" -tenantid $Item.Tenant
+
+                # compare permissions
+                $ExistingPermissions = $App.requiredResourceAccess | ConvertTo-Json -Depth 10
+                $NewPermissions = $ApplicationManifest.requiredResourceAccess | ConvertTo-Json -Depth 10
+                if ($ExistingPermissions -ne $NewPermissions) {
+                    Write-LogMessage -message "Updating permissions for existing application '$($TemplateData.AppName)' in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Info
+
+                    # Update permissions for existing application
+                    $UpdateBody = @{
+                        requiredResourceAccess = $ApplicationManifest.requiredResourceAccess
+                    } | ConvertTo-Json -Depth 10
+                    $null = New-GraphPostRequest -type PATCH -uri "https://graph.microsoft.com/beta/applications(appId='$($ExistingApp.appId)')" -tenantid $Item.Tenant -body $UpdateBody
+
+                    # consent new permissions
+                    Add-CIPPDelegatedPermission -RequiredResourceAccess $ApplicationManifest.requiredResourceAccess -ApplicationId $ExistingApp.appId -Tenantfilter $Item.Tenant
+                    Add-CIPPApplicationPermission -RequiredResourceAccess $ApplicationManifest.requiredResourceAccess -ApplicationId $ExistingApp.appId -Tenantfilter $Item.Tenant
+                }
+
+                return $true
             }
 
             $PropertiesToRemove = @('appId', 'id', 'createdDateTime', 'publisherDomain', 'servicePrincipalLockConfiguration', 'identifierUris', 'applicationIdUris')
@@ -103,22 +125,20 @@ function Push-ExecAppApprovalTemplate {
                         appId = $CreatedApp.appId
                     } | ConvertTo-Json
 
-                    $ServicePrincipal = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $Item.tenant -body $ServicePrincipalBody
+                    $null = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $Item.tenant -body $ServicePrincipalBody
 
                     Write-LogMessage -message "Successfully deployed Application Manifest $($TemplateData.AppName) to tenant $($Item.Tenant). Application ID: $($CreatedApp.appId)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Info
-                    $DelegateResourceAccess = $ApplicationManifest.requiredResourceAccess
-                    $ApplicationResourceAccess = $ApplicationManifest.requiredResourceAccess
-                    if ($ApplicationManifest.requiredResourceAccess) {
-                        Add-CIPPDelegatedPermission -RequiredResourceAccess $ApplicationManifest.requiredResourceAccess -ApplicationId $App -Tenantfilter $Tenant
-                        Add-CIPPApplicationPermission -RequiredResourceAccess $ApplicationManifest.requiredResourceAccess -ApplicationId $App -Tenantfilter $Tenant
-                    }
 
+                    if ($CreatedApp.requiredResourceAccess) {
+                        Add-CIPPDelegatedPermission -RequiredResourceAccess $CreatedApp.requiredResourceAccess -ApplicationId $CreatedApp.appId -Tenantfilter $Item.Tenant
+                        Add-CIPPApplicationPermission -RequiredResourceAccess $CreatedApp.requiredResourceAccess -ApplicationId $CreatedApp.appId -Tenantfilter $Item.Tenant
+                    }
                 } else {
                     Write-LogMessage -message "Application Manifest deployment failed - no application ID returned for $($TemplateData.AppName) in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Error
                 }
             } catch {
                 Write-LogMessage -message "Error creating application from manifest in tenant $($Item.Tenant) - $($_.Exception.Message)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Error
-                throw
+                throw $_.Exception.Message
             }
 
         } else {
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecAppApprovalTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecAppApprovalTemplate.ps1
@@ -102,7 +102,6 @@ function Invoke-ExecAppApprovalTemplate {
             if ($Request.Query.TemplateId) {
                 $templateId = $Request.Query.TemplateId
                 $filter = "PartitionKey eq 'AppApprovalTemplate' and RowKey eq '$templateId'"
-                Write-LogMessage -headers $Headers -API $APIName -message "Retrieved specific template: $templateId" -Sev 'Info'
             }
 
             $Templates = Get-CIPPAzDataTableEntity @Table -Filter $filter
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1
@@ -186,6 +186,27 @@ function Invoke-CIPPStandardAppDeploy {
                         $ExistingApp = $AppExists | Where-Object { $_.displayName -eq $TemplateData.AppName }
                         if ($ExistingApp) {
                             Write-LogMessage -API 'Standards' -tenant $tenant -message "Application with name '$($TemplateData.AppName)' already exists in tenant $Tenant" -sev Info
+
+                            # get existing application
+                            $App = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications(appId='$($ExistingApp.appId)')" -tenantid $Tenant
+
+                            # compare permissions
+                            $ExistingPermissions = $App.requiredResourceAccess | ConvertTo-Json -Depth 10
+                            $NewPermissions = $ApplicationManifest.requiredResourceAccess | ConvertTo-Json -Depth 10
+                            if ($ExistingPermissions -ne $NewPermissions) {
+                                Write-LogMessage -API 'Standards' -tenant $tenant -message "Updating permissions for existing application '$($TemplateData.AppName)' in tenant $Tenant" -sev Info
+
+                                # Update permissions for existing application
+                                $UpdateBody = @{
+                                    requiredResourceAccess = $ApplicationManifest.requiredResourceAccess
+                                } | ConvertTo-Json -Depth 10
+                                $null = New-GraphPostRequest -type PATCH -uri "https://graph.microsoft.com/beta/applications(appId='$($ExistingApp.appId)')" -tenantid $Tenant -body $UpdateBody
+
+                                # consent new permissions
+                                Add-CIPPDelegatedPermission -RequiredResourceAccess $ApplicationManifest.requiredResourceAccess -ApplicationId $ExistingApp.appId -Tenantfilter $Tenant
+                                Add-CIPPApplicationPermission -RequiredResourceAccess $ApplicationManifest.requiredResourceAccess -ApplicationId $ExistingApp.appId -Tenantfilter $Tenant
+                            }
+
                             continue
                         }
 

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,6 @@ function Invoke-ExecAppApprovalTemplate {`
`102`	`102`	`if ($Request.Query.TemplateId) {`
`103`	`103`	`$templateId = $Request.Query.TemplateId`
`104`	`104`	`$filter = "PartitionKey eq 'AppApprovalTemplate' and RowKey eq '$templateId'"`
`105`		`- Write-LogMessage -headers $Headers -API $APIName -message "Retrieved specific template: $templateId" -Sev 'Info'`
`106`	`105`	`}`
`107`	`106`
`108`	`107`	`$Templates = Get-CIPPAzDataTableEntity @Table -Filter $filter`