Merge pull request KelvinTegelaar#1443 from kris6673/feat-jit-admin-all-tenants-list

Feat: List JIT admin support for all tenants

Author: JohnDuprey

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecJITAdminListAllTenants.ps1

@@ -0,0 +1,111 @@
+function Push-ExecJITAdminListAllTenants {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    param($Item)
+
+    $Tenant = Get-Tenants -TenantFilter $Item.customerId
+    $DomainName = $Tenant.defaultDomainName
+    $Table = Get-CIPPTable -TableName CacheJITAdmin
+
+    try {
+        # Get schema extensions
+        $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
+
+        # Query users with JIT Admin enabled
+        $Query = @{
+            TenantFilter = $DomainName # Use $DomainName for the current tenant
+            Endpoint     = 'users'
+            Parameters   = @{
+                '$count'  = 'true'
+                '$select' = "id,accountEnabled,displayName,userPrincipalName,$($Schema.id)"
+                '$filter' = "$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false" # Fetches both states to cache current status
+            }
+        }
+        $Users = Get-GraphRequestList @Query | Where-Object { $_.id }
+
+        if ($Users) {
+            # Get role memberships
+            $BulkRequests = $Users | ForEach-Object { @(
+                    @{
+                        id     = $_.id
+                        method = 'GET'
+                        url    = "users/$($_.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
+                    }
+                )
+            }
+            # Ensure $BulkRequests is not empty or null before making the bulk request
+            if ($BulkRequests -and $BulkRequests.Count -gt 0) {
+                $RoleResults = New-GraphBulkRequest -tenantid $DomainName -Requests @($BulkRequests)
+
+                # Format the data
+                $Results = $Users | ForEach-Object {
+                    $currentUser = $_ # Capture current user in the loop
+                    $MemberOf = @() # Initialize as empty array
+                    if ($RoleResults) {
+                        $userRoleResult = $RoleResults | Where-Object -Property id -EQ $currentUser.id
+                        if ($userRoleResult -and $userRoleResult.body -and $userRoleResult.body.value) {
+                            $MemberOf = $userRoleResult.body.value | Select-Object displayName, id
+                        }
+                    }
+
+                    $jitAdminData = $currentUser.($Schema.id)
+                    $jitAdminEnabled = if ($jitAdminData -and $jitAdminData.PSObject.Properties['jitAdminEnabled']) { $jitAdminData.jitAdminEnabled } else { $false }
+                    $jitAdminExpiration = if ($jitAdminData -and $jitAdminData.PSObject.Properties['jitAdminExpiration']) { $jitAdminData.jitAdminExpiration } else { $null }
+
+                    [PSCustomObject]@{
+                        id                 = $currentUser.id
+                        displayName        = $currentUser.displayName
+                        userPrincipalName  = $currentUser.userPrincipalName
+                        accountEnabled     = $currentUser.accountEnabled
+                        jitAdminEnabled    = $jitAdminEnabled
+                        jitAdminExpiration = $jitAdminExpiration
+                        memberOf           = ($MemberOf | ConvertTo-Json -Depth 5 -Compress)
+                    }
+                }
+
+                # Add to Azure Table
+                foreach ($result in $Results) {
+                    $GUID = (New-Guid).Guid
+                    Write-Host ($result | ConvertTo-Json -Depth 10 -Compress)
+                    $GraphRequest = @{
+                        JITAdminUser = [string]($result | ConvertTo-Json -Depth 10 -Compress)
+                        RowKey       = [string]$GUID
+                        PartitionKey = 'JITAdminUser'
+                        Tenant       = [string]$DomainName
+                        UserId       = [string]$result.id # Add UserId for easier querying if needed
+                        UserUPN      = [string]$result.userPrincipalName # Add UserUPN for easier querying
+                    }
+                    Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null
+                }
+            } else {
+                # No users with JIT Admin attributes found, or no users at all
+                Write-Host "No JIT Admin users or no users found to process for tenant $DomainName."
+            }
+        } else {
+            Write-Host "No users found for tenant $DomainName."
+        }
+
+    } catch {
+        $GUID = (New-Guid).Guid
+        $ErrorMessage = "Could not process JIT Admin users for Tenant: $($DomainName). Error: $($_.Exception.Message)"
+        if ($_.ScriptStackTrace) {
+            $ErrorMessage += " StackTrace: $($_.ScriptStackTrace)"
+        }
+        $ErrorJson = ConvertTo-Json -InputObject @{
+            Tenant    = $DomainName
+            Error     = $ErrorMessage
+            Exception = ($_.Exception.Message | ConvertTo-Json -Depth 3 -Compress)
+            Timestamp = (Get-Date).ToString('s')
+        }
+        $GraphRequest = @{
+            JITAdminUser = [string]$ErrorJson
+            RowKey       = [string]$GUID
+            PartitionKey = 'JITAdminUser'
+            Tenant       = [string]$DomainName
+        }
+        Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null
+        Write-Error ('Error processing JIT Admin for {0}: {1}' -f $DomainName, $_.Exception.Message)
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

@@ -10,51 +10,114 @@ function Invoke-ExecJITAdmin {
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
 
-    $APIName = 'ExecJITAdmin'
+    $APIName = $Request.Params.CIPPEndpoint
     $User = $Request.Headers
-    $TenantFilter = $Request.body.TenantFilter.value ? $Request.body.TenantFilter.value : $Request.body.TenantFilter
-    Write-LogMessage -Headers $User -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $TenantFilter = $Request.Body.tenantFilter.value ? $Request.Body.tenantFilter.value : $Request.Body.tenantFilter
+    Write-LogMessage -Headers $User -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
     if ($Request.Query.Action -eq 'List') {
         $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
-        $Query = @{
-            TenantFilter = $Request.Query.TenantFilter
-            Endpoint     = 'users'
-            Parameters   = @{
-                '$count'  = 'true'
-                '$select' = "id,accountEnabled,displayName,userPrincipalName,$($Schema.id)"
-                '$filter' = "$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false"
+        if ($Request.Query.TenantFilter -ne 'AllTenants') {
+            # Single tenant logic
+            $Query = @{
+                TenantFilter = $Request.Query.TenantFilter
+                Endpoint     = 'users'
+                Parameters   = @{
+                    '$count'  = 'true'
+                    '$select' = "id,accountEnabled,displayName,userPrincipalName,$($Schema.id)"
+                    '$filter' = "$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false"
+                }
             }
-        }
-        $Users = Get-GraphRequestList @Query | Where-Object { $_.id }
-        $BulkRequests = $Users | ForEach-Object { @(
-                @{
-                    id     = $_.id
-                    method = 'GET'
-                    url    = "users/$($_.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
+            $Users = Get-GraphRequestList @Query | Where-Object { $_.id }
+            $BulkRequests = $Users | ForEach-Object { @(
+                    @{
+                        id     = $_.id
+                        method = 'GET'
+                        url    = "users/$($_.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
+                    }
+                )
+            }
+            $RoleResults = New-GraphBulkRequest -tenantid $Request.Query.TenantFilter -Requests @($BulkRequests)
+            #Write-Information ($RoleResults | ConvertTo-Json -Depth 10 )
+            $Results = $Users | ForEach-Object {
+                $MemberOf = ($RoleResults | Where-Object -Property id -EQ $_.id).body.value | Select-Object displayName, id
+                [PSCustomObject]@{
+                    id                 = $_.id
+                    displayName        = $_.displayName
+                    userPrincipalName  = $_.userPrincipalName
+                    accountEnabled     = $_.accountEnabled
+                    jitAdminEnabled    = $_.($Schema.id).jitAdminEnabled
+                    jitAdminExpiration = $_.($Schema.id).jitAdminExpiration
+                    memberOf           = $MemberOf
                 }
-            )
-        }
-        $RoleResults = New-GraphBulkRequest -tenantid $Request.Query.TenantFilter -Requests @($BulkRequests)
-        #Write-Information ($RoleResults | ConvertTo-Json -Depth 10 )
-        $Results = $Users | ForEach-Object {
-            $MemberOf = ($RoleResults | Where-Object -Property id -EQ $_.id).body.value | Select-Object displayName, id
-            [PSCustomObject]@{
-                id                 = $_.id
-                displayName        = $_.displayName
-                userPrincipalName  = $_.userPrincipalName
-                accountEnabled     = $_.accountEnabled
-                jitAdminEnabled    = $_.($Schema.id).jitAdminEnabled
-                jitAdminExpiration = $_.($Schema.id).jitAdminExpiration
-                memberOf           = $MemberOf
             }
-        }
 
-        #Write-Information ($Results | ConvertTo-Json -Depth 10)
-        $Body = @{
-            Results  = @($Results)
-            Metadata = @{
-                Parameters = $Query.Parameters
+            #Write-Information ($Results | ConvertTo-Json -Depth 10)
+            $Body = @{
+                Results  = @($Results)
+                Metadata = @{
+                    Parameters = $Query.Parameters
+                }
+            }
+        } else {
+            # AllTenants logic
+            $Results = [System.Collections.Generic.List[object]]::new()
+            $Metadata = @{}
+            $Table = Get-CIPPTable -TableName CacheJITAdmin
+            $PartitionKey = 'JITAdminUser'
+            $Filter = "PartitionKey eq '$PartitionKey'"
+            $Rows = Get-CIPPAzDataTableEntity @Table -filter $Filter | Where-Object -Property Timestamp -GT (Get-Date).AddMinutes(-60)
+
+            $QueueReference = '{0}-{1}' -f $Request.Query.TenantFilter, $PartitionKey # $TenantFilter is 'AllTenants'
+            Write-Information "QueueReference: $QueueReference"
+            $RunningQueue = Invoke-ListCippQueue | Where-Object { $_.Reference -eq $QueueReference -and $_.Status -notmatch 'Completed' -and $_.Status -notmatch 'Failed' }
+
+            if ($RunningQueue) {
+                $Metadata = [PSCustomObject]@{
+                    QueueMessage = 'Still loading JIT Admin data for all tenants. Please check back in a few more minutes.'
+                }
+            } elseif (!$Rows -and !$RunningQueue) {
+                $TenantList = Get-Tenants -IncludeErrors
+                $Queue = New-CippQueueEntry -Name 'JIT Admin List - All Tenants' -Link '/identity/administration/jit-admin?tenantFilter=AllTenants' -Reference $QueueReference -TotalTasks ($TenantList | Measure-Object).Count
+
+                $Metadata = [PSCustomObject]@{
+                    QueueMessage = 'Loading JIT Admin data for all tenants. Please check back in a few minutes.'
+                }
+                $InputObject = [PSCustomObject]@{
+                    OrchestratorName = 'JITAdminOrchestrator'
+                    QueueFunction    = @{
+                        FunctionName = 'GetTenants'
+                        QueueId      = $Queue.RowKey
+                        TenantParams = @{
+                            IncludeErrors = $true
+                        }
+                        DurableName  = 'ExecJITAdminListAllTenants'
+                    }
+                    SkipLog          = $true
+                }
+                Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+            } else {
+                # There is data in the cache, so we will use that
+                Write-Information "Found $($Rows.Count) rows in the cache"
+                foreach ($row in $Rows) {
+                    $UserObject = $row.JITAdminUser | ConvertFrom-Json
+                    $Results.Add(
+                        [PSCustomObject]@{
+                            Tenant             = $row.Tenant
+                            id                 = $UserObject.id
+                            displayName        = $UserObject.displayName
+                            userPrincipalName  = $UserObject.userPrincipalName
+                            accountEnabled     = $UserObject.accountEnabled
+                            jitAdminEnabled    = $UserObject.jitAdminEnabled
+                            jitAdminExpiration = $UserObject.jitAdminExpiration
+                            memberOf           = $UserObject.memberOf
+                        }
+                    )
+                }
+            }
+            $Body = @{
+                Results  = @($Results)
+                Metadata = $Metadata
             }
         }
     } else {

Modules/CIPPCore/Public/Test-CIPPAccessPermissions.ps1

@@ -133,7 +133,7 @@ function Test-CIPPAccessPermissions {
         $ApplicationToken = Get-GraphToken -returnRefresh $true -SkipCache $true -AsApp $true
         $ApplicationTokenDetails = Read-JwtAccessDetails -Token $ApplicationToken.access_token -erroraction SilentlyContinue | Select-Object
 
-        $LastUpdate = [DateTime]::SpecifyKind($GraphPermissions.Timestamp.DateTime, [DateTimeKind]::Utc)
+        $LastUpdate = [DateTime]::SpecifyKind($GraphPermissions.Timestamp.ToString('yyyy-MM-ddTHH:mm:ssZ'), [DateTimeKind]::Utc)
         $CpvTable = Get-CippTable -tablename 'cpvtenants'
         $CpvRefresh = Get-CippAzDataTableEntity @CpvTable -Filter "PartitionKey eq 'Tenant'"
         $TenantList = Get-Tenants -IncludeErrors | Where-Object { $_.customerId -ne $env:TenantID -and $_.Excluded -eq $false }