new sam wizard steps

Author: KelvinTegelaar

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecCreateSAMApp.ps1

@@ -0,0 +1,102 @@
+using namespace System.Net
+
+Function Invoke-ExecCreateSAMApp {
+    <#
+    .FUNCTIONALITY
+        Entrypoint,AnyTenant
+    .ROLE
+        CIPP.AppSettings.ReadWrite.
+    #>
+    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $KV = $env:WEBSITE_DEPLOYMENT_ID
+
+    try {
+        $Token = $Request.body
+        if ($Token) {
+            $URL = ($Request.headers.'x-ms-original-url').split('?') | Select-Object -First 1
+            $TenantId = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/organization' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method GET -ContentType 'application/json').value.id
+            #Find Existing app registration
+            $AppId = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/applications' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method GET -ContentType 'application/json' -Body "{ `"filter`": `"displayName eq 'CIPP-SAM'`" }").value | Select-Object -Last 1
+            #Check if the appId has the redirect URI, if not, add it.
+            if ($AppId) {
+                Write-Host "Found existing app: $($AppId.id). Reusing."
+                $state = 'updated'
+                if ($AppId.web.redirectUris -notcontains $URL) {
+                    $ModuleBase = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
+                    $SamManifestFile = Get-Item (Join-Path $ModuleBase 'Public\SAMManifest.json')
+                    $app = Get-Content $SamManifestFile.FullName | ConvertFrom-Json
+                    $App.web.redirectUris = @($App.web.redirectUris + $URL) #change to SPA URL.
+                    $app = $app | ConvertTo-Json -Depth 15
+                    Invoke-RestMethod "https://graph.microsoft.com/v1.0/applications/$($AppId.id)" -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method PATCH -Body $app -ContentType 'application/json'
+                }
+            } else {
+                $state = 'created'
+                $ModuleBase = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
+                $SamManifestFile = Get-Item (Join-Path $ModuleBase 'Public\SAMManifest.json')
+                $app = Get-Content $SamManifestFile.FullName | ConvertFrom-Json
+                $App.web.redirectUris = @($App.web.redirectUris + $URL) #change to SPA URL.
+                $app = $app | ConvertTo-Json -Depth 15
+                $AppId = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/applications' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body $app -ContentType 'application/json')
+                $attempt = 0
+                do {
+                    try {
+                        try {
+                            $SPNDefender = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/servicePrincipals' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body "{ `"appId`": `"fc780465-2017-40d4-a0c5-307022471b92`" }" -ContentType 'application/json')
+                        } catch {
+                            Write-Information "didn't deploy spn for defender, probably already there."
+                        }
+                        try {
+                            $SPNTeams = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/servicePrincipals' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body "{ `"appId`": `"48ac35b8-9aa8-4d74-927d-1f4a14a0b239`" }" -ContentType 'application/json')
+                        } catch {
+                            Write-Information "didn't deploy spn for Teams, probably already there."
+                        }
+                        try {
+                            $SPNO365Manage = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/servicePrincipals' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body "{ `"appId`": `"c5393580-f805-4401-95e8-94b7a6ef2fc2`" }" -ContentType 'application/json')
+                        } catch {
+                            Write-Information "didn't deploy spn for O365 Management, probably already there."
+                        }
+                        try {
+                            $SPNPartnerCenter = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/servicePrincipals' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body "{ `"appId`": `"fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd`" }" -ContentType 'application/json')
+                        } catch {
+                            Write-Information "didn't deploy spn for PartnerCenter, probably already there."
+                        }
+                        $SPN = (Invoke-RestMethod 'https://graph.microsoft.com/v1.0/servicePrincipals' -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body "{ `"appId`": `"$($AppId.appId)`" }" -ContentType 'application/json')
+                        Start-Sleep 2
+                        $attempt ++
+                    } catch {
+                        $attempt ++
+                    }
+                } until ($attempt -gt 3)
+            }
+            $AppPassword = (Invoke-RestMethod "https://graph.microsoft.com/v1.0/applications/$($AppId.id)/addPassword" -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body '{"passwordCredential":{"displayName":"CIPPInstall"}}' -ContentType 'application/json').secretText
+
+            if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
+                $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
+                $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+                $Secret.TenantId = $TenantId
+                $Secret.ApplicationId = $AppId.appId
+                $Secret.ApplicationSecret = $AppPassword
+                Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
+                Write-Information ($Secret | ConvertTo-Json -Depth 5)
+            } else {
+                Set-AzKeyVaultSecret -VaultName $kv -Name 'tenantid' -SecretValue (ConvertTo-SecureString -String $TenantId -AsPlainText -Force)
+                Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationid' -SecretValue (ConvertTo-SecureString -String $Appid.appId -AsPlainText -Force)
+                Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationsecret' -SecretValue (ConvertTo-SecureString -String $AppPassword -AsPlainText -Force)
+            }
+            $Results = @{'message' = "Succesfully $state the application registration. The application ID is $($AppId.id). You may continue to the next step."; severity = 'success' }
+        }
+
+    } catch {
+        $Results = [pscustomobject]@{'Results' = "Failed. $($_.InvocationInfo.ScriptLineNumber):  $($_.Exception.message)"; severity = 'failed' }
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecSAMSetup.ps1

@@ -6,6 +6,8 @@ Function Invoke-ExecSAMSetup {
         Entrypoint,AnyTenant
     .ROLE
         CIPP.AppSettings.ReadWrite
+    .LEGACY
+        This function is a legacy function that was used to set up the CIPP application in Azure AD. It is not used in the current version of CIPP, look at Invoke-ExecCreateSAMApp for the new version.
     #>
     [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
     [CmdletBinding()]