Merge branch 'dev' into groupinfo-single-group

Author: kris6673

Modules/CIPPCore/Private/Convert-QuarantinePermissionsValue.ps1

@@ -0,0 +1,71 @@
+function Convert-QuarantinePermissionsValue {
+    [CmdletBinding(DefaultParameterSetName = 'DecimalValue')]
+    param (
+        [Parameter(Mandatory, Position = 0, ParameterSetName = "StringValue")]
+        [ValidateNotNullOrEmpty()]
+        [string]$InputObject,
+
+        [Parameter(Position = 0, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToViewHeader = 0,
+        [Parameter(Position = 1, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToDownload = 0,
+        [Parameter(Mandatory, Position = 2, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToAllowSender,
+        [Parameter(Mandatory, Position = 3, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToBlockSender,
+        [Parameter(Mandatory, Position = 4, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToRequestRelease,
+        [Parameter(Mandatory, Position = 5, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToRelease,
+        [Parameter(Mandatory, Position = 6, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToPreview,
+        [Parameter(Mandatory, Position = 7, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToDelete
+    )
+
+    #Converts string value with EndUserQuarantinePermissions received from Get-QuarantinePolicy
+    if (($PSCmdlet.ParameterSetName) -eq "StringValue") {
+        try {
+            # Remove square brackets and split into lines
+            $InputObject = $InputObject.Trim('[', ']')
+            $hashtable = @{}
+            $InputObject -split "`n" | ForEach-Object {
+                $key, $value = $_ -split ":\s*"
+                $hashtable[$key.Trim()] = [System.Convert]::ToBoolean($value.Trim())
+            }
+            return $hashtable
+        }
+        catch {
+            throw "Convert-QuarantinePermissionsValue: Failed to convert string to hashtable."
+        }
+    }
+
+    #Converts selected end user quarantine permissions to decimal value used by EndUserQuarantinePermissionsValue property in New-QuarantinePolicy and Set-QuarantinePolicy
+    elseif (($PSCmdlet.ParameterSetName) -eq "DecimalValue") {
+        try {
+            # both PermissionToRequestRelease and PermissionToRelease cannot be set to true at the same time
+            if($PermissionToRequestRelease -eq 1 -and $PermissionToRelease -eq 1) {
+                throw "PermissionToRequestRelease and PermissionToRelease cannot both be set to true."
+            }
+
+            # Convert each permission to a binary string
+            $BinaryValue = [string]@(
+                $PermissionToViewHeader,
+                $PermissionToDownload,
+                $PermissionToAllowSender,
+                $PermissionToBlockSender,
+                $PermissionToRequestRelease,
+                $PermissionToRelease,
+                $PermissionToPreview,
+                $PermissionToDelete
+            ) -replace '\s',''
+
+            # Convert the binary string to an Decimal value
+            return [convert]::ToInt32($BinaryValue,2)
+        }
+        catch {
+            $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+            throw "Convert-QuarantinePermissionsValue: Failed to convert QuarantinePermissions to QuarantinePermissionsValue. Error: $ErrorMessage"
+        }
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ListTransportRulesAllTenants.ps1

@@ -0,0 +1,42 @@
+function Push-ListTransportRulesAllTenants {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    param($Item)
+
+    $Tenant = Get-Tenants -TenantFilter $Item.customerId
+    $DomainName = $Tenant.defaultDomainName
+    $Table = Get-CIPPTable -TableName CacheTransportRules
+
+    try {
+        $TransportRules = New-ExoRequest -tenantid $DomainName -cmdlet 'Get-TransportRule'
+        $Results = foreach ($rule in $TransportRules) {
+            $GUID = (New-Guid).Guid
+            $Results = @{
+                TransportRule = [string]($rule | ConvertTo-Json -Depth 10)
+                RowKey        = [string]$GUID
+                PartitionKey  = 'TransportRule'
+                Tenant        = [string]$DomainName
+            }
+            Add-CIPPAzDataTableEntity @Table -Entity $Results -Force | Out-Null
+        }
+
+    } catch {
+        $GUID = (New-Guid).Guid
+        $ErrorText = ConvertTo-Json -InputObject @{
+            Tenant      = $DomainName
+            Name        = "Could not connect to Tenant: $($_.Exception.Message)"
+            State       = 'Error'
+            Priority    = 0
+            Description = "Error retrieving transport rules: $($_.Exception.Message)"
+        }
+        $Results = @{
+            TransportRule = [string]$ErrorText
+            RowKey        = [string]$GUID
+            PartitionKey  = 'TransportRule'
+            Tenant        = [string]$DomainName
+        }
+        Add-CIPPAzDataTableEntity @Table -Entity $Results -Force | Out-Null
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1

@@ -16,7 +16,9 @@ function Push-UpdatePermissionsQueue {
         $Table = Get-CIPPTable -TableName cpvtenants
         $CPVRows = Get-CIPPAzDataTableEntity @Table | Where-Object -Property Tenant -EQ $Item.customerId
 
-        if (!$CPVRows -or $env:ApplicationID -notin $CPVRows.applicationId) {
+        $Tenant = Get-Tenants -TenantFilter $Item.customerId -IncludeErrors
+
+        if ((!$CPVRows -or $env:ApplicationID -notin $CPVRows.applicationId) -and $Tenant.delegatedPrivilegeStatus -ne 'directTenant') {
             Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message 'A New tenant has been added, or a new CIPP-SAM Application is in use' -Sev 'Warn' -API 'NewTenant'
             Write-Information 'Adding CPV permissions'
             Set-CIPPCPVConsent -Tenantfilter $Item.customerId

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCPVPermissions.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecCPVPermissions {
+function Invoke-ExecCPVPermissions {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -15,7 +15,7 @@ Function Invoke-ExecCPVPermissions {
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
     $TenantFilter = $Request.Body.tenantFilter
 
-    $Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $TenantFilter | Select-Object -First 1
+    $Tenant = Get-Tenants -TenantFilter $TenantFilter -IncludeErrors
 
     if ($Tenant) {
         Write-Host "Our tenant is $($Tenant.displayName) - $($Tenant.defaultDomainName)"

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecAddTenant.ps1

@@ -1,11 +1,11 @@
 using namespace System.Net
 
-Function Invoke-ExecAddTenant {
+function Invoke-ExecAddTenant {
     <#
     .FUNCTIONALITY
         Entrypoint,AnyTenant
     .ROLE
-        CIPP.AppSettings.ReadWrite.
+        CIPP.AppSettings.ReadWrite
     #>
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
@@ -31,7 +31,7 @@ Function Invoke-ExecAddTenant {
             # Create new tenant entry
             try {
                 # Get tenant information from Microsoft Graph
-                $headers = @{ Authorization = "Bearer $($request.body.access_token)" }
+                $headers = @{ Authorization = "Bearer $($request.body.accessToken)" }
                 $Organization = (Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/organization' -Headers $headers -Method GET -ContentType 'application/json' -ErrorAction Stop).value
                 $displayName = $Organization.displayName
                 $Domains = (Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/domains?$top=999' -Headers $headers -Method GET -ContentType 'application/json' -ErrorAction Stop).value
@@ -63,7 +63,8 @@ Function Invoke-ExecAddTenant {
 
             # Add tenant to table
             Add-CIPPAzDataTableEntity @TenantsTable -Entity $NewTenant -Force | Out-Null
-            $Results = @{'message' = "Successfully added tenant $tenantId to the tenant list with directTenant status."; 'severity' = 'success' }
+            $Results = @{'message' = "Successfully added tenant $displayName ($defaultDomainName) to the tenant list with Direct Tenant status."; 'severity' = 'success' }
+            Write-LogMessage -tenant $defaultDomainName -tenantid $tenantId -API 'Add-Tenant' -message "Added tenant $displayName ($defaultDomainName) with Direct Tenant status." -Sev 'Info'
         }
     } catch {
         $Results = @{'message' = "Failed to add tenant: $($_.Exception.Message)"; 'state' = 'error'; 'severity' = 'error' }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecCombinedSetup.ps1

@@ -0,0 +1,72 @@
+using namespace System.Net
+
+Function Invoke-ExecCombinedSetup {
+    <#
+    .FUNCTIONALITY
+        Entrypoint,AnyTenant
+    .ROLE
+        CIPP.AppSettings.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+    #Make arraylist of Results
+    $Results = [System.Collections.ArrayList]::new()
+    try {
+        if ($request.body.selectedBaselines -and $request.body.baselineOption -eq 'downloadBaselines') {
+            #do a single download of the selected baselines.
+            foreach ($template in $request.body.selectedBaselines) {
+                $object = @{
+                    TenantFilter  = 'No tenant'
+                    Name          = "Download Single Baseline: $($template.value)"
+                    Command       = @{
+                        value = 'New-CIPPTemplateRun'
+                    }
+                    Parameters    = @{
+                        TemplateSettings = @{
+                            ca                 = $false
+                            intuneconfig       = $false
+                            intunecompliance   = $false
+                            intuneprotection   = $false
+                            templateRepo       = @{
+                                label       = $Template.label
+                                value       = $template.value
+                                addedFields = @{
+                                    branch = 'main'
+                                }
+                            }
+                            templateRepoBranch = @{
+                                label = 'main'
+                                value = 'main'
+                            }
+                            standardsconfig    = $true
+                            groupTemplates     = $true
+                            policyTemplates    = $true
+                            caTemplates        = $true
+                        }
+                    }
+                    ScheduledTime = 0
+                }
+                $null = Add-CIPPScheduledTask -task $object -hidden $false -DisallowDuplicateName $true -Headers $Request.Headers
+                $Results.add("Scheduled download of baseline: $($template.value)")
+            }
+        }
+        if ($Request.body.email -or $Request.body.webhook) {
+            #create hashtable from pscustomobject
+            $notificationConfig = $request.body | Select-Object email, webhook, onepertenant, logsToInclude, sendtoIntegration, sev | ConvertTo-Json | ConvertFrom-Json -AsHashtable
+            $notificationResults = Set-CIPPNotificationConfig @notificationConfig
+            $Results.add($notificationResults)
+        }
+        $Results.add('Setup is now complete. You may navigate away from this page and start using CIPP.')
+        #one more force of reauth so env vars update.
+        $auth = Get-CIPPAuthentication
+    } catch {
+        $Results = [pscustomobject]@{'Results' = "Failed. $($_.InvocationInfo.ScriptLineNumber):  $($_.Exception.message)"; severity = 'failed' }
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecCreateSAMApp.ps1

@@ -5,7 +5,7 @@ Function Invoke-ExecCreateSAMApp {
     .FUNCTIONALITY
         Entrypoint,AnyTenant
     .ROLE
-        CIPP.AppSettings.ReadWrite.
+        CIPP.AppSettings.ReadWrite
     #>
     [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
     [CmdletBinding()]
@@ -84,10 +84,19 @@ Function Invoke-ExecCreateSAMApp {
                 Write-Information ($Secret | ConvertTo-Json -Depth 5)
                 Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
             } else {
+
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'tenantid' -SecretValue (ConvertTo-SecureString -String $TenantId -AsPlainText -Force)
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationid' -SecretValue (ConvertTo-SecureString -String $Appid.appId -AsPlainText -Force)
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationsecret' -SecretValue (ConvertTo-SecureString -String $AppPassword -AsPlainText -Force)
             }
+            $ConfigTable = Get-CippTable -tablename 'Config'
+            #update the ConfigTable with the latest appId, for caching compare.
+            $NewConfig = @{
+                PartitionKey  = 'AppCache'
+                RowKey        = 'AppCache'
+                ApplicationId = $AppId.appId
+            }
+            Add-CIPPAzDataTableEntity @ConfigTable -Entity $NewConfig -Force | Out-Null
             $Results = @{'message' = "Succesfully $state the application registration. The application ID is $($AppId.appid). You may continue to the next step."; severity = 'success' }
         }
 

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecTokenExchange.ps1

@@ -41,7 +41,7 @@ Function Invoke-ExecTokenExchange {
             Write-LogMessage -API $APIName -message 'Retrieved client secret from development secrets' -Sev 'Info'
         } else {
             try {
-                $ClientSecret = (Get-AzKeyVaultSecret -VaultName $kv -Name 'applicationsecret' -AsPlainText).SecretValue
+                $ClientSecret = (Get-AzKeyVaultSecret -VaultName $kv -Name 'applicationsecret' -AsPlainText)
                 Write-LogMessage -API $APIName -message 'Retrieved client secret from key vault' -Sev 'Info'
             } catch {
                 Write-LogMessage -API $APIName -message "Failed to retrieve client secret: $($_.Exception.Message)" -Sev 'Error'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecUpdateRefreshToken.ps1

@@ -5,7 +5,7 @@ Function Invoke-ExecUpdateRefreshToken {
     .FUNCTIONALITY
         Entrypoint,AnyTenant
     .ROLE
-        CIPP.AppSettings.ReadWrite.
+        CIPP.AppSettings.ReadWrite
     #>
     [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
     [CmdletBinding()]
@@ -29,11 +29,17 @@ Function Invoke-ExecUpdateRefreshToken {
             }
             Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
         } else {
-            if ($env:ApplicationId -eq $Request.body.tenantId) {
+            if ($env:TenantID -eq $Request.body.tenantId) {
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'RefreshToken' -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
             } else {
-                $name = $Request.body.tenantId -replace '-', '_'
-                Set-AzKeyVaultSecret -VaultName $kv -Name $name -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
+                Write-Host "$($env:TenantID) does not match $($Request.body.tenantId) - we're adding a new secret for the tenant."
+                $name = $Request.body.tenantId
+                try {
+                    Set-AzKeyVaultSecret -VaultName $kv -Name $name -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
+                } catch {
+                    Write-Host "Failed to set secret $name in KeyVault. $($_.Exception.Message)"
+                    throw $_
+                }
             }
         }
         $InstanceId = Start-UpdatePermissionsOrchestrator #start the CPV refresh immediately while wizard still runs.

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Spamfilter/Invoke-AddQuarantinePolicy.ps1

@@ -0,0 +1,67 @@
+using namespace System.Net
+
+Function Invoke-AddQuarantinePolicy {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Exchange.Spamfilter.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -Headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    $Tenants = ($Request.body.selectedTenants).value
+
+    # If allTenants is selected, get all tenants and overwrite any other tenant selection
+    if ("AllTenants" -in $Tenants) {
+        $tenants = (Get-Tenants).defaultDomainName
+    }
+
+    $Result = foreach ($TenantFilter in $tenants) {
+        try {
+            $ReleaseActionPreference = $Request.Body.ReleaseActionPreference.value ?? $Request.Body.ReleaseActionPreference
+
+            $EndUserQuarantinePermissions   = @{
+                PermissionToBlockSender = $Request.Body.BlockSender
+                PermissionToDelete  = $Request.Body.Delete
+                PermissionToPreview = $Request.Body.Preview
+                PermissionToRelease = $ReleaseActionPreference -eq "Release" ? $true : $false
+                PermissionToRequestRelease  = $ReleaseActionPreference -eq "RequestRelease" ? $true : $false
+                PermissionToAllowSender = $Request.Body.AllowSender
+            }
+
+            $Params = @{
+                Identity = $Request.Body.Name
+                EndUserQuarantinePermissions = $EndUserQuarantinePermissions
+                ESNEnabled = $Request.Body.QuarantineNotification
+                IncludeMessagesFromBlockedSenderAddress = $Request.Body.IncludeMessagesFromBlockedSenderAddress
+                action = "New"
+                tenantFilter = $TenantFilter
+                APIName = $APIName
+            }
+
+            Set-CIPPQuarantinePolicy @Params
+            $Message = "Created Quarantine policy '$($Request.Body.Name)' for tenant '$($TenantFilter)'"
+            Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev Info
+            $Message
+
+        }
+        catch {
+            $ErrorMessage = Get-CippException -Exception $_
+            $Message = "Failed to create Quarantine policy '$($Request.Body.Name)' for tenant '$($TenantFilter)' - $($ErrorMessage.NormalizedError)"
+            Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev Error -LogData $ErrorMessage
+            $Message
+        }
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = @{Results = @($Result) }
+        })
+
+}