add single tenants improvements

KelvinTegelaar · KelvinTegelaar · commit 2f6e6ea04b86 · 2025-05-21T14:22:12.000+02:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecAddTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecAddTenant.ps1
@@ -13,12 +13,12 @@ Function Invoke-ExecAddTenant {
     try {
         # Get the tenant ID from the request body
         $tenantId = $Request.body.tenantId
-        $displayName = $Request.body.displayName
         $defaultDomainName = $Request.body.defaultDomainName
 
         # Get the Tenants table
         $TenantsTable = Get-CippTable -tablename 'Tenants'
-
+        #force a refresh of the authentication info
+        $auth = Get-CIPPAuthentication
         # Check if tenant already exists
         $ExistingTenant = Get-CIPPAzDataTableEntity @TenantsTable -Filter "PartitionKey eq 'Tenants' and RowKey eq '$tenantId'"
 
@@ -30,25 +30,13 @@ Function Invoke-ExecAddTenant {
         } else {
             # Create new tenant entry
             try {
-                # Get organization info
-                $Organization = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/organization' -tenantid $tenantId -NoAuthCheck:$true -ErrorAction Stop
-
-                if (-not $displayName) {
-                    $displayName = $Organization[0].displayName
-                }
-
-                if (-not $defaultDomainName) {
-                    # Try to get domains
-                    try {
-                        $Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $tenantId -NoAuthCheck:$true -ErrorAction Stop
-                        $defaultDomainName = ($Domains | Where-Object { $_.isDefault -eq $true }).id
-                        $initialDomainName = ($Domains | Where-Object { $_.isInitial -eq $true }).id
-                    } catch {
-                        # If we can't get domains, use verified domains from organization
-                        $defaultDomainName = ($Organization[0].verifiedDomains | Where-Object { $_.isDefault -eq $true }).name
-                        $initialDomainName = ($Organization[0].verifiedDomains | Where-Object { $_.isInitial -eq $true }).name
-                    }
-                }
+                # Get tenant information from Microsoft Graph
+                $headers = @{ Authorization = "Bearer $($request.body.access_token)" }
+                $Organization = (Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/organization' -Headers $headers -Method GET -ContentType 'application/json' -ErrorAction Stop).value
+                $displayName = $Organization.displayName
+                $Domains = (Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/domains?$top=999' -Headers $headers -Method GET -ContentType 'application/json' -ErrorAction Stop).value
+                $defaultDomainName = ($Domains | Where-Object { $_.isDefault -eq $true }).id
+                $initialDomainName = ($Domains | Where-Object { $_.isInitial -eq $true }).id
             } catch {
                 Write-LogMessage -API 'Add-Tenant' -message "Failed to get information for tenant $tenantId - $($_.Exception.Message)" -Sev 'Critical'
                 throw "Failed to get information for tenant $tenantId. Make sure the tenant is properly authenticated."
diff --git a/Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1 b/Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1
@@ -20,7 +20,10 @@ function Get-CIPPAuthentication {
             }
             Write-Host "Got secrets from dev storage. ApplicationID: $env:ApplicationID"
             #Get list of tenants that have 'directTenant' set to true
-            $tenants = Get-Tenants -IncludeErrors | Where-Object -Property delegatedPrivilegeStatus -EQ 'directTenant'
+            #get directtenants directly from table, avoid get-tenants due to performance issues
+            $TenantsTable = Get-CippTable -tablename 'Tenants'
+            $Filter = "PartitionKey eq 'Tenants' and delegatedPrivilegeStatus eq 'directTenant'"
+            $tenants = Get-CIPPAzDataTableEntity @TenantsTable -Filter $Filter
             if ($tenants) {
                 $tenants | ForEach-Object {
                     $secretname = $_.customerId -replace '-', '_'
@@ -49,7 +52,9 @@ function Get-CIPPAuthentication {
 
             $keyvaultname = ($env:WEBSITE_DEPLOYMENT_ID -split '-')[0]
             #Get list of tenants that have 'directTenant' set to true
-            $tenants = Get-Tenants -IncludeErrors | Where-Object -Property delegatedPrivilegeStatus -EQ 'directTenant'
+            $TenantsTable = Get-CippTable -tablename 'Tenants'
+            $Filter = "PartitionKey eq 'Tenants' and delegatedPrivilegeStatus eq 'directTenant'"
+            $tenants = Get-CIPPAzDataTableEntity @TenantsTable -Filter $Filter
             if ($tenants) {
                 $tenants | ForEach-Object {
                     $name = $_.tenantId -replace '-', '_'
diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1
@@ -4,11 +4,16 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     Internal
     #>
     if (!$scope) { $scope = 'https://graph.microsoft.com/.default' }
+
     if (!$env:SetFromProfile) { $CIPPAuth = Get-CIPPAuthentication; Write-Host 'Could not get Refreshtoken from environment variable. Reloading token.' }
     #If the $env:<$tenantid> is set, use that instead of the refreshtoken for all tenants.
     $refreshToken = $env:RefreshToken
     if (!$tenantid) { $tenantid = $env:TenantID }
-    $ClientType = Get-Tenants -IncludeErrors -TenantFilter $tenantid
+    #Get list of tenants that have 'directTenant' set to true
+    #get directtenants directly from table, avoid get-tenants due to performance issues
+    $TenantsTable = Get-CippTable -tablename 'Tenants'
+    $Filter = "PartitionKey eq 'Tenants' and delegatedPrivilegeStatus eq 'directTenant'"
+    $ClientType = Get-CIPPAzDataTableEntity @TenantsTable -Filter $Filter | Where-Object { $_.customerId -eq $tenantid -or $_.defaultDomainName -eq $tenantid }
     if ($clientType.delegatedPrivilegeStatus -eq 'directTenant') {
         Write-Host "Using direct tenant refresh token for $($clientType.customerId)"
         $ClientRefreshToken = Get-Item -Path "env:\$($clientType.customerId)" -ErrorAction SilentlyContinue
diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
@@ -14,7 +14,10 @@ function Get-Tenants {
         [switch]$CleanOld,
         [string]$TenantFilter
     )
-
+    $caller = $MyInvocation.InvocationName
+    $scriptName = $MyInvocation.ScriptName
+    Write-Host "Called by: $caller"
+    Write-Host "In script: $scriptName"
     $TenantsTable = Get-CippTable -tablename 'Tenants'
     $ExcludedFilter = "PartitionKey eq 'Tenants' and Excluded eq true"
 
@@ -75,7 +78,9 @@ function Get-Tenants {
     if (($BuildRequired -or $TriggerRefresh.IsPresent) -and $PartnerTenantState.state -ne 'owntenant') {
         # Get TenantProperties table
         $PropertiesTable = Get-CippTable -TableName 'TenantProperties'
-
+        if (!$env:RefreshToken) {
+            throw 'RefreshToken not set. Cannot get tenant list.'
+        }
         #get the full list of tenants
         $GDAPRelationships = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships?`$filter=status eq 'active' and not startsWith(displayName,'MLT_')$RelationshipFilter&`$select=customer,autoExtendDuration,endDateTime&`$top=300" -NoAuthCheck:$true
         $GDAPList = foreach ($Relationship in $GDAPRelationships) {
