app approval template support

Author: JohnDuprey

Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1

@@ -2,6 +2,7 @@ function Add-CIPPApplicationPermission {
     [CmdletBinding()]
     param(
         $RequiredResourceAccess,
+        $TemplateId,
         $ApplicationId,
         $Tenantfilter
     )
@@ -31,7 +32,34 @@ function Add-CIPPApplicationPermission {
 
             $RequiredResourceAccess.Add($Resource)
         }
+    } else {
+        if (!$RequiredResourceAccess -and $TemplateId) {
+            Write-Information "Adding application permissions for template $TemplateId"
+            $TemplateTable = Get-CIPPTable -TableName 'templates'
+            $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+            $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+            $ApplicationId = $Template.AppId
+            $Permissions = $Template.Permissions
+            $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
+            foreach ($AppId in $Permissions.PSObject.Properties.Name) {
+                $AppPermissions = @($Permissions.$AppId.applicationPermissions)
+                $Resource = @{
+                    resourceAppId  = $AppId
+                    resourceAccess = [System.Collections.Generic.List[object]]::new()
+                }
+                foreach ($Permission in $AppPermissions) {
+                    $Resource.ResourceAccess.Add(@{
+                            id   = $Permission.id
+                            type = 'Role'
+                        })
+                }
+
+                $RequiredResourceAccess.Add($Resource)
+            }
+        }
     }
+
+
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $Tenantfilter -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
     if (!$ourSVCPrincipal) {
@@ -59,7 +87,7 @@ function Add-CIPPApplicationPermission {
             }
         }
         foreach ($SingleResource in $App.ResourceAccess | Where-Object -Property Type -EQ 'Role') {
-            if ($SingleResource.id -In $CurrentRoles.appRoleId) { continue }
+            if ($SingleResource.id -in $CurrentRoles.appRoleId) { continue }
             [pscustomobject]@{
                 principalId = $($ourSVCPrincipal.id)
                 resourceId  = $($svcPrincipalId.id)

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -2,6 +2,7 @@ function Add-CIPPDelegatedPermission {
     [CmdletBinding()]
     param(
         $RequiredResourceAccess,
+        $TemplateId,
         $ApplicationId,
         $NoTranslateRequired,
         $Tenantfilter
@@ -40,7 +41,34 @@ function Add-CIPPDelegatedPermission {
             # remove the partner center permission if not pushing to partner tenant
             $RequiredResourceAccess = $RequiredResourceAccess | Where-Object { $_.resourceAppId -ne 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd' }
         }
+    } else {
+        if (!$RequiredResourceAccess -and $TemplateId) {
+            Write-Information "Adding delegated permissions for template $TemplateId"
+            $TemplateTable = Get-CIPPTable -TableName 'templates'
+            $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+            $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+            $ApplicationId = $Template.AppId
+            $Permissions = $Template.Permissions
+            $NoTranslateRequired = $true
+            $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
+            foreach ($AppId in $Permissions.PSObject.Properties.Name) {
+                $DelegatedPermissions = @($Permissions.$AppId.delegatedPermissions)
+                $ResourceAccess = [System.Collections.Generic.List[object]]::new()
+                foreach ($Permission in $DelegatedPermissions) {
+                    $ResourceAccess.Add(@{
+                            id   = $Permission.value
+                            type = 'Scope'
+                        })
+                }
+                $Resource = @{
+                    resourceAppId  = $AppId
+                    resourceAccess = @($ResourceAccess)
+                }
+                $RequiredResourceAccess.Add($Resource)
+            }
+        }
     }
+
     $Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property appId -EQ $ApplicationId
@@ -66,6 +94,7 @@ function Add-CIPPDelegatedPermission {
         }
 
         $DelegatedScopes = $App.resourceAccess | Where-Object -Property type -EQ 'Scope'
+
         if ($NoTranslateRequired) {
             $NewScope = @($DelegatedScopes | ForEach-Object { $_.id } | Sort-Object -Unique) -join ' '
         } else {

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecAppApprovalTemplate.ps1

@@ -8,29 +8,23 @@ function Push-ExecAppApprovalTemplate {
     try {
         $Item = $Item | ConvertTo-Json -Depth 10 | ConvertFrom-Json
         $TemplateId = $Item.templateId
-
-        $TemplateTable = Get-CIPPTable -TableName 'templates'
-        $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
-        $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
-
-        if (!$Template) {
-            Write-LogMessage -message "Template $TemplateId not found" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
+        if (!$TemplateId) {
+            Write-LogMessage -message 'No template specified' -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
             return
         }
 
-        $Permissions = $Template.Permissions
-
-        Write-Host "$($Item | ConvertTo-Json -Depth 10)"
         $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Item.Tenant
         if ($Item.AppId -notin $ServicePrincipalList.appId) {
+            Write-Information "Adding $($Item.AppId) to tenant $($Item.Tenant)."
             $PostResults = New-GraphPostRequest 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $Item.tenant -body "{ `"appId`": `"$($Item.appId)`" }"
             Write-LogMessage -message "Added $($Item.AppId) to tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Info
         } else {
             Write-LogMessage -message "This app already exists in tenant $($Item.Tenant). We're adding the required permissions." -tenant $Item.Tenant -API 'Add Multitenant App' -sev Info
         }
-        Add-CIPPApplicationPermission -RequiredResourceAccess ($Item.applicationResourceAccess) -ApplicationId $Item.AppId -Tenantfilter $Item.Tenant
-        Add-CIPPDelegatedPermission -RequiredResourceAccess ($Item.DelegateResourceAccess) -ApplicationId $Item.AppId -Tenantfilter $Item.Tenant
+        Add-CIPPApplicationPermission -TemplateId $TemplateId -Tenantfilter $Item.Tenant
+        Add-CIPPDelegatedPermission -TemplateId $TemplateId -Tenantfilter $Item.Tenant
     } catch {
         Write-LogMessage -message "Error adding application to tenant $($Item.Tenant) - $($_.Exception.Message)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
+        Write-Error $_.Exception.Message
     }
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecAddMultiTenantApp.ps1

@@ -33,26 +33,30 @@ function Invoke-ExecAddMultiTenantApp {
 
             $TenantCount = ($TenantFilter | Measure-Object).Count
             $Queue = New-CippQueueEntry -Name 'Application Approval' -TotalTasks $TenantCount
-            foreach ($Tenant in $TenantFilter) {
-                try {
-                    $InputObject = @{
-                        OrchestratorName = 'ExecMultiTenantAppOrchestrator'
-                        Batch            = @([pscustomobject]@{
-                                FunctionName              = $Command
-                                Tenant                    = $tenant
-                                AppId                     = $Request.Body.AppId
-                                applicationResourceAccess = $ApplicationResourceAccess
-                                delegateResourceAccess    = $DelegateResourceAccess
-                                QueueId                   = $Queue.RowKey
-                            })
-                        SkipLog          = $true
-                    }
-                    $null = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
-                    "Queued application to tenant $Tenant. See the logbook for deployment details"
-                } catch {
-                    "Error queuing application to tenant $Tenant - $($_.Exception.Message)"
+            $Batch = foreach ($Tenant in $TenantFilter) {
+                [pscustomobject]@{
+                    FunctionName              = $Command
+                    Tenant                    = $tenant
+                    AppId                     = $Request.Body.AppId
+                    applicationResourceAccess = $ApplicationResourceAccess
+                    delegateResourceAccess    = $DelegateResourceAccess
+                    QueueId                   = $Queue.RowKey
                 }
             }
+
+            try {
+                $InputObject = @{
+                    OrchestratorName = 'ExecMultiTenantAppOrchestrator'
+                    Batch            = @($Batch)
+                    SkipLog          = $true
+                }
+                $null = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+                $Results = 'Deploying {0} to {1}, see the logbook for details' -f $Request.Body.AppId, ($Request.Body.tenantFilter.label -join ', ')
+            } catch {
+                $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
+                $Results = "Function Error: $ErrorMsg"
+            }
+
             $StatusCode = [HttpStatusCode]::OK
         } catch {
             $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
@@ -61,14 +65,34 @@ function Invoke-ExecAddMultiTenantApp {
         }
     } elseif ($Request.Body.configMode -eq 'template') {
         Write-Information 'Application Approval - Template Mode'
-        Write-Information ($Request.Body | ConvertTo-Json -Depth 5)
-
-
-        
-
-
+        if ('allTenants' -in $Request.Body.tenantFilter.value) {
+            $TenantFilter = (Get-Tenants).defaultDomainName
+        } else {
+            $TenantFilter = $Request.Body.tenantFilter.value
+        }
+        $TenantCount = ($TenantFilter | Measure-Object).Count
+        $Queue = New-CippQueueEntry -Name 'Application Approval (Template)' -TotalTasks $TenantCount
 
-        $Results = 'Deploying {0} to {1}' -f $Request.Body.selectedTemplate.label, ($Request.Body.tenantFilter.label -join ', ')
+        $Batch = foreach ($Tenant in $TenantFilter) {
+            [pscustomobject]@{
+                FunctionName = 'ExecAppApprovalTemplate'
+                Tenant       = $tenant
+                TemplateId   = $Request.Body.selectedTemplate.value
+                AppId        = $Request.Body.selectedTemplate.addedFields.AppId
+                QueueId      = $Queue.RowKey
+            }
+        }
+        try {
+            $InputObject = @{
+                OrchestratorName = 'ExecMultiTenantAppOrchestrator'
+                Batch            = @($Batch)
+                SkipLog          = $true
+            }
+            $null = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+            $Results = 'Deploying {0} to {1}, see the logbook for details' -f $Request.Body.selectedTemplate.label, ($Request.Body.tenantFilter.label -join ', ')
+        } catch {
+            $Results = "Error queuing application - $($_.Exception.Message)"
+        }
         $StatusCode = [HttpStatusCode]::OK
     }