Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev

Author: KelvinTegelaar

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertEntraConnectSyncStatus.ps1

@@ -0,0 +1,33 @@
+
+function Get-CIPPAlertEntraConnectSyncStatus {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+    try {
+        # Set Hours with fallback to 72 hours
+        $Hours = if ($InputValue) { [int]$InputValue } else { 72 }
+        $ConnectSyncStatus = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/organization?$select=onPremisesLastPasswordSyncDateTime,onPremisesLastSyncDateTime,onPremisesSyncEnabled' -tenantid $TenantFilter
+
+        if ($ConnectSyncStatus.onPremisesSyncEnabled -eq $true) {
+            $LastPasswordSync = $ConnectSyncStatus.onPremisesLastPasswordSyncDateTime
+            $SyncDateTime = $ConnectSyncStatus.onPremisesLastSyncDateTime
+            # Get the older of the two sync times
+            $LastSync = if ($SyncDateTime -lt $LastPasswordSync) { $SyncDateTime } else { $LastPasswordSync }
+
+            if ($LastSync -lt (Get-Date).AddHours(-$Hours).ToUniversalTime()) {
+                $AlertData = "Entra Connect Sync for $($TenantFilter) has not run for over $Hours hours. Last sync was at $($LastSync.ToString('o'))"
+                Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+            }
+        }
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Could not get Entra Connect Sync Status for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1

@@ -20,7 +20,7 @@ function Push-DomainAnalyserTenant {
         return
     } else {
         try {
-            # Remove domains that are not wanted, and used for cloud signature services
+            # Remove domains that are not wanted, and used for cloud signature services. Same exclusions also found in Invoke-CIPPStandardAddDKIM
             $ExclusionDomains = @(
                 '*.microsoftonline.com'
                 '*.exclaimer.cloud'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecEditCalendarPermissions.ps1

@@ -21,12 +21,13 @@ function Invoke-ExecEditCalendarPermissions {
     $Permissions = $Request.Query.Permissions ?? $Request.Body.Permissions.value
     $FolderName = $Request.Query.FolderName ?? $Request.Body.FolderName
     $RemoveAccess = $Request.Query.RemoveAccess ?? $Request.Body.RemoveAccess.value
+    $CanViewPrivateItems = $Request.Query.CanViewPrivateItems ?? $Request.Body.CanViewPrivateItems
 
     try {
         if ($RemoveAccess) {
             $Result = Set-CIPPCalendarPermission -Headers $Headers -UserID $UserID -FolderName $FolderName -RemoveAccess $RemoveAccess -TenantFilter $TenantFilter
         } else {
-            $Result = Set-CIPPCalendarPermission -Headers $Headers -UserID $UserID -FolderName $FolderName -TenantFilter $TenantFilter -UserToGetPermissions $UserToGetPermissions -Permissions $Permissions
+            $Result = Set-CIPPCalendarPermission -Headers $Headers -UserID $UserID -FolderName $FolderName -TenantFilter $TenantFilter -UserToGetPermissions $UserToGetPermissions -Permissions $Permissions -CanViewPrivateItems $CanViewPrivateItems
         }
         $StatusCode = [HttpStatusCode]::OK
     } catch {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-EditIntuneScript.ps1

@@ -14,35 +14,110 @@ function Invoke-EditIntuneScript {
     $Headers = $Request.Headers
     Write-LogMessage -Headers $Headers -API $APINAME -message 'Accessed this API' -Sev Debug
 
-    $graphUrl = "https://graph.microsoft.com/beta"
-    switch($Request.Method) {
-        "GET" {
-            $parms = @{
-                uri = "$graphUrl/deviceManagement/deviceManagementScripts/$($Request.Query.ScriptId)"
-                tenantid = $Request.Query.TenantFilter
+    $graphUrl = 'https://graph.microsoft.com/beta'
+
+    # Define the endpoint based on script type
+    function Get-ScriptEndpoint {
+        param (
+            [Parameter(Mandatory = $true)]
+            [string]$ScriptType
+        )
+
+        switch ($ScriptType) {
+            'Windows' { return 'deviceManagement/deviceManagementScripts' }
+            'MacOS' { return 'deviceManagement/deviceShellScripts' }
+            'Remediation' { return 'deviceManagement/deviceHealthScripts' }
+            'Linux' { return 'deviceManagement/configurationPolicies' }
+            default { return 'deviceManagement/deviceManagementScripts' }
+        }
+    }
+
+    switch ($Request.Method) {
+        'GET' {
+            # First get the script type by querying the script ID
+            $scriptId = $Request.Query.ScriptId
+            $scriptTypeFound = $false
+
+            # Try each endpoint to find the script
+            foreach ($scriptType in @('Windows', 'MacOS', 'Remediation', 'Linux')) {
+                $endpoint = Get-ScriptEndpoint -ScriptType $scriptType
+                $parms = @{
+                    uri      = "$graphUrl/$endpoint/$scriptId"
+                    tenantid = $Request.Query.TenantFilter
+                }
+
+                try {
+                    $intuneScript = New-GraphGetRequest @parms -ErrorAction Stop
+                    if ($intuneScript) {
+                        $intuneScript | Add-Member -MemberType NoteProperty -Name scriptType -Value $scriptType -Force
+                        $scriptTypeFound = $true
+                        break
+                    }
+                } catch {
+                    # Script not found in this endpoint, try next one
+                    continue
+                }
             }
 
-            $intuneScript = New-GraphGetRequest @parms
-            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::OK
-                Body       = $intuneScript
-            })
+            if ($scriptTypeFound) {
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::OK
+                        Body       = $intuneScript
+                    })
+            } else {
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::NotFound
+                        Body       = "Script with ID $scriptId was not found in any endpoint."
+                    })
+            }
         }
-        "PATCH" {
+        'PATCH' {
+            # Parse the script data to determine type
+            $scriptData = $Request.Body.IntuneScript | ConvertFrom-Json
+            $scriptType = $Request.Body.ScriptType
+
+            if (-not $scriptType) {
+                # Try to determine script type from the request body
+                if ($scriptData.PSObject.Properties.Name -contains '@odata.type') {
+                    switch ($scriptData.'@odata.type') {
+                        '#microsoft.graph.deviceManagementScript' { $scriptType = 'Windows' }
+                        '#microsoft.graph.deviceShellScript' { $scriptType = 'MacOS' }
+                        '#microsoft.graph.deviceHealthScript' { $scriptType = 'Remediation' }
+                        default {
+                            if ($scriptData.platforms -eq 'linux' -and $scriptData.templateReference.templateFamily -eq 'deviceConfigurationScripts') {
+                                $scriptType = 'Linux'
+                            } else {
+                                $scriptType = 'Windows' # Default to Windows if no definitive type found
+                            }
+                        }
+                    }
+                }
+            }
+
+            $endpoint = Get-ScriptEndpoint -ScriptType $scriptType
             $parms = @{
-                uri = "$graphUrl/deviceManagement/deviceManagementScripts/$($Request.Body.ScriptId)"
+                uri      = "$graphUrl/$endpoint/$($Request.Body.ScriptId)"
                 tenantid = $Request.Body.TenantFilter
-                body = $Request.Body.IntuneScript
+                body     = $Request.Body.IntuneScript
+            }
+
+            try {
+                $patchResult = New-GraphPOSTRequest @parms -type 'PATCH'
+                $body = [pscustomobject]@{'Results' = $patchResult }
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::OK
+                        Body       = $body
+                    })
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::BadRequest
+                        Body       = "Failed to update script: $($ErrorMessage.NormalizedError)"
+                    })
             }
-            $patchResult = New-GraphPOSTRequest @parms -type "PATCH"
-            $body = [pscustomobject]@{'Results' = $patchResult }
-            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::OK
-                Body       = $body
-            })
         }
-        "POST" {
-            Write-Output "Adding script"
+        'POST' {
+            Write-Output 'Adding script'
         }
     }
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecCreateTAP.ps1

@@ -19,17 +19,28 @@ Function Invoke-ExecCreateTAP {
     $UserID = $Request.Query.ID ?? $Request.Body.ID
 
     try {
-        $Result = New-CIPPTAP -userid $UserID -TenantFilter $TenantFilter -APIName $APIName -Headers $Headers
+        $TAPResult = New-CIPPTAP -userid $UserID -TenantFilter $TenantFilter -APIName $APIName -Headers $Headers
+
+        # Create results array with both TAP and UserID as separate items
+        $Results = @(
+            $TAPResult,
+            @{
+                resultText = "User ID: $UserID"
+                copyField = $UserID
+                state = 'success'
+            }
+        )
+
         $StatusCode = [HttpStatusCode]::OK
     } catch {
-        $Result = Get-NormalizedError -message $($_.Exception.Message)
+        $Results = Get-NormalizedError -message $($_.Exception.Message)
         $StatusCode = [HttpStatusCode]::InternalServerError
     }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = $StatusCode
-            Body       = @{'Results' = $Result }
+            Body       = @{'Results' = $Results }
         })
 
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-EditTenant.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-EditTenant {
+function Invoke-EditTenant {
     <#
     .FUNCTIONALITY
         Entrypoint,AnyTenant
@@ -11,8 +11,9 @@ Function Invoke-EditTenant {
     param($Request, $TriggerMetadata)
 
     $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
 
-    Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    Write-LogMessage -headers $Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 
     $customerId = $Request.Body.customerId
     $tenantAlias = $Request.Body.tenantAlias
@@ -46,9 +47,9 @@ Function Invoke-EditTenant {
         }
 
         # Update tenant groups
-        $CurrentMembers = Get-CIPPAzDataTableEntity @GroupMembersTable -Filter "customerId eq '$customerId'"
+        $CurrentGroupMemberships = Get-CIPPAzDataTableEntity @GroupMembersTable -Filter "customerId eq '$customerId'"
         foreach ($Group in $tenantGroups) {
-            $GroupEntity = $CurrentMembers | Where-Object { $_.GroupId -eq $Group.groupId }
+            $GroupEntity = $CurrentGroupMemberships | Where-Object { $_.GroupId -eq $Group.groupId }
             if (!$GroupEntity) {
                 $GroupEntity = @{
                     PartitionKey = 'Member'
@@ -61,8 +62,8 @@ Function Invoke-EditTenant {
         }
 
         # Remove any groups that are no longer selected
-        foreach ($Group in $CurrentMembers) {
-            if ($tenantGroups -notcontains $Group.GroupId) {
+        foreach ($Group in $CurrentGroupMemberships) {
+            if ($tenantGroups.GroupId -notcontains $Group.GroupId) {
                 Remove-AzDataTableEntity @GroupMembersTable -Entity $Group
             }
         }
@@ -76,7 +77,7 @@ Function Invoke-EditTenant {
                 Body       = $response
             })
     } catch {
-        Write-LogMessage -headers $Request.Headers -tenant $customerId -API $APINAME -message "Edit Tenant failed. The error is: $($_.Exception.Message)" -Sev 'Error'
+        Write-LogMessage -headers $Headers -tenant $customerId -API $APINAME -message "Edit Tenant failed. The error is: $($_.Exception.Message)" -Sev 'Error'
         $response = @{
             state      = 'error'
             resultText = $_.Exception.Message

Modules/CIPPCore/Public/New-CIPPTAP.ps1

@@ -11,7 +11,8 @@ function New-CIPPTAP {
         $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($userid)/authentication/temporaryAccessPassMethods" -tenantid $TenantFilter -type POST -body '{}' -verbose
         Write-LogMessage -headers $Headers -API $APIName -message "Created Temporary Access Password (TAP) for $userid" -Sev 'Info' -tenant $TenantFilter
         return @{
-            resultText          = "The TAP for this user is $($GraphRequest.temporaryAccessPass) - This TAP is usable for the next $($GraphRequest.LifetimeInMinutes) minutes"
+            resultText          = "The TAP for $userid is $($GraphRequest.temporaryAccessPass) - This TAP is usable for the next $($GraphRequest.LifetimeInMinutes) minutes"
+            userid              = $userid
             copyField           = $GraphRequest.temporaryAccessPass
             temporaryAccessPass = $GraphRequest.temporaryAccessPass
             lifetimeInMinutes   = $GraphRequest.LifetimeInMinutes

Modules/CIPPCore/Public/Set-CIPPCalendarPermission.ps1

@@ -9,7 +9,8 @@ function Set-CIPPCalendarPermission {
         $folderName,
         $UserToGetPermissions,
         $LoggingName,
-        $Permissions
+        $Permissions,
+        [bool]$CanViewPrivateItems
     )
 
     try {
@@ -26,6 +27,10 @@ function Set-CIPPCalendarPermission {
             AccessRights = @($Permissions)
             User         = $UserToGetPermissions
         }
+
+        if ($CanViewPrivateItems) {
+            $CalParam | Add-Member -NotePropertyName 'SharingPermissionFlags' -NotePropertyValue 'Delegate,CanViewPrivateItems'
+        }
 
         if ($RemoveAccess) {
             if ($PSCmdlet.ShouldProcess("$UserID\$folderName", "Remove permissions for $LoggingName")) {
@@ -42,6 +47,9 @@ function Set-CIPPCalendarPermission {
                 }
                 Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message "Successfully set Calendar permissions $Permissions for $LoggingName on $UserID." -sev Info
                 $Result = "Successfully set permissions on folder $($CalParam.Identity). The user $LoggingName now has $Permissions permissions on this folder."
+                if ($CanViewPrivateItems) {
+                    $Result += " The user can also view private items."
+                }
             }
         }
     } catch {

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1

@@ -66,9 +66,36 @@ function Invoke-CIPPStandardAddDKIM {
         return
     }
 
+    # Same exclusions also found in Push-DomainAnalyserTenant
+    $ExclusionDomains = @(
+        '*.microsoftonline.com'
+        '*.exclaimer.cloud'
+        '*.excl.cloud'
+        '*.codetwo.online'
+        '*.call2teams.com'
+        '*.signature365.net'
+        '*.myteamsconnect.io'
+        '*.teams.dstny.com'
+    )
 
-    $AllDomains = ($BatchResults | Where-Object { $_.DomainName }).DomainName
-    $DKIM = $BatchResults | Where-Object { $_.Domain } | Select-Object Domain, Enabled, Status
+    $AllDomains = ($BatchResults | Where-Object { $_.DomainName }).DomainName | ForEach-Object {
+        $Domain = $_
+        foreach ($ExclusionDomain in $ExclusionDomains) {
+            if ($Domain -like $ExclusionDomain) {
+                $Domain = $null
+            }
+        }
+        if ($null -ne $Domain) { $Domain }
+    }
+    $DKIM = $BatchResults | Where-Object { $_.Domain } | Select-Object Domain, Enabled, Status | ForEach-Object {
+        $Domain = $_
+        foreach ($ExclusionDomain in $ExclusionDomains) {
+            if ($Domain.Domain -like $ExclusionDomain) {
+                $Domain = $null
+            }
+        }
+        if ($null -ne $Domain) { $Domain }
+    }
 
     # List of domains for each way to enable DKIM
     $NewDomains = $AllDomains | Where-Object { $DKIM.Domain -notcontains $_ }