feat:Make JIT admin support all tenants view

kris6673 · kris6673 · commit 732ad866f030 · 2025-05-21T22:31:58.000+02:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecJITAdminListAllTenants.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecJITAdminListAllTenants.ps1
@@ -7,7 +7,6 @@ function Push-ExecJITAdminListAllTenants {
 
     $Tenant = Get-Tenants -TenantFilter $Item.customerId
     $DomainName = $Tenant.defaultDomainName
-    Write-Host "Processing push queue for JIT Admin for tenant: $DomainName"
     $Table = Get-CIPPTable -TableName CacheJITAdmin
 
     try {
@@ -62,17 +61,18 @@ function Push-ExecJITAdminListAllTenants {
                         accountEnabled     = $currentUser.accountEnabled
                         jitAdminEnabled    = $jitAdminEnabled
                         jitAdminExpiration = $jitAdminExpiration
-                        memberOf           = ($MemberOf | ConvertTo-Json -Depth 5 -Compress) # Store as JSON string
+                        memberOf           = ($MemberOf | ConvertTo-Json -Depth 5 -Compress)
                     }
                 }
 
                 # Add to Azure Table
                 foreach ($result in $Results) {
                     $GUID = (New-Guid).Guid
+                    Write-Host ($result | ConvertTo-Json -Depth 10 -Compress)
                     $GraphRequest = @{
-                        JITAdminUser = ($result | ConvertTo-Json -Depth 10 -Compress)
+                        JITAdminUser = [string]($result | ConvertTo-Json -Depth 10 -Compress)
                         RowKey       = [string]$GUID
-                        PartitionKey = 'JITAdminUsers' # Use the specified partition key
+                        PartitionKey = 'JITAdminUser'
                         Tenant       = [string]$DomainName
                         UserId       = [string]$result.id # Add UserId for easier querying if needed
                         UserUPN      = [string]$result.userPrincipalName # Add UserUPN for easier querying
@@ -89,23 +89,21 @@ function Push-ExecJITAdminListAllTenants {
 
     } catch {
         $GUID = (New-Guid).Guid
-        $ErrorRecord = $_ | Select-Object *
         $ErrorMessage = "Could not process JIT Admin users for Tenant: $($DomainName). Error: $($_.Exception.Message)"
         if ($_.ScriptStackTrace) {
             $ErrorMessage += " StackTrace: $($_.ScriptStackTrace)"
         }
         $ErrorJson = ConvertTo-Json -InputObject @{
             Tenant    = $DomainName
             Error     = $ErrorMessage
-            Exception = ($_.Exception | ConvertTo-Json -Depth 3 -Compress)
-            FullError = ($ErrorRecord | ConvertTo-Json -Depth 3 -Compress)
+            Exception = ($_.Exception.Message | ConvertTo-Json -Depth 3 -Compress)
             Timestamp = (Get-Date).ToString('s')
         }
         $GraphRequest = @{
-            JITAdminUserError = [string]$ErrorJson
-            RowKey            = [string]$GUID
-            PartitionKey      = 'JITAdminUsers_Error' # Differentiate errors
-            Tenant            = [string]$DomainName
+            JITAdminUser = [string]$ErrorJson
+            RowKey       = [string]$GUID
+            PartitionKey = 'JITAdminUser'
+            Tenant       = [string]$DomainName
         }
         Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null
         Write-Error ('Error processing JIT Admin for {0}: {1}' -f $DomainName, $_.Exception.Message)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
@@ -17,7 +17,8 @@ function Invoke-ExecJITAdmin {
 
     if ($Request.Query.Action -eq 'List') {
         $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
-        if ($TenantFilter -ne 'AllTenants') {
+        if ($Request.Query.TenantFilter -ne 'AllTenants') {
+            # Single tenant logic
             $Query = @{
                 TenantFilter = $Request.Query.TenantFilter
                 Endpoint     = 'users'
@@ -36,7 +37,6 @@ function Invoke-ExecJITAdmin {
                     }
                 )
             }
-            # Use $TenantFilter consistently, which is derived from Body or Query params at line 15
             $RoleResults = New-GraphBulkRequest -tenantid $Request.Query.TenantFilter -Requests @($BulkRequests)
             #Write-Information ($RoleResults | ConvertTo-Json -Depth 10 )
             $Results = $Users | ForEach-Object {
@@ -63,34 +63,30 @@ function Invoke-ExecJITAdmin {
             # AllTenants logic
             $Results = [System.Collections.Generic.List[object]]::new()
             $Metadata = @{}
-            # Assumed table name for JIT Admin cache. User might need to adjust.
             $Table = Get-CIPPTable -TableName CacheJITAdmin
-            $PartitionKey = 'JITAdminUsers' # Assumed partition key
-
-            # Filter for recent data, e.g., last 60 minutes. Orchestrator populates this.
+            $PartitionKey = 'JITAdminUser'
             $Filter = "PartitionKey eq '$PartitionKey'"
-            $Rows = Get-CIPPAzDataTableEntity @Table -filter $Filter | Where-Object -Property Timestamp -GT (Get-Date).AddMinutes(-1)
+            $Rows = Get-CIPPAzDataTableEntity @Table -filter $Filter | Where-Object -Property Timestamp -GT (Get-Date).AddMinutes(-60)
 
             $QueueReference = '{0}-{1}' -f $Request.Query.TenantFilter, $PartitionKey # $TenantFilter is 'AllTenants'
+            Write-Information "QueueReference: $QueueReference"
             $RunningQueue = Invoke-ListCippQueue | Where-Object { $_.Reference -eq $QueueReference -and $_.Status -notmatch 'Completed' -and $_.Status -notmatch 'Failed' }
 
             if ($RunningQueue) {
                 $Metadata = [PSCustomObject]@{
                     QueueMessage = 'Still loading JIT Admin data for all tenants. Please check back in a few more minutes.'
                 }
-                $Results.Add([PSCustomObject]@{ Waiting = $true })
-            } elseif (!$dRows -and !$RunningQueue) {
+            } elseif (!$Rows -and !$RunningQueue) {
                 $TenantList = Get-Tenants -IncludeErrors
-                $QueueLink = if ($Request.RequestUri) { $Request.RequestUri.ToString() -replace $Request.Query.Action, 'List' } else { '/identity/administration/users/jit-admin?Action=List&TenantFilter=AllTenants' } # Fallback link
-                $Queue = New-CippQueueEntry -Name 'JIT Admin List - All Tenants' -Link $QueueLink -Reference $QueueReference -TotalTasks ($TenantList | Measure-Object).Count
+                $Queue = New-CippQueueEntry -Name 'JIT Admin List - All Tenants' -Link '/identity/administration/jit-admin?tenantFilter=AllTenants' -Reference $QueueReference -TotalTasks ($TenantList | Measure-Object).Count
 
                 $Metadata = [PSCustomObject]@{
                     QueueMessage = 'Loading JIT Admin data for all tenants. Please check back in a few minutes.'
                 }
                 $InputObject = [PSCustomObject]@{
-                    OrchestratorName = 'JITAdminListAllTenantsOrchestrator' # Assumed orchestrator name
+                    OrchestratorName = 'JITAdminOrchestrator'
                     QueueFunction    = @{
-                        FunctionName = 'GetTenants' # Generic entry, durable function handles per-tenant logic
+                        FunctionName = 'GetTenants'
                         QueueId      = $Queue.RowKey
                         TenantParams = @{
                             IncludeErrors = $true
@@ -100,32 +96,24 @@ function Invoke-ExecJITAdmin {
                     SkipLog          = $true
                 }
                 Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
-                $Results.Add([PSCustomObject]@{ Waiting = $true })
             } else {
-                # $dRows exist
+                # There is data in the cache, so we will use that
+                Write-Information "Found $($Rows.Count) rows in the cache"
                 foreach ($row in $Rows) {
-                    # Assuming $row.JITUserObject contains the serialized PSCustomObject for the user's JIT details
-                    # And $row.TenantId (or $row.TenantDisplayName) contains the tenant identifier
-                    try {
-                        $UserObject = $row.JITUserObject | ConvertFrom-Json
-                        $Results.Add(
-                            [PSCustomObject]@{
-                                Tenant             = $row.TenantId # Or TenantDisplayName, ensure orchestrator stores this
-                                id                 = $UserObject.id
-                                displayName        = $UserObject.displayName
-                                userPrincipalName  = $UserObject.userPrincipalName
-                                accountEnabled     = $UserObject.accountEnabled
-                                jitAdminEnabled    = $UserObject.jitAdminEnabled
-                                jitAdminExpiration = $UserObject.jitAdminExpiration
-                                memberOf           = $UserObject.memberOf # This should be an array of role objects
-                            }
-                        )
-                    } catch {
-                        Write-LogMessage -Headers $User -API $APIName -message "Failed to process cached JIT admin row for Tenant $($row.TenantId), RowKey $($row.RowKey). Error: $($_.Exception.Message)" -Sev 'Warning'
-                        # Optionally add a placeholder or skip if critical
-                    }
+                    $UserObject = $row.JITAdminUser | ConvertFrom-Json
+                    $Results.Add(
+                        [PSCustomObject]@{
+                            Tenant             = $row.Tenant
+                            id                 = $UserObject.id
+                            displayName        = $UserObject.displayName
+                            userPrincipalName  = $UserObject.userPrincipalName
+                            accountEnabled     = $UserObject.accountEnabled
+                            jitAdminEnabled    = $UserObject.jitAdminEnabled
+                            jitAdminExpiration = $UserObject.jitAdminExpiration
+                            memberOf           = $UserObject.memberOf
+                        }
+                    )
                 }
-                $Metadata = @{ Info = 'Displaying cached JIT Admin data for all tenants.' }
             }
             $Body = @{
                 Results  = @($Results)
