app approval template deployment

JohnDuprey · JohnDuprey · commit 75e73ce11add · 2025-05-20T17:36:03.000-04:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecAppApprovalTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecAppApprovalTemplate.ps1
@@ -0,0 +1,36 @@
+function Push-ExecAppApprovalTemplate {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    param($Item)
+
+    try {
+        $Item = $Item | ConvertTo-Json -Depth 10 | ConvertFrom-Json
+        $TemplateId = $Item.templateId
+
+        $TemplateTable = Get-CIPPTable -TableName 'templates'
+        $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+        $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+
+        if (!$Template) {
+            Write-LogMessage -message "Template $TemplateId not found" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
+            return
+        }
+
+        $Permissions = $Template.Permissions
+
+        Write-Host "$($Item | ConvertTo-Json -Depth 10)"
+        $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Item.Tenant
+        if ($Item.AppId -notin $ServicePrincipalList.appId) {
+            $PostResults = New-GraphPostRequest 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $Item.tenant -body "{ `"appId`": `"$($Item.appId)`" }"
+            Write-LogMessage -message "Added $($Item.AppId) to tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Info
+        } else {
+            Write-LogMessage -message "This app already exists in tenant $($Item.Tenant). We're adding the required permissions." -tenant $Item.Tenant -API 'Add Multitenant App' -sev Info
+        }
+        Add-CIPPApplicationPermission -RequiredResourceAccess ($Item.applicationResourceAccess) -ApplicationId $Item.AppId -Tenantfilter $Item.Tenant
+        Add-CIPPDelegatedPermission -RequiredResourceAccess ($Item.DelegateResourceAccess) -ApplicationId $Item.AppId -Tenantfilter $Item.Tenant
+    } catch {
+        Write-LogMessage -message "Error adding application to tenant $($Item.Tenant) - $($_.Exception.Message)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
+    }
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecServicePrincipals.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecServicePrincipals.ps1
@@ -20,17 +20,32 @@ function Invoke-ExecServicePrincipals {
     try {
         switch ($Request.Query.Action) {
             'Create' {
+                $BlockList = @(
+                    'e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd', # eM Client
+                    'ff8d92dc-3d82-41d6-bcbd-b9174d163620', # PerfectData Software
+                    'a245e8c0-b53c-4b67-9b45-751d1dff8e6b', # Newsletter Software Supermailer
+                    'b15665d9-eda6-4092-8539-0eec376afd59', # rclone
+                    'a43e5392-f48b-46a4-a0f1-098b5eeb4757', # CloudSponge
+                    'caffae8c-0882-4c81-9a27-d1803af53a40'  # SigParser
+                )
                 $Action = 'Create'
+
                 if ($Request.Query.AppId -match '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
-                    $Body = @{
-                        'appId' = $Request.Query.AppId
-                    } | ConvertTo-Json -Compress
-                    try {
-                        $ServicePrincipal = New-GraphPostRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals' -tenantid $TenantFilter -type POST -body $Body -NoAuthCheck $true
-                        $Results = "Created service principal for $($ServicePrincipal.displayName) ($($ServicePrincipal.appId))"
-                    } catch {
-                        $Results = "Unable to create service principal: $($_.Exception.Message)"
+
+                    if ($BlockList -contains $Request.Query.AppId) {
+                        $Results = 'Service Principal creation is blocked for this AppId'
                         $Success = $false
+                    } else {
+                        $Body = @{
+                            'appId' = $Request.Query.AppId
+                        } | ConvertTo-Json -Compress
+                        try {
+                            $ServicePrincipal = New-GraphPostRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals' -tenantid $TenantFilter -type POST -body $Body -NoAuthCheck $true
+                            $Results = "Created service principal for $($ServicePrincipal.displayName) ($($ServicePrincipal.appId))"
+                        } catch {
+                            $Results = "Unable to create service principal: $($_.Exception.Message)"
+                            $Success = $false
+                        }
                     }
                 } else {
                     $Results = 'Invalid AppId'
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecAddMultiTenantApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecAddMultiTenantApp.ps1
@@ -12,51 +12,66 @@ function Invoke-ExecAddMultiTenantApp {
     $APIName = $Request.Params.CIPPEndpoint
     $Headers = $Request.Headers
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
-    $DelegateResources = $request.body.permissions | Where-Object -Property origin -EQ 'Delegated' | ForEach-Object { @{ id = $_.id; type = 'Scope' } }
-    $DelegateResourceAccess = @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; resourceAccess = $DelegateResources }
-    $ApplicationResources = $request.body.permissions | Where-Object -Property origin -EQ 'Application' | ForEach-Object { @{ id = $_.id; type = 'Role' } }
-    $ApplicationResourceAccess = @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; resourceAccess = $ApplicationResources }
 
-    $Results = try {
-        if ($Request.Body.CopyPermissions -eq $true) {
-            $Command = 'ExecApplicationCopy'
-        } else {
-            $Command = 'ExecAddMultiTenantApp'
-        }
-        if ('allTenants' -in $Request.Body.tenantFilter.value) {
-            $TenantFilter = (Get-Tenants).defaultDomainName
-        } else {
-            $TenantFilter = $Request.Body.tenantFilter.value
-        }
+    if ($Request.Body.configMode -eq 'manual') {
+        $DelegateResources = $request.body.permissions | Where-Object -Property origin -EQ 'Delegated' | ForEach-Object { @{ id = $_.id; type = 'Scope' } }
+        $DelegateResourceAccess = @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; resourceAccess = $DelegateResources }
+        $ApplicationResources = $request.body.permissions | Where-Object -Property origin -EQ 'Application' | ForEach-Object { @{ id = $_.id; type = 'Role' } }
+        $ApplicationResourceAccess = @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; resourceAccess = $ApplicationResources }
+
+        $Results = try {
+            if ($Request.Body.CopyPermissions -eq $true) {
+                $Command = 'ExecApplicationCopy'
+            } else {
+                $Command = 'ExecAddMultiTenantApp'
+            }
+            if ('allTenants' -in $Request.Body.tenantFilter.value) {
+                $TenantFilter = (Get-Tenants).defaultDomainName
+            } else {
+                $TenantFilter = $Request.Body.tenantFilter.value
+            }
 
-        $TenantCount = ($TenantFilter | Measure-Object).Count
-        $Queue = New-CippQueueEntry -Name 'Application Approval' -TotalTasks $TenantCount
-        foreach ($Tenant in $TenantFilter) {
-            try {
-                $InputObject = @{
-                    OrchestratorName = 'ExecMultiTenantAppOrchestrator'
-                    Batch            = @([pscustomobject]@{
-                            FunctionName              = $Command
-                            Tenant                    = $tenant
-                            AppId                     = $Request.Body.AppId
-                            applicationResourceAccess = $ApplicationResourceAccess
-                            delegateResourceAccess    = $DelegateResourceAccess
-                            QueueId                   = $Queue.RowKey
-                        })
-                    SkipLog          = $true
+            $TenantCount = ($TenantFilter | Measure-Object).Count
+            $Queue = New-CippQueueEntry -Name 'Application Approval' -TotalTasks $TenantCount
+            foreach ($Tenant in $TenantFilter) {
+                try {
+                    $InputObject = @{
+                        OrchestratorName = 'ExecMultiTenantAppOrchestrator'
+                        Batch            = @([pscustomobject]@{
+                                FunctionName              = $Command
+                                Tenant                    = $tenant
+                                AppId                     = $Request.Body.AppId
+                                applicationResourceAccess = $ApplicationResourceAccess
+                                delegateResourceAccess    = $DelegateResourceAccess
+                                QueueId                   = $Queue.RowKey
+                            })
+                        SkipLog          = $true
+                    }
+                    $null = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+                    "Queued application to tenant $Tenant. See the logbook for deployment details"
+                } catch {
+                    "Error queuing application to tenant $Tenant - $($_.Exception.Message)"
                 }
-                $null = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
-                "Queued application to tenant $Tenant. See the logbook for deployment details"
-            } catch {
-                "Error queuing application to tenant $Tenant - $($_.Exception.Message)"
             }
+            $StatusCode = [HttpStatusCode]::OK
+        } catch {
+            $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
+            $Results = "Function Error: $ErrorMsg"
+            $StatusCode = [HttpStatusCode]::BadRequest
         }
+    } elseif ($Request.Body.configMode -eq 'template') {
+        Write-Information 'Application Approval - Template Mode'
+        Write-Information ($Request.Body | ConvertTo-Json -Depth 5)
+
+
+        
+
+
+
+        $Results = 'Deploying {0} to {1}' -f $Request.Body.selectedTemplate.label, ($Request.Body.tenantFilter.label -join ', ')
         $StatusCode = [HttpStatusCode]::OK
-    } catch {
-        $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
-        $Results = "Function Error: $ErrorMsg"
-        $StatusCode = [HttpStatusCode]::BadRequest
     }
+
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = $StatusCode
