New APIs for single tenant mode

Author: KelvinTegelaar

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecAddTenant.ps1

@@ -0,0 +1,89 @@
+using namespace System.Net
+
+Function Invoke-ExecAddTenant {
+    <#
+    .FUNCTIONALITY
+        Entrypoint,AnyTenant
+    .ROLE
+        CIPP.AppSettings.ReadWrite.
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    try {
+        # Get the tenant ID from the request body
+        $tenantId = $Request.body.tenantId
+        $displayName = $Request.body.displayName
+        $defaultDomainName = $Request.body.defaultDomainName
+
+        # Get the Tenants table
+        $TenantsTable = Get-CippTable -tablename 'Tenants'
+
+        # Check if tenant already exists
+        $ExistingTenant = Get-CIPPAzDataTableEntity @TenantsTable -Filter "PartitionKey eq 'Tenants' and RowKey eq '$tenantId'"
+
+        if ($ExistingTenant) {
+            # Update existing tenant
+            $ExistingTenant.delegatedPrivilegeStatus = 'directTenant'
+            Add-CIPPAzDataTableEntity @TenantsTable -Entity $ExistingTenant -Force | Out-Null
+            $Results = @{'message' = 'Successfully updated tenant.'; 'severity' = 'success' }
+        } else {
+            # Create new tenant entry
+            try {
+                # Get organization info
+                $Organization = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/organization' -tenantid $tenantId -NoAuthCheck:$true -ErrorAction Stop
+
+                if (-not $displayName) {
+                    $displayName = $Organization[0].displayName
+                }
+
+                if (-not $defaultDomainName) {
+                    # Try to get domains
+                    try {
+                        $Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $tenantId -NoAuthCheck:$true -ErrorAction Stop
+                        $defaultDomainName = ($Domains | Where-Object { $_.isDefault -eq $true }).id
+                        $initialDomainName = ($Domains | Where-Object { $_.isInitial -eq $true }).id
+                    } catch {
+                        # If we can't get domains, use verified domains from organization
+                        $defaultDomainName = ($Organization[0].verifiedDomains | Where-Object { $_.isDefault -eq $true }).name
+                        $initialDomainName = ($Organization[0].verifiedDomains | Where-Object { $_.isInitial -eq $true }).name
+                    }
+                }
+            } catch {
+                Write-LogMessage -API 'Add-Tenant' -message "Failed to get information for tenant $tenantId - $($_.Exception.Message)" -Sev 'Critical'
+                throw "Failed to get information for tenant $tenantId. Make sure the tenant is properly authenticated."
+            }
+
+            # Create new tenant object
+            $NewTenant = [PSCustomObject]@{
+                PartitionKey             = 'Tenants'
+                RowKey                   = $tenantId
+                customerId               = $tenantId
+                displayName              = $displayName
+                defaultDomainName        = $defaultDomainName
+                initialDomainName        = $initialDomainName
+                delegatedPrivilegeStatus = 'directTenant'
+                domains                  = ''
+                Excluded                 = $false
+                ExcludeUser              = ''
+                ExcludeDate              = ''
+                GraphErrorCount          = 0
+                LastGraphError           = ''
+                RequiresRefresh          = $false
+                LastRefresh              = (Get-Date).ToUniversalTime()
+            }
+
+            # Add tenant to table
+            Add-CIPPAzDataTableEntity @TenantsTable -Entity $NewTenant -Force | Out-Null
+            $Results = @{'message' = "Successfully added tenant $tenantId to the tenant list with directTenant status."; 'severity' = 'success' }
+        }
+    } catch {
+        $Results = @{'message' = "Failed to add tenant: $($_.Exception.Message)"; 'state' = 'error'; 'severity' = 'error' }
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecUpdateRefreshToken.ps1

@@ -24,18 +24,27 @@ Function Invoke-ExecUpdateRefreshToken {
                 $Secret.RefreshToken = $Request.body.RefreshToken
             } else {
                 Write-Host "$($env:Applicationid) does not match $($Request.body.tenantId)"
-                $secret | Add-Member -MemberType NoteProperty -Name $($Request.body.tenantId) -Value $Request.body.refreshtoken -Force
+                $name = $Request.body.tenantId -replace '-', '_'
+                $secret | Add-Member -MemberType NoteProperty -Name $name -Value $Request.body.refreshtoken -Force
             }
             Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
         } else {
             if ($env:ApplicationId -eq $Request.body.tenantId) {
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'RefreshToken' -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
             } else {
-                Set-AzKeyVaultSecret -VaultName $kv -Name $Request.body.tenantId -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
+                $name = $Request.body.tenantId -replace '-', '_'
+                Set-AzKeyVaultSecret -VaultName $kv -Name $name -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
             }
         }
         $InstanceId = Start-UpdatePermissionsOrchestrator #start the CPV refresh immediately while wizard still runs.
-        $Results = @{'message' = "Successfully updated your stored authentication for $($request.body.tenantId)."; severity = 'success' }
+
+
+        $Results = @{
+            'message' = "Successfully updated your stored authentication for $($request.body.tenantId)."
+            'severity' = 'success'
+            'state' = 'success'
+            'tenantId' = $Request.body.tenantId
+        }
     } catch {
         $Results = [pscustomobject]@{'Results' = "Failed. $($_.InvocationInfo.ScriptLineNumber):  $($_.Exception.message)"; severity = 'failed' }
     }

Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1

@@ -5,6 +5,7 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     #>
     if (!$scope) { $scope = 'https://graph.microsoft.com/.default' }
     if (!$env:SetFromProfile) { $CIPPAuth = Get-CIPPAuthentication; Write-Host 'Could not get Refreshtoken from environment variable. Reloading token.' }
+    #If the $env:<$tenantid> is set, use that instead of the refreshtoken for all tenants.
     $AuthBody = @{
         client_id     = $env:ApplicationID
         client_secret = $env:ApplicationSecret