Merge pull request KelvinTegelaar#1452 from KelvinTegelaar/dev

Dev to release

Author: KelvinTegelaar

Cache_SAMSetup/PermissionsTranslator.json

@@ -0,0 +1,71 @@
+function Convert-QuarantinePermissionsValue {
+    [CmdletBinding(DefaultParameterSetName = 'DecimalValue')]
+    param (
+        [Parameter(Mandatory, Position = 0, ParameterSetName = "StringValue")]
+        [ValidateNotNullOrEmpty()]
+        [string]$InputObject,
+
+        [Parameter(Position = 0, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToViewHeader = 0,
+        [Parameter(Position = 1, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToDownload = 0,
+        [Parameter(Mandatory, Position = 2, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToAllowSender,
+        [Parameter(Mandatory, Position = 3, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToBlockSender,
+        [Parameter(Mandatory, Position = 4, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToRequestRelease,
+        [Parameter(Mandatory, Position = 5, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToRelease,
+        [Parameter(Mandatory, Position = 6, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToPreview,
+        [Parameter(Mandatory, Position = 7, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToDelete
+    )
+
+    #Converts string value with EndUserQuarantinePermissions received from Get-QuarantinePolicy
+    if (($PSCmdlet.ParameterSetName) -eq "StringValue") {
+        try {
+            # Remove square brackets and split into lines
+            $InputObject = $InputObject.Trim('[', ']')
+            $hashtable = @{}
+            $InputObject -split "`n" | ForEach-Object {
+                $key, $value = $_ -split ":\s*"
+                $hashtable[$key.Trim()] = [System.Convert]::ToBoolean($value.Trim())
+            }
+            return $hashtable
+        }
+        catch {
+            throw "Convert-QuarantinePermissionsValue: Failed to convert string to hashtable."
+        }
+    }
+
+    #Converts selected end user quarantine permissions to decimal value used by EndUserQuarantinePermissionsValue property in New-QuarantinePolicy and Set-QuarantinePolicy
+    elseif (($PSCmdlet.ParameterSetName) -eq "DecimalValue") {
+        try {
+            # both PermissionToRequestRelease and PermissionToRelease cannot be set to true at the same time
+            if($PermissionToRequestRelease -eq 1 -and $PermissionToRelease -eq 1) {
+                throw "PermissionToRequestRelease and PermissionToRelease cannot both be set to true."
+            }
+
+            # Convert each permission to a binary string
+            $BinaryValue = [string]@(
+                $PermissionToViewHeader,
+                $PermissionToDownload,
+                $PermissionToAllowSender,
+                $PermissionToBlockSender,
+                $PermissionToRequestRelease,
+                $PermissionToRelease,
+                $PermissionToPreview,
+                $PermissionToDelete
+            ) -replace '\s',''
+
+            # Convert the binary string to an Decimal value
+            return [convert]::ToInt32($BinaryValue,2)
+        }
+        catch {
+            $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+            throw "Convert-QuarantinePermissionsValue: Failed to convert QuarantinePermissions to QuarantinePermissionsValue. Error: $ErrorMessage"
+        }
+    }
+}

Cache_SAMSetup/SAMManifest.json

@@ -2,6 +2,7 @@ function Add-CIPPApplicationPermission {
     [CmdletBinding()]
     param(
         $RequiredResourceAccess,
+        $TemplateId,
         $ApplicationId,
         $Tenantfilter
     )
@@ -31,7 +32,34 @@ function Add-CIPPApplicationPermission {
 
             $RequiredResourceAccess.Add($Resource)
         }
+    } else {
+        if (!$RequiredResourceAccess -and $TemplateId) {
+            Write-Information "Adding application permissions for template $TemplateId"
+            $TemplateTable = Get-CIPPTable -TableName 'templates'
+            $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+            $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+            $ApplicationId = $Template.AppId
+            $Permissions = $Template.Permissions
+            $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
+            foreach ($AppId in $Permissions.PSObject.Properties.Name) {
+                $AppPermissions = @($Permissions.$AppId.applicationPermissions)
+                $Resource = @{
+                    resourceAppId  = $AppId
+                    resourceAccess = [System.Collections.Generic.List[object]]::new()
+                }
+                foreach ($Permission in $AppPermissions) {
+                    $Resource.ResourceAccess.Add(@{
+                            id   = $Permission.id
+                            type = 'Role'
+                        })
+                }
+
+                $RequiredResourceAccess.Add($Resource)
+            }
+        }
     }
+
+
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $Tenantfilter -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
     if (!$ourSVCPrincipal) {
@@ -59,7 +87,7 @@ function Add-CIPPApplicationPermission {
             }
         }
         foreach ($SingleResource in $App.ResourceAccess | Where-Object -Property Type -EQ 'Role') {
-            if ($SingleResource.id -In $CurrentRoles.appRoleId) { continue }
+            if ($SingleResource.id -in $CurrentRoles.appRoleId) { continue }
             [pscustomobject]@{
                 principalId = $($ourSVCPrincipal.id)
                 resourceId  = $($svcPrincipalId.id)

Modules/CIPPCore/Private/Convert-QuarantinePermissionsValue.ps1

@@ -2,6 +2,7 @@ function Add-CIPPDelegatedPermission {
     [CmdletBinding()]
     param(
         $RequiredResourceAccess,
+        $TemplateId,
         $ApplicationId,
         $NoTranslateRequired,
         $Tenantfilter
@@ -40,7 +41,34 @@ function Add-CIPPDelegatedPermission {
             # remove the partner center permission if not pushing to partner tenant
             $RequiredResourceAccess = $RequiredResourceAccess | Where-Object { $_.resourceAppId -ne 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd' }
         }
+    } else {
+        if (!$RequiredResourceAccess -and $TemplateId) {
+            Write-Information "Adding delegated permissions for template $TemplateId"
+            $TemplateTable = Get-CIPPTable -TableName 'templates'
+            $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+            $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+            $ApplicationId = $Template.AppId
+            $Permissions = $Template.Permissions
+            $NoTranslateRequired = $true
+            $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
+            foreach ($AppId in $Permissions.PSObject.Properties.Name) {
+                $DelegatedPermissions = @($Permissions.$AppId.delegatedPermissions)
+                $ResourceAccess = [System.Collections.Generic.List[object]]::new()
+                foreach ($Permission in $DelegatedPermissions) {
+                    $ResourceAccess.Add(@{
+                            id   = $Permission.value
+                            type = 'Scope'
+                        })
+                }
+                $Resource = @{
+                    resourceAppId  = $AppId
+                    resourceAccess = @($ResourceAccess)
+                }
+                $RequiredResourceAccess.Add($Resource)
+            }
+        }
     }
+
     $Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property appId -EQ $ApplicationId
@@ -66,6 +94,7 @@ function Add-CIPPDelegatedPermission {
         }
 
         $DelegatedScopes = $App.resourceAccess | Where-Object -Property type -EQ 'Scope'
+
         if ($NoTranslateRequired) {
             $NewScope = @($DelegatedScopes | ForEach-Object { $_.id } | Sort-Object -Unique) -join ' '
         } else {

Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1

@@ -0,0 +1,33 @@
+
+function Get-CIPPAlertEntraConnectSyncStatus {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+    try {
+        # Set Hours with fallback to 72 hours
+        $Hours = if ($InputValue) { [int]$InputValue } else { 72 }
+        $ConnectSyncStatus = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/organization?$select=onPremisesLastPasswordSyncDateTime,onPremisesLastSyncDateTime,onPremisesSyncEnabled' -tenantid $TenantFilter
+
+        if ($ConnectSyncStatus.onPremisesSyncEnabled -eq $true) {
+            $LastPasswordSync = $ConnectSyncStatus.onPremisesLastPasswordSyncDateTime
+            $SyncDateTime = $ConnectSyncStatus.onPremisesLastSyncDateTime
+            # Get the older of the two sync times
+            $LastSync = if ($SyncDateTime -lt $LastPasswordSync) { $SyncDateTime } else { $LastPasswordSync }
+
+            if ($LastSync -lt (Get-Date).AddHours(-$Hours).ToUniversalTime()) {
+                $AlertData = "Entra Connect Sync for $($TenantFilter) has not run for over $Hours hours. Last sync was at $($LastSync.ToString('o'))"
+                Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+            }
+        }
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Could not get Entra Connect Sync Status for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -18,7 +18,7 @@ function Get-CIPPAlertMFAAdmins {
             }
         }
         if (!$DuoActive) {
-            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
             if ($users.UserPrincipalName) {
                 $AlertData = "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertEntraConnectSyncStatus.ps1

@@ -12,7 +12,7 @@ function Get-CIPPAlertMFAAlertUsers {
     )
     try {
 
-        $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+        $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
         if ($users.UserPrincipalName) {
             $AlertData = "The following $($users.Count) users do not have MFA registered: $($users.UserPrincipalName -join ', ')"
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1

@@ -0,0 +1,42 @@
+function Get-CIPPAccessRole {
+    <#
+    .SYNOPSIS
+    Get the access role for the current user
+
+    .DESCRIPTION
+    Get the access role for the current user
+
+    .PARAMETER TenantID
+    The tenant ID to check the access role for
+
+    .EXAMPLE
+    Get-CippAccessRole -UserId $UserId
+
+    .FUNCTIONALITY
+    Internal
+    #>
+    [CmdletBinding()]
+    param($Request)
+
+    $CacheAccessUserRoleTable = Get-CIPPTable -tablename 'cacheAccessUserRole'
+    $CachedRoles = Get-CIPPAzDataTableEntity @CacheAccessUserRoleTable -Filter "PartitionKey eq 'AccessUser' and RowKey eq '$($Request.Headers.'x-ms-client-principal-name')'" | Select-Object -ExpandProperty Role | ConvertFrom-Json
+
+    $SwaCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json)
+    $SwaRoles = $SwaCreds.userRoles
+
+    # Combine SWA roles and cached roles into a single deduplicated list
+    $AllRoles = [System.Collections.Generic.List[string]]::new()
+    if ($null -ne $SwaRoles) {
+        $AllRoles.AddRange($SwaRoles)
+    }
+    if ($null -ne $CachedRoles) {
+        $AllRoles.AddRange($CachedRoles)
+    }
+
+    # Remove duplicates and ensure we have a clean array
+    $CombinedRoles = $AllRoles | Select-Object -Unique
+
+    # For debugging
+    Write-Information "Combined Roles: $($CombinedRoles -join ', ')"
+    return $CombinedRoles
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAlertUsers.ps1

@@ -0,0 +1,51 @@
+function Set-CIPPAccessRole {
+    <#
+    .SYNOPSIS
+    Set the access role mappings
+
+    .DESCRIPTION
+    Set the access role mappings for Entra groups
+
+    .PARAMETER Role
+    The role to set (e.g. 'superadmin','admin','editor','readonly','customrole')
+
+    .PARAMETER Group
+    The Entra group to set the role for
+
+    .FUNCTIONALITY
+    Internal
+    #>
+    [CmdletBinding(SupportsShouldProcess = $true)]
+    Param(
+        [Parameter(Mandatory = $true)]
+        [string]$Role,
+        [Parameter(Mandatory = $true)]
+        [string]$Group
+    )
+
+    $BlacklistedRoles = @('authenticated', 'anonymous')
+
+    if ($BlacklistedRoles -contains $Role) {
+        throw 'Role group cannot be set for authenticated or anonymous roles'
+    }
+
+    if (!$Group.id -or !$Group.displayName) {
+        throw 'Group is not valid'
+    }
+
+    $Role = $Role.ToLower().Trim() -replace ' ', ''
+
+    $Table = Get-CippTable -TableName AccessRoleGroups
+    $AccessGroup = Get-CIPPAzDataTableEntity @Table -Filter "RowKey = '$Role'"
+
+    $AccessGroup = [PSCustomObject]@{
+        PartitionKey = [string]'AccessRole'
+        RowKey       = [string]$Role
+        GroupId      = [string]$Group.id
+        GroupName    = [string]$Group.displayName
+    }
+
+    if ($PSCmdlet.ShouldProcess("Setting access role $Role for group $($Group.displayName)")) {
+        Add-CIPPAzDataTableEntity -Table $Table -Entity $AccessGroup -Force
+    }
+}