New-CIPPAPIConfig.ps1
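function New-CIPPAPIConfig {
    <#
    .SYNOPSIS
        Creates (or looks up) the CIPP-API app registration in the partner tenant and optionally rotates its client secret.
    .DESCRIPTION
        Checks that the app-only Graph token for $env:TenantID carries both Application.ReadWrite.All and
        Directory.ReadWrite.All, then either reads an existing application by -AppId or creates a new one
        (user_impersonation scope, api://<appId> identifier URI, service principal). With -ResetSecret every
        existing password credential on the application is removed and a single new one is issued.
    .PARAMETER APIName
        Name written to the CIPP log entries.
    .PARAMETER Headers
        Request headers forwarded to Write-LogMessage.
    .PARAMETER ResetSecret
        Remove all existing password credentials on the application and add a fresh one.
    .PARAMETER AppName
        Display name for a newly created application and its service principal.
    .PARAMETER AppId
        Application (client) ID of an existing registration to reuse instead of creating one.
        Must be a GUID because it is interpolated into the Graph OData URI.
    .OUTPUTS
        Hashtable with AppName, ApplicationID, ApplicationSecret and Results. ApplicationSecret is only
        populated on the call that created or reset the credential; Graph does not return secretText again,
        so the caller must store it and must not write it to logs. On failure only Results is set.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param (
        $APIName = 'CIPP API Config',
        $Headers,
        [switch]$ResetSecret,
        [string]$AppName,
        [string]$AppId
    )

    # Both application permissions are required; compare against the exact role names in the token
    # instead of unanchored regexes.
    $RequiredRoles = @('Application.ReadWrite.All', 'Directory.ReadWrite.All')
    $TokenResponse = Get-GraphToken -tenantid $env:TenantID -scope 'https://graph.microsoft.com/.default' -AsApp $true -SkipCache $true -ReturnRefresh $true
    $Token = Read-JwtAccessDetails -Token $TokenResponse.access_token
    $GrantedRoles = @($Token.Roles)
    $MissingRoles = @($RequiredRoles | Where-Object { $_ -notin $GrantedRoles })
    if ($MissingRoles.Count -gt 0) {
        Write-LogMessage -headers $Headers -API $APIName -tenant 'None' -message 'Insufficient permissions to create API App' -Sev 'Error'
        throw 'Insufficient permissions to create API App. This integration requires the following Application permissions in the partner tenant. Application.ReadWrite.All, Directory.ReadWrite.All'
    }

    # -AppId is interpolated into an OData URI below; accept only a well-formed GUID so no query syntax can be injected.
    $ParsedAppId = [guid]::Empty
    if ($AppId -and -not [guid]::TryParse($AppId, [ref]$ParsedAppId)) {
        Write-LogMessage -headers $Headers -API $APIName -tenant 'None' -message 'Invalid AppId supplied to API App setup' -Sev 'Error'
        throw "AppId '$AppId' is not a valid application (client) ID."
    }

    # Human-readable status lines returned alongside the app details.
    $Results = [System.Collections.Generic.List[string]]::new()

    try {
        if ($AppId) {
            # Reuse an existing registration; no password is issued unless -ResetSecret is also set.
            $APIApp = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appid='$($AppId)')" -NoAuthCheck $true
        } else {
            $CreateBody = @{
                api                    = @{
                    oauth2PermissionScopes = @(
                        @{
                            adminConsentDescription = 'Allow the application to access CIPP-API on behalf of the signed-in user.'
                            adminConsentDisplayName = 'Access CIPP-API'
                            id                      = 'ba7ffeff-96ea-4ac4-9822-1bcfee9adaa4'
                            isEnabled               = $true
                            type                    = 'User'
                            userConsentDescription  = 'Allow the application to access CIPP-API on your behalf.'
                            userConsentDisplayName  = 'Access CIPP-API'
                            value                   = 'user_impersonation'
                        }
                    )
                }
                displayName            = $AppName
                # Delegated Microsoft Graph User.Read (resourceAppId is the Graph first-party app).
                requiredResourceAccess = @(
                    @{
                        resourceAccess = @(
                            @{
                                id   = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'
                                type = 'Scope'
                            }
                        )
                        resourceAppId  = '00000003-0000-0000-c000-000000000000'
                    }
                )
                # Single-tenant: only accounts in the partner tenant can sign in to the API.
                signInAudience         = 'AzureADMyOrg'
                web                    = @{
                    homePageUrl           = 'https://cipp.app'
                    implicitGrantSettings = @{
                        enableAccessTokenIssuance = $false
                        enableIdTokenIssuance     = $true
                    }
                    # Redirect URI is bound to this deployment's hostname (App Service EasyAuth callback).
                    redirectUris          = @("https://$($ENV:Website_hostname)/.auth/login/aad/callback")
                }
            } | ConvertTo-Json -Depth 10 -Compress

            if ($PSCmdlet.ShouldProcess($AppName, 'Create API App')) {
                Write-Information 'Creating app'
                $APIApp = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/applications' -AsApp $true -NoAuthCheck $true -type POST -body $CreateBody

                # No endDateTime is supplied, so Graph applies its default credential lifetime; secretText is
                # only present in this response.
                Write-Information 'Creating password'
                $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -AsApp $true -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}"

                Write-Information 'Adding App URL'
                $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)" -AsApp $true -NoAuthCheck $true -type PATCH -body "{`"identifierUris`":[`"api://$($APIApp.appId)`"]}"

                Write-Information 'Adding serviceprincipal'
                $null = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/serviceprincipals' -AsApp $true -NoAuthCheck $true -type POST -body "{`"accountEnabled`":true,`"appId`":`"$($APIApp.appId)`",`"displayName`":`"$AppName`",`"tags`":[`"WindowsAzureActiveDirectoryIntegratedApp`",`"AppServiceIntegratedApp`"]}"

                $CreatedMessage = "Created CIPP-API App with name '$($APIApp.displayName)'."
                $Results.Add($CreatedMessage)
                Write-LogMessage -headers $Headers -API $APIName -tenant 'None' -message $CreatedMessage -Sev 'info'
            }
        }

        if ($ResetSecret.IsPresent -and $APIApp) {
            if ($PSCmdlet.ShouldProcess($APIApp.displayName, 'Reset API Secret')) {
                # Batched: clear every passwordCredential first, then add exactly one new one (dependsOn
                # enforces the order), so no stale secret remains valid after a rotation.
                Write-Information 'Removing all old passwords'
                $Requests = @(
                    @{
                        id      = 'removeOldPasswords'
                        method  = 'PATCH'
                        url     = "applications/$($APIApp.id)/"
                        headers = @{
                            'Content-Type' = 'application/json'
                        }
                        body    = @{
                            passwordCredentials = @()
                        }
                    },
                    @{
                        id        = 'addNewPassword'
                        method    = 'POST'
                        url       = "applications/$($APIApp.id)/addPassword"
                        headers   = @{
                            'Content-Type' = 'application/json'
                        }
                        body      = @{
                            passwordCredential = @{
                                displayName = 'Generated by API Setup'
                            }
                        }
                        dependsOn = @('removeOldPasswords')
                    }
                )
                $BatchResponse = New-GraphBulkRequest -tenantid $env:TenantID -NoAuthCheck $true -asapp $true -Requests $Requests
                $APIPassword = $BatchResponse | Where-Object { $_.id -eq 'addNewPassword' } | Select-Object -ExpandProperty body

                $ResetMessage = "Reset CIPP-API Password for '$($APIApp.displayName)'."
                $Results.Add($ResetMessage)
                Write-LogMessage -headers $Headers -API $APIName -tenant 'None' -message $ResetMessage -Sev 'info'
            }
        }

        # ApplicationSecret is null when an existing app was looked up without -ResetSecret.
        return @{
            AppName           = $APIApp.displayName
            ApplicationID     = $APIApp.appId
            ApplicationSecret = $APIPassword.secretText
            Results           = @($Results)
        }
    } catch {
        $ErrorMessage = Get-CippException -Exception $_
        Write-Information ($ErrorMessage | ConvertTo-Json -Depth 10)
        Write-LogMessage -headers $Headers -API $APIName -tenant 'None' -message "Failed to setup CIPP-API Access: $($ErrorMessage.NormalizedError) Linenumber: $($_.InvocationInfo.ScriptLineNumber)" -Sev 'Error' -LogData $ErrorMessage
        return @{
            Results = "Failed to setup CIPP-API Access: $($ErrorMessage.NormalizedError)"
        }
    }
}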