[pull] master from KelvinTegelaar:master

.github/workflows/upload_dev.yml

@@ -0,0 +1,36 @@
+name: Upload Dev zip
+
+on:
+  push:
+    branches:
+      - dev
+
+jobs:
+  release:
+    if: github.event.repository.fork == false && github.event_name == 'push'
+    name: Upload to Azure
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout the repository
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      # Create ZIP File in a New Source Directory
+      - name: Prepare and Zip Release Files
+        run: |
+          mkdir -p src/releases
+          zip -r src/releases/dev.zip . \
+            --exclude "./src/releases/*" \
+            --exclude ".*" \
+            --exclude ".*/**"
+
+      # Upload to Azure Blob Storage
+      - name: Azure Blob Upload with Destination folder defined
+        uses: LanceMcCarthy/[email protected]
+        with:
+          connection_string: ${{ secrets.AZURE_CONNECTION_STRING }}
+          container_name: cipp-api
+          source_folder: src/releases/
+          destination_folder: /
+          delete_if_exists: true

Config/CyberEssentials.BPATemplate.json

@@ -92,7 +92,10 @@
         "isMFARegistered",
         "defaultMFAMethod"
       ],
-      "URL": "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails"
+      "URL": "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails",
+      "Parameters": {
+        "asApp": "True"
+      }
     }
   ]
 }

Config/cipp-roles.json

@@ -0,0 +1,23 @@
+{
+  "readonly": {
+    "include": ["*.Read"],
+    "exclude": ["CIPP.SuperAdmin.*"]
+  },
+  "editor": {
+    "include": ["*.Read", "*.ReadWrite"],
+    "exclude": [
+      "CIPP.SuperAdmin.*",
+      "CIPP.Admin.*",
+      "CIPP.AppSettings.*",
+      "Tenant.Standards.ReadWrite"
+    ]
+  },
+  "admin": {
+    "include": ["*"],
+    "exclude": ["CIPP.SuperAdmin.*"]
+  },
+  "superadmin": {
+    "include": ["*"],
+    "exclude": []
+  }
+}

Config/schemaDefinitions.json

@@ -0,0 +1,16 @@
+[
+    {
+        "id": "cippUser",
+        "description": "CIPP User Schema",
+        "targetTypes": ["User"],
+        "properties": [
+            { "name": "jitAdminEnabled", "type": "Boolean" },
+            { "name": "jitAdminExpiration", "type": "DateTime" },
+            { "name": "mailboxType", "type": "String" },
+            { "name": "archiveEnabled", "type": "Boolean" },
+            { "name": "autoExpandingArchiveEnabled", "type": "Boolean" },
+            { "name": "perUserMfaState", "type": "String" }
+        ],
+        "status": "Available"
+    }
+]

Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1

@@ -64,12 +64,15 @@ function Add-CIPPScheduledTask {
     if ([int64]$task.ScheduledTime -eq 0 -or [string]::IsNullOrEmpty($task.ScheduledTime)) {
         $task.ScheduledTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
     }
-
+    $excludedTenants = if ($task.excludedTenants.value) {
+        $task.excludedTenants.value -join ','
+    }
     $entity = @{
         PartitionKey         = [string]'ScheduledTask'
         TaskState            = [string]'Planned'
         RowKey               = [string]$RowKey
         Tenant               = $task.TenantFilter.value ? "$($task.TenantFilter.value)" : "$($task.TenantFilter)"
+        excludedTenants      = [string]$excludedTenants
         Name                 = [string]$task.Name
         Command              = [string]$task.Command.value
         Parameters           = [string]$Parameters

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderIncidents.ps1

@@ -0,0 +1,24 @@
+
+function Get-CIPPAlertDefenderIncidents {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+    try {
+        $AlertData = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/security/incidents?`$top=50&`$filter=status eq 'active'" -tenantid $TenantFilter | ForEach-Object {
+            "Incident ID $($_.id): Created at $($_.createdDateTime). Severity: $($_.severity). `nIncident name: $($_.displayName). Incident URL: $($_.incidentWebUrl)."
+        }
+        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+
+    } catch {
+        # Pretty sure this one is gonna be spammy cause of licensing issues, so it's commented out -Bobby
+        # Write-AlertMessage -tenant $($TenantFilter) -message "Could not get Defender incident data for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertEntraLicenseUtilization.ps1

@@ -18,9 +18,9 @@ function Get-CIPPAlertEntraLicenseUtilization {
         $Alerts = [System.Collections.Generic.List[string]]::new()
 
         # Check P1 License utilization
-        if ($LicenseData.entitledP1LicenseCount -gt 0) {
+        if ($LicenseData.entitledP1LicenseCount -gt 0 -or $LicenseData.entitledP2LicenseCount -gt 0) {
             $P1Used = $LicenseData.p1FeatureUtilizations.conditionalAccess.userCount
-            $P1Entitled = $LicenseData.entitledP1LicenseCount
+            $P1Entitled = $LicenseData.entitledP1LicenseCount + $LicenseData.entitledP2LicenseCount
             $P1Usage = ($P1Used / $P1Entitled) * 100
             $P1Overage = $P1Used - $P1Entitled
 

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1

@@ -18,7 +18,7 @@ function Get-CIPPAlertMFAAdmins {
             }
         }
         if (!$DuoActive) {
-            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
             if ($users.UserPrincipalName) {
                 $AlertData = "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAlertUsers.ps1

@@ -12,7 +12,7 @@ function Get-CIPPAlertMFAAlertUsers {
     )
     try {
 
-        $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+        $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
         if ($users.UserPrincipalName) {
             $AlertData = "The following $($users.Count) users do not have MFA registered: $($users.UserPrincipalName -join ', ')"
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1

@@ -12,16 +12,14 @@ function Get-CIPPAlertNoCAConfig {
     )
 
     try {
-        $CAAvailable = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus' -tenantid $TenantFilter -erroraction stop).serviceplans
+        $CAAvailable = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus' -tenantid $TenantFilter -ErrorAction Stop).serviceplans
         if ('AAD_PREMIUM' -in $CAAvailable.servicePlanName) {
             $CAPolicies = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $TenantFilter)
             if (!$CAPolicies.id) {
                 $AlertData = 'Conditional Access is available, but no policies could be found.'
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
-
             }
         }
-
     } catch {
         Write-AlertMessage -tenant $($TenantFilter) -message "Conditional Access Config Alert: Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
     }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertUnusedLicenses.ps1

@@ -11,15 +11,14 @@ function Get-CIPPAlertUnusedLicenses {
         $TenantFilter
     )
 
-
     try {
         $LicenseTable = Get-CIPPTable -TableName ExcludedLicenses
         $ExcludedSkuList = Get-CIPPAzDataTableEntity @LicenseTable
         $AlertData = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus' -tenantid $TenantFilter | ForEach-Object {
-            $skuid = $_
-            foreach ($sku in $skuid) {
+            $skuId = $_
+            foreach ($sku in $skuId) {
                 if ($sku.skuId -in $ExcludedSkuList.GUID) { continue }
-                $PrettyName = ($ConvertTable | Where-Object { $_.GUID -eq $sku.skuid }).'Product_Display_Name' | Select-Object -Last 1
+                $PrettyName = ($ConvertTable | Where-Object { $_.GUID -eq $sku.skuId }).'Product_Display_Name' | Select-Object -Last 1
                 if (!$PrettyName) { $PrettyName = $sku.skuPartNumber }
                 if ($sku.prepaidUnits.enabled - $sku.consumedUnits -gt 0) {
                     "$PrettyName has unused licenses. Using $($_.consumedUnits) of $($_.prepaidUnits.enabled)."

Modules/CIPPCore/Public/Authentication/Get-CIPPHttpFunctions.ps1

@@ -9,6 +9,7 @@ function Get-CIPPHttpFunctions {
         $Results = foreach ($Function in $Functions) {
             $Help = Get-Help $Function
             if ($Help.Functionality -ne 'Entrypoint') { continue }
+            if ($Help.Role -eq 'Public') { continue }
             [PSCustomObject]@{
                 Function = $Function.Name
                 Role     = $Help.Role

Modules/CIPPCore/Public/Authentication/Get-CippApiClient.ps1

@@ -18,7 +18,7 @@ function Get-CippApiClient {
     if ($AppId) {
         $Table.Filter = "RowKey eq '$AppId'"
     }
-    $Apps = Get-CIPPAzDataTableEntity @Table
+    $Apps = Get-CIPPAzDataTableEntity @Table | Where-Object { ![string]::IsNullOrEmpty($_.RowKey) }
     $Apps = foreach ($Client in $Apps) {
         $Client = $Client | Select-Object -Property @{Name = 'ClientId'; Expression = { $_.RowKey } }, AppName, Role, IPRange, Enabled
 

Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1

@@ -9,6 +9,14 @@ function New-CIPPAPIConfig {
         [string]$AppId
     )
 
+    $Permissions = Get-GraphToken -tenantid $env:TenantID -scope 'https://graph.microsoft.com/.default' -AsApp $true -SkipCache $true -ReturnRefresh $true
+    $Token = Read-JwtAccessDetails -Token $Permissions.access_token
+    $Permissions = $Token.Roles | Where-Object { $_ -match 'Application.ReadWrite.All' -or $_ -match 'Directory.ReadWrite.All' }
+    if (!$Permissions -or $Permissions.Count -lt 2) {
+        Write-LogMessage -headers $Headers -API $APINAME -tenant 'None '-message 'Insufficient permissions to create API App' -Sev 'Error'
+        throw 'Insufficient permissions to create API App. This integration requires the following Application permissions in the partner tenant. Application.ReadWrite.All, Directory.ReadWrite.All'
+    }
+
     try {
         if ($AppId) {
             $APIApp = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appid='$($AppId)')" -NoAuthCheck $true
@@ -53,13 +61,13 @@ function New-CIPPAPIConfig {
 
             if ($PSCmdlet.ShouldProcess($AppName, 'Create API App')) {
                 Write-Information 'Creating app'
-                $APIApp = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/applications' -NoAuthCheck $true -type POST -body $CreateBody
+                $APIApp = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/applications' -AsApp $true -NoAuthCheck $true -type POST -body $CreateBody
                 Write-Information 'Creating password'
-                $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}"
+                $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -AsApp $true -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}"
                 Write-Information 'Adding App URL'
-                $APIIdUrl = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)" -NoAuthCheck $true -type PATCH -body "{`"identifierUris`":[`"api://$($APIApp.appId)`"]}"
+                $APIIdUrl = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)" -AsApp $true -NoAuthCheck $true -type PATCH -body "{`"identifierUris`":[`"api://$($APIApp.appId)`"]}"
                 Write-Information 'Adding serviceprincipal'
-                $ServicePrincipal = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/serviceprincipals' -NoAuthCheck $true -type POST -body "{`"accountEnabled`":true,`"appId`":`"$($APIApp.appId)`",`"displayName`":`"$AppName`",`"tags`":[`"WindowsAzureActiveDirectoryIntegratedApp`",`"AppServiceIntegratedApp`"]}"
+                $ServicePrincipal = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/serviceprincipals' -AsApp $true -NoAuthCheck $true -type POST -body "{`"accountEnabled`":true,`"appId`":`"$($APIApp.appId)`",`"displayName`":`"$AppName`",`"tags`":[`"WindowsAzureActiveDirectoryIntegratedApp`",`"AppServiceIntegratedApp`"]}"
                 Write-LogMessage -headers $Headers -API $APINAME -tenant 'None '-message "Created CIPP-API App with name '$($APIApp.displayName)'." -Sev 'info'
             }
         }

Modules/CIPPCore/Public/Authentication/Set-CippApiAuth.ps1

@@ -1,6 +1,6 @@
 function Set-CippApiAuth {
     [CmdletBinding(SupportsShouldProcess)]
-    Param(
+    param(
         [string]$RGName,
         [string]$FunctionAppName,
         [string]$TenantId,
@@ -9,7 +9,9 @@ function Set-CippApiAuth {
 
     if ($env:MSI_SECRET) {
         Disable-AzContextAutosave -Scope Process | Out-Null
-        $Context = (Connect-AzAccount -Identity).Context
+        $null = Connect-AzAccount -Identity
+        $SubscriptionId = $ENV:WEBSITE_OWNER_NAME -split '\+' | Select-Object -First 1
+        $Context = Set-AzContext -SubscriptionId $SubscriptionId
     } else {
         $Context = Get-AzContext
     }

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -12,7 +12,14 @@ function Test-CIPPAccess {
     # Check help for role
     $APIRole = $Help.Role
 
-    $AnyTenantAllowedFunctions = @('ListTenants', 'ListUserSettings', 'ListUserPhoto', 'GetCippAlerts', 'GetVersion')
+    if ($APIRole -eq 'Public') {
+        return $true
+    }
+
+    # Get default roles from config
+    $CIPPCoreModuleRoot = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
+    $CIPPRoot = (Get-Item $CIPPCoreModuleRoot).Parent.Parent
+    $BaseRoles = Get-Content -Path $CIPPRoot\Config\cipp-roles.json | ConvertFrom-Json
 
     if ($Request.Headers.'x-ms-client-principal-idp' -eq 'aad' -and $Request.Headers.'x-ms-client-principal-name' -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
         # Direct API Access
@@ -108,7 +115,7 @@ function Test-CIPPAccess {
                 }
 
                 if ($APIAllowed) {
-                    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $env:TenantID
+                    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId ?? $env:TenantID
                     # Check tenant level access
                     if (($Role.BlockedTenants | Measure-Object).Count -eq 0 -and $Role.AllowedTenants -contains 'AllTenants') {
                         $TenantAllowed = $true
@@ -132,15 +139,15 @@ function Test-CIPPAccess {
                     }
                 }
             }
+
             if (!$APIAllowed) {
-                throw "Access to this CIPP API endpoint is not allowed, the '$($Role.Role)' custom role does not have the required permission: $APIRole"
+                throw "Access to this CIPP API endpoint is not allowed, you do not have the required permission: $APIRole"
             }
-            if (!$TenantAllowed -and $AnyTenantAllowedFunctions -notcontains $Request.Params.CIPPEndpoint) {
+            if (!$TenantAllowed -and $Help.Functionality -notmatch 'AnyTenant') {
                 throw 'Access to this tenant is not allowed'
             } else {
                 return $true
             }
-
         } else {
             # No permissions found for any roles
             if ($TenantList.IsPresent) {

Modules/CIPPCore/Public/Clear-CippDurables.ps1

@@ -19,6 +19,16 @@ function Clear-CippDurables {
         }
     }
 
+    Remove-AzDataTable @InstancesTable
+    Remove-AzDataTable @HistoryTable
+    $BlobContainer = '{0}-largemessages' -f $FunctionName
+    if (Get-AzStorageContainer -Name $BlobContainer -Context $StorageContext -ErrorAction SilentlyContinue) {
+        Write-Information "- Removing blob container: $BlobContainer"
+        if ($PSCmdlet.ShouldProcess($BlobContainer, 'Remove Blob Container')) {
+            Remove-AzStorageContainer -Name $BlobContainer -Context $StorageContext -Confirm:$false -Force
+        }
+    }
+
     $QueueTable = Get-CippTable -TableName 'CippQueue'
     $CippQueue = Invoke-ListCippQueue
     $QueueEntities = foreach ($Queue in $CippQueue) {
@@ -45,15 +55,7 @@ function Clear-CippDurables {
         }
     }
 
-    Remove-AzDataTable @InstancesTable
-    Remove-AzDataTable @HistoryTable
-    $BlobContainer = '{0}-largemessages' -f $FunctionName
-    if (Get-AzStorageContainer -Name $BlobContainer -Context $StorageContext -ErrorAction SilentlyContinue) {
-        Write-Information "- Removing blob container: $BlobContainer"
-        if ($PSCmdlet.ShouldProcess($BlobContainer, 'Remove Blob Container')) {
-            Remove-AzStorageContainer -Name $BlobContainer -Context $StorageContext -Confirm:$false -Force
-        }
-    }
     $null = Get-CippTable -TableName ('{0}History' -f $FunctionName)
     Write-Information 'Durable Orchestrators and Queues have been cleared'
+    return $true
 }