Merge pull request #29 from KelvinTegelaar/master

[pull] master from KelvinTegelaar:master
SEVENP · Jan 20, 2024 · 44a5f91 · 44a5f91
2 parents 8d40229 + 0632082
commit 44a5f91
Show file tree

Hide file tree

Showing 21 changed files with 302 additions and 30 deletions.
diff --git a/.github/workflows/dev_cippy6oom.yml b/.github/workflows/dev_cippy6oom.yml
@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippy6oom
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippy6oom'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B9C635E19DF6459F8995BA602EFA638A }}
diff --git a/Config/49a8069e-3b46-4680-a035-9250bc675446.CATemplate.json b/Config/49a8069e-3b46-4680-a035-9250bc675446.CATemplate.json
@@ -37,5 +37,5 @@
       "excludeApplications": []
     }
   },
-  "displayName": "Enforce Multi factor authentication for each application"
+  "displayName": "CIPP: Enforce Multi factor authentication for each application"
 }
diff --git a/Config/cba836bb-33b7-4c50-88be-ee80f74cbeac.CATemplate.json b/Config/cba836bb-33b7-4c50-88be-ee80f74cbeac.CATemplate.json
@@ -32,5 +32,5 @@
     "times": null,
     "clientApplications": null
   },
-  "displayName": "Enforce Multi-factor authentication for Static Web Apps"
+  "displayName": "CIPP: Enforce Multi-factor authentication for Static Web Apps"
 }
diff --git a/Config/f8be7e58-2419-40a8-a739-714bf5deff90.CATemplate.json b/Config/f8be7e58-2419-40a8-a739-714bf5deff90.CATemplate.json
@@ -26,11 +26,11 @@
     "platforms": null,
     "clientApplications": null,
     "applications": {
-      "includeApplications": ["None"],
+      "includeApplications": ["All"],
       "includeUserActions": [],
       "includeAuthenticationContextClassReferences": [],
       "excludeApplications": []
     }
   },
-  "displayName": "Block Legacy Authentication"
+  "displayName": "CIPP: Block Legacy Authentication"
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1
@@ -18,6 +18,14 @@ Function Invoke-AddStandardsDeploy {
         $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
         $Settings = ($request.body | Select-Object -Property *, v2* -ExcludeProperty Select_*, None )
         $Settings | Add-Member -NotePropertyName 'v2.1' -NotePropertyValue $true -Force
+        if ($Settings.phishProtection.remediate) {
+            $URL = $request.headers.'x-ms-original-url'.split('/api') | Select-Object -First 1
+            Write-Host $URL
+            $Settings.phishProtection = [pscustomobject]@{
+                remediate = [bool]$Settings.phishProtection.remediate
+                URL       = $URL
+            }
+        }
         foreach ($Tenant in $tenants) {
 
             $object = [PSCustomObject]@{
@@ -37,8 +45,7 @@ Function Invoke-AddStandardsDeploy {
             Write-LogMessage -user $request.headers.'x-ms-client-principal' -tenant $tenant -API 'Standards' -message 'Successfully added standards deployment' -Sev 'Info'
         }
         $body = [pscustomobject]@{'Results' = 'Successfully added standards deployment' }
-    }
-    catch {
+    } catch {
         Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -message "Standards API failed. Error:$($_.Exception.Message)" -Sev 'Error'
         $body = [pscustomobject]@{'Results' = "Failed to add standard: $($_.Exception.Message)" }
     }

diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignAPDevice.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignAPDevice.ps1
@@ -0,0 +1,32 @@
+using namespace System.Net
+
+Function Invoke-ExecAssignAPDevice {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+    $APIName = $TriggerMetadata.FunctionName
+    Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $tenantfilter = $Request.Body.TenantFilter
+    try {
+        $body = @{
+            UserPrincipalName   = $Request.body.UserPrincipalName
+            addressableUserName = $Request.body.addressableUserName
+        } | ConvertTo-Json
+        New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($request.body.Device)/UpdateDeviceProperties" -tenantid $TenantFilter -body $body -method POST 
+        $Results = "Successfully assigned device to $($Request.body.UserPrincipalName) for $($tenantfilter)"
+    } catch {
+        $Results = "Could not $($Request.body.UserPrincipalName) to $($Request.body.device) for $($tenantfilter) Error: $($_.Exception.Message)"
+    }
+
+    $Results = [pscustomobject]@{'Results' = "$results" }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecOffboardTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecOffboardTenant.ps1
@@ -12,6 +12,9 @@ Function Invoke-ExecOffboardTenant {
 
         $Tenantfilter = $request.body.tenantfilter
 
+        # temp fix -rvdwegen
+        $tenantId = (Invoke-RestMethod -Method GET "https://login.windows.net/$Tenantfilter/.well-known/openid-configuration").token_endpoint.Split('/')[3]
+
         $results = [System.Collections.ArrayList]@()
         $errors = [System.Collections.ArrayList]@()
 
@@ -105,7 +108,7 @@ Function Invoke-ExecOffboardTenant {
         }
 
         # All customer tenant specific actions ALWAYS have to be completed before this action!
-        if ($request.body.RemoveMultitenantApps) {
+        if ($request.body.RemoveMultitenantCSPApps) {
             # Remove multi-tenant apps with the CSP tenant as origin
             try {
                 $multitenantCSPApps = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$count=true&`$select=displayName,appId,id,appOwnerOrganizationId&`$filter=appOwnerOrganizationId eq $($env:TenantID)" -tenantid $Tenantfilter -ComplexFilter)
@@ -129,18 +132,23 @@ Function Invoke-ExecOffboardTenant {
         if ($request.body.TerminateGDAP) {
             # Terminate GDAP relationships
             try {
-                $delegatedAdminRelationships = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships?`$filter=(status eq 'active') AND (customer/tenantId eq '$TenantFilter')" -tenantid $env:TenantID)
+                $TenantFilter
+                $TenantFilter
+                $TenantFilter
+                $delegatedAdminRelationships = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships?`$filter=(status eq 'active') AND (customer/tenantId eq '$tenantid')" -tenantid $env:TenantID)
                 $delegatedAdminRelationships | ForEach-Object {
                     try {
                         $terminate = (New-GraphPostRequest -type 'POST' -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($_.id)/requests" -body '{"action":"terminate"}' -ContentType 'application/json' -tenantid $env:TenantID)
                         $results.Add("Succesfully terminated GDAP relationship $($_.displayName) from tenant $TenantFilter")
                         Write-LogMessage -user $ExecutingUser -API $APIName -message "GDAP Relationship $($_.displayName) has been terminated" -Sev "Info" -tenant $TenantFilter
                     } catch {
+                        $($_.Exception.message)
                         #$results.Add("Failed to terminate GDAP relationship $($_.displayName): $($_.Exception.message)")
                         $errors.Add("Failed to terminate GDAP relationship $($_.displayName): $($_.Exception.message)")
                     }
                 }
             } catch {
+                $($_.Exception.message)
                 #$results.Add("Failed to retrieve GDAP relationships, no relationships have been terminated: $($_.Exception.message)")
                 $errors.Add("Failed to retrieve GDAP relationships, no relationships have been terminated: $($_.Exception.message)")
             }

diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecSyncAPDevices.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecSyncAPDevices.ps1
@@ -0,0 +1,28 @@
+using namespace System.Net
+
+Function Invoke-ExecSyncAPDevices {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+    $APIName = $TriggerMetadata.FunctionName
+    Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $tenantfilter = $Request.Query.TenantFilter
+    try {
+        New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotSettings/sync' -tenantid $TenantFilter
+        $Results = "Successfully Started Sync for $($TenantFilter)"
+    } catch {
+        $Results = "Failed to start sync for $tenantfilter. Did you try syncing in the last 10 minutes?"
+    }
+
+    $Results = [pscustomobject]@{'Results' = "$results" }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListAPDevices.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListAPDevices.ps1
@@ -17,7 +17,6 @@ Function Invoke-ListAPDevices {
 
     # Interact with query parameters or the body of the request.
     $TenantFilter = $Request.Query.TenantFilter
-    $userid = $Request.Query.UserID
     try {
         $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities?`$top=999" -tenantid $TenantFilter  
         $StatusCode = [HttpStatusCode]::OK

diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailQuarantine.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailQuarantine.ps1
@@ -13,7 +13,7 @@ Function Invoke-ListMailQuarantine {
     $Tenantfilter = $request.Query.tenantfilter
 
     try {
-        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-QuarantineMessage'
+        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ 'PageSize' = 1000 }
         $StatusCode = [HttpStatusCode]::OK
     } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message

diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1
@@ -14,7 +14,6 @@ function Push-CIPPAlertExpiringLicenses {
             }
         }
     } catch {
-        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
     }
 }
 
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSharepointQuota.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSharepointQuota.ps1
@@ -18,6 +18,5 @@ function Push-CIPPAlertSharepointQuota {
             }
         }
     } catch {
-        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get SharePoint quota for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/invoke-DomainAnalyser_List.ps1 b/Modules/CIPPCore/Public/Entrypoints/invoke-DomainAnalyser_List.ps1
@@ -0,0 +1,39 @@
+
+using namespace System.Net
+
+Function Invoke-DomainAnalyser_List {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+    $DomainTable = Get-CIPPTable -Table 'Domains'
+
+    # Get all the things
+
+    if ($Request.Query.tenantFilter -ne 'AllTenants') {
+        $DomainTable.Filter = "TenantId eq '{0}'" -f $Request.Query.tenantFilter
+    }
+
+    try {
+        # Extract json from table results
+        $Results = foreach ($DomainAnalyserResult in (Get-CIPPAzDataTableEntity @DomainTable).DomainAnalyser) {
+            try { 
+                if (![string]::IsNullOrEmpty($DomainAnalyserResult)) {
+                    $Object = $DomainAnalyserResult | ConvertFrom-Json -ErrorAction SilentlyContinue
+                    $Object
+                }
+            } catch {}
+        }
+    } catch {
+        $Results = @()
+    }
+
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = @($Results)
+        })
+}
diff --git a/Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1
@@ -1,5 +1,5 @@
 
-function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck, $skipTokenCache, $AddedHeaders) {
+function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck, $skipTokenCache, $AddedHeaders, $contentType) {
     <#
     .FUNCTIONALITY
     Internal
@@ -16,10 +16,14 @@ function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $N
             $type = 'POST'
         }
 
+        if (!$contentType) {
+            $contentType = 'application/json; charset=utf-8'
+        }
         try {
-            $ReturnedData = (Invoke-RestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType 'application/json; charset=utf-8')
+            $ReturnedData = (Invoke-RestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType $contentType)
         } catch {
-            $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error.message
+            $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error
+            if ($Message.innerError) { $Message = $Message.Innererror.Message } else { $Message = $Message.Message.Error }
             if ($Message -eq $null) { 
                 try {
                     $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).message

diff --git a/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1 b/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1
@@ -45,6 +45,21 @@ function New-CIPPCAPolicy {
         # no issues here.
     }
 
+    #If Grant Controls contains authenticationstrength, create these and then replace the id
+    if ($JSONobj.GrantControls.authenticationStrength.policyType -eq 'custom') {
+        $ExistingStrength = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies/' -tenantid $TenantFilter | Where-Object -Property displayName -EQ $JSONobj.GrantControls.authenticationStrength.displayName
+        if ($ExistingStrength) {
+            $JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
+
+        } else {
+            $Body = ConvertTo-Json -InputObject $JSONObj.GrantControls.authenticationStrength
+            $GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies' -body $body -Type POST -tenantid $tenantfilter
+            $JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
+            Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created new Authentication Strength Policy: $($JSONObj.GrantControls.authenticationStrength.displayName)" -Sev 'Info'
+        }
+    }
+
+
     #for each of the locations, check if they exist, if not create them. These are in $jsonobj.LocationInfo
     $LocationLookupTable = foreach ($locations in $jsonobj.LocationInfo) {
         foreach ($location in $locations) {
@@ -109,6 +124,7 @@ function New-CIPPCAPolicy {
             return "Created policy $displayname for $tenantfilter"
         }
     } catch {
+        Write-Host "$($_.exception | ConvertTo-Json)"
         throw "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message)"
         Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message) " -sev 'Error'
     }

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1
@@ -0,0 +1,39 @@
+function Invoke-CIPPStandardDisableAdditionalStorageProviders {
+    <#
+    .FUNCTIONALITY
+    Internal
+    #>
+    param($Tenant, $Settings)
+
+    $AdditionalStorageProvidersState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OwaMailboxPolicy' -cmdParams @{Identity = 'OwaMailboxPolicy-Default' }
+
+    if ($Settings.remediate) {
+
+        try {
+            if ($AdditionalStorageProvidersState.AdditionalStorageProvidersAvailable) {
+                New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OwaMailboxPolicy' -cmdParams @{ Identity = $AdditionalStorageProvidersState.Identity; AdditionalStorageProvidersAvailable = $false } -useSystemMailbox $true
+                Write-LogMessage -API 'Standards' -tenant $tenant -message 'OWA additional storage providers have been disabled.' -sev Info
+                $AdditionalStorageProvidersState.AdditionalStorageProvidersAvailable = $false
+            } else {
+                Write-LogMessage -API 'Standards' -tenant $tenant -message 'OWA additional storage providers are already disabled.' -sev Info
+            }
+        } catch {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable OWA additional storage providers. Error: $($_.Exception.Message)" -sev Error
+        }
+
+    }
+
+    if ($Settings.alert) {
+
+        if ($AdditionalStorageProvidersState.AdditionalStorageProvidersAvailable) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'OWA additional storage providers are enabled' -sev Alert
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'OWA additional storage providers are disabled' -sev Info
+        }
+    }
+
+    if ($Settings.report) {
+
+        Add-CIPPBPAField -FieldName 'AdditionalStorageProvidersEnabled' -FieldValue [bool]$AdditionalStorageProvidersState.AdditionalStorageProvidersEnabled -StoreAs bool -Tenant $tenant
+    }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,7 +14,6 @@ function Push-CIPPAlertExpiringLicenses { @@
                 }
             }
         } catch {
-            Write-AlertMessage -tenant $($QueueItem.tenant) -message "Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
         }
     }