Merge branch 'KelvinTegelaar:master' into master

infoxchange · Jan 8, 2024 · 76bb695 · 76bb695
2 parents 8718cd2 + e0dc369
commit 76bb695
Show file tree

Hide file tree

Showing 12 changed files with 198 additions and 88 deletions.
diff --git a/Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1 b/Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1
@@ -5,9 +5,10 @@ function Add-CIPPDelegatedPermission {
         $ApplicationId,
         $Tenantfilter
     )
+    Write-Host 'Adding Delegated Permissions'
     Set-Location (Get-Item $PSScriptRoot).FullName
-
-    if ($RequiredResourceAccess -eq "CIPPDefaults") {
+    Write-Host "RequiredResourceAccess: $($RequiredResourceAccess | ConvertTo-Json -Depth 10)"
+    if ($RequiredResourceAccess -eq 'CIPPDefaults') {
         $RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess
     }
     $Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
@@ -26,17 +27,16 @@ function Add-CIPPDelegatedPermission {
         if (!$OldScope) {
             $Createbody = @{
                 clientId    = $ourSVCPrincipal.id
-                consentType = "AllPrincipals"
+                consentType = 'AllPrincipals'
                 resourceId  = $svcPrincipalId.id
                 scope       = $NewScope
             } | ConvertTo-Json -Compress
-            $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" -tenantid $Tenantfilter -body $Createbody -type POST
+            $CreateRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants' -tenantid $Tenantfilter -body $Createbody -type POST
             $Results.add("Successfully added permissions for $($svcPrincipalId.displayName)") | Out-Null
-        }
-        else {
+        } else {
             $compare = Compare-Object -ReferenceObject $OldScope.scope.Split(' ') -DifferenceObject $NewScope.Split(' ')
             if (!$compare) {
-                $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)")  | Out-Null
+                $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)") | Out-Null
                 continue
             }
             $Patchbody = @{

diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1
@@ -7,18 +7,20 @@ function Push-CIPPAlertAppSecretExpiry {
     )
     $LastRunTable = Get-CIPPTable -Table AlertLastRun
 
-
+    Write-Host "Checking app expire for $($QueueItem.tenant)"
     try {
         $Filter = "RowKey eq 'AppSecretExpiry' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
         $LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
         $Yesterday = (Get-Date).AddDays(-1)
         if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
             New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications?`$select=appId,displayName,passwordCredentials" -tenantid $QueueItem.tenant | ForEach-Object {
                 foreach ($App in $_) {
+                    Write-Host "checking $($App.displayName)"
                     if ($App.passwordCredentials) {
                         foreach ($Credential in $App.passwordCredentials) {
                             if ($Credential.endDateTime -lt (Get-Date).AddDays(30) -and $Credential.endDateTime -gt (Get-Date).AddDays(-7)) {
-                               ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
+                                Write-Host ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
+                                Write-AlertMessage -tenant $($QueueItem.tenant) -message ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
                             }
                         }
                     }

diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertDepTokenExpiry.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertDepTokenExpiry.ps1
@@ -7,8 +7,6 @@ function Push-CIPPAlertDepTokenExpiry {
     )
     $LastRunTable = Get-CIPPTable -Table AlertLastRun
 
-
-
     try {
         $Filter = "RowKey eq 'DepTokenExpiry' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
         $LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter

diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAdmins.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAdmins.ps1
@@ -6,34 +6,45 @@ function Push-CIPPAlertMFAAdmins {
         $TriggerMetadata
     )
     try {
-        $StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
-        $AdminList = (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/directoryRoles?`$expand=members" -tenantid $($QueueItem.tenant) | Where-Object -Property roleTemplateId -NE 'd29b2b05-8046-44ba-8758-1e26182fcf32').members | Where-Object { $_.userPrincipalName -ne $null -and $_.Usertype -eq 'Member' -and $_.accountEnabled -eq $true } | Sort-Object UserPrincipalName -Unique
-        $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $QueueItem.tenant -ErrorAction Stop)
-        foreach ($Policy in $CAPolicies) {
-            if ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa') {
-                $DuoActive = $true
-            }
-        } 
-        if (!$DuoActive) {
-            $AdminList | ForEach-Object {
-                $CARegistered = $null
-                try {
-                    New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.ID)/authentication/Methods" -tenantid $($QueueItem.tenant) | ForEach-Object {
-                        if ($_.'@odata.type' -in $StrongMFAMethods) {
-                            $CARegistered = $true
+        $LastRunTable = Get-CIPPTable -Table AlertLastRun
+        $Filter = "RowKey eq 'MFAAllAdmins' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
+        $LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
+        $Yesterday = (Get-Date).AddDays(-1)
+        if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
+            $StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
+            $AdminList = (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/directoryRoles?`$expand=members" -tenantid $($QueueItem.tenant) | Where-Object -Property roleTemplateId -NE 'd29b2b05-8046-44ba-8758-1e26182fcf32').members | Where-Object { $_.userPrincipalName -ne $null -and $_.Usertype -eq 'Member' -and $_.accountEnabled -eq $true } | Sort-Object UserPrincipalName -Unique
+            $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $QueueItem.tenant -ErrorAction Stop)
+            foreach ($Policy in $CAPolicies) {
+                if ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa') {
+                    $DuoActive = $true
+                }
+            } 
+            if (!$DuoActive) {
+                $AdminList | ForEach-Object {
+                    $CARegistered = $null
+                    try {
+                        New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.ID)/authentication/Methods" -tenantid $($QueueItem.tenant) | ForEach-Object {
+                            if ($_.'@odata.type' -in $StrongMFAMethods) {
+                                $CARegistered = $true
+                            }
                         }
+                        if ($CARegistered -ne $true) { 
+                            Write-AlertMessage -tenant $($QueueItem.tenant) -message "Admin $($_.UserPrincipalName) is enabled but does not have any form of MFA configured." 
+                        }
+                    } catch {
+                        # Error handling here if needed
                     }
-                    if ($CARegistered -ne $true) { 
-                        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Admin $($_.UserPrincipalName) is enabled but does not have any form of MFA configured." 
-                    }
-                } catch {
-                    # Error handling here if needed
                 }
+            } else {
+                Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Info
             }
-        } else {
-            Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Info
         }
     } catch {
         Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get MFA status for admins for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
     }
+    $LastRun = @{
+        RowKey       = 'MFAAllAdmins'
+        PartitionKey = $QueueItem.tenantid
+    }
+    Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAlertUsers.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAlertUsers.ps1
@@ -6,46 +6,60 @@ function Push-CIPPAlertMFAAlertUsers {
         $TriggerMetadata
     )
     try {
-        $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=userPrincipalName,id,accountEnabled,userType&`$filter=userType eq 'Member' and accountEnabled eq true" -tenantid $($QueueItem.tenant)
-        Write-Host "found $($users.count) users"
-        $StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
+        $LastRunTable = Get-CIPPTable -Table AlertLastRun
+        $Filter = "RowKey eq 'MFAAllUsers' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
+        $LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
+        $Yesterday = (Get-Date).AddDays(-1)
+        if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
+            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=userPrincipalName,id,accountEnabled,userType&`$filter=userType eq 'Member' and accountEnabled eq true" -tenantid $($QueueItem.tenant)
+            Write-Host "found $($users.count) users for $($QueueItem.tenant)"
+            $StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
 
-        $UserBatches = [System.Collections.Generic.List[Object]]@()
-        for ($i = 0; $i -lt $users.count; $i += 20) {
-            $UserBatches.Add($users[$i..($i + 19)])
-        }
-
-        $UserBatches | ForEach-Object -Parallel {
-            Import-Module CippCore
-            Import-Module AzBobbyTables
-            $UserBatch = $_
-            Write-Host "processing batch of $($UserBatch.count) users"
-            $BatchRequests = $UserBatch | ForEach-Object {
-                @{
-                    id     = $_.id
-                    method = 'GET'
-                    url    = "users/$($_.ID)/authentication/Methods"
-                }
+            $UserBatches = [System.Collections.Generic.List[Object]]@()
+            for ($i = 0; $i -lt $users.count; $i += 20) {
+                $UserBatches.Add($users[$i..($i + 19)])
             }
-            $BatchResponses = New-GraphBulkRequest -tenantid $using:QueueItem.tenant -Requests $BatchRequests
-            foreach ($response in $BatchResponses) {
-                $UPN = ($UserBatch | Where-Object { $_.id -eq $response.id }).UserPrincipalName
-                $CARegistered = $false
 
-                foreach ($method in $response.body.value) {
-                    if ($method.'@odata.type' -in $using:StrongMFAMethods) {
-                        $CARegistered = $true
-                        break
+            $UserBatches | ForEach-Object -Parallel {
+                try {
+                    Write-Host "processing batch of $($_.count) users for $($using:QueueItem.tenant)"
+                    Import-Module CippCore
+                    Import-Module AzBobbyTables
+                    $UserBatch = $_
+                    Write-Host "processing batch of $($UserBatch.count) users"
+                    $BatchRequests = $UserBatch | ForEach-Object {
+                        @{
+                            id     = $_.id
+                            method = 'GET'
+                            url    = "users/$($_.ID)/authentication/Methods"
+                        }
                     }
-                }
+                    $BatchResponses = New-GraphBulkRequest -tenantid $using:QueueItem.tenant -Requests $BatchRequests
+                    foreach ($response in $BatchResponses) {
+                        $UPN = ($UserBatch | Where-Object { $_.id -eq $response.id }).UserPrincipalName
+                        $CARegistered = $false
 
-                if (-not $CARegistered) {
-                    Write-AlertMessage -tenant $using:QueueItem.tenant -message "User $UPN is enabled but does not have any form of MFA configured."
-                }
-            }
-        } -ThrottleLimit 25
+                        foreach ($method in $response.body.value) {
+                            if ($method.'@odata.type' -in $using:StrongMFAMethods) {
+                                $CARegistered = $true
+                                break
+                            }
+                        }
 
+                        if (-not $CARegistered) {
+                            Write-AlertMessage -tenant $using:QueueItem.tenant -message "User $UPN is enabled but does not have any form of MFA configured."
+                        }
+                    }
+                } catch {
+                }
+            } -ThrottleLimit 25
+        }
     } catch {
         Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get MFA status for users for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
     }
+    $LastRun = @{
+        RowKey       = 'MFAAllUsers'
+        PartitionKey = $QueueItem.tenantid
+    }
+    Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-ExecAddMultiTenantApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-ExecAddMultiTenantApp.ps1
@@ -1,15 +1,16 @@
 function Push-ExecAddMultiTenantApp($QueueItem, $TriggerMetadata) {
     try {
-        Write-Host $Queueitem
+        $Queueitem = $QueueItem | ConvertTo-Json -Depth 10 | ConvertFrom-Json
+        Write-Host "$($Queueitem | ConvertTo-Json -Depth 10)"
         $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Queueitem.Tenant
         if ($Queueitem.AppId -Notin $ServicePrincipalList.appId) {
             $PostResults = New-GraphPostRequest 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $queueitem.tenant -body "{ `"appId`": `"$($Queueitem.appId)`" }"
             Write-LogMessage -message "Added $($Queueitem.AppId) to tenant $($Queueitem.Tenant)" -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Info
         } else {
             Write-LogMessage -message "This app already exists in tenant $($Queueitem.Tenant). We're adding the required permissions." -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Info
         }
-        Add-CIPPApplicationPermission -RequiredResourceAccess [pscustomobject]$queueitem.applicationResourceAccess -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
-        Add-CIPPDelegatedPermission -RequiredResourceAccess [pscustomobject]$queueitem.DelegateResourceAccess -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
+        Add-CIPPApplicationPermission -RequiredResourceAccess ($queueitem.applicationResourceAccess) -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
+        Add-CIPPDelegatedPermission -RequiredResourceAccess ($queueitem.DelegateResourceAccess) -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
     } catch {
         Write-LogMessage -message "Error adding application to tenant $($Queueitem.Tenant) - $($_.Exception.Message)" -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Error
     }