Merge branch 'KelvinTegelaar:master' into master

HBCG-IO · Jul 12, 2023 · 679b5ea · 679b5ea
2 parents 800512e + 43b4591
commit 679b5ea
Show file tree

Hide file tree

Showing 99 changed files with 1,605 additions and 779 deletions.
diff --git a/AddScheduledItems/function.json b/AddScheduledItems/function.json
@@ -0,0 +1,19 @@
+{
+    "bindings": [
+      {
+        "authLevel": "anonymous",
+        "type": "httpTrigger",
+        "direction": "in",
+        "name": "Request",
+        "methods": [
+          "get",
+          "post"
+        ]
+      },
+      {
+        "type": "http",
+        "direction": "out",
+        "name": "Response"
+      }
+    ]
+  }
diff --git a/AddScheduledItems/run.ps1 b/AddScheduledItems/run.ps1
@@ -0,0 +1,20 @@
+using namespace System.Net
+param($Request, $TriggerMetadata)
+$APIName = $TriggerMetadata.FunctionName
+Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+$task = $Request.Body | ConvertFrom-Json
+$Table = Get-CIPPTable -TableName 'ScheduledTasks'
+Add-AzDataTableEntity @Table -Entity @{
+    PartitionKey = 'ScheduledTask'
+    TaskState = 'Scheduled'
+    RowKey = $task.TaskID
+    Command = $task.Command
+    Parameters = $task.Parameters
+    ScheduledTime = $task.ScheduledTime
+    Results = 'Not Executed'
+    # add more properties here based on what properties your tasks have
+}
+Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+    StatusCode = [HttpStatusCode]::OK
+    Body       = 'Task added successfully.'
+})
diff --git a/Applications_Upload/run.ps1 b/Applications_Upload/run.ps1
@@ -112,7 +112,7 @@ foreach ($tenant in $tenants) {
             $assign = New-GraphPOSTRequest -uri  "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($NewApp.id)/assign" -tenantid $tenant -type POST -body $AssignBody
             Write-LogMessage -api "AppUpload" -tenant $($Tenant) -message "Assigned application $($chocoApp.ApplicationName) to $AssignTo" -Sev "Info"
         }
-        Write-LogMessage -api "AppUpload" -tenant $($Tenant) -message "Successfully added Application"
+        Write-LogMessage -api "AppUpload" -tenant $($Tenant) -message "Successfully added Application" -Sev "Info"
     }
     catch {
         "Failed to add Application for $($Tenant): $($_.Exception.Message)"

diff --git a/BestPracticeAnalyser_All/run.ps1 b/BestPracticeAnalyser_All/run.ps1
@@ -48,7 +48,7 @@ try {
     $Result.TAPEnabled = $TAPEnabled.State
 }
 catch {
-    Write-LogMessage -API 'BestPracticeAnalyser' -tenant $tenant -message "Security Defaults State on $($tenant) Error: $($_.exception.message)" -sev 'Error'
+    Write-LogMessage -API 'BestPracticeAnalyser' -tenant $tenant -message "Retrieving TAP state failed: $($tenant) Error: $($_.exception.message)" -sev 'Error'
 }
 # Get the nudge State
 try {

diff --git a/Cache_SAMSetup/PermissionsTranslator.json b/Cache_SAMSetup/PermissionsTranslator.json
@@ -1,4 +1,11 @@
 [
+  {
+    "description": "Allows Exchange Management as app",
+    "displayName": "Manage Exchange As Application ",
+    "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
+    "origin": "Application (Office 365 Exchange Online)",
+    "value": "Exchange.ManageAsApp"
+  },
   {
     "description": "Allows the app to read a basic set of profile properties of other users in your organization without a signed-in user. Includes display name, first and last name, email address, open extensions, and photo.",
     "displayName": "Read all users' basic profiles",

diff --git a/Cache_SAMSetup/SAMManifest.json b/Cache_SAMSetup/SAMManifest.json
@@ -146,7 +146,11 @@
         { "id": "34bf0e97-1971-4929-b999-9e2442d941d7", "type": "Role" },
         { "id": "45cc0394-e837-488b-a098-1918f48d186c", "type": "Role" },
         { "id": "be74164b-cff1-491c-8741-e671cb536e13", "type": "Role" },
+        { "id": "2a60023f-3219-47ad-baa4-40e17cd02a1d", "type": "Role" },
+        { "id": "338163d7-f101-4c92-94ba-ca46fe52447c", "type": "Role" },
+        { "id": "cac88765-0581-4025-9725-5ebc13f729ee", "type": "Role" },
         { "id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30", "type": "Scope" },
+        { "id": "84bccea3-f856-4a8a-967b-dbe0a3d53a64", "type": "Scope" },
         { "id": "280b3b69-0437-44b1-bc20-3b2fca1ee3e9", "type": "Scope" },
         {
           "id": "885f682f-a990-4bad-a642-36736a74b0c7",
@@ -172,7 +176,8 @@
     {
       "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
       "resourceAccess": [
-        { "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c", "type": "Scope" }
+        { "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c", "type": "Scope" },
+        { "id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role" }
       ]
     },
     {

diff --git a/Config/7b41924e-3051-4a23-b0d0-8cdeadc2c05a.IntuneTemplate.json b/Config/7b41924e-3051-4a23-b0d0-8cdeadc2c05a.IntuneTemplate.json
@@ -1,7 +1,7 @@
 {
   "Displayname": "CIPP Default: Enable Onedrive Silent Logon and Known Folder Move",
   "Description": "This policy enables Onedrive Silent Logon and Known Folder move",
-  "RAWJson": "{\"added\":[{\"enabled\":true,\"presentationValues\":[],\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('9a4db949-29e4-4e31-a129-bf2b88d8fa1b')\"},{\"enabled\":true,\"presentationValues\":[{\"@odata.type\":\"#microsoft.graph.groupPolicyPresentationValueText\",\"value\":\"$($tenant.customerId)\",\"presentation@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')/presentations('fbefbbdf-5382-477c-8b6c-71f4a06e2805')\"},{\"@odata.type\":\"#microsoft.graph.groupPolicyPresentationValueText\",\"value\":\"0\",\"presentation@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')/presentations('35c82072-a93b-4022-be14-8684c2f6fcc2')\"}],\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')\"},{\"enabled\":true,\"presentationValues\":[],\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('81c07ba0-7512-402d-b1f6-00856975cfab')\"},{\"enabled\":true,\"presentationValues\":[],\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('61b07a01-7e60-4127-b086-f6b32458a5c5')\"},{\"enabled\":true,\"presentationValues\":[],\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('8866d7bd-42fb-4695-b6f2-80e0a90b1ac3')\"},{\"enabled\":true,\"presentationValues\":[],\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('f974758d-1fab-42fe-ad36-3a6cd25c49c1')\"}],\"updated\":[],\"deletedIds\":[]}\r\n",
+  "RAWJson": "{\n\"added\":[\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('9a4db949-29e4-4e31-a129-bf2b88d8fa1b')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[\n{\n\"@odata.type\":\"#microsoft.graph.groupPolicyPresentationValueText\",\n\"value\":\"%tenantid%\",\n\"presentation@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')/presentations('fbefbbdf-5382-477c-8b6c-71f4a06e2805')\"\n},\n{\n\"@odata.type\":\"#microsoft.graph.groupPolicyPresentationValueText\",\n\"value\":\"0\",\n\"presentation@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')/presentations('35c82072-a93b-4022-be14-8684c2f6fcc2')\"\n}\n],\n\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('81c07ba0-7512-402d-b1f6-00856975cfab')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"definition@odata.bind\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('61b07a01-7e60-4127-b086-f6b32458a5c5')\"\n},\n],\n\"updated\":[],\n\"deletedIds\":[]\n}",
   "Type": "Admin",
   "GUID": "7b41924e-3051-4a23-b0d0-8cdeadc2c05a.IntuneTemplate.json"
 }
diff --git a/DomainAnalyser_GetTenantDomains/run.ps1 b/DomainAnalyser_GetTenantDomains/run.ps1
@@ -93,5 +93,5 @@ if ($TenantCount -gt 0) {
         }
         catch { Write-LogMessage -API 'DomainAnalyser' -message "Domain Analyser GetTenantDomains Error $($_.Exception.Message)" -sev info }
     }
-    catch { Write-LogMessage -API 'DomainAnalyser' -message "GetTenantDomains loop exception: $($_.Exception.Message) line $($_.InvocationInfo.ScriptLineNumber)" }
+    catch { Write-LogMessage -API 'DomainAnalyser' -message "GetTenantDomains loop exception: $($_.Exception.Message) line $($_.InvocationInfo.ScriptLineNumber)" -sev "Error"}
 }
diff --git a/ExecAccessChecks/run.ps1 b/ExecAccessChecks/run.ps1
@@ -137,7 +137,7 @@ if ($Request.query.Tenants -eq 'true') {
         catch {
             @{
                 TenantName = "$($tenant)"
-                Status     = "Failed to connect to $(Get-NormalizedError -message $_.Exception.Message)" 
+                Status     = "Failed to connect to: $(Get-NormalizedError -message $_.Exception.Message)" 
             }
             Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Tenant access check failed: $(Get-NormalizedError -message $_) " -Sev 'Error'
 

diff --git a/ExecCPVPermissions/run.ps1 b/ExecCPVPermissions/run.ps1
@@ -43,9 +43,7 @@ $GraphRequest = $ExpectedPermissions.requiredResourceAccess | ForEach-Object {
             $AppBody = @"
 {
   "ApplicationGrants":[ $(ConvertTo-Json -InputObject $RequiredCPVPerms -Compress -Depth 10)],
-  "ApplicationId": "$($env:ApplicationID)",
-  "DisplayName": "CIPP-SAM"
-}
+  "ApplicationId": "$($env:ApplicationID)"}
 "@
             $CPVConsent = New-GraphpostRequest -body $AppBody -Type POST -noauthcheck $true -uri "https://api.partnercenter.microsoft.com/v1/customers/$($TenantFilter)/applicationconsents" -scope "https://api.partnercenter.microsoft.com/.default" -tenantid $env:TenantID
             "Succesfully set CPV permissions for $Permissionsname"
@@ -58,6 +56,34 @@ $GraphRequest = $ExpectedPermissions.requiredResourceAccess | ForEach-Object {
     }
 }
 
+
+$ourSVCPrincipal = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($ENV:applicationid)')" -tenantid $Tenantfilter
+
+# if the app svc principal exists, consent app permissions
+$apps = $ExpectedPermissions 
+$Grants = foreach ($App in $apps.requiredResourceAccess) {
+    try {
+        $svcPrincipalId = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($app.resourceAppId)')" -tenantid $tenantfilter
+    }
+    catch {
+        continue
+    }
+    foreach ($SingleResource in $app.ResourceAccess | Where-Object -Property Type -EQ "Role") {
+        [pscustomobject]@{
+            principalId = $($ourSVCPrincipal.id)
+            resourceId  = $($svcPrincipalId.id)
+            appRoleId   = "$($SingleResource.Id)"
+        }
+    } 
+} 
+foreach ($Grant in $grants) {
+    try {
+        $SettingsRequest = New-GraphPOSTRequest -body ($grant | ConvertTo-Json) -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo" -tenantid $tenantfilter -type POST
+    }
+    catch {
+        "Failed to grant $($grant.appRoleId) to $($grant.resourceId): $($_.Exception.Message). "
+    }
+}
 $StatusCode = [HttpStatusCode]::OK
 
 # Associate values to output bindings by calling 'Push-OutputBinding'.