[pull] master from KelvinTegelaar:master

.github/workflows/dev_cippbcaom.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippbcaom
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippbcaom'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_56AD4FDD49354D0CAB4D9A9E868D2015 }}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1

@@ -18,7 +18,7 @@ function Get-CIPPAlertMFAAdmins {
             }
         }
         if (!$DuoActive) {
-            $users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$top=999&$filter=IsAdmin eq true and userDisplayName ne ''On-Premises Directory Synchronization Service Account''' -tenantid $($TenantFilter) | Where-Object -Property 'isMfaRegistered' -EQ $false
+            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
             if ($users.UserPrincipalName) {
                 $AlertData = "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAlertUsers.ps1

@@ -12,7 +12,7 @@ function Get-CIPPAlertMFAAlertUsers {
     )
     try {
 
-        $users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$top=999&filter=isMfaRegistered eq false and userType eq ''member'' and userDisplayName ne ''On-Premises Directory Synchronization Service Account''&$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered' -tenantid $($TenantFilter)
+        $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
         if ($users.UserPrincipalName) {
             $AlertData = "The following $($users.Count) users do not have MFA registered: $($users.UserPrincipalName -join ', ')"
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1

@@ -26,7 +26,15 @@ function Push-AuditLogTenant {
             }
             $CIPPURL = $LegacyUrl
         } else {
-            $CIPPURL = 'https://{0}' -f $CippConfig.Value
+            if (!$CippConfig) {
+                    $CippConfig = @{
+                        PartitionKey = 'InstanceProperties'
+                        RowKey       = 'CIPPURL'
+                        Value        = [string]([System.Uri]$Request.Headers.'x-ms-original-url').Host
+                    }
+                    Add-AzDataTableEntity @ConfigTable -Entity $CippConfig -Force
+                    $CIPPURL = 'https://{0}' -f $CippConfig.Value
+            } else { $CIPPURL = 'https://{0}' -f $CippConfig.Value }
         }
 
         # Get webhook rules

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroupTemplate.ps1

@@ -20,7 +20,7 @@ Function Invoke-AddGroupTemplate {
             Displayname     = $request.body.displayname
             Description     = $request.body.description
             groupType       = $request.body.groupType
-            MembershipRules = $request.body.membershipRule
+            MembershipRules = $request.body.membershipRules
             allowExternal   = $request.body.allowExternal
             username        = $request.body.username
             GUID            = $GUID

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Teams-Sharepoint/Invoke-ExecSetSharePointMember.ps1

@@ -10,13 +10,21 @@ Function Invoke-ExecSetSharePointMember {
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
 
+
+    $APIName = $TriggerMetadata.FunctionName
+    $ExecutingUser = $request.headers.'x-ms-client-principal'
+    Write-LogMessage -user $ExecutingUser -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $TenantFilter = $Request.body.tenantFilter
+
+
+
     if ($Request.body.SharePointType -eq 'Group') {
-        $GroupId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups?`$filter=mail eq '$($Request.Body.GroupID)' or proxyAddresses/any(x:endsWith(x,'$($Request.Body.GroupID)'))&`$count=true" -ComplexFilter -tenantid $Request.Body.TenantFilter).id
+        $GroupId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups?`$filter=mail eq '$($Request.Body.GroupID)' or proxyAddresses/any(x:endsWith(x,'$($Request.Body.GroupID)'))&`$count=true" -ComplexFilter -tenantid $TenantFilter).id
         if ($Request.body.Add -eq $true) {
-            $Results = Add-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $Request.Body.user.value -TenantFilter $Request.Body.TenantFilter -ExecutingUser $request.headers.'x-ms-client-principal'
+            $Results = Add-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $Request.Body.user.value -TenantFilter $TenantFilter -ExecutingUser $ExecutingUser
         } else {
-            $UserID = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.user.value)" -tenantid $Request.Body.TenantFilter).id
-            $Results = Remove-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $UserID -TenantFilter $Request.Body.TenantFilter -ExecutingUser $request.headers.'x-ms-client-principal'
+            $UserID = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.user.value)" -tenantid $TenantFilter).id
+            $Results = Remove-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $UserID -TenantFilter $TenantFilter -ExecutingUser $ExecutingUser
         }
     } else {
         $Results = 'This type of SharePoint site is not supported.'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Teams-Sharepoint/Invoke-ExecSharePointPerms.ps1

@@ -11,17 +11,36 @@ Function Invoke-ExecSharePointPerms {
     param($Request, $TriggerMetadata)
 
     $APIName = $TriggerMetadata.FunctionName
-    $tenantFilter = $Request.Body.TenantFilter
+    $tenantFilter = $Request.Body.tenantFilter
+    $ExecutingUser = $Request.Headers.'x-ms-client-principal'
+
+    Write-LogMessage -user $ExecutingUser -API $APIName -message 'Accessed this API' -Sev Debug
+
+    # The UPN or ID of the users OneDrive we are changing permissions on
+    $UserId = $Request.body.UPN
+    # The UPN of the user we are adding or removing permissions for
+    $OnedriveAccessUser = $Request.body.onedriveAccessUser.value
+
     try {
-        $State = Set-CIPPSharePointPerms -tenantFilter $tenantFilter -userid $request.body.UPN -OnedriveAccessUser $request.body.input -ExecutingUser $ExecutingUser -APIName $APIName -RemovePermission $request.body.RemovePermission -URL $Request.Body.URL
+
+        $State = Set-CIPPSharePointPerms -tenantFilter $tenantFilter `
+            -UserId $UserId `
+            -OnedriveAccessUser $OnedriveAccessUser `
+            -ExecutingUser $ExecutingUser `
+            -APIName $APIName `
+            -RemovePermission $Request.body.RemovePermission `
+            -URL $Request.Body.URL
         $Results = [pscustomobject]@{'Results' = "$State" }
+        $StatusCode = [HttpStatusCode]::OK
     } catch {
-        $Results = [pscustomobject]@{'Results' = "Failed. $($_.Exception.Message)" }
+        $ErrorMessage = Get-CippException -Exception $_
+        $Results = [pscustomobject]@{'Results' = "Failed. $($ErrorMessage.NormalizedError)" }
+        $StatusCode = [HttpStatusCode]::BadRequest
     }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-            StatusCode = [HttpStatusCode]::OK
+            StatusCode = $StatusCode
             Body       = $Results
         })
 

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Teams-Sharepoint/Invoke-ExecTeamsVoicePhoneNumberAssignment.ps1

@@ -11,26 +11,30 @@ Function Invoke-ExecTeamsVoicePhoneNumberAssignment {
     param($Request, $TriggerMetadata)
 
     $APIName = $TriggerMetadata.FunctionName
-    Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $ExecutingUser = $Request.headers.'x-ms-client-principal'
+    Write-LogMessage -user $ExecutingUser -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $Identity = $Request.Body.input.value
 
     $tenantFilter = $Request.Body.TenantFilter
     try {
         if ($Request.Body.locationOnly) {
-            $null = New-TeamsRequest -TenantFilter $TenantFilter -Cmdlet 'Set-CsPhoneNumberAssignment' -CmdParams @{LocationId = $Request.Body.input; PhoneNumber = $Request.Body.PhoneNumber; ErrorAction = 'stop'}
-            $Results = [pscustomobject]@{'Results' = "Successfully assigned emergency location to $($Request.Body.PhoneNumber)"}
+            $null = New-TeamsRequest -TenantFilter $TenantFilter -Cmdlet 'Set-CsPhoneNumberAssignment' -CmdParams @{LocationId = $Identity; PhoneNumber = $Request.Body.PhoneNumber; ErrorAction = 'stop' }
+            $Results = [pscustomobject]@{'Results' = "Successfully assigned emergency location to $($Request.Body.PhoneNumber)" }
         } else {
-            $null = New-TeamsRequest -TenantFilter $TenantFilter -Cmdlet 'Set-CsPhoneNumberAssignment' -CmdParams @{Identity = $Request.Body.input; PhoneNumber = $Request.Body.PhoneNumber; PhoneNumberType = $Request.Body.PhoneNumberType; ErrorAction = 'stop'}
-            $Results = [pscustomobject]@{'Results' = "Successfully assigned $($Request.Body.PhoneNumber) to $($Request.Body.input)"}
+            $null = New-TeamsRequest -TenantFilter $TenantFilter -Cmdlet 'Set-CsPhoneNumberAssignment' -CmdParams @{Identity = $Identity; PhoneNumber = $Request.Body.PhoneNumber; PhoneNumberType = $Request.Body.PhoneNumberType; ErrorAction = 'stop' }
+            $Results = [pscustomobject]@{'Results' = "Successfully assigned $($Request.Body.PhoneNumber) to $($Identity)" }
         }
-        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($TenantFilter) -message $($Results.Results) -Sev 'Info'
+        Write-LogMessage -user $ExecutingUser -API $APINAME -tenant $($TenantFilter) -message $($Results.Results) -Sev Info
+        $StatusCode = [HttpStatusCode]::OK
     } catch {
-        $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-        $Results = [pscustomobject]@{'Results' = $ErrorMessage}
-        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($TenantFilter) -message $($Results.Results) -Sev 'Error'
+        $ErrorMessage = Get-CippException -Exception $_
+        $Results = [pscustomobject]@{'Results' = $ErrorMessage.NormalizedError }
+        Write-LogMessage -user $ExecutingUser -API $APINAME -tenant $($TenantFilter) -message $($Results.Results) -Sev Error -LogData $ErrorMessage
+        $StatusCode = [HttpStatusCode]::Forbidden
     }
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-            StatusCode = [HttpStatusCode]::OK
+            StatusCode = $StatusCode
             Body       = $Results
         })
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Conditional/Invoke-ExecNamedLocation.ps1

@@ -17,10 +17,10 @@ Function Invoke-ExecNamedLocation {
     # Write to the Azure Functions log stream.
     Write-Host 'PowerShell HTTP trigger function processed a request.'
 
-    $TenantFilter = $Request.Body.TenantFilter
-    $NamedLocationId = $Request.Body.NamedLocationId
-    $change = $Request.Body.change
-    $content = $Request.Body.input
+    $TenantFilter = $Request.Body.TenantFilter ?? $Request.Query.TenantFilter
+    $NamedLocationId = $Request.Body.NamedLocationId ?? $Request.Query.NamedLocationId
+    $change = $Request.Body.change ?? $Request.Query.change
+    $content = $Request.Body.input ?? $Request.Query.input
 
     try {
         $results = Set-CIPPNamedLocation -NamedLocationId $NamedLocationId -TenantFilter $TenantFilter -change $change -content $content -ExecutingUser $request.headers.'x-ms-client-principal'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1

@@ -13,7 +13,14 @@ Function Invoke-listStandardTemplates {
     $Table = Get-CippTable -tablename 'templates'
     $Filter = "PartitionKey eq 'StandardsTemplateV2'"
     $Templates = (Get-CIPPAzDataTableEntity @Table -Filter $Filter) | ForEach-Object {
-        $data = $_.JSON | ConvertFrom-Json -Depth 100 -ErrorAction SilentlyContinue
+        $JSON = $_.JSON
+        try {
+            $data = $_.JSON | ConvertFrom-Json -Depth 100 -ErrorAction SilentlyContinue
+        } catch {
+            Write-Host "Could not load standard template: $($_.Exception.Message). Content of the template is: $($JSON)."
+            Write-Host "Template GUID: $($_.GUID)"
+            return
+        }
         $data | Add-Member -NotePropertyName 'GUID' -NotePropertyValue $_.GUID -Force
         if ($data.excludedTenants) { $data.excludedTenants = @($data.excludedTenants) }
         $data

Modules/CIPPCore/Public/Invoke-CIPPOffboardingJob.ps1

@@ -35,21 +35,21 @@ function Invoke-CIPPOffboardingJob {
             Set-CIPPSignInState -TenantFilter $tenantFilter -userid $username -AccountEnabled $false -ExecutingUser $ExecutingUser -APIName $APIName
         }
 
-        { $_.'OnedriveAccess' -ne '' } {
+        { $_.'OnedriveAccess' } {
             $Options.OnedriveAccess | ForEach-Object { Set-CIPPSharePointPerms -tenantFilter $tenantFilter -userid $username -OnedriveAccessUser $_.value -ExecutingUser $ExecutingUser -APIName $APIName }
         }
 
-        { $_.'AccessNoAutomap' -ne '' } {
+        { $_.'AccessNoAutomap' } {
             $Options.AccessNoAutomap | ForEach-Object { Set-CIPPMailboxAccess -tenantFilter $tenantFilter -userid $username -AccessUser $_.value -Automap $false -AccessRights @('FullAccess') -ExecutingUser $ExecutingUser -APIName $APIName }
         }
-        { $_.'AccessAutomap' -ne '' } {
+        { $_.'AccessAutomap' } {
             $Options.AccessAutomap | ForEach-Object { Set-CIPPMailboxAccess -tenantFilter $tenantFilter -userid $username -AccessUser $_.value -Automap $true -AccessRights @('FullAccess') -ExecutingUser $ExecutingUser -APIName $APIName }
         }
 
-        { $_.'OOO' -ne '' } {
+        { $_.'OOO' } {
             Set-CIPPOutOfOffice -tenantFilter $tenantFilter -userid $username -InternalMessage $Options.OOO -ExternalMessage $Options.OOO -ExecutingUser $ExecutingUser -APIName $APIName -state 'Enabled'
         }
-        { $_.'forward' -ne '' } {
+        { $_.'forward' } {
             if (!$Options.keepCopy) {
                 Set-CIPPForwarding -userid $userid -username $username -tenantFilter $Tenantfilter -Forward $Options.forward.value -ExecutingUser $ExecutingUser -APIName $APIName
             } else {

Modules/CIPPCore/Public/Set-CIPPSharePointPerms.ps1

@@ -1,8 +1,8 @@
 function Set-CIPPSharePointPerms {
     [CmdletBinding()]
     param (
-        $userid,
-        $OnedriveAccessUser,
+        $UserId, # The UPN or ID of the users OneDrive we are changing permissions on
+        $OnedriveAccessUser, # The UPN of the user we are adding or removing permissions for
         $TenantFilter,
         $APIName = 'Manage SharePoint Owner',
         $RemovePermission,
@@ -17,6 +17,7 @@ function Set-CIPPSharePointPerms {
 
     try {
         if (!$URL) {
+            Write-Information 'No URL provided, getting URL from Graph'
             $URL = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($UserId)/Drives" -asapp $true -tenantid $TenantFilter).WebUrl
         }
         $tenantName = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/sites/root' -asApp $true -tenantid $TenantFilter).id.Split('.')[0]
@@ -39,19 +40,19 @@ function Set-CIPPSharePointPerms {
 </Request>
 "@
         $request = New-GraphPostRequest -scope "$AdminURL/.default" -tenantid $TenantFilter -Uri "$AdminURL/_vti_bin/client.svc/ProcessQuery" -Type POST -Body $XML -ContentType 'text/xml'
-        Write-Host $($request)
+        # Write-Host $($request)
         if (!$request.ErrorInfo.ErrorMessage) {
             $Message = "$($OnedriveAccessUser) has been $($RemovePermission ? 'removed from' : 'given') access to $URL"
-            Write-LogMessage -user $ExecutingUser -API $APIName -message $Message -Sev 'Info' -tenant $TenantFilter
+            Write-LogMessage -user $ExecutingUser -API $APIName -message $Message -Sev Info -tenant $TenantFilter
             return $Message
         } else {
             $message = "Failed to change access: $($request.ErrorInfo.ErrorMessage)"
-            Write-LogMessage -user $ExecutingUser -API $APIName -message $message -Sev 'Info' -tenant $TenantFilter
-            return $message
+            Write-LogMessage -user $ExecutingUser -API $APIName -message $message -Sev Error -tenant $TenantFilter
+            throw $Message
         }
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        Write-LogMessage -user $ExecutingUser -API $APIName -message "Could not add new owner to  $($OnedriveAccessUser) on $URL. Error: $($ErrorMessage.NormalizedError)" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage
+        Write-LogMessage -user $ExecutingUser -API $APIName -message "Could not add new owner to $($OnedriveAccessUser) on $URL. Error: $($ErrorMessage.NormalizedError)" -Sev Error -tenant $TenantFilter -LogData $ErrorMessage
         return "Could not add owner for $($URL). Error: $($ErrorMessage.NormalizedError)"
     }
 }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1

@@ -33,6 +33,7 @@ function Invoke-CIPPStandardcalDefault {
     ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'calDefault'
 
     # Input validation
+    $Settings.permissionlevel = $Settings.permissionlevel.value ? $Settings.permissionlevel.value : $Settings.permissionlevel
     if ([string]::IsNullOrWhiteSpace($Settings.permissionlevel) -or $Settings.permissionlevel -eq 'Select a value') {
         Write-LogMessage -API 'Standards' -tenant $tenant -message 'calDefault: Invalid permissionlevel parameter set' -sev Error
         Return