Merge branch 'KelvinTegelaar:master' into master

Author: IntegriComCalvin

CIPP-Permissions.json

@@ -425,6 +425,11 @@
         "Name": "UserAuthenticationMethod.ReadWrite",
         "Description": "Allows the app to read and write your authentication methods, including phone numbers and Authenticator app settings.This does not allow the app to see secret information like your passwords, or to sign-in or otherwise use your authentication methods."
       },
+      {
+        "Id": "424b07a8-1209-4d17-9fe4-9018a93a1024",
+        "Name": "TeamsTelephoneNumber.ReadWrite.All",
+        "Description": "Allows the app to read and modify your tenant's acquired telephone number details on behalf of the signed-in admin user. Acquired telephone numbers may include attributes related to assigned object, emergency location, network site, etc."
+      },
       {
         "Id": "b7887744-6746-4312-813d-72daeaee7e2d",
         "Name": "UserAuthenticationMethod.ReadWrite.All",
@@ -697,6 +702,11 @@
         "Name": "User.ReadWrite.All",
         "Description": "Allows the app to read and update user profiles without a signed in user."
       },
+      {
+        "Id": "0a42382f-155c-4eb1-9bdc-21548ccaa387",
+        "Name": "TeamsTelephoneNumber.ReadWrite.All",
+        "Description": "Allows the app to read your tenant's acquired telephone number details, without a signed-in user. Acquired telephone numbers may include attributes related to assigned object, emergency location, network site, etc."
+      },
       {
         "Id": "50483e42-d915-4231-9639-7fdb7fd190e5",
         "Name": "UserAuthenticationMethod.ReadWrite.All",

CommunityRepos.json

@@ -1,4 +1,22 @@
 [
+  {
+    "Id": "1041442982",
+    "Name": "CISTemplates",
+    "Description": "CIPP CIS Templates",
+    "URL": "https://github.com/CyberDrain/CyberDrain-CIS-Templates",
+    "FullName": "CyberDrain/CyberDrain-CIS-Templates",
+    "Owner": "CyberDrain",
+    "Visibility": "public",
+    "WriteAccess": false,
+    "DefaultBranch": "main",
+    "RepoPermissions": {
+      "admin": false,
+      "maintain": false,
+      "push": false,
+      "triage": false,
+      "pull": true
+    }
+  },
   {
     "Id": "930523724",
     "Name": "CIPP-Templates",
@@ -52,5 +70,23 @@
       "triage": false,
       "pull": true
     }
+  },
+  {
+    "Id": "863076113",
+    "Name": "IntuneBaseLines",
+    "Description": "In this repo, you will find Intune profiles in JSON format, which can be used in setting up your Modern Workplace. All policies were created in Microsoft Intune and exported to share with the community.",
+    "URL": "https://github.com/IntuneAdmin/IntuneBaselines",
+    "FullName": "IntuneAdmin/IntuneBaselines",
+    "Owner": "IntuneAdmin",
+    "Visibility": "public",
+    "WriteAccess": false,
+    "DefaultBranch": "main",
+    "RepoPermissions": {
+      "admin": false,
+      "maintain": false,
+      "push": false,
+      "triage": false,
+      "pull": true
+    }
   }
 ]

Config/SchedulerRateLimits.json

@@ -0,0 +1,10 @@
+[
+  {
+    "Command": "Sync-CIPPExtensionData",
+    "MaxRequests": 50
+  },
+  {
+    "Command": "Push-CIPPExtensionData",
+    "MaxRequests": 30
+  }
+]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLicensedUsersWithRoles.ps1

@@ -0,0 +1,36 @@
+function Get-CIPPAlertLicensedUsersWithRoles {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    # Get all users with assigned licenses
+    $LicensedUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$top=999&`$select=userPrincipalName,assignedLicenses,displayName" -tenantid $TenantFilter | Where-Object { $_.assignedLicenses -and $_.assignedLicenses.Count -gt 0 }
+    if (-not $LicensedUsers -or $LicensedUsers.Count -eq 0) {
+        Write-Information "No licensed users found for tenant $TenantFilter"
+        return $true
+    }
+    # Get all directory roles with their members
+    $DirectoryRoles = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/directoryRoles?`$expand=members" -tenantid $TenantFilter
+    if (-not $DirectoryRoles -or $DirectoryRoles.Count -eq 0) {
+        Write-Information "No directory roles found for tenant $TenantFilter"
+        return
+    }
+    $UsersToAlertOn = $LicensedUsers | Where-Object { $_.userPrincipalName -in $DirectoryRoles.members.userPrincipalName }
+
+
+    if ($UsersToAlertOn.Count -gt 0) {
+        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $UsersToAlertOn
+    } else {
+        Write-Information "No licensed users with roles found for tenant $TenantFilter"
+    }
+
+
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuotaUsed.ps1

@@ -17,7 +17,7 @@ function Get-CIPPAlertQuotaUsed {
         return
     }
     $OverQuota = $AlertData | ForEach-Object {
-        if ($_.StorageUsedInBytes -eq 0 -or $_.prohibitSendReceiveQuotaInBytes -eq 0) { return }
+        if ([string]::IsNullOrEmpty($_.StorageUsedInBytes) -or [string]::IsNullOrEmpty($_.prohibitSendReceiveQuotaInBytes) -or $_.StorageUsedInBytes -eq 0 -or $_.prohibitSendReceiveQuotaInBytes -eq 0) { return }
         try {
             $PercentLeft = [math]::round(($_.storageUsedInBytes / $_.prohibitSendReceiveQuotaInBytes) * 100)
         } catch { $PercentLeft = 100 }

Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearches.ps1

@@ -13,27 +13,31 @@ function Get-CippAuditLogSearches {
         [Parameter()]
         [switch]$ReadyToProcess
     )
-
+    $AuditLogSearchesTable = Get-CippTable -TableName 'AuditLogSearches'
     if ($ReadyToProcess.IsPresent) {
-        $AuditLogSearchesTable = Get-CippTable -TableName 'AuditLogSearches'
         $15MinutesAgo = (Get-Date).AddMinutes(-15).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
         $1DayAgo = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
-        $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "Tenant eq '$TenantFilter' and (CippStatus eq 'Pending' or (CippStatus eq 'Processing' and Timestamp le datetime'$15MinutesAgo')) and Timestamp ge datetime'$1DayAgo'" | Sort-Object Timestamp
+        $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "PartitionKey eq 'Search' and Tenant eq '$TenantFilter' and (CippStatus eq 'Pending' or (CippStatus eq 'Processing' and Timestamp le datetime'$15MinutesAgo')) and Timestamp ge datetime'$1DayAgo'" | Sort-Object Timestamp
+    } else {
+        $7DaysAgo = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+        $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "Tenant eq '$TenantFilter' and Timestamp ge datetime'$7DaysAgo'"
+    }
 
-        $BulkRequests = foreach ($PendingQuery in $PendingQueries) {
-            @{
-                id     = $PendingQuery.RowKey
-                url    = 'security/auditLog/queries/' + $PendingQuery.RowKey
-                method = 'GET'
-            }
+    $BulkRequests = foreach ($PendingQuery in $PendingQueries) {
+        @{
+            id     = $PendingQuery.RowKey
+            url    = 'security/auditLog/queries/' + $PendingQuery.RowKey
+            method = 'GET'
         }
-        if ($BulkRequests.Count -eq 0) {
-            return @()
-        }
-        $Queries = New-GraphBulkRequest -Requests @($BulkRequests) -AsApp $true -TenantId $TenantFilter | Select-Object -ExpandProperty body
+    }
+    if ($BulkRequests.Count -eq 0) {
+        return @()
+    }
+    $Queries = New-GraphBulkRequest -Requests @($BulkRequests) -AsApp $true -TenantId $TenantFilter | Select-Object -ExpandProperty body
+
+    if ($ReadyToProcess.IsPresent) {
         $Queries = $Queries | Where-Object { $PendingQueries.RowKey -contains $_.id -and $_.status -eq 'succeeded' }
-    } else {
-        $Queries = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/security/auditLog/queries' -AsApp $true -tenantid $TenantFilter
     }
+
     return $Queries
 }

Modules/CIPPCore/Public/AuditLogs/New-CippAuditLogSearch.ps1

@@ -157,20 +157,26 @@ function New-CippAuditLogSearch {
     if ($PSCmdlet.ShouldProcess('Create a new audit log search for tenant ' + $TenantFilter)) {
         $Query = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/security/auditLog/queries' -body ($SearchParams | ConvertTo-Json -Compress) -tenantid $TenantFilter -AsApp $true
 
+
         if ($ProcessLogs.IsPresent -and $Query.id) {
-            $Entity = [PSCustomObject]@{
-                PartitionKey = [string]'Search'
-                RowKey       = [string]$Query.id
-                Tenant       = [string]$TenantFilter
-                DisplayName  = [string]$DisplayName
-                StartTime    = [datetime]$StartTime.ToUniversalTime()
-                EndTime      = [datetime]$EndTime.ToUniversalTime()
-                Query        = [string]($Query | ConvertTo-Json -Compress)
-                CippStatus   = [string]'Pending'
-            }
-            $Table = Get-CIPPTable -TableName 'AuditLogSearches'
-            Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force | Out-Null
+            $CippStatus = 'Pending'
+        } else {
+            $CippStatus = 'N/A'
+        }
+
+        $Entity = [PSCustomObject]@{
+            PartitionKey = [string]'Search'
+            RowKey       = [string]$Query.id
+            Tenant       = [string]$TenantFilter
+            DisplayName  = [string]$DisplayName
+            StartTime    = [datetime]$StartTime.ToUniversalTime()
+            EndTime      = [datetime]$EndTime.ToUniversalTime()
+            Query        = [string]($Query | ConvertTo-Json -Compress)
+            CippStatus   = [string]$CippStatus
         }
+        $Table = Get-CIPPTable -TableName 'AuditLogSearches'
+        Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force | Out-Null
+
         return $Query
     }
 }

Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1

@@ -20,11 +20,13 @@ function Get-CIPPRolePermissions {
         $Permissions = $Role.Permissions | ConvertFrom-Json
         $AllowedTenants = if ($Role.AllowedTenants) { $Role.AllowedTenants | ConvertFrom-Json } else { @() }
         $BlockedTenants = if ($Role.BlockedTenants) { $Role.BlockedTenants | ConvertFrom-Json } else { @() }
+        $BlockedEndpoints = if ($Role.BlockedEndpoints) { $Role.BlockedEndpoints | ConvertFrom-Json } else { @() }
         [PSCustomObject]@{
-            Role           = $Role.RowKey
-            Permissions    = $Permissions.PSObject.Properties.Value
-            AllowedTenants = @($AllowedTenants)
-            BlockedTenants = @($BlockedTenants)
+            Role             = $Role.RowKey
+            Permissions      = $Permissions.PSObject.Properties.Value
+            AllowedTenants   = @($AllowedTenants)
+            BlockedTenants   = @($BlockedTenants)
+            BlockedEndpoints = @($BlockedEndpoints)
         }
     } else {
         throw "Role $RoleName not found."

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -199,6 +199,7 @@ function Test-CIPPAccess {
                     continue
                 }
             }
+
             if ($PermissionsFound) {
                 if ($TenantList.IsPresent) {
                     $LimitedTenantList = foreach ($Permission in $PermissionSet) {
@@ -248,6 +249,9 @@ function Test-CIPPAccess {
                 foreach ($Role in $PermissionSet) {
                     foreach ($Perm in $Role.Permissions) {
                         if ($Perm -match $APIRole) {
+                            if ($Role.BlockedEndpoints -contains $Request.Params.CIPPEndpoint) {
+                                throw "Access to this CIPP API endpoint is not allowed, the custom role '$($Role.Role)' has blocked this endpoint: $($Request.Params.CIPPEndpoint)"
+                            }
                             $APIAllowed = $true
                             break
                         }

Modules/CIPPCore/Public/CippQueue/Invoke-ListCippQueue.ps1

@@ -5,20 +5,32 @@ function Invoke-ListCippQueue {
     .ROLE
         CIPP.Core.Read
     #>
-    param($Request = $null, $TriggerMetadata = $null)
+    param($Request = $null, $TriggerMetadata = $null, $Reference = $null, $QueueId = $null)
 
     if ($Request) {
         $APIName = $Request.Params.CIPPEndpoint
         Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
     }
 
+    $QueueId = $Request.Query.QueueId ?? $QueueId
+    $Reference = $Request.Query.Reference ?? $Reference
+
     $CippQueue = Get-CippTable -TableName 'CippQueue'
     $CippQueueTasks = Get-CippTable -TableName 'CippQueueTasks'
     $3HoursAgo = (Get-Date).ToUniversalTime().AddHours(-3).ToString('yyyy-MM-ddTHH:mm:ssZ')
-    $CippQueueData = Get-CIPPAzDataTableEntity @CippQueue -Filter "PartitionKey eq 'CippQueue' and Timestamp ge datetime'$3HoursAgo'" | Sort-Object -Property Timestamp -Descending
+
+    if ($QueueId) {
+        $Filter = "PartitionKey eq 'CippQueue' and RowKey eq '$QueueId'"
+    } elseif ($Reference) {
+        $Filter = "PartitionKey eq 'CippQueue' and Reference eq '$Reference' and Timestamp ge datetime'$3HoursAgo'"
+    } else {
+        $Filter = "PartitionKey eq 'CippQueue' and Timestamp ge datetime'$3HoursAgo'"
+    }
+
+    $CippQueueData = Get-CIPPAzDataTableEntity @CippQueue -Filter $Filter | Sort-Object -Property Timestamp -Descending
 
     $QueueData = foreach ($Queue in $CippQueueData) {
-        $Tasks = Get-CIPPAzDataTableEntity @CippQueueTasks -Filter "PartitionKey eq 'Task' and QueueId eq '$($Queue.RowKey)'" | Where-Object { $_.Name } | Select-Object @{n = 'Timestamp'; exp = { $_.Timestamp.DateTime.ToUniversalTime() } }, Name, Status
+        $Tasks = Get-CIPPAzDataTableEntity @CippQueueTasks -Filter "PartitionKey eq 'Task' and QueueId eq '$($Queue.RowKey)'" | Where-Object { $_.Name } | Select-Object @{n = 'Timestamp'; exp = { $_.Timestamp } }, Name, Status
         $TaskStatus = @{}
         $Tasks | Group-Object -Property Status | ForEach-Object {
             $TaskStatus.$($_.Name) = $_.Count
@@ -54,9 +66,9 @@ function Invoke-ListCippQueue {
             PercentComplete = [math]::Round(((($TotalCompleted + $TotalFailed) / $Queue.TotalTasks) * 100), 1)
             PercentFailed   = [math]::Round((($TotalFailed / $Queue.TotalTasks) * 100), 1)
             PercentRunning  = [math]::Round((($TotalRunning / $Queue.TotalTasks) * 100), 1)
-            Tasks           = @($Tasks)
+            Tasks           = @($Tasks | Sort-Object -Descending Timestamp)
             Status          = $Queue.Status
-            Timestamp       = $Queue.Timestamp.DateTime.ToUniversalTime()
+            Timestamp       = $Queue.Timestamp
         }
 
     }