Merge pull request #392 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

ConversionTable.csv

@@ -15,6 +15,7 @@ function Get-CIPPAlertNewAppApproval {
     try {
         $Approvals = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests?`$filter=userConsentRequests/any (u:u/status eq 'InProgress')" -tenantid $TenantFilter
         if ($Approvals.count -gt 0) {
+            $TenantGUID = (Get-Tenants -TenantFilter $TenantFilter -SkipDomains).customerId
             $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
             foreach ($App in $Approvals) {
                 $userConsentRequests = New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests/$($App.id)/userConsentRequests" -tenantid $TenantFilter
@@ -29,13 +30,17 @@ function Get-CIPPAlertNewAppApproval {
                     }
 
                     $Message = [PSCustomObject]@{
+                        RequestId   = $_.id
                         AppName     = $App.appDisplayName
                         RequestUser = $_.createdBy.user.userPrincipalName
                         Reason      = $_.reason
+                        RequestDate = $_.createdDateTime
+                        Status      = $_.status # Will allways be InProgress as we filter to only get these but this will reduce confusion when an alert is generated
                         AppId       = $App.appId
                         Scopes      = ($App.pendingScopes.displayName -join ', ')
                         ConsentURL  = $consentUrl
                         Tenant      = $TenantFilter
+                        TenantId    = $TenantGUID
                     }
                     $AlertData.Add($Message)
                 }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewAppApproval.ps1

@@ -23,6 +23,42 @@ function Invoke-ListLogs {
                 label = $_.PartitionKey
             }
         }
+    } elseif ($Request.Query.logentryid) {
+        # Return single log entry by RowKey
+        $Filter = "RowKey eq '{0}'" -f $Request.Query.logentryid
+        $AllowedTenants = Test-CIPPAccess -Request $Request -TenantList
+        Write-Host "Getting single log entry for RowKey: $($Request.Query.logentryid)"
+
+        $Row = Get-AzDataTableEntity @Table -Filter $Filter
+
+        if ($Row) {
+            if ($AllowedTenants -notcontains 'AllTenants') {
+                $TenantList = Get-Tenants -IncludeErrors | Where-Object { $_.customerId -in $AllowedTenants }
+            }
+
+            if ($AllowedTenants -contains 'AllTenants' -or ($AllowedTenants -notcontains 'AllTenants' -and ($TenantList.defaultDomainName -contains $Row.Tenant -or $Row.Tenant -eq 'CIPP' -or $TenantList.customerId -contains $Row.TenantId)) ) {
+                $LogData = if ($Row.LogData -and (Test-Json -Json $Row.LogData -ErrorAction SilentlyContinue)) {
+                    $Row.LogData | ConvertFrom-Json
+                } else { $Row.LogData }
+                [PSCustomObject]@{
+                    DateTime = $Row.Timestamp
+                    Tenant   = $Row.Tenant
+                    API      = $Row.API
+                    Message  = $Row.Message
+                    User     = $Row.Username
+                    Severity = $Row.Severity
+                    LogData  = $LogData
+                    TenantID = if ($Row.TenantID -ne $null) {
+                        $Row.TenantID
+                    } else {
+                        'None'
+                    }
+                    AppId    = $Row.AppId
+                    IP       = $Row.IP
+                    RowKey   = $Row.RowKey
+                }
+            }
+        }
     } else {
         if ($request.Query.Filter -eq 'True') {
             $LogLevel = if ($Request.Query.Severity) { ($Request.query.Severity).split(',') } else { 'Info', 'Warn', 'Error', 'Critical', 'Alert' }
@@ -86,6 +122,7 @@ function Invoke-ListLogs {
                     }
                     AppId    = $Row.AppId
                     IP       = $Row.IP
+                    RowKey   = $Row.RowKey
                 }
             }
         }

Modules/CIPPCore/Public/ConversionTable.csv

@@ -58,8 +58,20 @@ function New-GraphBulkRequest {
             }
 
         } catch {
-            $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error.message
-            if ($null -eq $Message) { $Message = $($_.Exception.Message) }
+            # Try to parse ErrorDetails.Message as JSON
+            if ($_.ErrorDetails.Message) {
+                try {
+                    $ErrorJson = $_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction Stop
+                    $Message = $ErrorJson.error.message
+                } catch {
+                    $Message = $_.ErrorDetails.Message
+                }
+            }
+
+            if ([string]::IsNullOrEmpty($Message)) {
+                $Message = $_.Exception.Message
+            }
+
             if ($Message -ne 'Request not applicable to target tenant.') {
                 $Tenant.LastGraphError = $Message ?? ''
                 $Tenant.GraphErrorCount++

Modules/CIPPCore/Public/Entrypoints/Invoke-ListLogs.ps1

@@ -30,8 +30,12 @@ function Invoke-CIPPStandardAuthMethodsPolicyMigration {
     param($Tenant, $Settings)
     $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $Tenant
 
+    if ($null -eq $CurrentInfo) {
+        throw "Failed to retrieve current authentication methods policy information"
+    }
+
     if ($Settings.remediate -eq $true) {
-        if ($CurrentInfo.policyMigrationState -eq 'migrationComplete') {
+        if ($CurrentInfo.policyMigrationState -eq 'migrationComplete' -or $null -eq $CurrentInfo.policyMigrationState) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Authentication methods policy migration is already complete.' -sev Info
         } else {
             try {
@@ -44,14 +48,14 @@ function Invoke-CIPPStandardAuthMethodsPolicyMigration {
     }
 
     if ($Settings.alert -eq $true) {
-        if ($CurrentInfo.policyMigrationState -ne 'migrationComplete') {
+        if ($CurrentInfo.policyMigrationState -ne 'migrationComplete' -and $null -ne $CurrentInfo.policyMigrationState) {
             Write-StandardsAlert -message 'Authentication methods policy migration is not complete. Please check if you have legacy SSPR settings or MFA settings set: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-methods-manage' -object $CurrentInfo -tenant $tenant -standardName 'AuthMethodsPolicyMigration' -standardId $Settings.standardId
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Authentication methods policy migration is not complete' -sev Alert
         }
     }
 
     if ($Settings.report -eq $true) {
-        $migrationComplete = $CurrentInfo.policyMigrationState -eq 'migrationComplete'
+        $migrationComplete = $CurrentInfo.policyMigrationState -eq 'migrationComplete' -or $null -eq $CurrentInfo.policyMigrationState
         Set-CIPPStandardsCompareField -FieldName 'standards.AuthMethodsPolicyMigration' -FieldValue $migrationComplete -TenantFilter $tenant
         Add-CIPPBPAField -FieldName 'AuthMethodsPolicyMigration' -FieldValue $migrationComplete -StoreAs bool -Tenant $tenant
     }

Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1

@@ -59,7 +59,7 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP {
             # Disable SMTP Basic Authentication for all users
             $SMTPusers | ForEach-Object {
                 try {
-                    New-ExoRequest -tenantid $Tenant -cmdlet 'Set-CASMailbox' -cmdParams @{ Identity = $_.Identity; SmtpClientAuthenticationDisabled = $null } -UseSystemMailbox $true
+                    New-ExoRequest -tenantid $Tenant -cmdlet 'Set-CASMailbox' -cmdParams @{ Identity = $_.Guid; SmtpClientAuthenticationDisabled = $null } -UseSystemMailbox $true
                     Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabled SMTP Basic Authentication for $($_.DisplayName), $($_.PrimarySmtpAddress)" -sev Info
                 } catch {
                     $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuthMethodsPolicyMigration.ps1

@@ -44,7 +44,7 @@ function Invoke-CIPPStandardDisableExchangeOnlinePowerShell {
     try {
 
         $AdminUsers = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?$expand=principal' -tenantid $Tenant).principal.userPrincipalName
-        $UsersWithPowerShell = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-User' -Select 'userPrincipalName, identity, remotePowerShellEnabled' | Where-Object { $_.RemotePowerShellEnabled -eq $true -and $_.userPrincipalName -notin $AdminUsers }
+        $UsersWithPowerShell = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-User' -Select 'userPrincipalName, identity, guid, remotePowerShellEnabled' | Where-Object { $_.RemotePowerShellEnabled -eq $true -and $_.userPrincipalName -notin $AdminUsers }
         $PowerShellEnabledCount = ($UsersWithPowerShell | Measure-Object).Count
         $StateIsCorrect = $PowerShellEnabledCount -eq 0
     } catch {
@@ -61,7 +61,7 @@ function Invoke-CIPPStandardDisableExchangeOnlinePowerShell {
                 @{
                     CmdletInput = @{
                         CmdletName = 'Set-User'
-                        Parameters = @{Identity = $_.Identity; RemotePowerShellEnabled = $false }
+                        Parameters = @{Identity = $_.Guid; RemotePowerShellEnabled = $false }
                     }
                 }
             }