exchange permission repair

Author: JohnDuprey

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecAccessChecks.ps1

@@ -50,17 +50,19 @@ function Invoke-ExecAccessChecks {
                     $Results = foreach ($Tenant in $Tenants) {
                         $TenantCheck = $AccessChecks | Where-Object -Property RowKey -EQ $Tenant.customerId | Select-Object -Property Data
                         $TenantResult = [PSCustomObject]@{
-                            TenantId           = $Tenant.customerId
-                            TenantName         = $Tenant.displayName
-                            DefaultDomainName  = $Tenant.defaultDomainName
-                            GraphStatus        = 'Not run yet'
-                            ExchangeStatus     = 'Not run yet'
-                            GDAPRoles          = ''
-                            MissingRoles       = ''
-                            LastRun            = ''
-                            GraphTest          = ''
-                            ExchangeTest       = ''
-                            OrgManagementRoles = @()
+                            TenantId                  = $Tenant.customerId
+                            TenantName                = $Tenant.displayName
+                            DefaultDomainName         = $Tenant.defaultDomainName
+                            GraphStatus               = 'Not run yet'
+                            ExchangeStatus            = 'Not run yet'
+                            GDAPRoles                 = ''
+                            MissingRoles              = ''
+                            LastRun                   = ''
+                            GraphTest                 = ''
+                            ExchangeTest              = ''
+                            OrgManagementRoles        = @()
+                            OrgManagementRolesMissing = @()
+                            OrgManagementRepairNeeded = $false
                         }
                         if ($TenantCheck) {
                             $Data = @($TenantCheck.Data | ConvertFrom-Json -ErrorAction Stop)
@@ -71,7 +73,9 @@ function Invoke-ExecAccessChecks {
                             $TenantResult.LastRun = $Data.LastRun
                             $TenantResult.GraphTest = $Data.GraphTest
                             $TenantResult.ExchangeTest = $Data.ExchangeTest
-                            $TenantResult.OrgManagementRoles = $Data.OrgManagementRoles
+                            $TenantResult.OrgManagementRoles = $Data.OrgManagementRoles ? @($Data.OrgManagementRoles) : @()
+                            $TenantResult.OrgManagementRolesMissing = $Data.OrgManagementRolesMissing ? @($Data.OrgManagementRolesMissing) : @()
+                            $TenantResult.OrgManagementRepairNeeded = $Data.OrgManagementRolesMissing.Count -gt 0
                         }
                         $TenantResult
                     }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecExchangeRoleRepair.ps1

@@ -0,0 +1,94 @@
+function Invoke-ExecExchangeRoleRepair {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        CIPP.AppSettings.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $Headers = $Request.Headers
+
+    $TenantId = $Request.Query.tenantId ?? $Request.Body.tenantId
+    $Tenant = Get-Tenants -TenantFilter $TenantId
+
+    try {
+        Write-Information "Starting Exchange Organization Management role repair for tenant: $($Tenant.defaultDomainName)"
+        $OrgManagementRoles = New-ExoRequest -tenantid $Tenant.customerId -cmdlet 'Get-ManagementRoleAssignment' -cmdParams @{ RoleAssignee = 'Organization Management'; Delegating = $false } | Select-Object -Property Role, Guid
+        Write-Information "Found $($OrgManagementRoles.Count) Organization Management roles in Exchange"
+
+        $RoleDefinitions = New-GraphGetRequest -tenantid $Tenant.customerId -uri 'https://graph.microsoft.com/beta/roleManagement/exchange/roleDefinitions'
+        Write-Information "Found $($RoleDefinitions.Count) Exchange role definitions"
+
+        $BasePath = Get-Module -Name 'CIPPCore' | Select-Object -ExpandProperty ModuleBase
+        $AllOrgManagementRoles = Get-Content -Path "$BasePath\Public\OrganizationManagementRoles.json" -ErrorAction Stop | ConvertFrom-Json
+
+        $AvailableRoles = $RoleDefinitions | Where-Object -Property displayName -In $AllOrgManagementRoles | Select-Object -Property displayName, id, description
+        Write-Information "Found $($AvailableRoles.Count) available Organization Management roles in Exchange"
+        $MissingOrgMgmtRoles = $AvailableRoles | Where-Object { $OrgManagementRoles.Role -notcontains $_.displayName }
+
+        if ($MissingOrgMgmtRoles.Count -gt 0) {
+            $Requests = foreach ($Role in $MissingOrgMgmtRoles) {
+                [PSCustomObject]@{
+                    id      = $Role.id
+                    method  = 'POST'
+                    url     = 'roleManagement/exchange/roleAssignments'
+                    body    = @{
+                        principalId      = '/RoleGroups/Organization Management'
+                        roleDefinitionId = $Role.id
+                        directoryScopeId = '/'
+                        appScopeId       = $null
+                    }
+                    headers = @{
+                        'Content-Type' = 'application/json'
+                    }
+                }
+            }
+
+            $RepairResults = New-GraphBulkRequest -tenantid $Tenant.customerId -Requests @($Requests) -asapp $true
+            $RepairSuccess = $RepairResults.status -eq 201
+            if ($RepairSuccess) {
+                $Results = @{
+                    state      = 'success'
+                    resultText = "Successfully repaired the missing Organization Management roles: $($MissingOrgMgmtRoles.displayName -join ', ')"
+                }
+                Write-LogMessage -headers $Headers -tenant $Tenant.defaultDomainName -tenantid $Tenant.customerId -Message "Successfully repaired the missing Organization Management roles: $($MissingOrgMgmtRoles.displayName -join ', '). Run another Tenant Access check after waiting a bit for replication." -sev 'Info'
+            } else {
+                # Get roles that failed to repair
+                $FailedRoles = $RepairResults | Where-Object { $_.status -ne 201 } | ForEach-Object {
+                    $RoleId = $_.id
+                    $Role = $MissingOrgMgmtRoles | Where-Object { $_.id -eq $RoleId }
+                    $Role.displayName
+                }
+                $PermissionError = $false
+                if ($RepairResults.status -in (401, 403, 500)) {
+                    $PermissionError = $true
+                }
+                $Results = @{
+                    state      = 'error'
+                    resultText = "Failed to repair the missing Organization Management roles: $($FailedRoles -join ', ').$(if ($PermissionError) { " This may be due to insufficient permissions. The required Graph Permission is 'RoleManagement.ReadWrite.Exchange'" })"
+                }
+                Write-LogMessage -headers $Headers -tenant $Tenant.defaultDomainName -tenantid $Tenant.customerId -Message "Failed to repair the missing Organization Management roles: $($FailedRoles -join ', ')" -sev 'Error'
+            }
+        } else {
+            $Results = @{
+                state      = 'success'
+                resultText = 'No missing Organization Management roles found.'
+            }
+        }
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-Warning "Exception during Exchange Organization Management role repair: $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -tenant $Tenant.defaultDomainName -tenantid $Tenant.customerId -Message "Exchange Organization Management role repair failed: $($ErrorMessage.NormalizedError)" -sev 'Error' -LogData $ErrorMessage
+        $Results = @{
+            state      = 'error'
+            resultText = "Exchange Organization Management role repair failed: $($ErrorMessage.NormalizedError)"
+        }
+    }
+
+    Push-OutputBinding -Name 'Response' -Value ([HttpResponseContext]@{
+            StatusCode = [System.Net.HttpStatusCode]::OK
+            Body       = $Results
+        })
+}

Modules/CIPPCore/Public/OrganizationManagementRoles.json

@@ -0,0 +1,51 @@
+[
+  "Audit Logs",
+  "Communication Compliance Admin",
+  "Communication Compliance Investigation",
+  "Compliance Admin",
+  "Data Loss Prevention",
+  "Distribution Groups",
+  "E-Mail Address Policies",
+  "Federated Sharing",
+  "Information Protection Admin",
+  "Information Protection Analyst",
+  "Information Protection Investigator",
+  "Information Protection Reader",
+  "Information Rights Management",
+  "Insider Risk Management Admin",
+  "Insider Risk Management Investigation",
+  "Journaling",
+  "Legal Hold",
+  "Mail Enabled Public Folders",
+  "Mail Recipient Creation",
+  "Mail Recipients",
+  "Mail Tips",
+  "Message Tracking",
+  "Migration",
+  "Move Mailboxes",
+  "Org Custom Apps",
+  "Org Marketplace Apps",
+  "Organization Client Access",
+  "Organization Configuration",
+  "Organization Transport Settings",
+  "PlacesBuildingManagement",
+  "PlacesDeskManagement",
+  "Privacy Management Admin",
+  "Privacy Management Investigation",
+  "Public Folders",
+  "Recipient Policies",
+  "Remote and Accepted Domains",
+  "Reset Password",
+  "Retention Management",
+  "Role Management",
+  "Security Admin",
+  "Security Group Creation and Membership",
+  "Security Reader",
+  "TenantPlacesManagement",
+  "Transport Hygiene",
+  "Transport Rules",
+  "User Options",
+  "View-Only Audit Logs",
+  "View-Only Configuration",
+  "View-Only Recipients"
+]

Modules/CIPPCore/Public/Test-CIPPAccessTenant.ps1

@@ -48,15 +48,16 @@ function Test-CIPPAccessTenant {
         $ExchangeStatus = $false
 
         $Results = [PSCustomObject]@{
-            TenantName         = $Tenant.defaultDomainName
-            GraphStatus        = $false
-            GraphTest          = ''
-            ExchangeStatus     = $false
-            ExchangeTest       = ''
-            GDAPRoles          = ''
-            MissingRoles       = ''
-            OrgManagementRoles = @()
-            LastRun            = (Get-Date).ToUniversalTime()
+            TenantName                = $Tenant.defaultDomainName
+            GraphStatus               = $false
+            GraphTest                 = ''
+            ExchangeStatus            = $false
+            ExchangeTest              = ''
+            GDAPRoles                 = ''
+            MissingRoles              = ''
+            OrgManagementRoles        = @()
+            OrgManagementRolesMissing = @()
+            LastRun                   = (Get-Date).ToUniversalTime()
         }
 
         $AddedText = ''
@@ -104,39 +105,32 @@ function Test-CIPPAccessTenant {
 
         try {
             $null = New-ExoRequest -tenantid $Tenant.customerId -cmdlet 'Get-OrganizationConfig' -ErrorAction Stop
-            $ExchangeStatus = $true
-            $ExchangeTest = 'Successfully connected to Exchange'
-
-            # Get the Exchange role definitions and assignments for the Organization Management role group
-            $Requests = @(
-                @{
-                    id     = 'roleDefinitions'
-                    method = 'GET'
-                    url    = 'roleManagement/exchange/roleDefinitions?$top=999'
-                }
-                @{
-                    id     = 'roleAssignments'
-                    method = 'GET'
-                    url    = "roleManagement/exchange/roleAssignments?`$filter=principalId eq '/RoleGroups/Organization Management'&`$top=999"
-                }
-            )
-
-            $ExchangeRoles = New-GraphBulkRequest -tenantid $Tenant.customerId -Requests $Requests
-
-            # Get results and expand assigments with role definitions
-            $RoleDefinitions = ($ExchangeRoles | Where-Object -Property id -EQ 'roleDefinitions').body.value | Select-Object -Property id, displayName, description, isBuiltIn, isEnabled
-            $RoleAssignments = ($ExchangeRoles | Where-Object -Property id -EQ 'roleAssignments').body.value
-            $OrgManagementAssignments = $RoleAssignments | Where-Object -Property principalId -EQ '/RoleGroups/Organization Management' | Sort-Object -Property roleDefinitionId -Unique
-            $OrgManagementRoles = $OrgManagementAssignments | ForEach-Object {
-                $RoleDefinitions | Where-Object -Property id -EQ $_.roleDefinitionId
-            } | Sort-Object -Property displayName
 
-            Write-Warning "Found $($OrgManagementRoles.Count) Organization Management role assignments in Exchange"
+            $OrgManagementRoles = New-ExoRequest -tenantid $Tenant.customerId -cmdlet 'Get-ManagementRoleAssignment' -cmdParams @{ RoleAssignee = 'Organization Management'; Delegating = $false } | Select-Object -Property Role, Guid
+            Write-Information "Found $($OrgManagementRoles.Count) Organization Management roles in Exchange"
             $Results.OrgManagementRoles = $OrgManagementRoles
 
-            # TODO: Get list of known good roles and compare against the found roles
-
-
+            $RoleDefinitions = New-GraphGetRequest -tenantid $Tenant.customerId -uri 'https://graph.microsoft.com/beta/roleManagement/exchange/roleDefinitions'
+            Write-Information "Found $($RoleDefinitions.Count) Exchange role definitions"
+
+            $BasePath = Get-Module -Name 'CIPPCore' | Select-Object -ExpandProperty ModuleBase
+            $AllOrgManagementRoles = Get-Content -Path "$BasePath\Public\OrganizationManagementRoles.json" -ErrorAction Stop | ConvertFrom-Json
+            Write-Information "Loaded all Organization Management roles from $BasePath\Public\OrganizationManagementRoles.json"
+
+            $AvailableRoles = $RoleDefinitions | Where-Object -Property displayName -In $AllOrgManagementRoles | Select-Object -Property displayName, id, description
+            Write-Information "Found $($AvailableRoles.Count) available Organization Management roles in Exchange"
+            $MissingOrgMgmtRoles = $AvailableRoles | Where-Object { $OrgManagementRoles.Role -notcontains $_.displayName }
+            if (($MissingOrgMgmtRoles | Measure-Object).Count -gt 0) {
+                $Results.OrgManagementRolesMissing = $MissingOrgMgmtRoles
+                Write-Warning "Found $($MissingRoles.Count) missing Organization Management roles in Exchange"
+                $ExchangeStatus = $false
+                $ExchangeTest = 'Connected to Exchange but missing permissions in Organization Management. This may impact the ability to manage Exchange features'
+                Write-LogMessage -headers $Headers -API $APINAME -tenant $tenant.defaultDomainName -message 'Tenant access check for Exchange failed: Missing Organization Management roles' -Sev 'Warning' -LogData $MissingOrgMgmtRoles
+            } else {
+                Write-Warning 'All available Organization Management roles are present in Exchange'
+                $ExchangeStatus = $true
+                $ExchangeTest = 'Successfully connected to Exchange'
+            }
         } catch {
             $ErrorMessage = Get-CippException -Exception $_
             $ReportedError = ($_.ErrorDetails | ConvertFrom-Json -ErrorAction SilentlyContinue)
@@ -145,6 +139,7 @@ function Test-CIPPAccessTenant {
 
             $ExchangeTest = "Failed to connect to Exchange: $($ErrorMessage.NormalizedError)"
             Write-LogMessage -headers $Headers -API $APINAME -tenant $tenant.defaultDomainName -message "Tenant access check for Exchange failed: $($ErrorMessage.NormalizedError) " -Sev 'Error' -LogData $ErrorMessage
+            Write-Warning "Failed to connect to Exchange: $($_.Exception.Message)"
         }
 
         if ($GraphStatus -and $ExchangeStatus) {