Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev

Author: KelvinTegelaar

Modules/CIPPCore/Public/Authentication/Get-CippApiAuth.ps1

@@ -4,25 +4,31 @@ function Get-CippApiAuth {
         [string]$FunctionAppName
     )
 
-    if ($env:MSI_SECRET) {
-        Disable-AzContextAutosave -Scope Process | Out-Null
-        $null = Connect-AzAccount -Identity
-        $SubscriptionId = $env:WEBSITE_OWNER_NAME -split '\+' | Select-Object -First 1
-        $Context = Set-AzContext -SubscriptionId $SubscriptionId
-    } else {
-        $Context = Get-AzContext
-        $SubscriptionId = $Context.Subscription.Id
+    if ($env:WEBSITE_AUTH_V2_CONFIG_JSON) {
+        $AuthSettings = $env:WEBSITE_AUTH_V2_CONFIG_JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
     }
 
-    # Get auth settings
-    $AuthSettings = Invoke-AzRestMethod -Uri "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2/list?api-version=2020-06-01" -ErrorAction Stop | Select-Object -ExpandProperty Content | ConvertFrom-Json
+    if (-not $AuthSettings) {
+        if ($env:MSI_SECRET) {
+            Disable-AzContextAutosave -Scope Process | Out-Null
+            $null = Connect-AzAccount -Identity
+            $SubscriptionId = $env:WEBSITE_OWNER_NAME -split '\+' | Select-Object -First 1
+            $Context = Set-AzContext -SubscriptionId $SubscriptionId
+        } else {
+            $Context = Get-AzContext
+            $SubscriptionId = $Context.Subscription.Id
+        }
+
+        # Get auth settings
+        $AuthSettings = (Invoke-AzRestMethod -Uri "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$RGName/providers/Microsoft.Web/sites/$($FunctionAppName)/config/authsettingsV2/list?api-version=2020-06-01" -ErrorAction Stop | Select-Object -ExpandProperty Content | ConvertFrom-Json).properties
+    }
 
-    if ($AuthSettings.properties) {
+    if ($AuthSettings) {
         [PSCustomObject]@{
             ApiUrl    = "https://$($env:WEBSITE_HOSTNAME)"
-            TenantID  = $AuthSettings.properties.identityProviders.azureActiveDirectory.registration.openIdIssuer -replace 'https://sts.windows.net/', '' -replace '/v2.0', ''
-            ClientIDs = $AuthSettings.properties.identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedApplications
-            Enabled   = $AuthSettings.properties.identityProviders.azureActiveDirectory.enabled
+            TenantID  = $AuthSettings.identityProviders.azureActiveDirectory.registration.openIdIssuer -replace 'https://sts.windows.net/', '' -replace '/v2.0', ''
+            ClientIDs = $AuthSettings.identityProviders.azureActiveDirectory.validation.defaultAuthorizationPolicy.allowedApplications
+            Enabled   = $AuthSettings.identityProviders.azureActiveDirectory.enabled
         }
     } else {
         throw 'No auth settings found'

Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogProcessingOrchestrator.ps1

@@ -28,9 +28,9 @@ function Start-AuditLogProcessingOrchestrator {
             $ProcessBatch = foreach ($TenantGroup in $TenantGroups) {
                 $TenantFilter = $TenantGroup.Name
                 $RowIds = @($TenantGroup.Group.RowKey)
-                for ($i = 0; $i -lt $RowIds.Count; $i += 1000) {
-                    Write-Host "Processing $TenantFilter with $($RowIds.Count) row IDs. We're processing id $($RowIds[$i]) to $($RowIds[[Math]::Min($i + 999, $RowIds.Count - 1)])"
-                    $BatchRowIds = $RowIds[$i..([Math]::Min($i + 999, $RowIds.Count - 1))]
+                for ($i = 0; $i -lt $RowIds.Count; $i += 500) {
+                    Write-Host "Processing $TenantFilter with $($RowIds.Count) row IDs. We're processing id $($RowIds[$i]) to $($RowIds[[Math]::Min($i + 499, $RowIds.Count - 1)])"
+                    $BatchRowIds = $RowIds[$i..([Math]::Min($i + 499, $RowIds.Count - 1))]
                     [PSCustomObject]@{
                         TenantFilter = $TenantFilter
                         RowIds       = $BatchRowIds

Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1

@@ -148,39 +148,76 @@ function Test-CIPPAuditLogRules {
             }
         }
 
-        # Collect bulk data for users/groups/devices/applications
-        $Requests = @(
-            @{
-                id     = 'users'
-                url    = '/users?$select=id,displayName,userPrincipalName,accountEnabled&$top=999'
-                method = 'GET'
-            }
-            @{
-                id     = 'groups'
-                url    = '/groups?$select=id,displayName,mailEnabled,securityEnabled&$top=999'
-                method = 'GET'
-            }
-            @{
-                id     = 'devices'
-                url    = '/devices?$select=id,displayName,deviceId&$top=999'
-                method = 'GET'
-            }
-            @{
-                id     = 'servicePrincipals'
-                url    = '/servicePrincipals?$select=id,displayName&$top=999'
-                method = 'GET'
-            }
-        )
-        $Response = New-GraphBulkRequest -TenantId $TenantFilter -Requests $Requests
+        $Table = Get-CIPPTable -tablename 'cacheauditloglookups'
+        $1dayago = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+        $Lookups = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq '$TenantFilter' and Timestamp gt datetime'$1dayago'"
+        if (!$Lookups) {
+            # Collect bulk data for users/groups/devices/applications
+            $Requests = @(
+                @{
+                    id     = 'users'
+                    url    = '/users?$select=id,displayName,userPrincipalName,accountEnabled&$top=999'
+                    method = 'GET'
+                }
+                @{
+                    id     = 'groups'
+                    url    = '/groups?$select=id,displayName,mailEnabled,securityEnabled&$top=999'
+                    method = 'GET'
+                }
+                @{
+                    id     = 'devices'
+                    url    = '/devices?$select=id,displayName,deviceId&$top=999'
+                    method = 'GET'
+                }
+                @{
+                    id     = 'servicePrincipals'
+                    url    = '/servicePrincipals?$select=id,displayName&$top=999'
+                    method = 'GET'
+                }
+            )
+            $Response = New-GraphBulkRequest -TenantId $TenantFilter -Requests $Requests
+            $Users = ($Response | Where-Object { $_.id -eq 'users' }).body.value
+            $Groups = ($Response | Where-Object { $_.id -eq 'groups' }).body.value ?? @()
+            $Devices = ($Response | Where-Object { $_.id -eq 'devices' }).body.value ?? @()
+            $ServicePrincipals = ($Response | Where-Object { $_.id -eq 'servicePrincipals' }).body.value
+            # Cache the lookups for 1 day
+            $Entities = @(
+                @{
+                    PartitionKey = $TenantFilter
+                    RowKey       = 'users'
+                    Data         = [string]($Users | ConvertTo-Json -Compress)
+                }
+                @{
+                    PartitionKey = $TenantFilter
+                    RowKey       = 'groups'
+                    Data         = [string]($Groups | ConvertTo-Json -Compress)
+                }
+                @{
+                    PartitionKey = $TenantFilter
+                    RowKey       = 'devices'
+                    Data         = [string]($Devices | ConvertTo-Json -Compress)
+                }
+                @{
+                    PartitionKey = $TenantFilter
+                    RowKey       = 'servicePrincipals'
+                    Data         = [string]($ServicePrincipals | ConvertTo-Json -Compress)
+                }
+            )
+            # Save the cached lookups
+            Add-CIPPAzDataTableEntity @Table -Entity $Entities -Force
+            Write-Information "Cached directory lookups for tenant $TenantFilter"
+        } else {
+            # Use cached lookups
+            $Users = ($Lookups | Where-Object { $_.RowKey -eq 'users' }).Data | ConvertFrom-Json
+            $Groups = ($Lookups | Where-Object { $_.RowKey -eq 'groups' }).Data | ConvertFrom-Json
+            $Devices = ($Lookups | Where-Object { $_.RowKey -eq 'devices' }).Data | ConvertFrom-Json
+            $ServicePrincipals = ($Lookups | Where-Object { $_.RowKey -eq 'servicePrincipals' }).Data | ConvertFrom-Json
+            Write-Information "Using cached directory lookups for tenant $TenantFilter"
+        }
 
         # partner users
         $PartnerUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,displayName,userPrincipalName,accountEnabled&`$top=999" -AsApp $true -NoAuthCheck $true
 
-        $Users = ($Response | Where-Object { $_.id -eq 'users' }).body.value
-        $Groups = ($Response | Where-Object { $_.id -eq 'groups' }).body.value ?? @()
-        $Devices = ($Response | Where-Object { $_.id -eq 'devices' }).body.value ?? @()
-        $ServicePrincipals = ($Response | Where-Object { $_.id -eq 'servicePrincipals' }).body.value
-
         Write-Warning '## Audit Log Configuration ##'
         Write-Information ($Configuration | ConvertTo-Json -Depth 10)
 

Modules/CippEntrypoints/CippEntrypoints.psm1

@@ -228,7 +228,7 @@ function Receive-CippOrchestrationTrigger {
                 if (($Output | Measure-Object).Count -gt 0) {
                     Write-Information "Waiting for ($($Output.Count)) activity functions to complete..."
                     foreach ($Task in $Output) {
-                        Write-Information ($Task | ConvertTo-Json -Depth 10 -Compress)
+                        #Write-Information ($Task | ConvertTo-Json -Depth 10 -Compress)
                         try {
                             $Results = Wait-ActivityFunction -Task $Task
                         } catch {}