|
| 1 | +using namespace System.Net |
| 2 | + |
| 3 | +function Invoke-ExecHVEUser { |
| 4 | + <# |
| 5 | + .FUNCTIONALITY |
| 6 | + Entrypoint |
| 7 | + .ROLE |
| 8 | + Exchange.Mailbox.ReadWrite |
| 9 | + #> |
| 10 | + [CmdletBinding()] |
| 11 | + param($Request, $TriggerMetadata) |
| 12 | + |
| 13 | + $APIName = $Request.Params.CIPPEndpoint |
| 14 | + $Headers = $Request.Headers |
| 15 | + Write-LogMessage -Headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug' |
| 16 | + |
| 17 | + $Results = [System.Collections.Generic.List[string]]::new() |
| 18 | + $HVEUserObject = $Request.Body |
| 19 | + $Tenant = $HVEUserObject.TenantFilter |
| 20 | + |
| 21 | + try { |
| 22 | + # Check if Security Defaults are enabled |
| 23 | + try { |
| 24 | + $SecurityDefaults = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $Tenant |
| 25 | + if ($SecurityDefaults.isEnabled -eq $true) { |
| 26 | + $Results.Add('WARNING: Security Defaults are enabled for this tenant. HVE might not function.') |
| 27 | + } |
| 28 | + } catch { |
| 29 | + $Results.Add('WARNING: Could not check Security Defaults status. Please verify authentication policies manually.') |
| 30 | + } |
| 31 | + |
| 32 | + # Create the HVE user using New-MailUser |
| 33 | + $BodyToShip = [pscustomobject] @{ |
| 34 | + Name = $HVEUserObject.displayName |
| 35 | + DisplayName = $HVEUserObject.displayName |
| 36 | + PrimarySmtpAddress = $HVEUserObject.primarySMTPAddress |
| 37 | + Password = $HVEUserObject.password |
| 38 | + HVEAccount = $true |
| 39 | + } |
| 40 | + |
| 41 | + $CreateHVERequest = New-ExoRequest -tenantid $Tenant -cmdlet 'New-MailUser' -cmdParams $BodyToShip |
| 42 | + $Results.Add("Successfully created HVE user: $($HVEUserObject.primarySMTPAddress)") |
| 43 | + Write-LogMessage -Headers $Headers -API $APIName -tenant $Tenant -message "Created HVE user $($HVEUserObject.displayName) with email $($HVEUserObject.primarySMTPAddress)" -Sev 'Info' |
| 44 | + |
| 45 | + # Try to exclude from Conditional Access policies that block basic authentication |
| 46 | + try { |
| 47 | + # Get all Conditional Access policies |
| 48 | + $CAPolicies = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $Tenant |
| 49 | + |
| 50 | + $BasicAuthPolicies = $CAPolicies | Where-Object { |
| 51 | + $_.conditions.clientAppTypes -contains 'exchangeActiveSync' -or |
| 52 | + $_.conditions.clientAppTypes -contains 'other' -or |
| 53 | + $_.conditions.applications.includeApplications -contains 'All' -and |
| 54 | + $_.grantControls.builtInControls -contains 'block' |
| 55 | + } |
| 56 | + |
| 57 | + if ($BasicAuthPolicies) { |
| 58 | + foreach ($Policy in $BasicAuthPolicies) { |
| 59 | + try { |
| 60 | + # Add the HVE user to the exclusions |
| 61 | + $ExcludedUsers = @($Policy.conditions.users.excludeUsers) |
| 62 | + if ($CreateHVERequest.ExternalDirectoryObjectId -notin $ExcludedUsers) { |
| 63 | + |
| 64 | + $ExcludeUsers = @($ExcludedUsers + $CreateHVERequest.ExternalDirectoryObjectId) |
| 65 | + $UpdateBody = @{ |
| 66 | + conditions = @{ |
| 67 | + users = @{ |
| 68 | + excludeUsers = @($ExcludeUsers | Sort-Object -Unique) |
| 69 | + } |
| 70 | + } |
| 71 | + } |
| 72 | + |
| 73 | + $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($Policy.id)" -type PATCH -body (ConvertTo-Json -InputObject $UpdateBody -Depth 10) -tenantid $Tenant |
| 74 | + $Results.Add("Excluded HVE user from Conditional Access policy: $($Policy.displayName)") |
| 75 | + Write-LogMessage -Headers $Headers -API $APIName -tenant $Tenant -message "Excluded HVE user from CA policy: $($Policy.displayName)" -Sev 'Info' |
| 76 | + } |
| 77 | + } catch { |
| 78 | + $ErrorMessage = Get-CippException -Exception $_ |
| 79 | + $Message = "Failed to exclude from CA policy '$($Policy.displayName)': $($ErrorMessage.NormalizedError)" |
| 80 | + Write-LogMessage -Headers $Headers -API $APIName -tenant $Tenant -message $Message -Sev 'Warning' -LogData $ErrorMessage |
| 81 | + $Results.Add($Message) |
| 82 | + } |
| 83 | + } |
| 84 | + } else { |
| 85 | + $Results.Add('No Conditional Access policies blocking basic authentication found.') |
| 86 | + } |
| 87 | + } catch { |
| 88 | + $ErrorMessage = Get-CippException -Exception $_ |
| 89 | + $Message = "Failed to check/update Conditional Access policies: $($ErrorMessage.NormalizedError)" |
| 90 | + Write-LogMessage -Headers $Headers -API $APIName -tenant $Tenant -message $Message -Sev 'Warning' -LogData $ErrorMessage |
| 91 | + $Results.Add($Message) |
| 92 | + } |
| 93 | + |
| 94 | + $StatusCode = [HttpStatusCode]::OK |
| 95 | + } catch { |
| 96 | + $ErrorMessage = Get-CippException -Exception $_ |
| 97 | + $Message = "Failed to create HVE user: $($ErrorMessage.NormalizedError)" |
| 98 | + Write-LogMessage -Headers $Headers -API $APIName -tenant $Tenant -message $Message -Sev 'Error' -LogData $ErrorMessage |
| 99 | + $Results.Add($Message) |
| 100 | + $StatusCode = [HttpStatusCode]::Forbidden |
| 101 | + } |
| 102 | + |
| 103 | + # Associate values to output bindings by calling 'Push-OutputBinding'. |
| 104 | + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ |
| 105 | + StatusCode = $StatusCode |
| 106 | + Body = @{ Results = @($Results) } |
| 107 | + }) |
| 108 | +} |
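Review bot: The Where-Object filter on new-side lines 50–55 does not select "policies blocking basic authentication": PowerShell binds `-and` tighter than `-or`, so the predicate evaluates as `clientAppTypes -contains 'exchangeActiveSync' -or clientAppTypes -contains 'other' -or (includeApplications -contains 'All' -and builtInControls -contains 'block')`, and any policy that merely targets legacy-auth client types — MFA-grant policies, disabled or report-only ones, since `state` is never checked — gets the new account added to its exclusions. Because this account is presumably meant to authenticate with the static password supplied in the request body, silently carving it out of non-blocking policies widens exposure beyond what the result and log messages claim. Group the scope tests and require the block control on every match: `($_.conditions.clientAppTypes -contains 'exchangeActiveSync' -or $_.conditions.clientAppTypes -contains 'other' -or $_.conditions.applications.includeApplications -contains 'All') -and $_.grantControls.builtInControls -contains 'block'`, and consider adding `-and $_.state -eq 'enabled'` so policies that are not enforced are left untouched. Separately, `$CreateHVERequest.ExternalDirectoryObjectId` on line 62 is used without a null check, so a create response lacking that property would pass the `-notin` test and PATCH a `$null` entry into `excludeUsers`; a guard such as `if (-not $CreateHVERequest.ExternalDirectoryObjectId) { throw 'New-MailUser did not return ExternalDirectoryObjectId' }` before the policy loop would surface that instead.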