Merge pull request #355 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 3033c41bdf46 · 2025-07-12T06:41:05.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecServicePrincipals.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecServicePrincipals.ps1
@@ -3,7 +3,7 @@ function Invoke-ExecServicePrincipals {
     .FUNCTIONALITY
         Entrypoint,AnyTenant
     .ROLE
-        CIPP.Core.ReadWrite
+        Tenant.Application.ReadWrite
     #>
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecApplication.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecApplication.ps1
@@ -0,0 +1,155 @@
+function Invoke-ExecApplication {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Tenant.Application.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    $ValidTypes = @('applications', 'servicePrincipals')
+    $ValidActions = @('Update', 'Upsert', 'Delete', 'RemoveKey', 'RemovePassword')
+
+    $Id = $Request.Query.Id ?? $Request.Body.Id
+    $Type = $Request.Query.Type ?? $Request.Body.Type
+    if (-not $Id) {
+        $AppId = $Request.Query.AppId ?? $Request.Body.AppId
+        if (-not $AppId) {
+            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                    StatusCode = [HttpStatusCode]::BadRequest
+                    Body       = "Required parameter 'Id' or 'AppId' is missing"
+                })
+            return
+        }
+        $IdPath = "(appId='$AppId')"
+    } else {
+        $IdPath = "/$Id"
+    }
+    if ($Type -and $ValidTypes -notcontains $Type) {
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::BadRequest
+                Body       = "Invalid Type specified. Valid types are: $($ValidTypes -join ', ')"
+            })
+        return
+    }
+
+    $Uri = "https://graph.microsoft.com/beta/$($Type)$($IdPath)"
+    $Action = $Request.Query.Action ?? $Request.Body.Action
+
+    if ($ValidActions -notcontains $Action) {
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::BadRequest
+                Body       = "Invalid Action specified. Valid actions are: $($ValidActions -join ', ')"
+            })
+        return
+    }
+
+    $PostParams = @{
+        Uri = $Uri
+    }
+
+    if ($Action -eq 'Delete') {
+        $PostParams.Type = 'DELETE'
+    }
+    if ($Action -eq 'Update' -or $Action -eq 'Upsert') {
+        $PostParams.Type = 'PATCH'
+    }
+
+    if ($Action -eq 'Upsert') {
+        $PostParams.AddedHeaders = @{
+            'Prefer' = 'create-if-missing'
+        }
+    }
+
+    if ($Request.Body) {
+        $PostParams.Body = $Request.Body.Payload | ConvertTo-Json -Compress
+    }
+
+    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
+
+    try {
+        if ($Action -eq 'RemoveKey' -or $Action -eq 'RemovePassword') {
+            # Handle credential removal
+            $KeyIds = $Request.Body.KeyIds.value ?? $Request.Body.KeyIds
+            if (-not $KeyIds -or $KeyIds.Count -eq 0) {
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::BadRequest
+                        Body       = "KeyIds parameter is required for $Action action"
+                    })
+                return
+            }
+
+            if ($Action -eq 'RemoveKey') {
+                # For key credentials, use a single PATCH request
+                $CurrentObject = New-GraphGetRequest -Uri $Uri -tenantid $TenantFilter -AsApp $true
+                $UpdatedKeyCredentials = $CurrentObject.keyCredentials | Where-Object { $_.keyId -notin $KeyIds }
+                $PatchBody = @{
+                    keyCredentials = @($UpdatedKeyCredentials)
+                }
+
+                $Response = New-GraphPOSTRequest -Uri $Uri -Type 'PATCH' -Body ($PatchBody | ConvertTo-Json -Depth 10) -tenantid $TenantFilter -AsApp $true
+
+                $Results = @{
+                    resultText = "Successfully removed $($KeyIds.Count) key credential(s) from $Type"
+                    state      = 'success'
+                    details    = @($Response)
+                }
+            } else {
+                # For password credentials, use bulk removePassword requests
+                $BulkRequests = foreach ($KeyId in $KeyIds) {
+                    $RemoveBody = @{
+                        keyId = $KeyId
+                    }
+
+                    @{
+                        id      = $KeyId
+                        method  = 'POST'
+                        url     = "$($Type)$($IdPath)/removePassword"
+                        body    = $RemoveBody
+                        headers = @{
+                            'Content-Type' = 'application/json'
+                        }
+                    }
+                }
+
+                $BulkResults = New-GraphBulkRequest -Requests @($BulkRequests) -tenantid $TenantFilter -AsApp $true
+
+                $SuccessCount = ($BulkResults | Where-Object { $_.status -eq 204 }).Count
+                $FailureCount = ($BulkResults | Where-Object { $_.status -ne 204 }).Count
+
+                $Results = @{
+                    resultText = "Bulk RemovePassword completed. Success: $SuccessCount, Failures: $FailureCount"
+                    state      = if ($FailureCount -eq 0) { 'success' } else { 'error' }
+                    details    = @($BulkResults)
+                }
+            }
+        } else {
+            # Handle regular actions
+            $null = New-GraphPOSTRequest @PostParams -tenantid $TenantFilter -AsApp $true
+            $Results = @{
+                resultText = "Successfully executed $Action on $Type with Id: $Id"
+                state      = 'success'
+            }
+        }
+
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::OK
+                Body       = @{ Results = $Results }
+            })
+    } catch {
+        $Results = @{
+            resultText = "Failed to execute $Action on $Type with Id: $Id. Error: $($_.Exception.Message)"
+            state      = 'error'
+        }
+
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::InternalServerError
+                Body       = @{ Results = @($Results) }
+            })
+    }
+}
diff --git a/Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1
@@ -3,19 +3,21 @@ function New-GraphBulkRequest {
     .FUNCTIONALITY
     Internal
     #>
-    Param(
+    param(
         $tenantid,
         $NoAuthCheck,
         $scope,
         $asapp,
         $Requests,
-        $NoPaginateIds = @()
+        $NoPaginateIds = @(),
+        [ValidateSet('v1.0', 'beta')]
+        $Version = 'beta'
     )
 
     if ($NoAuthCheck -or (Get-AuthorisedRequest -Uri $uri -TenantID $tenantid)) {
         $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp
 
-        $URL = 'https://graph.microsoft.com/beta/$batch'
+        $URL = "https://graph.microsoft.com/$Version/`$batch"
 
         # Track consecutive Graph API failures
         $TenantsTable = Get-CippTable -tablename Tenants
