Feat: Support JIT admin for guest users

kris6673 · kris6673 · commit 498866b2382d · 2025-12-11T20:22:33.000+01:00
Fix: Move logging into the functions Feat: Copy button only copies the info you actually want Fixes KelvinTegelaar/CIPP#5072 Feat: Add error handling for JIT admin user creation and execution
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
@@ -16,13 +16,9 @@ function Invoke-ExecJITAdmin {
     $TenantFilter = $Request.Body.tenantFilter.value ? $Request.Body.tenantFilter.value : $Request.Body.tenantFilter
 
 
-    if ($Request.Body.existingUser.value -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
-        $Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.existingUser.value)" -tenantid $TenantFilter).userPrincipalName
-    }
-
     $Start = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.StartDate)).DateTime.ToLocalTime()
     $Expiration = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.EndDate)).DateTime.ToLocalTime()
-    $Results = [System.Collections.Generic.List[string]]::new()
+    $Results = [System.Collections.Generic.List[object]]::new()
 
     if ($Request.Body.userAction -eq 'create') {
         $Domain = $Request.Body.Domain.value ? $Request.Body.Domain.value : $Request.Body.Domain
@@ -39,17 +35,62 @@ function Invoke-ExecJITAdmin {
             Reason       = $Request.Body.reason
             Action       = 'Create'
             TenantFilter = $TenantFilter
+            Headers      = $Headers
+            APIName      = $APIName
+        }
+        try {
+            $CreateResult = Set-CIPPUserJITAdmin @JITAdmin
+        } catch {
+            return ([HttpResponseContext]@{
+                    StatusCode = [HttpStatusCode]::BadRequest
+                    Body       = @{'Results' = @("Failed to create JIT Admin user: $($_.Exception.Message)") }
+                })
         }
-        $CreateResult = Set-CIPPUserJITAdmin @JITAdmin
-        Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Created JIT Admin user: $Username. Reason: $($Request.Body.reason). Roles: $($Request.Body.adminRoles.label -join ', ')" -Sev 'Info' -LogData $JITAdmin
-        $Results.Add("Created User: $Username")
+        $Results.Add(@{
+                resultText = "Created User: $Username"
+                copyField  = $Username
+                state      = 'success'
+            })
         if (!$Request.Body.UseTAP) {
-            $Results.Add("Password: $($CreateResult.password)")
+            $Results.Add(@{
+                    resultText = "Password: $($CreateResult.password)"
+                    copyField  = $CreateResult.password
+                    state      = 'success'
+                })
         }
         $Results.Add("JIT Admin Expires: $($Expiration)")
         Start-Sleep -Seconds 1
+    } else {
+
+        $Username = $Request.Body.existingUser.value
+        if ($Username -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
+            Write-Information "Resolving UserPrincipalName from ObjectId: $($Request.Body.existingUser.value)"
+            $Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.existingUser.value)" -tenantid $TenantFilter).userPrincipalName
+
+            # If the resolved username is a guest user, we need to use the id instead of the UPN
+            if ($Username -clike '*#EXT#*') {
+                $Username = $Request.Body.existingUser.value
+            }
+        }
+
+        # Validate we have a username
+        if ([string]::IsNullOrWhiteSpace($Username)) {
+            return [HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::BadRequest
+                Body       = @{ 'Results' = @("Could not resolve username from existingUser value: $($Request.Body.existingUser.value)") }
+            }
+        }
+
+        # Add username result for existing user
+        $Results.Add(@{
+                resultText = "User: $Username"
+                copyField  = $Username
+                state      = 'success'
+            })
     }
 
+
+
     #Region TAP creation
     if ($Request.Body.UseTAP) {
         try {
@@ -82,13 +123,21 @@ function Invoke-ExecJITAdmin {
             $PasswordLink = New-PwPushLink -Payload $TempPass
             $Password = $PasswordLink ? $PasswordLink : $TempPass
 
-            $Results.Add("Temporary Access Pass: $Password")
+            $Results.Add(@{
+                    resultText = "Temporary Access Pass: $Password"
+                    copyField  = $Password
+                    state      = 'success'
+                })
             $Results.Add("This TAP is usable starting at $($TapRequest.startDateTime) UTC for the next $PasswordExpiration minutes")
         } catch {
             $Results.Add('Failed to create TAP, if this is not yet enabled, use the Standards to push the settings to the tenant.')
             Write-Information (Get-CippException -Exception $_ | ConvertTo-Json -Depth 5)
             if ($Password) {
-                $Results.Add("Password: $Password")
+                $Results.Add(@{
+                        resultText = "Password: $Password"
+                        copyField  = $Password
+                        state      = 'success'
+                    })
             }
         }
     }
@@ -103,6 +152,8 @@ function Invoke-ExecJITAdmin {
         Action       = 'AddRoles'
         Reason       = $Request.Body.Reason
         Expiration   = $Expiration
+        Headers      = $Headers
+        APIName      = $APIName
     }
     if ($Start -gt (Get-Date)) {
         $TaskBody = @{
@@ -125,11 +176,16 @@ function Invoke-ExecJITAdmin {
             Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $Request.Body.existingUser.value -Expiration $Expiration -Reason $Request.Body.Reason
         }
         $Results.Add("Scheduling JIT Admin enable task for $Username")
-        Write-LogMessage -Headers $Headers -API $APIName -message "Scheduling JIT Admin for existing user: $Username. Reason: $($Request.Body.reason). Roles: $($Request.Body.adminRoles.label -join ', ') " -tenant $TenantFilter -Sev 'Info'
     } else {
-        $Results.Add("Executing JIT Admin enable task for $Username")
-        Set-CIPPUserJITAdmin @Parameters
-        Write-LogMessage -Headers $Headers -API $APIName -message "Executing JIT Admin for existing user: $Username. Reason: $($Request.Body.reason). Roles: $($Request.Body.adminRoles.label -join ', ') " -tenant $TenantFilter -Sev 'Info'
+        try {
+            $Results.Add("Executing JIT Admin enable task for $Username")
+            Set-CIPPUserJITAdmin @Parameters
+        } catch {
+            return ([HttpResponseContext]@{
+                    StatusCode = [HttpStatusCode]::BadRequest
+                    Body       = @{'Results' = @("Failed to execute JIT Admin enable task: $($_.Exception.Message)") }
+                })
+        }
     }
 
     $DisableTaskBody = [pscustomobject]@{
@@ -158,7 +214,6 @@ function Invoke-ExecJITAdmin {
     $null = Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false
     $Results.Add("Scheduling JIT Admin $($Request.Body.ExpireAction.value) task for $Username")
 
-    # TODO - We should find a way to have this return a HTTP status code based on the success or failure of the operation. This also doesn't return the results of the operation in a Results hash table, like most of the rest of the API.
     return ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK
             Body       = @{'Results' = @($Results) }
diff --git a/Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1 b/Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1
@@ -24,6 +24,9 @@ function Set-CIPPUserJITAdmin {
     .PARAMETER Reason
     Reason for JIT admin assignment. Defaults to 'No reason provided' as due to backwards compatibility this is not a mandatory field.
 
+    .PARAMETER Headers
+    Headers to include in logging
+
     .EXAMPLE
     Set-CIPPUserJITAdmin -TenantFilter 'contoso.onmicrosoft.com' -Headers@{UserPrincipalName = 'jit@contoso.onmicrosoft.com'} -Roles @('62e90394-69f5-4237-9190-012177145e10') -Action 'AddRoles' -Expiration (Get-Date).AddDays(1) -Reason 'Emergency access'
 
@@ -32,19 +35,16 @@ function Set-CIPPUserJITAdmin {
     param(
         [Parameter(Mandatory = $true)]
         [string]$TenantFilter,
-
         [Parameter(Mandatory = $true)]
         [hashtable]$User,
-
         [string[]]$Roles,
-
         [Parameter(Mandatory = $true)]
         [ValidateSet('Create', 'AddRoles', 'RemoveRoles', 'DeleteUser', 'DisableUser')]
         [string]$Action,
-
         [datetime]$Expiration,
-
-        [string]$Reason = 'No reason provided'
+        [string]$Reason = 'No reason provided',
+        $Headers,
+        [string]$APIName = 'Set-CIPPUserJITAdmin'
     )
 
     if ($PSCmdlet.ShouldProcess("User: $($User.UserPrincipalName)", "Action: $Action")) {
@@ -83,6 +83,7 @@ function Set-CIPPUserJITAdmin {
                     if ($PasswordLink) {
                         $Password = $PasswordLink
                     }
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Created JIT Admin user: $($User.UserPrincipalName). Reason: $Reason" -Sev 'Info'
                     [PSCustomObject]@{
                         id                = $NewUser.id
                         userPrincipalName = $NewUser.userPrincipalName
@@ -116,6 +117,8 @@ function Set-CIPPUserJITAdmin {
                 }
 
                 Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Enabled -Expiration $Expiration -Reason $Reason | Out-Null
+                $Message = "Added admin roles to user $($UserObj.displayName) ($($UserObj.userPrincipalName)). Reason: $Reason"
+                Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
                 return "Added admin roles to user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
             }
             'RemoveRoles' {
@@ -125,15 +128,20 @@ function Set-CIPPUserJITAdmin {
                     } catch {}
                 }
                 Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Clear | Out-Null
+                $Message = "Removed admin roles from user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
+                Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
                 return "Removed admin roles from user $($UserObj.displayName)"
             }
             'DeleteUser' {
                 try {
                     $null = New-GraphPOSTRequest -type DELETE -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)" -tenantid $TenantFilter
-                    return "Deleted user $($UserObj.displayName) ($($UserObj.userPrincipalName)) with id $($UserObj.id)"
+                    $Message = "Deleted user $($UserObj.displayName) ($($UserObj.userPrincipalName)) with id $($UserObj.id)"
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
+                    return $Message
                 } catch {
                     $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-                    return "Error deleting user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage"
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Error deleting user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage" -Sev 'Error'
+                    throw "Error deleting user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage"
                 }
             }
             'DisableUser' {
@@ -147,11 +155,13 @@ function Set-CIPPUserJITAdmin {
                     Write-Information "https://graph.microsoft.com/beta/users/$($User.UserPrincipalName)"
                     $null = New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/users/$($User.UserPrincipalName)" -tenantid $TenantFilter -body $Json
                     Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $User.UserPrincipalName -Clear | Out-Null
-                    return "Disabled user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
+                    $Message = "Disabled user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
+                    return $Message
                 } catch {
                     $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-                    return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage"
-
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage" -Sev 'Error'
+                    throw "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage"
                 }
             }
         }
