Validate app IDs in CA policy applications

JohnDuprey · JohnDuprey · commit 4c78da146689 · 2025-12-05T20:23:43.000-05:00
Added logic to filter included and excluded application IDs in CA policy to ensure only app IDs with a corresponding service principal in the tenant are retained. Also replaced usage of $User with $Headers in log messages for consistency.
diff --git a/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1 b/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1
@@ -13,8 +13,6 @@ function New-CIPPCAPolicy {
         $Headers
     )
 
-    $User = $Request.Headers
-
     function Remove-EmptyArrays ($Object) {
         if ($Object -is [Array]) {
             foreach ($Item in $Object) { Remove-EmptyArrays $Item }
@@ -45,14 +43,14 @@ function New-CIPPCAPolicy {
         $GroupIds = [System.Collections.Generic.List[string]]::new()
         $groupNames | ForEach-Object {
             if (Test-IsGuid $_) {
-                Write-LogMessage -Headers $User -API 'Create CA Policy' -message "Already GUID, no need to replace: $_" -Sev 'Debug'
+                Write-LogMessage -Headers $Headers -API 'Create CA Policy' -message "Already GUID, no need to replace: $_" -Sev 'Debug'
                 $GroupIds.Add($_) # it's a GUID, so we keep it
             } else {
                 $groupId = ($groups | Where-Object -Property displayName -EQ $_).id # it's a display name, so we get the group ID
                 if ($groupId) {
                     foreach ($gid in $groupId) {
                         Write-Warning "Replaced group name $_ with ID $gid"
-                        $null = Write-LogMessage -Headers $User -API 'Create CA Policy' -message "Replaced group name $_ with ID $gid" -Sev 'Debug'
+                        $null = Write-LogMessage -Headers $Headers -API 'Create CA Policy' -message "Replaced group name $_ with ID $gid" -Sev 'Debug'
                         $GroupIds.Add($gid) # add the ID to the list
                     }
                 } elseif ($CreateGroups) {
@@ -141,6 +139,31 @@ function New-CIPPCAPolicy {
         }
     }
 
+    #if we have excluded or included applications, we need to remove any appIds that do not have a service principal in the tenant
+
+    if (($JSONobj.conditions.applications.includeApplications -and $JSONobj.conditions.applications.includeApplications -notcontains 'All') -or ($JSONobj.conditions.applications.excludeApplications -and $JSONobj.conditions.applications.excludeApplications -notcontains 'All')) {
+        $AllServicePrincipals = New-GraphGETRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals?$select=appId' -tenantid $TenantFilter -asApp $true
+
+        if ($JSONobj.conditions.applications.excludeApplications -and $JSONobj.conditions.applications.excludeApplications -notcontains 'All') {
+            $ValidExclusions = [system.collections.generic.list[string]]::new()
+            foreach ($appId in $JSONobj.conditions.applications.excludeApplications) {
+                if ($AllServicePrincipals.appId -contains $appId) {
+                    $ValidExclusions.Add($appId)
+                }
+            }
+            $JSONobj.conditions.applications.excludeApplications = $ValidExclusions
+        }
+        if ($JSONobj.conditions.applications.includeApplications -and $JSONobj.conditions.applications.includeApplications -notcontains 'All') {
+            $ValidInclusions = [system.collections.generic.list[string]]::new()
+            foreach ($appId in $JSONobj.conditions.applications.includeApplications) {
+                if ($AllServicePrincipals.appId -contains $appId) {
+                    $ValidInclusions.Add($appId)
+                }
+            }
+            $JSONobj.conditions.applications.includeApplications = $ValidInclusions
+        }
+    }
+
     #for each of the locations, check if they exist, if not create them. These are in $JSONobj.LocationInfo
     $LocationLookupTable = foreach ($locations in $JSONobj.LocationInfo) {
         if (!$locations) { continue }
