feat: AllTenants support with Custom Roles & Tenant Restrictions

JohnDuprey · JohnDuprey · commit 4f1faa7e84a8 · 2025-11-16T11:46:54.000-05:00
Get-Tenants will now only return tenants that users have permission to see
Also prevent users with limited tenant access from managing tenant groups
diff --git a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1 b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
@@ -1,7 +1,8 @@
 function Test-CIPPAccess {
     param(
         $Request,
-        [switch]$TenantList
+        [switch]$TenantList,
+        [switch]$GroupList
     )
     if ($Request.Params.CIPPEndpoint -eq 'ExecSAMSetup') { return $true }
 
@@ -239,7 +240,21 @@ function Test-CIPPAccess {
                             $ExpandedAllowedTenants | Where-Object { $ExpandedBlockedTenants -notcontains $_ }
                         }
                     }
-                    return $LimitedTenantList
+                    return @($LimitedTenantList | Sort-Object -Unique)
+                } elseif ($GroupList.IsPresent) {
+                    Write-Information "Getting allowed groups for roles: $($CustomRoles -join ', ')"
+                    $LimitedGroupList = foreach ($Permission in $PermissionSet) {
+                        if ((($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants') -and (($Permission.BlockedTenants | Measure-Object).Count -eq 0)) {
+                            @('AllGroups')
+                        } else {
+                            foreach ($AllowedItem in $Permission.AllowedTenants) {
+                                if ($AllowedItem -is [PSCustomObject] -and $AllowedItem.type -eq 'Group') {
+                                    $AllowedItem.value
+                                }
+                            }
+                        }
+                    }
+                    return @($LimitedGroupList | Sort-Object -Unique)
                 }
 
                 $TenantAllowed = $false
@@ -256,12 +271,14 @@ function Test-CIPPAccess {
                     }
 
                     if ($APIAllowed) {
-                        $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Query.tenantId ?? $Request.Body.tenantId ?? $Request.Body.tenantId.value ?? $env:TenantID
+                        $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId.value ?? $Request.Body.tenantId ?? $env:TenantID
                         # Check tenant level access
                         if (($Role.BlockedTenants | Measure-Object).Count -eq 0 -and $Role.AllowedTenants -contains 'AllTenants') {
                             $TenantAllowed = $true
-                        } elseif ($TenantFilter -eq 'AllTenants') {
+                        } elseif ($TenantFilter -eq 'AllTenants' -and $ApiRole -match 'Write$') {
                             $TenantAllowed = $false
+                        } elseif ($TenantFilter -eq 'AllTenants' -and $ApiRole -match 'Read$') {
+                            $TenantAllowed = $true
                         } else {
                             $Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
 
@@ -328,12 +345,11 @@ function Test-CIPPAccess {
                 }
                 return $true
                 if ($APIAllowed) {
-                    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId ?? $env:TenantID
+                    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter.value ?? $Request.Body.tenantFilter ?? $Request.Query.tenantId ?? $Request.Body.tenantId.value ?? $Request.Body.tenantId ?? $env:TenantID
                     # Check tenant level access
                     if (($Role.BlockedTenants | Measure-Object).Count -eq 0 -and $Role.AllowedTenants -contains 'AllTenants') {
                         $TenantAllowed = $true
                     } elseif ($TenantFilter -eq 'AllTenants') {
-
                         $TenantAllowed = $false
                     } else {
                         $Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
diff --git a/Modules/CIPPCore/Public/CippQueue/Invoke-ListCippQueue.ps1 b/Modules/CIPPCore/Public/CippQueue/Invoke-ListCippQueue.ps1
@@ -1,7 +1,7 @@
 function Invoke-ListCippQueue {
     <#
     .FUNCTIONALITY
-        Entrypoint
+        Entrypoint,AnyTenant
     .ROLE
         CIPP.Core.Read
     #>
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ListApiTest.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ListApiTest.ps1
@@ -18,6 +18,8 @@ function Invoke-ListApiTest {
         }
         $Response.EnvironmentVariables = $EnvironmentVariables
     }
+    $Response.AllowedTenants = $script:AllowedTenants
+    $Response.AllowedGroups = $script:AllowedGroups
 
     return ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecTenantGroup.ps1
@@ -23,6 +23,14 @@ function Invoke-ExecTenantGroup {
     $dynamicRules = $Request.Body.dynamicRules
     $ruleLogic = $Request.Body.ruleLogic ?? 'and'
 
+    $AllowedGroups = Test-CippAccess -Request $Request -GroupList
+    if ($AllowedGroups -notcontains 'AllGroups') {
+        return ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::Forbidden
+                Body       = @{ Results = 'You do not have permission to manage tenant groups.' }
+            })
+    }
+
     switch ($Action) {
         'AddEdit' {
             $Results = [System.Collections.Generic.List[object]]::new()
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/New-CippCoreRequest.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/New-CippCoreRequest.ps1
@@ -38,6 +38,18 @@ function New-CippCoreRequest {
                     })
             }
 
+            $AllowedTenants = Test-CippAccess -Request $Request -TenantList
+            $AllowedGroups = Test-CippAccess -Request $Request -GroupList
+
+            if ($AllowedTenants -notcontains 'AllTenants') {
+                Write-Warning 'Limiting tenant access'
+                $script:AllowedTenants = $AllowedTenants
+            }
+            if ($AllowedGroups -notcontains 'AllGroups') {
+                Write-Warning 'Limiting group access'
+                $script:AllowedGroups = $AllowedGroups
+            }
+
             try {
                 Write-Information "Access: $Access"
                 Write-LogMessage -headers $Headers -API $Request.Params.CIPPEndpoint -message 'Accessed this API' -Sev 'Debug'
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1
@@ -16,11 +16,7 @@ function Invoke-ListTenants {
     $TenantAccess = Test-CIPPAccess -Request $Request -TenantList
     Write-Host "Tenant Access: $TenantAccess"
 
-    if ($TenantAccess -notcontains 'AllTenants') {
-        $AllTenantSelector = $false
-    } else {
-        $AllTenantSelector = $Request.Query.AllTenantSelector
-    }
+    $AllTenantSelector = $Request.Query.AllTenantSelector
 
     $IncludeOffboardingDefaults = $Request.Query.IncludeOffboardingDefaults
 
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListBreachesTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListBreachesTenant.ps1
@@ -16,7 +16,9 @@ function Invoke-ListBreachesTenant {
         $filter = $null
     }
     try {
-        $usersResults = (Get-CIPPAzDataTableEntity @Table -Filter $filter).breaches | ConvertFrom-Json -ErrorAction SilentlyContinue
+        $Tenants = Get-Tenants -IncludeErrors
+        $Rows = Get-CIPPAzDataTableEntity @Table -Filter $filter | Where-Object { $Tenants.defaultDomainName -contains $_.PartitionKey }
+        $usersResults = $Rows.breaches | ConvertFrom-Json -ErrorAction SilentlyContinue
     } catch {
         $usersResults = $null
     }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListCheckExtAlerts.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListCheckExtAlerts.ps1
@@ -15,20 +15,21 @@ function Invoke-ListCheckExtAlerts {
     $Table = Get-CIPPTable -tablename CheckExtensionAlerts
 
     if ($TenantFilter -and $TenantFilter -ne 'AllTenants') {
-        $Filter = "PartitionKey eq '$TenantFilter'"
+        $Filter = "PartitionKey eq 'CheckAlert' and tenantFilter eq '$TenantFilter'"
     } else {
-        $Filter = $null
+        $Filter = "PartitionKey eq 'CheckAlert'"
     }
 
     try {
-        $Alerts = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+        $Tenants = Get-Tenants -IncludeErrors
+        $Alerts = Get-CIPPAzDataTableEntity @Table -Filter $Filter | Where-Object { $Tenants.defaultDomainName -contains $_.tenantFilter } ?? @()
     } catch {
         Write-LogMessage -headers $Headers -API $APIName -message "Failed to retrieve check extension alerts: $($_.Exception.Message)" -Sev 'Error'
         $Alerts = @()
     }
 
     return [HttpResponseContext]@{
-            StatusCode = [HttpStatusCode]::OK
-            Body       = @($Alerts | Sort-Object -Property Timestamp -Descending)
-        }
+        StatusCode = [HttpStatusCode]::OK
+        Body       = @($Alerts | Sort-Object -Property Timestamp -Descending)
+    }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListTenantAllowBlockList.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListTenantAllowBlockList.ps1
@@ -55,6 +55,8 @@ function Invoke-ListTenantAllowBlockList {
                 Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress) | Out-Null
                 $Results = @()
             } else {
+                $TenantList = Get-Tenants -IncludeErrors
+                $Rows = $Rows | Where-Object { $TenantList.defaultDomainName -contains $_.Tenant }
                 $Metadata = [PSCustomObject]@{
                     QueueId = $RunningQueue.RowKey ?? $null
                 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1
@@ -20,7 +20,7 @@ function Invoke-PublicPhishingCheck {
         $ID = (New-Guid).GUID
         $TableBody = @{
             RowKey                   = "$ID"
-            PartitionKey             = [string]$Tenant.defaultDomainName
+            PartitionKey             = 'CheckAlert'
             tenantFilter             = [string]$Tenant.defaultDomainName
             message                  = [string]$Message
             type                     = [string]$request.body.type
@@ -39,7 +39,7 @@ function Invoke-PublicPhishingCheck {
     }
 
     return [HttpResponseContext]@{
-            StatusCode = [HttpStatusCode]::OK
-            Body       = 'OK'
-        }
+        StatusCode = [HttpStatusCode]::OK
+        Body       = 'OK'
+    }
 }
diff --git a/Modules/CIPPCore/Public/Get-CIPPDomainAnalyser.ps1 b/Modules/CIPPCore/Public/Get-CIPPDomainAnalyser.ps1
@@ -13,19 +13,21 @@ function Get-CIPPDomainAnalyser {
     Get-CIPPDomainAnalyser -TenantFilter 'AllTenants'
     #>
     [CmdletBinding()]
-    Param([string]$TenantFilter)
+    param([string]$TenantFilter)
     $DomainTable = Get-CIPPTable -Table 'Domains'
 
     # Get all the things
     #Transform the tenantFilter to the GUID.
-    $TenantFilter = (Get-Tenants -TenantFilter $tenantFilter).customerId
     if ($TenantFilter -ne 'AllTenants' -and ![string]::IsNullOrEmpty($TenantFilter)) {
+        $TenantFilter = (Get-Tenants -TenantFilter $tenantFilter).customerId
         $DomainTable.Filter = "TenantGUID eq '{0}'" -f $TenantFilter
+    } else {
+        $Tenants = Get-Tenants -IncludeErrors
     }
-
+    $Domains = Get-CIPPAzDataTableEntity @DomainTable | Where-Object { $_.TenantGUID -in $Tenants.customerId -or $TenantFilter -eq $_.TenantGUID }
     try {
         # Extract json from table results
-        $Results = foreach ($DomainAnalyserResult in (Get-CIPPAzDataTableEntity @DomainTable).DomainAnalyser) {
+        $Results = foreach ($DomainAnalyserResult in ($Domains).DomainAnalyser) {
             try {
                 if (![string]::IsNullOrEmpty($DomainAnalyserResult)) {
                     $Object = $DomainAnalyserResult | ConvertFrom-Json -ErrorAction SilentlyContinue
diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
@@ -16,10 +16,7 @@ function Get-Tenants {
         [switch]$CleanOld,
         [string]$TenantFilter
     )
-    #$caller = $MyInvocation.InvocationName
-    #$scriptName = $MyInvocation.ScriptName
-    #Write-Host "Called by: $caller"
-    #Write-Host "In script: $scriptName"
+
     $TenantsTable = Get-CippTable -tablename 'Tenants'
     $ExcludedFilter = "PartitionKey eq 'Tenants' and Excluded eq true"
 
@@ -277,5 +274,11 @@ function Get-Tenants {
             Add-CIPPAzDataTableEntity @TenantsTable -Entity $IncludedTenantsCache -Force | Out-Null
         }
     }
+
+    # Limit tenant list to allowed tenants if set in script scope from New-CippCoreRequest
+    if ($script:AllowedTenants) {
+        $IncludedTenantsCache = $IncludedTenantsCache | Where-Object { $script:AllowedTenants -contains $_.customerId }
+    }
+
     return $IncludedTenantsCache | Where-Object { ($null -ne $_.defaultDomainName -and ($_.defaultDomainName -notmatch 'Domain Error' -or $IncludeAll.IsPresent)) } | Where-Object $IncludedTenantFilter | Sort-Object -Property displayName
 }
diff --git a/Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1 b/Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1
@@ -192,7 +192,8 @@ function Get-GraphRequestList {
                 } else {
                     $Filter = "PartitionKey eq '{0}' and (RowKey eq '{1}' or OriginalEntityId eq '{1}') and Timestamp ge datetime'{2}'" -f $PartitionKey, $TenantFilter, $Timestamp
                 }
-                $Rows = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+                $Tenants = Get-Tenants -IncludeErrors
+                $Rows = Get-CIPPAzDataTableEntity @Table -Filter $Filter | Where-Object { $_.OriginalEntityId -in $Tenants.defaultDomainName -or $_.RowKey -in $Tenants.defaultDomainName }
                 $Type = 'Cache'
                 Write-Information "Table: $TableName | PK: $PartitionKey | Cached: $(($Rows | Measure-Object).Count) rows (Type: $($Type))"
                 $QueueReference = '{0}-{1}' -f $TenantFilter, $PartitionKey
diff --git a/Modules/CIPPCore/Public/TenantGroups/Get-TenantGroups.ps1 b/Modules/CIPPCore/Public/TenantGroups/Get-TenantGroups.ps1
@@ -19,6 +19,13 @@ function Get-TenantGroups {
     $GroupTable = Get-CippTable -tablename 'TenantGroups'
     $MembersTable = Get-CippTable -tablename 'TenantGroupMembers'
 
+    # Early exit if specific GroupId requested but not allowed
+    if ($GroupId -and $script:AllowedGroups) {
+        if ($script:AllowedGroups -notcontains $GroupId) {
+            return @()
+        }
+    }
+
     if ($TenantFilter -and $TenantFilter -ne 'allTenants') {
         $TenantParams = @{
             TenantFilter  = $TenantFilter
@@ -43,6 +50,11 @@ function Get-TenantGroups {
     } else {
         $Groups = Get-CIPPAzDataTableEntity @GroupTable
         $AllMembers = Get-CIPPAzDataTableEntity @MembersTable
+
+        # Filter to allowed groups if restrictions apply
+        if ($script:AllowedGroups) {
+            $Groups = $Groups | Where-Object { $script:AllowedGroups -contains $_.RowKey }
+        }
     }
 
     if (!$Groups) {

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ function Invoke-ListApiTest {`
`18`	`18`	`}`
`19`	`19`	`$Response.EnvironmentVariables = $EnvironmentVariables`
`20`	`20`	`}`
	`21`	`+ $Response.AllowedTenants = $script:AllowedTenants`
	`22`	`+ $Response.AllowedGroups = $script:AllowedGroups`
`21`	`23`
`22`	`24`	`return ([HttpResponseContext]@{`
`23`	`25`	`StatusCode = [HttpStatusCode]::OK`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,9 @@ function Invoke-ListBreachesTenant {`
`16`	`16`	`$filter = $null`
`17`	`17`	`}`
`18`	`18`	`try {`
`19`		`- $usersResults = (Get-CIPPAzDataTableEntity @Table -Filter $filter).breaches \| ConvertFrom-Json -ErrorAction SilentlyContinue`
	`19`	`+ $Tenants = Get-Tenants -IncludeErrors`
	`20`	`+ $Rows = Get-CIPPAzDataTableEntity @Table -Filter $filter \| Where-Object { $Tenants.defaultDomainName -contains $_.PartitionKey }`
	`21`	`+ $usersResults = $Rows.breaches \| ConvertFrom-Json -ErrorAction SilentlyContinue`
`20`	`22`	`} catch {`
`21`	`23`	`$usersResults = $null`
`22`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,8 @@ function Invoke-ListTenantAllowBlockList {`
`55`	`55`	`Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject \| ConvertTo-Json -Depth 5 -Compress) \| Out-Null`
`56`	`56`	`$Results = @()`
`57`	`57`	`} else {`
	`58`	`+ $TenantList = Get-Tenants -IncludeErrors`
	`59`	`+ $Rows = $Rows \| Where-Object { $TenantList.defaultDomainName -contains $_.Tenant }`
`58`	`60`	`$Metadata = [PSCustomObject]@{`
`59`	`61`	`QueueId = $RunningQueue.RowKey ?? $null`
`60`	`62`	`}`