Merge pull request #253 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecAddTenant.ps1

@@ -0,0 +1,89 @@
+using namespace System.Net
+
+Function Invoke-ExecAddTenant {
+    <#
+    .FUNCTIONALITY
+        Entrypoint,AnyTenant
+    .ROLE
+        CIPP.AppSettings.ReadWrite.
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    try {
+        # Get the tenant ID from the request body
+        $tenantId = $Request.body.tenantId
+        $displayName = $Request.body.displayName
+        $defaultDomainName = $Request.body.defaultDomainName
+
+        # Get the Tenants table
+        $TenantsTable = Get-CippTable -tablename 'Tenants'
+
+        # Check if tenant already exists
+        $ExistingTenant = Get-CIPPAzDataTableEntity @TenantsTable -Filter "PartitionKey eq 'Tenants' and RowKey eq '$tenantId'"
+
+        if ($ExistingTenant) {
+            # Update existing tenant
+            $ExistingTenant.delegatedPrivilegeStatus = 'directTenant'
+            Add-CIPPAzDataTableEntity @TenantsTable -Entity $ExistingTenant -Force | Out-Null
+            $Results = @{'message' = 'Successfully updated tenant.'; 'severity' = 'success' }
+        } else {
+            # Create new tenant entry
+            try {
+                # Get organization info
+                $Organization = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/organization' -tenantid $tenantId -NoAuthCheck:$true -ErrorAction Stop
+
+                if (-not $displayName) {
+                    $displayName = $Organization[0].displayName
+                }
+
+                if (-not $defaultDomainName) {
+                    # Try to get domains
+                    try {
+                        $Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $tenantId -NoAuthCheck:$true -ErrorAction Stop
+                        $defaultDomainName = ($Domains | Where-Object { $_.isDefault -eq $true }).id
+                        $initialDomainName = ($Domains | Where-Object { $_.isInitial -eq $true }).id
+                    } catch {
+                        # If we can't get domains, use verified domains from organization
+                        $defaultDomainName = ($Organization[0].verifiedDomains | Where-Object { $_.isDefault -eq $true }).name
+                        $initialDomainName = ($Organization[0].verifiedDomains | Where-Object { $_.isInitial -eq $true }).name
+                    }
+                }
+            } catch {
+                Write-LogMessage -API 'Add-Tenant' -message "Failed to get information for tenant $tenantId - $($_.Exception.Message)" -Sev 'Critical'
+                throw "Failed to get information for tenant $tenantId. Make sure the tenant is properly authenticated."
+            }
+
+            # Create new tenant object
+            $NewTenant = [PSCustomObject]@{
+                PartitionKey             = 'Tenants'
+                RowKey                   = $tenantId
+                customerId               = $tenantId
+                displayName              = $displayName
+                defaultDomainName        = $defaultDomainName
+                initialDomainName        = $initialDomainName
+                delegatedPrivilegeStatus = 'directTenant'
+                domains                  = ''
+                Excluded                 = $false
+                ExcludeUser              = ''
+                ExcludeDate              = ''
+                GraphErrorCount          = 0
+                LastGraphError           = ''
+                RequiresRefresh          = $false
+                LastRefresh              = (Get-Date).ToUniversalTime()
+            }
+
+            # Add tenant to table
+            Add-CIPPAzDataTableEntity @TenantsTable -Entity $NewTenant -Force | Out-Null
+            $Results = @{'message' = "Successfully added tenant $tenantId to the tenant list with directTenant status."; 'severity' = 'success' }
+        }
+    } catch {
+        $Results = @{'message' = "Failed to add tenant: $($_.Exception.Message)"; 'state' = 'error'; 'severity' = 'error' }
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecUpdateRefreshToken.ps1

@@ -24,18 +24,25 @@ Function Invoke-ExecUpdateRefreshToken {
                 $Secret.RefreshToken = $Request.body.RefreshToken
             } else {
                 Write-Host "$($env:Applicationid) does not match $($Request.body.tenantId)"
-                $secret | Add-Member -MemberType NoteProperty -Name $($Request.body.tenantId) -Value $Request.body.refreshtoken -Force
+                $name = $Request.body.tenantId -replace '-', '_'
+                $secret | Add-Member -MemberType NoteProperty -Name $name -Value $Request.body.refreshtoken -Force
             }
             Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
         } else {
             if ($env:ApplicationId -eq $Request.body.tenantId) {
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'RefreshToken' -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
             } else {
-                Set-AzKeyVaultSecret -VaultName $kv -Name $Request.body.tenantId -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
+                $name = $Request.body.tenantId -replace '-', '_'
+                Set-AzKeyVaultSecret -VaultName $kv -Name $name -SecretValue (ConvertTo-SecureString -String $Request.body.refreshtoken -AsPlainText -Force)
             }
         }
         $InstanceId = Start-UpdatePermissionsOrchestrator #start the CPV refresh immediately while wizard still runs.
-        $Results = @{'message' = "Successfully updated your stored authentication for $($request.body.tenantId)."; severity = 'success' }
+
+
+        $Results = @{
+            'message'  = "Successfully updated your stored authentication for $($request.body.tenantId)."
+            'tenantId' = $Request.body.tenantId
+        }
     } catch {
         $Results = [pscustomobject]@{'Results' = "Failed. $($_.InvocationInfo.ScriptLineNumber):  $($_.Exception.message)"; severity = 'failed' }
     }

Modules/CIPPCore/Public/Get-CIPPAuthentication.ps1

@@ -19,6 +19,18 @@ function Get-CIPPAuthentication {
                 }
             }
             Write-Host "Got secrets from dev storage. ApplicationID: $env:ApplicationID"
+            #Get list of tenants that have 'directTenant' set to true
+            $tenants = Get-Tenants | Where-Object -Property delegatedPrivilegeStatus -EQ 'directTenant'
+            if ($tenants) {
+                Write-Host "Found $($tenants.Count) tenants with directTenant set to true"
+                $tenants | ForEach-Object {
+                    $name = $_.customerId -replace '-', '_'
+                    if ($secret.$name) {
+                        $name = $_.customerId
+                        Set-Item -Path env:$name -Value $secret.$name -Force
+                    }
+                }
+            }
         } else {
             Write-Information 'Connecting to Azure'
             Connect-AzAccount -Identity
@@ -37,6 +49,19 @@ function Get-CIPPAuthentication {
             }
 
             $keyvaultname = ($env:WEBSITE_DEPLOYMENT_ID -split '-')[0]
+            #Get list of tenants that have 'directTenant' set to true
+            $tenants = Get-Tenants | Where-Object -Property delegatedPrivilegeStatus -EQ 'directTenant'
+            if ($tenants) {
+                $tenants | ForEach-Object {
+                    $name = $_.tenantId -replace '-', '_'
+                    $secret = Get-AzKeyVaultSecret -VaultName $keyvaultname -Name $name -AsPlainText -ErrorAction Stop
+                    if ($secret) {
+                        #set the name back to the original tenantId
+                        $name = $_.customerId
+                        Set-Item -Path env:$name -Value $secret -Force
+                    }
+                }
+            }
             $Variables | ForEach-Object {
                 Set-Item -Path env:$_ -Value (Get-AzKeyVaultSecret -VaultName $keyvaultname -Name $_ -AsPlainText -ErrorAction Stop) -Force
             }

Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1

@@ -5,11 +5,19 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     #>
     if (!$scope) { $scope = 'https://graph.microsoft.com/.default' }
     if (!$env:SetFromProfile) { $CIPPAuth = Get-CIPPAuthentication; Write-Host 'Could not get Refreshtoken from environment variable. Reloading token.' }
+    #If the $env:<$tenantid> is set, use that instead of the refreshtoken for all tenants.
+    $ClientRefreshToken = Get-Item env:$tenantid -ErrorAction SilentlyContinue
+    if ($ClientRefreshToken) {
+        $refreshToken = $ClientRefreshToken
+    } else {
+        $refreshToken = $env:RefreshToken
+    }
+
     $AuthBody = @{
         client_id     = $env:ApplicationID
         client_secret = $env:ApplicationSecret
         scope         = $Scope
-        refresh_token = $env:RefreshToken
+        refresh_token = $refreshToken
         grant_type    = 'refresh_token'
     }
     if ($asApp -eq $true) {
@@ -24,7 +32,7 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $AppSecret, $refreshT
     if ($null -ne $AppID -and $null -ne $refreshToken) {
         $AuthBody = @{
             client_id     = $appid
-            refresh_token = $RefreshToken
+            refresh_token = $refreshToken
             scope         = $Scope
             grant_type    = 'refresh_token'
         }