improve tenant access check

JohnDuprey · JohnDuprey · commit 5d35bf94a8a3 · 2025-06-18T17:36:06.000-04:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecAccessChecks.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecAccessChecks.ps1
@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecAccessChecks {
+function Invoke-ExecAccessChecks {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -50,16 +50,17 @@ Function Invoke-ExecAccessChecks {
                     $Results = foreach ($Tenant in $Tenants) {
                         $TenantCheck = $AccessChecks | Where-Object -Property RowKey -EQ $Tenant.customerId | Select-Object -Property Data
                         $TenantResult = [PSCustomObject]@{
-                            TenantId          = $Tenant.customerId
-                            TenantName        = $Tenant.displayName
-                            DefaultDomainName = $Tenant.defaultDomainName
-                            GraphStatus       = 'Not run yet'
-                            ExchangeStatus    = 'Not run yet'
-                            GDAPRoles         = ''
-                            MissingRoles      = ''
-                            LastRun           = ''
-                            GraphTest         = ''
-                            ExchangeTest      = ''
+                            TenantId           = $Tenant.customerId
+                            TenantName         = $Tenant.displayName
+                            DefaultDomainName  = $Tenant.defaultDomainName
+                            GraphStatus        = 'Not run yet'
+                            ExchangeStatus     = 'Not run yet'
+                            GDAPRoles          = ''
+                            MissingRoles       = ''
+                            LastRun            = ''
+                            GraphTest          = ''
+                            ExchangeTest       = ''
+                            OrgManagementRoles = @()
                         }
                         if ($TenantCheck) {
                             $Data = @($TenantCheck.Data | ConvertFrom-Json -ErrorAction Stop)
@@ -70,6 +71,7 @@ Function Invoke-ExecAccessChecks {
                             $TenantResult.LastRun = $Data.LastRun
                             $TenantResult.GraphTest = $Data.GraphTest
                             $TenantResult.ExchangeTest = $Data.ExchangeTest
+                            $TenantResult.OrgManagementRoles = $Data.OrgManagementRoles
                         }
                         $TenantResult
                     }
diff --git a/Modules/CIPPCore/Public/Test-CIPPAccessTenant.ps1 b/Modules/CIPPCore/Public/Test-CIPPAccessTenant.ps1
@@ -48,14 +48,15 @@ function Test-CIPPAccessTenant {
         $ExchangeStatus = $false
 
         $Results = [PSCustomObject]@{
-            TenantName     = $Tenant.defaultDomainName
-            GraphStatus    = $false
-            GraphTest      = ''
-            ExchangeStatus = $false
-            ExchangeTest   = ''
-            GDAPRoles      = ''
-            MissingRoles   = ''
-            LastRun        = (Get-Date).ToUniversalTime()
+            TenantName         = $Tenant.defaultDomainName
+            GraphStatus        = $false
+            GraphTest          = ''
+            ExchangeStatus     = $false
+            ExchangeTest       = ''
+            GDAPRoles          = ''
+            MissingRoles       = ''
+            OrgManagementRoles = @()
+            LastRun            = (Get-Date).ToUniversalTime()
         }
 
         $AddedText = ''
@@ -105,6 +106,37 @@ function Test-CIPPAccessTenant {
             $null = New-ExoRequest -tenantid $Tenant.customerId -cmdlet 'Get-OrganizationConfig' -ErrorAction Stop
             $ExchangeStatus = $true
             $ExchangeTest = 'Successfully connected to Exchange'
+
+            # Get the Exchange role definitions and assignments for the Organization Management role group
+            $Requests = @(
+                @{
+                    id     = 'roleDefinitions'
+                    method = 'GET'
+                    url    = 'roleManagement/exchange/roleDefinitions?$top=999'
+                }
+                @{
+                    id     = 'roleAssignments'
+                    method = 'GET'
+                    url    = "roleManagement/exchange/roleAssignments?`$filter=principalId eq '/RoleGroups/Organization Management'&`$top=999"
+                }
+            )
+
+            $ExchangeRoles = New-GraphBulkRequest -tenantid $Tenant.customerId -Requests $Requests
+
+            # Get results and expand assigments with role definitions
+            $RoleDefinitions = ($ExchangeRoles | Where-Object -Property id -EQ 'roleDefinitions').body.value | Select-Object -Property id, displayName, description, isBuiltIn, isEnabled
+            $RoleAssignments = ($ExchangeRoles | Where-Object -Property id -EQ 'roleAssignments').body.value
+            $OrgManagementAssignments = $RoleAssignments | Where-Object -Property principalId -EQ '/RoleGroups/Organization Management' | Sort-Object -Property roleDefinitionId -Unique
+            $OrgManagementRoles = $OrgManagementAssignments | ForEach-Object {
+                $RoleDefinitions | Where-Object -Property id -EQ $_.roleDefinitionId
+            } | Sort-Object -Property displayName
+
+            Write-Warning "Found $($OrgManagementRoles.Count) Organization Management role assignments in Exchange"
+            $Results.OrgManagementRoles = $OrgManagementRoles
+
+            # TODO: Get list of known good roles and compare against the found roles
+
+
         } catch {
             $ErrorMessage = Get-CippException -Exception $_
             $ReportedError = ($_.ErrorDetails | ConvertFrom-Json -ErrorAction SilentlyContinue)
