Merge pull request #270 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdatePermissionsQueue.ps1

@@ -16,7 +16,9 @@ function Push-UpdatePermissionsQueue {
         $Table = Get-CIPPTable -TableName cpvtenants
         $CPVRows = Get-CIPPAzDataTableEntity @Table | Where-Object -Property Tenant -EQ $Item.customerId
 
-        if (!$CPVRows -or $env:ApplicationID -notin $CPVRows.applicationId) {
+        $Tenant = Get-Tenants -TenantFilter $Item.customerId -IncludeErrors
+
+        if ((!$CPVRows -or $env:ApplicationID -notin $CPVRows.applicationId) -and $Tenant.delegatedPrivilegeStatus -ne 'directTenant') {
             Write-LogMessage -tenant $Item.defaultDomainName -tenantId $Item.customerId -message 'A New tenant has been added, or a new CIPP-SAM Application is in use' -Sev 'Warn' -API 'NewTenant'
             Write-Information 'Adding CPV permissions'
             Set-CIPPCPVConsent -Tenantfilter $Item.customerId

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCPVPermissions.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecCPVPermissions {
+function Invoke-ExecCPVPermissions {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -15,7 +15,7 @@ Function Invoke-ExecCPVPermissions {
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
     $TenantFilter = $Request.Body.tenantFilter
 
-    $Tenant = Get-Tenants -IncludeAll | Where-Object -Property customerId -EQ $TenantFilter | Select-Object -First 1
+    $Tenant = Get-Tenants -TenantFilter $TenantFilter -IncludeErrors
 
     if ($Tenant) {
         Write-Host "Our tenant is $($Tenant.displayName) - $($Tenant.defaultDomainName)"

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecAddTenant.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecAddTenant {
+function Invoke-ExecAddTenant {
     <#
     .FUNCTIONALITY
         Entrypoint,AnyTenant
@@ -63,7 +63,8 @@ Function Invoke-ExecAddTenant {
 
             # Add tenant to table
             Add-CIPPAzDataTableEntity @TenantsTable -Entity $NewTenant -Force | Out-Null
-            $Results = @{'message' = "Successfully added tenant $tenantId to the tenant list with directTenant status."; 'severity' = 'success' }
+            $Results = @{'message' = "Successfully added tenant $displayName ($defaultDomainName) to the tenant list with Direct Tenant status."; 'severity' = 'success' }
+            Write-LogMessage -tenant $defaultDomainName -tenantid $tenantId -API 'Add-Tenant' -message "Added tenant $displayName ($defaultDomainName) with Direct Tenant status." -Sev 'Info'
         }
     } catch {
         $Results = @{'message' = "Failed to add tenant: $($_.Exception.Message)"; 'state' = 'error'; 'severity' = 'error' }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroup.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-AddGroup {
+function Invoke-AddGroup {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -38,11 +38,11 @@ Function Invoke-AddGroup {
                 if ($GroupObject.groupType -eq 'm365') {
                     $BodyParams | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('Unified')
                 }
-                if ($GroupObject.owners -AND $GroupObject.groupType -in 'generic', 'azurerole', 'security') {
+                if ($GroupObject.owners) {
                     $BodyParams | Add-Member -NotePropertyName '[email protected]' -NotePropertyValue (($GroupObject.owners) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })
                     $BodyParams.'[email protected]' = @($BodyParams.'[email protected]')
                 }
-                if ($GroupObject.members -AND $GroupObject.groupType -in 'generic', 'azurerole', 'security') {
+                if ($GroupObject.members) {
                     $BodyParams | Add-Member -NotePropertyName '[email protected]' -NotePropertyValue (($GroupObject.members) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })
                     $BodyParams.'[email protected]' = @($BodyParams.'[email protected]')
                 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-ListGroups.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ListGroups {
+function Invoke-ListGroups {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -95,18 +95,16 @@ Function Invoke-ListGroups {
         } else {
             $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupID)/$($members)?`$top=999&select=$selectstring" -tenantid $TenantFilter | Select-Object *, @{ Name = 'primDomain'; Expression = { $_.mail -split '@' | Select-Object -Last 1 } },
             @{Name = 'membersCsv'; Expression = { $_.members.userPrincipalName -join ',' } },
-            @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -Like '*Team*') { $true }else { $false } } },
+            @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -like '*Team*') { $true }else { $false } } },
             @{Name = 'calculatedGroupType'; Expression = {
-
-                    if ($_.mailEnabled -and $_.securityEnabled) {
+                    if ($_.groupTypes -contains 'Unified') {
+                        'Microsoft 365'
+                    } elseif ($_.mailEnabled -and $_.securityEnabled) {
                         'Mail-Enabled Security'
                     }
                     if (!$_.mailEnabled -and $_.securityEnabled) {
                         'Security'
                     }
-                    if ($_.groupTypes -contains 'Unified') {
-                        'Microsoft 365'
-                    }
                     if (([string]::isNullOrEmpty($_.groupTypes)) -and ($_.mailEnabled) -and (!$_.securityEnabled)) {
                         'Distribution List'
                     }

Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-UpdatePermissionsOrchestrator.ps1

@@ -15,7 +15,7 @@ function Start-UpdatePermissionsOrchestrator {
             'displayName'       = '*Partner Tenant'
         }
 
-        $TenantList = Get-Tenants -IncludeAll | Where-Object { $_.Excluded -eq $false -and $_.delegatedPrivilegeStatus -eq 'directTenant' }
+        $TenantList = Get-Tenants -IncludeAll | Where-Object { $_.Excluded -eq $false }
 
         $Tenants = [System.Collections.Generic.List[object]]::new()
         foreach ($Tenant in $TenantList) {

Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1

@@ -26,8 +26,7 @@ function New-GraphGetRequest {
 
     if ($NoAuthCheck -eq $true -or $IsAuthorised) {
         if ($scope -eq 'ExchangeOnline') {
-            $AccessToken = Get-ClassicAPIToken -resource 'https://outlook.office365.com' -Tenantid $tenantid
-            $headers = @{ Authorization = "Bearer $($AccessToken.access_token)" }
+            $headers = Get-GraphToken -tenantid $tenantid -scope 'https://outlook.office365.com/.default' -AsApp $asapp -SkipCache $skipTokenCache
         } else {
             $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp -SkipCache $skipTokenCache
         }

Modules/CIPPCore/Public/GraphHelper/New-TeamsAPIGetRequest.ps1

@@ -5,13 +5,13 @@ function New-TeamsAPIGetRequest($Uri, $tenantID, $Method = 'GET', $Resource = '4
     #>
 
     if ((Get-AuthorisedRequest -Uri $uri -TenantID $tenantid)) {
-        $token = Get-ClassicAPIToken -Tenant $tenantid -Resource $Resource
+        $token = Get-GraphToken -TenantID $tenantID -Scope "$Resource/.default"
 
         $NextURL = $Uri
         $ReturnedData = do {
             try {
                 $Data = Invoke-RestMethod -ContentType "$ContentType;charset=UTF-8" -Uri $NextURL -Method $Method -Headers @{
-                    Authorization            = "Bearer $($token.access_token)"
+                    Authorization            = $token.Authorization
                     'x-ms-client-request-id' = [guid]::NewGuid().ToString()
                     'x-ms-client-session-id' = [guid]::NewGuid().ToString()
                     'x-ms-correlation-id'    = [guid]::NewGuid()
@@ -29,4 +29,4 @@ function New-TeamsAPIGetRequest($Uri, $tenantID, $Method = 'GET', $Resource = '4
     } else {
         Write-Error 'Not allowed. You cannot manage your own tenant or tenants not under your scope'
     }
-}
+}

Modules/CIPPCore/Public/New-CIPPUserTask.ps1

@@ -20,8 +20,32 @@ function New-CIPPUserTask {
 
     try {
         if ($UserObj.licenses.value) {
-            $LicenseResults = Set-CIPPUserLicense -UserId $CreationResults.Username -TenantFilter $UserObj.tenantFilter -AddLicenses $UserObj.licenses.value -Headers $Headers
-            $Results.Add($LicenseResults)
+            if ($UserObj.sherwebLicense.value) {
+                $License = Set-SherwebSubscription -TenantFilter $UserObj.tenantFilter -SKU $UserObj.sherwebLicense.value -Add 1
+                $null = $results.Add('Added Sherweb License, scheduling assignment')
+                $taskObject = [PSCustomObject]@{
+                    TenantFilter  = $UserObj.tenantFilter
+                    Name          = "Assign License: $UserPrincipalName"
+                    Command       = @{
+                        value = 'Set-CIPPUserLicense'
+                    }
+                    Parameters    = [pscustomobject]@{
+                        userId      = $UserObj.id
+                        APIName     = 'Sherweb License Assignment'
+                        AddLicenses = $licenses
+                    }
+                    ScheduledTime = 0 #right now, which is in the next 15 minutes and should cover most cases.
+                    PostExecution = @{
+                        Webhook = [bool]$Request.Body.PostExecution.webhook
+                        Email   = [bool]$Request.Body.PostExecution.email
+                        PSA     = [bool]$Request.Body.PostExecution.psa
+                    }
+                }
+                Add-CIPPScheduledTask -Task $taskObject -hidden $false -Headers $Headers
+            } else {
+                $LicenseResults = Set-CIPPUserLicense -UserId $CreationResults.Username -TenantFilter $UserObj.tenantFilter -AddLicenses $UserObj.licenses.value -Headers $Headers
+                $Results.Add($LicenseResults)
+            }
         }
     } catch {
         Write-LogMessage -headers $Headers -API $APIName -tenant $($UserObj.tenantFilter) -message "Failed to assign the license. Error:$($_.Exception.Message)" -Sev 'Error'

Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1

@@ -17,6 +17,9 @@ function Set-CIPPCPVConsent {
     if ($Tenant.customerId -ne $TenantFilter) {
         return @('Not a valid tenant')
     }
+    if ($Tenant.delegatedPrivilegeStatus -eq 'directTenant') {
+        return @('Application is already consented to this tenant')
+    }
 
     if ($ResetSP) {
         try {
@@ -40,7 +43,7 @@ function Set-CIPPCPVConsent {
                         'DelegatedPermissionGrant.ReadWrite.All',
                         'Directory.ReadWrite.All',
                         'AppRoleAssignment.ReadWrite.All'
-                    ) -Join ','
+                    ) -join ','
                 }
             )
         } | ConvertTo-Json