
Commit 8181d5b

Merge pull request #160 from KelvinTegelaar/dev
[pull] dev from KelvinTegelaar:dev
2 parents a430ed6 + e96cc95 commit 8181d5b


3 files changed

+59
-13
lines changed


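--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecGDAPAccessAssignment.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecGDAPAccessAssignment.ps1
@@ -52,6 +52,7 @@ function Invoke-ExecGDAPAccessAssignment {
 $Messages = [System.Collections.Generic.List[object]]::new()
 
 foreach ($AccessAssignment in $AccessAssignments) {
+$RoleCount = ($AccessAssignment.accessDetails.unifiedRoles | Measure-Object).Count
 if ($Mappings.GroupId -notcontains $AccessAssignment.accessContainer.accessContainerId -and $AccessAssignment.status -notin @('deleting', 'deleted', 'error')) {
 Write-Warning "Deleting access assignment for $($AccessAssignment.accessContainer.accessContainerId)"
 $Group = $Groups | Where-Object id -EQ $AccessAssignment.accessContainer.accessContainerId
@@ -65,44 +66,87 @@ function Invoke-ExecGDAPAccessAssignment {
 })
 
 $Messages.Add(@{
-'id' = $AccessAssignment.id
+'id' = "delete-$($AccessAssignment.id)"
 'message' = "Deleting access assignment for $($Group.displayName)"
 })
 
+} elseif ($AccessAssignment.status -notin @('deleting', 'deleted', 'error')) {
+# check for mismatched role definitions (e.g. role in assignment does not match role in mapping)
+$Mapping = $Mappings | Where-Object { $_.GroupId -eq $AccessAssignment.accessContainer.accessContainerId }
+$Group = $Groups | Where-Object id -EQ $AccessAssignment.accessContainer.accessContainerId
+
+if ($RoleCount -gt 1 -or $AccessAssignment.accessDetails.unifiedRoles.roleDefinitionId -notcontains $Mapping.roleDefinitionId) {
+Write-Warning "Patching access assignment for $($AccessAssignment.accessContainer.accessContainerId)"
+$Requests.Add(@{
+'id' = "patch-$($AccessAssignment.id)"
+'url' = "tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments/$($AccessAssignment.id)"
+'method' = 'PATCH'
+'body' = @{
+'accessDetails' = @{
+'unifiedRoles' = @(
+@{
+roleDefinitionId = $Mapping.roleDefinitionId
+}
+)
+}
+}
+'headers' = @{
+'If-Match' = $AccessAssignment.'@odata.etag'
+'Content-Type' = 'application/json'
+}
+})
+
+$Messages.Add(@{
+'id' = "patch-$($AccessAssignment.id)"
+'message' = "Updating access assignment for $($Group.displayName)"
+})
+}
 }
 }
 
 foreach ($Mapping in $Mappings) {
-if ($AccessAssignments.accessContainer.accessContainerId -notcontains $Mapping.GroupId -and $Relationship.accessDetails.unifiedRoles.roleDefinitionId -contains $Mapping.roleDefinitionId) {
+$DeletedAssignments = $AccessAssignments | Where-Object { $_.accessContainer.accessContainerId -eq $Mapping.GroupId -and $_.status -eq 'deleted' }
+if (($AccessAssignments.accessContainer.accessContainerId -notcontains $Mapping.GroupId -or $DeletedAssignments.accessContainer.accessContainerId -contains $Mapping.GroupId) -and $Relationship.accessDetails.unifiedRoles.roleDefinitionId -contains $Mapping.roleDefinitionId) {
 Write-Information "Creating access assignment for $($Mapping.GroupId)"
 $Requests.Add(@{
-'id' = "create-$($Mapping.GroupId)"
-'url' = "tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments"
-'method' = 'POST'
-'body' = @{
+'id' = "create-$($Mapping.GroupId)"
+'url' = "tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments"
+'method' = 'POST'
+'body' = @{
 'accessDetails' = @{
-'unifiedRoles' = @($Mapping.roleDefinitionId)
+'unifiedRoles' = @(
+@{
+roleDefinitionId = $Mapping.roleDefinitionId
+}
+)
 }
 'accessContainer' = @{
-'accessContainerId' = $Mapping.GroupId
+'accessContainerId' = $Mapping.GroupId
+'accessContainerType' = 'securityGroup'
 }
 }
+'headers' = @{
+'Content-Type' = 'application/json'
+}
 })
 $Messages.Add(@{
-'id' = $Mapping.GroupId
+'id' = "create-$($Mapping.GroupId)"
 'message' = "Creating access assignment for $($Mapping.GroupName)"
 })
 }
 }
 
 if ($Requests) {
 Write-Warning "Executing $($Requests.Count) access assignment changes"
-#Write-Information ($Requests | ConvertTo-Json -Depth 10)
+Write-Information ($Requests | ConvertTo-Json -Depth 10)
 
 $BulkResults = New-GraphBulkRequest -Requests $Requests -NoAuthCheck $true
+
+Write-Warning "Received $($BulkResults.Count) access assignment results"
+Write-Information ($BulkResults | ConvertTo-Json -Depth 10)
 $Results = foreach ($Result in $BulkResults) {
 $Message = $Messages | Where-Object id -EQ $Result.id
-if ($Result.status -eq 204) {
+if ($Result.status -in @('201', '202', '204')) {
 @{
 resultText = $Message.message
 state = 'success'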
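Review bot: In the second hunk the PATCH branch derives `roleDefinitionId = $Mapping.roleDefinitionId` from `$Mapping = $Mappings | Where-Object { $_.GroupId -eq $AccessAssignment.accessContainer.accessContainerId }`, and if the same group ever appears in more than one mapping that yields an array, so `-notcontains $Mapping.roleDefinitionId` is always true and the assignment is re-patched on every run with a multi-valued roleDefinitionId in the body. If one role per group is the invariant, `$Mapping = $Mappings | Where-Object { $_.GroupId -eq $AccessAssignment.accessContainer.accessContainerId } | Select-Object -First 1` makes the patch deterministic; whether duplicates can occur depends on how `$Mappings` is built, which is outside this hunk. Separately, the un-commented `Write-Information ($Requests | ConvertTo-Json -Depth 10)` and the new `Write-Information ($BulkResults | ConvertTo-Json -Depth 10)` write full request and response payloads to the information stream; the visible request headers carry only If-Match and Content-Type, so this reads as debug output rather than a credential leak, but a comment such as `# verbose: dumps every bulk request/response for troubleshooting` would make the intent explicit. Invoke-ExecGDAPAccessAssignment begins and ends outside the hunk.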

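--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ListGDAPAccessAssignments.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ListGDAPAccessAssignments.ps1
@@ -19,7 +19,7 @@ function Invoke-ListGDAPAccessAssignments {
 
 # get groups asapp
 $Groups = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/groups?`$top=999&`$select=id,displayName&`$filter=securityEnabled eq true" -tenantid $TenantFilter -asApp $true -NoAuthCheck $true
-
+
 
 # Get all the access containers
 $AccessContainers = $AccessAssignments.accessContainer.accessContainerId
@@ -47,6 +47,8 @@ function Invoke-ListGDAPAccessAssignments {
 }
 if (!$Results) {
 $Results = @()
+} else {
+$Results = $Results | Sort-Object -Property @{Expression = { $_.group.displayName }; Ascending = $true }
 }
 
 $Body = @{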
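Review bot: `$Results = $Results | Sort-Object -Property @{Expression = { $_.group.displayName }; Ascending = $true }` in the second hunk can turn a single-element result into a scalar, since a pipeline that emits one object does not produce an array, while the sibling branch deliberately sets `$Results = @()` so the consumer sees a collection. Wrapping the pipeline, `$Results = @($Results | Sort-Object -Property @{Expression = { $_.group.displayName }; Ascending = $true })`, keeps the type consistent in both branches. How `$Body` serializes `$Results` is outside the hunk, so whether a scalar would actually change the emitted JSON cannot be confirmed from here.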

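--- a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
+++ b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
@@ -162,7 +162,7 @@ function Test-CIPPAuditLogRules {
 $HasLocationData = $true
 }
 }
-$Data.AuditRecord = $AuditRecord
+$Data.AuditRecord = $RootProperties
 $Data | Select-Object *,
 @{n = 'HasLocationData'; exp = { $HasLocationData } } -ExcludeProperty ExtendedProperties, DeviceProperties, parameters
 } catch {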
