Merge pull request #449 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 8f52d44109c6 · 2025-09-12T14:25:39.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1 b/Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1
@@ -20,11 +20,13 @@ function Get-CIPPRolePermissions {
         $Permissions = $Role.Permissions | ConvertFrom-Json
         $AllowedTenants = if ($Role.AllowedTenants) { $Role.AllowedTenants | ConvertFrom-Json } else { @() }
         $BlockedTenants = if ($Role.BlockedTenants) { $Role.BlockedTenants | ConvertFrom-Json } else { @() }
+        $BlockedEndpoints = if ($Role.BlockedEndpoints) { $Role.BlockedEndpoints | ConvertFrom-Json } else { @() }
         [PSCustomObject]@{
-            Role           = $Role.RowKey
-            Permissions    = $Permissions.PSObject.Properties.Value
-            AllowedTenants = @($AllowedTenants)
-            BlockedTenants = @($BlockedTenants)
+            Role             = $Role.RowKey
+            Permissions      = $Permissions.PSObject.Properties.Value
+            AllowedTenants   = @($AllowedTenants)
+            BlockedTenants   = @($BlockedTenants)
+            BlockedEndpoints = @($BlockedEndpoints)
         }
     } else {
         throw "Role $RoleName not found."
diff --git a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1 b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
@@ -199,6 +199,7 @@ function Test-CIPPAccess {
                     continue
                 }
             }
+
             if ($PermissionsFound) {
                 if ($TenantList.IsPresent) {
                     $LimitedTenantList = foreach ($Permission in $PermissionSet) {
@@ -248,6 +249,9 @@ function Test-CIPPAccess {
                 foreach ($Role in $PermissionSet) {
                     foreach ($Perm in $Role.Permissions) {
                         if ($Perm -match $APIRole) {
+                            if ($Role.BlockedEndpoints -contains $Request.Params.CIPPEndpoint) {
+                                throw "Access to this CIPP API endpoint is not allowed, the custom role '$($Role.Role)' has blocked this endpoint: $($Request.Params.CIPPEndpoint)"
+                            }
                             $APIAllowed = $true
                             break
                         }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1
@@ -26,11 +26,12 @@ function Invoke-ExecCustomRole {
                 Write-LogMessage -headers $Request.Headers -API 'ExecCustomRole' -message "Saved custom role $($Request.Body.RoleName)" -Sev 'Info'
                 if ($Request.Body.RoleName -notin $DefaultRoles) {
                     $Role = @{
-                        'PartitionKey'   = 'CustomRoles'
-                        'RowKey'         = "$($Request.Body.RoleName.ToLower())"
-                        'Permissions'    = "$($Request.Body.Permissions | ConvertTo-Json -Compress)"
-                        'AllowedTenants' = "$($Request.Body.AllowedTenants | ConvertTo-Json -Compress)"
-                        'BlockedTenants' = "$($Request.Body.BlockedTenants | ConvertTo-Json -Compress)"
+                        'PartitionKey'     = 'CustomRoles'
+                        'RowKey'           = "$($Request.Body.RoleName.ToLower())"
+                        'Permissions'      = "$($Request.Body.Permissions | ConvertTo-Json -Compress)"
+                        'AllowedTenants'   = "$($Request.Body.AllowedTenants | ConvertTo-Json -Compress)"
+                        'BlockedTenants'   = "$($Request.Body.BlockedTenants | ConvertTo-Json -Compress)"
+                        'BlockedEndpoints' = "$($Request.Body.BlockedEndpoints | ConvertTo-Json -Compress)"
                     }
                     Add-CIPPAzDataTableEntity @Table -Entity $Role -Force | Out-Null
                     $Results.Add("Custom role $($Request.Body.RoleName) saved")
@@ -110,6 +111,15 @@ function Invoke-ExecCustomRole {
                     } else {
                         $Role | Add-Member -NotePropertyName BlockedTenants -NotePropertyValue @() -Force
                     }
+                    if ($Role.BlockedEndpoints) {
+                        try {
+                            $Role.BlockedEndpoints = @($Role.BlockedEndpoints | ConvertFrom-Json)
+                        } catch {
+                            $Role.BlockedEndpoints = ''
+                        }
+                    } else {
+                        $Role | Add-Member -NotePropertyName BlockedEndpoints -NotePropertyValue @() -Force
+                    }
                     $EntraRoleGroup = $EntraRoleGroups | Where-Object -Property RowKey -EQ $Role.RowKey
                     if ($EntraRoleGroup) {
                         $EntraGroup = $EntraRoleGroups | Where-Object -Property RowKey -EQ $Role.RowKey | Select-Object @{Name = 'label'; Expression = { $_.GroupName } }, @{Name = 'value'; Expression = { $_.GroupId } }
@@ -120,10 +130,11 @@ function Invoke-ExecCustomRole {
                 }
                 $DefaultRoles = foreach ($DefaultRole in $DefaultRoles) {
                     $Role = @{
-                        RowKey         = $DefaultRole
-                        Permissions    = ''
-                        AllowedTenants = @('AllTenants')
-                        BlockedTenants = @('')
+                        RowKey           = $DefaultRole
+                        Permissions      = ''
+                        AllowedTenants   = @('AllTenants')
+                        BlockedTenants   = @('')
+                        BlockedEndpoints = @('')
                     }
                     $EntraRoleGroup = $EntraRoleGroups | Where-Object -Property RowKey -EQ $Role.RowKey
                     if ($EntraRoleGroup) {
diff --git a/Modules/CIPPCore/Public/Functions/Get-CIPPTenantAlignment.ps1 b/Modules/CIPPCore/Public/Functions/Get-CIPPTenantAlignment.ps1
@@ -158,6 +158,22 @@ function Get-CIPPTenantAlignment {
                                 ReportingEnabled = $IntuneReportingEnabled
                             }
                         }
+                        if ($IntuneTemplate.'TemplateList-Tags') {
+                            foreach ($Tag in $IntuneTemplate.'TemplateList-Tags') {
+                                Write-Host "Processing Intune Tag: $($Tag.value)"
+                                $IntuneActions = if ($IntuneTemplate.action) { $IntuneTemplate.action } else { @() }
+                                $IntuneReportingEnabled = ($IntuneActions | Where-Object { $_.value -and ($_.value.ToLower() -eq 'report' -or $_.value.ToLower() -eq 'remediate') }).Count -gt 0
+                                $TemplatesList = Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter | Where-Object -Property package -EQ $Tag.value
+                                $TemplatesList | ForEach-Object {
+                                    $TagStandardId = "standards.IntuneTemplate.$($_.GUID)"
+                                    [PSCustomObject]@{
+                                        StandardId       = $TagStandardId
+                                        ReportingEnabled = $IntuneReportingEnabled
+                                    }
+                                }
+
+                            }
+                        }
                     }
                 }
                 # Handle Conditional Access templates specially
@@ -224,7 +240,7 @@ function Get-CIPPTenantAlignment {
                         [PSCustomObject]@{
                             StandardName      = $StandardKey
                             Compliant         = $IsCompliant
-                            StandardValue     = ($Value | ConvertTo-Json -Compress)
+                            StandardValue     = ($Value | ConvertTo-Json -Depth 100 -Compress)
                             ComplianceStatus  = $ComplianceStatus
                             ReportingDisabled = $IsReportingDisabled
                         }
diff --git a/Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1 b/Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1
@@ -31,6 +31,72 @@ function Get-CIPPStandards {
         $_.GUID -like $TemplateId -and $_.runManually -eq $runManually
     }
 
+    # 1.5. Expand templates that contain TemplateList-Tags into multiple standards
+    $ExpandedTemplates = foreach ($Template in $Templates) {
+        $NewTemplate = $Template.PSObject.Copy()
+        $ExpandedStandards = [ordered]@{}
+        $HasExpansions = $false
+
+        foreach ($StandardName in $Template.standards.PSObject.Properties.Name) {
+            $StandardValue = $Template.standards.$StandardName
+            $IsArray = $StandardValue -is [System.Collections.IEnumerable] -and -not ($StandardValue -is [string])
+
+            if ($IsArray) {
+                $NewArray = @()
+                foreach ($Item in $StandardValue) {
+                    if ($Item.'TemplateList-Tags'.value) {
+                        $HasExpansions = $true
+                        $Table = Get-CippTable -tablename 'templates'
+                        $Filter = "PartitionKey eq 'IntuneTemplate'"
+                        $TemplatesList = Get-CIPPAzDataTableEntity @Table -Filter $Filter | Where-Object -Property package -EQ $Item.'TemplateList-Tags'.value
+
+                        foreach ($TemplateItem in $TemplatesList) {
+                            $NewItem = $Item.PSObject.Copy()
+                            $NewItem.PSObject.Properties.Remove('TemplateList-Tags')
+                            $NewItem | Add-Member -NotePropertyName TemplateList -NotePropertyValue ([pscustomobject]@{
+                                label = "$($TemplateItem.RowKey)"
+                                value = "$($TemplateItem.RowKey)"
+                            }) -Force
+                            $NewArray = $NewArray + $NewItem
+                        }
+                    } else {
+                        $NewArray = $NewArray + $Item
+                    }
+                }
+                $ExpandedStandards[$StandardName] = $NewArray
+            } else {
+                if ($StandardValue.'TemplateList-Tags'.value) {
+                    $HasExpansions = $true
+                    $Table = Get-CippTable -tablename 'templates'
+                    $Filter = "PartitionKey eq 'IntuneTemplate'"
+                    $TemplatesList = Get-CIPPAzDataTableEntity @Table -Filter $Filter | Where-Object -Property package -EQ $StandardValue.'TemplateList-Tags'.value
+
+                    $NewArray = @()
+                    foreach ($TemplateItem in $TemplatesList) {
+                        $NewItem = $StandardValue.PSObject.Copy()
+                        $NewItem.PSObject.Properties.Remove('TemplateList-Tags')
+                        $NewItem | Add-Member -NotePropertyName TemplateList -NotePropertyValue ([pscustomobject]@{
+                            label = "$($TemplateItem.RowKey)"
+                            value = "$($TemplateItem.RowKey)"
+                        }) -Force
+                        $NewArray = $NewArray + $NewItem
+                    }
+                    $ExpandedStandards[$StandardName] = $NewArray
+                } else {
+                    $ExpandedStandards[$StandardName] = $StandardValue
+                }
+            }
+        }
+
+        if ($HasExpansions) {
+            $NewTemplate.standards = [pscustomobject]$ExpandedStandards
+        }
+
+        $NewTemplate
+    }
+
+    $Templates = $ExpandedTemplates
+
     # 2. Get tenant list, filter if needed
     $AllTenantsList = Get-Tenants
     if ($TenantFilter -ne 'allTenants') {

Original file line number	Diff line number	Diff line change
`@@ -199,6 +199,7 @@ function Test-CIPPAccess {`
`199`	`199`	`continue`
`200`	`200`	`}`
`201`	`201`	`}`
	`202`	`+`
`202`	`203`	`if ($PermissionsFound) {`
`203`	`204`	`if ($TenantList.IsPresent) {`
`204`	`205`	`$LimitedTenantList = foreach ($Permission in $PermissionSet) {`
`@@ -248,6 +249,9 @@ function Test-CIPPAccess {`
`248`	`249`	`foreach ($Role in $PermissionSet) {`
`249`	`250`	`foreach ($Perm in $Role.Permissions) {`
`250`	`251`	`if ($Perm -match $APIRole) {`
	`252`	`+ if ($Role.BlockedEndpoints -contains $Request.Params.CIPPEndpoint) {`
	`253`	`+ throw "Access to this CIPP API endpoint is not allowed, the custom role '$($Role.Role)' has blocked this endpoint: $($Request.Params.CIPPEndpoint)"`
	`254`	`+ }`
`251`	`255`	`$APIAllowed = $true`
`252`	`256`	`break`
`253`	`257`	`}`