Merge pull request #154 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Applications/Push-UploadApplication.ps1

@@ -16,12 +16,12 @@ function Push-UploadApplication {
 
         $ChocoApp = (Get-CIPPAzDataTableEntity @Table -filter $Filter).JSON | ConvertFrom-Json
         $intuneBody = $ChocoApp.IntuneBody
-        $tenants = if ($chocoapp.Tenant -eq 'AllTenants') {
-    (Get-tenants).defaultDomainName
+        $tenants = if ($ChocoApp.tenant -eq 'AllTenants') {
+            (Get-Tenants -IncludeErrors).defaultDomainName
         } else {
-            $chocoapp.Tenant
+            $ChocoApp.tenant
         }
-        if ($chocoApp.type -eq 'MSPApp') {
+        if ($ChocoApp.type -eq 'MSPApp') {
             [xml]$Intunexml = Get-Content "AddMSPApp\$($ChocoApp.MSPAppName).app.xml"
             $intunewinFilesize = (Get-Item "AddMSPApp\$($ChocoApp.MSPAppName).intunewin")
             $Infile = "AddMSPApp\$($ChocoApp.MSPAppName).intunewin"
@@ -30,7 +30,7 @@ function Push-UploadApplication {
             $intunewinFilesize = (Get-Item 'AddChocoApp\IntunePackage.intunewin')
             $Infile = "AddChocoApp\$($intunexml.ApplicationInfo.FileName)"
         }
-        $assignTo = $ChocoApp.AssignTo
+        $assignTo = $ChocoApp.assignTo
         $AssignToIntent = $ChocoApp.InstallationIntent
         $Baseuri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
         $ContentBody = ConvertTo-Json @{
@@ -39,7 +39,7 @@ function Push-UploadApplication {
             sizeEncrypted = [int64]($intunewinFilesize).length
         }
         $ClearRow = Get-CIPPAzDataTableEntity @Table -Filter $Filter
-        $RemoveCacheFile = if ($chocoapp.Tenant -ne 'AllTenants') {
+        $RemoveCacheFile = if ($ChocoApp.tenant -ne 'AllTenants') {
             Remove-AzDataTableEntity -Force @Table -Entity $clearRow
         } else {
             $Table.Force = $true
@@ -63,24 +63,24 @@ function Push-UploadApplication {
         } | ConvertTo-Json
 
         foreach ($tenant in $tenants) {
-            Try {
-                $ApplicationList = (New-graphGetRequest -Uri $baseuri -tenantid $Tenant) | Where-Object { $_.DisplayName -eq $ChocoApp.ApplicationName }
+            try {
+                $ApplicationList = (New-GraphGetRequest -Uri $baseuri -tenantid $tenant) | Where-Object { $_.DisplayName -eq $ChocoApp.Applicationname }
                 if ($ApplicationList.displayname.count -ge 1) {
-                    Write-LogMessage -api 'AppUpload' -tenant $($Tenant) -message "$($ChocoApp.ApplicationName) exists. Skipping this application" -Sev 'Info'
+                    Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($ChocoApp.Applicationname) exists. Skipping this application" -Sev 'Info'
                     continue
                 }
-                if ($chocoApp.type -eq 'WinGet') {
+                if ($ChocoApp.type -eq 'WinGet') {
                     Write-Host 'Winget!'
                     Write-Host ($intuneBody | ConvertTo-Json -Compress)
                     $NewApp = New-GraphPostRequest -Uri $baseuri -Body ($intuneBody | ConvertTo-Json -Compress) -Type POST -tenantid $tenant
                     Start-Sleep -Milliseconds 200
-                    Write-LogMessage -api 'AppUpload' -tenant $($Tenant) -message "$($ChocoApp.ApplicationName) uploaded as WinGet app." -Sev 'Info'
+                    Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($ChocoApp.Applicationname) uploaded as WinGet app." -Sev 'Info'
                     if ($AssignTo -ne 'On') {
                         $intent = if ($AssignToIntent) { 'Uninstall' } else { 'Required' }
                         Set-CIPPAssignedApplication -ApplicationId $NewApp.Id -Intent $intent -TenantFilter $tenant -groupName "$AssignTo" -AppType 'WinGet'
                     }
-                    Write-LogMessage -api 'AppUpload' -tenant $($Tenant) -message "$($ChocoApp.ApplicationName) Successfully created" -Sev 'Info'
-                    exit 0
+                    Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($ChocoApp.Applicationname) Successfully created" -Sev 'Info'
+                    continue
                 } else {
                     $NewApp = New-GraphPostRequest -Uri $baseuri -Body ($intuneBody | ConvertTo-Json) -Type POST -tenantid $tenant
 
@@ -109,23 +109,23 @@ function Push-UploadApplication {
                     $CommitStateReq = New-graphGetRequest -Uri "$($BaseURI)/$($NewApp.id)/microsoft.graph.win32lobapp/contentVersions/1/files/$($ContentReq.id)" -tenantid $tenant
                     Write-Host "Commit State Request: $($CommitStateReq | ConvertTo-Json -Depth 10)"
                     if ($CommitStateReq.uploadState -like '*fail*') {
-                        Write-LogMessage -api 'AppUpload' -tenant $($Tenant) -message "$($ChocoApp.ApplicationName) Commit failed. Please check if app uploaded succesful" -Sev 'Warning'
+                        Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($ChocoApp.Applicationname) Commit failed. Please check if app uploaded succesful" -Sev 'Warning'
                         break
                     }
                     Start-Sleep -Milliseconds 300
                 } while ($CommitStateReq.uploadState -eq 'commitFilePending')
                 $CommitFinalizeReq = New-graphPostRequest -Uri "$($BaseURI)/$($NewApp.id)" -tenantid $tenant -Body '{"@odata.type":"#microsoft.graph.win32lobapp","committedContentVersion":"1"}' -type PATCH
                 Write-Host "Commit Finalize Request: $($CommitFinalizeReq | ConvertTo-Json -Depth 10)"
-                Write-LogMessage -api 'AppUpload' -tenant $($Tenant) -message "Added Application $($chocoApp.ApplicationName)" -Sev 'Info'
+                Write-LogMessage -api 'AppUpload' -tenant $tenant -message "Added Application $($ChocoApp.Applicationname)" -Sev 'Info'
                 if ($AssignTo -ne 'On') {
                     $intent = if ($AssignToIntent) { 'Uninstall' } else { 'Required' }
                     Set-CIPPAssignedApplication -ApplicationId $NewApp.Id -Intent $intent -TenantFilter $tenant -groupName "$AssignTo" -AppType 'Win32Lob'
 
                 }
-                Write-LogMessage -api 'AppUpload' -tenant $($Tenant) -message 'Successfully added Application' -Sev 'Info'
+                Write-LogMessage -api 'AppUpload' -tenant $tenant -message 'Successfully added Application' -Sev 'Info'
             } catch {
                 "Failed to add Application for $($Tenant): $($_.Exception.Message)"
-                Write-LogMessage -api 'AppUpload' -tenant $($Tenant) -message "Failed adding Application $($ChocoApp.ApplicationName). Error: $($_.Exception.Message)" -LogData (Get-CippException -Exception $_) -Sev 'Error'
+                Write-LogMessage -api 'AppUpload' -tenant $tenant -message "Failed adding Application $($ChocoApp.Applicationname). Error: $($_.Exception.Message)" -LogData (Get-CippException -Exception $_) -Sev 'Error'
                 continue
             }
         }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-AddTenant.ps1

@@ -10,24 +10,29 @@ function Invoke-AddTenant {
 
     $APIName = $Request.Params.CIPPEndpoint
     Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $Action = $Request.Body.Action ?? $Request.Query.Action
+    $TenantName = $Request.Body.TenantName ?? $Request.Query.TenantName
+    $StatusCode = [HttpStatusCode]::OK
 
-    switch ($Request.Body.Action) {
+    switch ($Action) {
         'ValidateDomain' {
             # Validate the onmicrosoft.com domain
-            $Domain = "$($Request.Body.TenantName).onmicrosoft.com"
+            $Domain = "$($TenantName).onmicrosoft.com"
             $DomainCheckUri = "https://api.partnercenter.microsoft.com/v1/domains/$Domain"
+            Write-Information "Checking $Domain"
             try {
-                $DomainCheckResponse = New-GraphPOSTRequest -type HEAD -uri $DomainCheckUri -scope 'https://api.partnercenter.microsoft.com/.default' -NoAuthCheck $true
-            } catch {
-                return @{
-                    Status  = 'Error'
+                $null = New-GraphPOSTRequest -type HEAD -uri $DomainCheckUri -scope 'https://api.partnercenter.microsoft.com/.default' -NoAuthCheck $true
+
+                $Body = @{
+                    Success = $false
                     Message = "The domain '$Domain' is already in use."
                 }
+            } catch {
+                $Body = @{
+                    Success = $true
+                }
             }
-            return @{
-                Status  = 'Success'
-                Message = "The domain '$Domain' is available."
-            }
+
         }
         'AddTenant' {
             # Fetch the organization id for Tier 2 CSPs
@@ -41,6 +46,7 @@ function Invoke-AddTenant {
                         state      = 'Error'
                         resultText = "Failed to retrieve organization profile: $($_.Exception.Message)"
                     }
+                    $StatusCode = [HttpStatusCode]::BadRequest
                     break
                 }
             }
@@ -51,7 +57,7 @@ function Invoke-AddTenant {
                 CommerceId            = $null
                 CompanyProfile        = @{
                     TenantId    = $null
-                    Domain      = '{0}.onmicrosoft.com' -f $Request.Body.TenantName
+                    Domain      = '{0}.onmicrosoft.com' -f $TenantName
                     CompanyName = $Request.Body.CompanyName
                     Attributes  = @{ ObjectType = 'CustomerCompanyProfile' }
                 }
@@ -94,14 +100,15 @@ function Invoke-AddTenant {
 
                 $Body = @{
                     state      = 'Success'
-                    resultText = "Tenant created successfully. 'Username is $($Response.userCredentials.userName)@{0}.onmicrosoft.com'. Click copy to retrieve the password." -f $Request.Body.TenantName
+                    resultText = "Tenant created successfully. 'Username is $($Response.userCredentials.userName)@{0}.onmicrosoft.com'. Click copy to retrieve the password." -f $TenantName
                     copyField  = $Response.userCredentials.password
                 }
             } catch {
                 $Body = @{
                     state      = 'Error'
                     resultText = "Failed to create tenant: $($_.Exception.Message)"
                 }
+                $StatusCode = [HttpStatusCode]::BadRequest
             }
         }
         'ValidateAddress' {
@@ -126,21 +133,21 @@ function Invoke-AddTenant {
                 }
             } catch {
                 return @{
-                    state  = 'Error'
+                    state      = 'Error'
                     resultText = "Address validation failed: $($_.Exception.Message)"
                 }
             }
         }
         default {
             return @{
-                state  = 'Error'
+                state      = 'Error'
                 resultText = "Invalid action specified: $($Request.Body.Action)"
             }
         }
     }
 
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-        StatusCode = [HttpStatusCode]::InternalServerError
-        Body       = $Body
-    })
+            StatusCode = $StatusCode
+            Body       = $Body
+        })
 }

Modules/CIPPCore/Public/Test-CIPPAccessPermissions.ps1

@@ -138,7 +138,7 @@ function Test-CIPPAccessPermissions {
         $CPVRefreshList = [System.Collections.Generic.List[object]]::new()
         $CPVSuccess = $true
         foreach ($Tenant in $TenantList) {
-            $LastRefresh = ($CpvRefresh | Where-Object { $_.RowKey -EQ $Tenant.customerId }).Timestamp.DateTime
+            $LastRefresh = ($CpvRefresh | Where-Object { $_.RowKey -eq $Tenant.customerId }).Timestamp.DateTime
             if ($LastRefresh -lt $LastUpdate) {
                 $CPVSuccess = $false
                 $CPVRefreshList.Add([PSCustomObject]@{
@@ -157,6 +157,19 @@ function Test-CIPPAccessPermissions {
         $ErrorMessage = Get-CippException -Exception $_
         Write-LogMessage -Headers $User -API $APINAME -message "Permissions check failed: $($ErrorMessage.NormalizedError) " -Sev 'Error' -LogData $ErrorMessage
         $ErrorMessages.Add("We could not connect to the API to retrieve the permissions. There might be a problem with the secure application model configuration. The returned error is: $($ErrorMessage.NormalizedError)") | Out-Null
+
+        try {
+            $MFAServicePolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/mfaServicePolicy' -tenantid $env:TenantID -AsApp $true -NoAuthCheck $true
+            if ($MFAServicePolicy.rememberMfaOnTrustedDevice.isEnabled -eq $true -and $MFAServicePolicy.rememberMfaOnTrustedDevice.allowedNumberOfDays -gt 0) {
+                $ErrorMessages.Add("MFA Service Policy has a session lifetime of $($MFAServicePolicy.rememberMfaOnTrustedDevice.allowedNumberOfDays) days. This may cause athentication issues for your service account.") | Out-Null
+                $Links.Add([PSCustomObject]@{
+                        Text = 'Troubleshooting'
+                        Href = 'https://docs.cipp.app/troubleshooting/troubleshooting#multi-factor-authentication-troubleshooting'
+                    }
+                ) | Out-Null
+            }
+        } catch {}
+
         $Success = $false
     }
 

Modules/CippExtensions/Public/HIBP/Get-HIBPAuth.ps1

@@ -1,11 +1,27 @@
 function Get-HIBPAuth {
-    if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
-        $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
-        $Secret = (Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'HIBP' and RowKey eq 'HIBP'").APIKey
+    $Var = 'Ext_HIBP'
+    $APIKey = Get-Item -Path "ENV:$Var" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Value
+    if ($APIKey) {
+        Write-Information 'Using cached API Key for HIBP'
     } else {
-        $null = Connect-AzAccount -Identity
-        $VaultName = $ENV:WEBSITE_OWNER_NAME -like '3e625d35-bf18-4e55*' ? 'hibp-kv' : ($ENV:WEBSITE_DEPLOYMENT_ID -split '-')[0]
-        $Secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'HIBP' -AsPlainText
+        if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
+            $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
+            $Secret = (Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'HIBP' and RowKey eq 'HIBP'").APIKey
+        } else {
+            $null = Connect-AzAccount -Identity
+            $VaultName = ($ENV:WEBSITE_DEPLOYMENT_ID -split '-')[0]
+            try {
+                $Secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'HIBP' -AsPlainText -ErrorAction Stop
+            } catch {
+                $Secret = $null
+            }
+
+            if ([string]::IsNullOrEmpty($Secret) -and $ENV:WEBSITE_OWNER_NAME -like '3e625d35-bf18-4e55*' -or $ENV:WEBSITE_OWNER_NAME -like '61e84181-ff2a-4ba3*') {
+                $VaultName = 'hibp-kv'
+                $Secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'HIBP' -AsPlainText
+            }
+        }
+        Set-Item -Path "ENV:$Var" -Value $APIKey -Force -ErrorAction SilentlyContinue
     }
 
     return @{