Merge pull request #312 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAppSecretExpiry.ps1

@@ -18,13 +18,22 @@ function Get-CIPPAlertAppSecretExpiry {
         return
     }
 
-    $AlertData = foreach ($App in $applist) {
+    $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+    foreach ($App in $applist) {
         Write-Host "checking $($App.displayName)"
         if ($App.passwordCredentials) {
             foreach ($Credential in $App.passwordCredentials) {
                 if ($Credential.endDateTime -lt (Get-Date).AddDays(30) -and $Credential.endDateTime -gt (Get-Date).AddDays(-7)) {
                     Write-Host ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
-                    @{ DisplayName = $App.displayName; Expires = $Credential.endDateTime }
+
+                    $Message = [PSCustomObject]@{
+                        AppName    = $App.displayName
+                        AppId      = $App.appId
+                        Expires    = $Credential.endDateTime
+                        Tenant     = $TenantFilter
+                    }
+                    $AlertData.Add($Message)
                 }
             }
         }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1

@@ -0,0 +1,77 @@
+function Get-CIPPAlertNewRiskyUsers {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $TenantFilter
+    )
+    $Deltatable = Get-CIPPTable -Table DeltaCompare
+    try {
+        # Check if tenant has P2 capabilities
+        $Capabilities = Get-CIPPTenantCapabilities -TenantFilter $TenantFilter
+        if (-not $Capabilities.AADPremiumService) {
+            Write-AlertMessage -tenant $($TenantFilter) -message 'Tenant does not have Azure AD Premium P2 licensing required for risky users detection'
+            return
+        }
+
+        $Filter = "PartitionKey eq 'RiskyUsersDelta' and RowKey eq '{0}'" -f $TenantFilter
+        $RiskyUsersDelta = (Get-CIPPAzDataTableEntity @Deltatable -Filter $Filter).delta | ConvertFrom-Json -ErrorAction SilentlyContinue
+        
+        # Get current risky users with more detailed information
+        $NewDelta = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identityProtection/riskyUsers' -tenantid $TenantFilter) | Select-Object userPrincipalName, riskLevel, riskState, riskDetail, riskLastUpdatedDateTime, isProcessing, history
+        
+        $NewDeltatoSave = $NewDelta | ConvertTo-Json -Depth 10 -Compress -ErrorAction SilentlyContinue | Out-String
+        $DeltaEntity = @{
+            PartitionKey = 'RiskyUsersDelta'
+            RowKey       = [string]$TenantFilter
+            delta        = "$NewDeltatoSave"
+        }
+        Add-CIPPAzDataTableEntity @DeltaTable -Entity $DeltaEntity -Force
+
+        if ($RiskyUsersDelta) {
+            $AlertData = $NewDelta | Where-Object { 
+                $_.userPrincipalName -notin $RiskyUsersDelta.userPrincipalName 
+            } | ForEach-Object {
+                $riskHistory = if ($_.history) {
+                    $latestHistory = $_.history | Sort-Object -Property riskLastUpdatedDateTime -Descending | Select-Object -First 1
+                    "Previous Risk Level: $($latestHistory.riskLevel), Last Updated: $($latestHistory.riskLastUpdatedDateTime)"
+                }
+                else {
+                    'No previous risk history'
+                }
+                
+                # Map risk level to severity
+                $severity = switch ($_.riskLevel) {
+                    'high' { 'Critical' }
+                    'medium' { 'Warning' }
+                    'low' { 'Info' }
+                    default { 'Info' }
+                }
+                
+                @{
+                    Message = "New risky user detected: $($_.userPrincipalName)"
+                    Details = @{
+                        RiskLevel    = $_.riskLevel
+                        RiskState    = $_.riskState
+                        RiskDetail   = $_.riskDetail
+                        LastUpdated  = $_.riskLastUpdatedDateTime
+                        IsProcessing = $_.isProcessing
+                        RiskHistory  = $riskHistory
+                        Severity     = $severity
+                    }
+                }
+            }
+            
+            if ($AlertData) {
+                Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+            }
+        }
+    }
+    catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Could not get risky users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecCombinedSetup.ps1

@@ -1,17 +1,25 @@
 using namespace System.Net
 
-Function Invoke-ExecCombinedSetup {
+function Invoke-ExecCombinedSetup {
     <#
     .FUNCTIONALITY
         Entrypoint,AnyTenant
     .ROLE
         CIPP.AppSettings.ReadWrite
     #>
+    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
     #Make arraylist of Results
     $Results = [System.Collections.ArrayList]::new()
     try {
+        # Set up Azure context if needed for Key Vault access
+        if ($env:AzureWebJobsStorage -ne 'UseDevelopmentStorage=true' -and $env:MSI_SECRET) {
+            Disable-AzContextAutosave -Scope Process | Out-Null
+            $null = Connect-AzAccount -Identity
+            $SubscriptionId = $env:WEBSITE_OWNER_NAME -split '\+' | Select-Object -First 1
+            $null = Set-AzContext -SubscriptionId $SubscriptionId
+        }
         if ($request.body.selectedBaselines -and $request.body.baselineOption -eq 'downloadBaselines') {
             #do a single download of the selected baselines.
             foreach ($template in $request.body.selectedBaselines) {
@@ -56,6 +64,47 @@ Function Invoke-ExecCombinedSetup {
             $notificationResults = Set-CIPPNotificationConfig @notificationConfig
             $Results.add($notificationResults)
         }
+        if ($Request.Body.selectedOption -eq 'Manual') {
+            $KV = $env:WEBSITE_DEPLOYMENT_ID
+
+            if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
+                $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
+                $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+                if (!$Secret) {
+                    $Secret = [PSCustomObject]@{
+                        'PartitionKey'      = 'Secret'
+                        'RowKey'            = 'Secret'
+                        'TenantId'          = ''
+                        'RefreshToken'      = ''
+                        'ApplicationId'     = ''
+                        'ApplicationSecret' = ''
+                    }
+                    Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
+                }
+
+                if ($Request.Body.tenantId) { $Secret.TenantId = $Request.Body.tenantid }
+                if ($Request.Body.applicationId) { $Secret.ApplicationId = $Request.Body.applicationId }
+                if ($Request.Body.ApplicationSecret) { $Secret.ApplicationSecret = $Request.Body.ApplicationSecret }
+                Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
+                $Results.add('Manual credentials have been set in the DevSecrets table.')
+            } else {
+                if ($Request.Body.tenantId) {
+                    Set-AzKeyVaultSecret -VaultName $kv -Name 'tenantid' -SecretValue (ConvertTo-SecureString -String $Request.Body.tenantId -AsPlainText -Force)
+                    $Results.add('Set tenant ID in Key Vault.')
+                }
+                if ($Request.Body.applicationId) {
+                    Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationid' -SecretValue (ConvertTo-SecureString -String $Request.Body.applicationId -AsPlainText -Force)
+                    $Results.add('Set application ID in Key Vault.')
+                }
+                if ($Request.Body.applicationSecret) {
+                    Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationsecret' -SecretValue (ConvertTo-SecureString -String $Request.Body.applicationSecret -AsPlainText -Force)
+                    $Results.add('Set application secret in Key Vault.')
+                }
+            }
+
+            $Results.add('Manual credentials setup has been completed.')
+        }
+
         $Results.add('Setup is now complete. You may navigate away from this page and start using CIPP.')
         #one more force of reauth so env vars update.
         $auth = Get-CIPPAuthentication

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecEmailForward.ps1

@@ -12,15 +12,19 @@ Function Invoke-ExecEmailForward {
 
     $Tenantfilter = $request.body.tenantfilter
     $username = $request.body.userid
-    $ForwardingAddress = $request.body.ForwardInternal.value
+    if ($request.body.ForwardInternal -is [string]) {
+        $ForwardingAddress = $request.body.ForwardInternal
+    } else {($request.body.ForwardInternal.value)
+        $ForwardingAddress = $request.body.ForwardInternal.value
+    }
     $ForwardingSMTPAddress = $request.body.ForwardExternal
     $ForwardOption = $request.body.forwardOption
     $APIName = $Request.Params.CIPPEndpoint
-    [bool]$KeepCopy = if ($request.body.keepCopy -eq 'true') { $true } else { $false }
+    [bool]$KeepCopy = if ($request.body.KeepCopy -eq 'true') { $true } else { $false }
 
     if ($ForwardOption -eq 'internalAddress') {
         try {
-            Set-CIPPForwarding -userid $username -tenantFilter $TenantFilter -APIName $APINAME -Headers $Request.Headers -Forward $ForwardingAddress -keepCopy $KeepCopy
+            Set-CIPPForwarding -userid $username -tenantFilter $TenantFilter -APIName $APINAME -Headers $Request.Headers -Forward $ForwardingAddress -KeepCopy $KeepCopy
             if (-not $request.body.KeepCopy) {
                 $results = "Forwarding all email for $($username) to $($ForwardingAddress) and not keeping a copy"
             } else {
@@ -35,7 +39,7 @@ Function Invoke-ExecEmailForward {
 
     if ($ForwardOption -eq 'ExternalAddress') {
         try {
-            Set-CIPPForwarding -userid $username -tenantFilter $TenantFilter -APIName $APINAME -Headers $Request.Headers -forwardingSMTPAddress $ForwardingSMTPAddress -keepCopy $KeepCopy
+            Set-CIPPForwarding -userid $username -tenantFilter $TenantFilter -APIName $APINAME -Headers $Request.Headers -forwardingSMTPAddress $ForwardingSMTPAddress -KeepCopy $KeepCopy
             if (-not $request.body.KeepCopy) {
                 $results = "Forwarding all email for $($username) to $($ForwardingSMTPAddress) and not keeping a copy"
             } else {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-CIPPOffboardingJob.ps1

@@ -45,10 +45,10 @@ function Invoke-CIPPOffboardingJob {
             Set-CIPPOutOfOffice -tenantFilter $TenantFilter -userid $username -InternalMessage $Options.OOO -ExternalMessage $Options.OOO -Headers $Headers -APIName $APIName -state 'Enabled'
         }
         { $_.forward } {
-            if (!$Options.keepCopy) {
+            if (!$Options.KeepCopy) {
                 Set-CIPPForwarding -userid $userid -username $username -tenantFilter $TenantFilter -Forward $Options.forward.value -Headers $Headers -APIName $APIName
             } else {
-                $KeepCopy = [boolean]$Options.keepCopy
+                $KeepCopy = [boolean]$Options.KeepCopy
                 Set-CIPPForwarding -userid $userid -username $username -tenantFilter $TenantFilter -Forward $Options.forward.value -KeepCopy $KeepCopy -Headers $Headers -APIName $APIName
             }
         }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListUserMailboxDetails.ps1

@@ -64,7 +64,7 @@ function Invoke-ListUserMailboxDetails {
             }
         )
         Write-Host $UserID
-        $usernames = New-GraphGetRequest -tenantid $TenantFilter -uri 'https://graph.microsoft.com/beta/users?$select=id,userPrincipalName&$top=999'
+        $usernames = New-GraphGetRequest -tenantid $TenantFilter -uri 'https://graph.microsoft.com/beta/users?$select=id,userPrincipalName,displayName,mailNickname&$top=999'
         $Results = New-ExoBulkRequest -TenantId $TenantFilter -CmdletArray $Requests -returnWithCommand $true -Anchor $username
         Write-Host "First line of usernames is $($usernames[0] | ConvertTo-Json)"
 
@@ -144,21 +144,48 @@ function Invoke-ListUserMailboxDetails {
         $ParsedPerms = @()
     }
 
-    # Get forwarding address
-    $ForwardingAddress = if ($MailboxDetailedRequest.ForwardingAddress) {
-        try {
-            (New-GraphGetRequest -TenantId $TenantFilter -Uri "https://graph.microsoft.com/beta/users/$($MailboxDetailedRequest.ForwardingAddress)").UserPrincipalName
-        } catch {
-            try {
-                '{0} ({1})' -f $MailboxDetailedRequest.ForwardingAddress, (($((New-GraphGetRequest -TenantId $TenantFilter -Uri "https://graph.microsoft.com/beta/users?`$filter=displayName eq '$($MailboxDetailedRequest.ForwardingAddress)'") | Select-Object -First 1 -ExpandProperty UserPrincipalName)))
-            } catch {
-                $MailboxDetailedRequest.ForwardingAddress
+    # Get forwarding address - lazy load contacts only if needed
+    $ForwardingAddress = $null
+    if ($MailboxDetailedRequest.ForwardingSmtpAddress) {
+        # External forwarding
+        $ForwardingAddress = $MailboxDetailedRequest.ForwardingSmtpAddress -replace '^smtp:', ''
+    } elseif ($MailboxDetailedRequest.ForwardingAddress) {
+        # Internal forwarding
+        $rawAddress = $MailboxDetailedRequest.ForwardingAddress
+
+        if ($rawAddress -match '@') {
+            # Already an email address
+            $ForwardingAddress = $rawAddress
+        } else {
+            # First try users array
+            $matchedUser = $usernames | Where-Object {
+                $_.id -eq $rawAddress -or
+                $_.displayName -eq $rawAddress -or
+                $_.mailNickname -eq $rawAddress
+            }
+
+            if ($matchedUser) {
+                $ForwardingAddress = $matchedUser.userPrincipalName
+            } else {
+                # Query for the specific contact only
+                try {
+                    # Escape single quotes in the filter value
+                    $escapedAddress = $rawAddress -replace "'", "''"
+                    $filterQuery = "displayName eq '$escapedAddress' or mailNickname eq '$escapedAddress'"
+                    $contactUri = "https://graph.microsoft.com/beta/contacts?`$filter=$filterQuery&`$select=displayName,mail,mailNickname"
+
+                    $matchedContacts = New-GraphGetRequest -tenantid $TenantFilter -uri $contactUri
+
+                    if ($matchedContacts -and $matchedContacts.Count -gt 0) {
+                        $ForwardingAddress = $matchedContacts[0].mail
+                    } else {
+                        $ForwardingAddress = $rawAddress
+                    }
+                } catch {
+                    $ForwardingAddress = $rawAddress
+                }
             }
         }
-    } elseif ($MailboxDetailedRequest.ForwardingSmtpAddress -and $MailboxDetailedRequest.ForwardingAddress) {
-        "$($MailboxDetailedRequest.ForwardingAddress) $($MailboxDetailedRequest.ForwardingSmtpAddress)"
-    } else {
-        $MailboxDetailedRequest.ForwardingSmtpAddress
     }
 
     $ProhibitSendQuotaString = $MailboxDetailedRequest.ProhibitSendQuota -split ' '

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ListBPATemplates.ps1

@@ -34,7 +34,7 @@ Function Invoke-ListBPATemplates {
         foreach ($Template in $Templates) {
             $Template.JSON = $Template.JSON -replace '"parameters":', '"Parameters":'
         }
-        $Templates = $Templates.JSON | ConvertFrom-Json
+        $Templates = $Templates.JSON | ConvertFrom-Json | Sort-Object Name
     } else {
         $Templates = $Templates | ForEach-Object {
             $TemplateJson = $_.JSON -replace '"parameters":', '"Parameters":'
@@ -45,7 +45,7 @@ Function Invoke-ListBPATemplates {
                 Name  = $Template.Name
                 Style = $Template.Style
             }
-        }
+        } | Sort-Object Name
     }
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

openapi.json

@@ -2850,7 +2850,7 @@
             "schema": {
               "type": "string"
             },
-            "name": "keepCopy",
+            "name": "KeepCopy",
             "in": "body"
           }
         ],
@@ -3829,7 +3829,7 @@
             "schema": {
               "type": "string"
             },
-            "name": "keepCopy",
+            "name": "KeepCopy",
             "in": "body"
           },
           {