Merge pull request #559 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecCreateAppTemplate.ps1

@@ -0,0 +1,180 @@
+using namespace System.Net
+
+function Invoke-ExecCreateAppTemplate {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Tenant.Application.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $TriggerMetadata.FunctionName
+    Write-LogMessage -user $Request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+
+    try {
+        $TenantFilter = $Request.Body.TenantFilter
+        $AppId = $Request.Body.AppId
+        $DisplayName = $Request.Body.DisplayName
+        $Type = $Request.Body.Type # 'servicePrincipal' or 'application'
+
+        if ([string]::IsNullOrWhiteSpace($AppId)) {
+            throw 'AppId is required'
+        }
+
+        if ([string]::IsNullOrWhiteSpace($DisplayName)) {
+            throw 'DisplayName is required'
+        }
+
+        # Get the app details based on type
+        if ($Type -eq 'servicePrincipal') {
+            # For enterprise apps (service principals)
+            $AppDetails = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$filter=appId eq '$AppId'&`$select=id,appId,displayName,appRoles,oauth2PermissionScopes,requiredResourceAccess" -tenantid $TenantFilter
+
+            if (-not $AppDetails -or $AppDetails.Count -eq 0) {
+                throw "Service principal not found for AppId: $AppId"
+            }
+
+            $App = $AppDetails[0]
+
+            # Get the application registration to access requiredResourceAccess
+            try {
+                $AppRegistration = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications?`$filter=appId eq '$AppId'&`$select=id,appId,displayName,requiredResourceAccess" -tenantid $TenantFilter
+                if ($AppRegistration -and $AppRegistration.Count -gt 0) {
+                    $RequiredResourceAccess = $AppRegistration[0].requiredResourceAccess
+                } else {
+                    $RequiredResourceAccess = @()
+                }
+            } catch {
+                Write-LogMessage -user $Request.headers.'x-ms-client-principal' -API $APINAME -message "Could not retrieve app registration for $AppId - will extract from service principal" -Sev 'Warning'
+                $RequiredResourceAccess = @()
+            }
+
+            # Use requiredResourceAccess if available, otherwise we can't create a proper template
+            if ($RequiredResourceAccess -and $RequiredResourceAccess.Count -gt 0) {
+                $Permissions = $RequiredResourceAccess
+            } else {
+                # No permissions found - warn the user
+                Write-LogMessage -user $Request.headers.'x-ms-client-principal' -API $APINAME -message "No permissions found for $AppId. The app registration may not have configured API permissions." -Sev 'Warning'
+                $Permissions = @()
+            }
+        } else {
+            # For app registrations (applications)
+            $AppDetails = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications?`$filter=appId eq '$AppId'&`$select=id,appId,displayName,requiredResourceAccess" -tenantid $TenantFilter
+            if (-not $AppDetails -or $AppDetails.Count -eq 0) {
+                throw "Application not found for AppId: $AppId"
+            }
+            $App = $AppDetails[0]
+            $Permissions = if ($App.requiredResourceAccess) { $App.requiredResourceAccess } else { @() }
+        }
+
+        # Transform requiredResourceAccess to the CIPP permission format
+        # CIPP expects: { "resourceAppId": { "applicationPermissions": [], "delegatedPermissions": [] } }
+        # Graph returns: [ { "resourceAppId": "...", "resourceAccess": [ { "id": "...", "type": "Role|Scope" } ] } ]
+        $CIPPPermissions = @{}
+        $PermissionSetId = $null
+        $PermissionSetName = "$DisplayName (Auto-created)"
+
+        if ($Permissions -and $Permissions.Count -gt 0) {
+            foreach ($Resource in $Permissions) {
+                $ResourceAppId = $Resource.resourceAppId
+                $AppPerms = [System.Collections.ArrayList]::new()
+                $DelegatedPerms = [System.Collections.ArrayList]::new()
+
+                foreach ($Access in $Resource.resourceAccess) {
+                    $PermObj = [PSCustomObject]@{
+                        id    = $Access.id
+                        value = $Access.id  # In the permission set format, both id and value are the permission ID
+                    }
+
+                    if ($Access.type -eq 'Role') {
+                        [void]$AppPerms.Add($PermObj)
+                    } elseif ($Access.type -eq 'Scope') {
+                        [void]$DelegatedPerms.Add($PermObj)
+                    }
+                }
+
+                $CIPPPermissions[$ResourceAppId] = [PSCustomObject]@{
+                    applicationPermissions = @($AppPerms)
+                    delegatedPermissions   = @($DelegatedPerms)
+                }
+            }
+
+            # Create the permission set in AppPermissions table
+            $PermissionSetId = (New-Guid).Guid
+            $PermissionsTable = Get-CIPPTable -TableName 'AppPermissions'
+
+            $PermissionEntity = @{
+                'PartitionKey' = 'Templates'
+                'RowKey'       = [string]$PermissionSetId
+                'TemplateName' = [string]$PermissionSetName
+                'Permissions'  = [string]($CIPPPermissions | ConvertTo-Json -Depth 10 -Compress)
+                'UpdatedBy'    = [string]'CIPP-API'
+            }
+
+            Add-CIPPAzDataTableEntity @PermissionsTable -Entity $PermissionEntity -Force
+            Write-LogMessage -user $Request.headers.'x-ms-client-principal' -API $APINAME -message "Permission set created with ID: $PermissionSetId for $($Permissions.Count) resource(s)" -Sev 'Info'
+        }
+
+        # Create the template
+        $Table = Get-CIPPTable -TableName 'templates'
+        $TemplateId = (New-Guid).Guid
+
+        $TemplateJson = @{
+            TemplateName      = "$DisplayName (Auto-created)"
+            AppId             = $AppId
+            AppName           = $DisplayName
+            AppType           = 'EnterpriseApp'
+            Permissions       = $CIPPPermissions
+            PermissionSetId   = $PermissionSetId
+            PermissionSetName = $PermissionSetName
+            AutoCreated       = $true
+            SourceTenant      = $TenantFilter
+            CreatedDate       = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ss')
+        } | ConvertTo-Json -Depth 10 -Compress
+
+        $Entity = @{
+            JSON         = "$TemplateJson"
+            RowKey       = "$TemplateId"
+            PartitionKey = 'AppApprovalTemplate'
+        }
+
+        Add-CIPPAzDataTableEntity @Table -Entity $Entity
+
+        $PermissionCount = 0
+        if ($CIPPPermissions -and $CIPPPermissions.Count -gt 0) {
+            foreach ($ResourceAppId in $CIPPPermissions.Keys) {
+                $Resource = $CIPPPermissions[$ResourceAppId]
+                if ($Resource.applicationPermissions) {
+                    $PermissionCount = $PermissionCount + $Resource.applicationPermissions.Count
+                }
+                if ($Resource.delegatedPermissions) {
+                    $PermissionCount = $PermissionCount + $Resource.delegatedPermissions.Count
+                }
+            }
+        }
+
+        $Message = "Template created: $DisplayName with $PermissionCount permission(s)"
+        Write-LogMessage -user $Request.headers.'x-ms-client-principal' -API $APINAME -message $Message -Sev 'Info'
+
+        $Body = @{
+            Results    = $Message
+            TemplateId = $TemplateId
+        }
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+        Write-LogMessage -user $Request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create template: $ErrorMessage" -Sev 'Error'
+
+        $Body = @{
+            Results = "Failed to create template: $ErrorMessage"
+        }
+        $StatusCode = [HttpStatusCode]::BadRequest
+    }
+
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = ($Body | ConvertTo-Json -Depth 10)
+        })
+}

Modules/CIPPCore/Public/Entrypoints/Invoke-ListLogs.ps1

@@ -9,6 +9,9 @@ function Invoke-ListLogs {
     param($Request, $TriggerMetadata)
     $Table = Get-CIPPTable
 
+    $TemplatesTable = Get-CIPPTable -tablename 'templates'
+    $Templates = Get-CIPPAzDataTableEntity @TemplatesTable
+
     $ReturnedLog = if ($Request.Query.ListLogs) {
         Get-AzDataTableEntity @Table -Property PartitionKey | Sort-Object -Unique PartitionKey | Select-Object PartitionKey | ForEach-Object {
             @{
@@ -32,13 +35,11 @@ function Invoke-ListLogs {
             if ($AllowedTenants -contains 'AllTenants' -or ($AllowedTenants -notcontains 'AllTenants' -and ($TenantList.defaultDomainName -contains $Row.Tenant -or $Row.Tenant -eq 'CIPP' -or $TenantList.customerId -contains $Row.TenantId)) ) {
 
                 if ($Row.StandardTemplateId) {
-                    $TemplatesTable = Get-CIPPTable -tablename 'templates'
-                    $Templates = Get-CIPPAzDataTableEntity @TemplatesTable
-
                     $Standard = ($Templates | Where-Object { $_.RowKey -eq $Row.StandardTemplateId }).JSON | ConvertFrom-Json
 
                     $StandardInfo = @{
-                        Standard = $Standard.templateName
+                        Template = $Standard.templateName
+                        Standard = $Row.Standard
                     }
 
                     if ($Row.IntuneTemplateId) {
@@ -84,6 +85,7 @@ function Invoke-ListLogs {
             $username = $Request.Query.User ?? '*'
             $TenantFilter = $Request.Query.Tenant
             $ApiFilter = $Request.Query.API
+            $StandardFilter = $Request.Query.StandardTemplateId
 
             $StartDate = $Request.Query.StartDate ?? $Request.Query.DateFilter
             $EndDate = $Request.Query.EndDate ?? $Request.Query.DateFilter
@@ -114,7 +116,8 @@ function Invoke-ListLogs {
             $_.Severity -in $LogLevel -and
             $_.Username -like $username -and
             ($TenantFilter -eq $null -or $TenantFilter -eq 'AllTenants' -or $_.Tenant -like "*$TenantFilter*" -or $_.TenantID -eq $TenantFilter) -and
-            ($ApiFilter -eq $null -or $_.API -match "$ApiFilter")
+            ($ApiFilter -eq $null -or $_.API -match "$ApiFilter") -and
+            ($StandardFilter -eq $null -or $_.StandardTemplateId -eq $StandardFilter)
         }
 
         if ($AllowedTenants -notcontains 'AllTenants') {
@@ -123,26 +126,46 @@ function Invoke-ListLogs {
 
         foreach ($Row in $Rows) {
             if ($AllowedTenants -contains 'AllTenants' -or ($AllowedTenants -notcontains 'AllTenants' -and ($TenantList.defaultDomainName -contains $Row.Tenant -or $Row.Tenant -eq 'CIPP' -or $TenantList.customerId -contains $Row.TenantId)) ) {
+                if ($Row.StandardTemplateId) {
+                    $Standard = ($Templates | Where-Object { $_.RowKey -eq $Row.StandardTemplateId }).JSON | ConvertFrom-Json
+
+                    $StandardInfo = @{
+                        Template = $Standard.templateName
+                        Standard = $Row.Standard
+                    }
+
+                    if ($Row.IntuneTemplateId) {
+                        $IntuneTemplate = ($Templates | Where-Object { $_.RowKey -eq $Row.IntuneTemplateId }).JSON | ConvertFrom-Json
+                        $StandardInfo.IntunePolicy = $IntuneTemplate.displayName
+                    }
+                    if ($Row.ConditionalAccessTemplateId) {
+                        $ConditionalAccessTemplate = ($Templates | Where-Object { $_.RowKey -eq $Row.ConditionalAccessTemplateId }).JSON | ConvertFrom-Json
+                        $StandardInfo.ConditionalAccessPolicy = $ConditionalAccessTemplate.displayName
+                    }
+                } else {
+                    $StandardInfo = @{}
+                }
 
                 $LogData = if ($Row.LogData -and (Test-Json -Json $Row.LogData -ErrorAction SilentlyContinue)) {
                     $Row.LogData | ConvertFrom-Json
                 } else { $Row.LogData }
                 [PSCustomObject]@{
-                    DateTime = $Row.Timestamp
-                    Tenant   = $Row.Tenant
-                    API      = $Row.API
-                    Message  = $Row.Message
-                    User     = $Row.Username
-                    Severity = $Row.Severity
-                    LogData  = $LogData
-                    TenantID = if ($Row.TenantID -ne $null) {
+                    DateTime     = $Row.Timestamp
+                    Tenant       = $Row.Tenant
+                    API          = $Row.API
+                    Message      = $Row.Message
+                    User         = $Row.Username
+                    Severity     = $Row.Severity
+                    LogData      = $LogData
+                    TenantID     = if ($Row.TenantID -ne $null) {
                         $Row.TenantID
                     } else {
                         'None'
                     }
-                    AppId    = $Row.AppId
-                    IP       = $Row.IP
-                    RowKey   = $Row.RowKey
+                    AppId        = $Row.AppId
+                    IP           = $Row.IP
+                    RowKey       = $Row.RowKey
+                    StandardInfo = $StandardInfo
                 }
             }
         }

Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1

@@ -153,7 +153,7 @@ function New-CIPPCAPolicy {
                     name       = ($CheckExisting | Where-Object -Property displayName -EQ $Location.displayName).displayName
                     templateId = $location.id
                 }
-                Write-LogMessage -Headers $User -API $APINAME -message "Matched a CA policy with the existing Named Location: $($location.displayName)" -Sev 'Info'
+                Write-LogMessage -Tenant $TenantFilter -Headers $User -API $APINAME -message "Matched a CA policy with the existing Named Location: $($location.displayName)" -Sev 'Info'
 
             } else {
                 if ($location.countriesAndRegions) { $location.countriesAndRegions = @($location.countriesAndRegions) }
@@ -169,7 +169,7 @@ function New-CIPPCAPolicy {
                     Start-Sleep -Seconds 2
                     $retryCount++
                 } while ((!$LocationRequest -or !$LocationRequest.id) -and ($retryCount -lt 5))
-                Write-LogMessage -Headers $User -API $APINAME -message "Created new Named Location: $($location.displayName)" -Sev 'Info'
+                Write-LogMessage -Tenant $TenantFilter -Headers $User -API $APINAME -message "Created new Named Location: $($location.displayName)" -Sev 'Info'
                 [pscustomobject]@{
                     id   = $GraphRequest.id
                     name = $GraphRequest.displayName
@@ -248,7 +248,7 @@ function New-CIPPCAPolicy {
                 }
             } catch {
                 $ErrorMessage = Get-CippException -Exception $_
-                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to replace displayNames for conditional access rule $($JSONobj.displayName). Error: $($ErrorMessage.NormalizedError)" -sev 'Error' -LogData $ErrorMessage
+                Write-LogMessage -API 'Standards' -tenant $TenantFilter -message "Failed to replace displayNames for conditional access rule $($JSONobj.displayName). Error: $($ErrorMessage.NormalizedError)" -sev 'Error' -LogData $ErrorMessage
                 throw "Failed to replace displayNames for conditional access rule $($JSONobj.displayName): $($ErrorMessage.NormalizedError)"
             }
         }
@@ -278,8 +278,8 @@ function New-CIPPCAPolicy {
         #Send request to disable security defaults.
         $body = '{ "isEnabled": false }'
         try {
-            $null = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -asApp $true -ContentType 'application/json'
-            Write-LogMessage -Headers $User -API 'Create CA Policy' -tenant $($Tenant) -message "Disabled Security Defaults for tenant $($TenantFilter)" -Sev 'Info'
+            $null = New-GraphPostRequest -tenantid $TenantFilter -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -asApp $true -ContentType 'application/json'
+            Write-LogMessage -Headers $User -API 'Create CA Policy' -tenant $TenantFilter -message "Disabled Security Defaults for tenant $($TenantFilter)" -Sev 'Info'
             Start-Sleep 3
         } catch {
             $ErrorMessage = Get-CippException -Exception $_
@@ -340,7 +340,7 @@ function New-CIPPCAPolicy {
         }
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONobj.displayName): $($ErrorMessage.NormalizedError) " -sev 'Error' -LogData $ErrorMessage
+        Write-LogMessage -API 'Standards' -tenant $TenantFilter -message "Failed to create or update conditional access rule $($JSONobj.displayName): $($ErrorMessage.NormalizedError) " -sev 'Error' -LogData $ErrorMessage
 
         Write-Warning "Failed to create or update conditional access rule $($JSONobj.displayName): $($ErrorMessage.NormalizedError)"
         Write-Information $_.InvocationInfo.PositionMessage