
Commit bc780d7

committed
fix: new-cippcapolicy
Ensure all API checks are made as the application to prevent lockouts. For display name replacements, iterate through each ID in the list in case there are duplicates. Clean up outputs. Create a helper function for user replacement.
1 parent dc9ad98 commit bc780d7


1 file changed

+61
-24
lines changed


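--- a/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1
+++ b/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1
@@ -39,16 +39,50 @@ function New-CIPPCAPolicy {
 # Helper function to replace group display names with GUIDs
 function Replace-GroupNameWithId {
 param($groupNames)
-return $groupNames | ForEach-Object {
+
+$GroupIds = [System.Collections.Generic.List[string]]::new()
+$groupNames | ForEach-Object {
 if (Test-IsGuid $_) {
 Write-LogMessage -Headers $User -API $APINAME -message "Already GUID, no need to replace: $_" -Sev 'Debug'
-$_ # it's a GUID, so we keep it
+$GroupIds.Add($_) # it's a GUID, so we keep it
 } else {
 $groupId = ($groups | Where-Object -Property displayName -EQ $_).id # it's a display name, so we get the group ID
-Write-LogMessage -Headers $User -API $APINAME -message "Replaced group name $_ with ID $groupId" -Sev 'Debug'
-$groupId
+if ($groupId) {
+foreach ($gid in $groupId) {
+Write-Warning "Replaced group name $_ with ID $gid"
+$null = Write-LogMessage -Headers $User -API $APINAME -message "Replaced group name $_ with ID $gid" -Sev 'Debug'
+$GroupIds.Add($gid) # add the ID to the list
+}
+} else {
+Write-Warning "Group $_ not found in the tenant"
+}
 }
 }
+return $GroupIds
+}
+
+function Replace-UserNameWithId {
+param($userNames)
+
+$UserIds = [System.Collections.Generic.List[string]]::new()
+$userNames | ForEach-Object {
+if (Test-IsGuid $_) {
+Write-LogMessage -Headers $User -API $APINAME -message "Already GUID, no need to replace: $_" -Sev 'Debug'
+$UserIds.Add($_) # it's a GUID, so we keep it
+} else {
+$userId = ($users | Where-Object -Property displayName -EQ $_).id # it's a display name, so we get the user ID
+if ($userId) {
+foreach ($uid in $userId) {
+Write-Warning "Replaced user name $_ with ID $uid"
+$null = Write-LogMessage -Headers $User -API $APINAME -message "Replaced user name $_ with ID $uid" -Sev 'Debug'
+$UserIds.Add($uid) # add the ID to the list
+}
+} else {
+Write-Warning "User $_ not found in the tenant"
+}
+}
+}
+return $UserIds
 }
 
 $displayname = ($RawJSON | ConvertFrom-Json).Displayname
@@ -71,13 +105,13 @@ function New-CIPPCAPolicy {
 
 #If Grant Controls contains authenticationstrength, create these and then replace the id
 if ($JSONobj.GrantControls.authenticationStrength.policyType -eq 'custom' -or $JSONobj.GrantControls.authenticationStrength.policyType -eq 'BuiltIn') {
-$ExistingStrength = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies/' -tenantid $TenantFilter | Where-Object -Property displayName -EQ $JSONobj.GrantControls.authenticationStrength.displayName
+$ExistingStrength = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies/' -tenantid $TenantFilter -asApp $true | Where-Object -Property displayName -EQ $JSONobj.GrantControls.authenticationStrength.displayName
 if ($ExistingStrength) {
 $JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
 
 } else {
 $Body = ConvertTo-Json -InputObject $JSONObj.GrantControls.authenticationStrength
-$GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies' -body $body -Type POST -tenantid $tenantfilter
+$GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies' -body $body -Type POST -tenantid $tenantfilter -asApp $true
 $JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
 Write-LogMessage -Headers $User -API $APINAME -message "Created new Authentication Strength Policy: $($JSONObj.GrantControls.authenticationStrength.displayName)" -Sev 'Info'
 }
@@ -88,7 +122,7 @@ function New-CIPPCAPolicy {
 $LocationLookupTable = foreach ($locations in $jsonobj.LocationInfo) {
 foreach ($location in $locations) {
 if (!$location.displayName) { continue }
-$CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -tenantid $TenantFilter
+$CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -tenantid $TenantFilter -asApp $true
 if ($Location.displayName -in $CheckExististing.displayName) {
 [pscustomobject]@{
 id = ($CheckExististing | Where-Object -Property displayName -EQ $Location.displayName).id
@@ -99,7 +133,7 @@ function New-CIPPCAPolicy {
 } else {
 if ($location.countriesAndRegions) { $location.countriesAndRegions = @($location.countriesAndRegions) }
 $Body = ConvertTo-Json -InputObject $Location
-$GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -body $body -Type POST -tenantid $tenantfilter
+$GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -body $body -Type POST -tenantid $tenantfilter -asApp $true
 Write-LogMessage -Headers $User -API $APINAME -message "Created new Named Location: $($location.displayName)" -Sev 'Info'
 [pscustomobject]@{
 id = $GraphRequest.id
@@ -110,9 +144,9 @@ function New-CIPPCAPolicy {
 }
 
 foreach ($location in $JSONObj.conditions.locations.includeLocations) {
-Write-Host "Replacing $location"
+Write-Information "Replacing $location"
 $lookup = $LocationLookupTable | Where-Object -Property name -EQ $location
-Write-Host "Found $lookup"
+Write-Information "Found $lookup"
 if (!$lookup) { continue }
 $index = [array]::IndexOf($JSONObj.conditions.locations.includeLocations, $location)
 $JSONObj.conditions.locations.includeLocations[$index] = $lookup.id
@@ -126,24 +160,27 @@ function New-CIPPCAPolicy {
 }
 switch ($ReplacePattern) {
 'none' {
-Write-Host 'Replacement pattern for inclusions and exclusions is none'
+Write-Information 'Replacement pattern for inclusions and exclusions is none'
 break
 }
 'AllUsers' {
-Write-Host 'Replacement pattern for inclusions and exclusions is All users. This policy will now apply to everyone.'
+Write-Information 'Replacement pattern for inclusions and exclusions is All users. This policy will now apply to everyone.'
 if ($JSONObj.conditions.users.includeUsers -ne 'All') { $JSONObj.conditions.users.includeUsers = @('All') }
 if ($JSONObj.conditions.users.excludeUsers) { $JSONObj.conditions.users.excludeUsers = @() }
 if ($JSONObj.conditions.users.includeGroups) { $JSONObj.conditions.users.includeGroups = @() }
 if ($JSONObj.conditions.users.excludeGroups) { $JSONObj.conditions.users.excludeGroups = @() }
 }
 'displayName' {
 try {
-Write-Host 'Replacement pattern for inclusions and exclusions is displayName.'
-$users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/users?$select=id,displayName' -tenantid $TenantFilter
-$groups = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName' -tenantid $TenantFilter
+Write-Information 'Replacement pattern for inclusions and exclusions is displayName.'
+$users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/users?$select=id,displayName' -tenantid $TenantFilter -asApp $true
+$groups = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName' -tenantid $TenantFilter -asApp $true
 
-if ($JSONObj.conditions.users.includeUsers -and $JSONObj.conditions.users.includeUsers -notin 'All', 'None', 'GuestOrExternalUsers') { $JSONObj.conditions.users.includeUsers = @(($users | Where-Object -Property displayName -In $JSONObj.conditions.users.includeUsers).id) }
-if ($JSONObj.conditions.users.excludeUsers) { $JSONObj.conditions.users.excludeUsers = @(($users | Where-Object -Property displayName -In $JSONObj.conditions.users.excludeUsers).id) }
+foreach ($userType in 'includeUsers', 'excludeUsers') {
+if ($JSONObj.conditions.users.PSObject.Properties.Name -contains $userType -and $JSONObj.conditions.users.$userType -notin 'All', 'None', 'GuestOrExternalUsers') {
+$JSONObj.conditions.users.$userType = @(Replace-UserNameWithId -userNames $JSONObj.conditions.users.$userType)
+}
+}
 
 # Check the included and excluded groups
 foreach ($groupType in 'includeGroups', 'excludeGroups') {
@@ -182,23 +219,23 @@ function New-CIPPCAPolicy {
 }
 
 $RawJSON = ConvertTo-Json -InputObject $JSONObj -Depth 10 -Compress
-Write-Host $RawJSON
+Write-Information $RawJSON
 try {
-Write-Host 'Checking'
-$CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $TenantFilter | Where-Object -Property displayName -EQ $displayname
+Write-Information 'Checking'
+$CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $TenantFilter -asApp $true | Where-Object -Property displayName -EQ $displayname
 if ($CheckExististing) {
 if ($Overwrite -ne $true) {
 Throw "Conditional Access Policy with Display Name $($Displayname) Already exists"
 return $false
 } else {
-Write-Host "overwriting $($CheckExististing.id)"
-$PatchRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExististing.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON
+Write-Information "overwriting $($CheckExististing.id)"
+$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($CheckExististing.id)" -tenantid $tenantfilter -type PATCH -body $RawJSON -asApp $true
 Write-LogMessage -Headers $User -API $APINAME -tenant $($Tenant) -message "Updated Conditional Access Policy $($JSONObj.Displayname) to the template standard." -Sev 'Info'
 return "Updated policy $displayname for $tenantfilter"
 }
 } else {
-Write-Host 'Creating'
-$CreateRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $tenantfilter -type POST -body $RawJSON
+Write-Information 'Creating'
+$null = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $tenantfilter -type POST -body $RawJSON -asApp $true
 Write-LogMessage -Headers $User -API $APINAME -tenant $($Tenant) -message "Added Conditional Access Policy $($JSONObj.Displayname)" -Sev 'Info'
 return "Created policy $displayname for $tenantfilter"
 }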
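Review bot: In the authenticationStrength hunk, the else branch still assigns `$JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }` right after the POST that creates the strength policy, but `$ExistingStrength` is empty on that path (that is why the branch was taken), so the CA policy body is sent with a null authenticationStrength id; the created policy's id is in `$GraphRequest`, so that line should read `$JSONObj.GrantControls.authenticationStrength = @{ id = $GraphRequest.id }`. The commit adds `-asApp $true` to the line directly above without touching this one. Separately, the new Replace-UserNameWithId helper appends every user whose displayName matches and only emits Write-Warning when a name is ambiguous or unresolved; since display names are not unique in the tenant, an ambiguous name in excludeUsers would, as written, exempt every matching account from the policy, and an unresolved name is silently dropped from the list, so rejecting (or at least logging through Write-LogMessage at a higher severity) ambiguous or missing names in the exclusion lists would be the safer default. New-CIPPCAPolicy's body begins and ends outside the hunks shown.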
