Merge pull request #258 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1

@@ -2,6 +2,7 @@ function Add-CIPPApplicationPermission {
     [CmdletBinding()]
     param(
         $RequiredResourceAccess,
+        $TemplateId,
         $ApplicationId,
         $Tenantfilter
     )
@@ -31,7 +32,34 @@ function Add-CIPPApplicationPermission {
 
             $RequiredResourceAccess.Add($Resource)
         }
+    } else {
+        if (!$RequiredResourceAccess -and $TemplateId) {
+            Write-Information "Adding application permissions for template $TemplateId"
+            $TemplateTable = Get-CIPPTable -TableName 'templates'
+            $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+            $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+            $ApplicationId = $Template.AppId
+            $Permissions = $Template.Permissions
+            $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
+            foreach ($AppId in $Permissions.PSObject.Properties.Name) {
+                $AppPermissions = @($Permissions.$AppId.applicationPermissions)
+                $Resource = @{
+                    resourceAppId  = $AppId
+                    resourceAccess = [System.Collections.Generic.List[object]]::new()
+                }
+                foreach ($Permission in $AppPermissions) {
+                    $Resource.ResourceAccess.Add(@{
+                            id   = $Permission.id
+                            type = 'Role'
+                        })
+                }
+
+                $RequiredResourceAccess.Add($Resource)
+            }
+        }
     }
+
+
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $Tenantfilter -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
     if (!$ourSVCPrincipal) {
@@ -59,7 +87,7 @@ function Add-CIPPApplicationPermission {
             }
         }
         foreach ($SingleResource in $App.ResourceAccess | Where-Object -Property Type -EQ 'Role') {
-            if ($SingleResource.id -In $CurrentRoles.appRoleId) { continue }
+            if ($SingleResource.id -in $CurrentRoles.appRoleId) { continue }
             [pscustomobject]@{
                 principalId = $($ourSVCPrincipal.id)
                 resourceId  = $($svcPrincipalId.id)

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -2,6 +2,7 @@ function Add-CIPPDelegatedPermission {
     [CmdletBinding()]
     param(
         $RequiredResourceAccess,
+        $TemplateId,
         $ApplicationId,
         $NoTranslateRequired,
         $Tenantfilter
@@ -40,7 +41,34 @@ function Add-CIPPDelegatedPermission {
             # remove the partner center permission if not pushing to partner tenant
             $RequiredResourceAccess = $RequiredResourceAccess | Where-Object { $_.resourceAppId -ne 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd' }
         }
+    } else {
+        if (!$RequiredResourceAccess -and $TemplateId) {
+            Write-Information "Adding delegated permissions for template $TemplateId"
+            $TemplateTable = Get-CIPPTable -TableName 'templates'
+            $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+            $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+            $ApplicationId = $Template.AppId
+            $Permissions = $Template.Permissions
+            $NoTranslateRequired = $true
+            $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
+            foreach ($AppId in $Permissions.PSObject.Properties.Name) {
+                $DelegatedPermissions = @($Permissions.$AppId.delegatedPermissions)
+                $ResourceAccess = [System.Collections.Generic.List[object]]::new()
+                foreach ($Permission in $DelegatedPermissions) {
+                    $ResourceAccess.Add(@{
+                            id   = $Permission.value
+                            type = 'Scope'
+                        })
+                }
+                $Resource = @{
+                    resourceAppId  = $AppId
+                    resourceAccess = @($ResourceAccess)
+                }
+                $RequiredResourceAccess.Add($Resource)
+            }
+        }
     }
+
     $Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property appId -EQ $ApplicationId
@@ -66,6 +94,7 @@ function Add-CIPPDelegatedPermission {
         }
 
         $DelegatedScopes = $App.resourceAccess | Where-Object -Property type -EQ 'Scope'
+
         if ($NoTranslateRequired) {
             $NewScope = @($DelegatedScopes | ForEach-Object { $_.id } | Sort-Object -Unique) -join ' '
         } else {

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecAppApprovalTemplate.ps1

@@ -0,0 +1,30 @@
+function Push-ExecAppApprovalTemplate {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    param($Item)
+
+    try {
+        $Item = $Item | ConvertTo-Json -Depth 10 | ConvertFrom-Json
+        $TemplateId = $Item.templateId
+        if (!$TemplateId) {
+            Write-LogMessage -message 'No template specified' -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
+            return
+        }
+
+        $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Item.Tenant
+        if ($Item.AppId -notin $ServicePrincipalList.appId) {
+            Write-Information "Adding $($Item.AppId) to tenant $($Item.Tenant)."
+            $PostResults = New-GraphPostRequest 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $Item.tenant -body "{ `"appId`": `"$($Item.appId)`" }"
+            Write-LogMessage -message "Added $($Item.AppId) to tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Info
+        } else {
+            Write-LogMessage -message "This app already exists in tenant $($Item.Tenant). We're adding the required permissions." -tenant $Item.Tenant -API 'Add Multitenant App' -sev Info
+        }
+        Add-CIPPApplicationPermission -TemplateId $TemplateId -Tenantfilter $Item.Tenant
+        Add-CIPPDelegatedPermission -TemplateId $TemplateId -Tenantfilter $Item.Tenant
+    } catch {
+        Write-LogMessage -message "Error adding application to tenant $($Item.Tenant) - $($_.Exception.Message)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
+        Write-Error $_.Exception.Message
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecServicePrincipals.ps1

@@ -20,17 +20,32 @@ function Invoke-ExecServicePrincipals {
     try {
         switch ($Request.Query.Action) {
             'Create' {
+                $BlockList = @(
+                    'e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd', # eM Client
+                    'ff8d92dc-3d82-41d6-bcbd-b9174d163620', # PerfectData Software
+                    'a245e8c0-b53c-4b67-9b45-751d1dff8e6b', # Newsletter Software Supermailer
+                    'b15665d9-eda6-4092-8539-0eec376afd59', # rclone
+                    'a43e5392-f48b-46a4-a0f1-098b5eeb4757', # CloudSponge
+                    'caffae8c-0882-4c81-9a27-d1803af53a40'  # SigParser
+                )
                 $Action = 'Create'
+
                 if ($Request.Query.AppId -match '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
-                    $Body = @{
-                        'appId' = $Request.Query.AppId
-                    } | ConvertTo-Json -Compress
-                    try {
-                        $ServicePrincipal = New-GraphPostRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals' -tenantid $TenantFilter -type POST -body $Body -NoAuthCheck $true
-                        $Results = "Created service principal for $($ServicePrincipal.displayName) ($($ServicePrincipal.appId))"
-                    } catch {
-                        $Results = "Unable to create service principal: $($_.Exception.Message)"
+
+                    if ($BlockList -contains $Request.Query.AppId) {
+                        $Results = 'Service Principal creation is blocked for this AppId'
                         $Success = $false
+                    } else {
+                        $Body = @{
+                            'appId' = $Request.Query.AppId
+                        } | ConvertTo-Json -Compress
+                        try {
+                            $ServicePrincipal = New-GraphPostRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals' -tenantid $TenantFilter -type POST -body $Body -NoAuthCheck $true
+                            $Results = "Created service principal for $($ServicePrincipal.displayName) ($($ServicePrincipal.appId))"
+                        } catch {
+                            $Results = "Unable to create service principal: $($_.Exception.Message)"
+                            $Success = $false
+                        }
                     }
                 } else {
                     $Results = 'Invalid AppId'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecCreateSAMApp.ps1

@@ -75,11 +75,14 @@ Function Invoke-ExecCreateSAMApp {
             if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
                 $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
                 $Secret = Get-CIPPAzDataTableEntity @DevSecretsTable -Filter "PartitionKey eq 'Secret' and RowKey eq 'Secret'"
+                if (!$Secret) { $Secret = New-Object -TypeName PSObject }
+                $Secret | Add-Member -MemberType NoteProperty -Name 'PartitionKey' -Value 'Secret' -Force
+                $Secret | Add-Member -MemberType NoteProperty -Name 'RowKey' -Value 'Secret' -Force
                 $Secret | Add-Member -MemberType NoteProperty -Name 'tenantid' -Value $TenantId -Force
                 $Secret | Add-Member -MemberType NoteProperty -Name 'applicationid' -Value $AppId.appId -Force
                 $Secret | Add-Member -MemberType NoteProperty -Name 'applicationsecret' -Value $AppPassword -Force
-                Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
                 Write-Information ($Secret | ConvertTo-Json -Depth 5)
+                Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
             } else {
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'tenantid' -SecretValue (ConvertTo-SecureString -String $TenantId -AsPlainText -Force)
                 Set-AzKeyVaultSecret -VaultName $kv -Name 'applicationid' -SecretValue (ConvertTo-SecureString -String $Appid.appId -AsPlainText -Force)

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ExecAddMultiTenantApp.ps1

@@ -12,51 +12,90 @@ function Invoke-ExecAddMultiTenantApp {
     $APIName = $Request.Params.CIPPEndpoint
     $Headers = $Request.Headers
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
-    $DelegateResources = $request.body.permissions | Where-Object -Property origin -EQ 'Delegated' | ForEach-Object { @{ id = $_.id; type = 'Scope' } }
-    $DelegateResourceAccess = @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; resourceAccess = $DelegateResources }
-    $ApplicationResources = $request.body.permissions | Where-Object -Property origin -EQ 'Application' | ForEach-Object { @{ id = $_.id; type = 'Role' } }
-    $ApplicationResourceAccess = @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; resourceAccess = $ApplicationResources }
 
-    $Results = try {
-        if ($Request.Body.CopyPermissions -eq $true) {
-            $Command = 'ExecApplicationCopy'
-        } else {
-            $Command = 'ExecAddMultiTenantApp'
-        }
-        if ('allTenants' -in $Request.Body.tenantFilter.value) {
-            $TenantFilter = (Get-Tenants).defaultDomainName
-        } else {
-            $TenantFilter = $Request.Body.tenantFilter.value
-        }
+    if ($Request.Body.configMode -eq 'manual') {
+        $DelegateResources = $request.body.permissions | Where-Object -Property origin -EQ 'Delegated' | ForEach-Object { @{ id = $_.id; type = 'Scope' } }
+        $DelegateResourceAccess = @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; resourceAccess = $DelegateResources }
+        $ApplicationResources = $request.body.permissions | Where-Object -Property origin -EQ 'Application' | ForEach-Object { @{ id = $_.id; type = 'Role' } }
+        $ApplicationResourceAccess = @{ ResourceAppId = '00000003-0000-0000-c000-000000000000'; resourceAccess = $ApplicationResources }
+
+        $Results = try {
+            if ($Request.Body.CopyPermissions -eq $true) {
+                $Command = 'ExecApplicationCopy'
+            } else {
+                $Command = 'ExecAddMultiTenantApp'
+            }
+            if ('allTenants' -in $Request.Body.tenantFilter.value) {
+                $TenantFilter = (Get-Tenants).defaultDomainName
+            } else {
+                $TenantFilter = $Request.Body.tenantFilter.value
+            }
+
+            $TenantCount = ($TenantFilter | Measure-Object).Count
+            $Queue = New-CippQueueEntry -Name 'Application Approval' -TotalTasks $TenantCount
+            $Batch = foreach ($Tenant in $TenantFilter) {
+                [pscustomobject]@{
+                    FunctionName              = $Command
+                    Tenant                    = $tenant
+                    AppId                     = $Request.Body.AppId
+                    applicationResourceAccess = $ApplicationResourceAccess
+                    delegateResourceAccess    = $DelegateResourceAccess
+                    QueueId                   = $Queue.RowKey
+                }
+            }
 
-        $TenantCount = ($TenantFilter | Measure-Object).Count
-        $Queue = New-CippQueueEntry -Name 'Application Approval' -TotalTasks $TenantCount
-        foreach ($Tenant in $TenantFilter) {
             try {
                 $InputObject = @{
                     OrchestratorName = 'ExecMultiTenantAppOrchestrator'
-                    Batch            = @([pscustomobject]@{
-                            FunctionName              = $Command
-                            Tenant                    = $tenant
-                            AppId                     = $Request.Body.AppId
-                            applicationResourceAccess = $ApplicationResourceAccess
-                            delegateResourceAccess    = $DelegateResourceAccess
-                            QueueId                   = $Queue.RowKey
-                        })
+                    Batch            = @($Batch)
                     SkipLog          = $true
                 }
                 $null = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
-                "Queued application to tenant $Tenant. See the logbook for deployment details"
+                $Results = 'Deploying {0} to {1}, see the logbook for details' -f $Request.Body.AppId, ($Request.Body.tenantFilter.label -join ', ')
             } catch {
-                "Error queuing application to tenant $Tenant - $($_.Exception.Message)"
+                $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
+                $Results = "Function Error: $ErrorMsg"
             }
+
+            $StatusCode = [HttpStatusCode]::OK
+        } catch {
+            $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
+            $Results = "Function Error: $ErrorMsg"
+            $StatusCode = [HttpStatusCode]::BadRequest
+        }
+    } elseif ($Request.Body.configMode -eq 'template') {
+        Write-Information 'Application Approval - Template Mode'
+        if ('allTenants' -in $Request.Body.tenantFilter.value) {
+            $TenantFilter = (Get-Tenants).defaultDomainName
+        } else {
+            $TenantFilter = $Request.Body.tenantFilter.value
+        }
+        $TenantCount = ($TenantFilter | Measure-Object).Count
+        $Queue = New-CippQueueEntry -Name 'Application Approval (Template)' -TotalTasks $TenantCount
+
+        $Batch = foreach ($Tenant in $TenantFilter) {
+            [pscustomobject]@{
+                FunctionName = 'ExecAppApprovalTemplate'
+                Tenant       = $tenant
+                TemplateId   = $Request.Body.selectedTemplate.value
+                AppId        = $Request.Body.selectedTemplate.addedFields.AppId
+                QueueId      = $Queue.RowKey
+            }
+        }
+        try {
+            $InputObject = @{
+                OrchestratorName = 'ExecMultiTenantAppOrchestrator'
+                Batch            = @($Batch)
+                SkipLog          = $true
+            }
+            $null = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+            $Results = 'Deploying {0} to {1}, see the logbook for details' -f $Request.Body.selectedTemplate.label, ($Request.Body.tenantFilter.label -join ', ')
+        } catch {
+            $Results = "Error queuing application - $($_.Exception.Message)"
         }
         $StatusCode = [HttpStatusCode]::OK
-    } catch {
-        $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
-        $Results = "Function Error: $ErrorMsg"
-        $StatusCode = [HttpStatusCode]::BadRequest
     }
+
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = $StatusCode

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Application Approval/Invoke-ListAppApprovalTemplates.ps1

@@ -53,12 +53,10 @@ function Invoke-ListAppApprovalTemplates {
             }
         }
 
-        Write-LogMessage -headers $Headers -API $APIName -message "Listed App Deployment Templates: $($Body.Count) templates found" -Sev 'Info'
     } catch {
         $Body = @{
             Results = "Failed to list app deployment templates: $($_.Exception.Message)"
         }
-        Write-LogMessage -headers $Headers -API $APIName -message "Failed to list App Deployment Templates: $($_.Exception.Message)" -Sev 'Error'
     }
 
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{