Merge pull request #354 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecAppApprovalTemplate.ps1

@@ -43,7 +43,7 @@ function Push-ExecAppApprovalTemplate {
             # Check if the app already exists in the tenant
             $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Item.Tenant
             if ($TemplateData.GalleryTemplateId -in $ServicePrincipalList.applicationTemplateId) {
-                Write-LogMessage -message "Gallery Template app $($TemplateData.AppName) already exists in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Info
+                Write-LogMessage -message "Gallery Template app $($TemplateData.AppName) already exists in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add Gallery App' -sev Info
                 return
             }
 
@@ -55,10 +55,70 @@ function Push-ExecAppApprovalTemplate {
             $InstantiateResult = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/applicationTemplates/$GalleryTemplateId/instantiate" -type POST -tenantid $Item.tenant -body $InstantiateBody
 
             if ($InstantiateResult.application.appId) {
-                Write-LogMessage -message "Successfully deployed Gallery Template $($TemplateData.AppName) to tenant $($Item.Tenant). Application ID: $($InstantiateResult.application.appId)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Info
-                New-CIPPApplicationCopy -App $InstantiateResult.application.appId -Tenant $Item.Tenant
+                Write-LogMessage -message "Successfully deployed Gallery Template $($TemplateData.AppName) to tenant $($Item.Tenant). Application ID: $($InstantiateResult.application.appId)" -tenant $Item.Tenant -API 'Add Gallery App' -sev Info
+                # Get application registration
+                $App = $InstantiateResult.application.appId
+                $Application = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/applications(appId='$App')" -tenantid $Item.tenant -AsApp $true
+                if ($Application.requiredResourceAccess) {
+                    Add-CIPPDelegatedPermission -RequiredResourceAccess $Application.requiredResourceAccess -ApplicationId $App -Tenantfilter $Item.Tenant
+                    Add-CIPPApplicationPermission -RequiredResourceAccess $Application.requiredResourceAccess -ApplicationId $App -Tenantfilter $Item.Tenant
+                }
             } else {
-                Write-LogMessage -message "Gallery Template deployment completed but application ID not returned for $($TemplateData.AppName) in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add Multitenant App' -sev Warning
+                Write-LogMessage -message "Gallery Template deployment completed but application ID not returned for $($TemplateData.AppName) in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add Gallery App' -sev Warning
+            }
+
+        } elseif ($AppType -eq 'ApplicationManifest') {
+            Write-Information "Deploying Application Manifest $($TemplateData.AppName) to tenant $($Item.Tenant)."
+
+            # Get the application manifest from template data
+            $ApplicationManifest = $TemplateData.ApplicationManifest
+            if (!$ApplicationManifest) {
+                Write-LogMessage -message 'Application Manifest not found in template data' -tenant $Item.Tenant -API 'Add Multitenant App' -sev Error
+                return
+            }
+
+            # Check for existing application by display name
+            $ExistingApp = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/applications?`$filter=displayName eq '$($TemplateData.AppName)'&`$top=1" -tenantid $Item.Tenant -NoAuthCheck $true
+            if ($ExistingApp -and $ExistingApp.value) {
+                Write-LogMessage -message "Application Manifest $($TemplateData.AppName) already exists in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Info
+                return
+            }
+
+            $PropertiesToRemove = @('appId', 'id', 'createdDateTime', 'publisherDomain', 'servicePrincipalLockConfiguration', 'identifierUris', 'applicationIdUris')
+
+            # Strip tenant-specific data that might cause conflicts
+            $CleanManifest = $ApplicationManifest | ConvertTo-Json -Depth 10 | ConvertFrom-Json
+            foreach ($Property in $PropertiesToRemove) {
+                $CleanManifest.PSObject.Properties.Remove($Property)
+            }
+
+            # Create the application from manifest
+            try {
+                $CreateBody = $CleanManifest | ConvertTo-Json -Depth 10
+                $CreatedApp = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/applications' -type POST -tenantid $Item.tenant -body $CreateBody
+
+                if ($CreatedApp.appId) {
+                    # Create service principal for the application
+                    $ServicePrincipalBody = @{
+                        appId = $CreatedApp.appId
+                    } | ConvertTo-Json
+
+                    $ServicePrincipal = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $Item.tenant -body $ServicePrincipalBody
+
+                    Write-LogMessage -message "Successfully deployed Application Manifest $($TemplateData.AppName) to tenant $($Item.Tenant). Application ID: $($CreatedApp.appId)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Info
+                    $DelegateResourceAccess = $ApplicationManifest.requiredResourceAccess
+                    $ApplicationResourceAccess = $ApplicationManifest.requiredResourceAccess
+                    if ($ApplicationManifest.requiredResourceAccess) {
+                        Add-CIPPDelegatedPermission -RequiredResourceAccess $ApplicationManifest.requiredResourceAccess -ApplicationId $App -Tenantfilter $Tenant
+                        Add-CIPPApplicationPermission -RequiredResourceAccess $ApplicationManifest.requiredResourceAccess -ApplicationId $App -Tenantfilter $Tenant
+                    }
+
+                } else {
+                    Write-LogMessage -message "Application Manifest deployment failed - no application ID returned for $($TemplateData.AppName) in tenant $($Item.Tenant)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Error
+                }
+            } catch {
+                Write-LogMessage -message "Error creating application from manifest in tenant $($Item.Tenant) - $($_.Exception.Message)" -tenant $Item.Tenant -API 'Add App Manifest' -sev Error
+                throw
             }
 
         } else {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecServicePrincipals.ps1

@@ -61,7 +61,12 @@ function Invoke-ExecServicePrincipals {
                     $Results = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals/$($Request.Query.Id)" -tenantid $TenantFilter -NoAuthCheck $true
                 } else {
                     $Action = 'List'
-                    $Results = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals?$top=999&$orderby=displayName&$count=true' -ComplexFilter -tenantid $TenantFilter -NoAuthCheck $true
+                    $Uri = 'https://graph.microsoft.com/beta/servicePrincipals?$top=999&$orderby=displayName&$count=true'
+                    if ($Request.Query.Select) {
+                        $Uri = '{0}&$select={1}' -f $Uri, $Request.Query.Select
+                    }
+
+                    $Results = New-GraphGetRequest -Uri $Uri -ComplexFilter -tenantid $TenantFilter -NoAuthCheck $true
                 }
             }
         }

Modules/CIPPCore/Public/Entrypoints/Invoke-ExecCSPLicense.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecCSPLicense {
+function Invoke-ExecCSPLicense {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -17,7 +17,7 @@ Function Invoke-ExecCSPLicense {
     # Interact with query parameters or the body of the request.
     $TenantFilter = $Request.Body.tenantFilter
     $Action = $Request.Body.Action
-    $SKU = $Request.Body.SKU
+    $SKU = $Request.Body.SKU.value ?? $Request.Body.SKU
 
     try {
         if ($Action -eq 'Add') {

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1

@@ -47,15 +47,60 @@ function Invoke-CIPPStandardAppDeploy {
             $Template = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'AppApprovalTemplate' and RowKey eq '$TemplateId'"
             if ($Template) {
                 $TemplateData = $Template.JSON | ConvertFrom-Json
-                if ($TemplateData.AppId) {
-                    $TemplateData.AppId ?? $TemplateData.GalleryTemplateId
+                # Default to EnterpriseApp for backward compatibility with older templates
+                $AppType = $TemplateData.AppType
+                if (-not $AppType) {
+                    $AppType = 'EnterpriseApp'
+                }
+
+                # Return different identifiers based on app type for checking
+                if ($AppType -eq 'ApplicationManifest') {
+                    # For Application Manifests, use display name for checking
+                    $TemplateData.AppName
+                } elseif ($AppType -eq 'GalleryTemplate') {
+                    # For Gallery Templates, use gallery template ID
+                    $TemplateData.GalleryTemplateId
+                } else {
+                    # For Enterprise Apps, use app ID
+                    $TemplateData.AppId
                 }
             }
         }
     }
-    $MissingApps = foreach ($App in $AppsToAdd) {
-        if ($App -notin $AppExists.appId -and $App -notin $AppExists.applicationTemplateId) {
-            $App
+
+    # Check for missing apps based on template type
+    $MissingApps = [System.Collections.Generic.List[string]]::new()
+    if ($Mode -eq 'template') {
+        $Table = Get-CIPPTable -TableName 'templates'
+        foreach ($TemplateId in $Settings.templateIds.value) {
+            $Template = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'AppApprovalTemplate' and RowKey eq '$TemplateId'"
+            if ($Template) {
+                $TemplateData = $Template.JSON | ConvertFrom-Json
+                $AppType = $TemplateData.AppType ?? 'EnterpriseApp'
+
+                $IsAppMissing = $false
+                if ($AppType -eq 'ApplicationManifest') {
+                    # For Application Manifests, check by display name
+                    $IsAppMissing = $TemplateData.AppName -notin $AppExists.displayName
+                } elseif ($AppType -eq 'GalleryTemplate') {
+                    # For Gallery Templates, check by application template ID
+                    $IsAppMissing = $TemplateData.GalleryTemplateId -notin $AppExists.applicationTemplateId
+                } else {
+                    # For Enterprise Apps, check by app ID
+                    $IsAppMissing = $TemplateData.AppId -notin $AppExists.appId
+                }
+
+                if ($IsAppMissing) {
+                    $MissingApps.Add($TemplateData.AppName ?? $TemplateData.AppId ?? $TemplateData.GalleryTemplateId)
+                }
+            }
+        }
+    } else {
+        # For copy mode, check by app ID as before
+        $MissingApps = foreach ($App in $AppsToAdd) {
+            if ($App -notin $AppExists.appId -and $App -notin $AppExists.applicationTemplateId) {
+                $App
+            }
         }
     }
     if ($Settings.remediate -eq $true) {
@@ -76,8 +121,6 @@ function Invoke-CIPPStandardAppDeploy {
             }
         } elseif ($Mode -eq 'template') {
             $TemplateIds = $Settings.templateIds.value
-            $TemplateName = $Settings.templateIds.label
-            $AppIds = $Settings.templateIds.addedFields.AppId
 
             # Get template data to determine deployment type for each template
             $Table = Get-CIPPTable -TableName 'templates'
@@ -129,6 +172,56 @@ function Invoke-CIPPStandardAppDeploy {
                             Write-LogMessage -API 'Standards' -tenant $tenant -message "Gallery Template deployment completed but application ID not returned for $($TemplateData.AppName) in tenant $Tenant" -sev Warning
                         }
 
+                    } elseif ($AppType -eq 'ApplicationManifest') {
+                        # Handle Application Manifest deployment
+                        Write-Information "Deploying Application Manifest $($TemplateData.AppName) to tenant $Tenant."
+
+                        $ApplicationManifest = $TemplateData.ApplicationManifest
+                        if (!$ApplicationManifest) {
+                            Write-LogMessage -API 'Standards' -tenant $tenant -message "Application Manifest not found in template data for $($TemplateData.TemplateName)" -sev Error
+                            continue
+                        }
+
+                        # Check if an application with the same display name already exists
+                        $ExistingApp = $AppExists | Where-Object { $_.displayName -eq $TemplateData.AppName }
+                        if ($ExistingApp) {
+                            Write-LogMessage -API 'Standards' -tenant $tenant -message "Application with name '$($TemplateData.AppName)' already exists in tenant $Tenant" -sev Info
+                            continue
+                        }
+
+                        $PropertiesToRemove = @('appId', 'id', 'createdDateTime', 'publisherDomain', 'servicePrincipalLockConfiguration', 'identifierUris', 'applicationIdUris')
+
+                        # Strip tenant-specific data that might cause conflicts
+                        $CleanManifest = $ApplicationManifest | ConvertTo-Json -Depth 10 | ConvertFrom-Json
+                        foreach ($Property in $PropertiesToRemove) {
+                            $CleanManifest.PSObject.Properties.Remove($Property)
+                        }
+                        # Create the application from manifest
+                        try {
+                            $CreateBody = $CleanManifest | ConvertTo-Json -Depth 10
+                            $CreatedApp = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/applications' -type POST -tenantid $Tenant -body $CreateBody
+
+                            if ($CreatedApp.appId) {
+                                # Create service principal for the application
+                                $ServicePrincipalBody = @{
+                                    appId = $CreatedApp.appId
+                                } | ConvertTo-Json
+
+                                $ServicePrincipal = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $Tenant -body $ServicePrincipalBody
+
+                                Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully deployed Application Manifest $($TemplateData.AppName) to tenant $Tenant. Application ID: $($CreatedApp.appId)" -sev Info
+
+                                if ($CreatedApp.requiredResourceAccess) {
+                                    Add-CIPPDelegatedPermission -RequiredResourceAccess $CreatedApp.requiredResourceAccess -ApplicationId $CreatedApp.appId -Tenantfilter $Tenant
+                                    Add-CIPPApplicationPermission -RequiredResourceAccess $CreatedApp.requiredResourceAccess -ApplicationId $CreatedApp.appId -Tenantfilter $Tenant
+                                }
+                            } else {
+                                Write-LogMessage -API 'Standards' -tenant $tenant -message "Application Manifest deployment failed - no application ID returned for $($TemplateData.AppName) in tenant $Tenant" -sev Error
+                            }
+                        } catch {
+                            Write-LogMessage -API 'Standards' -tenant $tenant -message "Error creating application from manifest in tenant $Tenant - $($_.Exception.Message)" -sev Error
+                        }
+
                     } else {
                         # Handle Enterprise App deployment (existing logic)
                         $AppId = $TemplateData.AppId