
Commit e5f7287

authored
Merge pull request #348 from KelvinTegelaar/dev
[pull] dev from KelvinTegelaar:dev
2 parents bdc0c3a + 058d307 commit e5f7287


2 files changed

+117
-0
lines changed

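--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,35 @@
+using namespace System.Net
+
+Function Invoke-ExecCAServiceExclusion {
+<#
+.FUNCTIONALITY
+Entrypoint
+.ROLE
+Tenant.ConditionalAccess.ReadWrite
+#>
+[CmdletBinding()]
+param($Request, $TriggerMetadata)
+
+$APIName = $Request.Params.CIPPEndpoint
+$Headers = $Request.Headers
+Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+# Interact with the request
+$TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
+$ID = $Request.Query.GUID ?? $Request.Body.GUID
+
+try {
+$result = Set-CIPPCAPolicyServiceException -TenantFilter $TenantFilter -PolicyId $ID
+$Body = @{ Results = $result }
+Write-LogMessage -headers $Headers -API 'Set-CIPPCAPolicyServiceException' -message $Message -Sev 'Info' -tenant $TenantFilter
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+$Body = @{ Results = "Failed to add service provider exception to policy $($ID): $($ErrorMessage.NormalizedError)" }
+Write-LogMessage -headers $Headers -API 'Set-CIPPCAPolicyServiceException' -message "Failed to update policy $($PolicyId) with service provider exception for tenant $($CSPtenantId): $($_.Exception.Message)" -Sev 'Error' -tenant $TenantFilter -LogData (Get-CippException -Exception $_)
+}
+
+Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+StatusCode = [HttpStatusCode]::OK
+Body = $Body
+})
+}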
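Review bot: The Info log on line 24 passes `$Message`, which is never assigned in this function, so the success entry for a Conditional Access policy change is written with an empty message; log the value that is returned to the caller instead, `Write-LogMessage -headers $Headers -API 'Set-CIPPCAPolicyServiceException' -message $result -Sev 'Info' -tenant $TenantFilter`. The Error log on line 28 has the same problem with `$PolicyId` and `$CSPtenantId`, which appear to be locals of the callee and are not in scope here, so the failure entry loses the policy id and tenant; use `$($ID)` and `$($TenantFilter)` in that message. Note also that the catch branch still answers with `[HttpStatusCode]::OK` on line 32, so an API client cannot distinguish a failed exclusion from a successful one without parsing the Results string; consider answering `[HttpStatusCode]::BadRequest` when the catch path was taken.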
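--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,82 @@
+function Set-CIPPCAPolicyServiceException {
+[CmdletBinding(SupportsShouldProcess = $true)]
+param(
+$TenantFilter,
+$PolicyId
+)
+
+$CSPtenantId = $env:TenantID
+
+# Get the current policy
+$policy = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($PolicyId)" -tenantid $TenantFilter -AsApp $true
+
+# If the policy is set to affect either all or all guests/external users
+if ($policy.conditions.users.includeUsers -eq "All" -OR $policy.conditions.users.includeGuestsOrExternalUsers.externalTenants.membershipKind -eq "all") {
+
+# Check if the policy already has the correct service provider exception
+if ($policy.conditions.users.excludeGuestsOrExternalUsers) {
+$excludeConfig = $policy.conditions.users.excludeGuestsOrExternalUsers
+
+# Check if serviceProvider is already in guestOrExternalUserTypes
+$hasServiceProvider = $excludeConfig.guestOrExternalUserTypes -match "serviceProvider"
+
+# Check if externalTenants is properly configured
+if ($excludeConfig.externalTenants) {
+$externalTenants = $excludeConfig.externalTenants
+$hasCorrectExternalTenants = ($externalTenants.membershipKind -eq "enumerated" -and
+$externalTenants.members -contains $CSPtenantId)
+
+# If already configured, exit without making changes
+if ($hasServiceProvider -and $hasCorrectExternalTenants) {
+return "Policy $PolicyId already has the correct service provider configuration. No changes needed."
+}
+}
+}
+
+# If excludeGuestsOrExternalUsers is empty, add the entire exclusion
+if (!($policy.conditions.users.excludeGuestsOrExternalUsers)) {
+
+# Define data
+$excludeServiceProviderData = [pscustomobject]@{
+guestOrExternalUserTypes = "serviceProvider"
+externalTenants = [pscustomobject]@{
+'@odata.type' = "#microsoft.graph.conditionalAccessEnumeratedExternalTenants"
+membershipKind = "enumerated"
+members = @(
+$CSPtenantId
+)
+}
+}
+
+# Add data to cached policy
+$policy.conditions.users.excludeGuestsOrExternalUsers = $excludeServiceProviderData
+}
+
+# If excludeGuestsOrExternalUsers already has content correct it to match $excludeServiceProviderData
+if ($policy.conditions.users.excludeGuestsOrExternalUsers) {
+
+# If guestOrExternalUserTypes doesn't include type serviceProvider add it
+if ($policy.conditions.users.excludeGuestsOrExternalUsers.guestOrExternalUserTypes -notmatch "serviceProvider") {
+$policy.conditions.users.excludeGuestsOrExternalUsers.guestOrExternalUserTypes += ",serviceProvider"
+}
+
+# If guestOrExternalUserTypes includes type serviceProvider and membershipKind is not all tenants
+if ($policy.conditions.users.excludeGuestsOrExternalUsers.guestOrExternalUserTypes -match "serviceProvider" -AND $policy.conditions.users.excludeGuestsOrExternalUsers.externalTenants.membershipKind -ne "all") {
+
+# If membershipKind is enumerated and members does not include our tenant add it
+if ($policy.conditions.users.excludeGuestsOrExternalUsers.externalTenants.membershipKind -eq "enumerated" -AND $policy.conditions.users.excludeGuestsOrExternalUsers.externalTenants.members -notmatch $CSPtenantId) {
+$policy.conditions.users.excludeGuestsOrExternalUsers.externalTenants.members += $($CSPtenantId)
+}
+}
+}
+
+}
+
+# Patch policy with updated data.
+# TemplateId,createdDateTime,modifiedDateTime can't be written back so exclude them using -ExcludeProperty
+if ($PSCmdlet.ShouldProcess($PolicyId, "Update policy with service provider exception")) {
+$patch = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($policy.id)" -tenantid $TenantFilter -type PATCH -body ($policy | Select-Object * -ExcludeProperty TemplateId,createdDateTime,modifiedDateTime | ConvertTo-Json -Depth 20) -AsApp $true
+return "Successfully added service provider to policy $PolicyId"
+}
+
+}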
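Review bot: The membership test on line 67, `...externalTenants.members -notmatch $CSPtenantId`, does not check whether the CSP tenant is already in the list: applied to an array, `-notmatch` returns the elements that do not match, so it is truthy whenever any other tenant is enumerated and the CSP tenant id is appended a second time (it is also treated as a regex there, while line 27 already does the exact comparison with `-contains`); use `-notcontains $CSPtenantId` instead. A policy that fails the scope check on line 14 is left untouched but still PATCHed back on line 78 and reported as `Successfully added service provider to policy`, which is a needless write to a Conditional Access policy and a misleading audit trail; return early from an `else` branch of that `if`, e.g. `return "Policy $PolicyId does not target all users or all external users. No changes made."`. `$CSPtenantId` comes from `$env:TenantID` on line 8 with no check, so an unset variable would write an empty member into the exclusion built on line 46; guard it before the Graph calls with `if ([string]::IsNullOrWhiteSpace($CSPtenantId)) { throw 'TenantID environment variable is not set' }`. `$patch` on line 78 is assigned but never read.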
