
Commit e636d7f

committed
add conflict detection
1 parent 9d58b49 commit e636d7f


1 file changed

+46
-41
lines changed

1 file changed

+46
-41
lines changed

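--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1
@@ -35,62 +35,61 @@ function Invoke-CIPPStandardOauthConsentLowSec {
 $requiredPermissions = @('offline_access', 'openid', 'User.Read', 'profile', 'email')
 $missingPermissions = $requiredPermissions | Where-Object { $PermissionState.permissionName -notcontains $_ }
 
+$Standards = Get-CIPPStandards -Tenant $tenant
+$ConflictingStandard = $Standards | Where-Object -Property Standard -EQ 'OauthConsent'
+
 if ($Settings.remediate -eq $true) {
-if (!$State.permissionGrantPolicyIdsAssignedToDefaultUserRole -contains 'ManagePermissionGrantsForSelf.cipp-consent-policy') {
-if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -in @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
-Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is already enabled.' -sev Info
-} else {
-try {
+if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -in @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is already enabled.' -sev Info
+} elseif ($ConflictingStandard -and $State.permissionGrantPolicyIdsAssignedToDefaultUserRole -contains 'ManagePermissionGrantsForSelf.cipp-consent-policy') {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'There is a conflicting OAuth Consent policy standard enabled for this tenant. Remove the Require admin consent for applications (Prevent OAuth phishing) standard from this tenant to apply the low security standard.' -sev Error
+} else {
+try {
+$GraphParam = @{
+tenantid = $tenant
+Uri = 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy'
+Type = 'PATCH'
+Body = @{
+permissionGrantPolicyIdsAssignedToDefaultUserRole = @('managePermissionGrantsForSelf.microsoft-user-default-low')
+} | ConvertTo-Json
+ContentType = 'application/json'
+}
+$null = New-GraphPostRequest @GraphParam
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) has been enabled.' -sev Info
+} catch {
+$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $ErrorMessage" -sev Error
+}
+}
+
+if ($missingPermissions.Count -eq 0) {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'All permissions for Application Consent already assigned.' -sev Info
+} else {
+try {
+$missingPermissions | ForEach-Object {
 $GraphParam = @{
 tenantid = $tenant
-Uri = 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy'
-Type = 'PATCH'
+Uri = "https://graph.microsoft.com/beta/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/delegatedPermissionClassifications"
+Type = 'POST'
 Body = @{
-permissionGrantPolicyIdsAssignedToDefaultUserRole = @('managePermissionGrantsForSelf.microsoft-user-default-low')
+permissionName = $_
+classification = 'low'
 } | ConvertTo-Json
 ContentType = 'application/json'
 }
 $null = New-GraphPostRequest @GraphParam
-Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) has been enabled.' -sev Info
-} catch {
-$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $ErrorMessage" -sev Error
-}
-}
-
-if ($missingPermissions.Count -eq 0) {
-Write-LogMessage -API 'Standards' -tenant $tenant -message 'All permissions for Application Consent already assigned.' -sev Info
-} else {
-try {
-$missingPermissions | ForEach-Object {
-$GraphParam = @{
-tenantid = $tenant
-Uri = "https://graph.microsoft.com/beta/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/delegatedPermissionClassifications"
-Type = 'POST'
-Body = @{
-permissionName = $_
-classification = 'low'
-} | ConvertTo-Json
-ContentType = 'application/json'
-}
-$null = New-GraphPostRequest @GraphParam
-Write-LogMessage -API 'Standards' -tenant $tenant -message "Permission $_ has been added to low Application Consent" -sev Info
-}
-} catch {
-$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply low consent permissions Error: $ErrorMessage" -sev Error
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Permission $_ has been added to low Application Consent" -sev Info
 }
+} catch {
+$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply low consent permissions Error: $ErrorMessage" -sev Error
 }
 }
 }
 
 if ($Settings.alert -eq $true) {
 if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
-if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.cipp-consent-policy') {
-Write-StandardsAlert -message 'There is a conflicting OAuth Consent policy standard enabled for this tenant.' -object $State -tenant $tenant -standardName 'OauthConsentLowSec' -standardId $Settings.standardId
-} else {
-Write-StandardsAlert -message 'Application Consent Mode(microsoft-user-default-low) is not enabled' -object $State -tenant $tenant -standardName 'OauthConsentLowSec' -standardId $Settings.standardId
-}
+Write-StandardsAlert -message 'Application Consent Mode(microsoft-user-default-low) is not enabled' -object $State -tenant $tenant -standardName 'OauthConsentLowSec' -standardId $Settings.standardId
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is not enabled.' -sev Info
 } else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is enabled.' -sev Info
@@ -104,6 +103,12 @@ function Invoke-CIPPStandardOauthConsentLowSec {
 authorizationPolicy = $State.permissionGrantPolicyIdsAssignedToDefaultUserRole
 permissionClassifications = $PermissionState
 }
+if ($ConflictingStandard) {
+$ValueField.conflictingStandard = @{
+name = $ConflictingStandard.Standard
+templateid = $ConflictingStandard.TemplateId
+}
+}
 } else {
 $State.permissionGrantPolicyIdsAssignedToDefaultUserRole = $true
 $ValueField = $true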
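Review bot: In the remediate branch the conflict case (new lines 44–45) only logs an Error and then falls through to the `$missingPermissions` loop at new line 65, which still POSTs `classification = 'low'` for every missing permission while the stricter consent policy from the conflicting standard is in place. If the intent of the conflict check is to leave the tenant untouched, that loop needs the same gate, e.g. compute `$HasConflict = $ConflictingStandard -and $State.permissionGrantPolicyIdsAssignedToDefaultUserRole -contains 'ManagePermissionGrantsForSelf.cipp-consent-policy'` once before `if ($Settings.remediate -eq $true) {` and wrap the permissions block in `if (-not $HasConflict) { ... }`; it would also let the elseif reuse the variable. The alert branch (new line 92) no longer raises a distinct conflict alert, so the conflict is now surfaced only through `$ValueField.conflictingStandard` in the second hunk, which appears intentional but is worth a one-line comment there. Invoke-CIPPStandardOauthConsentLowSec begins before the first hunk and ends after the second.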
