Merge pull request #106 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/AuditLogs/New-CIPPAuditLogSearchResultsCache.ps1

@@ -74,7 +74,7 @@ function New-CIPPAuditLogSearchResultsCache {
                 $FailedDownloadsTable = Get-CippTable -TableName 'FailedAuditLogDownloads'
                 $failedEntities = Get-CIPPAzDataTableEntity @FailedDownloadsTable -Filter "PartitionKey eq '$TenantFilter' and SearchId eq '$SearchId'"
                 if ($failedEntities) {
-                    Remove-AzDataTableEntity @FailedDownloadsTable -Entity $entity
+                    Remove-AzDataTableEntity @FailedDownloadsTable -Entity $failedEntities
                     Write-Information "Removed failed download records for search ID: $SearchId, tenant: $TenantFilter"
                 }
             } catch {

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1

@@ -31,26 +31,66 @@ function Invoke-CIPPStandardOauthConsentLowSec {
     ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'OauthConsentLowSec'
 
     $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant)
+    $PermissionState = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/delegatedPermissionClassifications" -tenantid $tenant) | Select-Object -Property permissionName
+
+    $requiredPermissions = @('offline_access', 'openid', 'User.Read', 'profile', 'email')
+    $missingPermissions = $requiredPermissions | Where-Object { $PermissionState.permissionName -notcontains $_ }
+
     If ($Settings.remediate -eq $true) {
-        try {
-            if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
-                Write-Host 'Going to set'
-                New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.microsoft-user-default-low"]}' -ContentType 'application/json'
+        if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -in @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is already enabled.' -sev Info
+        } else {
+            try {
+                $GraphParam = @{
+                    tenantid = $tenant
+                    Uri = 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy'
+                    Type = 'PATCH'
+                    Body = @{
+                        permissionGrantPolicyIdsAssignedToDefaultUserRole = @('managePermissionGrantsForSelf.microsoft-user-default-low')
+                    } | ConvertTo-Json
+                    ContentType = 'application/json'
+                }
+                $null = New-GraphPostRequest @GraphParam
+                Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) has been enabled.' -sev Info
+            } catch {
+                $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $ErrorMessage" -sev Error
+            }
+        }
+
+        if ($missingPermissions.Count -eq 0) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'All permissions for Application Consent already assigned.' -sev Info
+        } else {
+            try {
+                $missingPermissions | ForEach-Object {
+                    $GraphParam = @{
+                        tenantid = $tenant
+                        Uri = "https://graph.microsoft.com/beta/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/delegatedPermissionClassifications"
+                        Type = 'POST'
+                        Body = @{
+                            permissionName = $_
+                            classification = 'low'
+                        } | ConvertTo-Json
+                        ContentType = 'application/json'
+                    }
+                    $null = New-GraphPostRequest @GraphParam
+                    Write-LogMessage -API 'Standards' -tenant $tenant -message "Permission $_ has been added to low Application Consent" -sev Info
+                }
+            } catch {
+                $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply low consent permissions Error: $ErrorMessage" -sev Error
             }
-            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) has been enabled.' -sev Info
-        } catch {
-            $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-            Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $ErrorMessage" -sev Error
         }
     }
-    if ($Settings.alert -eq $true) {
 
+    if ($Settings.alert -eq $true) {
         if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is not enabled.' -sev Alert
         } else {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is enabled.' -sev Info
         }
     }
+
     if ($Settings.report -eq $true) {
         if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
             $State.permissionGrantPolicyIdsAssignedToDefaultUserRole = $false

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1

@@ -106,8 +106,11 @@ function Invoke-CIPPStandardUserSubmissions {
                     $PolicyParams = @{
                         EnableReportToMicrosoft          = $true
                         ReportJunkToCustomizedAddress    = $false
+                        ReportJunkAddresses              = $null
                         ReportNotJunkToCustomizedAddress = $false
+                        ReportNotJunkAddresses           = $null
                         ReportPhishToCustomizedAddress   = $false
+                        ReportPhishAddresses             = $null
                     }
                 } else {
                     $PolicyParams = @{

Modules/CippEntrypoints/CippEntrypoints.psm1

@@ -63,15 +63,15 @@ function Receive-CippHttpTrigger {
 
 function Receive-CippOrchestrationTrigger {
     param($Context)
-
+    
     try {
         if (Test-Json -Json $Context.Input) {
             $OrchestratorInput = $Context.Input | ConvertFrom-Json
         } else {
             $OrchestratorInput = $Context.Input
         }
         Write-Information "Orchestrator started $($OrchestratorInput.OrchestratorName)"
-
+        Write-Warning "Receive-CippOrchestrationTrigger - $($OrchestratorInput.OrchestratorName)"
         $DurableRetryOptions = @{
             FirstRetryInterval  = (New-TimeSpan -Seconds 5)
             MaxNumberOfAttempts = if ($OrchestratorInput.MaxAttempts) { $OrchestratorInput.MaxAttempts } else { 1 }

host.json

@@ -13,5 +13,19 @@
       "maxConcurrentActivityFunctions": 1,
       "maxConcurrentOrchestratorFunctions": 1
     }
+  },
+  "logging": {
+    "logLevel": {
+      "default": "Trace",
+      "Host.Results": "Trace",
+      "Host.Aggregator": "Trace",
+      "Function": "Trace",
+      "Host.Executor": "Trace"
+    },
+    "applicationInsights": {
+      "samplingSettings": {
+        "isEnabled": false
+      }
+    }
   }
 }