
Commit f37bc3a

committed
Feat: AllTenants support for listing CA policies
1 parent 9c02627 commit f37bc3a


2 files changed

+300
-80
lines changed

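--- /dev/null
+++ b/<FILE-PATH-NOT-ON-PAGE>
@@ -0,0 +1,165 @@
+function Push-ListConditionalAccessPoliciesAllTenants {
+<#
+.FUNCTIONALITY
+Entrypoint
+#>
+param($Item)
+
+#Region Helper functions
+function Get-LocationNameFromId {
+param ($ID, $Locations)
+if ($id -eq 'All') { return 'All' }
+$DisplayName = $Locations | Where-Object { $_.id -eq $ID } | Select-Object -ExpandProperty DisplayName
+if ([string]::IsNullOrEmpty($displayName)) { return $ID } else { return $DisplayName }
+}
+
+function Get-RoleNameFromId {
+param ($ID, $RoleDefinitions)
+if ($id -eq 'All') { return 'All' }
+$DisplayName = $RoleDefinitions | Where-Object { $_.id -eq $ID } | Select-Object -ExpandProperty DisplayName
+if ([string]::IsNullOrEmpty($displayName)) { return $ID } else { return $DisplayName }
+}
+
+function Get-UserNameFromId {
+param ($ID, $Users)
+if ($id -eq 'All') { return 'All' }
+$DisplayName = $Users | Where-Object { $_.id -eq $ID } | Select-Object -ExpandProperty DisplayName
+if ([string]::IsNullOrEmpty($displayName)) { return $ID } else { return $DisplayName }
+}
+
+function Get-GroupNameFromId {
+param ($ID, $Groups)
+if ($id -eq 'All') { return 'All' }
+$DisplayName = $Groups | Where-Object { $_.id -eq $ID } | Select-Object -ExpandProperty DisplayName
+if ([string]::IsNullOrEmpty($displayName)) { return 'No Data' } else { return $DisplayName }
+}
+
+function Get-ApplicationNameFromId {
+param ($ID, $Applications, $ServicePrincipals)
+if ($id -eq 'All') { return 'All' }
+$return = $ServicePrincipals | Where-Object { $_.appId -eq $ID } | Select-Object -ExpandProperty DisplayName
+if ([string]::IsNullOrEmpty($return)) {
+$return = $Applications | Where-Object { $_.Appid -eq $ID } | Select-Object -ExpandProperty DisplayName
+}
+if ([string]::IsNullOrEmpty($return)) {
+$return = $Applications | Where-Object { $_.ID -eq $ID } | Select-Object -ExpandProperty DisplayName
+}
+if ([string]::IsNullOrEmpty($return)) { $return = '' }
+return $return
+}
+#EndRegion Helper functions
+
+$Tenant = Get-Tenants -TenantFilter $Item.customerId
+$domainName = $Tenant.defaultDomainName
+$Table = Get-CIPPTable -TableName 'cacheCAPolicies'
+
+try {
+$Requests = @(
+@{
+id = 'policies'
+url = 'identity/conditionalAccess/policies'
+method = 'GET'
+}
+@{
+id = 'namedLocations'
+url = 'identity/conditionalAccess/namedLocations'
+method = 'GET'
+}
+@{
+id = 'applications'
+url = 'applications?$top=999&$select=appId,displayName'
+method = 'GET'
+}
+@{
+id = 'roleDefinitions'
+url = 'roleManagement/directory/roleDefinitions?$select=id,displayName'
+method = 'GET'
+}
+@{
+id = 'groups'
+url = 'groups?$top=999&$select=id,displayName'
+method = 'GET'
+}
+@{
+id = 'users'
+url = 'users?$top=999&$select=id,displayName,userPrincipalName'
+method = 'GET'
+}
+@{
+id = 'servicePrincipals'
+url = 'servicePrincipals?$top=999&$select=appId,displayName'
+method = 'GET'
+}
+)
+
+$BulkResults = New-GraphBulkRequest -Requests $Requests -tenantid $domainName -asapp $true
+
+$ConditionalAccessPolicyOutput = ($BulkResults | Where-Object { $_.id -eq 'policies' }).body.value
+$AllNamedLocations = ($BulkResults | Where-Object { $_.id -eq 'namedLocations' }).body.value
+$AllApplications = ($BulkResults | Where-Object { $_.id -eq 'applications' } ).body.value
+$AllRoleDefinitions = ($BulkResults | Where-Object { $_.id -eq 'roleDefinitions' }).body.value
+$GroupListOutput = ($BulkResults | Where-Object { $_.id -eq 'groups' }).body.value
+$UserListOutput = ($BulkResults | Where-Object { $_.id -eq 'users' }).body.value
+$AllServicePrincipals = ($BulkResults | Where-Object { $_.id -eq 'servicePrincipals' }).body.value
+
+foreach ($cap in $ConditionalAccessPolicyOutput) {
+$GUID = (New-Guid).Guid
+$PolicyData = @{
+id = $cap.id
+displayName = $cap.displayName
+customer = $cap.Customer
+Tenant = $domainName
+createdDateTime = $(if (![string]::IsNullOrEmpty($cap.createdDateTime)) { [datetime]$cap.createdDateTime } else { '' })
+modifiedDateTime = $(if (![string]::IsNullOrEmpty($cap.modifiedDateTime)) { [datetime]$cap.modifiedDateTime } else { '' })
+state = $cap.state
+clientAppTypes = ($cap.conditions.clientAppTypes) -join ','
+includePlatforms = ($cap.conditions.platforms.includePlatforms) -join ','
+excludePlatforms = ($cap.conditions.platforms.excludePlatforms) -join ','
+includeLocations = (Get-LocationNameFromId -Locations $AllNamedLocations -id $cap.conditions.locations.includeLocations) -join ','
+excludeLocations = (Get-LocationNameFromId -Locations $AllNamedLocations -id $cap.conditions.locations.excludeLocations) -join ','
+includeApplications = ($cap.conditions.applications.includeApplications | ForEach-Object { Get-ApplicationNameFromId -Applications $AllApplications -ServicePrincipals $AllServicePrincipals -id $_ }) -join ','
+excludeApplications = ($cap.conditions.applications.excludeApplications | ForEach-Object { Get-ApplicationNameFromId -Applications $AllApplications -ServicePrincipals $AllServicePrincipals -id $_ }) -join ','
+includeUserActions = ($cap.conditions.applications.includeUserActions | Out-String)
+includeAuthenticationContextClassReferences = ($cap.conditions.applications.includeAuthenticationContextClassReferences | Out-String)
+includeUsers = ($cap.conditions.users.includeUsers | ForEach-Object { Get-UserNameFromId -Users $UserListOutput -id $_ }) | Out-String
+excludeUsers = ($cap.conditions.users.excludeUsers | ForEach-Object { Get-UserNameFromId -Users $UserListOutput -id $_ }) | Out-String
+includeGroups = ($cap.conditions.users.includeGroups | ForEach-Object { Get-GroupNameFromId -Groups $GroupListOutput -id $_ }) | Out-String
+excludeGroups = ($cap.conditions.users.excludeGroups | ForEach-Object { Get-GroupNameFromId -Groups $GroupListOutput -id $_ }) | Out-String
+includeRoles = ($cap.conditions.users.includeRoles | ForEach-Object { Get-RoleNameFromId -RoleDefinitions $AllRoleDefinitions -id $_ }) | Out-String
+excludeRoles = ($cap.conditions.users.excludeRoles | ForEach-Object { Get-RoleNameFromId -RoleDefinitions $AllRoleDefinitions -id $_ }) | Out-String
+grantControlsOperator = ($cap.grantControls.operator) -join ','
+builtInControls = ($cap.grantControls.builtInControls) -join ','
+customAuthenticationFactors = ($cap.grantControls.customAuthenticationFactors) -join ','
+termsOfUse = ($cap.grantControls.termsOfUse) -join ','
+rawjson = ($cap | ConvertTo-Json -Depth 100)
+}
+
+$Entity = @{
+Policy = [string]($PolicyData | ConvertTo-Json -Depth 10 -Compress)
+RowKey = [string]$GUID
+PartitionKey = 'CAPolicy'
+Tenant = [string]$domainName
+}
+Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force | Out-Null
+}
+
+} catch {
+$GUID = (New-Guid).Guid
+$ErrorPolicy = ConvertTo-Json -InputObject @{
+Tenant = $domainName
+displayName = "Could not connect to Tenant: $($_.Exception.Message)"
+state = 'Error'
+createdDateTime = (Get-Date).ToString('s')
+modifiedDateTime = (Get-Date).ToString('s')
+id = 'Error'
+clientAppTypes = 'CIPP'
+} -Compress
+$Entity = @{
+Policy = [string]$ErrorPolicy
+RowKey = [string]$GUID
+PartitionKey = 'CAPolicy'
+Tenant = [string]$domainName
+}
+Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force | Out-Null
+}
+}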
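Review bot: includeLocations and excludeLocations at new-file lines 118–119 hand the whole location array to Get-LocationNameFromId as one -id, while every other scope lookup at lines 120–129 maps per element with ForEach-Object; with more than one location the helper's `$_.id -eq $ID` appears to compare a scalar against an array, so the cached policy row falls back to raw location IDs instead of names. Rewriting the two lines in the same shape as their neighbours, `includeLocations = ($cap.conditions.locations.includeLocations | ForEach-Object { Get-LocationNameFromId -Locations $AllNamedLocations -id $_ }) -join ','` and the matching `excludeLocations = ($cap.conditions.locations.excludeLocations | ForEach-Object { Get-LocationNameFromId -Locations $AllNamedLocations -id $_ }) -join ','`, keeps the stored policy scope readable for review. Separately, the applications, groups, users and servicePrincipals requests at lines 70–90 use `$top=999` with no @odata.nextLink handling, so in a tenant above that size the scope columns silently degrade to IDs (or 'No Data' for groups) rather than failing visibly; a comment such as `# TODO: page through @odata.nextLink; above 999 objects the name lookups fall back to raw IDs` would at least record the limit. The helpers also disagree on the miss value ('No Data' for groups, the raw ID elsewhere), which makes a deleted group indistinguishable from one outside the fetched page in the stored report.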
