Merge pull request #69 from KelvinTegelaar/master

[pull] master from KelvinTegelaar:master

Author: pull[bot]

.DS_Store

@@ -15,3 +15,7 @@ yarn.lock
 
 # Cursor IDE
 .cursor/rules
+
+# Ignore all root PowerShell files except profile.ps1
+/*.ps1
+!/profile.ps1

.gitignore

@@ -5,15 +5,15 @@
   },
   {
     "GUID": "f30db892-07e9-47e9-837c-80727f46fd3d",
-    "Product_Display_Name": "MICROSOFT FLOW FREE"
+    "Product_Display_Name": "Microsoft Power Automate Free"
   },
   {
     "GUID": "16ddbbfc-09ea-4de2-b1d7-312db6112d70",
-    "Product_Display_Name": "MICROSOFT TEAMS (FREE)"
+    "Product_Display_Name": "Microsoft Teams (Free)"
   },
   {
     "GUID": "a403ebcc-fae0-4ca2-8c8c-7a907fd6c235",
-    "Product_Display_Name": "Power BI (free)"
+    "Product_Display_Name": "Microsoft Fabric (Free)"
   },
   {
     "GUID": "61e6bd70-fbdb-4deb-82ea-912842f39431",
@@ -25,7 +25,7 @@
   },
   {
     "GUID": "338148b6-1b11-4102-afb9-f92b6cdc0f8d",
-    "Product_Display_Name": "DYNAMICS 365 P1 TRIAL FOR INFORMATION WORKERS"
+    "Product_Display_Name": "Dynamics 365 P1 Tria for Information Workers"
   },
   {
     "GUID": "fcecd1f9-a91e-488d-a918-a96cdb6ce2b0",
@@ -41,19 +41,19 @@
   },
   {
     "GUID": "606b54a9-78d8-4298-ad8b-df6ef4481c80",
-    "Product_Display_Name": "Power Virtual Agents Viral Trial"
+    "Product_Display_Name": "Microsoft Copilot Studio Viral Trial"
   },
   {
     "GUID": "1f2f344a-700d-42c9-9427-5cea1d5d7ba6",
-    "Product_Display_Name": "MICROSOFT STREAM"
+    "Product_Display_Name": "Microsoft Stream"
   },
   {
     "GUID": "6470687e-a428-4b7a-bef2-8a291ad947c9",
-    "Product_Display_Name": "WINDOWS STORE FOR BUSINESS"
+    "Product_Display_Name": "Windows Store for Business"
   },
   {
     "GUID": "710779e8-3d4a-4c88-adb9-386c958d1fdf",
-    "Product_Display_Name": "MICROSOFT TEAMS EXPLORATORY"
+    "Product_Display_Name": "Microsoft Teams Exploratory"
   },
   {
     "GUID": "8c4ce438-32a7-4ac5-91a6-e22ae08d9c8b",
@@ -94,5 +94,9 @@
   {
     "GUID": "99049c9c-6011-4908-bf17-15f496e6519d",
     "Product_Display_Name": "Office 365 Extra File Storage"
+  },
+  {
+    "GUID": "47794cd0-f0e5-45c5-9033-2eb6b5fc84e0",
+    "Product_Display_Name": "Communications Credits"
   }
 ]

CIPP-Permissions.json

@@ -7,12 +7,9 @@ function Add-CIPPApplicationPermission {
         $TenantFilter
     )
     if ($ApplicationId -eq $env:ApplicationID -and $TenantFilter -eq $env:TenantID) {
-        #return @('Cannot modify application permissions for CIPP-SAM on partner tenant')
         $RequiredResourceAccess = 'CIPPDefaults'
     }
-    Set-Location (Get-Item $PSScriptRoot).FullName
     if ($RequiredResourceAccess -eq 'CIPPDefaults') {
-        #$RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess
 
         $Permissions = Get-CippSamPermissions -NoDiff
         $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
@@ -59,33 +56,72 @@ function Add-CIPPApplicationPermission {
         }
     }
 
+    Write-Information "Adding application permissions to application $ApplicationId in tenant $TenantFilter"
 
-    $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
+    $ServicePrincipalList = [System.Collections.Generic.List[object]]::new()
+    $SPList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
+    foreach ($SP in $SPList) { $ServicePrincipalList.Add($SP) }
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
     if (!$ourSVCPrincipal) {
         #Our Service Principal isn't available yet. We do a sleep and reexecute after 3 seconds.
         Start-Sleep -Seconds 5
-        $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
+        $ServicePrincipalList.Clear()
+        $SPList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
+        foreach ($SP in $SPList) { $ServicePrincipalList.Add($SP) }
         $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
     }
 
     $Results = [System.Collections.Generic.List[string]]::new()
 
     $CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true
 
-    $Grants = foreach ($App in $RequiredResourceAccess) {
+    # Collect missing service principals and prepare bulk request
+    $MissingServicePrincipals = [System.Collections.Generic.List[object]]::new()
+    $AppIdToRequestId = @{}
+    $requestId = 1
+
+    foreach ($App in $RequiredResourceAccess) {
         $svcPrincipalId = $ServicePrincipalList | Where-Object -Property AppId -EQ $App.resourceAppId
         if (!$svcPrincipalId) {
-            try {
-                $Body = @{
-                    appId = $App.resourceAppId
-                } | ConvertTo-Json -Compress
-                $svcPrincipalId = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals' -tenantid $TenantFilter -body $Body -type POST
-            } catch {
-                $Results.add("Failed to create service principal for $($App.resourceAppId): $(Get-NormalizedError -message $_.Exception.Message)")
-                continue
+            $Body = @{
+                appId = $App.resourceAppId
+            }
+            $MissingServicePrincipals.Add(@{
+                    id      = $requestId.ToString()
+                    method  = 'POST'
+                    url     = '/servicePrincipals'
+                    headers = @{
+                        'Content-Type' = 'application/json'
+                    }
+                    body    = $Body
+                })
+            $AppIdToRequestId[$App.resourceAppId] = $requestId.ToString()
+            $requestId++
+        }
+    }
+
+    # Create missing service principals in bulk
+    if ($MissingServicePrincipals.Count -gt 0) {
+        try {
+            $BulkResults = New-GraphBulkRequest -Requests $MissingServicePrincipals -tenantid $TenantFilter -NoAuthCheck $true
+            foreach ($Result in $BulkResults) {
+                if ($Result.status -eq 201) {
+                    $ServicePrincipalList.Add($Result.body)
+                } else {
+                    $AppId = ($MissingServicePrincipals | Where-Object { $_.id -eq $Result.id }).body.appId
+                    $Results.add("Failed to create service principal for $($AppId): $($Result.body.error.message)")
+                }
             }
+        } catch {
+            $Results.add("Failed to create service principals in bulk: $(Get-NormalizedError -message $_.Exception.Message)")
         }
+    }
+
+    # Build grants list
+    $Grants = foreach ($App in $RequiredResourceAccess) {
+        $svcPrincipalId = $ServicePrincipalList | Where-Object -Property AppId -EQ $App.resourceAppId
+        if (!$svcPrincipalId) { continue }
+
         foreach ($SingleResource in $App.ResourceAccess | Where-Object -Property Type -EQ 'Role') {
             if ($SingleResource.id -in $CurrentRoles.appRoleId) { continue }
             [pscustomobject]@{
@@ -95,14 +131,37 @@ function Add-CIPPApplicationPermission {
             }
         }
     }
+
+    # Apply grants in bulk
     $counter = 0
-    foreach ($Grant in $Grants) {
+    if ($Grants.Count -gt 0) {
+        $GrantRequests = [System.Collections.Generic.List[object]]::new()
+        $requestId = 1
+        foreach ($Grant in $Grants) {
+            $GrantRequests.Add(@{
+                    id      = $requestId.ToString()
+                    method  = 'POST'
+                    url     = "/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo"
+                    headers = @{
+                        'Content-Type' = 'application/json'
+                    }
+                    body    = $Grant
+                })
+            $requestId++
+        }
+
         try {
-            $SettingsRequest = New-GraphPOSTRequest -body (ConvertTo-Json -InputObject $Grant -Depth 5) -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignedTo" -tenantid $TenantFilter -type POST -NoAuthCheck $true
-            $counter++
+            $BulkResults = New-GraphBulkRequest -Requests $GrantRequests -tenantid $TenantFilter -NoAuthCheck $true
+            foreach ($Result in $BulkResults) {
+                if ($Result.status -eq 201) {
+                    $counter++
+                } else {
+                    $GrantRequest = $GrantRequests | Where-Object { $_.id -eq $Result.id }
+                    $Results.add("Failed to grant $($GrantRequest.body.appRoleId) to $($GrantRequest.body.resourceId): $($Result.body.error.message)")
+                }
+            }
         } catch {
-            $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-            $Results.add("Failed to grant $($Grant.appRoleId) to $($Grant.resourceId): $ErrorMessage")
+            $Results.add("Failed to grant permissions in bulk: $(Get-NormalizedError -message $_.Exception.Message)")
         }
     }
     "Added $counter Application permissions to $($ourSVCPrincipal.displayName)"