updated core api for entra and m365

Author: silverhack

core/api/auth/Connect-MonkeyCloud.ps1

@@ -219,50 +219,52 @@ Function Connect-MonkeyCloud{
     Else{
         $O365Object.onlineServices.EntraID = $true
     }
-    #Get actual userId
-    If($O365Object.isConfidentialApp){
-        $O365Object.userId = $O365Object.me.id;
-    }
-    Else{
-        $authObject = $O365Object.auth_tokens.GetEnumerator() | Where-Object {$null -ne $_.Value} | Select-Object -ExpandProperty Value -First 1
-        If($null -ne $authObject){
-            $O365Object.userId = $authObject | Get-UserIdFromToken
+    If($O365Object.onlineServices.EntraID){
+        #Get actual userId
+        If($O365Object.isConfidentialApp){
+            $O365Object.userId = $O365Object.me.id;
         }
-    }
-    #Get Azure AD permissions
-    If($O365Object.isConfidentialApp){
-        $app_Permissions = Get-MonkeyMSGraphObjectDirectoryRole -ObjectId $O365Object.me.id -ObjectType servicePrincipal
-        If($app_Permissions){
-            $O365Object.aadPermissions = $app_Permissions
+        Else{
+            $authObject = $O365Object.auth_tokens.GetEnumerator() | Where-Object {$null -ne $_.Value} | Select-Object -ExpandProperty Value -First 1
+            If($null -ne $authObject){
+                $O365Object.userId = $authObject | Get-UserIdFromToken
+            }
         }
-    }
-    Else{
-        $user_permissions = Get-MonkeyMSGraphObjectDirectoryRole -ObjectId $O365Object.userId -ObjectType user
-        If($user_permissions){
-            $O365Object.aadPermissions = $user_permissions
+        #Get Azure AD permissions
+        If($O365Object.isConfidentialApp){
+            $app_Permissions = Get-MonkeyMSGraphObjectDirectoryRole -ObjectId $O365Object.me.id -ObjectType servicePrincipal
+            If($app_Permissions){
+                $O365Object.aadPermissions = $app_Permissions
+            }
+        }
+        Else{
+            $user_permissions = Get-MonkeyMSGraphObjectDirectoryRole -ObjectId $O365Object.userId -ObjectType user
+            If($user_permissions){
+                $O365Object.aadPermissions = $user_permissions
+            }
+        }
+        #Check If user can request MFA for users
+        #Check Global Admin permissions
+        $ga = Test-MonkeyAADIAM -RoleTemplateId 62e90394-69f5-4237-9190-012177145e10
+        #Check Authentication administrator permissions
+        $aa = Test-MonkeyAADIAM -RoleTemplateId c4e39bd9-1100-46d3-8c65-fb160da0071f
+        #Check Privileged Authentication administrator permissions
+        $paa = Test-MonkeyAADIAM -RoleTemplateId 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
+        If($ga){
+            $O365Object.canRequestMFAForUsers = $true
+        }
+        ElseIf($aa){
+            $O365Object.canRequestMFAForUsers = $true
+        }
+        ElseIf($paa){
+            $O365Object.canRequestMFAForUsers = $true
+        }
+        ElseIf($O365Object.isConfidentialApp){
+            $O365Object.canRequestMFAForUsers = $true
+        }
+        Else{
+            $O365Object.canRequestMFAForUsers = $false
         }
-    }
-    #Check If user can request MFA for users
-    #Check Global Admin permissions
-    $ga = Test-MonkeyAADIAM -RoleTemplateId 62e90394-69f5-4237-9190-012177145e10
-    #Check Authentication administrator permissions
-    $aa = Test-MonkeyAADIAM -RoleTemplateId c4e39bd9-1100-46d3-8c65-fb160da0071f
-    #Check Privileged Authentication administrator permissions
-    $paa = Test-MonkeyAADIAM -RoleTemplateId 7be44c8a-adaf-4e2a-84d6-ab2649e08a13
-    If($ga){
-        $O365Object.canRequestMFAForUsers = $true
-    }
-    ElseIf($aa){
-        $O365Object.canRequestMFAForUsers = $true
-    }
-    ElseIf($paa){
-        $O365Object.canRequestMFAForUsers = $true
-    }
-    ElseIf($O365Object.isConfidentialApp){
-        $O365Object.canRequestMFAForUsers = $true
-    }
-    Else{
-        $O365Object.canRequestMFAForUsers = $false
     }
     #Check If requestMFA for users must be enabled by config
     try{

core/api/auth/azure/Connect-MonkeyAzure.ps1

@@ -56,7 +56,7 @@ Function Connect-MonkeyAzure{
         }
     }
     Process{
-        if($null -ne $O365Object.auth_tokens.ResourceManager){
+        If($null -ne $O365Object.auth_tokens.ResourceManager){
             $O365Object.subscriptions = Select-MonkeyAzureSubscription
         }
     }

core/api/auth/microsoft365/Connect-MonkeyM365.ps1

@@ -216,18 +216,16 @@ Function Connect-MonkeyM365{
                 }
                 Write-Information @msg
                 $O365Object.auth_tokens.SharePointAdminOnline = Connect-MonkeySPO @p -Admin
-                #Connect to root site If ScanSites param is present or If ScanAllSites is true
-                If(($O365Object.initParams.ContainsKey('ScanSites') -and @($O365Object.initParams.ScanSites).Count -gt 0) -or $scanSites){
-                    $msg = @{
-                        MessageData = ($message.TokenRequestInfoMessage -f "SharePoint Online")
-                        callStack = (Get-PSCallStack | Select-Object -First 1);
-                        logLevel = 'info';
-                        InformationAction = $O365Object.InformationAction;
-                        Tags = @('TokenRequestInfoMessage');
-                    }
-                    Write-Information @msg
-                    $O365Object.auth_tokens.SharePointOnline = Connect-MonkeySPO @p -RootSite
+                #Always try to connect to root site
+                $msg = @{
+                    MessageData = ($message.TokenRequestInfoMessage -f "SharePoint Online")
+                    callStack = (Get-PSCallStack | Select-Object -First 1);
+                    logLevel = 'info';
+                    InformationAction = $O365Object.InformationAction;
+                    Tags = @('TokenRequestInfoMessage');
                 }
+                Write-Information @msg
+                $O365Object.auth_tokens.SharePointOnline = Connect-MonkeySPO @p -RootSite
                 If($null -ne $O365Object.auth_tokens.SharePointAdminOnline){
                     #Check If user is SharePoint administrator
                     $p = @{
@@ -266,6 +264,15 @@ Function Connect-MonkeyM365{
                         #Get Webs for user
                         $O365Object.spoSites = Get-MonkeyCSOMSite @p
                     }
+                    Else{
+                        $p = @{
+                            InformationAction = $O365Object.InformationAction;
+                            Verbose = $O365Object.verbose;
+                            Debug = $O365Object.debug;
+                        }
+                        #Get Webs for user
+                        $O365Object.spoSites = Get-MonkeyCSOMSite @p
+                    }
                     #Check If connected to SharePoint
                     If($O365Object.isSharePointAdministrator -or $null -ne $O365Object.spoSites){
                         $O365Object.onlineServices.Item($service) = $true
@@ -413,7 +420,7 @@ Function Connect-MonkeyM365{
                 #Connect to Admin blade
                 $p = @{
                     Resource = $O365Object.Environment.OfficeAdminPortal;
-                    AzureService = "AzurePowershell";
+                    AzureService = "AzureCli";
                     InformationAction = $O365Object.InformationAction;
                     Verbose = $O365Object.verbose;
                     Debug = $O365Object.debug;

core/api/entraid/msgraph/helpers/PIM/Get-MonkeyMSGraphPIMRoleAssignment.ps1

@@ -43,6 +43,7 @@ Function Get-MonkeyMSGraphPIMRoleAssignment{
     try{
         $new_arg = @{
             APIVersion = 'beta';
+            Select = $O365Object.userProperties;
         }
         #Set Job params
         #Set Job params
@@ -131,7 +132,7 @@ Function Get-MonkeyMSGraphPIMRoleAssignment{
                 $role = @($roleTemplates).Where({$_.id -eq $policy.roleDefinitionId})
                 if($role.Count -gt 0){
                     $roleObject = $role | New-MonkeyPIMRoleObject
-                    $roleObject.policy = $policy;
+                    $roleObject.policy = ($policy | Invoke-MonkeyMSGraphPIMRoleSettingsAnalyzer);
                     [void]$allroleAssignments.Add($roleObject);
                 }
                 Start-Sleep -Milliseconds 500;
@@ -165,7 +166,7 @@ Function Get-MonkeyMSGraphPIMRoleAssignment{
                 $myRole.activeAssignment.isUsed = $true;
                 $myRole.roleInUse = $true;
                 $activeMembers = $activeRole.Group | Select-Object principalId,startDateTime,endDateTime,assignmentType,memberType -ErrorAction Ignore
-                if($null -ne $activeMembers){
+                If($null -ne $activeMembers){
                     #Set array
                     $allUsers = [System.Collections.Generic.List[System.Management.Automation.PSObject]]::new()
                     $allServicePrincipals = [System.Collections.Generic.List[System.Management.Automation.PSObject]]::new()

core/api/entraid/msgraph/helpers/PIM/Invoke-MonkeyMSGraphPIMRoleSettingsAnalyzer.ps1

@@ -0,0 +1,108 @@
+# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Function Invoke-MonkeyMSGraphPIMRoleSettingsAnalyzer {
+    <#
+        .SYNOPSIS
+		PIM Role settings analyzer
+
+        .DESCRIPTION
+		PIM Role settings analyzer
+
+        .INPUTS
+
+        .OUTPUTS
+
+        .EXAMPLE
+
+        .NOTES
+	        Author		: Juan Garrido
+            Twitter		: @tr1ana
+            File Name	: Invoke-MonkeyMSGraphPIMRoleSettingsAnalyzer
+            Version     : 1.0
+
+        .LINK
+            https://github.com/silverhack/monkey365
+    #>
+
+	[CmdletBinding()]
+	Param (
+        [Parameter(Mandatory=$True, ValueFromPipeline = $True, HelpMessage="Policy Object")]
+        [Object]$InputObject,
+
+        [parameter(Mandatory=$false, HelpMessage="API version")]
+        [ValidateSet("v1.0","beta")]
+        [String]$APIVersion = "beta"
+    )
+    Begin{
+        #Set args
+        $new_arg = @{
+            APIVersion = $APIVersion;
+        }
+        #Set job params
+        $jobParam = @{
+	        ScriptBlock = { Get-MonkeyMSGraphGroupTransitiveMember -GroupId $_ -Parents @($_)};
+            Arguments = $new_arg;
+	        Runspacepool = $O365Object.monkey_runspacePool;
+	        ReuseRunspacePool = $true;
+	        Debug = $O365Object.VerboseOptions.Debug;
+	        Verbose = $O365Object.VerboseOptions.Verbose;
+	        MaxQueue = $O365Object.nestedRunspaces.MaxQueue;
+	        BatchSleep = $O365Object.nestedRunspaces.BatchSleep;
+	        BatchSize = $O365Object.nestedRunspaces.BatchSize;
+        }
+    }
+    Process{
+        Try{
+            #Get numbers of approvals within unifiedRoleManagementPolicyApprovalRule
+            $approval_rule = @($InputObject.settings).Where({$_.'@odata.type' -like '*unifiedRoleManagementPolicyApprovalRule*'},[System.Management.Automation.WhereOperatorSelectionMode]::First)
+            If($approval_rule.Count -eq 1){
+                $number_of_approvals = 0;
+                #Get approvers
+                $approvers = $approval_rule[0].setting.approvalStages[0].primaryApprovers;
+                #Get Groups and users
+                $groups = @($approvers).Where({$_.'@odata.type' -like '*groupMembers*'}) | Select-Object -ExpandProperty Id -ErrorAction Ignore
+                $users = @($approvers).Where({$_.'@odata.type' -like '*singleUser*'}) | Select-Object -ExpandProperty Id -ErrorAction Ignore
+                If($null -ne $users){
+                    $number_of_approvals = @($users).Count;
+                }
+                If($null -ne $groups){
+                    $members = $groups | Invoke-MonkeyJob @jobParam
+                    If($null -ne $members){
+                        $number_of_approvals += @($members).Count;
+                    }
+                }
+                #Add to settings
+                $approval_rule[0].setting.approvalStages[0] | Add-Member -MemberType NoteProperty -Name primaryApproversCount -Value $number_of_approvals -Force
+            }
+        }
+        Catch{
+            $msg = @{
+			    MessageData = $_;
+			    callStack = (Get-PSCallStack | Select-Object -First 1);
+			    logLevel = 'verbose';
+			    InformationAction = $O365Object.InformationAction;
+                Verbose = $O365Object.verbose;
+                Debug = $O365Object.debug;
+			    Tags = @('EntraIDPIMRoleSettingsAnalyzerError');
+		    }
+		    Write-Verbose @msg
+        }
+        #Return object
+        return $InputObject
+    }
+    End{
+        #Nothing to do here
+    }
+}

core/api/entraid/msgraph/helpers/directoryrole/Get-MonkeyMSGraphEntraRoleAssignment.ps1

@@ -53,6 +53,7 @@ Function Get-MonkeyMSGraphEntraRoleAssignment {
         $graphAuth = $O365Object.auth_tokens.MSGraph
         $new_arg = @{
             APIVersion = $APIVersion;
+            Select = $O365Object.userProperties;
         }
         #Set Job params
         If($O365Object.isConfidentialApp){
@@ -158,7 +159,7 @@ Function Get-MonkeyMSGraphEntraRoleAssignment {
                         #Invoke job
                         $members = $allIds | Invoke-MonkeyJob @jobParam
                         If($null -ne $members -and @($members).Count -gt 0){
-                            foreach($member in @($members)){
+                            ForEach($member in @($members)){
                                 [void]$extendedUniqueUsers.Add($member);
                             }
                         }

core/api/entraid/msgraph/helpers/general/Get-MonkeyMSGraphAppAndService.ps1

@@ -0,0 +1,68 @@
+# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Function Get-MonkeyMSGraphAppAndService {
+    <#
+        .SYNOPSIS
+		Read the properties and relationships of a adminAppsAndServices object
+
+        .DESCRIPTION
+		Read the properties and relationships of a adminAppsAndServices object
+
+        .INPUTS
+
+        .OUTPUTS
+
+        .EXAMPLE
+
+        .NOTES
+	        Author		: Juan Garrido
+            Twitter		: @tr1ana
+            File Name	: Get-MonkeyMSGraphAppAndService
+            Version     : 1.0
+
+        .LINK
+            https://github.com/silverhack/monkey365
+    #>
+
+	[CmdletBinding()]
+	Param (
+        [parameter(Mandatory=$false, HelpMessage="API version")]
+        [ValidateSet("v1.0","beta")]
+        [String]$APIVersion = "v1.0"
+    )
+    Begin{
+        $Environment = $O365Object.Environment
+        #Get Graph Auth
+        $graphAuth = $O365Object.auth_tokens.MSGraph
+    }
+    Process{
+        $params = @{
+            Authentication = $graphAuth;
+            ObjectType = 'admin';
+            ObjectId = 'appsAndServices';
+            Environment = $Environment;
+            ContentType = 'application/json';
+            Method = "GET";
+            APIVersion = $APIVersion;
+            InformationAction = $O365Object.InformationAction;
+            Verbose = $O365Object.verbose;
+            Debug = $O365Object.debug;
+        }
+        Get-MonkeyMSGraphObject @params
+    }
+    End{
+        #Nothing to do here
+    }
+}