Merge branch 'KelvinTegelaar:master' into master
gosvalthar authored Jan 23, 2025
2 parents 5950ae8 + 8789480 commit 2436210
Showing 18 changed files with 730 additions and 176 deletions.
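--- a/.github/workflows/dev_cippbcaom.yml
+++ b/.github/workflows/dev_cippbcaom.yml
@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippbcaom
+
+on:
+push:
+branches:
+- dev
+workflow_dispatch:
+
+env:
+AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+deploy:
+runs-on: windows-latest
+
+steps:
+- name: 'Checkout GitHub Action'
+uses: actions/checkout@v4
+
+- name: 'Run Azure Functions Action'
+uses: Azure/functions-action@v1
+id: fa
+with:
+app-name: 'cippbcaom'
+slot-name: 'Production'
+package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_56AD4FDD49354D0CAB4D9A9E868D2015 }}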
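Review bot: Both actions are referenced by mutable tags, `uses: actions/checkout@v4` and `uses: Azure/functions-action@v1`, so a moved or compromised tag would run unreviewed code in a job that has the publish profile secret in scope; pin each to a full commit SHA (keeping the version as a trailing comment) and let Dependabot bump them. The job also declares no `permissions:` block, so the GITHUB_TOKEN gets the repository's default scopes even though checkout only needs read access; add `permissions:` with `contents: read` at the workflow or job level. Whether the `dev` branch is protected is not visible here, but every push to it deploys straight to the `Production` slot, so that is worth confirming.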
187 changes: 153 additions & 34 deletions ConversionTable.csv


2 changes: 1 addition & 1 deletion Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1
Expand Up @@ -18,7 +18,7 @@ function Get-CIPPAlertMFAAdmins {
}
}
if (!$DuoActive) {
$users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$top=999&$filter=IsAdmin eq true and userDisplayName ne ''On-Premises Directory Synchronization Service Account''' -tenantid $($TenantFilter) | Where-Object -Property 'isMfaRegistered' -EQ $false
$users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
if ($users.UserPrincipalName) {
$AlertData = "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
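Review bot: The rewritten query on line 58 moves the sync-account exclusion out of the OData filter into `Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }`, but the new `$select` projection (`userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin`) does not include `userDisplayName`, so that property is absent on every returned object, the comparison is always true and the sync service account is no longer excluded from the alert. Add `userDisplayName` to the `$select` list so the client-side filter has something to compare. The same omission is in the Get-CIPPAlertMFAAlertUsers hunk below (line 69). Minor: `filter=` lost its `$` prefix while `$top` and `$select` kept theirs; Graph generally tolerates both, but one form is easier to grep for.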
Expand Up @@ -12,7 +12,7 @@ function Get-CIPPAlertMFAAlertUsers {
)
try {

$users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$top=999&filter=isMfaRegistered eq false and userType eq ''member'' and userDisplayName ne ''On-Premises Directory Synchronization Service Account''&$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered' -tenantid $($TenantFilter)
$users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq false and isMfaRegistered eq false and userType eq 'member'&`$select=userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
if ($users.UserPrincipalName) {
$AlertData = "The following $($users.Count) users do not have MFA registered: $($users.UserPrincipalName -join ', ')"
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
187 changes: 153 additions & 34 deletions Modules/CIPPCore/Public/ConversionTable.csv


Expand Up @@ -26,7 +26,15 @@ function Push-AuditLogTenant {
}
$CIPPURL = $LegacyUrl
} else {
$CIPPURL = 'https://{0}' -f $CippConfig.Value
if (!$CippConfig) {
$CippConfig = @{
PartitionKey = 'InstanceProperties'
RowKey = 'CIPPURL'
Value = [string]([System.Uri]$Request.Headers.'x-ms-original-url').Host
}
Add-AzDataTableEntity @ConfigTable -Entity $CippConfig -Force
$CIPPURL = 'https://{0}' -f $CippConfig.Value
} else { $CIPPURL = 'https://{0}' -f $CippConfig.Value }
}

# Get webhook rules
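Review bot: The new fallback on lines 84-90 derives the instance URL from `$Request.Headers.'x-ms-original-url'` and persists it to the config table with `-Force`, but nothing checks that a host was actually obtained: if `$Request` is not populated in this function's scope (its signature is outside the hunk) or the header is absent, the `.Host` expression yields an empty string, an empty `CIPPURL` row is written, `$CIPPURL` becomes `https://`, and every later run reads the bad row back instead of recomputing it. Guard the write, e.g. `$CippHost = [string]([System.Uri]$Request.Headers.'x-ms-original-url').Host` followed by `if ([string]::IsNullOrWhiteSpace($CippHost)) { throw 'Unable to determine CIPP URL from request' }` and `Value = $CippHost`. Since a request header becomes stored configuration here, it is also worth confirming that this header is only ever set by the platform and cannot be supplied by the caller.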
Expand Up @@ -20,7 +20,7 @@ Function Invoke-AddGroupTemplate {
Displayname = $request.body.displayname
Description = $request.body.description
groupType = $request.body.groupType
MembershipRules = $request.body.membershipRule
MembershipRules = $request.body.membershipRules
allowExternal = $request.body.allowExternal
username = $request.body.username
GUID = $GUID
Expand Up @@ -10,13 +10,21 @@ Function Invoke-ExecSetSharePointMember {
[CmdletBinding()]
param($Request, $TriggerMetadata)


$APIName = $TriggerMetadata.FunctionName
$ExecutingUser = $request.headers.'x-ms-client-principal'
Write-LogMessage -user $ExecutingUser -API $APINAME -message 'Accessed this API' -Sev 'Debug'
$TenantFilter = $Request.body.tenantFilter



if ($Request.body.SharePointType -eq 'Group') {
$GroupId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups?`$filter=mail eq '$($Request.Body.GroupID)' or proxyAddresses/any(x:endsWith(x,'$($Request.Body.GroupID)'))&`$count=true" -ComplexFilter -tenantid $Request.Body.TenantFilter).id
$GroupId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups?`$filter=mail eq '$($Request.Body.GroupID)' or proxyAddresses/any(x:endsWith(x,'$($Request.Body.GroupID)'))&`$count=true" -ComplexFilter -tenantid $TenantFilter).id
if ($Request.body.Add -eq $true) {
$Results = Add-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $Request.Body.user.value -TenantFilter $Request.Body.TenantFilter -ExecutingUser $request.headers.'x-ms-client-principal'
$Results = Add-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $Request.Body.user.value -TenantFilter $TenantFilter -ExecutingUser $ExecutingUser
} else {
$UserID = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.user.value)" -tenantid $Request.Body.TenantFilter).id
$Results = Remove-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $UserID -TenantFilter $Request.Body.TenantFilter -ExecutingUser $request.headers.'x-ms-client-principal'
$UserID = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.user.value)" -tenantid $TenantFilter).id
$Results = Remove-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $UserID -TenantFilter $TenantFilter -ExecutingUser $ExecutingUser
}
} else {
$Results = 'This type of SharePoint site is not supported.'
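Review bot: `$Request.Body.GroupID` is interpolated unescaped into the OData `$filter` on line 123, in both the `mail eq '...'` and the `endsWith(x,'...')` terms, so a value containing a single quote alters the filter instead of matching a literal address; the interpolation predates this commit but the line is being rewritten anyway. Escape it once before use, `$GroupMail = $Request.Body.GroupID -replace "'", "''"`, and interpolate `$GroupMail` in both places. The consolidation onto `$TenantFilter` and `$ExecutingUser` is otherwise consistent with the other hunks.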
Expand Up @@ -11,17 +11,36 @@ Function Invoke-ExecSharePointPerms {
param($Request, $TriggerMetadata)

$APIName = $TriggerMetadata.FunctionName
$tenantFilter = $Request.Body.TenantFilter
$tenantFilter = $Request.Body.tenantFilter
$ExecutingUser = $Request.Headers.'x-ms-client-principal'

Write-LogMessage -user $ExecutingUser -API $APIName -message 'Accessed this API' -Sev Debug

# The UPN or ID of the users OneDrive we are changing permissions on
$UserId = $Request.body.UPN
# The UPN of the user we are adding or removing permissions for
$OnedriveAccessUser = $Request.body.onedriveAccessUser.value

try {
$State = Set-CIPPSharePointPerms -tenantFilter $tenantFilter -userid $request.body.UPN -OnedriveAccessUser $request.body.input -ExecutingUser $ExecutingUser -APIName $APIName -RemovePermission $request.body.RemovePermission -URL $Request.Body.URL

$State = Set-CIPPSharePointPerms -tenantFilter $tenantFilter `
-UserId $UserId `
-OnedriveAccessUser $OnedriveAccessUser `
-ExecutingUser $ExecutingUser `
-APIName $APIName `
-RemovePermission $Request.body.RemovePermission `
-URL $Request.Body.URL
$Results = [pscustomobject]@{'Results' = "$State" }
$StatusCode = [HttpStatusCode]::OK
} catch {
$Results = [pscustomobject]@{'Results' = "Failed. $($_.Exception.Message)" }
$ErrorMessage = Get-CippException -Exception $_
$Results = [pscustomobject]@{'Results' = "Failed. $($ErrorMessage.NormalizedError)" }
$StatusCode = [HttpStatusCode]::BadRequest
}

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
StatusCode = $StatusCode
Body = $Results
})

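Review bot: `$UserId` (line 148) and `$OnedriveAccessUser` (line 150) are read from the request body with no presence check, and `Set-CIPPSharePointPerms` interpolates the former into the Graph path `users/$($UserId)/Drives`, so an empty value produces a malformed request rather than a clear error. Add a guard before the call, e.g. `if ([string]::IsNullOrWhiteSpace($UserId) -or [string]::IsNullOrWhiteSpace($OnedriveAccessUser)) { throw 'UPN and onedriveAccessUser are required' }`, which the new catch already turns into a `BadRequest`. Note that the catch only fires for exceptions that escape `Set-CIPPSharePointPerms`; that function returns a string from its own catch path, so those failures still come back with `OK`.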
Expand Up @@ -11,26 +11,30 @@ Function Invoke-ExecTeamsVoicePhoneNumberAssignment {
param($Request, $TriggerMetadata)

$APIName = $TriggerMetadata.FunctionName
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
$ExecutingUser = $Request.headers.'x-ms-client-principal'
Write-LogMessage -user $ExecutingUser -API $APINAME -message 'Accessed this API' -Sev 'Debug'
$Identity = $Request.Body.input.value

$tenantFilter = $Request.Body.TenantFilter
try {
if ($Request.Body.locationOnly) {
$null = New-TeamsRequest -TenantFilter $TenantFilter -Cmdlet 'Set-CsPhoneNumberAssignment' -CmdParams @{LocationId = $Request.Body.input; PhoneNumber = $Request.Body.PhoneNumber; ErrorAction = 'stop'}
$Results = [pscustomobject]@{'Results' = "Successfully assigned emergency location to $($Request.Body.PhoneNumber)"}
$null = New-TeamsRequest -TenantFilter $TenantFilter -Cmdlet 'Set-CsPhoneNumberAssignment' -CmdParams @{LocationId = $Identity; PhoneNumber = $Request.Body.PhoneNumber; ErrorAction = 'stop' }
$Results = [pscustomobject]@{'Results' = "Successfully assigned emergency location to $($Request.Body.PhoneNumber)" }
} else {
$null = New-TeamsRequest -TenantFilter $TenantFilter -Cmdlet 'Set-CsPhoneNumberAssignment' -CmdParams @{Identity = $Request.Body.input; PhoneNumber = $Request.Body.PhoneNumber; PhoneNumberType = $Request.Body.PhoneNumberType; ErrorAction = 'stop'}
$Results = [pscustomobject]@{'Results' = "Successfully assigned $($Request.Body.PhoneNumber) to $($Request.Body.input)"}
$null = New-TeamsRequest -TenantFilter $TenantFilter -Cmdlet 'Set-CsPhoneNumberAssignment' -CmdParams @{Identity = $Identity; PhoneNumber = $Request.Body.PhoneNumber; PhoneNumberType = $Request.Body.PhoneNumberType; ErrorAction = 'stop' }
$Results = [pscustomobject]@{'Results' = "Successfully assigned $($Request.Body.PhoneNumber) to $($Identity)" }
}
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($TenantFilter) -message $($Results.Results) -Sev 'Info'
Write-LogMessage -user $ExecutingUser -API $APINAME -tenant $($TenantFilter) -message $($Results.Results) -Sev Info
$StatusCode = [HttpStatusCode]::OK
} catch {
$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
$Results = [pscustomobject]@{'Results' = $ErrorMessage}
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($TenantFilter) -message $($Results.Results) -Sev 'Error'
$ErrorMessage = Get-CippException -Exception $_
$Results = [pscustomobject]@{'Results' = $ErrorMessage.NormalizedError }
Write-LogMessage -user $ExecutingUser -API $APINAME -tenant $($TenantFilter) -message $($Results.Results) -Sev Error -LogData $ErrorMessage
$StatusCode = [HttpStatusCode]::Forbidden
}
# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
StatusCode = $StatusCode
Body = $Results
})
}
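Review bot: Every exception reaching the catch is mapped to `$StatusCode = [HttpStatusCode]::Forbidden` on line 212, so a Teams throttling or connectivity failure is reported to the caller as an authorization problem; `BadRequest`, as the sibling Invoke-ExecSharePointPerms hunk uses, or `InternalServerError` is the more accurate default, with Forbidden reserved for errors that actually indicate denied access. The `$ExecutingUser` hoist and the `-LogData $ErrorMessage` addition are fine.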
Expand Up @@ -17,10 +17,10 @@ Function Invoke-ExecNamedLocation {
# Write to the Azure Functions log stream.
Write-Host 'PowerShell HTTP trigger function processed a request.'

$TenantFilter = $Request.Body.TenantFilter
$NamedLocationId = $Request.Body.NamedLocationId
$change = $Request.Body.change
$content = $Request.Body.input
$TenantFilter = $Request.Body.TenantFilter ?? $Request.Query.TenantFilter
$NamedLocationId = $Request.Body.NamedLocationId ?? $Request.Query.NamedLocationId
$change = $Request.Body.change ?? $Request.Query.change
$content = $Request.Body.input ?? $Request.Query.input

try {
$results = Set-CIPPNamedLocation -NamedLocationId $NamedLocationId -TenantFilter $TenantFilter -change $change -content $content -ExecutingUser $request.headers.'x-ms-client-principal'
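Review bot: The `?? $Request.Query.*` fallbacks on lines 230-233 let `Set-CIPPNamedLocation`, a state-changing call, be driven entirely from the URL; if the function's binding also accepts GET (not visible here) that makes the change reachable by a crafted link, and query-string values tend to land in request logs. If the query path is needed only for a read case, restrict the fallback to that case; otherwise keep the mutation on the body and add a comment saying why the fallback exists, e.g. `# Query fallback kept for <reason>`. `??` requires PowerShell 7, which the `?:` ternaries elsewhere in this commit already assume.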
Expand Up @@ -13,7 +13,14 @@ Function Invoke-listStandardTemplates {
$Table = Get-CippTable -tablename 'templates'
$Filter = "PartitionKey eq 'StandardsTemplateV2'"
$Templates = (Get-CIPPAzDataTableEntity @Table -Filter $Filter) | ForEach-Object {
$data = $_.JSON | ConvertFrom-Json -Depth 100 -ErrorAction SilentlyContinue
$JSON = $_.JSON
try {
$data = $_.JSON | ConvertFrom-Json -Depth 100 -ErrorAction SilentlyContinue
} catch {
Write-Host "Could not load standard template: $($_.Exception.Message). Content of the template is: $($JSON)."
Write-Host "Template GUID: $($_.GUID)"
return
}
$data | Add-Member -NotePropertyName 'GUID' -NotePropertyValue $_.GUID -Force
if ($data.excludedTenants) { $data.excludedTenants = @($data.excludedTenants) }
$data
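Review bot: The try/catch added on lines 245-251 cannot catch what it is written for: `ConvertFrom-Json -ErrorAction SilentlyContinue` turns a parse failure into a suppressed non-terminating error, so `$data` is just `$null`, execution continues into `Add-Member`, and the catch never runs; use `-ErrorAction Stop` so malformed templates are skipped as intended. Inside the catch `$_` is the ErrorRecord rather than the table row, so `$_.GUID` on line 249 is always empty; capture it next to `$JSON` with `$GUID = $_.GUID` and log that instead. Also consider whether writing the whole template body to the log (`Content of the template is: $($JSON)`) is wanted, since templates can carry tenant-specific configuration.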
10 changes: 5 additions & 5 deletions Modules/CIPPCore/Public/Invoke-CIPPOffboardingJob.ps1
Expand Up @@ -35,21 +35,21 @@ function Invoke-CIPPOffboardingJob {
Set-CIPPSignInState -TenantFilter $tenantFilter -userid $username -AccountEnabled $false -ExecutingUser $ExecutingUser -APIName $APIName
}

{ $_.'OnedriveAccess' -ne '' } {
{ $_.'OnedriveAccess' } {
$Options.OnedriveAccess | ForEach-Object { Set-CIPPSharePointPerms -tenantFilter $tenantFilter -userid $username -OnedriveAccessUser $_.value -ExecutingUser $ExecutingUser -APIName $APIName }
}

{ $_.'AccessNoAutomap' -ne '' } {
{ $_.'AccessNoAutomap' } {
$Options.AccessNoAutomap | ForEach-Object { Set-CIPPMailboxAccess -tenantFilter $tenantFilter -userid $username -AccessUser $_.value -Automap $false -AccessRights @('FullAccess') -ExecutingUser $ExecutingUser -APIName $APIName }
}
{ $_.'AccessAutomap' -ne '' } {
{ $_.'AccessAutomap' } {
$Options.AccessAutomap | ForEach-Object { Set-CIPPMailboxAccess -tenantFilter $tenantFilter -userid $username -AccessUser $_.value -Automap $true -AccessRights @('FullAccess') -ExecutingUser $ExecutingUser -APIName $APIName }
}

{ $_.'OOO' -ne '' } {
{ $_.'OOO' } {
Set-CIPPOutOfOffice -tenantFilter $tenantFilter -userid $username -InternalMessage $Options.OOO -ExternalMessage $Options.OOO -ExecutingUser $ExecutingUser -APIName $APIName -state 'Enabled'
}
{ $_.'forward' -ne '' } {
{ $_.'forward' } {
if (!$Options.keepCopy) {
Set-CIPPForwarding -userid $userid -username $username -tenantFilter $Tenantfilter -Forward $Options.forward.value -ExecutingUser $ExecutingUser -APIName $APIName
} else {
15 changes: 8 additions & 7 deletions Modules/CIPPCore/Public/Set-CIPPSharePointPerms.ps1
@@ -1,8 +1,8 @@
function Set-CIPPSharePointPerms {
[CmdletBinding()]
param (
$userid,
$OnedriveAccessUser,
$UserId, # The UPN or ID of the users OneDrive we are changing permissions on
$OnedriveAccessUser, # The UPN of the user we are adding or removing permissions for
$TenantFilter,
$APIName = 'Manage SharePoint Owner',
$RemovePermission,
Expand All @@ -17,6 +17,7 @@ function Set-CIPPSharePointPerms {

try {
if (!$URL) {
Write-Information 'No URL provided, getting URL from Graph'
$URL = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($UserId)/Drives" -asapp $true -tenantid $TenantFilter).WebUrl
}
$tenantName = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/sites/root' -asApp $true -tenantid $TenantFilter).id.Split('.')[0]
Expand All @@ -39,19 +40,19 @@ function Set-CIPPSharePointPerms {
</Request>
"@
$request = New-GraphPostRequest -scope "$AdminURL/.default" -tenantid $TenantFilter -Uri "$AdminURL/_vti_bin/client.svc/ProcessQuery" -Type POST -Body $XML -ContentType 'text/xml'
Write-Host $($request)
# Write-Host $($request)
if (!$request.ErrorInfo.ErrorMessage) {
$Message = "$($OnedriveAccessUser) has been $($RemovePermission ? 'removed from' : 'given') access to $URL"
Write-LogMessage -user $ExecutingUser -API $APIName -message $Message -Sev 'Info' -tenant $TenantFilter
Write-LogMessage -user $ExecutingUser -API $APIName -message $Message -Sev Info -tenant $TenantFilter
return $Message
} else {
$message = "Failed to change access: $($request.ErrorInfo.ErrorMessage)"
Write-LogMessage -user $ExecutingUser -API $APIName -message $message -Sev 'Info' -tenant $TenantFilter
return $message
Write-LogMessage -user $ExecutingUser -API $APIName -message $message -Sev Error -tenant $TenantFilter
throw $Message
}
} catch {
$ErrorMessage = Get-CippException -Exception $_
Write-LogMessage -user $ExecutingUser -API $APIName -message "Could not add new owner to $($OnedriveAccessUser) on $URL. Error: $($ErrorMessage.NormalizedError)" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage
Write-LogMessage -user $ExecutingUser -API $APIName -message "Could not add new owner to $($OnedriveAccessUser) on $URL. Error: $($ErrorMessage.NormalizedError)" -Sev Error -tenant $TenantFilter -LogData $ErrorMessage
return "Could not add owner for $($URL). Error: $($ErrorMessage.NormalizedError)"
}
}
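Review bot: The `throw $Message` added on line 323 is raised inside the same `try` whose `catch` (lines 325-330) logs and then `return`s a string, so the exception never leaves this function: a ProcessQuery error now produces two log entries and a string return, and Invoke-ExecSharePointPerms, which this commit changes to set `BadRequest` only from its catch, still answers with `OK` and a failure message. Either keep `return $Message` as before, or make the catch rethrow after logging (a bare `throw` in place of the final `return`), checking that Invoke-CIPPOffboardingJob's `ForEach-Object` call site copes with the exception. `$Message` and `$message` are the same variable in PowerShell, but one spelling would avoid the impression they differ.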
Expand Up @@ -33,6 +33,7 @@ function Invoke-CIPPStandardcalDefault {
##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'calDefault'

# Input validation
$Settings.permissionlevel = $Settings.permissionlevel.value ? $Settings.permissionlevel.value : $Settings.permissionlevel
if ([string]::IsNullOrWhiteSpace($Settings.permissionlevel) -or $Settings.permissionlevel -eq 'Select a value') {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'calDefault: Invalid permissionlevel parameter set' -sev Error
Return
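Review bot: The unwrap on line 337 falls back to the whole `permissionlevel` object whenever `.value` is falsy, so an option with an empty `value` string passes through as an object; `[string]::IsNullOrWhiteSpace` on a PSCustomObject is false, and the validation on line 338 then lets it through. `$Settings.permissionlevel = $Settings.permissionlevel.value ?? $Settings.permissionlevel` keeps an empty string empty so the existing check rejects it (a `value` that is explicitly `$null` would still fall back, if that shape occurs). Which shapes `$Settings.permissionlevel` actually arrives in is not visible from this hunk.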