

Merge pull request KelvinTegelaar#586 from KelvinTegelaar/dev
Dev
KelvinTegelaar authored Jan 19, 2024
2 parents 68bc51b + a8d52c1 commit 465ecd2
Showing 21 changed files with 302 additions and 30 deletions.
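--- a/.github/workflows/dev_cippy6oom.yml
+++ b/.github/workflows/dev_cippy6oom.yml
@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippy6oom
+
+on:
+push:
+branches:
+- dev
+workflow_dispatch:
+
+env:
+AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+deploy:
+runs-on: windows-latest
+
+steps:
+- name: 'Checkout GitHub Action'
+uses: actions/checkout@v4
+
+- name: 'Run Azure Functions Action'
+uses: Azure/functions-action@v1
+id: fa
+with:
+app-name: 'cippy6oom'
+slot-name: 'Production'
+package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B9C635E19DF6459F8995BA602EFA638A }}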
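Review bot: The deploy job declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` permissions although the checkout step only needs read access; add `permissions: contents: read` at the workflow or job level. Both actions are referenced by mutable major tags (`actions/checkout@v4`, `Azure/functions-action@v1`) rather than a commit SHA, so a re-tagged or compromised release would be pulled into every push to `dev` and deployed straight to `slot-name: 'Production'`. The `secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B9C635E19DF6459F8995BA602EFA638A` publish profile is a long-lived deployment credential; where the target app supports it, an OIDC federated credential via `azure/login` avoids keeping that secret in the repository at all.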
Expand Up @@ -37,5 +37,5 @@
"excludeApplications": []
}
},
"displayName": "Enforce Multi factor authentication for each application"
"displayName": "CIPP: Enforce Multi factor authentication for each application"
}
Expand Up @@ -32,5 +32,5 @@
"times": null,
"clientApplications": null
},
"displayName": "Enforce Multi-factor authentication for Static Web Apps"
"displayName": "CIPP: Enforce Multi-factor authentication for Static Web Apps"
}
4 changes: 2 additions & 2 deletions Config/f8be7e58-2419-40a8-a739-714bf5deff90.CATemplate.json
Expand Up @@ -26,11 +26,11 @@
"platforms": null,
"clientApplications": null,
"applications": {
"includeApplications": ["None"],
"includeApplications": ["All"],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"excludeApplications": []
}
},
"displayName": "Block Legacy Authentication"
"displayName": "CIPP: Block Legacy Authentication"
}
Expand Up @@ -18,6 +18,14 @@ Function Invoke-AddStandardsDeploy {
$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
$Settings = ($request.body | Select-Object -Property *, v2* -ExcludeProperty Select_*, None )
$Settings | Add-Member -NotePropertyName 'v2.1' -NotePropertyValue $true -Force
if ($Settings.phishProtection.remediate) {
$URL = $request.headers.'x-ms-original-url'.split('/api') | Select-Object -First 1
write-host $URL
$Settings.phishProtection = [pscustomobject]@{
remediate = $true
URL = $URL
}
}
foreach ($Tenant in $tenants) {

$object = [PSCustomObject]@{
Expand All @@ -37,8 +45,7 @@ Function Invoke-AddStandardsDeploy {
Write-LogMessage -user $request.headers.'x-ms-client-principal' -tenant $tenant -API 'Standards' -message 'Successfully added standards deployment' -Sev 'Info'
}
$body = [pscustomobject]@{'Results' = 'Successfully added standards deployment' }
}
catch {
} catch {
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -message "Standards API failed. Error:$($_.Exception.Message)" -Sev 'Error'
$body = [pscustomobject]@{'Results' = "Failed to add standard: $($_.Exception.Message)" }
}
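Review bot: The phishProtection URL is derived from the `x-ms-original-url` request header on the new `$URL = $request.headers.'x-ms-original-url'.split('/api') | Select-Object -First 1` line and then persisted into the standards settings, so a request arriving with an altered header would store a foreign base URL for every selected tenant; take the base URL from configuration, or at least check its host against the expected Function App host before saving it. The `write-host $URL` line reads as leftover debug output and should be removed. `Invoke-AddStandardsDeploy` starts before this hunk and continues past it.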
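--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignAPDevice.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignAPDevice.ps1
@@ -0,0 +1,32 @@
+using namespace System.Net
+
+Function Invoke-ExecAssignAPDevice {
+<#
+.FUNCTIONALITY
+Entrypoint
+#>
+[CmdletBinding()]
+param($Request, $TriggerMetadata)
+$APIName = $TriggerMetadata.FunctionName
+Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+$tenantfilter = $Request.Body.TenantFilter
+try {
+$body = @{
+UserPrincipalName = $Request.body.UserPrincipalName
+addressableUserName = $Request.body.addressableUserName
+} | ConvertTo-Json
+New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($request.body.Device)/UpdateDeviceProperties" -tenantid $TenantFilter -body $body -method POST
+$Results = "Successfully assigned device to $($Request.body.UserPrincipalName) for $($tenantfilter)"
+} catch {
+$Results = "Could not $($Request.body.UserPrincipalName) to $($Request.body.device) for $($tenantfilter) Error: $($_.Exception.Message)"
+}
+
+$Results = [pscustomobject]@{'Results' = "$results" }
+
+# Associate values to output bindings by calling 'Push-OutputBinding'.
+Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+StatusCode = [HttpStatusCode]::OK
+Body = $Results
+})
+
+}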
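Review bot: The response is always sent with `StatusCode = [HttpStatusCode]::OK`, even when the Graph call in the try block throws, so callers cannot tell success from the `Could not ...` result without parsing the message text; set a non-success status from the catch path. The catch message is also missing its verb: `$Results = "Could not assign $($Request.body.UserPrincipalName) to $($Request.body.device) for $($tenantfilter) Error: $($_.Exception.Message)"`. `$request.body.Device` is interpolated straight into the Graph URI path; wrapping it in `[uri]::EscapeDataString(...)` keeps an unexpected value from altering the request path.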
12 changes: 10 additions & 2 deletions Modules/CIPPCore/Public/Entrypoints/Invoke-ExecOffboardTenant.ps1
Expand Up @@ -12,6 +12,9 @@ Function Invoke-ExecOffboardTenant {

$Tenantfilter = $request.body.tenantfilter

# temp fix -rvdwegen
$tenantId = (Invoke-RestMethod -Method GET "https://login.windows.net/$Tenantfilter/.well-known/openid-configuration").token_endpoint.Split('/')[3]

$results = [System.Collections.ArrayList]@()
$errors = [System.Collections.ArrayList]@()

Expand Down Expand Up @@ -105,7 +108,7 @@ Function Invoke-ExecOffboardTenant {
}

# All customer tenant specific actions ALWAYS have to be completed before this action!
if ($request.body.RemoveMultitenantApps) {
if ($request.body.RemoveMultitenantCSPApps) {
# Remove multi-tenant apps with the CSP tenant as origin
try {
$multitenantCSPApps = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$count=true&`$select=displayName,appId,id,appOwnerOrganizationId&`$filter=appOwnerOrganizationId eq $($env:TenantID)" -tenantid $Tenantfilter -ComplexFilter)
Expand All @@ -129,18 +132,23 @@ Function Invoke-ExecOffboardTenant {
if ($request.body.TerminateGDAP) {
# Terminate GDAP relationships
try {
$delegatedAdminRelationships = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships?`$filter=(status eq 'active') AND (customer/tenantId eq '$TenantFilter')" -tenantid $env:TenantID)
$TenantFilter
$TenantFilter
$TenantFilter
$delegatedAdminRelationships = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships?`$filter=(status eq 'active') AND (customer/tenantId eq '$tenantid')" -tenantid $env:TenantID)
$delegatedAdminRelationships | ForEach-Object {
try {
$terminate = (New-GraphPostRequest -type 'POST' -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($_.id)/requests" -body '{"action":"terminate"}' -ContentType 'application/json' -tenantid $env:TenantID)
$results.Add("Succesfully terminated GDAP relationship $($_.displayName) from tenant $TenantFilter")
Write-LogMessage -user $ExecutingUser -API $APIName -message "GDAP Relationship $($_.displayName) has been terminated" -Sev "Info" -tenant $TenantFilter
} catch {
$($_.Exception.message)
#$results.Add("Failed to terminate GDAP relationship $($_.displayName): $($_.Exception.message)")
$errors.Add("Failed to terminate GDAP relationship $($_.displayName): $($_.Exception.message)")
}
}
} catch {
$($_.Exception.message)
#$results.Add("Failed to retrieve GDAP relationships, no relationships have been terminated: $($_.Exception.message)")
$errors.Add("Failed to retrieve GDAP relationships, no relationships have been terminated: $($_.Exception.message)")
}
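Review bot: The three bare `$TenantFilter` lines added above the `$delegatedAdminRelationships = ...` assignment look like leftover debug statements; inside a function body they write the value to the output stream on every call and should be removed. The new tenant-id lookup under `# temp fix -rvdwegen` interpolates `$Tenantfilter` from the request body directly into the `login.windows.net` URL and runs outside any try/catch, so a malformed value aborts the whole function before `$results` and `$errors` are initialised; validate it as a GUID or domain name first and move the call inside error handling so the failure is reported like the other steps. `Invoke-ExecOffboardTenant` starts before this hunk and continues past it.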
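--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecSyncAPDevices.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecSyncAPDevices.ps1
@@ -0,0 +1,28 @@
+using namespace System.Net
+
+Function Invoke-ExecSyncAPDevices {
+<#
+.FUNCTIONALITY
+Entrypoint
+#>
+[CmdletBinding()]
+param($Request, $TriggerMetadata)
+$APIName = $TriggerMetadata.FunctionName
+Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+$tenantfilter = $Request.Query.TenantFilter
+try {
+New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotSettings/sync' -tenantid $TenantFilter
+$Results = "Successfully Started Sync for $($TenantFilter)"
+} catch {
+$Results = "Failed to start sync for $tenantfilter. Did you try syncing in the last 10 minutes?"
+}
+
+$Results = [pscustomobject]@{'Results' = "$results" }
+
+# Associate values to output bindings by calling 'Push-OutputBinding'.
+Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+StatusCode = [HttpStatusCode]::OK
+Body = $Results
+})
+
+}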
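Review bot: The catch block discards `$_.Exception.Message` and the response always carries `[HttpStatusCode]::OK`, so any failure is reported as a 200 with a guessed cause ("Did you try syncing in the last 10 minutes?") and nothing is logged for the operator; append the normalised error to `$Results`, write a `Write-LogMessage` entry at `-Sev 'Error'`, and return a non-OK status from the catch path. `$tenantfilter` is read from `$Request.Query` here while `Invoke-ExecAssignAPDevice` in the same commit reads it from `$Request.Body`; worth confirming the frontend sends it the same way for both endpoints.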
Expand Up @@ -17,7 +17,6 @@ Function Invoke-ListAPDevices {

# Interact with query parameters or the body of the request.
$TenantFilter = $Request.Query.TenantFilter
$userid = $Request.Query.UserID
try {
$GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities?`$top=999" -tenantid $TenantFilter
$StatusCode = [HttpStatusCode]::OK
Expand Up @@ -13,7 +13,7 @@ Function Invoke-ListMailQuarantine {
$Tenantfilter = $request.Query.tenantfilter

try {
$GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-QuarantineMessage'
$GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ 'PageSize' = 1000 }
$StatusCode = [HttpStatusCode]::OK
} catch {
$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
24 changes: 24 additions & 0 deletions Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1

Large diffs are not rendered by default.

Expand Up @@ -14,7 +14,6 @@ function Push-CIPPAlertExpiringLicenses {
}
}
} catch {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
}
}

Expand Up @@ -18,6 +18,5 @@ function Push-CIPPAlertSharepointQuota {
}
}
} catch {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get SharePoint quota for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
}
}
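--- a/Modules/CIPPCore/Public/Entrypoints/invoke-DomainAnalyser_List.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/invoke-DomainAnalyser_List.ps1
@@ -0,0 +1,39 @@
+
+using namespace System.Net
+
+Function Invoke-DomainAnalyser_List {
+<#
+.FUNCTIONALITY
+Entrypoint
+#>
+[CmdletBinding()]
+param($Request, $TriggerMetadata)
+$DomainTable = Get-CIPPTable -Table 'Domains'
+
+# Get all the things
+
+if ($Request.Query.tenantFilter -ne 'AllTenants') {
+$DomainTable.Filter = "TenantId eq '{0}'" -f $Request.Query.tenantFilter
+}
+
+try {
+# Extract json from table results
+$Results = foreach ($DomainAnalyserResult in (Get-CIPPAzDataTableEntity @DomainTable).DomainAnalyser) {
+try {
+if (![string]::IsNullOrEmpty($DomainAnalyserResult)) {
+$Object = $DomainAnalyserResult | ConvertFrom-Json -ErrorAction SilentlyContinue
+$Object
+}
+} catch {}
+}
+} catch {
+$Results = @()
+}
+
+
+# Associate values to output bindings by calling 'Push-OutputBinding'.
+Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+StatusCode = [HttpStatusCode]::OK
+Body = @($Results)
+})
+}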
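Review bot: `$Request.Query.tenantFilter` is formatted into the table query string on the `$DomainTable.Filter = "TenantId eq '{0}'" -f ...` line without escaping, so a value containing a single quote either breaks the filter or changes which rows it matches; double any quotes before formatting, `$DomainTable.Filter = "TenantId eq '{0}'" -f ($Request.Query.tenantFilter -replace "'", "''")`, or validate the value as a tenant id first. The inner `catch {}` swallows every `ConvertFrom-Json` failure silently, so a corrupt row disappears from the result with no log entry; at minimum write a `Write-LogMessage` at debug level there. The outer catch likewise replaces any table error with an empty list and a 200 response, which the caller cannot distinguish from "no domains".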
10 changes: 7 additions & 3 deletions Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1
@@ -1,5 +1,5 @@

function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck, $skipTokenCache, $AddedHeaders) {
function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck, $skipTokenCache, $AddedHeaders, $contentType) {
<#
.FUNCTIONALITY
Internal
Expand All @@ -16,10 +16,14 @@ function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $N
$type = 'POST'
}

if (!$contentType) {
$contentType = 'application/json; charset=utf-8'
}
try {
$ReturnedData = (Invoke-RestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType 'application/json; charset=utf-8')
$ReturnedData = (Invoke-RestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType $contentType)
} catch {
$Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error.message
$Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error
if ($Message.innerError) { $Message = $Message.Innererror.Message } else { $Message = $Message.Message.Error }
if ($Message -eq $null) {
try {
$Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).message
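Review bot: The else branch on the new `if ($Message.innerError) { ... } else { $Message = $Message.Message.Error }` line reads `.Message.Error`, but `$Message` already holds the parsed `error` object, whose `message` is a string, so `.Error` on it yields `$null`; the intended expression appears to be `$Message = $Message.Message`. As written, every response without an `innerError` falls through to the `if ($Message -eq $null)` branch below, which hides the regression behind the older parsing path. The new `$contentType` parameter is worth a line in the comment-based help so callers know the default is `'application/json; charset=utf-8'`. `New-GraphPOSTRequest` continues past this hunk.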
16 changes: 16 additions & 0 deletions Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1
Expand Up @@ -45,6 +45,21 @@ function New-CIPPCAPolicy {
# no issues here.
}

#If Grant Controls contains authenticationstrength, create these and then replace the id
if ($JSONobj.GrantControls.authenticationStrength.policyType -eq 'custom') {
$ExistingStrength = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies/' -tenantid $TenantFilter | Where-Object -Property displayName -EQ $JSONobj.GrantControls.authenticationStrength.displayName
if ($ExistingStrength) {
$JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }

} else {
$Body = ConvertTo-Json -InputObject $JSONObj.GrantControls.authenticationStrength
$GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies' -body $body -Type POST -tenantid $tenantfilter
$JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created new Authentication Strength Policy: $($JSONObj.GrantControls.authenticationStrength.displayName)" -Sev 'Info'
}
}


#for each of the locations, check if they exist, if not create them. These are in $jsonobj.LocationInfo
$LocationLookupTable = foreach ($locations in $jsonobj.LocationInfo) {
foreach ($location in $locations) {
Expand Down Expand Up @@ -109,6 +124,7 @@ function New-CIPPCAPolicy {
return "Created policy $displayname for $tenantfilter"
}
} catch {
Write-Host "$($_.exception | ConvertTo-Json)"
throw "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message)"
Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message) " -sev 'Error'
}
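Review bot: In the else branch that creates a new authentication strength policy, `$JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }` reads `$ExistingStrength`, which is `$null` in that branch, so the conditional access policy is submitted with an empty strength id; it should use the creation result, `$JSONObj.GrantControls.authenticationStrength = @{ id = $GraphRequest.id }`. The following `Write-LogMessage` then reads `.authenticationStrength.displayName` after the object has been replaced by the id hashtable, so the logged name is empty; capture the display name in a local before the assignment. That log call also references `$request.headers.'x-ms-client-principal'`, although `New-CIPPCAPolicy` does not appear to receive `$request`; confirm it is in scope or pass the executing user in. The `Write-Host "$($_.exception | ConvertTo-Json)"` added to the catch reads like debug output. `New-CIPPCAPolicy` starts before this hunk and continues past it.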
@@ -0,0 +1,39 @@
function Invoke-CIPPStandardDisableAdditionalStorageProviders {
<#
.FUNCTIONALITY
Internal
#>
param($Tenant, $Settings)

$AdditionalStorageProvidersState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OwaMailboxPolicy' -cmdParams @{Identity = 'OwaMailboxPolicy-Default' }

if ($Settings.remediate) {

try {
if ($AdditionalStorageProvidersState.AdditionalStorageProvidersAvailable) {
New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OwaMailboxPolicy' -cmdParams @{ Identity = $AdditionalStorageProvidersState.Identity; AdditionalStorageProvidersAvailable = $false } -useSystemMailbox $true
Write-LogMessage -API 'Standards' -tenant $tenant -message 'OWA additional storage providers have been disabled.' -sev Info
$AdditionalStorageProvidersState.AdditionalStorageProvidersAvailable = $false
} else {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'OWA additional storage providers are already disabled.' -sev Info
}
} catch {
Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable OWA additional storage providers. Error: $($_.Exception.Message)" -sev Error
}

}

if ($Settings.alert) {

if ($AdditionalStorageProvidersState.AdditionalStorageProvidersAvailable) {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'OWA additional storage providers are enabled' -sev Alert
} else {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'OWA additional storage providers are disabled' -sev Info
}
}

if ($Settings.report) {

Add-CIPPBPAField -FieldName 'AdditionalStorageProvidersEnabled' -FieldValue [bool]$AdditionalStorageProvidersState.AdditionalStorageProvidersEnabled -StoreAs bool -Tenant $tenant
}
}
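Review bot: The report branch reads `$AdditionalStorageProvidersState.AdditionalStorageProvidersEnabled`, but every other line in the file uses the `AdditionalStorageProvidersAvailable` property returned by `Get-OwaMailboxPolicy`, so the BPA field is filled from a property that does not exist and will always record false; change it to `-FieldValue ([bool]$AdditionalStorageProvidersState.AdditionalStorageProvidersAvailable)`. The parentheses matter too: in command-argument position an unparenthesised `[bool]$x` appears to be passed as text rather than evaluated as a cast. The initial `New-ExoRequest` on the `$AdditionalStorageProvidersState = ...` line runs outside the try block, so a failed lookup aborts the standard without producing the `Failed to disable ...` log entry.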