Merge pull request #75 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev
BNWEIN · Jun 20, 2024 · fd642ea · fd642ea
2 parents 6af915e + de99a16
commit fd642ea
Show file tree

Hide file tree

Showing 71 changed files with 669 additions and 347 deletions.
diff --git a/Cache_SAMSetup/SAMManifest.json b/Cache_SAMSetup/SAMManifest.json
@@ -159,7 +159,8 @@
         { "id": "cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec", "type": "Scope" },
         { "id": "4c06a06a-098a-4063-868e-5dfee3827264", "type": "Scope" },
         { "id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "type": "Role" },
-        { "id": "e67e6727-c080-415e-b521-e3f35d5248e9", "type": "Scope" }
+        { "id": "e67e6727-c080-415e-b521-e3f35d5248e9", "type": "Scope" },
+        { "id": "b6890674-9dd5-4e42-bb15-5af07f541ae1", "type": "Role" }
       ]
     },
     {

diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuotaUsed.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuotaUsed.ps1
@@ -17,9 +17,17 @@ function Get-CIPPAlertQuotaUsed {
         return
     }
     $AlertData | ForEach-Object {
-        if ($_.StorageUsedInBytes -eq 0) { return }
+        if ($_.StorageUsedInBytes -eq 0 -or $_.prohibitSendReceiveQuotaInBytes -eq 0) { return }
         $PercentLeft = [math]::round(($_.storageUsedInBytes / $_.prohibitSendReceiveQuotaInBytes) * 100)
-        if ($InputValue) { $Value = [int]$InputValue } else { $Value = 90 }
+        try {
+            if ([int]$InputValue -gt 0) {
+                $Value = [int]$InputValue
+            } else {
+                $Value = 90
+            }
+        } catch {
+            $Value = 90
+        }
         if ($PercentLeft -gt $Value) {
             "$($_.userPrincipalName): Mailbox is more than $($value)% full. Mailbox is $PercentLeft% full"
         }

diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSharepointQuota.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSharepointQuota.ps1
@@ -20,7 +20,11 @@ function Get-CIPPAlertSharepointQuota {
         return
     }
     if ($sharepointQuota) {
-        if ($InputValue -Is [Boolean]) { $Value = 90 } else { $Value = $InputValue }
+        try {
+            if ([int]$InputValue -gt 0) { $Value = [int]$InputValue } else { $Value = 90 }
+        } catch {
+            $Value = 90
+        }
         $UsedStoragePercentage = [int](($sharepointQuota.GeoUsedStorageMB / $sharepointQuota.TenantStorageMB) * 100)
         if ($UsedStoragePercentage -gt $Value) {
             $AlertData = "SharePoint Storage is at $($UsedStoragePercentage)%. Your alert threshold is $($Value)%"

diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecCustomRole.ps1
@@ -14,7 +14,7 @@ function Invoke-ExecCustomRole {
             Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API 'ExecCustomRole' -message "Saved custom role $($Request.Body.RoleName)" -Sev 'Info'
             $Role = @{
                 'PartitionKey'   = 'CustomRoles'
-                'RowKey'         = "$($Request.Body.RoleName)"
+                'RowKey'         = "$($Request.Body.RoleName.ToLower())"
                 'Permissions'    = "$($Request.Body.Permissions | ConvertTo-Json -Compress)"
                 'AllowedTenants' = "$($Request.Body.AllowedTenants | ConvertTo-Json -Compress)"
                 'BlockedTenants' = "$($Request.Body.BlockedTenants | ConvertTo-Json -Compress)"

diff --git a/...les/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Invoke-AddSharedMailbox.ps1 b/...les/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Invoke-AddSharedMailbox.ps1
@@ -35,8 +35,9 @@ Function Invoke-AddSharedMailbox {
         Write-LogMessage -user $User -API $APINAME -tenant $($groupobj.tenantid) -message "Created shared mailbox $($groupobj.displayname) with email $Email" -Sev 'Info'
 
     } catch {
-        Write-LogMessage -user $User -API $APINAME -tenant $($groupobj.tenantid) -message "Failed to create shared mailbox. Error: $($_.Exception.Message)" -Sev 'Error'
-        $Body = $Results.add("Failed to create Shared Mailbox. $($_.Exception.Message)")
+        $ErrorMessage = Get-NormalizedError -message $_.Exception.Message
+        Write-LogMessage -user $User -API $APINAME -tenant $($groupobj.tenantid) -message "Failed to create shared mailbox. Error: $ErrorMessage" -Sev 'Error'
+        $Body = $Results.add("Failed to create Shared Mailbox: $ErrorMessage")
 
     }
 
@@ -54,8 +55,9 @@ Function Invoke-AddSharedMailbox {
             $Body = $results.add("Added Aliases to $Email : $($Aliases -join ',')")
         }
     } catch {
-        Write-LogMessage -user $User -API $APINAME -tenant $($groupobj.tenantid) -message "Failed to add aliases to $Email : $($_.Exception.Message)" -Sev 'Error'
-        $Body = $results.add("ERROR: Failed to add aliases to $Email : $($_.Exception.Message)")
+        $ErrorMessage = Get-NormalizedError -message $_.Exception.Message
+        Write-LogMessage -user $User -API $APINAME -tenant $($groupobj.tenantid) -message "Failed to add aliases to $Email : $ErrorMessage" -Sev 'Error'
+        $Body = $results.add("ERROR: Failed to add aliases to $Email : $ErrorMessage")
     }
 
     $Body = [pscustomobject] @{ 'Results' = @($results) }

diff --git a/...Core/Public/Entrypoints/HTTP Functions/Email-Exchange/Invoke-ExecMailboxMobileDevices.ps1 b/...Core/Public/Entrypoints/HTTP Functions/Email-Exchange/Invoke-ExecMailboxMobileDevices.ps1
@@ -20,7 +20,7 @@ Function Invoke-ExecMailboxMobileDevices {
 
     # Interact with query parameters or the body of the request.
     Try {
-        $MobileResults = Set-CIPPMobileDevice -UserId $request.query.Userid -DeviceId $request.query.deviceid -Quarantine $request.query.Quarantine -tenantFilter $request.query.tenantfilter -APIName $APINAME -Delete $Request.query.Delete -ExecutingUser $request.headers.'x-ms-client-principal'
+        $MobileResults = Set-CIPPMobileDevice -UserId $request.query.Userid -Guid $request.query.guid -DeviceId $request.query.deviceid -Quarantine $request.query.Quarantine -tenantFilter $request.query.tenantfilter -APIName $APINAME -Delete $Request.query.Delete -ExecutingUser $request.headers.'x-ms-client-principal'
         $Results = [pscustomobject]@{'Results' = $MobileResults }
     } catch {
         $Results = [pscustomobject]@{'Results' = "Failed  $($request.query.Userid): $($_.Exception.Message)" }

diff --git a/...e/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 b/...e/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
@@ -21,7 +21,7 @@ Function Invoke-ExecJITAdmin {
             Endpoint     = 'users'
             Parameters   = @{
                 '$count'  = 'true'
-                '$select' = "id,displayName,userPrincipalName,$($Schema.id)"
+                '$select' = "id,accountEnabled,displayName,userPrincipalName,$($Schema.id)"
                 '$filter' = "$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false"
             }
         }
@@ -42,6 +42,7 @@ Function Invoke-ExecJITAdmin {
                 id                 = $_.id
                 displayName        = $_.displayName
                 userPrincipalName  = $_.userPrincipalName
+                accountEnabled     = $_.accountEnabled
                 jitAdminEnabled    = $_.($Schema.id).jitAdminEnabled
                 jitAdminExpiration = $_.($Schema.id).jitAdminExpiration
                 memberOf           = $MemberOf
@@ -81,9 +82,44 @@ Function Invoke-ExecJITAdmin {
             $CreateResult = Set-CIPPUserJITAdmin @JITAdmin
             $Username = $CreateResult.userPrincipalName
             $Results.Add("Created User: $($CreateResult.userPrincipalName)")
-            $Results.Add("Password: $($CreateResult.password)")
+            if (!$Request.Body.UseTAP) {
+                $Results.Add("Password: $($CreateResult.password)")
+            }
+            $Results.Add("JIT Expires: $($Expiration)")
             Start-Sleep -Seconds 1
         }
+
+        if ($Request.Body.UseTAP) {
+            try {
+                if ($Start -gt (Get-Date)) {
+                    $TapParams = @{
+                        startDateTime = [System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.StartDate).DateTime
+                    }
+                    $TapBody = ConvertTo-Json -Depth 5 -InputObject $TapParams
+                } else {
+                    $TapBody = '{}'
+                }
+                Write-Information "https://graph.microsoft.com/beta/users/$Username/authentication/temporaryAccessPassMethods"
+                $TapRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Username)/authentication/temporaryAccessPassMethods" -tenantid $Request.Body.TenantFilter -type POST -body $TapBody
+
+                $TempPass = $TapRequest.temporaryAccessPass
+                $PasswordExpiration = $TapRequest.LifetimeInMinutes
+
+                $PasswordLink = New-PwPushLink -Payload $TempPass
+                if ($PasswordLink) {
+                    $Password = $PasswordLink
+                }
+                $Results.Add("Temporary Access Pass: $Password")
+                $Results.Add("This TAP is usable starting at $($TapRequest.startDateTime) UTC for the next $PasswordExpiration minutes")
+            } catch {
+                $Results.Add('Failed to create TAP, if this is not yet enabled, use the Standards to push the settings to the tenant.')
+                Write-Information (Get-CippException -Exception $_ | ConvertTo-Json -Depth 5)
+                if ($Password) {
+                    $Results.Add("Password: $Password")
+                }
+            }
+        }
+
         $Parameters = @{
             TenantFilter = $Request.Body.TenantFilter
             User         = @{

diff --git a/...ublic/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-ListAuditLogTest.ps1 b/...ublic/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-ListAuditLogTest.ps1
@@ -13,7 +13,16 @@ function Invoke-ListAuditLogTest {
         LogType      = $Request.Query.LogType
         ShowAll      = $true
     }
-    $TestResults = Test-CIPPAuditLogRules @AuditLogQuery
+    try {
+        $TestResults = Test-CIPPAuditLogRules @AuditLogQuery
+    } catch {
+        $Body = Get-CippException -Exception $_
+        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::InternalServerError
+                Body       = $Body
+            })
+        return
+    }
     $Body = @{
         Results  = @($TestResults.DataToProcess)
         Metadata = @{

diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListCalendarPermissions.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListCalendarPermissions.ps1
@@ -17,9 +17,9 @@ Function Invoke-ListCalendarPermissions {
 
     try {
         $GetCalParam = @{Identity = $UserID; FolderScope = 'Calendar' }
-        $CalendarFolder = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-MailboxFolderStatistics' -cmdParams $GetCalParam | Select-Object -First 1
+        $CalendarFolder = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-MailboxFolderStatistics' -anchor $UserID -cmdParams $GetCalParam | Select-Object -First 1
         $CalParam = @{Identity = "$($UserID):\$($CalendarFolder.name)" }
-        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-MailboxFolderPermission' -cmdParams $CalParam -UseSystemMailbox $true | Select-Object Identity, User, AccessRights, FolderName
+        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-MailboxFolderPermission' -anchor $UserID -cmdParams $CalParam -UseSystemMailbox $true | Select-Object Identity, User, AccessRights, FolderName
         Write-LogMessage -API 'List Calendar Permissions' -tenant $tenantfilter -message "Calendar permissions listed for $($tenantfilter)" -sev Debug
         $StatusCode = [HttpStatusCode]::OK
     } catch {

diff --git a/Modules/CIPPCore/Public/Invoke-RemoveSpamfilter.ps1 b/Modules/CIPPCore/Public/Invoke-RemoveSpamfilter.ps1
@@ -20,9 +20,9 @@ Function Invoke-RemoveSpamfilter {
 
     try {
         $cmdlet = 'Remove-HostedContentFilterRule'
-        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params -useSystemmailbox $true
+        $null = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params -useSystemmailbox $true
         $cmdlet = 'Remove-HostedContentFilterPolicy'
-        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params -useSystemmailbox $true
+        $null = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params -useSystemmailbox $true
         $Result = "Deleted $($Request.query.name)"
         Write-LogMessage -API 'TransportRules' -tenant $tenantfilter -message "Deleted transport rule $($Request.query.name)" -sev Debug
     } catch {

diff --git a/Modules/CIPPCore/Public/Invoke-RemoveTransportRule.ps1 b/Modules/CIPPCore/Public/Invoke-RemoveTransportRule.ps1
@@ -21,7 +21,7 @@ Function Invoke-RemoveTransportRule {
 
     try {
         $cmdlet = 'Remove-TransportRule'
-        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params -UseSystemMailbox $true
+        $null = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params -UseSystemMailbox $true
         $Result = "Deleted $($Request.query.guid)"
         Write-LogMessage -API 'TransportRules' -tenant $tenantfilter -message "Deleted transport rule $($Request.query.guid)" -sev Debug
     } catch {

diff --git a/Modules/CIPPCore/Public/SAMManifest.json b/Modules/CIPPCore/Public/SAMManifest.json
@@ -159,7 +159,8 @@
         { "id": "cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec", "type": "Scope" },
         { "id": "4c06a06a-098a-4063-868e-5dfee3827264", "type": "Scope" },
         { "id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "type": "Role" },
-        { "id": "e67e6727-c080-415e-b521-e3f35d5248e9", "type": "Scope" }
+        { "id": "e67e6727-c080-415e-b521-e3f35d5248e9", "type": "Scope" },
+        { "id": "b6890674-9dd5-4e42-bb15-5af07f541ae1", "type": "Role" }
       ]
     },
     {

diff --git a/Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1 b/Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1
@@ -91,6 +91,17 @@ function Set-CIPPUserJITAdmin {
                         $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/directoryRoles(roleTemplateId='$($_)')/members/`$ref" -tenantid $TenantFilter -body $Json -ErrorAction SilentlyContinue
                     } catch {}
                 }
+                $UserEnabled = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)?`$select=accountEnabled" -tenantid $TenantFilter).accountEnabled
+                if (-not $UserEnabled) {
+                    $Body = @{
+                        accountEnabled = $true
+                    }
+                    $Json = ConvertTo-Json -Depth 5 -InputObject $Body
+                    try {
+                        New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)" -tenantid $TenantFilter -body $Json | Out-Null
+                    } catch {}
+                }
+
                 Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Enabled -Expiration $Expiration | Out-Null
                 return "Added admin roles to user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
             }
@@ -115,10 +126,13 @@ function Set-CIPPUserJITAdmin {
                 $Body = @{
                     accountEnabled = $false
                 }
-                $Json = ConvertTo-Json -Depth 5 -InputObject $Body
+                $Json = ConvertTo-Json -Depth 5 -InputObject $Body -Compress
                 try {
-                    New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)" -tenantid $TenantFilter -body $Json
-                    Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Enabled:$false | Out-Null
+                    Write-Information "Disabling user $($UserObj.displayName) ($($User.UserPrincipalName))"
+                    Write-Information $Json
+                    Write-Information "https://graph.microsoft.com/beta/users/$($User.UserPrincipalName)"
+                    $null = New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/users/$($User.UserPrincipalName)" -tenantid $TenantFilter -body $Json
+                    Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $User.UserPrincipalName -Clear | Out-Null
                     return "Disabled user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
                 } catch {
                     return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $($_.Exception.Message)"

diff --git a/Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1 b/Modules/CIPPCore/Public/Standards/Get-CIPPStandards.ps1
@@ -86,4 +86,4 @@ function Get-CIPPStandards {
             }
         }
     }
-}
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPConfig.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPConfig.ps1
@@ -7,15 +7,31 @@ function Invoke-CIPPStandardAPConfig {
 
     If ($Settings.remediate -eq $true) {
 
-        $APINAME = 'Standards'
         try {
             Write-Host $($settings | ConvertTo-Json -Depth 100)
             if ($settings.NotLocalAdmin -eq $true) { $usertype = 'Standard' } else { $usertype = 'Administrator' }
             $DeploymentMode = if ($settings.DeploymentMode -eq 'true') { 'shared' } else { 'singleUser' }
-            Set-CIPPDefaultAPDeploymentProfile -tenantFilter $tenant -displayname $settings.DisplayName -description $settings.Description -usertype $usertype -DeploymentMode $DeploymentMode -assignto $settings.Assignto -devicenameTemplate $Settings.DeviceNameTemplate -allowWhiteGlove $Settings.allowWhiteGlove -CollectHash $Settings.CollectHash -hideChangeAccount $Settings.HideChangeAccount -hidePrivacy $Settings.HidePrivacy -hideTerms $Settings.HideTerms -Autokeyboard $Settings.Autokeyboard -Language $Settings.languages.value
+
+            $Parameters = @{
+                tenantFilter       = $tenant
+                displayname        = $settings.DisplayName
+                description        = $settings.Description
+                usertype           = $usertype
+                DeploymentMode     = $DeploymentMode
+                assignto           = $settings.Assignto
+                devicenameTemplate = $Settings.DeviceNameTemplate
+                allowWhiteGlove    = $Settings.allowWhiteGlove
+                CollectHash        = $Settings.CollectHash
+                hideChangeAccount  = $Settings.HideChangeAccount
+                hidePrivacy        = $Settings.HidePrivacy
+                hideTerms          = $Settings.HideTerms
+                Autokeyboard       = $Settings.Autokeyboard
+                Language           = $Settings.languages.value
+            }
+            Set-CIPPDefaultAPDeploymentProfile @Parameters
         } catch {
             $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-            #Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create Default Autopilot config: $ErrorMessage" -sev 'Error'
+            # Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create Default Autopilot config: $ErrorMessage" -sev 'Error'
             throw $ErrorMessage
         }
 

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPESP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPESP.ps1
@@ -5,14 +5,25 @@ function Invoke-CIPPStandardAPESP {
     #>
     param($Tenant, $Settings)
     If ($Settings.remediate -eq $true) {
-        $APINAME = 'Standards'
         try {
-            Set-CIPPDefaultAPEnrollment -TenantFilter $Tenant -ShowProgress $Settings.ShowProgress -BlockDevice $Settings.blockDevice -AllowReset $Settings.AllowReset -EnableLog $Settings.EnableLog -ErrorMessage $Settings.ErrorMessage -TimeOutInMinutes $Settings.TimeOutInMinutes -AllowFail $Settings.AllowFail -OBEEOnly $Settings.OBEEOnly
+            $Parameters = @{
+                TenantFilter     = $Tenant
+                ShowProgress     = $Settings.ShowProgress
+                BlockDevice      = $Settings.blockDevice
+                AllowReset       = $Settings.AllowReset
+                EnableLog        = $Settings.EnableLog
+                ErrorMessage     = $Settings.ErrorMessage
+                TimeOutInMinutes = $Settings.TimeOutInMinutes
+                AllowFail        = $Settings.AllowFail
+                OBEEOnly         = $Settings.OBEEOnly
+            }
+
+            Set-CIPPDefaultAPEnrollment @Parameters
         } catch {
             $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
             throw $ErrorMessage
         }
     }
 
 
-}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -86,4 +86,4 @@ function Get-CIPPStandards { @@
                 }
             }
         }
-    }
+    }