

Merge branch 'KelvinTegelaar:master' into master
oitjack committed Sep 20, 2023
2 parents b04d8af + eafc8a0 commit 569287e
Showing 60 changed files with 812 additions and 743 deletions.
46 changes: 1 addition & 45 deletions AddCAPolicy/run.ps1
Expand Up @@ -8,54 +8,10 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -

$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
if ("AllTenants" -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName }
$displayname = ($request.body.RawJSON | ConvertFrom-Json).Displayname
function Remove-EmptyArrays ($Object) {
if ($Object -is [Array]) {
foreach ($Item in $Object) { Remove-EmptyArrays $Item }
}
elseif ($Object -is [HashTable]) {
foreach ($Key in @($Object.get_Keys())) {
if ($Object[$Key] -is [Array] -and $Object[$Key].get_Count() -eq 0) {
$Object.Remove($Key)
}
else { Remove-EmptyArrays $Object[$Key] }
}
}
elseif ($Object -is [PSCustomObject]) {
foreach ($Name in @($Object.psobject.properties.Name)) {
if ($Object.$Name -is [Array] -and $Object.$Name.get_Count() -eq 0) {
$Object.PSObject.Properties.Remove($Name)
}
elseif ($object.$name -eq $null) {
$Object.PSObject.Properties.Remove($Name)
}
else { Remove-EmptyArrays $Object.$Name }
}
}
}

$JSONObj = $request.body.RawJSON | ConvertFrom-Json | Select-Object * -ExcludeProperty ID, GUID, *time*
Remove-EmptyArrays $JSONObj
#Remove context as it does not belong in the payload.
$JsonObj.grantControls.PSObject.Properties.Remove('authenticationStrength@odata.context')
if ($JSONObj.conditions.users.excludeGuestsOrExternalUsers.externalTenants.Members) {
$JsonObj.conditions.users.excludeGuestsOrExternalUsers.externalTenants.PSObject.Properties.Remove('@odata.context')
$JsonObj.conditions.users.excludeGuestsOrExternalUsers.externalTenants.PSObject.Properties.Remove('@odata.type')
}
if ($Request.body.newstate -and $Request.body.newstate -ne 'donotchange') {
$Jsonobj.state = $Request.body.newstate
}
$RawJSON = $JSONObj | ConvertTo-Json -Depth 10

$results = foreach ($Tenant in $tenants) {
try {
$CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -tenantid $tenant
$PolicyName = ($RawJSON | ConvertFrom-Json).displayName
if ($PolicyName -in $CheckExististing.displayName) {
Throw "Conditional Access Policy with Display Name $($Displayname) Already exists"
}

$CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" -tenantid $tenant -type POST -body $RawJSON
$CAPolicy = New-CIPPCAPolicy -TenantFilter $tenant -state $request.body.NewState -RawJSON $Request.body.RawJSON -APIName $APIName -ExecutingUser $request.headers.'x-ms-client-principal'
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added Conditional Access Policy $($Displayname)" -Sev "Error"
"Successfully added Conditional Access Policy for $($Tenant)"
}
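Review bot: The new `New-CIPPCAPolicy` call takes over the work this file used to do inline — the pre-flight duplicate-displayName check, `Remove-EmptyArrays`, and the removal of the `@odata.context`/`@odata.type` properties — but that helper is not part of this hunk, so whether it still rejects an existing policy with the same name before posting cannot be confirmed here and should be verified. Its return value is captured in `$CAPolicy` and never read in the visible code; either drop the assignment or surface it in the success string. The success log right below still writes `-Sev "Error"` for a normal add; `-Sev "Info"` is the level the comparable success message in AddGroup uses. The enclosing `try` block's `catch` lies past the end of the hunk.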
25 changes: 23 additions & 2 deletions AddCATemplate/run.ps1
Expand Up @@ -5,8 +5,8 @@ param($Request, $TriggerMetadata)

$APIName = $TriggerMetadata.FunctionName
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug"
Write-Host ($request | ConvertTo-Json -Compress)

$TenantFilter = $Request.Query.TenantFilter
try {
$GUID = (New-Guid).GUID
$JSON = if ($request.body.rawjson) {
Expand All @@ -18,7 +18,28 @@ try {
$_ | Select-Object -Property $NonEmptyProperties
}
}
$JSON = ($JSON | ConvertTo-Json -Depth 10)

$includelocations = New-Object System.Collections.ArrayList
$IncludeJSON = foreach ($Location in $JSON.conditions.locations.includeLocations) {
$locationinfo = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations" -tenantid $TenantFilter | Where-Object -Property id -EQ $location | Select-Object * -ExcludeProperty id, *time*
$null = if ($locationinfo) { $includelocations.add($locationinfo.displayName) } else { $includelocations.add($location) }
$locationinfo
}
if ($includelocations) { $JSON.conditions.locations.includeLocations = $includelocations }


$excludelocations = New-Object System.Collections.ArrayList
$ExcludeJSON = foreach ($Location in $JSON.conditions.locations.excludeLocations) {
$locationinfo = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations" -tenantid $TenantFilter | Where-Object -Property id -EQ $location | Select-Object * -ExcludeProperty id, *time*
$null = if ($locationinfo) { $excludelocations.add($locationinfo.displayName) } else { $excludelocations.add($location) }
$locationinfo
}

if ($excludelocations) { $JSON.conditions.locations.excludeLocations = $excludelocations }

$JSON | Add-Member -NotePropertyName 'LocationInfo' -NotePropertyValue @($IncludeJSON, $ExcludeJSON)

$JSON = ($JSON | ConvertTo-Json -Depth 100)
$Table = Get-CippTable -tablename 'templates'
$Table.Force = $true
Add-AzDataTableEntity @Table -Entity @{
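Review bot: Each iteration of the `includeLocations` and `excludeLocations` loops in the second hunk issues a fresh `New-GraphGetRequest` against `.../identity/conditionalAccess/namedLocations` and filters the whole list client-side, so a template with N locations costs N Graph calls for the same data. Fetch the list once before both loops, `$NamedLocations = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations" -tenantid $TenantFilter`, and replace the two calls with `$locationinfo = $NamedLocations | Where-Object -Property id -EQ $location | Select-Object * -ExcludeProperty id, *time*`. The `else { $includelocations.add($location) }` fallback presumably exists to keep the non-GUID keyword values Graph accepts in these lists (such as `All`); a one-line comment saying so, e.g. `# keep built-in location keywords that have no named-location object`, would make that intent explicit. The surrounding `try` opens in the first hunk and its `catch` is outside both.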
6 changes: 3 additions & 3 deletions AddGroup/run.ps1
Expand Up @@ -8,7 +8,7 @@ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -

$groupobj = $Request.body
$SelectedTenants = if ($Request.body.selectedTenants) { $request.body.selectedTenants.defaultDomainName } else { $Request.body.tenantid }

if ("AllTenants" -in $SelectedTenants) { $SelectedTenants = (Get-Tenants).defaultDomainName }

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."
Expand Down Expand Up @@ -44,13 +44,13 @@ $results = foreach ($tenant in $SelectedTenants) {
}
$GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet "New-DistributionGroup" -cmdParams $params
}
"Successfully created group."
"Successfully created group $($groupobj.displayname) for $($tenant)"
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id) " -Sev "Info"

}
catch {
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Group creation API failed. $($_.Exception.Message)" -Sev "Error"
"Failed to create group. $($_.Exception.Message)"
"Failed to create group. $($groupobj.displayname) for $($tenant) $($_.Exception.Message)"

}
}
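Review bot: The new failure string `"Failed to create group. $($groupobj.displayname) for $($tenant) $($_.Exception.Message)"` places the period after `group`, so the API response reads as two fragments; `"Failed to create group $($groupobj.displayname) for $($tenant). $($_.Exception.Message)"` mirrors the success string added above it. The success-path log interpolates `$GraphRequest.id`, but for the distribution-group branch `$GraphRequest` is the `New-ExoRequest` result, which may not expose an `id` property — confirm against that cmdlet's output or the entry will record an empty id. The `foreach` over `$SelectedTenants` opens before this hunk.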
1 change: 1 addition & 0 deletions AddNamedLocation/run.ps1
Expand Up @@ -13,6 +13,7 @@ Write-Host "PowerShell HTTP trigger function processed a request."
# Input bindings are passed in via param block.
$Tenants = $request.body.selectedTenants.defaultDomainName
Write-Host ($Request.body | ConvertTo-Json)
if ($Tenants -eq "AllTenants") { $Tenants = (Get-Tenants).defaultDomainName }
$results = foreach ($Tenant in $tenants) {
try {
$ObjBody = if ($Request.body.Type -eq "IPLocation") {
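Review bot: The AllTenants expansion `if ($Tenants -eq "AllTenants")` (which appears to be the added line) relies on `-eq` returning the matching elements when `$Tenants` is an array, which it will be whenever several tenants are selected; the sibling handlers in this same commit (AddGroup, AddCAPolicy) spell the identical check `if ("AllTenants" -in $Tenants)`, which is the unambiguous form and should be used here for consistency. The `Write-Host ($Request.body | ConvertTo-Json)` context line above writes the full request body to the function log on every call; AddCATemplate in this commit drops its equivalent dump, so consider removing this one as well or gating it behind a debug switch.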
70 changes: 33 additions & 37 deletions BestPracticeAnalyser_All/run.ps1
@@ -1,8 +1,8 @@
param($tenant)

$TenantName = Get-Tenants | Where-Object -Property defaultDomainName -EQ $tenant
Set-Location (Get-Item $PSScriptRoot).Parent.FullName
$TemplatesLoc = Get-ChildItem "Config\*.BPATemplate.json"
$CippRoot = (Get-Item $PSScriptRoot).Parent.FullName
$TemplatesLoc = Get-ChildItem "$CippRoot\Config\*.BPATemplate.json"
$Templates = $TemplatesLoc | ForEach-Object {
$Template = $(Get-Content $_) | ConvertFrom-Json
[PSCustomObject]@{
Expand All @@ -26,89 +26,85 @@ $AddRow = foreach ($Template in $templates) {
if ($Field.Where) { $filterscript = [scriptblock]::Create($Field.Where) } else { $filterscript = { $true } }
try {
switch ($field.API) {
"Graph" {
'Graph' {
$paramsField = @{
uri = $field.URL
tenantid = $TenantName.defaultDomainName
}
if ($Field.parameters) {
if ($Field.parameters.psobject.properties.name) {
$field.Parameters | ForEach-Object {
Write-Host "Doing: $($_.psobject.properties.name) with value $($_.psobject.properties.value)"
$paramsField.Add($_.psobject.properties.name, $_.psobject.properties.value)
$paramsField[$_.psobject.properties.name] = $_.psobject.properties.value
}
}
$FieldInfo = New-GraphGetRequest @paramsField | Where-Object $filterscript | Select-Object $field.ExtractFields
}
"Exchange" {
if ($field.Command -notlike "get-*") {
Write-LogMessage -API "BPA" -tenant $tenant -message "The BPA only supports get- exchange commands. A set or update command was used." -sev Error
'Exchange' {
if ($field.Command -notlike 'get-*') {
Write-LogMessage -API 'BPA' -tenant $tenant -message 'The BPA only supports get- exchange commands. A set or update command was used.' -sev Error
break
}
else {
} else {
$paramsField = @{
tenantid = $TenantName.defaultDomainName
cmdlet = $field.Command
}
if ($Field.Parameters) { $paramsfield.add('cmdparams', $field.parameters) }
$FieldInfo = New-ExoRequest @paramsField | Where-Object $filterscript | Select-Object $field.ExtractFields
if ($Field.Parameters) { $paramsfield.'cmdparams' = $field.parameters }
$FieldInfo = New-ExoRequest @paramsField | Where-Object $filterscript | Select-Object $field.ExtractFields
}
}
"CIPPFunction" {
if ($field.Command -notlike "get-CIPP*") {
Write-LogMessage -API "BPA" -tenant $tenant -message "The BPA only supports get-CIPP commands. A set or update command was used, or a command that is not allowed." -sev Error
'CIPPFunction' {
if ($field.Command -notlike 'get-CIPP*') {
Write-LogMessage -API 'BPA' -tenant $tenant -message 'The BPA only supports get-CIPP commands. A set or update command was used, or a command that is not allowed.' -sev Error
break
}
$paramsField = @{
TenantFilter = $TenantName.defaultDomainName
}
if ($field.parameters) {
if ($field.parameters.psobject.properties.name) {
$field.Parameters | ForEach-Object {
$paramsField.Add($_.psobject.properties.name, $_.psobject.properties.value)
$paramsField[$_.psobject.properties.name] = $_.psobject.properties.value
}
}
$FieldInfo = & $field.Command @paramsField | Where-Object $filterscript | Select-Object $field.ExtractFields
$FieldInfo = & $field.Command @paramsField | Where-Object $filterscript | Select-Object $field.ExtractFields
}
}
}
catch {
} catch {
Write-Host "Error getting $($field.Name) in $($field.api) for $($TenantName.displayName) with GUID $($TenantName.customerId). Error: $($_.Exception.Message)"
Write-LogMessage -API "BPA" -tenant $tenant -message "Error getting $($field.Name) for $($TenantName.displayName) with GUID $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error
$fieldinfo = "FAILED"
$field.StoreAs = "string"
}
Write-LogMessage -API 'BPA' -tenant $tenant -message "Error getting $($field.Name) for $($TenantName.displayName) with GUID $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error
$fieldinfo = 'FAILED'
$field.StoreAs = 'string'
}
try {
switch -Wildcard ($field.StoreAs) {
"*bool" {
'*bool' {
if ($field.ExtractFields.Count -gt 1) {
Write-LogMessage -API "BPA" -tenant $tenant -message "The BPA only supports 1 field for a bool. $($field.ExtractFields.Count) fields were specified." -sev Error
Write-LogMessage -API 'BPA' -tenant $tenant -message "The BPA only supports 1 field for a bool. $($field.ExtractFields.Count) fields were specified." -sev Error
break
}
if ($null -eq $FieldInfo.$($field.ExtractFields)) { $FieldInfo = $false }

$Result.Add($field.Name, [bool]$FieldInfo.$($field.ExtractFields))
}
"JSON" {
if ($FieldInfo -eq $null) { $JsonString = '{}' } else { $JsonString = (ConvertTo-Json -Depth 15 -InputObject $FieldInfo) }
'JSON' {
if ($FieldInfo -eq $null) { $JsonString = '{}' } else { $JsonString = (ConvertTo-Json -Depth 15 -InputObject $FieldInfo -Compress) }
$Result.Add($field.Name, $JSONString)
}
"string" {
'string' {
$Result.Add($field.Name, [string]$FieldInfo)
}
}
}
catch {
Write-LogMessage -API "BPA" -tenant $tenant -message "Error storing $($field.Name) for $($TenantName.displayName) with GUID $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error
$Result.Add($field.Name, "FAILED")
} catch {
Write-LogMessage -API 'BPA' -tenant $tenant -message "Error storing $($field.Name) for $($TenantName.displayName) with GUID $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error
$Result.Add($field.Name, 'FAILED')
}

}

if ($Result) {
try {
Add-AzDataTableEntity @Table -Entity $Result -Force
}
catch {
Write-LogMessage -API "BPA" -tenant $tenant -message "Error getting saving data for $($template.Name) - $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error
} catch {
Write-LogMessage -API 'BPA' -tenant $tenant -message "Error getting saving data for $($template.Name) - $($TenantName.customerId). Error: $($_.Exception.Message)" -sev Error

}
}
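Review bot: In the `'Exchange'` and `'CIPPFunction'` arms, the `break` after the unsupported-command log only exits `switch ($field.API)`, so `$FieldInfo` is never assigned for that field and the `switch -Wildcard ($field.StoreAs)` further down stores whatever the previous field left in it under `$field.Name`. The `-notlike 'get-*'` / `-notlike 'get-CIPP*'` prefix tests are the guard that keeps a template-supplied `Command` read-only before it reaches `New-ExoRequest` or `& $field.Command`, so a rejected field should yield an explicit failure rather than a stale value: set `$FieldInfo = 'FAILED'; $field.StoreAs = 'string'` before each `break`, matching what the `catch` below does, or reset `$FieldInfo = $null` at the top of the iteration. The field loop this body belongs to opens before the hunk; the switch from `$paramsField.Add(...)` to indexer assignment and the quote-style changes look fine.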
1 change: 1 addition & 0 deletions Cache_SAMSetup/SAMManifest.json
Expand Up @@ -149,6 +149,7 @@
{ "id": "2a60023f-3219-47ad-baa4-40e17cd02a1d", "type": "Role" },
{ "id": "338163d7-f101-4c92-94ba-ca46fe52447c", "type": "Role" },
{ "id": "cac88765-0581-4025-9725-5ebc13f729ee", "type": "Role" },
{ "id": "75359482-378d-4052-8f01-80520e7db3cd", "type": "Role" },
{ "id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30", "type": "Scope" },
{ "id": "84bccea3-f856-4a8a-967b-dbe0a3d53a64", "type": "Scope" },
{ "id": "280b3b69-0437-44b1-bc20-3b2fca1ee3e9", "type": "Scope" },
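Review bot: The added entry grants a further application-level permission (`"type": "Role"`, id `75359482-378d-4052-8f01-80520e7db3cd`) to the SAM application, and the JSON manifest leaves nowhere to record which Graph permission that GUID is or which feature needs it. Application permissions apply tenant-wide without a signed-in user, so the permission's name and the reason for it should be stated in the commit or PR description, and operators should expect to re-run admin consent when they pick up the updated manifest.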
16 changes: 8 additions & 8 deletions Config/CIPPDefaultTable.BPATemplate.json
Expand Up @@ -6,7 +6,7 @@
"name": "PasswordNeverExpires",
"API": "Graph",
"URL": "https://graph.microsoft.com/beta/domains",
"ExtractFields": "passwordValidityPeriodInDays",
"ExtractFields": ["passwordValidityPeriodInDays"],
"where": "$_.passwordValidityPeriodInDays -eq 2147483647",
"StoreAs": "bool",
"FrontendFields": [
Expand All @@ -20,9 +20,9 @@
{
"name": "OAuthAppConsent",
"API": "Graph",
"URL": "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy",
"ExtractFields": "permissionGrantPolicyIdsAssignedToDefaultUserRole",
"where": "'ManagePermissionGrantsForSelf.microsoft-user-default-legacy' -notin $_.permissionGrantPolicyIdsAssignedToDefaultUserRole",
"URL": "https://graph.microsoft.com/v1.0/policies/authorizationPolicy?$select=defaultUserRolePermissions",
"ExtractFields": ["defaultuserrolepermissions"],
"where": "'ManagePermissionGrantsForSelf.microsoft-user-default-legacy' -notin $_.defaultuserrolepermissions.permissionGrantPoliciesAssigned",
"StoreAs": "bool",
"FrontendFields": [
{
Expand All @@ -36,7 +36,7 @@
"name": "UnifiedAuditLog",
"API": "Exchange",
"Command": "Get-AdminAuditLogConfig",
"ExtractFields": "UnifiedAuditLogIngestionEnabled",
"ExtractFields": ["UnifiedAuditLogIngestionEnabled"],
"StoreAs": "bool",
"FrontendFields": [
{
Expand Down Expand Up @@ -65,7 +65,7 @@
"name": "TAPEnabled",
"API": "Graph",
"URL": "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass",
"ExtractFields": "State",
"ExtractFields": ["State"],
"StoreAs": "bool",
"FrontendFields": [
{
Expand All @@ -79,7 +79,7 @@
"name": "SecureDefaultState",
"API": "Graph",
"URL": "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy",
"ExtractFields": "IsEnabled",
"ExtractFields": ["IsEnabled"],
"StoreAs": "bool",
"FrontendFields": [
{
Expand All @@ -93,7 +93,7 @@
"name": "AnonymousPrivacyReports",
"API": "Graph",
"URL": "https://graph.microsoft.com/beta/admin/reportSettings",
"ExtractFields": "displayConcealedNames",
"ExtractFields": ["displayConcealedNames"],
"StoreAs": "bool",
"where": "$_.displayConcealedNames -eq $false",
"FrontendFields": [

