From fac57550dc4182c9474bba16f3a33e24e4f5bddc Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Wed, 15 Jan 2025 12:11:45 -0500
Subject: [PATCH 01/11] remove method
---
 .../CIPPCore/Public/AuditLogs/Get-CippAuditLogSearchResults.ps1 | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearchResults.ps1 b/Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearchResults.ps1
index ec0f8fd5b5bd..2ced11b10908 100644
--- a/Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearchResults.ps1
+++ b/Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearchResults.ps1
@@ -21,7 +21,6 @@ function Get-CippAuditLogSearchResults {
 process {
 $GraphRequest = @{
 Uri = ('https://graph.microsoft.com/beta/security/auditLog/queries/{0}/records?$top=999&$count=true' -f $QueryId)
- Method = 'GET'
 AsApp = $true
 tenantid = $TenantFilter
 }
From e419c7270d5712c9e24323f1d7c53c91cb89c24c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Thu, 16 Jan 2025 00:17:17 +0100
Subject: [PATCH 02/11] Increase retry limit for TAP creation to 10 attempts for improved reliability
---
 .../Administration/Users/Invoke-ExecJITAdmin.ps1 | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
index 766692b48157..1fef379d169f 100644
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
@@ -103,18 +103,19 @@ Function Invoke-ExecJITAdmin {
 $TapBody = '{}'
 }
 Write-Information "https://graph.microsoft.com/beta/users/$Username/authentication/temporaryAccessPassMethods"
- # Retry creating the TAP up to 5 times, since it can fail due to the user not being fully created yet
+ # Retry creating the TAP up to 10 times, since it can fail due to the user not being fully created yet. Sometimes it takes 2 reties, sometimes it takes 8+. Very annoying. -Bobby
 $Retries = 0
+ $MAX_TAP_RETRIES = 10
 do {
 try {
 $TapRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Username)/authentication/temporaryAccessPassMethods" -tenantid $TenantFilter -type POST -body $TapBody
 } catch {
 Start-Sleep -Seconds 2
- Write-Information 'ERROR: Failed to create TAP, retrying'
- Write-Information ( ConvertTo-Json -Depth 5 -InputObject (Get-CippException -Exception $_))
+ Write-Information "ERROR: Run $Retries of $MAX_TAP_RETRIES : Failed to create TAP, retrying"
+ # Write-Information ( ConvertTo-Json -Depth 5 -InputObject (Get-CippException -Exception $_))
 }
 $Retries++
- } while ( $null -eq $TapRequest.temporaryAccessPass -and $Retries -le 5 )
+ } while ( $null -eq $TapRequest.temporaryAccessPass -and $Retries -le $MAX_TAP_RETRIES )
 $TempPass = $TapRequest.temporaryAccessPass
 $PasswordExpiration = $TapRequest.LifetimeInMinutes
From b3df695f3be351af0955dcc54300951abb83304f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Thu, 16 Jan 2025 00:22:46 +0100
Subject: [PATCH 03/11] Remove a few comments and add TAP region
---
 .../Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
index 1fef379d169f..1ef908304c17 100644
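Review bot: The rewritten loop condition still allows one attempt more than `$MAX_TAP_RETRIES` says: `$Retries` starts at 0 and is incremented after each attempt, and `-le` admits the value 10, so eleven POSTs are sent before giving up, and the new message reports `Run 0 of 10` on the first failure. Use `-lt` and report the attempt number, e.g. `} while ( $null -eq $TapRequest.temporaryAccessPass -and $Retries -lt $MAX_TAP_RETRIES )` together with `"ERROR: Run $($Retries + 1) of $MAX_TAP_RETRIES : Failed to create TAP, retrying"`. Commenting out the `Get-CippException` line removes the only record of why each TAP request failed; if the full JSON is too noisy, log at least `$_.Exception.Message` so a persistent failure remains diagnosable. When every attempt fails the loop exits silently and `$TempPass` is left null for the code that follows; Invoke-ExecJITAdmin continues outside the hunk.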
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1
@@ -92,6 +92,7 @@ Function Invoke-ExecJITAdmin {
 Start-Sleep -Seconds 1
 }
+ #Region TAP creation
 if ($Request.Body.UseTAP) {
 try {
 if ($Start -gt (Get-Date)) {
@@ -102,7 +103,7 @@ Function Invoke-ExecJITAdmin {
 } else {
 $TapBody = '{}'
 }
- Write-Information "https://graph.microsoft.com/beta/users/$Username/authentication/temporaryAccessPassMethods"
+ # Write-Information "https://graph.microsoft.com/beta/users/$Username/authentication/temporaryAccessPassMethods"
 # Retry creating the TAP up to 10 times, since it can fail due to the user not being fully created yet. Sometimes it takes 2 reties, sometimes it takes 8+. Very annoying. -Bobby
 $Retries = 0
 $MAX_TAP_RETRIES = 10
@@ -136,6 +137,7 @@ Function Invoke-ExecJITAdmin {
 }
 }
 }
+ #EndRegion TAP creation
 $Parameters = @{
 TenantFilter = $TenantFilter
From 657651610c7abf77e2a11ec36d4e5205ad3504fb Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Thu, 16 Jan 2025 10:35:46 -0500
Subject: [PATCH 04/11] adding orchestrator for TriggerRefresh
---
 .../Administration/Tenant/Invoke-ListTenants.ps1 | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1
index 7e3d3da4e22c..fccb38d002ef 100644
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1
@@ -45,7 +45,20 @@ Function Invoke-ListTenants {
 return
 }
 if ($Request.Query.TriggerRefresh) {
- Get-Tenants -IncludeAll -TriggerRefresh
+ if ($Request.Query.TenantFilter -and $Request.Query.TenantFilter -ne 'AllTenants') {
+ Get-Tenants -TriggerRefresh -TenantFilter $Request.Query.TenantFilter
+ } else {
+ $InputObject = [PSCustomObject]@{
+ Batch = @(
+ @{
+ FunctionName = 'UpdateTenants'
+ }
+ )
+ OrchestratorName = 'UpdateTenants'
+ SkipLog = $true
+ }
+ Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Compress -Depth 5)
+ }
 }
 try {
 $tenantfilter = $Request.Query.TenantFilter
From 3ce26ec0a825802c03c2e5d37805bdacf3741de0 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com>
Date: Thu, 16 Jan 2025 16:52:22 +0100
Subject: [PATCH 05/11] add a silently continue on formatting templates
---
 .../Tenant/Standards/Invoke-listStandardTemplates.ps1 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1
index f7d0f45cb8ef..a04cbc2376c6 100644
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1
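Review bot: The two branches of the new `TriggerRefresh` block differ in a way the caller cannot see: the single-tenant path calls `Get-Tenants -TriggerRefresh` synchronously, whereas the all-tenants path only starts the `UpdateTenants` orchestration and falls through to the listing below, which presumably returns data the refresh has not touched yet. The result of `Start-NewOrchestration` is also discarded, so a failure to enqueue the refresh goes unnoticed. Capture it and either return an explicit "refresh queued" result or at least document the asynchrony on the branch, e.g. `# AllTenants refresh runs asynchronously in CIPPOrchestrator; the list returned below may still be stale`. Invoke-ListTenants continues outside the hunk.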
@@ -15,8 +15,9 @@ Function Invoke-listStandardTemplates {
 $Table = Get-CippTable -tablename 'templates'
 $Filter = "PartitionKey eq 'StandardsTemplateV2'"
 $Templates = (Get-CIPPAzDataTableEntity @Table -Filter $Filter) | ForEach-Object {
- $data = $_.JSON | ConvertFrom-Json -Depth 100
+ $data = $_.JSON | ConvertFrom-Json -Depth 100 -ErrorAction SilentlyContinue
 $data | Add-Member -NotePropertyName 'GUID' -NotePropertyValue $_.GUID -Force
+ if ($data.excludedTenants) { $data.excludedTenants = @($data.excludedTenants) }
 $data
 } | Sort-Object -Property templateName
From 0dc364c483e8ffa1eb3812f1f2b6a8afe1f5e797 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com>
Date: Thu, 16 Jan 2025 17:28:25 +0100
Subject: [PATCH 06/11] add list standards for exclusions
---
 .../Tenant/Standards/Invoke-listStandardTemplates.ps1 | 2 --
 1 file changed, 2 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1
index a04cbc2376c6..4fcf492622f9 100644
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1
@@ -10,8 +10,6 @@ Function Invoke-listStandardTemplates {
 [CmdletBinding()]
 param($Request, $TriggerMetadata)
- $APIName = $TriggerMetadata.FunctionName
-
 $Table = Get-CippTable -tablename 'templates'
 $Filter = "PartitionKey eq 'StandardsTemplateV2'"
 $Templates = (Get-CIPPAzDataTableEntity @Table -Filter $Filter) | ForEach-Object {
From f90d85bf79c731f14b0a9931b33c5ec61bae895e Mon Sep 17 00:00:00 2001
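Review bot: `-ErrorAction SilentlyContinue` on `ConvertFrom-Json` turns a template row with invalid JSON into a `$null` `$data` that is still emitted into `$Templates`, so callers get null entries and the bad row is never reported. Skip and report it right after the conversion: `if (-not $data) { Write-Warning "Template $($_.GUID) has invalid JSON, skipping"; return }` (inside ForEach-Object, `return` moves on to the next row). `-ErrorAction` only suppresses non-terminating errors; if `ConvertFrom-Json` raises a terminating error for malformed input on the PowerShell version in use, the switch has no effect and a try/catch around the conversion is needed instead.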
From: John Duprey
Date: Thu, 16 Jan 2025 11:54:20 -0500
Subject: [PATCH 07/11] Update Invoke-ExecDeleteGDAPRoleMapping.ps1
---
 .../Tenant/GDAP/Invoke-ExecDeleteGDAPRoleMapping.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecDeleteGDAPRoleMapping.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecDeleteGDAPRoleMapping.ps1
index 05115ce42df2..a2758b8e8341 100644
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecDeleteGDAPRoleMapping.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecDeleteGDAPRoleMapping.ps1
@@ -14,13 +14,13 @@ Function Invoke-ExecDeleteGDAPRoleMapping {
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 $Table = Get-CIPPTable -TableName 'GDAPRoles'
- Write-Host $Table
+ $GroupId = $Request.Query.GroupId ?? $Request.Body.GroupId
 try {
- $Filter = "PartitionKey eq 'Roles' and RowKey eq '{0}'" -f $Request.Query.GroupId
+ $Filter = "PartitionKey eq 'Roles' and RowKey eq '{0}'" -f $GroupId
 $Entity = Get-CIPPAzDataTableEntity @Table -Filter $Filter
 Remove-AzDataTableEntity -Force @Table -Entity $Entity
 $Results = [pscustomobject]@{'Results' = 'Success. GDAP relationship mapping deleted' }
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "GDAP relationship mapping deleted for $($Request.Query.GroupId)" -Sev 'Info'
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "GDAP relationship mapping deleted for $($GroupId)" -Sev 'Info'
 } catch {
 $Results = [pscustomobject]@{'Results' = "Failed. $($_.Exception.Message)" }
From 7af2347c6c2bb70f7fc122718a2d2b50fff814cf Mon Sep 17 00:00:00 2001
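Review bot: `$GroupId` is now accepted from the query string or the body and interpolated unescaped into the OData filter `RowKey eq '{0}'`, so a value containing a single quote breaks the filter or changes which row it matches; the pattern predates this commit, but the new `$Filter` line is the place to fix it. Validate before building the filter — if RowKey is always a GUID here, `[guid]::TryParse` is the tightest check — or at least escape quotes: `$Filter = "PartitionKey eq 'Roles' and RowKey eq '{0}'" -f ($GroupId -replace "'", "''")`. An empty `$GroupId` currently reaches `Get-CIPPAzDataTableEntity` with an empty RowKey and `Remove-AzDataTableEntity` with a possibly null `$Entity`, surfacing only as a caught exception; an explicit `if (-not $GroupId) { ... }` guard before the `try` would make that failure clear.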
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Thu, 16 Jan 2025 18:59:01 +0100
Subject: [PATCH 08/11] FIX: modernize and make it work with the new frontend
---
 .../Autopilot/Invoke-ExecAssignAPDevice.ps1 | 27 +++++++++++++------
 1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Autopilot/Invoke-ExecAssignAPDevice.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Autopilot/Invoke-ExecAssignAPDevice.ps1
index 0ae4d1f13cb0..f4d0e10d2526 100644
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Autopilot/Invoke-ExecAssignAPDevice.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Autopilot/Invoke-ExecAssignAPDevice.ps1
@@ -10,24 +10,35 @@ Function Invoke-ExecAssignAPDevice {
 [CmdletBinding()]
 param($Request, $TriggerMetadata)
 $APIName = $TriggerMetadata.FunctionName
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
- $tenantfilter = $Request.Body.TenantFilter
+ $User = $request.headers.'x-ms-client-principal'
+ Write-LogMessage -user $User -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+ $TenantFilter = $Request.body.tenantFilter
+
+ try {
+ $UserObject = $Request.body.user.addedFields
+ $DeviceObject = $Request.body.device
+ $SerialNumber = $Request.body.serialNumber
 $body = @{
- UserPrincipalName = $Request.body.UserPrincipalName
- addressableUserName = $Request.body.addressableUserName
+ userPrincipalName = $UserObject.userPrincipalName
+ addressableUserName = $UserObject.addressableUserName
 } | ConvertTo-Json
- New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($request.body.Device)/UpdateDeviceProperties" -tenantid $TenantFilter -body $body -method POST
- $Results = "Successfully assigned device to $($Request.body.UserPrincipalName) for $($tenantfilter)"
+ New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($DeviceObject)/UpdateDeviceProperties" -tenantid $TenantFilter -body $body -method POST | Out-Null
+ Write-LogMessage -user $User -API $APINAME -message "Successfully assigned device: $DeviceObject with Serial: $SerialNumber to $($UserObject.userPrincipalName) for $($TenantFilter)" -Sev Info
+ $Results = "Successfully assigned device: $DeviceObject with Serial: $SerialNumber to $($UserObject.userPrincipalName) for $($TenantFilter)"
+ $StatusCode = [HttpStatusCode]::OK
 } catch {
- $Results = "Could not $($Request.body.UserPrincipalName) to $($Request.body.device) for $($tenantfilter) Error: $($_.Exception.Message)"
+ $ErrorMessage = Get-CippException -Exception $_
+ 
Write-LogMessage -user $User -API $APINAME -message "Could not assign $($UserObject.userPrincipalName) to $($DeviceObject) for $($TenantFilter) Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+ $Results = "Could not assign $($UserObject.userPrincipalName) to $($DeviceObject) for $($TenantFilter) Error: $($ErrorMessage.NormalizedError)"
+ $StatusCode = [HttpStatusCode]::BadRequest
 }
 $Results = [pscustomobject]@{'Results' = "$results" }
 # Associate values to output bindings by calling 'Push-OutputBinding'.
 Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
- StatusCode = [HttpStatusCode]::OK
+ StatusCode = $StatusCode
 Body = $Results
 })
From 2113d5d948a9e6e46b2c147b0ac65785923aa944 Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Thu, 16 Jan 2025 13:20:46 -0500
Subject: [PATCH 09/11] Update New-GraphGetRequest.ps1
---
 .../CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1
index 7d8d3ff3ad99..a949da45936e 100644
--- a/Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1
+++ b/Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1
@@ -17,7 +17,12 @@ function New-GraphGetRequest {
 [switch]$CountOnly,
 [switch]$IncludeResponseHeaders
 )
- $IsAuthorised = Get-AuthorisedRequest -Uri $uri -TenantID $tenantid
+
+ if ($NoAuthCheck -eq $false) {
+ $IsAuthorised = Get-AuthorisedRequest -Uri $uri -TenantID $tenantid
+ } else {
+ $IsAuthorised = $true
+ }
 if ($NoAuthCheck -eq $true -or $IsAuthorised) {
 if ($scope -eq 'ExchangeOnline') {
From a8686b41e2a3596be78050558db88ed4f99e34ce Mon Sep 17 00:00:00 2001
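Review bot: `$DeviceObject` and `$UserObject` are taken from the request body without validation: `$DeviceObject` is interpolated into the Graph URL path, and if `$Request.body.user.addedFields` is absent the hashtable is built with null values and still sent. Add a check inside the `try` so the existing catch turns it into a 400, e.g. `if (-not $DeviceObject -or -not $UserObject.userPrincipalName) { throw 'device and user.addedFields.userPrincipalName are required' }`; if Autopilot device identities are always GUIDs, `[guid]::TryParse($DeviceObject, [ref]$null)` is the tighter check, otherwise pass the id through `[uri]::EscapeDataString`. The hunk adds `try {` while `} catch {` is unchanged context, which is worth checking against the old file to be sure no second `try` remains. The function's closing brace is outside the hunk.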
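Review bot: The new `if`/`else` and the unchanged `if ($NoAuthCheck -eq $true -or $IsAuthorised)` below it encode the same bypass twice; because `$IsAuthorised` is forced to `$true` whenever `$NoAuthCheck` is set, the second condition reduces to `if ($IsAuthorised)`. Since the flag skips `Get-AuthorisedRequest` entirely, the branch should state that contract, e.g. `# -NoAuthCheck skips the tenant authorisation check; only use it for requests whose tenant scope the caller has already validated`, so each call site can be judged on review. `$NoAuthCheck` is presumably declared in the parameter block above the hunk; comparing it with `-eq $false` works for a `[switch]`, but `if (-not $NoAuthCheck)` is the idiomatic form.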
From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com>
Date: Thu, 16 Jan 2025 19:25:56 +0100
Subject: [PATCH 10/11] Remove temporary
---
 .../Entrypoints/Activity Triggers/Push-UpdateTenants.ps1 | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdateTenants.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdateTenants.ps1
index 811d54b229be..d3ef1e2711c8 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdateTenants.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-UpdateTenants.ps1
@@ -6,10 +6,7 @@ function Push-UpdateTenants {
 Param($Item)
 $QueueReference = 'UpdateTenants'
 $RunningQueue = Invoke-ListCippQueue | Where-Object { $_.Reference -eq $QueueReference -and $_.Status -ne 'Completed' -and $_.Status -ne 'Failed' }
- if ($RunningQueue) {
- Write-Host 'Update Tenants already running'
- return
- }
+ $Queue = New-CippQueueEntry -Name 'Update Tenants' -Reference $QueueReference -TotalTasks 1
 try {
 $QueueTask = @{
@@ -30,4 +27,4 @@ function Push-UpdateTenants {
 $QueueTask.Status = 'Failed'
 Set-CippQueueTask @QueueTask
 }
-}
\ No newline at end of file
+}
From 8e52bcd3412693f7e7ed7fe91a92709708e7fa82 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar <49186168+KelvinTegelaar@users.noreply.github.com>
Date: Thu, 16 Jan 2025 19:29:54 +0100
Subject: [PATCH 11/11] version up
---
 version_latest.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_latest.txt b/version_latest.txt
index a50da181e9bd..4489f5a6df8f 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-7.0.3
+7.0.4
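Review bot: With the `if ($RunningQueue)` guard removed, `$RunningQueue` is still computed from `Invoke-ListCippQueue` but never read, and nothing now prevents two UpdateTenants runs from overlapping, each creating its own entry through `New-CippQueueEntry`. If overlapping runs are intended, drop the now-dead `$RunningQueue` query as well; if they are not, the guard should return with a recorded status rather than a `Write-Host`. The rest of Push-UpdateTenants is outside the hunk.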