Merge pull request #130 from KelvinTegelaar/dev

Dev to release
KelvinTegelaar · Mar 18, 2022 · 34eecb9 · 34eecb9
2 parents e75ae22 + 5a0842e
commit 34eecb9
Show file tree

Hide file tree

Showing 41 changed files with 1,136 additions and 349 deletions.
diff --git a/AddAlert/run.ps1 b/AddAlert/run.ps1
@@ -13,18 +13,15 @@ $Results = foreach ($Tenant in $tenants) {
     try {
         $CompleteObject = [PSCustomObject]@{
             tenant          = $tenant
-            AdminPassword   = $Request.body.AdminPassword
-            DefenderMalware = $Request.body.DefenderMalware
-            DefenderStatus  = $Request.body.DefenderStatus
-            DisableRestart  = $Request.body.DisableRestart
-            InstallAsSystem = $Request.body.InstallAsSystem
-            MFAAdmins       = $Request.body.MFAAdmins
-            MFAAlertUsers   = $Request.body.MFAAlertUsers
-            NewApprovedApp  = $Request.body.NewApprovedApp
-            NewGA           = $Request.body.NewGA
-            NewRole         = $Request.body.NewRole
-            QuotaUsed       = $Request.body.QuotaUsed
-            UnusedLicenses  = $Request.body.UnusedLicenses
+            AdminPassword   = [bool]$Request.body.AdminPassword
+            DefenderMalware = [bool]$Request.body.DefenderMalware
+            DefenderStatus  = [bool]$Request.body.DefenderStatus
+            MFAAdmins       = [bool]$Request.body.MFAAdmins
+            MFAAlertUsers   = [bool]$Request.body.MFAAlertUsers
+            NewGA           = [bool]$Request.body.NewGA
+            NewRole         = [bool]$Request.body.NewRole
+            QuotaUsed       = [bool]$Request.body.QuotaUsed
+            UnusedLicenses  = [bool]$Request.body.UnusedLicenses
             Type            = "Alert"
 
         } | ConvertTo-Json

diff --git a/AddEnrollment/run.ps1 b/AddEnrollment/run.ps1
@@ -11,9 +11,7 @@ Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME  -messa
 Write-Host "PowerShell HTTP trigger function processed a request."
 
 # Input bindings are passed in via param block.
-$user = $request.headers.'x-ms-client-principal'
 $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
-$AssignTo = if ($request.body.Assignto -ne "on") { $request.body.Assignto }
 $Profbod = $Request.body
 $results = foreach ($Tenant in $tenants) {
     try {
@@ -23,7 +21,7 @@ $results = foreach ($Tenant in $tenants) {
             "displayName"                             = "All users and all devices"
             "description"                             = "This is the default enrollment status screen configuration applied with the lowest priority to all users and all devices regardless of group membership."
             "showInstallationProgress"                = [bool]$Profbod.ShowProgress
-            "blockDeviceSetupRetryByUser"             = [bool]$Profbod.AllowRetry
+            "blockDeviceSetupRetryByUser"             = [bool]$Profbod.blockDevice
             "allowDeviceResetOnInstallFailure"        = [bool]$Profbod.AllowReset
             "allowLogCollectionOnInstallFailure"      = [bool]$Profbod.EnableLog
             "customErrorMessage"                      = $Profbod.ErrorMessage

diff --git a/BestPracticeAnalyser_All/run.ps1 b/BestPracticeAnalyser_All/run.ps1
@@ -226,12 +226,14 @@ try {
         'X-Requested-With'       = 'XMLHttpRequest' 
     }
 
+    # Import the licenses conversion table
+    $ConvertTable = Import-Csv Conversiontable.csv | Sort-Object -Property 'guid' -Unique
     $WhiteListedSKUs = "FLOW_FREE", "TEAMS_EXPLORATORY", "TEAMS_COMMERCIAL_TRIAL", "POWERAPPS_VIRAL", "POWER_BI_STANDARD", "DYN365_ENTERPRISE_P1_IW", "STREAM", "Dynamics 365 for Financials for IWs", "POWERAPPS_PER_APP_IW"
     $UnusedLicenses = $LicenseUsage | Where-Object { ($_.Purchased -ne $_.Consumed) -and ($WhiteListedSKUs -notcontains $_.AccountSkuId.SkuPartNumber) }
     $UnusedLicensesCount = $UnusedLicenses | Measure-Object | Select-Object -ExpandProperty Count
     $UnusedLicensesResult = if ($UnusedLicensesCount -gt 0) { "FAIL" } else { "PASS" }
     $Result.UnusedLicenseList = ($UnusedLicensesListBuilder = foreach ($License in $UnusedLicenses) {
-            "SKU: $($License.AccountSkuId.SkuPartNumber), Purchased: $($License.Purchased), Consumed: $($License.Consumed)"
+            "License: $($License.Name), Purchased: $($License.Purchased), Consumed: $($License.Consumed)"
         }) -join "<br />"
 
     $TempCount = 0

diff --git a/DNSHelper.psm1 b/DNSHelper.psm1
diff --git a/EditUser/run.ps1 b/EditUser/run.ps1
@@ -34,7 +34,7 @@ try {
             "forceChangePasswordNextSignIn" = [bool]$UserObj.mustchangepass
         }
     } | ForEach-Object {
-        $NonEmptyProperties = $_.psobject.Properties | Where-Object { $_.Value } | Select-Object -ExpandProperty Name
+        $NonEmptyProperties = $_.psobject.Properties | Select-Object -ExpandProperty Name
         $_ | Select-Object -Property $NonEmptyProperties | ConvertTo-Json
     }
     $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($userobj.Userid)" -tenantid $Userobj.tenantid -type PATCH -body $BodyToship  -verbose

diff --git a/ExecAccessChecks/run.ps1 b/ExecAccessChecks/run.ps1
@@ -4,66 +4,130 @@
 param($Request, $TriggerMetadata)
 
 $APIName = $TriggerMetadata.FunctionName
-Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME  -message "Accessed this API" -Sev "Debug"
+Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 
 
 # Write to the Azure Functions log stream.
-Write-Host "PowerShell HTTP trigger function processed a request."
-if ($Request.query.Permissions -eq "true") {
-    Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME  -message "Started permissions check" -Sev "Debug"
-    $Results = try {
+Write-Host 'PowerShell HTTP trigger function processed a request.'
+if ($Request.query.Permissions -eq 'true') {
+    Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Started permissions check' -Sev 'Debug'
+    $Messages = [System.Collections.Generic.List[string]]::new()
+    $MissingPermissions = [System.Collections.Generic.List[string]]::new()
+    $Links = [System.Collections.Generic.List[object]]::new()
+    $AccessTokenDetails = [PSCustomObject]@{
+        AppId             = ''
+        AppName           = ''
+        Audience          = ''
+        AuthMethods       = ''
+        IPAddress         = ''
+        Name              = ''
+        Scope             = ''
+        TenantId          = ''
+        UserPrincipalName = ''
+    }
+    $Success = $true
+    try {
         $ExpectedPermissions = @(
-            "Application.Read.All", "Application.ReadWrite.All", "AuditLog.Read.All", "Channel.Create", "Channel.Delete.All", "Channel.ReadBasic.All", "ChannelMember.Read.All", "ChannelMember.ReadWrite.All", "ChannelMessage.Delete", "ChannelMessage.Edit", "ChannelMessage.Read.All", "ChannelMessage.Send", "ChannelSettings.Read.All", "ChannelSettings.ReadWrite.All", "ConsentRequest.Read.All", "Device.Command", "Device.Read", "Device.Read.All", "DeviceManagementApps.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementRBAC.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Directory.AccessAsUser.All", "Domain.Read.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "Mail.Send", "Mail.Send.Shared", "Member.Read.Hidden", "Organization.ReadWrite.All", "Policy.Read.All", "Policy.ReadWrite.AuthenticationFlows", "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Policy.ReadWrite.DeviceConfiguration", "PrivilegedAccess.Read.AzureResources", "PrivilegedAccess.ReadWrite.AzureResources", "Reports.Read.All", "RoleManagement.ReadWrite.Directory", "SecurityActions.ReadWrite.All", "SecurityEvents.ReadWrite.All", "ServiceHealth.Read.All", "ServiceMessage.Read.All", "Sites.ReadWrite.All", "Team.Create", "Team.ReadBasic.All", "TeamMember.ReadWrite.All", "TeamMember.ReadWriteNonOwnerRole.All", "TeamsActivity.Read", "TeamsActivity.Send", "TeamsApp.Read", "TeamsApp.Read.All", "TeamsApp.ReadWrite", "TeamsApp.ReadWrite.All", "TeamsAppInstallation.ReadForChat", "TeamsAppInstallation.ReadForTeam", "TeamsAppInstallation.ReadForUser", "TeamsAppInstallation.ReadWriteForChat", "TeamsAppInstallation.ReadWriteForTeam", "TeamsAppInstallation.ReadWriteForUser", "TeamsAppInstallation.ReadWriteSelfForChat", "TeamsAppInstallation.ReadWriteSelfForTeam", "TeamsAppInstallation.ReadWriteSelfForUser", "TeamSettings.Read.All", "TeamSettings.ReadWrite.All", "TeamsTab.Create", "TeamsTab.Read.All", "TeamsTab.ReadWrite.All", "TeamsTab.ReadWriteForChat", "TeamsTab.ReadWriteForTeam", "TeamsTab.ReadWriteForUser", "ThreatAssessment.ReadWrite.All", "UnifiedGroupMember.Read.AsGuest", "User.ManageIdentities.All", "User.Read", "User.ReadWrite.All", "UserAuthenticationMethod.Read.All", "UserAuthenticationMethod.ReadWrite", "UserAuthenticationMethod.ReadWrite.All"
+            'Application.Read.All', 'Application.ReadWrite.All', 'AuditLog.Read.All', 'Channel.Create', 'Channel.Delete.All', 'Channel.ReadBasic.All', 'ChannelMember.Read.All', 'ChannelMember.ReadWrite.All', 'ChannelMessage.Delete', 'ChannelMessage.Edit', 'ChannelMessage.Read.All', 'ChannelMessage.Send', 'ChannelSettings.Read.All', 'ChannelSettings.ReadWrite.All', 'ConsentRequest.Read.All', 'Device.Command', 'Device.Read', 'Device.Read.All', 'DeviceManagementApps.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All', 'DeviceManagementManagedDevices.ReadWrite.All', 'DeviceManagementRBAC.ReadWrite.All', 'DeviceManagementServiceConfig.ReadWrite.All', 'Directory.AccessAsUser.All', 'Domain.Read.All', 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All', 'Mail.Send', 'Mail.Send.Shared', 'Member.Read.Hidden', 'Organization.ReadWrite.All', 'Policy.Read.All', 'Policy.ReadWrite.AuthenticationFlows', 'Policy.ReadWrite.AuthenticationMethod', 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest', 'Policy.ReadWrite.DeviceConfiguration', 'PrivilegedAccess.Read.AzureResources', 'PrivilegedAccess.ReadWrite.AzureResources', 'Reports.Read.All', 'RoleManagement.ReadWrite.Directory', 'SecurityActions.ReadWrite.All', 'SecurityEvents.ReadWrite.All', 'ServiceHealth.Read.All', 'ServiceMessage.Read.All', 'Sites.ReadWrite.All', 'Team.Create', 'Team.ReadBasic.All', 'TeamMember.ReadWrite.All', 'TeamMember.ReadWriteNonOwnerRole.All', 'TeamsActivity.Read', 'TeamsActivity.Send', 'TeamsApp.Read', 'TeamsApp.Read.All', 'TeamsApp.ReadWrite', 'TeamsApp.ReadWrite.All', 'TeamsAppInstallation.ReadForChat', 'TeamsAppInstallation.ReadForTeam', 'TeamsAppInstallation.ReadForUser', 'TeamsAppInstallation.ReadWriteForChat', 'TeamsAppInstallation.ReadWriteForTeam', 'TeamsAppInstallation.ReadWriteForUser', 'TeamsAppInstallation.ReadWriteSelfForChat', 'TeamsAppInstallation.ReadWriteSelfForTeam', 'TeamsAppInstallation.ReadWriteSelfForUser', 'TeamSettings.Read.All', 'TeamSettings.ReadWrite.All', 'TeamsTab.Create', 'TeamsTab.Read.All', 'TeamsTab.ReadWrite.All', 'TeamsTab.ReadWriteForChat', 'TeamsTab.ReadWriteForTeam', 'TeamsTab.ReadWriteForUser', 'ThreatAssessment.ReadWrite.All', 'UnifiedGroupMember.Read.AsGuest', 'User.ManageIdentities.All', 'User.Read', 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All', 'UserAuthenticationMethod.ReadWrite', 'UserAuthenticationMethod.ReadWrite.All'
         )
-        $GraphPermissions = ((Get-GraphToken -returnRefresh $true).scope).split(' ') -replace "https://graph.microsoft.com//", "" | Where-Object { $_ -notin @("email", "openid", "profile", ".default") }
-        Write-Host  ($GraphPermissions | ConvertTo-Json)
+        $GraphToken = Get-GraphToken -returnRefresh $true
+        $GraphPermissions = $GraphToken.scope.split(' ') -replace 'https://graph.microsoft.com//', '' | Where-Object { $_ -notin @('email', 'openid', 'profile', '.default') }
+        #Write-Host ($GraphPermissions | ConvertTo-Json)
+
+        try {
+            $AccessTokenDetails = Read-JwtAccessDetails -Token $GraphToken.access_token
+            #Write-Host ($AccessTokenDetails | ConvertTo-Json)
+        }
+        catch {
+            $AccessTokenDetails = [PSCustomObject]@{
+                Name        = ''
+                AuthMethods = @()
+            }
+            Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Token exception: $($_) " -Sev 'Error'
+            $Success = $false
+        }
+
+        if ($AccessTokenDetails.Name -eq '') {
+            $Messages.Add('Your refresh token is invalid, check for line breaks or missing characters.') | Out-Null
+            $Success = $false
+        }
+        else {
+            if ($AccessTokenDetails.AuthMethods -contains 'mfa') {
+                $Messages.Add('Your access token contains the MFA claim.') | Out-Null
+            }
+            else {
+                $Messages.Add('Your access token does not contain the MFA claim, Refresh your SAM tokens.') | Out-Null
+                $Success = $false
+                $Links.Add([PSCustomObject]@{
+                        Text = 'MFA Troubleshooting'
+                        Href = 'https://cipp.app/docs/general/troubleshooting/#multi-factor-authentication-troubleshooting'
+                    }
+                ) | Out-Null
+            }
+        }
+
         $MissingPermissions = $ExpectedPermissions | Where-Object { $_ -notin $GraphPermissions } 
         if ($MissingPermissions) {
-            @{ MissingPermissions = @($MissingPermissions) }
+            $MissingPermissions = @($MissingPermissions)
+            $Success = $false
+            $Links.Add([PSCustomObject]@{
+                    Text = 'Permissions'
+                    Href = 'https://cipp.app/docs/user/gettingstarted/permissions/#permissions'
+                }
+            ) | Out-Null
         }
         else {
-            "Your Secure Application Model has all required permissions"
+            $Messages.Add('Your Secure Application Model has all required permissions') | Out-Null
         }
     }
     catch {
-        Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME  -message "Permissions check failed: $($_) " -Sev "Error"
-        "We could not connect to the API to retrieve the permissions. There might be a problem with the secure application model configuration. The returned error is: $($_.Exception.Response.StatusCode.value__ ) - $($_.Exception.Message)"
+        Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Permissions check failed: $($_) " -Sev 'Error'
+        $Messages.Add("We could not connect to the API to retrieve the permissions. There might be a problem with the secure application model configuration. The returned error is: $($_.Exception.Response.StatusCode.value__ ) - $($_.Exception.Message)") | Out-Null
+        $Success = $false
+    }
+
+    $Results = [PSCustomObject]@{
+        AccessTokenDetails = $AccessTokenDetails
+        Messages           = @($Messages)
+        MissingPermissions = @($MissingPermissions)
+        Links              = @($Links)
+        Success            = $Success
     }
 }
 
-if ($Request.query.Tenants -eq "true") {
+if ($Request.query.Tenants -eq 'true') {
     $Tenants = ($Request.body.tenantid).split(',')
-    if (!$Tenants) { $results = "Could not load the tenants list from cache. Please run permissions check first, or visit the tenants page." }
+    if (!$Tenants) { $results = 'Could not load the tenants list from cache. Please run permissions check first, or visit the tenants page.' }
     $results = foreach ($tenant in $Tenants) {
         try {
             $token = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/users/delta?$select=displayName' -tenantid $tenant
             @{
                 TenantName = "$($Tenant)"
-                Status     = "Succesfully connected" 
+                Status     = 'Succesfully connected' 
             }
-            Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Tenant access check executed succesfully" -Sev "Info"
+            Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message 'Tenant access check executed succesfully' -Sev 'Info'
 
         }
         catch {
             @{
                 TenantName = "$($tenant)"
                 Status     = "Failed to connect to $($_.Exception.Message)" 
             }
-            Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Tenant access check failed: $($_) " -Sev "Error"
+            Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Tenant access check failed: $($_) " -Sev 'Error'
 
         }
 
         try {
-            $upn = "notRequired@required.com"
+            $upn = 'notRequired@required.com'
             $tokenvalue = ConvertTo-SecureString (Get-GraphToken -AppID 'a0c73c16-a7e3-4564-9a95-2bdf47383716' -RefreshToken $ENV:ExchangeRefreshToken -Scope 'https://outlook.office365.com/.default' -Tenantid $tenant).Authorization -AsPlainText -Force
             $credential = New-Object System.Management.Automation.PSCredential($upn, $tokenValue)
             $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$($tenant)&BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection -ErrorAction Continue
-            $session = Import-PSSession $session -ea Silentlycontinue -AllowClobber -CommandName "Get-OrganizationConfig"
+            $session = Import-PSSession $session -ea Silentlycontinue -AllowClobber -CommandName 'Get-OrganizationConfig'
             $org = Get-OrganizationConfig
             $null = Get-PSSession | Remove-PSSession
             @{ 
                 TenantName = "$($Tenant)"
-                Status     = "Succesfully connected to Exchange" 
+                Status     = 'Succesfully connected to Exchange' 
             }
         }
         catch {
@@ -73,13 +137,13 @@ if ($Request.query.Tenants -eq "true") {
                 TenantName = "$($Tenant)"
                 Status     = "Failed to connect to Exchange: $($Message)" 
             }
-            Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Tenant access check for Exchange failed: $($Message) " -Sev "Error"
+            Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Tenant access check for Exchange failed: $($Message) " -Sev 'Error'
         }
     }
-    if (!$Tenants) { $results = "Could not load the tenants list from cache. Please run permissions check first, or visit the tenants page." }
+    if (!$Tenants) { $results = 'Could not load the tenants list from cache. Please run permissions check first, or visit the tenants page.' }
 }
 
-$body = [pscustomobject]@{"Results" = $Results }
+$body = [pscustomobject]@{'Results' = $Results }
 
 # Associate values to output bindings by calling 'Push-OutputBinding'.
 Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

diff --git a/ExecDnsHelper/function.json → ExecCreateTAP/function.json b/ExecDnsHelper/function.json → ExecCreateTAP/function.json
diff --git a/ExecCreateTAP/run.ps1 b/ExecCreateTAP/run.ps1
@@ -0,0 +1,26 @@
+using namespace System.Net
+
+# Input bindings are passed in via param block.
+param($Request, $TriggerMetadata)
+
+$APIName = $TriggerMetadata.FunctionName
+Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME  -message "Accessed this API" -Sev "Debug"
+
+# Interact with query parameters or the body of the request.
+$TenantFilter = $Request.Query.TenantFilter
+$Body = "{}"
+try {
+      $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Request.query.ID)/authentication/temporaryAccessPassMethods" -tenantid $TenantFilter -type POST -body $Body  -verbose
+      $Results = [pscustomobject]@{"Results" = "The TAP for this user is $($GraphRequest.temporaryAccessPass) - This TAP is usable for the next $($GraphRequest.LifetimeInMinutes) minutes" }
+      Log-Request -user $request.headers.'x-ms-client-principal' -API $APINAME  -message "Created temporary access pass for user $($Request.Query.id)" -Sev "Info"
+
+}
+catch {
+      $Results = [pscustomobject]@{"Results" = "Failed. $($_.Exception.Message)" }
+}
+
+# Associate values to output bindings by calling 'Push-OutputBinding'.
+Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+      })