Merge pull request #2 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev
Fulcra-Networks · Jan 20, 2024 · 416c78b · 416c78b
2 parents 840fc06 + 15451bd
commit 416c78b
Show file tree

Hide file tree

Showing 13 changed files with 45 additions and 17 deletions.
diff --git a/Config/49a8069e-3b46-4680-a035-9250bc675446.CATemplate.json b/Config/49a8069e-3b46-4680-a035-9250bc675446.CATemplate.json
@@ -37,5 +37,5 @@
       "excludeApplications": []
     }
   },
-  "displayName": "Enforce Multi factor authentication for each application"
+  "displayName": "CIPP: Enforce Multi factor authentication for each application"
 }
diff --git a/Config/cba836bb-33b7-4c50-88be-ee80f74cbeac.CATemplate.json b/Config/cba836bb-33b7-4c50-88be-ee80f74cbeac.CATemplate.json
@@ -32,5 +32,5 @@
     "times": null,
     "clientApplications": null
   },
-  "displayName": "Enforce Multi-factor authentication for Static Web Apps"
+  "displayName": "CIPP: Enforce Multi-factor authentication for Static Web Apps"
 }
diff --git a/Config/f8be7e58-2419-40a8-a739-714bf5deff90.CATemplate.json b/Config/f8be7e58-2419-40a8-a739-714bf5deff90.CATemplate.json
@@ -26,11 +26,11 @@
     "platforms": null,
     "clientApplications": null,
     "applications": {
-      "includeApplications": ["None"],
+      "includeApplications": ["All"],
       "includeUserActions": [],
       "includeAuthenticationContextClassReferences": [],
       "excludeApplications": []
     }
   },
-  "displayName": "Block Legacy Authentication"
+  "displayName": "CIPP: Block Legacy Authentication"
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1
@@ -20,9 +20,9 @@ Function Invoke-AddStandardsDeploy {
         $Settings | Add-Member -NotePropertyName 'v2.1' -NotePropertyValue $true -Force
         if ($Settings.phishProtection.remediate) {
             $URL = $request.headers.'x-ms-original-url'.split('/api') | Select-Object -First 1
-            write-host $URL
+            Write-Host $URL
             $Settings.phishProtection = [pscustomobject]@{
-                remediate = $true
+                remediate = [bool]$Settings.phishProtection.remediate
                 URL       = $URL
             }
         }

diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecOffboardTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecOffboardTenant.ps1
@@ -12,6 +12,9 @@ Function Invoke-ExecOffboardTenant {
 
         $Tenantfilter = $request.body.tenantfilter
 
+        # temp fix -rvdwegen
+        $tenantId = (Invoke-RestMethod -Method GET "https://login.windows.net/$Tenantfilter/.well-known/openid-configuration").token_endpoint.Split('/')[3]
+
         $results = [System.Collections.ArrayList]@()
         $errors = [System.Collections.ArrayList]@()
 
@@ -105,7 +108,7 @@ Function Invoke-ExecOffboardTenant {
         }
 
         # All customer tenant specific actions ALWAYS have to be completed before this action!
-        if ($request.body.RemoveMultitenantApps) {
+        if ($request.body.RemoveMultitenantCSPApps) {
             # Remove multi-tenant apps with the CSP tenant as origin
             try {
                 $multitenantCSPApps = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$count=true&`$select=displayName,appId,id,appOwnerOrganizationId&`$filter=appOwnerOrganizationId eq $($env:TenantID)" -tenantid $Tenantfilter -ComplexFilter)
@@ -129,18 +132,23 @@ Function Invoke-ExecOffboardTenant {
         if ($request.body.TerminateGDAP) {
             # Terminate GDAP relationships
             try {
-                $delegatedAdminRelationships = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships?`$filter=(status eq 'active') AND (customer/tenantId eq '$TenantFilter')" -tenantid $env:TenantID)
+                $TenantFilter
+                $TenantFilter
+                $TenantFilter
+                $delegatedAdminRelationships = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships?`$filter=(status eq 'active') AND (customer/tenantId eq '$tenantid')" -tenantid $env:TenantID)
                 $delegatedAdminRelationships | ForEach-Object {
                     try {
                         $terminate = (New-GraphPostRequest -type 'POST' -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($_.id)/requests" -body '{"action":"terminate"}' -ContentType 'application/json' -tenantid $env:TenantID)
                         $results.Add("Succesfully terminated GDAP relationship $($_.displayName) from tenant $TenantFilter")
                         Write-LogMessage -user $ExecutingUser -API $APIName -message "GDAP Relationship $($_.displayName) has been terminated" -Sev "Info" -tenant $TenantFilter
                     } catch {
+                        $($_.Exception.message)
                         #$results.Add("Failed to terminate GDAP relationship $($_.displayName): $($_.Exception.message)")
                         $errors.Add("Failed to terminate GDAP relationship $($_.displayName): $($_.Exception.message)")
                     }
                 }
             } catch {
+                $($_.Exception.message)
                 #$results.Add("Failed to retrieve GDAP relationships, no relationships have been terminated: $($_.Exception.message)")
                 $errors.Add("Failed to retrieve GDAP relationships, no relationships have been terminated: $($_.Exception.message)")
             }

diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1
@@ -14,7 +14,6 @@ function Push-CIPPAlertExpiringLicenses {
             }
         }
     } catch {
-        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
     }
 }
 
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSharepointQuota.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSharepointQuota.ps1
@@ -18,6 +18,5 @@ function Push-CIPPAlertSharepointQuota {
             }
         }
     } catch {
-        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get SharePoint quota for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
     }
 }
diff --git a/Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1
@@ -22,7 +22,8 @@ function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $N
         try {
             $ReturnedData = (Invoke-RestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType $contentType)
         } catch {
-            $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error.message
+            $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error
+            if ($Message.innerError) { $Message = $Message.Innererror.Message } else { $Message = $Message.Message.Error }
             if ($Message -eq $null) { 
                 try {
                     $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).message

diff --git a/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1 b/Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1
@@ -45,6 +45,21 @@ function New-CIPPCAPolicy {
         # no issues here.
     }
 
+    #If Grant Controls contains authenticationstrength, create these and then replace the id
+    if ($JSONobj.GrantControls.authenticationStrength.policyType -eq 'custom') {
+        $ExistingStrength = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies/' -tenantid $TenantFilter | Where-Object -Property displayName -EQ $JSONobj.GrantControls.authenticationStrength.displayName
+        if ($ExistingStrength) {
+            $JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
+
+        } else {
+            $Body = ConvertTo-Json -InputObject $JSONObj.GrantControls.authenticationStrength
+            $GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/authenticationStrength/policies' -body $body -Type POST -tenantid $tenantfilter
+            $JSONObj.GrantControls.authenticationStrength = @{ id = $ExistingStrength.id }
+            Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created new Authentication Strength Policy: $($JSONObj.GrantControls.authenticationStrength.displayName)" -Sev 'Info'
+        }
+    }
+
+
     #for each of the locations, check if they exist, if not create them. These are in $jsonobj.LocationInfo
     $LocationLookupTable = foreach ($locations in $jsonobj.LocationInfo) {
         foreach ($location in $locations) {
@@ -109,6 +124,7 @@ function New-CIPPCAPolicy {
             return "Created policy $displayname for $tenantfilter"
         }
     } catch {
+        Write-Host "$($_.exception | ConvertTo-Json)"
         throw "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message)"
         Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message) " -sev 'Error'
     }

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1
@@ -19,6 +19,11 @@ function Invoke-CIPPStandardPhishProtection {
     If ($Settings.remediate) {
 
         try {
+            if (!$currentBody) {
+                $AddedHeaders = @{'Accept-Language' = 0}
+                $defaultBrandingBody = '{"usernameHintText":null,"signInPageText":null,"backgroundColor":null,"customPrivacyAndCookiesText":null,"customCannotAccessYourAccountText":null,"customForgotMyPasswordText":null,"customTermsOfUseText":null,"loginPageLayoutConfiguration":{"layoutTemplateType":"default","isFooterShown":true,"isHeaderShown":false},"loginPageTextVisibilitySettings":{"hideAccountResetCredentials":false,"hideTermsOfUse":true,"hidePrivacyAndCookies":true},"contentCustomization":{"conditionalAccess":[],"attributeCollection":[]}}'
+                New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/" -ContentType 'application/json' -asApp $true -Type POST -Body $defaultBrandingBody -AddedHeaders $AddedHeaders
+            }
             if ($currentBody -like "*$CSS*") {
                 Write-Host 'Logon Screen Phising Protection system already active'
                 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Logon Screen Phishing Protection system already active' -sev Info

diff --git a/Scheduler_CIPPNotifications/run.ps1 b/Scheduler_CIPPNotifications/run.ps1
@@ -31,7 +31,7 @@ try {
         $JSONBody = @"
                     {
                         "message": {
-                          "subject": "CIPP Alert: Alerts found starting at $((Get-Date).AddMinutes(-15))",
+                          "subject": "$($Tenant): CIPP Alert: Alerts found starting at $((Get-Date).AddMinutes(-15))",
                           "body": {
                             "contentType": "HTML",
                             "content": "You've setup your alert policies to be alerted whenever specific events happen. We've found some of these events in the log:<br><br>

diff --git a/version_latest.txt b/version_latest.txt
@@ -1 +1 @@
-4.9.8
+5.0.2
-Original file line number
+Diff line change
@@ Expand Up / @@ -14,7 +14,6 @@ function Push-CIPPAlertExpiringLicenses { @@
                 }
             }
         } catch {
-            Write-AlertMessage -tenant $($QueueItem.tenant) -message "Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
         }
     }