Merge branch 'KelvinTegelaar:dev' into dev

DChorn-ANS · Jul 26, 2023 · 3538bea · 3538bea
2 parents aad4036 + fb02f03
commit 3538bea
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 18 deletions.
diff --git a/Modules/CIPPCore/Public/New-CIPPAPIConfig.ps1 b/Modules/CIPPCore/Public/New-CIPPAPIConfig.ps1
@@ -9,6 +9,7 @@ function New-CIPPAPIConfig {
     )
     $null = Connect-AzAccount -Identity
     $currentapp = (Get-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name "CIPPAPIAPP" -AsPlainText)
+    $subscription = $($ENV:WEBSITE_OWNER_NAME).Split('+')[0]
 
     try {
         if ($currentapp) {
@@ -27,18 +28,6 @@ function New-CIPPAPIConfig {
             Write-Host "Adding serviceprincipal"
             $ServicePrincipal = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/serviceprincipals"  -NoAuthCheck $true -type POST -body "{`"accountEnabled`":true,`"appId`":`"$($APIApp.appId)`",`"displayName`":`"CIPP-API`",`"tags`":[`"WindowsAzureActiveDirectoryIntegratedApp`",`"AppServiceIntegratedApp`"]}"
         }
-        $subscription = $($ENV:WEBSITE_OWNER_NAME).Split('+')[0]
-        $CurrentSettings = New-GraphGetRequest -uri "https://management.azure.com/subscriptions/$($subscription)/resourceGroups/$ENV:WEBSITE_RESOURCE_GROUP/providers/Microsoft.Web/sites/$ENV:WEBSITE_SITE_NAME/Config/authsettingsV2/list?api-version=2018-11-01" -NoAuthCheck $true -scope "https://management.azure.com/.default"
-        Write-Host "setting settings"
-        $currentSettings.properties.identityProviders.azureActiveDirectory = @{
-            registration = @{
-                clientId     = $APIApp.appId
-                openIdIssuer = "https://sts.windows.net/$($ENV:TenantId)/v2.0"
-            }
-            validation   = @{
-                allowedAudiences = @("api://$($APIApp.appId)")
-            }
-        }
         if ($resetpassword) {
             Write-Host "Removing all old passwords"
             $RemovePasswords = New-GraphPOSTRequest -type Patch -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/" -body '{"passwordCredentials":[]}' -NoAuthCheck $true
@@ -47,6 +36,17 @@ function New-CIPPAPIConfig {
             Write-LogMessage -user $ExecutingUser -API $APINAME -tenant 'None '-message "Reset CIPP API Password." -Sev "info"
         }
         else {
+            $CurrentSettings = New-GraphGetRequest -uri "https://management.azure.com/subscriptions/$($subscription)/resourceGroups/$ENV:WEBSITE_RESOURCE_GROUP/providers/Microsoft.Web/sites/$ENV:WEBSITE_SITE_NAME/Config/authsettingsV2/list?api-version=2018-11-01" -NoAuthCheck $true -scope "https://management.azure.com/.default"
+            Write-Host "setting settings"
+            $currentSettings.properties.identityProviders.azureActiveDirectory = @{
+                registration = @{
+                    clientId     = $APIApp.appId
+                    openIdIssuer = "https://sts.windows.net/$($ENV:TenantId)/v2.0"
+                }
+                validation   = @{
+                    allowedAudiences = @("api://$($APIApp.appId)")
+                }
+            }
             $currentBody = ConvertTo-Json -Depth 15 -InputObject ($currentSettings | Select-Object Properties)
             Write-Host "writing to Azure"
             $SetAPIAuth = New-GraphPOSTRequest -type "PUT" -uri "https://management.azure.com/subscriptions/$($subscription)/resourceGroups/$ENV:WEBSITE_RESOURCE_GROUP/providers/Microsoft.Web/sites/$ENV:WEBSITE_SITE_NAME/Config/authsettingsV2?api-version=2018-11-01" -scope "https://management.azure.com/.default" -NoAuthCheck $true -body $currentBody

diff --git a/Modules/CIPPCore/Public/Remove-CIPPLicense.ps1 b/Modules/CIPPCore/Public/Remove-CIPPLicense.ps1
@@ -7,14 +7,16 @@ function Remove-CIPPLicense {
         $APIName = "Remove License",
         $TenantFilter
     )
-
+    Set-Location (Get-Item $PSScriptRoot).FullName
+    $ConvertTable = Import-Csv Conversiontable.csv
     try {
         $CurrentLicenses = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($userid)" -tenantid $tenantFilter).assignedlicenses.skuid
+        $ConvertedLicense = $(($ConvertTable | Where-Object { $_.guid -in $CurrentLicenses }).'Product_Display_Name' | Sort-Object -Unique) -join ','
         $LicensesToRemove = if ($CurrentLicenses) { ConvertTo-Json @( $CurrentLicenses) } else { "[]" }
         $LicenseBody = '{"addLicenses": [], "removeLicenses": ' + $LicensesToRemove + '}'
         $LicRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($userid)/assignlicense" -tenantid $tenantFilter -type POST -body $LicenseBody -verbose
         Write-LogMessage -user $ExecutingUser -API $APIName -message "Removed license for $($username)" -Sev "Info" -tenant $TenantFilter
-        Return "Removed current licenses: $(($ConvertTable | Where-Object { $_.guid -in $CurrentLicenses }).'Product_Display_Name' -join ',')"
+        Return "Removed current licenses: $ConvertedLicense"
 
     }
     catch {

diff --git a/Standards_AuditLog/run.ps1 b/Standards_AuditLog/run.ps1
@@ -1,10 +1,12 @@
 param($tenant)
 
+$DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet "Get-OrganizationConfig").IsDehydrated
+if ($DehydratedTenant) {
+    New-ExoRequest -tenantid $Tenant -cmdlet "Enable-OrganizationCustomization"
+}
+
 try {
-    $DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet "Get-OrganizationConfig").IsDehydrated
-    if ($DehydratedTenant) {
-        New-ExoRequest -tenantid $Tenant -cmdlet "Enable-OrganizationCustomization"
-    }
+
     $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet "Get-AdminAuditLogConfig").UnifiedAuditLogIngestionEnabled
     if ($AuditLogEnabled) {
         Write-LogMessage -API "Standards" -tenant $tenant -message "Unified Audit Log already enabled." -sev Info

diff --git a/Standards_DisableAddShortcutsToOneDrive/function.json b/Standards_DisableAddShortcutsToOneDrive/function.json
@@ -0,0 +1,9 @@
+{
+  "bindings": [
+    {
+      "name": "tenant",
+      "type": "activityTrigger",
+      "direction": "in"
+    }
+  ]
+}
diff --git a/Standards_DisableAddShortcutsToOneDrive/run.ps1 b/Standards_DisableAddShortcutsToOneDrive/run.ps1
@@ -0,0 +1,89 @@
+param($tenant)
+
+function GetTenantRequestXml {
+    return @"
+        <Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0" LibraryVersion="16.0.0.0"
+            ApplicationName="SharePoint Online PowerShell (16.0.23814.0)"
+            xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
+            <Actions>
+                <ObjectPath Id="4" ObjectPathId="3" />
+                <Query Id="5" ObjectPathId="3">
+                    <Query SelectAllProperties="true">
+                        <Properties />
+                    </Query>
+                </Query>
+            </Actions>
+            <ObjectPaths>
+                <Constructor Id="3" TypeId="{268004ae-ef6b-4e9b-8425-127220d84719}" />
+            </ObjectPaths>
+        </Request>
+"@
+}
+
+function GetDisableAddShortcutsToOneDriveXml {
+    param(
+        [string]$identity
+    )
+
+    # the json object gives us a space and a newline :(
+    $identity = $identity.Replace(" ", "")
+    $identity = $identity.Replace("`n", "&#xA;")
+    return @"
+        <Request AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0"
+            LibraryVersion="16.0.0.0" ApplicationName="SharePoint Online PowerShell (16.0.23814.0)"
+            xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009">
+            <Actions>
+                <SetProperty Id="7" ObjectPathId="3" Name="DisableAddToOneDrive">
+                    <Parameter Type="Boolean">true</Parameter>
+                </SetProperty>
+            </Actions>
+            <ObjectPaths>
+                <Identity Id="3" Name="$identity" />
+            </ObjectPaths>
+        </Request>
+"@
+}
+
+$log = @{
+    API = "Standards"
+    tenant = $tenant
+    message = ""
+    sev = "Info"
+}
+
+try {
+    $OnMicrosoft = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $tenant |
+        Where-Object -Property isInitial -EQ $true).id.split('.') | Select-Object -First 1
+    $AdminUrl = "https://$($OnMicrosoft)-admin.sharepoint.com"
+    $graphRequest = @{
+        "scope" = "$AdminURL/.default"
+        "tenantid" = $tenant
+        "uri" = "$AdminURL/_vti_bin/client.svc/ProcessQuery"
+        "type" = "POST"
+        "body" = GetTenantRequestXml
+        "ContentType" = "text/xml"
+    }
+
+    $response = New-GraphPostRequest @graphRequest
+    if (!$response.ErrorInfo.ErrorMessage) {
+        $log.message = "Received Tenant from Sharepoint"
+        Write-LogMessage @log
+    }
+
+    $graphRequest.Body = GetDisableAddShortcutsToOneDriveXml -identity $response._ObjectIdentity_
+    $response = New-GraphPostRequest @graphRequest
+
+    if (!$response.ErrorInfo.ErrorMessage) {
+        $log.message = "Set DisableAddShortcutsToOneDrive to True on $tenant"
+    }
+    else {
+        $log.message = "Unable to set DisableAddShortcutsToOneDrive to True `
+            on $($tenant): $($response.ErrorInfo.ErrorMessage)"
+    }
+}
+catch {
+    $log.message = "Failed to set OneDrive shortcut: $($_.Exception.Message)"
+    $log.sev = "Error"
+}
+
+Write-LogMessage @log