Merge pull request #90 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

.github/workflows/dev_cippkkxvm.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippkkxvm
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippkkxvm'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_171C3E2B1E2346AAA333905DFCA62F2D }}

.github/workflows/dev_cippkwn4s-auditlog.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippkwn4s-auditlog
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippkwn4s-auditlog'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_4CBFBE8BE62240D789C371767B49278E }}

.github/workflows/dev_cipplwwww-proc.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cipplwwww-proc
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cipplwwww-proc'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B8CE64E970E74E6AB2D6655823D95B1A }}

Z_CIPPHttpTrigger/function.json → CIPPHttpTrigger/function.json

@@ -39,12 +39,6 @@
       "name": "alertqueue",
       "queueName": "alertqueue"
     },
-    {
-      "type": "queue",
-      "direction": "out",
-      "name": "gdapqueue",
-      "queueName": "gdapqueue"
-    },
     {
       "type": "queue",
       "direction": "out",

CIPPTimers.json

@@ -4,14 +4,24 @@
     "Description": "Orchestrator to process user scheduled tasks",
     "Cron": "0 */15 * * * *",
     "Priority": 1,
+    "RunOnProcessor": true,
+    "PreferredProcessor": "usertasks"
+  },
+  {
+    "Command": "Start-CIPPProcessorQueue",
+    "Description": "Timer to handle user initiated tasks",
+    "Cron": "0 */15 * * * *",
+    "Priority": 1,
     "RunOnProcessor": true
   },
   {
     "Command": "Start-AuditLogOrchestrator",
     "Description": "Orchestrator to process audit logs",
     "Cron": "0 */15 * * * *",
     "Priority": 2,
-    "RunOnProcessor": true
+    "RunOnProcessor": true,
+    "PreferredProcessor": "auditlog",
+    "IsSystem": true
   },
   {
     "Command": "Start-WebhookOrchestrator",
@@ -25,7 +35,8 @@
     "Description": "Orchestrator to process standards",
     "Cron": "0 0 */4 * * *",
     "Priority": 4,
-    "RunOnProcessor": true
+    "RunOnProcessor": true,
+    "PreferredProcessor": "standards"
   },
   {
     "Command": "Start-CIPPGraphSubscriptionCleanupTimer",
@@ -59,9 +70,10 @@
   {
     "Command": "Start-CIPPGraphSubscriptionRenewalTimer",
     "Description": "Orchestrator to renew Graph subscriptions",
-    "Cron": "0 10 * * * *",
+    "Cron": "0 15 * * * *",
     "Priority": 8,
-    "RunOnProcessor": true
+    "RunOnProcessor": true,
+    "IsSystem": true
   },
   {
     "Command": "Start-DomainOrchestrator",

Modules/CIPPCore/CIPPCore.psm1

@@ -1,5 +1,5 @@
-$Public = @(Get-ChildItem -Path $PSScriptRoot\Public\*.ps1 -Recurse -ErrorAction SilentlyContinue)
-$Private = @(Get-ChildItem -Path $PSScriptRoot\private\*.ps1 -Recurse -ErrorAction SilentlyContinue)
+$Public = @(Get-ChildItem -Path (Join-Path $PSScriptRoot "Public\*.ps1") -Recurse -ErrorAction SilentlyContinue)
+$Private = @(Get-ChildItem -Path (Join-Path $PSScriptRoot "Private\*.ps1") -Recurse -ErrorAction SilentlyContinue)
 $Functions = $Public + $Private
 foreach ($import in @($Functions)) {
     try {

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -91,6 +91,20 @@ function Add-CIPPDelegatedPermission {
             $CreateRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants' -tenantid $Tenantfilter -body $Createbody -type POST -NoAuthCheck $true
             $Results.add("Successfully added permissions for $($svcPrincipalId.displayName)")
         } else {
+            # Cleanup multiple scope entries and patch first id
+            if (($OldScope.id | Measure-Object).Count -gt 1) {
+                $OldScopeId = $OldScope.id[0]
+                $OldScope.id | ForEach-Object {
+                    if ($_ -ne $OldScopeId) {
+                        try {
+                            $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$_" -tenantid $Tenantfilter -type DELETE -NoAuthCheck $true
+                        } catch {
+                        }
+                    }
+                }
+            } else {
+                $OldScopeId = $OldScope.id
+            }
             $compare = Compare-Object -ReferenceObject $OldScope.scope.Split(' ') -DifferenceObject $NewScope.Split(' ')
             if (!$compare) {
                 $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)")
@@ -99,8 +113,12 @@ function Add-CIPPDelegatedPermission {
             $Patchbody = @{
                 scope = "$NewScope"
             } | ConvertTo-Json -Compress
-            $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($OldScope.id)" -tenantid $Tenantfilter -body $Patchbody -type PATCH -NoAuthCheck $true
-
+            try {
+                $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($OldScopeId)" -tenantid $Tenantfilter -body $Patchbody -type PATCH -NoAuthCheck $true
+            } catch {
+                $Results.add("Failed to update permissions for $($svcPrincipalId.displayName): $(Get-NormalizedError -message $_.Exception.Message)")
+                continue
+            }
             # Added permissions
             $Added = ($Compare | Where-Object { $_.SideIndicator -eq '=>' }).InputObject -join ' '
             $Removed = ($Compare | Where-Object { $_.SideIndicator -eq '<=' }).InputObject -join ' '

Modules/CIPPCore/Public/AdditionalPermissions.json

@@ -1,13 +1,24 @@
 [
   {
-    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
-    "resourceAccess": [{ "id": "AllProfiles.Manage", "type": "Scope" }]
+    "resourceAppId": "00000006-0000-0ff1-ce00-000000000000",
+    "resourceAccess": [
+      {
+        "id": "M365AdminPortal.IntegratedApps.ReadWrite",
+        "type": "Scope"
+      },
+      {
+        "id": "user_impersonation",
+        "type": "Scope"
+      }
+    ]
   },
   {
-    "resourceAppId": "00000006-0000-0ff1-ce00-000000000000",
+    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
     "resourceAccess": [
-      { "id": "M365AdminPortal.IntegratedApps.ReadWrite", "type": "Scope" },
-      { "id": "user_impersonation", "type": "Scope" }
+      {
+        "id": "AllProfiles.Manage",
+        "type": "Scope"
+      }
     ]
   }
-]
+]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuotaUsed.ps1

@@ -18,7 +18,9 @@ function Get-CIPPAlertQuotaUsed {
     }
     $OverQuota = $AlertData | ForEach-Object {
         if ($_.StorageUsedInBytes -eq 0 -or $_.prohibitSendReceiveQuotaInBytes -eq 0) { return }
-        $PercentLeft = [math]::round(($_.storageUsedInBytes / $_.prohibitSendReceiveQuotaInBytes) * 100)
+        try {
+            $PercentLeft = [math]::round(($_.storageUsedInBytes / $_.prohibitSendReceiveQuotaInBytes) * 100)
+        } catch { $PercentLeft = 100 }
         try {
             if ([int]$InputValue -gt 0) {
                 $Value = [int]$InputValue
@@ -34,4 +36,4 @@ function Get-CIPPAlertQuotaUsed {
 
     }
     Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $OverQuota
-}
+}

Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearchResults.ps1

@@ -0,0 +1,23 @@
+function Get-CippAuditLogSearchResults {
+    <#
+    .SYNOPSIS
+        Get the results of an audit log search
+    .DESCRIPTION
+        Get the results of an audit log search from the Graph API
+    .PARAMETER TenantFilter
+        The tenant to filter on.
+    .PARAMETER QueryId
+        The ID of the query to get the results for.
+    #>
+    param (
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [Parameter(ValueFromPipelineByPropertyName = $true, Mandatory = $true)]
+        [Alias('id')]
+        [string]$QueryId
+    )
+
+    process {
+        New-GraphGetRequest -uri ('https://graph.microsoft.com/beta/security/auditLog/queries/{0}/records?$top=999' -f $QueryId) -AsApp $true -tenantid $TenantFilter
+    }
+}

Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearches.ps1

@@ -0,0 +1,23 @@
+function Get-CippAuditLogSearches {
+    <#
+    .SYNOPSIS
+        Get the available audit log searches
+    .DESCRIPTION
+        Query the Graph API for available audit log searches.
+    .PARAMETER TenantFilter
+        The tenant to filter on.
+    #>
+    param (
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [Parameter()]
+        [switch]$ReadyToProcess
+    )
+    $Queries = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/security/auditLog/queries' -AsApp $true -tenantid $TenantFilter
+    if ($ReadyToProcess.IsPresent) {
+        $AuditLogSearchesTable = Get-CippTable -TableName 'AuditLogSearches'
+        $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "Tenant eq '$TenantFilter' and CippStatus eq 'Pending'"
+        $Queries = $Queries | Where-Object { $PendingQueries.RowKey -contains $_.id -and $_.status -eq 'succeeded' }
+    }
+    return $Queries
+}