Merge pull request KelvinTegelaar#1051 from KelvinTegelaar/dev

Dev to hotfix

Author: JohnDuprey

.github/workflows/dev_cipphfjdq.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cipphfjdq
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+    
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+      
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cipphfjdq'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_194504F3E0EE4941A2206C7E71DA4915 }}

.github/workflows/dev_cippopy3o.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippopy3o
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+    
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+      
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippopy3o'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B5A7200CF39F4853A33349B80D54DC99 }}

Modules/CIPPCore/Public/Add-CIPPAzDataTableEntity.ps1

@@ -138,7 +138,7 @@ function Add-CIPPAzDataTableEntity {
                     throw "Error processing entity: $ErrorMessage Linenumber: $($_.InvocationInfo.ScriptLineNumber)"
                 }
             } else {
-                Write-Information "THE ERROR IS $($_.Exception.ErrorCode). The size of the entity is $entitySize."
+                Write-Information "THE ERROR IS $($_.Exception.message). The size of the entity is $entitySize."
                 throw $_
             }
         }

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/BPA/Push-BPACollectData.ps1

@@ -19,7 +19,12 @@ function Push-BPACollectData {
         }
     }
     $Table = Get-CippTable -tablename 'cachebpav2'
-    Write-Host "Working on BPA for $($TenantName.displayName) with GUID $($TenantName.customerId) - Report ID $($Item.Template)"
+    $Rerun = Test-CIPPRerun -Type 'BPA' -Tenant $TenantName.defaultDomainName -API $Item.Template
+    if ($Rerun) {
+        Write-Host 'Detected rerun. Exiting cleanly'
+        exit 0
+    }
+    Write-Host "Working on BPA for $($TenantName.defaultDomainName) with GUID $($TenantName.customerId) - Report ID $($Item.Template)"
     $Template = $Templates | Where-Object -Property Name -EQ -Value $Item.Template
     # Build up the result object that will be stored in tables
     $Result = @{

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPStandard.ps1

@@ -12,6 +12,13 @@ function Push-CIPPStandard {
     $Standard = $Item.Standard
     $FunctionName = 'Invoke-CIPPStandard{0}' -f $Standard
     Write-Host "We'll be running $FunctionName"
+    $Rerun = Test-CIPPRerun -Type Standard -Tenant $Tenant -Settings $Item.Settings -API $Standard
+    if ($Rerun) {
+        Write-Host 'Detected rerun. Exiting cleanly'
+        exit 0
+    } else {
+        Write-Host "Rerun is set to false. We'll be running $FunctionName"
+    }
     try {
         & $FunctionName -Tenant $Item.Tenant -Settings $Item.Settings -ErrorAction Stop
     } catch {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Extensions/Invoke-ExecExtensionsConfig.ps1

@@ -17,21 +17,22 @@ Function Invoke-ExecExtensionsConfig {
     #Connect-AzAccount -UseDeviceAuthentication
     # Write to the Azure Functions log stream.
     Write-Information 'PowerShell HTTP trigger function processed a request.'
+    $Body = [PSCustomObject]$Request.Body
     $results = try {
-        if ($Request.Body.CIPPAPI.Enabled) {
+        if ($Body.CIPPAPI.Enabled) {
             try {
-                $APIConfig = New-CIPPAPIConfig -ExecutingUser $Request.Headers.'x-ms-client-principal' -resetpassword $Request.Body.CIPPAPI.ResetPassword
+                $APIConfig = New-CIPPAPIConfig -ExecutingUser $Request.Headers.'x-ms-client-principal' -resetpassword $Body.CIPPAPI.ResetPassword
                 $AddedText = $APIConfig.Results
             } catch {
                 $AddedText = ' Could not enable CIPP-API. Check the CIPP documentation for API requirements.'
-                $Request.Body = $Request.Body | Select-Object * -ExcludeProperty CIPPAPI
+                $Body = $Body | Select-Object * -ExcludeProperty CIPPAPI
             }
         }
 
         # Check if NinjaOne URL is set correctly and the instance has at least version 5.6
-        if ($Request.Body.NinjaOne) {
+        if ($Body.NinjaOne) {
             try {
-                [version]$Version = (Invoke-WebRequest -Method GET -Uri "https://$(($Request.Body.NinjaOne.Instance -replace '/ws','') -replace 'https://','')/app-version.txt" -ea stop).content
+                [version]$Version = (Invoke-WebRequest -Method GET -Uri "https://$(($Body.NinjaOne.Instance -replace '/ws','') -replace 'https://','')/app-version.txt" -ea stop).content
             } catch {
                 throw "Failed to connect to NinjaOne check your Instance is set correctly eg 'app.ninjarmmm.com'"
             }
@@ -41,39 +42,39 @@ Function Invoke-ExecExtensionsConfig {
         }
 
         $Table = Get-CIPPTable -TableName Extensionsconfig
-        foreach ($APIKey in ([pscustomobject]$Request.Body).psobject.properties.name) {
+        foreach ($APIKey in $Body.PSObject.Properties.Name) {
             Write-Information "Working on $apikey"
-            if ($Request.Body.$APIKey.APIKey -eq 'SentToKeyVault' -or $Request.Body.$APIKey.APIKey -eq '') {
+            if ($Body.$APIKey.APIKey -eq 'SentToKeyVault' -or $Body.$APIKey.APIKey -eq '') {
                 Write-Information 'Not sending to keyvault. Key previously set or left blank.'
             } else {
                 Write-Information 'writing API Key to keyvault, and clearing.'
                 Write-Information "$ENV:WEBSITE_DEPLOYMENT_ID"
-                if ($Request.Body.$APIKey.APIKey) {
+                if ($Body.$APIKey.APIKey) {
                     if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true') {
                         $DevSecretsTable = Get-CIPPTable -tablename 'DevSecrets'
                         $Secret = [PSCustomObject]@{
                             'PartitionKey' = $APIKey
                             'RowKey'       = $APIKey
-                            'APIKey'       = $Request.Body.$APIKey.APIKey
+                            'APIKey'       = $Body.$APIKey.APIKey
                         }
                         Add-CIPPAzDataTableEntity @DevSecretsTable -Entity $Secret -Force
                     } else {
-                        $null = Set-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name $APIKey -SecretValue (ConvertTo-SecureString -AsPlainText -Force -String $Request.Body.$APIKey.APIKey)
+                        $null = Set-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name $APIKey -SecretValue (ConvertTo-SecureString -AsPlainText -Force -String $Body.$APIKey.APIKey)
                     }
                 }
-                if ($Request.Body.$APIKey.PSObject.Properties -notcontains 'APIKey') {
-                    $Request.Body.$APIKey | Add-Member -MemberType NoteProperty -Name APIKey -Value 'SentToKeyVault'
+                if ($Body.$APIKey.PSObject.Properties.Name -notcontains 'APIKey') {
+                    $Body.$APIKey | Add-Member -MemberType NoteProperty -Name APIKey -Value 'SentToKeyVault'
                 } else {
-                    $Request.Body.$APIKey.APIKey = 'SentToKeyVault'
+                    $Body.$APIKey.APIKey = 'SentToKeyVault'
                 }
             }
-            $Request.Body.$APIKey = $Request.Body.$APIKey | Select-Object * -ExcludeProperty ResetPassword
+            $Body.$APIKey = $Body.$APIKey | Select-Object * -ExcludeProperty ResetPassword
         }
-        $body = $Request.Body | Select-Object * -ExcludeProperty APIKey, Enabled | ConvertTo-Json -Depth 10 -Compress
+        $Body = $Body | Select-Object * -ExcludeProperty APIKey, Enabled | ConvertTo-Json -Depth 10 -Compress
         $Config = @{
             'PartitionKey' = 'CippExtensions'
             'RowKey'       = 'Config'
-            'config'       = [string]$body
+            'config'       = [string]$Body
         }
 
         Add-CIPPAzDataTableEntity @Table -Entity $Config -Force | Out-Null

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

@@ -136,7 +136,7 @@ Function Invoke-ExecJITAdmin {
             }
         }
 
-        $Parameters = @{
+        $Parameters = [pscustomobject]@{
             TenantFilter = $Request.Body.TenantFilter
             User         = @{
                 'UserPrincipalName' = $Username

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecPerUserMFAAllUsers.ps1

@@ -0,0 +1,29 @@
+function Invoke-ExecPerUserMFAAllUsers {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+
+    .ROLE
+    Identity.User.ReadWrite
+    #>
+    Param(
+        $Request,
+        $TriggerMetadata
+    )
+    $TenantFilter = $request.query.TenantFilter
+    $Users = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users' -tenantid $TenantFilter
+    $Request = @{
+        userId        = $Users.id
+        TenantFilter  = $tenantfilter
+        State         = $Request.query.State
+        executingUser = $Request.Headers.'x-ms-client-principal'
+    }
+    $Result = Set-CIPPPerUserMFA @Request
+    $Body = @{
+        Results = @($Result)
+    }
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Body
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecSendPush.ps1

@@ -52,7 +52,7 @@ Function Invoke-ExecSendPush {
         $SPBody = [pscustomobject]@{
             appId = $MFAAppID
         }
-        $SPID = (New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $TenantFilter -type POST -body $SPBody -verbose).id
+        $SPID = (New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $TenantFilter -type POST -body $SPBody ).id
     }
 
 
@@ -64,7 +64,7 @@ Function Invoke-ExecSendPush {
         }
     } | ConvertTo-Json -Depth 5
 
-    $TempPass = (New-GraphPostRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SPID/addPassword" -tenantid $TenantFilter -type POST -body $PassReqBody -verbose).secretText
+    $TempPass = (New-GraphPostRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SPID/addPassword" -tenantid $TenantFilter -type POST -body $PassReqBody -AsApp $true).secretText
 
     # Give it a chance to apply
     #Start-Sleep 5

Modules/CIPPCore/Public/Get-CIPPMFAState.ps1

@@ -17,20 +17,25 @@ function Get-CIPPMFAState {
         }
     }
 
-    $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $TenantFilter ).IsEnabled
+    try {
+        $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $TenantFilter ).IsEnabled
+    } catch {
+        Write-Host "Secure Defaults not available: $($_.Exception.Message)"
+    }
     $CAState = [System.Collections.Generic.List[object]]::new()
 
     Try {
-        $MFARegistration = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails' -tenantid $TenantFilter)
+        $MFARegistration = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails' -tenantid $TenantFilter)
     } catch {
         $CAState.Add('Not Licensed for Conditional Access') | Out-Null
         $MFARegistration = $null
+        Write-Host "User registration details not available: $($_.Exception.Message)"
     }
 
     if ($null -ne $MFARegistration) {
-        $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $TenantFilter -ErrorAction Stop )
-
+        $CASuccess = $true
         try {
+            $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $TenantFilter -ErrorAction Stop )
             foreach ($Policy in $CAPolicies) {
                 $IsMFAControl = $policy.grantControls.builtincontrols -eq 'mfa' -or $Policy.grantControls.authenticationStrength.requirementsSatisfied -eq 'mfa' -or $Policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa'
                 $IsAllApps = [bool]($Policy.conditions.applications.includeApplications -eq 'All')
@@ -51,6 +56,8 @@ function Get-CIPPMFAState {
                 }
             }
         } catch {
+            $CASuccess = $false
+            $CAError = "CA policies not available: $($_.Exception.Message)"
         }
     }
 
@@ -59,7 +66,6 @@ function Get-CIPPMFAState {
 
     # Interact with query parameters or the body of the request.
     $GraphRequest = $Users | ForEach-Object {
-        Write-Host 'Processing users'
         $UserCAState = [System.Collections.Generic.List[object]]::new()
         foreach ($CA in $CAState) {
             if ($CA.IncludedUsers -eq 'All' -or $CA.IncludedUsers -contains $_.ObjectId) {
@@ -79,12 +85,16 @@ function Get-CIPPMFAState {
                 $CoveredByCA = 'Enforced - Specific Apps'
             }
         } else {
-            $CoveredByCA = 'Not Enforced'
+            if ($CASuccess -eq $false) {
+                $CoveredByCA = $CAError
+            } else {
+                $CoveredByCA = 'Not Enforced'
+            }
         }
 
         $PerUser = if ($PerUserMFAState -eq $null) { $null } else { ($PerUserMFAState | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).PerUserMFAState }
 
-        $MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).IsMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName) }
+        $MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName).isMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName) }
 
         [PSCustomObject]@{
             Tenant          = $TenantFilter
@@ -94,8 +104,9 @@ function Get-CIPPMFAState {
             AccountEnabled  = $_.accountEnabled
             PerUser         = $PerUser
             isLicensed      = $_.isLicensed
-            MFARegistration = $MFARegUser.IsMFARegistered
-            MFAMethods      = $MFARegUser.authMethods
+            MFARegistration = $MFARegUser.isMFARegistered
+            MFACapable      = $MFARegUser.isMFACapable
+            MFAMethods      = $MFARegUser.methodsRegistered
             CoveredByCA     = $CoveredByCA
             CAPolicies      = $UserCAState
             CoveredBySD     = $SecureDefaultsState