[pull] master from KelvinTegelaar:master

Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1

@@ -12,6 +12,8 @@ function Test-CIPPAccess {
     # Check help for role
     $APIRole = $Help.Role
 
+    $AnyTenantAllowedFunctions = @('ListTenants', 'ListUserSettings', 'ListUserPhoto', 'GetCippAlerts', 'GetVersion')
+
     if ($Request.Headers.'x-ms-client-principal-idp' -eq 'aad' -and $Request.Headers.'x-ms-client-principal-name' -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') {
         # Direct API Access
         $ForwardedFor = $Request.Headers.'x-forwarded-for' -split ',' | Select-Object -First 1
@@ -106,13 +108,14 @@ function Test-CIPPAccess {
                 }
 
                 if ($APIAllowed) {
+                    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter ?? $env:TenantID
                     # Check tenant level access
                     if (($Role.BlockedTenants | Measure-Object).Count -eq 0 -and $Role.AllowedTenants -contains 'AllTenants') {
                         $TenantAllowed = $true
-                    } elseif ($Request.Query.TenantFilter -eq 'AllTenants' -or $Request.Body.TenantFilter -eq 'AllTenants') {
+                    } elseif ($TenantFilter -eq 'AllTenants') {
                         $TenantAllowed = $false
                     } else {
-                        $Tenant = ($Tenants | Where-Object { $Request.Query.TenantFilter -eq $_.customerId -or $Request.Body.TenantFilter -eq $_.customerId -or $Request.Query.TenantFilter -eq $_.defaultDomainName -or $Request.Body.TenantFilter -eq $_.defaultDomainName }).customerId
+                        $Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
                         if ($Role.AllowedTenants -contains 'AllTenants') {
                             $AllowedTenants = $Tenants.customerId
                         } else {
@@ -132,7 +135,7 @@ function Test-CIPPAccess {
             if (!$APIAllowed) {
                 throw "Access to this CIPP API endpoint is not allowed, the '$($Role.Role)' custom role does not have the required permission: $APIRole"
             }
-            if (!$TenantAllowed) {
+            if (!$TenantAllowed -and $AnyTenantAllowedFunctions -notcontains $Request.Params.CIPPEndpoint) {
                 throw 'Access to this tenant is not allowed'
             } else {
                 return $true

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Graph Requests/Push-ListGraphRequestQueue.ps1

@@ -39,7 +39,8 @@ function Push-ListGraphRequestQueue {
         }
 
         $RawGraphRequest = try {
-            Get-GraphRequestList @GraphRequestParams
+            $Results = Get-GraphRequestList @GraphRequestParams
+            $Results | Select-Object -First ($Results.Count - 1)
         } catch {
             $CippException = Get-CippException -Exception $_.Exception
             [PSCustomObject]@{
@@ -57,6 +58,7 @@ function Push-ListGraphRequestQueue {
             Data         = [string]$Json
         }
         Add-CIPPAzDataTableEntity @Table -Entity $GraphResults -Force | Out-Null
+        return $true
     } catch {
         Write-Warning "Queue Error: $($_.Exception.Message)"
         #Write-Information ($GraphResults | ConvertTo-Json -Depth 10 -Compress)

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecSetCIPPAutoBackup.ps1

@@ -15,7 +15,7 @@ Function Invoke-ExecSetCIPPAutoBackup {
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
     $unixtime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
-    if ($Request.Body.Enabled -eq 'True') {
+    if ($Request.Body.Enabled -eq $true) {
         $Table = Get-CIPPTable -TableName 'ScheduledTasks'
         $AutomatedCIPPBackupTask = Get-AzDataTableEntity @table -Filter "Name eq 'Automated CIPP Backup'"
         $task = @{

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ListGraphBulkRequest.ps1

@@ -15,10 +15,12 @@ function Invoke-ListGraphBulkRequest {
     $TenantFilter = $Request.Body.tenantFilter
     $AsApp = $Request.Body.asApp
     $Requests = $Request.Body.requests
+    $NoPaginateIds = $Request.Body.noPaginateIds
 
     $GraphRequestParams = @{
         tenantid = $TenantFilter
         Requests = @()
+        NoPaginateIds = $NoPaginateIds ?? @()
     }
 
     if ($AsApp) {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-ListScheduledItems.ps1

@@ -44,7 +44,6 @@ Function Invoke-ListScheduledItems {
     }
     $Tasks = Get-CIPPAzDataTableEntity @Table -Filter $Filter | Where-Object { $_.Hidden -ne $HiddenTasks }
     if ($Type) {
-        $Tasks.Command
         $Tasks = $Tasks | Where-Object { $_.command -eq $Type }
     }
 
@@ -61,13 +60,16 @@ Function Invoke-ListScheduledItems {
         } else {
             $Task | Add-Member -NotePropertyName Parameters -NotePropertyValue @{}
         }
+        if ($Task.Recurrence -eq 0 -or [string]::IsNullOrEmpty($Task.Recurrence)) {
+            $Task.Recurrence = 'Once'
+        }
         $Task
     }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK
-            Body       = @($ScheduledTasks)
+            Body       = @($ScheduledTasks | Sort-Object -Property ExecutedTime -Descending)
         })
 
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecHideFromGAL.ps1

@@ -10,8 +10,8 @@ Function Invoke-ExecHideFromGAL {
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
 
-    $Headers = $Request.Headers
     $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
     Write-LogMessage -Headers $Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 
 
@@ -22,19 +22,17 @@ Function Invoke-ExecHideFromGAL {
     $HideFromGAL = [System.Convert]::ToBoolean($HideFromGAL)
 
     Try {
-        $HideResults = Set-CIPPHideFromGAL -tenantFilter $TenantFilter -UserID $UserId -hidefromgal $Hidden -Headers $Request.Headers -APIName $APIName
-        $Results = [pscustomobject]@{'Results' = $HideResults }
+        $Result = Set-CIPPHideFromGAL -tenantFilter $TenantFilter -UserID $UserId -hidefromgal $HideFromGAL -Headers $Headers -APIName $APIName
         $StatusCode = [HttpStatusCode]::OK
 
     } catch {
-        $ErrorMessage = Get-CippException -Exception $_
-        $Results = [pscustomobject]@{'Results' = "Failed. $($ErrorMessage.NormalizedError)" }
+        $Result = $_.Exception.Message
         $StatusCode = [HttpStatusCode]::Forbidden
     }
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = $StatusCode
-            Body       = $Results
+            Body       = @{ 'Results' = $Result }
         })
 
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecStartManagedFolderAssistant.ps1

@@ -24,7 +24,6 @@ Function Invoke-ExecStartManagedFolderAssistant {
 
     $ExoParams = @{
         Identity          = $Identity
-        AggMailboxCleanup = $true
         FullCrawl         = $true
     }
 

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ListMailboxes.ps1

@@ -11,10 +11,11 @@ Function Invoke-ListMailboxes {
     param($Request, $TriggerMetadata)
 
     $APIName = $Request.Params.CIPPEndpoint
-    Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
     # Interact with query parameters or the body of the request.
-    $TenantFilter = $Request.Query.TenantFilter
+    $TenantFilter = $Request.Query.tenantFilter
     try {
         $Select = 'id,ExchangeGuid,ArchiveGuid,UserPrincipalName,DisplayName,PrimarySMTPAddress,RecipientType,RecipientTypeDetails,EmailAddresses,WhenSoftDeleted,IsInactiveMailbox,ForwardingSmtpAddress,DeliverToMailboxAndForward,ForwardingAddress,HiddenFromAddressListsEnabled,ExternalDirectoryObjectId,MessageCopyForSendOnBehalfEnabled,MessageCopyForSentAsEnabled'
         $ExoRequest = @{
@@ -32,6 +33,7 @@ Function Invoke-ListMailboxes {
             @{Parameter = 'PublicFolder'; Type = 'Bool' }
             @{Parameter = 'RecipientTypeDetails'; Type = 'String' }
             @{Parameter = 'SoftDeletedMailbox'; Type = 'Bool' }
+            @{Parameter = 'Identity'; Type = 'String' }
         )
 
         foreach ($Param in $Request.Query.PSObject.Properties.Name) {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ListIntunePolicy.ps1

@@ -43,6 +43,16 @@ Function Invoke-ListIntunePolicy {
                     method = 'GET'
                     url    = "/deviceManagement/windowsFeatureUpdateProfiles?`$expand=assignments&top=200"
                 }
+                @{
+                    id     = 'windowsQualityUpdatePolicies'
+                    method = 'GET'
+                    url    = "/deviceManagement/windowsQualityUpdatePolicies?`$expand=assignments&top=200"
+                }
+                @{
+                    id     = 'windowsQualityUpdateProfiles'
+                    method = 'GET'
+                    url    = "/deviceManagement/windowsQualityUpdateProfiles?`$expand=assignments&top=200"
+                }
                 @{
                     id     = 'GroupPolicyConfigurations'
                     method = 'GET'
@@ -78,6 +88,11 @@ Function Invoke-ListIntunePolicy {
                         '*microsoft.graph.macOSEndpointProtectionConfiguration*' { 'MacOS Endpoint Protection' }
                         '*microsoft.graph.androidWorkProfileGeneralDeviceConfiguration*' { 'Android Configuration' }
                         '*windowsFeatureUpdateProfiles*' { 'Feature Update' }
+                        '*windowsQualityUpdatePolicies*' { 'Quality Update' }
+                        '*windowsQualityUpdateProfiles*' { 'Quality Update' }
+                        '*iosUpdateConfiguration*' { 'iOS Update Configuration' }
+                        '*windowsDriverUpdateProfiles*' { 'Driver Update' }
+                        '*configurationPolicies*' { 'Device Configuration' }
                         default { $_.'[email protected]' }
                     }
                     $Assignments = $_.assignments.target | Select-Object -Property '@odata.type', groupId

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecDismissRiskyUser.ps1

@@ -1,47 +1,47 @@
-function Invoke-ExecDismissRiskyUser {
-    <#
-    .FUNCTIONALITY
-        Entrypoint
-    .ROLE
-        Identity.User.ReadWrite
-    #>
-    [CmdletBinding()]
-    param($Request, $TriggerMetadata)
-
-    $APIName = $Request.Params.CIPPEndpoint
-    $Headers = $Request.Headers
-    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
-
-    # Interact with the query or body of the request
-    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
-    $SuspectUser = $Request.Query.userId ?? $Request.Body.userId
-    $userDisplayName = $Request.Query.userDisplayName ?? $Request.Body.userDisplayName
-
-    $GraphRequest = @{
-        'uri'         = 'https://graph.microsoft.com/beta/riskyUsers/dismiss'
-        'tenantid'    = $TenantFilter
-        'type'        = 'POST'
-        'contentType' = 'application/json; charset=utf-8'
-        'body'        = @{
-            'userIds' = @($SuspectUser)
-        } | ConvertTo-Json
-    }
-
-    try {
-        $GraphResults = New-GraphPostRequest @GraphRequest
-        Write-LogMessage -API $APIName -tenant $TenantFilter -message "Dismissed user risk for $userDisplayName" -sev 'Info'
-        $Result = "Successfully dismissed User Risk for user $userDisplayName. $GraphResults"
-        $StatusCode = [HttpStatusCode]::OK
-    } catch {
-        $ErrorMessage = Get-CippException -Exception $_
-        $Result = "Failed to dismiss user risk for $userDisplayName. $($ErrorMessage.NormalizedError)"
-        Write-LogMessage -API $APIName -tenant $TenantFilter -message $Result -sev 'Error' -LogData $ErrorMessage
-        $StatusCode = [HttpStatusCode]::InternalServerError
-    }
-
-    # Associate values to output bindings by calling 'Push-OutputBinding'.
-    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-            StatusCode = $StatusCode
-            Body       = @{ 'Results' = $Result }
-        })
-}
+function Invoke-ExecDismissRiskyUser {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Identity.User.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    # Interact with the query or body of the request
+    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
+    $SuspectUser = $Request.Query.userId ?? $Request.Body.userId
+    $userDisplayName = $Request.Query.userDisplayName ?? $Request.Body.userDisplayName
+
+    $GraphRequest = @{
+        'uri'         = 'https://graph.microsoft.com/beta/riskyUsers/dismiss'
+        'tenantid'    = $TenantFilter
+        'type'        = 'POST'
+        'contentType' = 'application/json; charset=utf-8'
+        'body'        = @{
+            'userIds' = @($SuspectUser)
+        } | ConvertTo-Json
+    }
+
+    try {
+        $GraphResults = New-GraphPostRequest @GraphRequest
+        Write-LogMessage -API $APIName -tenant $TenantFilter -message "Dismissed user risk for $userDisplayName" -sev 'Info'
+        $Result = "Successfully dismissed User Risk for user $userDisplayName. $GraphResults"
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        $Result = "Failed to dismiss user risk for $userDisplayName. $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -API $APIName -tenant $TenantFilter -message $Result -sev 'Error' -LogData $ErrorMessage
+        $StatusCode = [HttpStatusCode]::InternalServerError
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = @{ 'Results' = $Result }
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListUserMailboxDetails.ps1

@@ -183,7 +183,20 @@ Function Invoke-ListUserMailboxDetails {
         AutoExpandingArchive     = $AutoExpandingArchiveEnabled
         RecipientTypeDetails     = $MailboxDetailedRequest.RecipientTypeDetails
         Mailbox                  = $MailboxDetailedRequest
-    }
+        MailboxActionsData       = ($MailboxDetailedRequest | Select-Object id, ExchangeGuid, ArchiveGuid, WhenSoftDeleted, @{ Name = 'UPN'; Expression = { $_.'UserPrincipalName' } },
+            @{ Name = 'displayName'; Expression = { $_.'DisplayName' } },
+            @{ Name = 'primarySmtpAddress'; Expression = { $_.'PrimarySMTPAddress' } },
+            @{ Name = 'recipientType'; Expression = { $_.'RecipientType' } },
+            @{ Name = 'recipientTypeDetails'; Expression = { $_.'RecipientTypeDetails' } },
+            @{ Name = 'AdditionalEmailAddresses'; Expression = { ($_.'EmailAddresses' | Where-Object { $_ -clike 'smtp:*' }).Replace('smtp:', '') -join ', ' } },
+            @{Name = 'ForwardingSmtpAddress'; Expression = { $_.'ForwardingSmtpAddress' -replace 'smtp:', '' } },
+            @{Name = 'InternalForwardingAddress'; Expression = { $_.'ForwardingAddress' } },
+            DeliverToMailboxAndForward,
+            HiddenFromAddressListsEnabled,
+            ExternalDirectoryObjectId,
+            MessageCopyForSendOnBehalfEnabled,
+            MessageCopyForSentAsEnabled)
+    } # Select statement taken from ListMailboxes to save a EXO request
 
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ListBPATemplates.ps1

@@ -18,8 +18,9 @@ Function Invoke-ListBPATemplates {
     $Table = Get-CippTable -tablename 'templates'
 
     $Templates = Get-ChildItem 'Config\*.BPATemplate.json' | ForEach-Object {
+        $TemplateJson = Get-Content $_ | ConvertFrom-Json | ConvertTo-Json -Compress -Depth 10
         $Entity = @{
-            JSON         = "$(Get-Content $_)"
+            JSON         = "$TemplateJson"
             RowKey       = "$($_.name)"
             PartitionKey = 'BPATemplate'
             GUID         = "$($_.name)"
@@ -31,10 +32,14 @@ Function Invoke-ListBPATemplates {
     $Templates = Get-CIPPAzDataTableEntity @Table -Filter $Filter
 
     if ($Request.Query.RawJson) {
+        foreach ($Template in $Templates) {
+            $Template.JSON = $Template.JSON -replace '"parameters":', '"Parameters":'
+        }
         $Templates = $Templates.JSON | ConvertFrom-Json
     } else {
         $Templates = $Templates | ForEach-Object {
-            $Template = $_.JSON | ConvertFrom-Json
+            $TemplateJson = $_.JSON -replace '"parameters":', '"Parameters":'
+            $Template = $TemplateJson | ConvertFrom-Json
             @{
                 GUID  = $_.GUID
                 Data  = $Template.fields

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Tools/Invoke-AddBPATemplate.ps1

@@ -18,7 +18,7 @@ Function Invoke-AddBPATemplate {
         $Table = Get-CippTable -tablename 'templates'
         $Table.Force = $true
         Add-CIPPAzDataTableEntity @Table -Entity @{
-            JSON         = "$($Request.body | ConvertTo-Json -Depth 10)"
+            JSON         = "$($Request.body | ConvertTo-Json -Depth 10 -Compress)"
             RowKey       = $Request.body.name
             PartitionKey = 'BPATemplate'
             GUID         = $Request.body.name

Modules/CIPPCore/Public/Entrypoints/Invoke-ListCSPsku.ps1

@@ -14,13 +14,19 @@ Function Invoke-ListCSPsku {
     Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
     $TenantFilter = $Request.Query.tenantFilter
 
-    if ($Request.Query.currentSkuOnly) {
-        $GraphRequest = Get-SherwebCurrentSubscription -TenantFilter $TenantFilter
-    } else {
-        $GraphRequest = Get-SherwebCatalog -TenantFilter $TenantFilter
+    try {
+        if ($Request.Query.currentSkuOnly) {
+            $GraphRequest = Get-SherwebCurrentSubscription -TenantFilter $TenantFilter
+        } else {
+            $GraphRequest = Get-SherwebCatalog -TenantFilter $TenantFilter
+        }
+    } catch {
+        $GraphRequest = [PSCustomObject]@{
+            name = @(@{value = 'Error getting catalog' })
+            sku  = $_.Exception.Message
+        }
     }
 
-
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK
             Body       = @($GraphRequest)

Modules/CIPPCore/Public/Get-CIPPLAPSPassword.ps1

@@ -12,7 +12,11 @@ function Get-CIPPLapsPassword {
         $GraphRequest = (New-GraphGetRequest -noauthcheck $true -uri "https://graph.microsoft.com/beta/directory/deviceLocalCredentials/$($device)?`$select=credentials" -tenantid $TenantFilter).credentials | Select-Object -First 1 | ForEach-Object {
             $PlainText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_.passwordBase64))
             $date = $_.BackupDateTime
-            "The password for $($_.AccountName) is $($PlainText) generated at $($date)"
+            [PSCustomObject]@{
+                resultText = "LAPS password retrieved, generated at $($date). Copy the password by clicking the copy button"
+                copyField  = $PlainText
+                state      = 'success'
+            }
         }
         if ($GraphRequest) { return $GraphRequest } else { return "No LAPS password found for $device" }
     } catch {

Modules/CIPPCore/Public/GraphHelper/New-ExoRequest.ps1

@@ -31,7 +31,7 @@ function New-ExoRequest {
         [Parameter(ParameterSetName = 'AvailableCmdlets')]
         [switch]$AvailableCmdlets,
 
-        $ModuleVersion = '3.5.1',
+        $ModuleVersion = '3.7.1',
         [switch]$AsApp
     )
     if ((Get-AuthorisedRequest -TenantID $tenantid) -or $NoAuthCheck -eq $True) {