Merge pull request KelvinTegelaar#984 from KelvinTegelaar/dev

Dev to special ben hotfix

Author: KelvinTegelaar

Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1

@@ -19,19 +19,19 @@ function Add-CIPPScheduledTask {
     $propertiesToCheck = @('Webhook', 'Email', 'PSA')
     $PostExecution = ($propertiesToCheck | Where-Object { $task.PostExecution.$_ -eq $true }) -join ','
     $Parameters = [System.Collections.Hashtable]@{}
-    foreach ($Key in $task.Parameters.Keys) {
+    foreach ($Key in $task.Parameters.PSObject.Properties.Name) {
         $Param = $task.Parameters.$Key
-        if ($Param.Key) {
+        if ($Param -is [System.Collections.IDictionary]) {
             $ht = @{}
-            foreach ($p in $Param) {
-                Write-Host $p.Key
+            foreach ($p in $Param.GetEnumerator()) {
                 $ht[$p.Key] = $p.Value
             }
             $Parameters[$Key] = [PSCustomObject]$ht
         } else {
             $Parameters[$Key] = $Param
         }
     }
+
     $Parameters = ($Parameters | ConvertTo-Json -Depth 10 -Compress)
     $AdditionalProperties = [System.Collections.Hashtable]@{}
     foreach ($Prop in $task.AdditionalProperties) {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecClrImmId.ps1

@@ -20,13 +20,13 @@ Function Invoke-ExecClrImmId {
     Try {
         $TenantFilter = $Request.Query.TenantFilter
         $UserID = $Request.Query.ID
-        $Body = [pscustomobject] @{
-            onPremisesImmutableId = $null
-        } | ConvertTo-Json
-        $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body
+        $Body = [pscustomobject]@{ onPremisesImmutableId = $null }
+        $Body = ConvertTo-Json -InputObject $Body -Depth 5 -Compress
+        $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body
         $Results = [pscustomobject]@{'Results' = 'Successfully Cleared ImmutableId' }
     } catch {
-        $Results = [pscustomobject]@{'Results' = "Failed. $_.Exception.Message"; colour = 'danger' }
+        $ErrorMessage = Get-NormalizedError -Message $_.Exception
+        $Results = [pscustomobject]@{'Results' = "Failed. $ErrorMessage"; colour = 'danger' }
         $_.Exception
     }
 
@@ -35,5 +35,4 @@ Function Invoke-ExecClrImmId {
             StatusCode = [HttpStatusCode]::OK
             Body       = $Results
         })
-
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

@@ -11,7 +11,9 @@ Function Invoke-ExecJITAdmin {
     param($Request, $TriggerMetadata)
 
     $APIName = 'ExecJITAdmin'
-    Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $User = $Request.Headers.'x-ms-client-principal'
+
+    Write-LogMessage -user $User -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 
     if ($Request.Query.Action -eq 'List') {
         $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' }
@@ -61,14 +63,14 @@ Function Invoke-ExecJITAdmin {
         if ($Request.Body.UserId -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
             $Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.UserId)" -tenantid $Request.Body.TenantFilter).userPrincipalName
         }
-        Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message "Executing JIT Admin for $Username" -Sev 'Info'
+        Write-LogMessage -user $User -API $APINAME -message "Executing JIT Admin for $Username" -Sev 'Info'
 
         $Start = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.StartDate)).DateTime.ToLocalTime()
         $Expiration = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.EndDate)).DateTime.ToLocalTime()
         $Results = [System.Collections.Generic.List[string]]::new()
 
-        if ($Request.Body.useraction -eq 'create') {
-            Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message "Creating JIT Admin user $($Request.Body.UserPrincipalName)" -Sev 'Info'
+        if ($Request.Body.useraction -eq 'Create') {
+            Write-LogMessage -user $User -API $APINAME -message "Creating JIT Admin user $($Request.Body.UserPrincipalName)" -Sev 'Info'
             Write-Information "Creating JIT Admin user $($Request.Body.UserPrincipalName)"
             $JITAdmin = @{
                 User         = @{
@@ -86,7 +88,7 @@ Function Invoke-ExecJITAdmin {
             if (!$Request.Body.UseTAP) {
                 $Results.Add("Password: $($CreateResult.password)")
             }
-            $Results.Add("JIT Expires: $($Expiration)")
+            $Results.Add("JIT Admin Expires: $($Expiration)")
             Start-Sleep -Seconds 1
         }
 
@@ -101,14 +103,27 @@ Function Invoke-ExecJITAdmin {
                     $TapBody = '{}'
                 }
                 Write-Information "https://graph.microsoft.com/beta/users/$Username/authentication/temporaryAccessPassMethods"
-                $TapRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Username)/authentication/temporaryAccessPassMethods" -tenantid $Request.Body.TenantFilter -type POST -body $TapBody
+                # Retry creating the TAP up to 5 times, since it can fail due to the user not being fully created yet
+                $Retries = 0
+                do {
+                    try {
+                        $TapRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Username)/authentication/temporaryAccessPassMethods" -tenantid $Request.Body.TenantFilter -type POST -body $TapBody
+                    } catch {
+                        Start-Sleep -Seconds 2
+                        Write-Information 'ERROR: Failed to create TAP, retrying'
+                        Write-Information ( ConvertTo-Json -Depth 5 -InputObject (Get-CippException -Exception $_))
+                    }
+                    $Retries++
+                } while ( $null -eq $TapRequest.temporaryAccessPass -and $Retries -le 5 )
 
                 $TempPass = $TapRequest.temporaryAccessPass
                 $PasswordExpiration = $TapRequest.LifetimeInMinutes
 
                 $PasswordLink = New-PwPushLink -Payload $TempPass
                 if ($PasswordLink) {
                     $Password = $PasswordLink
+                } else {
+                    $Password = $TempPass
                 }
                 $Results.Add("Temporary Access Pass: $Password")
                 $Results.Add("This TAP is usable starting at $($TapRequest.startDateTime) UTC for the next $PasswordExpiration minutes")
@@ -147,7 +162,9 @@ Function Invoke-ExecJITAdmin {
                 }
             }
             Add-CIPPScheduledTask -Task $TaskBody -hidden $false
-            Set-CIPPUserJITAdminProperties -TenantFilter $Request.Body.TenantFilter -UserId $Request.Body.UserId -Expiration $Expiration
+            if ($Request.Body.useraction -ne 'Create') {
+                Set-CIPPUserJITAdminProperties -TenantFilter $Request.Body.TenantFilter -UserId $Request.Body.UserId -Expiration $Expiration
+            }
             $Results.Add("Scheduling JIT Admin enable task for $Username")
         } else {
             $Results.Add("Executing JIT Admin enable task for $Username")
@@ -176,7 +193,7 @@ Function Invoke-ExecJITAdmin {
             }
             ScheduledTime = $Request.Body.EndDate
         }
-        Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false
+        $null = Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false
         $Results.Add("Scheduling JIT Admin $($Request.Body.ExpireAction) task for $Username")
         $Body = @{
             Results = @($Results)

Modules/CIPPCore/Public/Entrypoints/Invoke-ListDomains.ps1

@@ -21,7 +21,7 @@ Function Invoke-ListDomains {
     $TenantFilter = $Request.Query.TenantFilter
 
     try {
-        $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter | Select-Object id, isdefault, isinitial | Sort-Object isdefault
+        $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter | Select-Object id, isdefault, isinitial | Sort-Object isdefault -Descending
         $StatusCode = [HttpStatusCode]::OK
     } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message

Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1

@@ -50,6 +50,8 @@ function Set-CIPPUserJITAdmin {
         switch ($Action) {
             'Create' {
                 $Password = New-passwordString
+                $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' }
+
                 $Body = @{
                     givenName         = $User.FirstName
                     surname           = $User.LastName
@@ -62,6 +64,10 @@ function Set-CIPPUserJITAdmin {
                         forceChangePasswordNextSignInWithMfa = $false
                         password                             = $Password
                     }
+                    $Schema.id        = @{
+                        jitAdminEnabled    = $false
+                        jitAdminExpiration = $Expiration.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+                    }
                 }
                 $Json = ConvertTo-Json -Depth 5 -InputObject $Body
                 try {
@@ -135,9 +141,10 @@ function Set-CIPPUserJITAdmin {
                     Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $User.UserPrincipalName -Clear | Out-Null
                     return "Disabled user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
                 } catch {
-                    return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $($_.Exception.Message)"
+                    $ErrrorMessage = Get-NormalizedError -Message $_.Exception.Message
+                    return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrrorMessage"
                 }
             }
         }
     }
-}
+}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1

@@ -1,36 +1,35 @@
 function Invoke-CIPPStandardActivityBasedTimeout {
     <#
     .FUNCTIONALITY
-    Internal
-    .APINAME
-    ActivityBasedTimeout
-    .CAT
-    Global Standards
-    .TAG
-    "mediumimpact"
-    "CIS"
-    "spo_idle_session_timeout"
-    .HELPTEXT
-    Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps
-    .ADDEDCOMPONENT
-    {"type":"Select","label":"Select value","name":"standards.ActivityBasedTimeout.timeout","values":[{"label":"1 Hour","value":"01:00:00"},{"label":"3 Hours","value":"03:00:00"},{"label":"6 Hours","value":"06:00:00"},{"label":"12 Hours","value":"12:00:00"},{"label":"24 Hours","value":"1.00:00:00"}]}
-    .LABEL
-    Enable Activity based Timeout
-    .IMPACT
-    Medium Impact
-    .POWERSHELLEQUIVALENT
-    Portal or Graph API
-    .RECOMMENDEDBY
-    "CIS"
-    .DOCSDESCRIPTION
-    Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps
-    .UPDATECOMMENTBLOCK
-    Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+        Internal
+    .COMPONENT
+        (APIName) ActivityBasedTimeout
+    .SYNOPSIS
+        (Label) Enable Activity based Timeout
+    .DESCRIPTION
+        (Helptext) Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps
+        (DocsDescription) Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps
+    .NOTES
+        CAT
+            Global Standards
+        TAG
+            "mediumimpact"
+            "CIS"
+            "spo_idle_session_timeout"
+        ADDEDCOMPONENT
+            {"type":"Select","label":"Select value","name":"standards.ActivityBasedTimeout.timeout","values":[{"label":"1 Hour","value":"01:00:00"},{"label":"3 Hours","value":"03:00:00"},{"label":"6 Hours","value":"06:00:00"},{"label":"12 Hours","value":"12:00:00"},{"label":"24 Hours","value":"1.00:00:00"}]}
+        IMPACT
+            Medium Impact
+        POWERSHELLEQUIVALENT
+            Portal or Graph API
+        RECOMMENDEDBY
+            "CIS"
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/edit-standards
     #>
 
-
-
-
     param($Tenant, $Settings)
 
     # Input validation
@@ -91,8 +90,3 @@ function Invoke-CIPPStandardActivityBasedTimeout {
     }
 
 }
-
-
-
-
-

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1

@@ -1,34 +1,33 @@
 function Invoke-CIPPStandardAddDKIM {
     <#
     .FUNCTIONALITY
-    Internal
-    .APINAME
-    AddDKIM
-    .CAT
-    Exchange Standards
-    .TAG
-    "lowimpact"
-    "CIS"
-    .HELPTEXT
-    Enables DKIM for all domains that currently support it
-    .ADDEDCOMPONENT
-    .LABEL
-    Enables DKIM for all domains that currently support it
-    .IMPACT
-    Low Impact
-    .POWERSHELLEQUIVALENT
-    New-DkimSigningConfig and Set-DkimSigningConfig
-    .RECOMMENDEDBY
-    "CIS"
-    .DOCSDESCRIPTION
-    Enables DKIM for all domains that currently support it
-    .UPDATECOMMENTBLOCK
-    Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+        Internal
+    .COMPONENT
+        (APIName) AddDKIM
+    .SYNOPSIS
+        (Label) Enables DKIM for all domains that currently support it
+    .DESCRIPTION
+        (Helptext) Enables DKIM for all domains that currently support it
+        (DocsDescription) Enables DKIM for all domains that currently support it
+    .NOTES
+        CAT
+            Exchange Standards
+        TAG
+            "lowimpact"
+            "CIS"
+        ADDEDCOMPONENT
+        IMPACT
+            Low Impact
+        POWERSHELLEQUIVALENT
+            New-DkimSigningConfig and Set-DkimSigningConfig
+        RECOMMENDEDBY
+            "CIS"
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/edit-standards
     #>
 
-
-
-
     param($Tenant, $Settings)
 
     $AllDomains = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/domains?$top=999' -tenantid $Tenant | Where-Object { $_.supportedServices -contains 'Email' -or $_.id -like '*mail.onmicrosoft.com' }).id
@@ -107,7 +106,3 @@ function Invoke-CIPPStandardAddDKIM {
         Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIMState -StoreAs bool -Tenant $tenant
     }
 }
-
-
-
-

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1

@@ -1,34 +1,31 @@
 function Invoke-CIPPStandardAnonReportDisable {
     <#
     .FUNCTIONALITY
-    Internal
-    .APINAME
-    AnonReportDisable
-    .CAT
-    Global Standards
-    .TAG
-    "lowimpact"
-    .HELPTEXT
-    Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.
-    .DOCSDESCRIPTION
-    Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports.
-    .ADDEDCOMPONENT
-    .LABEL
-    Enable Usernames instead of pseudo anonymised names in reports
-    .IMPACT
-    Low Impact
-    .POWERSHELLEQUIVALENT
-    Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true}
-    .RECOMMENDEDBY
-    .DOCSDESCRIPTION
-    Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.
-    .UPDATECOMMENTBLOCK
-    Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+        Internal
+    .COMPONENT
+        (APIName) AnonReportDisable
+    .SYNOPSIS
+        (Label) Enable Usernames instead of pseudo anonymised names in reports
+    .DESCRIPTION
+        (Helptext) Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.
+        (DocsDescription) Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports.
+    .NOTES
+        CAT
+            Global Standards
+        TAG
+            "lowimpact"
+        ADDEDCOMPONENT
+        IMPACT
+            Low Impact
+        POWERSHELLEQUIVALENT
+            Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true}
+        RECOMMENDEDBY
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/edit-standards
     #>
 
-
-
-
     param($Tenant, $Settings)
     $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -tenantid $Tenant -AsApp $true
 
@@ -58,7 +55,3 @@ function Invoke-CIPPStandardAnonReportDisable {
         Add-CIPPBPAField -FieldName 'AnonReport' -FieldValue $CurrentInfo.displayConcealedNames -StoreAs bool -Tenant $tenant
     }
 }
-
-
-
-