@@ -8,9 +8,13 @@ function Test-CIPPAccess {
88 # Get function help
99 $FunctionName = ' Invoke-{0}' -f $Request.Params.CIPPEndpoint
1010
11- try {
12- $Help = Get-Help $FunctionName - ErrorAction Stop
13- } catch {}
11+ if ($FunctionName -ne ' Invoke-me' ) {
12+ try {
13+ $Help = Get-Help $FunctionName - ErrorAction Stop
14+ } catch {
15+ Write-Warning " Function '$FunctionName ' not found"
16+ }
17+ }
1418
1519 # Check help for role
1620 $APIRole = $Help.Role
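Review bot: When Get-Help throws, the new catch only warns and execution continues with `$Help` unset, so `$APIRole` on the next line is `$null`; the hunk does not show whether a null role fails closed, so either return a deny result from the catch or add a comment stating that a missing role is rejected below. `$FunctionName` is built from `$Request.Params.CIPPEndpoint`, and Get-Help's -Name parameter accepts wildcard patterns, so a value containing `*` or `?` could resolve to several commands and turn `$Help.Role` into an array; validating the endpoint name before the lookup, e.g. `if ($Request.Params.CIPPEndpoint -notmatch '^[A-Za-z0-9]+$') { throw 'Invalid endpoint name' }`, would close that. The `'Invoke-me'` exclusion also deserves a one-line comment saying why that endpoint needs no help-based role lookup. Test-CIPPAccess begins and continues outside this hunk.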
@@ -189,10 +193,39 @@ function Test-CIPPAccess {
189193 if ((($Permission.AllowedTenants | Measure-Object ).Count -eq 0 -or $Permission.AllowedTenants -contains ' AllTenants' ) -and (($Permission.BlockedTenants | Measure-Object ).Count -eq 0 )) {
190194 @ (' AllTenants' )
191195 } else {
192- if ($Permission.AllowedTenants -contains ' AllTenants' ) {
193- $Permission.AllowedTenants = $Tenants.customerId
196+ # Expand tenant groups to individual tenant IDs
197+ $ExpandedAllowedTenants = foreach ($AllowedItem in $Permission.AllowedTenants ) {
198+ if ($AllowedItem -is [PSCustomObject ] -and $AllowedItem.type -eq ' Group' ) {
199+ try {
200+ $GroupMembers = Expand-CIPPTenantGroups - TenantFilter @ ($AllowedItem )
201+ $GroupMembers | ForEach-Object { $_.addedFields.customerId }
202+ } catch {
203+ Write-Warning " Failed to expand tenant group '$ ( $AllowedItem.label ) ': $ ( $_.Exception.Message ) "
204+ @ ()
205+ }
206+ } else {
207+ $AllowedItem
208+ }
209+ }
210+
211+ $ExpandedBlockedTenants = foreach ($BlockedItem in $Permission.BlockedTenants ) {
212+ if ($BlockedItem -is [PSCustomObject ] -and $BlockedItem.type -eq ' Group' ) {
213+ try {
214+ $GroupMembers = Expand-CIPPTenantGroups - TenantFilter @ ($BlockedItem )
215+ $GroupMembers | ForEach-Object { $_.addedFields.customerId }
216+ } catch {
217+ Write-Warning " Failed to expand blocked tenant group '$ ( $BlockedItem.label ) ': $ ( $_.Exception.Message ) "
218+ @ ()
219+ }
220+ } else {
221+ $BlockedItem
222+ }
223+ }
224+
225+ if ($ExpandedAllowedTenants -contains ' AllTenants' ) {
226+ $ExpandedAllowedTenants = $Tenants.customerId
194227 }
195- $Permission .AllowedTenants | Where-Object { $Permission .BlockedTenants -notcontains $_ }
228+ $ExpandedAllowedTenants | Where-Object { $ExpandedBlockedTenants -notcontains $_ }
196229 }
197230 }
198231 return $LimitedTenantList
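Review bot: In the blocked-tenant expansion at lines 211-223 a failed `Expand-CIPPTenantGroups` call is caught, logged and replaced with `@()`, so the members of a blocked group silently stop being blocked and the permission widens on a transient error; the same pattern appears in the third hunk (lines 270-282). On the allowed side an empty result only narrows access, but on the blocked side it should fail closed, e.g. `} catch { Write-Warning "Failed to expand blocked tenant group '$($BlockedItem.label)': $($_.Exception.Message)"; throw }` or marking the permission unusable for this request. The four near-identical expansion loops (here and in the third hunk) would also be easier to keep consistent as one private helper that takes the list and returns the expanded customerIds. The enclosing function continues outside the hunk.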
@@ -217,13 +250,45 @@ function Test-CIPPAccess {
217250 $TenantAllowed = $false
218251 } else {
219252 $Tenant = ($Tenants | Where-Object { $TenantFilter -eq $_.customerId -or $TenantFilter -eq $_.defaultDomainName }).customerId
220- if ($Role.AllowedTenants -contains ' AllTenants' ) {
253+
254+ # Expand allowed tenant groups to individual tenant IDs
255+ $ExpandedAllowedTenants = foreach ($AllowedItem in $Role.AllowedTenants ) {
256+ if ($AllowedItem -is [PSCustomObject ] -and $AllowedItem.type -eq ' Group' ) {
257+ try {
258+ $GroupMembers = Expand-CIPPTenantGroups - TenantFilter @ ($AllowedItem )
259+ $GroupMembers | ForEach-Object { $_.addedFields.customerId }
260+ } catch {
261+ Write-Warning " Failed to expand allowed tenant group '$ ( $AllowedItem.label ) ': $ ( $_.Exception.Message ) "
262+ @ ()
263+ }
264+ } else {
265+ $AllowedItem
266+ }
267+ }
268+
269+ # Expand blocked tenant groups to individual tenant IDs
270+ $ExpandedBlockedTenants = foreach ($BlockedItem in $Role.BlockedTenants ) {
271+ if ($BlockedItem -is [PSCustomObject ] -and $BlockedItem.type -eq ' Group' ) {
272+ try {
273+ $GroupMembers = Expand-CIPPTenantGroups - TenantFilter @ ($BlockedItem )
274+ $GroupMembers | ForEach-Object { $_.addedFields.customerId }
275+ } catch {
276+ Write-Warning " Failed to expand blocked tenant group '$ ( $BlockedItem.label ) ': $ ( $_.Exception.Message ) "
277+ @ ()
278+ }
279+ } else {
280+ $BlockedItem
281+ }
282+ }
283+
284+ if ($ExpandedAllowedTenants -contains ' AllTenants' ) {
221285 $AllowedTenants = $Tenants.customerId
222286 } else {
223- $AllowedTenants = $Role .AllowedTenants
287+ $AllowedTenants = $ExpandedAllowedTenants
224288 }
289+
225290 if ($Tenant ) {
226- $TenantAllowed = $AllowedTenants -contains $Tenant -and $Role .BlockedTenants -notcontains $Tenant
291+ $TenantAllowed = $AllowedTenants -contains $Tenant -and $ExpandedBlockedTenants -notcontains $Tenant
227292 if (! $TenantAllowed ) { continue }
228293 break
229294 } else {
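Review bot: The group expansion at lines 255-282 runs inside what appears (from the `continue`/`break` at lines 292-293) to be a per-role loop, so every request calls `Expand-CIPPTenantGroups` once per group per role; if that function performs a lookup, caching results in a hashtable keyed by the group identifier for the duration of the request would avoid repeated calls without changing the outcome. The `-is [PSCustomObject]` test at lines 256 and 271 also means an entry stored in any other shape (for example a hashtable) is passed through unexpanded, which on the blocked side would not block anything; worth a comment stating the expected entry shape, or a `Write-Warning` when an object entry is not a recognised group. The loop and function that enclose this hunk start and end outside it.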