Skip to content

Commit 23c0c83

Browse files
committed
Revert permission repair changes (AsApp grant application + Jun 30 rework)
1 parent 396606f commit 23c0c83

3 files changed

Lines changed: 18 additions & 65 deletions

File tree

Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1

Lines changed: 6 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,7 @@ function Add-CIPPApplicationPermission {
44
$RequiredResourceAccess,
55
$TemplateId,
66
$ApplicationId,
7-
$TenantFilter,
8-
[bool]$AsApp = $false
7+
$TenantFilter
98
)
109
if ($ApplicationId -eq $env:ApplicationID -and $TenantFilter -eq $env:TenantID) {
1110
$RequiredResourceAccess = 'CIPPDefaults'
@@ -58,37 +57,22 @@ function Add-CIPPApplicationPermission {
5857

5958
Write-Information "Adding application permissions to application $ApplicationId in tenant $TenantFilter"
6059

61-
# Use app auth when requested, but fall back to delegated on the first failure - the app may not
62-
# hold the application permissions needed. $UseAsApp latches to $false for the rest of the run.
63-
$UseAsApp = $AsApp
64-
$GetServicePrincipalList = { New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true -AsApp $UseAsApp }
65-
6660
$ServicePrincipalList = [System.Collections.Generic.List[object]]::new()
67-
try {
68-
$SPList = & $GetServicePrincipalList
69-
} catch {
70-
if ($UseAsApp) {
71-
Write-Information "App-auth request failed, falling back to delegated permissions: $($_.Exception.Message)"
72-
$UseAsApp = $false
73-
$SPList = & $GetServicePrincipalList
74-
} else {
75-
throw
76-
}
77-
}
61+
$SPList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
7862
foreach ($SP in $SPList) { $ServicePrincipalList.Add($SP) }
7963
$ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
8064
if (!$ourSVCPrincipal) {
8165
#Our Service Principal isn't available yet. We do a sleep and reexecute after 3 seconds.
8266
Start-Sleep -Seconds 5
8367
$ServicePrincipalList.Clear()
84-
$SPList = & $GetServicePrincipalList
68+
$SPList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
8569
foreach ($SP in $SPList) { $ServicePrincipalList.Add($SP) }
8670
$ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
8771
}
8872

8973
$Results = [System.Collections.Generic.List[string]]::new()
9074

91-
$CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true -AsApp $UseAsApp
75+
$CurrentRoles = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/appRoleAssignments" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true
9276

9377
# Collect missing service principals and prepare bulk request
9478
$MissingServicePrincipals = [System.Collections.Generic.List[object]]::new()
@@ -118,7 +102,7 @@ function Add-CIPPApplicationPermission {
118102
# Create missing service principals in bulk
119103
if ($MissingServicePrincipals.Count -gt 0) {
120104
try {
121-
$BulkResults = New-GraphBulkRequest -Requests $MissingServicePrincipals -tenantid $TenantFilter -NoAuthCheck $true -AsApp $UseAsApp
105+
$BulkResults = New-GraphBulkRequest -Requests $MissingServicePrincipals -tenantid $TenantFilter -NoAuthCheck $true
122106
foreach ($Result in $BulkResults) {
123107
if ($Result.status -eq 201) {
124108
$ServicePrincipalList.Add($Result.body)
@@ -166,7 +150,7 @@ function Add-CIPPApplicationPermission {
166150
}
167151

168152
try {
169-
$BulkResults = New-GraphBulkRequest -Requests $GrantRequests -tenantid $TenantFilter -NoAuthCheck $true -AsApp $UseAsApp
153+
$BulkResults = New-GraphBulkRequest -Requests $GrantRequests -tenantid $TenantFilter -NoAuthCheck $true
170154
foreach ($Result in $BulkResults) {
171155
if ($Result.status -eq 201) {
172156
$counter++

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

Lines changed: 8 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -5,8 +5,7 @@ function Add-CIPPDelegatedPermission {
55
$TemplateId,
66
$ApplicationId,
77
$NoTranslateRequired,
8-
$TenantFilter,
9-
[bool]$AsApp = $false
8+
$TenantFilter
109
)
1110
Write-Information 'Adding Delegated Permissions'
1211
$ApplicationId = $ApplicationId ?? $env:ApplicationID
@@ -72,34 +71,19 @@ function Add-CIPPDelegatedPermission {
7271
}
7372

7473
$Translator = Get-Content (Join-Path $env:CIPPRootPath 'Config\PermissionsTranslator.json') | ConvertFrom-Json
75-
76-
# Use app auth when requested, but fall back to delegated on the first failure - the app may not
77-
# hold the application permissions needed. $UseAsApp latches to $false for the rest of the run.
78-
$UseAsApp = $AsApp
79-
$GetServicePrincipalList = { New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true -AsApp $UseAsApp }
80-
try {
81-
$ServicePrincipalList = & $GetServicePrincipalList
82-
} catch {
83-
if ($UseAsApp) {
84-
Write-Information "App-auth request failed, falling back to delegated permissions: $($_.Exception.Message)"
85-
$UseAsApp = $false
86-
$ServicePrincipalList = & $GetServicePrincipalList
87-
} else {
88-
throw
89-
}
90-
}
74+
$ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true
9175
$Results = [System.Collections.Generic.List[string]]::new()
9276

9377
$ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId | Select-Object -First 1
9478
if (!$ourSVCPrincipal) {
95-
$ourSvcPrincipal = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$ApplicationId')?`$select=appId,id,displayName" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true -AsApp $UseAsApp
79+
$ourSvcPrincipal = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$ApplicationId')?`$select=appId,id,displayName" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true
9680
}
9781
if (!$ourSVCPrincipal) {
9882
$Results.Add("Failed to find service principal for application $ApplicationId in tenant $TenantFilter")
9983
return $Results
10084
}
10185

102-
$CurrentDelegatedScopes = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/oauth2PermissionGrants" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true -AsApp $UseAsApp
86+
$CurrentDelegatedScopes = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/oauth2PermissionGrants" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
10387

10488
foreach ($App in $RequiredResourceAccess) {
10589
if (!$App) {
@@ -111,7 +95,7 @@ function Add-CIPPDelegatedPermission {
11195
$Body = @{
11296
appId = $App.resourceAppId
11397
} | ConvertTo-Json -Compress
114-
$svcPrincipalId = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $TenantFilter -body $Body -type POST -NoAuthCheck $true -AsApp $UseAsApp
98+
$svcPrincipalId = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $TenantFilter -body $Body -type POST -NoAuthCheck $true
11599
} catch {
116100
$Results.add("Failed to create service principal for $($App.resourceAppId): $(Get-NormalizedError -message $_.Exception.Message)")
117101
continue
@@ -150,7 +134,7 @@ function Add-CIPPDelegatedPermission {
150134
resourceId = $svcPrincipalId.id
151135
scope = $NewScope
152136
} | ConvertTo-Json -Compress
153-
$CreateRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants' -tenantid $TenantFilter -body $Createbody -type POST -NoAuthCheck $true -AsApp $UseAsApp
137+
$CreateRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants' -tenantid $TenantFilter -body $Createbody -type POST -NoAuthCheck $true
154138
$Results.add("Successfully added permissions for $($svcPrincipalId.displayName)")
155139
} catch {
156140
$Results.add("Failed to add permissions for $($svcPrincipalId.displayName): $(Get-NormalizedError -message $_.Exception.Message)")
@@ -163,7 +147,7 @@ function Add-CIPPDelegatedPermission {
163147
$OldScope.id | ForEach-Object {
164148
if ($_ -ne $OldScopeId) {
165149
try {
166-
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$_" -tenantid $TenantFilter -type DELETE -NoAuthCheck $true -AsApp $UseAsApp
150+
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$_" -tenantid $TenantFilter -type DELETE -NoAuthCheck $true
167151
} catch {
168152
}
169153
}
@@ -187,7 +171,7 @@ function Add-CIPPDelegatedPermission {
187171
scope = "$NewScope"
188172
} | ConvertTo-Json -Compress
189173
try {
190-
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($OldScopeId)" -tenantid $TenantFilter -body $Patchbody -type PATCH -NoAuthCheck $true -AsApp $UseAsApp
174+
$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($OldScopeId)" -tenantid $TenantFilter -body $Patchbody -type PATCH -NoAuthCheck $true
191175
} catch {
192176
$Results.add("Failed to update permissions for $($svcPrincipalId.displayName): $(Get-NormalizedError -message $_.Exception.Message)")
193177
continue

Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1

Lines changed: 4 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,9 @@
11
function Invoke-ExecPermissionRepair {
22
<#
33
.SYNOPSIS
4-
Reconciles the CIPP-SAM permissions and re-applies them to the partner service principal.
4+
This endpoint will update the CIPP-SAM app permissions.
55
.DESCRIPTION
6-
Reconciles the saved additional-permission set (Update-CippSamPermissions), then refreshes the
7-
grants on the CIPP-SAM service principal in the PARTNER tenant so the current effective set
8-
(manifest + extras) is consented. This never writes the app registration's requiredResourceAccess;
9-
permissions are applied as service-principal grants, the same way the routine refresh does.
10-
Client tenants pick up the same effective set through their own permission refresh.
6+
Merges new permissions from the SAM manifest into the AppPermissions entry for CIPP-SAM.
117
.FUNCTIONALITY
128
Entrypoint
139
.ROLE
@@ -18,19 +14,8 @@ function Invoke-ExecPermissionRepair {
1814

1915
try {
2016
$User = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
21-
$UpdatedBy = $User.UserDetails ?? 'CIPP-API'
22-
23-
# 1) Reconcile the saved extras table (no app-registration write).
24-
$TableResult = Update-CippSamPermissions -UpdatedBy $UpdatedBy
25-
26-
# 2) Refresh the grants on the partner CIPP-SAM service principal so the effective set
27-
# (manifest + extras, read from the table) is actually consented on the SP.
28-
$AppResults = Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -TenantFilter $env:TenantID -AsApp $true
29-
$DelegatedResults = Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -TenantFilter $env:TenantID -AsApp $true
30-
31-
$Results = @($TableResult) + @($AppResults) + @($DelegatedResults) | Where-Object { $_ }
32-
Write-LogMessage -Headers $Request.Headers -API 'ExecPermissionRepair' -message "CIPP-SAM permissions repaired by $UpdatedBy" -Sev 'Info' -LogData @{ Results = @($Results) }
33-
$Body = @{'Results' = ($Results -join [Environment]::NewLine) }
17+
$Result = Update-CippSamPermissions -UpdatedBy ($User.UserDetails ?? 'CIPP-API')
18+
$Body = @{'Results' = $Result }
3419
} catch {
3520
$Body = @{
3621
'Results' = "$($_.Exception.Message) - at line $($_.InvocationInfo.ScriptLineNumber)"

0 commit comments

Comments
 (0)