Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev

Author: rvdwegen

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuarantineReleaseRequests.ps1

@@ -29,7 +29,13 @@
     }
 
     try {
-        $RequestedReleases = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ PageSize = 1000; ReleaseStatus = 'Requested'; StartReceivedDate = (Get-Date).AddHours(-6) } -ErrorAction Stop | Select-Object -ExcludeProperty *data.type* | Sort-Object -Property ReceivedTime
+        $cmdParams = @{
+            PageSize          = 1000
+            ReleaseStatus     = 'Requested'
+            StartReceivedDate = (Get-Date).AddHours(-6)
+            EndReceivedDate   = (Get-Date).AddHours(0)
+        }
+        $RequestedReleases = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-QuarantineMessage' -cmdParams $cmdParams -ErrorAction Stop | Select-Object -ExcludeProperty *data.type* | Sort-Object -Property ReceivedTime
 
         if ($RequestedReleases) {
             # Get the CIPP URL for the Quarantine link

Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1

@@ -65,6 +65,14 @@ function New-CIPPAPIConfig {
                 Write-Information $CreateBody
                 $Step = 'Creating Application'
                 $APIApp = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/applications' -AsApp $true -NoAuthCheck $true -type POST -body $CreateBody
+
+                try {
+                    $PolicyUpdate = Update-AppManagementPolicy -ApplicationId $APIApp.appId
+                    Write-Information $PolicyUpdate.PolicyAction
+                } catch {
+                    Write-Information "Failed to update app management policy: $($_.Exception.Message)"
+                }
+
                 Write-Information 'Creating password'
                 $Step = 'Creating Application Password'
                 $APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -AsApp $true -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}" -maxRetries 3

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1

@@ -50,9 +50,6 @@ function Push-CIPPDBCacheData {
             'SecureScore'
             'PIMSettings'
             'Domains'
-            'RoleEligibilitySchedules'
-            'RoleManagementPolicies'
-            'RoleAssignmentScheduleInstances'
             'B2BManagementPolicy'
             'AuthenticationFlowsPolicy'
             'DeviceRegistrationPolicy'
@@ -130,13 +127,16 @@ function Push-CIPPDBCacheData {
         }
         #endregion Conditional Access Licensed
 
-        #region Azure AD Premium P2 - Identity Protection features
+        #region Azure AD Premium P2 - Identity Protection/PIM features
         if ($AzureADPremiumP2Capable) {
             $P2CacheFunctions = @(
                 'RiskyUsers'
                 'RiskyServicePrincipals'
                 'ServicePrincipalRiskDetections'
                 'RiskDetections'
+                'RoleEligibilitySchedules'
+                'RoleAssignmentSchedules'
+                'RoleManagementPolicies'
             )
             foreach ($CacheFunction in $P2CacheFunctions) {
                 $Batch.Add(@{

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Setup/Invoke-ExecCreateSAMApp.ps1

@@ -68,6 +68,15 @@ function Invoke-ExecCreateSAMApp {
                     }
                 } until ($attempt -gt 3)
             }
+
+            try {
+                $AppPolicyStatus = Update-AppManagementPolicy
+                Write-Information $AppPolicyStatus.PolicyAction
+            } catch {
+                Write-Warning "Error updating app management policy $($_.Exception.Message)."
+                Write-Information ($_.InvocationInfo.PositionMessage)
+            }
+
             $AppPassword = (Invoke-RestMethod "https://graph.microsoft.com/v1.0/applications/$($AppId.id)/addPassword" -Headers @{ authorization = "Bearer $($Token.access_token)" } -Method POST -Body '{"passwordCredential":{"displayName":"CIPPInstall"}}' -ContentType 'application/json').secretText
 
             if ($env:AzureWebJobsStorage -eq 'UseDevelopmentStorage=true' -or $env:NonLocalHostAzurite -eq 'true') {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecSendPush.ps1

@@ -51,6 +51,12 @@ function Invoke-ExecSendPush {
         $SPID = (New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/servicePrincipals' -tenantid $TenantFilter -type POST -body $SPBody -AsApp $true).id
     }
 
+    try {
+        $PolicyUpdate = Update-AppManagementPolicy -TenantFilter $TenantFilter -ApplicationId $MFAAppID
+        Write-Information $PolicyUpdate.PolicyAction
+    } catch {
+        Write-Information "Failed to update app management policy: $($_.Exception.Message)"
+    }
 
     $PassReqBody = @{
         'passwordCredential' = @{

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Invoke-SetAuthMethod.ps1

@@ -15,10 +15,20 @@ function Invoke-SetAuthMethod {
     $State = if ($Request.Body.state -eq 'enabled') { $true } else { $false }
     $TenantFilter = $Request.Body.tenantFilter
     $AuthenticationMethodId = $Request.Body.Id
-
+    $GroupIds = $Request.Body.GroupIds
 
     try {
-        $Result = Set-CIPPAuthenticationPolicy -Tenant $TenantFilter -APIName $APIName -AuthenticationMethodId $AuthenticationMethodId -Enabled $State -Headers $Headers
+        $Params = @{
+            Tenant                 = $TenantFilter
+            APIName                = $APIName
+            AuthenticationMethodId = $AuthenticationMethodId
+            Enabled                = $State
+            Headers                = $Headers
+        }
+        if ($GroupIds) {
+            $Params.GroupIds = @($GroupIds)
+        }
+        $Result = Set-CIPPAuthenticationPolicy @Params
         $StatusCode = [HttpStatusCode]::OK
     } catch {
         $Result = $_.Exception.Message

Modules/CIPPCore/Public/Entrypoints/Timer Functions/Start-UpdateTokensTimer.ps1

@@ -39,12 +39,21 @@ function Start-UpdateTokensTimer {
         # Check application secret expiration for $env:ApplicationId and generate a new application secret if expiration is within 30 days.
         try {
             $AppId = $env:ApplicationID
-            $PasswordCredentials = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appId='$AppId')?`$select=id,passwordCredentials" -NoAuthCheck $true -AsApp $true -ErrorAction Stop
+            $AppRegistration = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/applications(appId='$AppId')?`$select=id,passwordCredentials,servicePrincipalLockConfiguration" -NoAuthCheck $true -AsApp $true -ErrorAction Stop
             # sort by latest expiration date and get the first one
-            $LastPasswordCredential = $PasswordCredentials.passwordCredentials | Sort-Object -Property endDateTime -Descending | Select-Object -First 1
+            $LastPasswordCredential = $AppRegistration.passwordCredentials | Sort-Object -Property endDateTime -Descending | Select-Object -First 1
+
+            try {
+                $AppPolicyStatus = Update-AppManagementPolicy
+                Write-Information $AppPolicyStatus.PolicyAction
+            } catch {
+                Write-Warning "Error updating app management policy $($_.Exception.Message)."
+                Write-Information ($_.InvocationInfo.PositionMessage)
+            }
+
             if ($LastPasswordCredential.endDateTime -lt (Get-Date).AddDays(30).ToUniversalTime()) {
                 Write-Information "Application secret for $AppId is expiring soon. Generating a new application secret."
-                $AppSecret = New-GraphPostRequest -uri "https://graph.microsoft.com/v1.0/applications/$($PasswordCredentials.id)/addPassword" -Body '{"passwordCredential":{"displayName":"UpdateTokens"}}' -NoAuthCheck $true -AsApp $true -ErrorAction Stop
+                $AppSecret = New-GraphPostRequest -uri "https://graph.microsoft.com/v1.0/applications/$($AppRegistration.id)/addPassword" -Body '{"passwordCredential":{"displayName":"UpdateTokens"}}' -NoAuthCheck $true -AsApp $true -ErrorAction Stop
                 Write-Information "New application secret generated for $AppId. Expiration date: $($AppSecret.endDateTime)."
             } else {
                 Write-Information "Application secret for $AppId is valid until $($LastPasswordCredential.endDateTime). No need to generate a new application secret."
@@ -77,6 +86,20 @@ function Start-UpdateTokensTimer {
             } else {
                 Write-Information "No expired application secrets found for $AppId."
             }
+
+            if (!$AppRegistration.servicePrincipalLockConfiguration.isEnabled) {
+                Write-Warning "Service principal lock configuration is not enabled for $AppId"
+                $Body = @{
+                    servicePrincipalLockConfiguration = @{
+                        isEnabled     = $true
+                        allProperties = $true
+                    }
+                } | ConvertTo-Json
+                New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/v1.0/applications/$($AppRegistration.id)" -Body $Body -NoAuthCheck $true -AsApp $true -ErrorAction Stop
+                Write-Information "Service principal lock configuration has been enabled for application $AppId."
+                Write-LogMessage -API 'Update Tokens' -message "Service principal lock configuration has been enabled for application $AppId." -sev 'Info'
+            }
+
         } catch {
             Write-Warning "Error updating application secret $($_.Exception.Message)."
             Write-Information ($_.InvocationInfo.PositionMessage)

Modules/CIPPCore/Public/Get-CIPPCalendarPermissionReport.ps1

@@ -31,8 +31,6 @@ function Get-CIPPCalendarPermissionReport {
     )
 
     try {
-        Write-LogMessage -API 'CalendarPermissionReport' -tenant $TenantFilter -message 'Generating calendar permission report' -sev Info
-
         # Handle AllTenants
         if ($TenantFilter -eq 'AllTenants') {
             # Get all tenants that have calendar data

Modules/CIPPCore/Public/Get-CIPPIntunePolicy.ps1

@@ -35,8 +35,8 @@ function Get-CIPPIntunePolicy {
                 $iOSPolicies = ($BulkResults | Where-Object { $_.id -eq 'iOSPolicies' }).body.value
 
                 if ($DisplayName) {
-                    $androidPolicy = $androidPolicies | Where-Object -Property displayName -EQ $DisplayName
-                    $iOSPolicy = $iOSPolicies | Where-Object -Property displayName -EQ $DisplayName
+                    $androidPolicy = $androidPolicies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
+                    $iOSPolicy = $iOSPolicies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
 
                     # Return the matching policy (Android or iOS) - using full data from bulk request
                     if ($androidPolicy) {
@@ -92,7 +92,7 @@ function Get-CIPPIntunePolicy {
 
                 if ($DisplayName) {
                     $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName
+                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
                     if ($policy) {
                         $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')?`$expand=scheduledActionsForRule(`$expand=scheduledActionConfigurations)" -tenantid $tenantFilter
                         $policyJson = ConvertTo-Json -InputObject $policyDetails -Depth 100 -Compress
@@ -122,7 +122,7 @@ function Get-CIPPIntunePolicy {
 
                 if ($DisplayName) {
                     $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName
+                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
                     if ($policy) {
                         $definitionValues = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')/definitionValues" -tenantid $tenantFilter
                         $policy | Add-Member -MemberType NoteProperty -Name 'definitionValues' -Value $definitionValues -Force
@@ -237,7 +237,7 @@ function Get-CIPPIntunePolicy {
 
                 if ($DisplayName) {
                     $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName
+                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
                     if ($policy) {
                         $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')" -tenantid $tenantFilter
                         $policyDetails = $policyDetails | Select-Object * -ExcludeProperty id, lastModifiedDateTime, '@odata.context', 'ScopeTagIds', 'supportsScopeTags', 'createdDateTime'
@@ -270,7 +270,7 @@ function Get-CIPPIntunePolicy {
 
                 if ($DisplayName) {
                     $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property Name -EQ $DisplayName
+                    $policy = $policies | Where-Object -Property Name -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
                     if ($policy) {
                         $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')?`$expand=settings" -tenantid $tenantFilter
                         $policyDetails = $policyDetails | Select-Object name, description, settings, platforms, technologies, templateReference
@@ -303,7 +303,7 @@ function Get-CIPPIntunePolicy {
 
                 if ($DisplayName) {
                     $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName
+                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
                     if ($policy) {
                         $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')" -tenantid $tenantFilter
                         $policyDetails = $policyDetails | Select-Object * -ExcludeProperty id, lastModifiedDateTime, '@odata.context', 'ScopeTagIds', 'supportsScopeTags', 'createdDateTime'
@@ -336,7 +336,7 @@ function Get-CIPPIntunePolicy {
 
                 if ($DisplayName) {
                     $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName
+                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
                     if ($policy) {
                         $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')" -tenantid $tenantFilter
                         $policyDetails = $policyDetails | Select-Object * -ExcludeProperty id, lastModifiedDateTime, '@odata.context', 'ScopeTagIds', 'supportsScopeTags', 'createdDateTime'
@@ -369,7 +369,7 @@ function Get-CIPPIntunePolicy {
 
                 if ($DisplayName) {
                     $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName
+                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
                     if ($policy) {
                         $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')" -tenantid $tenantFilter
                         $policyDetails = $policyDetails | Select-Object * -ExcludeProperty id, lastModifiedDateTime, '@odata.context', 'ScopeTagIds', 'supportsScopeTags', 'createdDateTime'
@@ -402,7 +402,7 @@ function Get-CIPPIntunePolicy {
 
                 if ($DisplayName) {
                     $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName
+                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName | Sort-Object -Property lastModifiedDateTime -Descending | Select-Object -First 1
                     if ($policy) {
                         $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')" -tenantid $tenantFilter
                         $policyDetails = $policyDetails | Select-Object * -ExcludeProperty id, lastModifiedDateTime, '@odata.context', 'ScopeTagIds', 'supportsScopeTags', 'createdDateTime'