Merge pull request #11 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1

@@ -60,8 +60,13 @@ function Add-CIPPApplicationPermission {
     Write-Information "Adding application permissions to application $ApplicationId in tenant $TenantFilter"
 
     $ServicePrincipalList = [System.Collections.Generic.List[object]]::new()
-    $SPList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
-    foreach ($SP in $SPList) { $ServicePrincipalList.Add($SP) }
+    $CachedSPs = New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'ServicePrincipals'
+    if ($CachedSPs) {
+        foreach ($SP in $CachedSPs) { $ServicePrincipalList.Add($SP) }
+    } else {
+        $SPList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $TenantFilter -NoAuthCheck $true
+        foreach ($SP in $SPList) { $ServicePrincipalList.Add($SP) }
+    }
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
     if (!$ourSVCPrincipal) {
         #Our Service Principal isn't available yet. We do a sleep and reexecute after 3 seconds.

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -7,7 +7,7 @@ function Add-CIPPDelegatedPermission {
         $NoTranslateRequired,
         $TenantFilter
     )
-    Write-Host 'Adding Delegated Permissions'
+    Write-Information 'Adding Delegated Permissions'
     Set-Location (Get-Item $PSScriptRoot).FullName
 
     if ($ApplicationId -eq $env:ApplicationID -and $TenantFilter -eq $env:TenantID) {
@@ -71,7 +71,12 @@ function Add-CIPPDelegatedPermission {
 
     $ModuleBase = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
     $Translator = Get-Content (Join-Path $ModuleBase 'lib\data\PermissionsTranslator.json') | ConvertFrom-Json
-    $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true
+    $CachedSPs = New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'ServicePrincipals'
+    $ServicePrincipalList = if ($CachedSPs) {
+        $CachedSPs
+    } else {
+        New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $TenantFilter -skipTokenCache $true -NoAuthCheck $true
+    }
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property appId -EQ $ApplicationId
     $Results = [System.Collections.Generic.List[string]]::new()
 

Modules/CIPPCore/Public/GraphHelper/Get-CippSamPermissions.ps1

@@ -14,7 +14,7 @@ function Get-CippSamPermissions {
     Internal
     #>
     [CmdletBinding(DefaultParameterSetName = 'Default')]
-    Param(
+    param(
         [Parameter(ParameterSetName = 'ManifestOnly')]
         [switch]$ManifestOnly,
         [Parameter(ParameterSetName = 'Default')]
@@ -24,11 +24,19 @@ function Get-CippSamPermissions {
     )
 
     if (!$SavedOnly.IsPresent) {
+        # Return cached result if available and less than 5 minutes old (avoids duplicate partner-tenant Graph calls within same invocation)
+        if ($NoDiff.IsPresent -and $script:CippSamPermissionsCache -and
+            $script:CippSamPermissionsCacheTime -and
+            ((Get-Date) - $script:CippSamPermissionsCacheTime).TotalMinutes -lt 5) {
+            return $script:CippSamPermissionsCache
+        }
+
         $ModuleBase = Get-Module -Name CIPPCore | Select-Object -ExpandProperty ModuleBase
         $SamManifestFile = Get-Item (Join-Path $ModuleBase 'lib\data\SAMManifest.json')
         $AdditionalPermissions = Get-Item (Join-Path $ModuleBase 'lib\data\AdditionalPermissions.json')
 
         $ServicePrincipalList = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals?$top=999&$select=id,appId,displayName' -tenantid $env:TenantID -NoAuthCheck $true
+
         $SAMManifest = Get-Content -Path $SamManifestFile.FullName | ConvertFrom-Json
         $AdditionalPermissions = Get-Content -Path $AdditionalPermissions.FullName | ConvertFrom-Json
 
@@ -191,6 +199,11 @@ function Get-CippSamPermissions {
 
     $SamAppPermissions = $SamAppPermissions | ConvertTo-Json -Depth 10 -Compress | ConvertFrom-Json
 
+    if ($NoDiff.IsPresent) {
+        $script:CippSamPermissionsCache = $SamAppPermissions
+        $script:CippSamPermissionsCacheTime = Get-Date
+    }
+
     return $SamAppPermissions
 }
 

Modules/CIPPCore/Public/New-CIPPDbRequest.ps1

@@ -43,8 +43,6 @@ function New-CIPPDbRequest {
             $Filter = "PartitionKey eq '{0}'" -f $SafeTenantFilter
         }
 
-        Write-Information "Filter: $Filter"
-
         $Results = Get-CIPPAzDataTableEntity @Table -Filter $Filter
 
         return ($Results.Data | ConvertFrom-Json -ErrorAction SilentlyContinue)

Modules/CIPPCore/Public/Set-CIPPCPVConsent.ps1

@@ -21,6 +21,18 @@ function Set-CIPPCPVConsent {
         return @('Application is already consented to this tenant')
     }
 
+    # Skip the Partner Center POST if consent was applied recently and we're not resetting
+    if (-not $ResetSP) {
+        $CpvTable = Get-CIPPTable -TableName cpvtenants
+        $ExistingRow = Get-CIPPAzDataTableEntity @CpvTable -Filter "PartitionKey eq 'Tenant' and RowKey eq '$TenantFilter'"
+        if ($ExistingRow -and $ExistingRow.applicationId -eq $env:ApplicationID -and $ExistingRow.LastApply) {
+            $UnixNow = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+            if (($UnixNow - [int64]$ExistingRow.LastApply) -lt 86400) {
+                return @("CPV consent for $TenantName is current, skipping re-consent")
+            }
+        }
+    }
+
     if ($ResetSP) {
         try {
             if ($PSCmdlet.ShouldProcess($env:ApplicationID, "Delete Service Principal from $TenantName")) {

Modules/CIPPCore/Public/Set-CIPPSAMAdminRoles.ps1

@@ -32,9 +32,21 @@ function Set-CIPPSAMAdminRoles {
     }
 
     if (($SAMRoles | Measure-Object).count -gt 0 -and $Tenants -contains $TenantFilter -or $Tenants -contains 'AllTenants') {
-        $AppMemberOf = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($env:ApplicationID)')/memberOf/#microsoft.graph.directoryRole" -tenantid $TenantFilter -AsApp $true
-
-        $sp = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($env:ApplicationID)')?`$select=id,displayName" -tenantid $TenantFilter -AsApp $true)
+        $InitialRequests = @(
+            [PSCustomObject]@{
+                id     = 'memberOf'
+                method = 'GET'
+                url    = "servicePrincipals(appId='$($env:ApplicationID)')/memberOf/#microsoft.graph.directoryRole"
+            }
+            [PSCustomObject]@{
+                id     = 'sp'
+                method = 'GET'
+                url    = "servicePrincipals(appId='$($env:ApplicationID)')?`$select=id,displayName"
+            }
+        )
+        $InitialResults = New-GraphBulkRequest -tenantid $TenantFilter -Requests $InitialRequests -AsApp $true -NoAuthCheck $true
+        $AppMemberOf = ($InitialResults | Where-Object { $_.id -eq 'memberOf' }).body.value
+        $sp = ($InitialResults | Where-Object { $_.id -eq 'sp' }).body
         $id = $sp.id
 
         $Requests = $SAMRoles | Where-Object { $AppMemberOf.roleTemplateId -notcontains $_.value } | ForEach-Object {