From 3d9affdc02e6169deac7ecf54d8ed24e8a739bf5 Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Tue, 21 Jan 2025 17:04:41 -0500
Subject: [PATCH 1/3] prevent $domain from leaking to other tenants

---
 Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
index 4774292f150d..6cd3bd8bb5c6 100644
--- a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
+++ b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
@@ -121,6 +121,7 @@ function Get-Tenants {
 } catch {
 $ErrorMessage = Get-CippException -Exception $_
 Write-LogMessage -API 'Get-Tenants' -message "Tried adding $($LatestRelationship.customerId) to tenant list but failed to get domains - $($_.Exception.Message)" -Sev 'Critical' -LogData $ErrorMessage
+ $Domain = 'Invalid'
 } finally {
 $defaultDomainName = $Domain
 $initialDomainName = $Domain
From 9d93401466a2154f76ab25335441784f2843478e Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Tue, 21 Jan 2025 17:07:04 -0500
Subject: [PATCH 2/3] handle errors with automap url lookup

---
 .../HTTP Functions/Teams-Sharepoint/Invoke-ListSites.ps1 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Teams-Sharepoint/Invoke-ListSites.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Teams-Sharepoint/Invoke-ListSites.ps1
index c7c44c70e403..2d23640c9fcd 100644
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Teams-Sharepoint/Invoke-ListSites.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Teams-Sharepoint/Invoke-ListSites.ps1
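Review bot: The catch block only assigns `$Domain = 'Invalid'` when the domain lookup throws, so the `finally` block still copies whatever `$Domain` held from the previous tenant on any path where the try body completes without assigning it, if such a path exists; resetting `$Domain = $null` immediately before the `try` (outside this hunk) covers every path and also avoids recording the literal string `Invalid` as a tenant's defaultDomainName/initialDomainName, where downstream callers may use it as if it were a real domain. If the placeholder is intentional, a comment at the assignment such as `# sentinel: domain lookup failed; callers must not treat this as a routable domain` would make that contract explicit. The enclosing try/finally and the function continue outside the hunk.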
@@ -90,7 +90,11 @@ Function Invoke-ListSites {
 url = "sites/$($Site.siteId)/lists?`$select=id,name,list,parentReference"
 }
 }
- $Requests = (New-GraphBulkRequest -tenantid $TenantFilter -scope 'https://graph.microsoft.com/.default' -Requests @($Requests) -asapp $true).body.value | Where-Object { $_.list.template -eq 'DocumentLibrary' }
+ try {
+ $Requests = (New-GraphBulkRequest -tenantid $TenantFilter -scope 'https://graph.microsoft.com/.default' -Requests @($Requests) -asapp $true).body.value | Where-Object { $_.list.template -eq 'DocumentLibrary' }
+ } catch {
+ Write-LogMessage -Message "Error getting auto map urls: $($_.Exception.Message)" -Sev 'Error' -tenant $TenantFilter -API 'ListSites' -LogData (Get-CippException -Exception $_)
+ }
 $GraphRequest = foreach ($Site in $GraphRequest) {
 $ListId = ($Requests | Where-Object { $_.parentReference.siteId -like "*$($Site.siteId)*" }).id
 $site.AutoMapUrl = "tenantId=$($TenantId)&webId={$($Site.webId)}&siteid={$($Site.siteId)}&webUrl=$($Site.webUrl)&listId={$($ListId)}"
From 2366c443c9b71ea3f1f4d42a5c5525ca339bf9f9 Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Tue, 21 Jan 2025 22:28:02 -0500
Subject: [PATCH 3/3] fix tenant access from custom roles

---
 .../Public/Authentication/Get-CIPPRolePermissions.ps1 | 8 +++++---
 .../CIPPCore/Public/Authentication/Test-CIPPAccess.ps1 | 6 +++---
 .../Tenant/Administration/Tenant/Invoke-ListTenants.ps1 | 1 +
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1 b/Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1
index f3e1f525ac57..8bac3674e677 100644
--- a/Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Get-CIPPRolePermissions.ps1
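Review bot: When New-GraphBulkRequest throws, `$Requests` still holds the array of request definitions built just above (the `url = "sites/..."` entries), so the `Where-Object { $_.parentReference.siteId -like ... }` after the catch filters request objects instead of list results and `$ListId` ends up empty by accident rather than by design; clearing it in the catch with `$Requests = @()` makes the degraded state explicit, and a comment such as `# lookup failed: AutoMapUrl is emitted without a listId` would tell the next reader why every site then carries `listId={}`. The response also gives the caller no indication that the auto-map lookup failed beyond the log entry, which may be acceptable but is worth stating in the function's documentation. The surrounding foreach and the function body continue outside the hunk.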
@@ -18,13 +18,15 @@ function Get-CIPPRolePermissions {
 $Role = Get-CIPPAzDataTableEntity @Table -Filter $Filter
 if ($Role) {
 $Permissions = $Role.Permissions | ConvertFrom-Json
+ $AllowedTenants = if ($Role.AllowedTenants) { $Role.AllowedTenants | ConvertFrom-Json } else { @() }
+ $BlockedTenants = if ($Role.BlockedTenants) { $Role.BlockedTenants | ConvertFrom-Json } else { @() }
 [PSCustomObject]@{
 Role = $Role.RowKey
 Permissions = $Permissions.PSObject.Properties.Value
- AllowedTenants = if ($Role.AllowedTenants) { $Role.AllowedTenants | ConvertFrom-Json } else { @() }
- BlockedTenants = if ($Role.BlockedTenants) { $Role.BlockedTenants | ConvertFrom-Json } else { @() }
+ AllowedTenants = @($AllowedTenants)
+ BlockedTenants = @($BlockedTenants)
 }
 } else {
 throw "Role $RoleName not found."
 }
-}
\ No newline at end of file
+}
diff --git a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1 b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
index b221d89b7ea5..aa12f2741414 100644
--- a/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Test-CIPPAccess.ps1
@@ -69,8 +69,8 @@ function Test-CIPPAccess {
 if ($PermissionsFound) {
 if ($TenantList.IsPresent) {
 $LimitedTenantList = foreach ($Permission in $PermissionSet) {
- if (($Permission.AllowedTenants | Measure-Object).Count -eq 0 -and ($Permission.BlockedTenants | Measure-Object).Count -eq 0) {
- return @('AllTenants')
+ if ((($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants') -and (($Permission.BlockedTenants | Measure-Object).Count -eq 0)) {
+ @('AllTenants')
 } else {
 if ($Permission.AllowedTenants -contains 'AllTenants') {
 $Permission.AllowedTenants = $Tenants.customerId
@@ -135,4 +135,4 @@ function Test-CIPPAccess {
 } else {
 return $true
 }
-}
\ No newline at end of file
+}
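Review bot: The `@($AllowedTenants)` and `@($BlockedTenants)` wraps in the `[PSCustomObject]` literal need a why-comment, because nothing on those lines says what they guard against; I would add `# @() keeps a one-element JSON array from unrolling to a scalar after ConvertFrom-Json` above the object literal, since that appears to be what the change fixes. Applying the wrap once at the `$AllowedTenants = if (...)` assignment would make the intermediate variable an array from the start and keep the object literal a plain copy. `Permissions = $Permissions.PSObject.Properties.Value` on the context line has the same single-element exposure, but that is pre-existing and outside this change.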
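Review bot: Replacing `return @('AllTenants')` with a bare `@('AllTenants')` turns an early exit into one more element collected into `$LimitedTenantList`, so a principal holding one role that grants all tenants and another with a restricted list now gets `'AllTenants'` mixed with specific customer IDs; the code that consumes `$LimitedTenantList` (after this hunk) must treat `'AllTenants'` as superseding the rest, and a comment at this line, `# 'AllTenants' in the collected list is resolved by the caller after the loop`, would record that contract. The widened condition is hard to audit on one line; naming the two tests first, `$NoBlocked = ($Permission.BlockedTenants | Measure-Object).Count -eq 0` and `$AllAllowed = ($Permission.AllowedTenants | Measure-Object).Count -eq 0 -or $Permission.AllowedTenants -contains 'AllTenants'`, then `if ($AllAllowed -and $NoBlocked) {`, keeps the logic identical and makes the access rule reviewable. The context line `$Permission.AllowedTenants = $Tenants.customerId` mutates the permission object in place, which matters if `$PermissionSet` is cached or reused across requests; that is pre-existing but worth confirming. The foreach and the function continue outside the hunk.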
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1
index fccb38d002ef..4227a6f78be8 100644
--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Tenant/Invoke-ListTenants.ps1
@@ -14,6 +14,7 @@ Function Invoke-ListTenants {
 Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 $TenantAccess = Test-CIPPAccess -Request $Request -TenantList
+ Write-Host "Tenant Access: $TenantAccess"
 if ($TenantAccess -notcontains 'AllTenants') {
 $AllTenantSelector = $false
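Review bot: `Write-Host "Tenant Access: $TenantAccess"` writes the caller's full tenant-access list to the host stream on every request, which reads like a debugging leftover in an HTTP entrypoint; the line above already records access through Write-LogMessage at `-Sev 'Debug'`, so either drop this line or route it through the same helper, `Write-LogMessage -API $APINAME -message "Tenant Access: $TenantAccess" -Sev 'Debug'`, so it is subject to the same log level and retention as everything else. With large customer-ID lists it also makes the function log noisy. The hunk's context appears to have lost blank lines in rendering, and the function continues past the hunk.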