Merge pull request #601 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

CIPPTimers.json

@@ -27,30 +27,20 @@
   },
   {
     "Id": "44a40668-ed71-403c-8c26-b32e320086ad",
-    "Command": "Start-AuditLogOrchestrator",
-    "Description": "Orchestrator to download audit logs",
-    "Cron": "0 */15 * * * *",
-    "Priority": 2,
+    "Command": "Start-AuditLogIngestion",
+    "Description": "Ingest audit logs using Office 365 Management Activity API",
+    "Cron": "0 */30 * * * *",
+    "Priority": 4,
     "RunOnProcessor": true,
     "PreferredProcessor": "auditlog",
     "IsSystem": true
   },
   {
-    "Id": "01cd512a-15c4-44a9-b8cb-1e5d879cfd2d",
+    "Id": "a8f7c3e1-9d2b-4f6a-8e5c-1a3b7d9e4f2c",
     "Command": "Start-AuditLogProcessingOrchestrator",
-    "Description": "Orchestrator to process audit logs",
+    "Description": "Process cached audit logs and apply webhook rules",
     "Cron": "0 */15 * * * *",
-    "Priority": 3,
-    "RunOnProcessor": true,
-    "PreferredProcessor": "auditlog",
-    "IsSystem": true
-  },
-  {
-    "Id": "03475c86-4314-4d7b-90f2-5a0639e3899b",
-    "Command": "Start-AuditLogSearchCreation",
-    "Description": "Timer to create audit log searches",
-    "Cron": "0 */30 * * * *",
-    "Priority": 4,
+    "Priority": 2,
     "RunOnProcessor": true,
     "PreferredProcessor": "auditlog",
     "IsSystem": true

Modules/CIPPCore/Public/Authentication/Test-CIPPAccessUserRole.ps1

@@ -35,7 +35,7 @@ function Test-CIPPAccessUserRole {
     } else {
         try {
             $uri = "https://graph.microsoft.com/beta/users/$($User.userDetails)/transitiveMemberOf"
-            $Memberships = New-GraphGetRequest -uri $uri -NoAuthCheck $true | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
+            $Memberships = New-GraphGetRequest -uri $uri -NoAuthCheck $true -AsApp $true | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' }
             if ($Memberships) {
                 Write-Information "Found group memberships for $($User.userDetails)"
             } else {

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogIngestion.ps1

@@ -13,70 +13,9 @@ function Invoke-ExecPermissionRepair {
     param($Request, $TriggerMetadata)
 
     try {
-        $Table = Get-CippTable -tablename 'AppPermissions'
         $User = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
-
-        $CurrentPermissions = Get-CippSamPermissions
-        if (($CurrentPermissions.MissingPermissions | Measure-Object).Count -gt 0) {
-            Write-Information 'Missing permissions found'
-            $MissingPermissions = $CurrentPermissions.MissingPermissions
-            $Permissions = $CurrentPermissions.Permissions
-
-            $AppIds = @($Permissions.PSObject.Properties.Name + $MissingPermissions.PSObject.Properties.Name)
-
-            $NewPermissions = @{}
-            foreach ($AppId in $AppIds) {
-                if (!$AppId) { continue }
-                $ApplicationPermissions = [system.collections.generic.list[object]]::new()
-                $DelegatedPermissions = [system.collections.generic.list[object]]::new()
-
-                # App permissions
-                foreach ($Permission in $Permissions.$AppId.applicationPermissions) {
-                    $ApplicationPermissions.Add($Permission)
-                }
-                if (($MissingPermissions.$AppId.applicationPermissions | Measure-Object).Count -gt 0) {
-                    foreach ($MissingPermission in $MissingPermissions.$AppId.applicationPermissions) {
-                        Write-Host "Adding missing permission: $MissingPermission"
-                        $ApplicationPermissions.Add($MissingPermission)
-                    }
-                }
-
-                # Delegated permissions
-                foreach ($Permission in $Permissions.$AppId.delegatedPermissions) {
-                    $DelegatedPermissions.Add($Permission)
-                }
-                if (($MissingPermissions.$AppId.delegatedPermissions | Measure-Object).Count -gt 0) {
-                    foreach ($MissingPermission in $MissingPermissions.$AppId.delegatedPermissions) {
-                        Write-Host "Adding missing permission: $MissingPermission"
-                        $DelegatedPermissions.Add($MissingPermission)
-                    }
-                }
-                # New permission object
-                $NewPermissions.$AppId = @{
-                    applicationPermissions = @($ApplicationPermissions | Sort-Object -Property label)
-                    delegatedPermissions   = @($DelegatedPermissions | Sort-Object -Property label)
-                }
-            }
-
-
-            $Entity = @{
-                'PartitionKey' = 'CIPP-SAM'
-                'RowKey'       = 'CIPP-SAM'
-                'Permissions'  = [string]([PSCustomObject]$NewPermissions | ConvertTo-Json -Depth 10 -Compress)
-                'UpdatedBy'    = $User.UserDetails ?? 'CIPP-API'
-            }
-            $Table = Get-CIPPTable -TableName 'AppPermissions'
-            $null = Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force
-
-            $Body = @{
-                'Results' = 'Permissions Updated'
-            }
-            Write-LogMessage -headers $Request.Headers -API 'ExecPermissionRepair' -message 'CIPP-SAM Permissions Updated' -Sev 'Info' -LogData $Permissions
-        } else {
-            $Body = @{
-                'Results' = 'No permissions to update'
-            }
-        }
+        $Result = Update-CippSamPermissions -UpdatedBy ($User.UserDetails ?? 'CIPP-API')
+        $Body = @{'Results' = $Result }
     } catch {
         $Body = @{
             'Results' = "$($_.Exception.Message) - at line $($_.InvocationInfo.ScriptLineNumber)"