Merge branch 'KelvinTegelaar:master' into master

Author: SimplyICT

CIPP-Permissions.json

@@ -80,14 +80,6 @@
     "RunOnProcessor": true,
     "PreferredProcessor": "standards"
   },
-  {
-    "Id": "5113c66d-c040-42df-9565-39dff90ddd55",
-    "Command": "Start-CIPPGraphSubscriptionCleanupTimer",
-    "Description": "Orchestrator to cleanup old Graph subscriptions",
-    "Cron": "0 0 0 * * *",
-    "Priority": 5,
-    "RunOnProcessor": true
-  },
   {
     "Id": "97145a1d-28f0-4bb2-b929-5a43517d23cc",
     "Command": "Start-SchedulerOrchestrator",

CIPPTimers.json

@@ -1722,6 +1722,35 @@
     "powershellEquivalent": "New-ProtectionAlert and Set-ProtectionAlert",
     "recommendedBy": []
   },
+  {
+    "name": "standards.SafeLinksTemplatePolicy",
+    "label": "SafeLinks Policy Template",
+    "cat": "Templates",
+    "multiple": false,
+    "disabledFeatures": {
+      "report": false,
+      "warn": false,
+      "remediate": false
+    },
+    "impact": "Medium Impact",
+    "addedDate": "2025-04-29",
+    "helpText": "Deploy and manage SafeLinks policy templates to protect against malicious URLs in emails and Office documents.",
+    "addedComponent": [
+      {
+        "type": "autoComplete",
+        "multiple": true,
+        "creatable": false,
+        "name": "standards.SafeLinksTemplatePolicy.TemplateIds",
+        "label": "Select SafeLinks Policy Templates",
+        "api": {
+          "url": "/api/ListSafeLinksPolicyTemplates",
+          "labelField": "TemplateName",
+          "valueField": "GUID",
+          "queryKey": "ListSafeLinksPolicyTemplates"
+        }
+      }
+    ]
+  },
   {
     "name": "standards.SafeLinksPolicy",
     "cat": "Defender Standards",

Cache_SAMSetup/PermissionsTranslator.json

@@ -0,0 +1,71 @@
+function Convert-QuarantinePermissionsValue {
+    [CmdletBinding(DefaultParameterSetName = 'DecimalValue')]
+    param (
+        [Parameter(Mandatory, Position = 0, ParameterSetName = "StringValue")]
+        [ValidateNotNullOrEmpty()]
+        [string]$InputObject,
+
+        [Parameter(Position = 0, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToViewHeader = 0,
+        [Parameter(Position = 1, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToDownload = 0,
+        [Parameter(Mandatory, Position = 2, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToAllowSender,
+        [Parameter(Mandatory, Position = 3, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToBlockSender,
+        [Parameter(Mandatory, Position = 4, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToRequestRelease,
+        [Parameter(Mandatory, Position = 5, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToRelease,
+        [Parameter(Mandatory, Position = 6, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToPreview,
+        [Parameter(Mandatory, Position = 7, ParameterSetName = "DecimalValue")]
+        [int]$PermissionToDelete
+    )
+
+    #Converts string value with EndUserQuarantinePermissions received from Get-QuarantinePolicy
+    if (($PSCmdlet.ParameterSetName) -eq "StringValue") {
+        try {
+            # Remove square brackets and split into lines
+            $InputObject = $InputObject.Trim('[', ']')
+            $hashtable = @{}
+            $InputObject -split "`n" | ForEach-Object {
+                $key, $value = $_ -split ":\s*"
+                $hashtable[$key.Trim()] = [System.Convert]::ToBoolean($value.Trim())
+            }
+            return $hashtable
+        }
+        catch {
+            throw "Convert-QuarantinePermissionsValue: Failed to convert string to hashtable."
+        }
+    }
+
+    #Converts selected end user quarantine permissions to decimal value used by EndUserQuarantinePermissionsValue property in New-QuarantinePolicy and Set-QuarantinePolicy
+    elseif (($PSCmdlet.ParameterSetName) -eq "DecimalValue") {
+        try {
+            # both PermissionToRequestRelease and PermissionToRelease cannot be set to true at the same time
+            if($PermissionToRequestRelease -eq 1 -and $PermissionToRelease -eq 1) {
+                throw "PermissionToRequestRelease and PermissionToRelease cannot both be set to true."
+            }
+
+            # Convert each permission to a binary string
+            $BinaryValue = [string]@(
+                $PermissionToViewHeader,
+                $PermissionToDownload,
+                $PermissionToAllowSender,
+                $PermissionToBlockSender,
+                $PermissionToRequestRelease,
+                $PermissionToRelease,
+                $PermissionToPreview,
+                $PermissionToDelete
+            ) -replace '\s',''
+
+            # Convert the binary string to an Decimal value
+            return [convert]::ToInt32($BinaryValue,2)
+        }
+        catch {
+            $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+            throw "Convert-QuarantinePermissionsValue: Failed to convert QuarantinePermissions to QuarantinePermissionsValue. Error: $ErrorMessage"
+        }
+    }
+}

Cache_SAMSetup/SAMManifest.json

@@ -2,6 +2,7 @@ function Add-CIPPApplicationPermission {
     [CmdletBinding()]
     param(
         $RequiredResourceAccess,
+        $TemplateId,
         $ApplicationId,
         $Tenantfilter
     )
@@ -31,7 +32,34 @@ function Add-CIPPApplicationPermission {
 
             $RequiredResourceAccess.Add($Resource)
         }
+    } else {
+        if (!$RequiredResourceAccess -and $TemplateId) {
+            Write-Information "Adding application permissions for template $TemplateId"
+            $TemplateTable = Get-CIPPTable -TableName 'templates'
+            $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+            $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+            $ApplicationId = $Template.AppId
+            $Permissions = $Template.Permissions
+            $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
+            foreach ($AppId in $Permissions.PSObject.Properties.Name) {
+                $AppPermissions = @($Permissions.$AppId.applicationPermissions)
+                $Resource = @{
+                    resourceAppId  = $AppId
+                    resourceAccess = [System.Collections.Generic.List[object]]::new()
+                }
+                foreach ($Permission in $AppPermissions) {
+                    $Resource.ResourceAccess.Add(@{
+                            id   = $Permission.id
+                            type = 'Role'
+                        })
+                }
+
+                $RequiredResourceAccess.Add($Resource)
+            }
+        }
     }
+
+
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -skipTokenCache $true -tenantid $Tenantfilter -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property AppId -EQ $ApplicationId
     if (!$ourSVCPrincipal) {
@@ -59,7 +87,7 @@ function Add-CIPPApplicationPermission {
             }
         }
         foreach ($SingleResource in $App.ResourceAccess | Where-Object -Property Type -EQ 'Role') {
-            if ($SingleResource.id -In $CurrentRoles.appRoleId) { continue }
+            if ($SingleResource.id -in $CurrentRoles.appRoleId) { continue }
             [pscustomobject]@{
                 principalId = $($ourSVCPrincipal.id)
                 resourceId  = $($svcPrincipalId.id)

Config/standards.json

@@ -2,6 +2,7 @@ function Add-CIPPDelegatedPermission {
     [CmdletBinding()]
     param(
         $RequiredResourceAccess,
+        $TemplateId,
         $ApplicationId,
         $NoTranslateRequired,
         $Tenantfilter
@@ -40,7 +41,34 @@ function Add-CIPPDelegatedPermission {
             # remove the partner center permission if not pushing to partner tenant
             $RequiredResourceAccess = $RequiredResourceAccess | Where-Object { $_.resourceAppId -ne 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd' }
         }
+    } else {
+        if (!$RequiredResourceAccess -and $TemplateId) {
+            Write-Information "Adding delegated permissions for template $TemplateId"
+            $TemplateTable = Get-CIPPTable -TableName 'templates'
+            $Filter = "RowKey eq '$TemplateId' and PartitionKey eq 'AppApprovalTemplate'"
+            $Template = (Get-CIPPAzDataTableEntity @TemplateTable -Filter $Filter).JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+            $ApplicationId = $Template.AppId
+            $Permissions = $Template.Permissions
+            $NoTranslateRequired = $true
+            $RequiredResourceAccess = [System.Collections.Generic.List[object]]::new()
+            foreach ($AppId in $Permissions.PSObject.Properties.Name) {
+                $DelegatedPermissions = @($Permissions.$AppId.delegatedPermissions)
+                $ResourceAccess = [System.Collections.Generic.List[object]]::new()
+                foreach ($Permission in $DelegatedPermissions) {
+                    $ResourceAccess.Add(@{
+                            id   = $Permission.value
+                            type = 'Scope'
+                        })
+                }
+                $Resource = @{
+                    resourceAppId  = $AppId
+                    resourceAccess = @($ResourceAccess)
+                }
+                $RequiredResourceAccess.Add($Resource)
+            }
+        }
     }
+
     $Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=appId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true -NoAuthCheck $true
     $ourSVCPrincipal = $ServicePrincipalList | Where-Object -Property appId -EQ $ApplicationId
@@ -66,6 +94,7 @@ function Add-CIPPDelegatedPermission {
         }
 
         $DelegatedScopes = $App.resourceAccess | Where-Object -Property type -EQ 'Scope'
+
         if ($NoTranslateRequired) {
             $NewScope = @($DelegatedScopes | ForEach-Object { $_.id } | Sort-Object -Unique) -join ' '
         } else {
@@ -85,6 +114,10 @@ function Add-CIPPDelegatedPermission {
         $OldScope = ($CurrentDelegatedScopes | Where-Object -Property Resourceid -EQ $svcPrincipalId.id)
 
         if (!$OldScope) {
+            if ([string]::IsNullOrEmpty($NewScope) -or $NewScope -eq ' ') {
+                $Results.add("No delegated permissions to add for $($svcPrincipalId.displayName)")
+                continue
+            }
             try {
                 $Createbody = @{
                     clientId    = $ourSVCPrincipal.id
@@ -118,6 +151,13 @@ function Add-CIPPDelegatedPermission {
                 $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)")
                 continue
             }
+
+            if ([string]::IsNullOrEmpty($NewScope) -or $NewScope -eq ' ') {
+                # No permissions to update
+                $Results.add("No delegated permissions to update for $($svcPrincipalId.displayName)")
+                continue
+            }
+
             $Patchbody = @{
                 scope = "$NewScope"
             } | ConvertTo-Json -Compress

ConversionTable.csv

@@ -7,21 +7,22 @@ function Add-CIPPGroupMember(
     [string]$APIName = 'Add Group Member'
 ) {
     try {
-        if ($member -like '*#EXT#*') { $member = [System.Web.HttpUtility]::UrlEncode($member) }
-        $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($member)" -tenantid $TenantFilter).id
-        $addmemberbody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }"
+        if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) }
+        $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Member)" -tenantid $TenantFilter).id
+        $AddMemberBody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }"
         if ($GroupType -eq 'Distribution list' -or $GroupType -eq 'Mail-Enabled Security') {
-            $Params = @{ Identity = $GroupId; Member = $member; BypassSecurityGroupManagerCheck = $true }
-            $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Add-DistributionGroupMember' -cmdParams $params -UseSystemMailbox $true
+            $Params = @{ Identity = $GroupId; Member = $Member; BypassSecurityGroupManagerCheck = $true }
+            $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Add-DistributionGroupMember' -cmdParams $Params -UseSystemMailbox $true
         } else {
-            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $TenantFilter -type patch -body $addmemberbody -Verbose
+            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $TenantFilter -type patch -body $AddMemberBody -Verbose
         }
-        $Message = "Successfully added user $($Member) to $($GroupId)."
-        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
-        return $message
+        $Results = "Successfully added user $($Member) to $($GroupId)."
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'Info'
+        return $Results
     } catch {
-        $message = "Failed to add user $($Member) to $($GroupId) - $($_.Exception.Message)"
-        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $message -Sev 'error' -LogData (Get-CippException -Exception $_)
-        return $message
+        $ErrorMessage = Get-CippException -Exception $_
+        $Results = "Failed to add user $($Member) to $($GroupId) - $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'error' -LogData $ErrorMessage
+        throw $Results
     }
 }