From 45d9c01657316af7a125373288a50cc66e830854 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Bentsen=20Kj=C3=A6rg=C3=A5rd=20=28KBK=29?=
Date: Fri, 6 Sep 2024 08:57:51 +0200
Subject: [PATCH 1/5] Refactor Push-DomainAnalyserDomain to handle MS CNAME DKIM errors without breaking the whole domain function

---
 .../Domain Analyser/Push-DomainAnalyserDomain.ps1 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1
index ff311a85737e..59a1edd9b8f1 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1
@@ -256,7 +256,7 @@ function Push-DomainAnalyserDomain {
 continue
 }
 # Test if there are already MSCNAME values set, skip domain if there is
- $CurrentMSCNAMEInfo = ConvertFrom-Json $DomainObject.DomainAnalyser -Depth 10
+ $CurrentMSCNAMEInfo = ConvertFrom-Json $DomainObject.DomainAnalyser -Depth 10 -ErrorAction SilentlyContinue
 if (![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector1.Value) -and
 ![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector2.Value)) {
 $Result.MSCNAMEDKIMSelectors = $CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors
@@ -298,9 +298,9 @@ function Push-DomainAnalyserDomain {
 }
 $Result.MSCNAMEDKIMSelectors = $MSCNAMERecords
 } catch {
- $Message = 'MS DKIM CNAME Error'
- Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
- return $Message
+ $ErrorMessage = Get-CippException -Exception $_
+ Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message "MS CNAME DKIM error: $($ErrorMessage.NormalizedError)" -LogData $ErrorMessage -sev Error
+ return $ErrorMessage.NormalizedError
 }
 }

From 3164818bd2baa9e4c285d2b07a0cf4641f69fadd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Bentsen=20Kj=C3=A6rg=C3=A5rd=20=28KBK=29?=
Date: Fri, 6 Sep 2024 09:05:33 +0200
Subject: [PATCH 2/5] This fix works

---
 .../Domain Analyser/Push-DomainAnalyserDomain.ps1 | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1
index 59a1edd9b8f1..a787676e9de2 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1
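Review bot: The catch still `return`s, now with the normalized error text as the function's result, so whatever `$Result` already holds for this domain (the other checks, plus any `MSCNAMEDKIMSelectors` restored from the cached value) is discarded and the caller receives a bare string in its place — which looks like the "breaking the whole domain function" the commit title says it avoids, if Push-DomainAnalyserDomain normally returns `$Result` (the function's tail is outside the hunk). Recording the failure on the result instead, e.g. `$Result.MSCNAMEDKIMSelectors = $ErrorMessage.NormalizedError` or a dedicated error field, and letting the function fall through keeps the domain's other results intact and makes the failure visible in the stored analysis rather than only in the log. The logging itself is fine; `-LogData $ErrorMessage` already carries the full exception, so the inline NormalizedError in `-message` is a readability aid only.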
@@ -256,13 +256,16 @@ function Push-DomainAnalyserDomain {
 continue
 }
 # Test if there are already MSCNAME values set, skip domain if there is
- $CurrentMSCNAMEInfo = ConvertFrom-Json $DomainObject.DomainAnalyser -Depth 10 -ErrorAction SilentlyContinue
- if (![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector1.Value) -and
- ![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector2.Value)) {
- $Result.MSCNAMEDKIMSelectors = $CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors
- continue
+ if ($null -ne $DomainObject.DomainAnalyser) {
+ $CurrentMSCNAMEInfo = ConvertFrom-Json $DomainObject.DomainAnalyser -Depth 10
+ if (![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector1.Value) -and
+ ![string]::IsNullOrWhiteSpace($CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors.selector2.Value)) {
+ $Result.MSCNAMEDKIMSelectors = $CurrentMSCNAMEInfo.MSCNAMEDKIMSelectors
+ continue
+ }
 }
+ # Compute the DKIM CNAME records from $Tenant.InitialDomainName according to this logic: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure#syntax-for-dkim-cname-records
 # Test if it has a - in the domain name
 if ($Domain -like '*-*') {

From 04f03c1eaf515de1dc5ad29f1ba03ec141935941 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Mon, 16 Sep 2024 21:54:30 +0200
Subject: [PATCH 3/5] Fixed typo causing invalid select

---
 Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
index f720cf05d8d7..9d829df360a4 100644
--- a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
+++ b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
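Review bot: The new `$null -ne $DomainObject.DomainAnalyser` guard lets an empty or whitespace-only string through to `ConvertFrom-Json`, which rejects an empty `InputObject` at parameter binding, and the `-ErrorAction SilentlyContinue` from the previous commit is dropped at the same time, so a blank or malformed cached value now terminates this domain's analysis instead of falling through to the recompute below. The very next line already uses `[string]::IsNullOrWhiteSpace`, so the same test fits the guard: `if (-not [string]::IsNullOrWhiteSpace($DomainObject.DomainAnalyser)) {`. If the table cell can contain anything other than JSON this function wrote, wrapping the conversion in `try { … } catch { $CurrentMSCNAMEInfo = $null }` keeps a corrupt cached record from blocking the fresh computation. The enclosing loop starts and ends outside the hunk.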
@@ -55,7 +55,7 @@ function Get-Tenants {
 }
 if ($CleanOld) {
- $GDAPRelationships = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships?`$filter=status eq 'active' and not startsWith(displayName,'MLT_')&`$select=customer,autoExtendDuration,endDateTime`$top=300" -NoAuthCheck:$true
+ $GDAPRelationships = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships?`$filter=status eq 'active' and not startsWith(displayName,'MLT_')&`$select=customer,autoExtendDuration,endDateTime&`$top=300" -NoAuthCheck:$true
 $GDAPList = foreach ($Relationship in $GDAPRelationships) {
 [PSCustomObject]@{
 customerId = $Relationship.customer.tenantId

From 74952d0869c513b4f7b7154c8f9bb76228f0f969 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Mon, 16 Sep 2024 23:27:24 +0200
Subject: [PATCH 4/5] Fix default domain duplication when using alternate method

If tenant is deleted it would set the default domain of the deleted tenant, to be the one from the previous one right before it

---
 Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
index 9d829df360a4..0fdcf0571a64 100644
--- a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
+++ b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
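Review bot: With the missing `&` restored, `$top=300` is now actually honoured, so this request returns at most 300 relationships per page; if `New-GraphGetRequest` does not follow `@odata.nextLink` (not visible here), a partner with more than 300 active GDAP relationships gets a truncated `$GDAPList`, and because this runs under `if ($CleanOld)` the tenants missing from that list may be treated as no longer present. Worth confirming that the helper pages through results, or dropping the `$top` cap and letting the endpoint page at its default size so the clean-up is driven by the complete set. The `if ($CleanOld) {` body continues outside the hunk.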
@@ -111,13 +111,16 @@ function Get-Tenants {
 } catch {
 try {
 #doing alternative method to temporarily get domains. Nightly refresh will fix this as it will be marked for renew.
+ Write-Host 'Main method failed, trying alternative method.'
 $Domain = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='$($LatestRelationship.customerId)')" -NoAuthCheck:$true).defaultDomainName
+ Write-Host "Alternative method worked, got domain $Domain."
 $defaultDomainName = $Domain
 $initialDomainName = $Domain
 $RequiresRefresh = $true
 
 } catch {
- Write-LogMessage -API 'Get-Tenants' -message "Tried adding $($LatestRelationship.customerId) to tenant list but failed to get domains - $($_.Exception.Message)" -level 'Critical'
+ $ErrorMessage = Get-CippException -Exception $_
+ Write-LogMessage -API 'Get-Tenants' -message "Tried adding $($LatestRelationship.customerId) to tenant list but failed to get domains - $($ErrorMessage.NormalizedError)" -Sev 'Critical' -LogData $ErrorMessage
 }
 }
 Write-Host 'finished getting domain'

From abeaa39089a8b3f0e517ae79b7c92be4bae545f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Mon, 16 Sep 2024 23:40:40 +0200
Subject: [PATCH 5/5] So actually this was the fix instead since when it errored out, the defaultDomainName and initialDomainName variables would still have the values of the previous loop

---
 .../CIPPCore/Public/GraphHelper/Get-Tenants.ps1 | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
index 0fdcf0571a64..446a1c5fc5ac 100644
--- a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
+++ b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1
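Review bot: The rewritten catch switches this call to `-Sev 'Critical'`, but the other `Write-LogMessage` in the same function (the "We're skipping …" message, visible as context in the last patch of this series) still passes `-level 'Critical'`; if `-level` is not a parameter or alias Write-LogMessage accepts, that call raises a parameter-binding error inside the tenant loop instead of logging, so the two calls should agree on the parameter name. The `Get-CippException` / `-LogData $ErrorMessage` pairing here matches the Push-DomainAnalyserDomain change and is the right shape. The enclosing `ForEach-Object` block starts and ends outside the hunk.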
@@ -86,7 +86,9 @@ function Get-Tenants {
 $ActiveRelationships = $GDAPList | Where-Object $IncludedTenantFilter | Where-Object { $_.customerId -notin $SkipListCache.customerId }
 $TenantList = $ActiveRelationships | Group-Object -Property customerId | ForEach-Object {
- #Write-Host "Processing $($_.Name) to add to tenant list."
+
+ # Write-Host (ConvertTo-Json -InputObject $_ -Depth 10)
+ # Write-Host "Processing $($_.Name), $($_.displayName) to add to tenant list."
 $ExistingTenantInfo = Get-CIPPAzDataTableEntity @TenantsTable -Filter "PartitionKey eq 'Tenants' and RowKey eq '$($_.Name)'"
 if ($TriggerRefresh.IsPresent -and $ExistingTenantInfo.customerId) {
 # Reset error count
@@ -112,15 +114,16 @@ function Get-Tenants {
 try {
 #doing alternative method to temporarily get domains. Nightly refresh will fix this as it will be marked for renew.
 Write-Host 'Main method failed, trying alternative method.'
- $Domain = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='$($LatestRelationship.customerId)')" -NoAuthCheck:$true).defaultDomainName
+ Write-Host "Domain variable is $Domain"
+ $Domain = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByTenantId(tenantId='$($LatestRelationship.customerId)')" -NoAuthCheck:$true ).defaultDomainName
 Write-Host "Alternative method worked, got domain $Domain."
- $defaultDomainName = $Domain
- $initialDomainName = $Domain
 $RequiresRefresh = $true
-
 } catch {
 $ErrorMessage = Get-CippException -Exception $_
- Write-LogMessage -API 'Get-Tenants' -message "Tried adding $($LatestRelationship.customerId) to tenant list but failed to get domains - $($ErrorMessage.NormalizedError)" -Sev 'Critical' -LogData $ErrorMessage
+ Write-LogMessage -API 'Get-Tenants' -message "Tried adding $($LatestRelationship.customerId) to tenant list but failed to get domains - $($_.Exception.Message)" -Sev 'Critical' -LogData $ErrorMessage
+ } finally {
+ $defaultDomainName = $Domain
+ $initialDomainName = $Domain
 }
 }
 Write-Host 'finished getting domain'
@@ -178,7 +181,7 @@ function Get-Tenants {
 }
 foreach ($Tenant in $TenantList | Where-Object $IncludedTenantFilter) {
- if ($Tenant.defaultDomainName -eq 'Invalid' -or !$Tenant.defaultDomainName) {
+ if ($Tenant.defaultDomainName -eq 'Invalid' -or [string]::IsNullOrWhiteSpace($Tenant.defaultDomainName)) {
 Write-LogMessage -API 'Get-Tenants' -message "We're skipping $($Tenant.displayName) as it has an invalid default domain name. Something is up with this instance." -level 'Critical'
 continue
 }
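Review bot: The new `finally` block assigns `$defaultDomainName` and `$initialDomainName` from `$Domain`, but when `New-GraphGetRequest` throws, `$Domain` has not been assigned in this iteration and still holds the previous tenant's value (the added `Write-Host "Domain variable is $Domain"` prints exactly that leftover), so the failure path still copies the previous tenant's domain onto this one — the duplication the commit message describes — unless the main-method code above the hunk resets it. Clearing it at the top of the inner `try`, `$Domain = $null`, makes `finally` store `$null` on failure so the tightened `IsNullOrWhiteSpace` check in the second hunk skips the tenant instead of registering it under someone else's domain. The catch also reverts `-message` to `$($_.Exception.Message)` while `$ErrorMessage` is still computed for `-LogData`; keeping `$($ErrorMessage.NormalizedError)`, as the line read before this change, keeps the two in step. The `Write-Host` lines read like debugging leftovers and would be better as `Write-Verbose` or removed. The enclosing `ForEach-Object` block starts and ends outside the hunk.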