Bugfixes & new audit log search function

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -91,6 +91,20 @@ function Add-CIPPDelegatedPermission {
             $CreateRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants' -tenantid $Tenantfilter -body $Createbody -type POST -NoAuthCheck $true
             $Results.add("Successfully added permissions for $($svcPrincipalId.displayName)")
         } else {
+            # Cleanup multiple scope entries and patch first id
+            if (($OldScope.id | Measure-Object).Count -gt 1) {
+                $OldScopeId = $OldScope.id[0]
+                $OldScope.id | ForEach-Object {
+                    if ($_ -ne $OldScopeId) {
+                        try {
+                            $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$_" -tenantid $Tenantfilter -type DELETE -NoAuthCheck $true
+                        } catch {
+                        }
+                    }
+                }
+            } else {
+                $OldScopeId = $OldScope.id
+            }
             $compare = Compare-Object -ReferenceObject $OldScope.scope.Split(' ') -DifferenceObject $NewScope.Split(' ')
             if (!$compare) {
                 $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)")
@@ -99,8 +113,12 @@ function Add-CIPPDelegatedPermission {
             $Patchbody = @{
                 scope = "$NewScope"
             } | ConvertTo-Json -Compress
-            $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($OldScope.id)" -tenantid $Tenantfilter -body $Patchbody -type PATCH -NoAuthCheck $true
-
+            try {
+                $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($OldScopeId)" -tenantid $Tenantfilter -body $Patchbody -type PATCH -NoAuthCheck $true
+            } catch {
+                $Results.add("Failed to update permissions for $($svcPrincipalId.displayName): $(Get-NormalizedError -message $_.Exception.Message)")
+                continue
+            }
             # Added permissions
             $Added = ($Compare | Where-Object { $_.SideIndicator -eq '=>' }).InputObject -join ' '
             $Removed = ($Compare | Where-Object { $_.SideIndicator -eq '<=' }).InputObject -join ' '

Modules/CIPPCore/Public/AdditionalPermissions.json

@@ -1,13 +1,24 @@
 [
   {
-    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
-    "resourceAccess": [{ "id": "AllProfiles.Manage", "type": "Scope" }]
+    "resourceAppId": "00000006-0000-0ff1-ce00-000000000000",
+    "resourceAccess": [
+      {
+        "id": "M365AdminPortal.IntegratedApps.ReadWrite",
+        "type": "Scope"
+      },
+      {
+        "id": "user_impersonation",
+        "type": "Scope"
+      }
+    ]
   },
   {
-    "resourceAppId": "00000006-0000-0ff1-ce00-000000000000",
+    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
     "resourceAccess": [
-      { "id": "M365AdminPortal.IntegratedApps.ReadWrite", "type": "Scope" },
-      { "id": "user_impersonation", "type": "Scope" }
+      {
+        "id": "AllProfiles.Manage",
+        "type": "Scope"
+      }
     ]
   }
-]
+]

Modules/CIPPCore/Public/AuditLogs/New-CippAuditLogSearch.ps1

@@ -0,0 +1,156 @@
+function New-CippAuditLogSearch {
+    <#
+    .SYNOPSIS
+        Create a new audit log search
+    .DESCRIPTION
+        Create a new audit log search in Microsoft Graph Security API
+    .PARAMETER DisplayName
+        The display name of the audit log search. Default is 'CIPP Audit Search - ' + current date and time.
+    .PARAMETER TenantFilter
+        The tenant to filter on.
+    .PARAMETER StartTime
+        The start time to filter on.
+    .PARAMETER EndTime
+        The end time to filter on.
+    .PARAMETER RecordTypeFilters
+        The record types to filter on.
+    .PARAMETER KeywordFilter
+        The keyword to filter on.
+    .PARAMETER ServiceFilter
+        The service to filter on.
+    .PARAMETER OperationsFilters
+        The operations to filter on.
+    .PARAMETER UserPrincipalNameFilters
+        The user principal names to filter on.
+    .PARAMETER IPAddressFilter
+        The IP addresses to filter on.
+    .PARAMETER ObjectIdFilters
+        The object IDs to filter on.
+    .PARAMETER AdministrativeUnitFilters
+        The administrative units to filter on.
+    #>
+    [CmdletBinding(SupportsShouldProcess = $true)]
+    param(
+        [Parameter()]
+        [string]$DisplayName = 'CIPP Audit Search - ' + (Get-Date).ToString('yyyy-MM-dd HH:mm:ss'),
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [Parameter(Mandatory = $true)]
+        [datetime]$StartTime,
+        [Parameter(Mandatory = $true)]
+        [datetime]$EndTime,
+        [Parameter()]
+        [ValidateSet(
+            'exchangeAdmin', 'exchangeItem', 'exchangeItemGroup', 'sharePoint', 'syntheticProbe', 'sharePointFileOperation',
+            'oneDrive', 'azureActiveDirectory', 'azureActiveDirectoryAccountLogon', 'dataCenterSecurityCmdlet',
+            'complianceDLPSharePoint', 'sway', 'complianceDLPExchange', 'sharePointSharingOperation',
+            'azureActiveDirectoryStsLogon', 'skypeForBusinessPSTNUsage', 'skypeForBusinessUsersBlocked',
+            'securityComplianceCenterEOPCmdlet', 'exchangeAggregatedOperation', 'powerBIAudit', 'crm', 'yammer',
+            'skypeForBusinessCmdlets', 'discovery', 'microsoftTeams', 'threatIntelligence', 'mailSubmission',
+            'microsoftFlow', 'aeD', 'microsoftStream', 'complianceDLPSharePointClassification', 'threatFinder',
+            'project', 'sharePointListOperation', 'sharePointCommentOperation', 'dataGovernance', 'kaizala',
+            'securityComplianceAlerts', 'threatIntelligenceUrl', 'securityComplianceInsights', 'mipLabel',
+            'workplaceAnalytics', 'powerAppsApp', 'powerAppsPlan', 'threatIntelligenceAtpContent', 'labelContentExplorer',
+            'teamsHealthcare', 'exchangeItemAggregated', 'hygieneEvent', 'dataInsightsRestApiAudit',
+            'informationBarrierPolicyApplication', 'sharePointListItemOperation', 'sharePointContentTypeOperation',
+            'sharePointFieldOperation', 'microsoftTeamsAdmin', 'hrSignal', 'microsoftTeamsDevice', 'microsoftTeamsAnalytics',
+            'informationWorkerProtection', 'campaign', 'dlpEndpoint', 'airInvestigation', 'quarantine', 'microsoftForms',
+            'applicationAudit', 'complianceSupervisionExchange', 'customerKeyServiceEncryption', 'officeNative',
+            'mipAutoLabelSharePointItem', 'mipAutoLabelSharePointPolicyLocation', 'microsoftTeamsShifts', 'secureScore',
+            'mipAutoLabelExchangeItem', 'cortanaBriefing', 'search', 'wdatpAlerts', 'powerPlatformAdminDlp',
+            'powerPlatformAdminEnvironment', 'mdatpAudit', 'sensitivityLabelPolicyMatch', 'sensitivityLabelAction',
+            'sensitivityLabeledFileAction', 'attackSim', 'airManualInvestigation', 'securityComplianceRBAC',
+            'userTraining', 'airAdminActionInvestigation', 'mstic', 'physicalBadgingSignal', 'teamsEasyApprovals',
+            'aipDiscover', 'aipSensitivityLabelAction', 'aipProtectionAction', 'aipFileDeleted', 'aipHeartBeat',
+            'mcasAlerts', 'onPremisesFileShareScannerDlp', 'onPremisesSharePointScannerDlp', 'exchangeSearch',
+            'sharePointSearch', 'privacyDataMinimization', 'labelAnalyticsAggregate', 'myAnalyticsSettings',
+            'securityComplianceUserChange', 'complianceDLPExchangeClassification', 'complianceDLPEndpoint',
+            'mipExactDataMatch', 'msdeResponseActions', 'msdeGeneralSettings', 'msdeIndicatorsSettings',
+            'ms365DCustomDetection', 'msdeRolesSettings', 'mapgAlerts', 'mapgPolicy', 'mapgRemediation',
+            'privacyRemediationAction', 'privacyDigestEmail', 'mipAutoLabelSimulationProgress',
+            'mipAutoLabelSimulationCompletion', 'mipAutoLabelProgressFeedback', 'dlpSensitiveInformationType',
+            'mipAutoLabelSimulationStatistics', 'largeContentMetadata', 'microsoft365Group', 'cdpMlInferencingResult',
+            'filteringMailMetadata', 'cdpClassificationMailItem', 'cdpClassificationDocument', 'officeScriptsRunAction',
+            'filteringPostMailDeliveryAction', 'cdpUnifiedFeedback', 'tenantAllowBlockList', 'consumptionResource',
+            'healthcareSignal', 'dlpImportResult', 'cdpCompliancePolicyExecution', 'multiStageDisposition',
+            'privacyDataMatch', 'filteringDocMetadata', 'filteringEmailFeatures', 'powerBIDlp', 'filteringUrlInfo',
+            'filteringAttachmentInfo', 'coreReportingSettings', 'complianceConnector',
+            'powerPlatformLockboxResourceAccessRequest', 'powerPlatformLockboxResourceCommand',
+            'cdpPredictiveCodingLabel', 'cdpCompliancePolicyUserFeedback', 'webpageActivityEndpoint', 'omePortal',
+            'cmImprovementActionChange', 'filteringUrlClick', 'mipLabelAnalyticsAuditRecord', 'filteringEntityEvent',
+            'filteringRuleHits', 'filteringMailSubmission', 'labelExplorer', 'microsoftManagedServicePlatform',
+            'powerPlatformServiceActivity', 'scorePlatformGenericAuditRecord', 'filteringTimeTravelDocMetadata', 'alert',
+            'alertStatus', 'alertIncident', 'incidentStatus', 'case', 'caseInvestigation', 'recordsManagement',
+            'privacyRemediation', 'dataShareOperation', 'cdpDlpSensitive', 'ehrConnector', 'filteringMailGradingResult',
+            'publicFolder', 'privacyTenantAuditHistoryRecord', 'aipScannerDiscoverEvent', 'eduDataLakeDownloadOperation',
+            'm365ComplianceConnector', 'microsoftGraphDataConnectOperation', 'microsoftPurview',
+            'filteringEmailContentFeatures', 'powerPagesSite', 'powerAppsResource', 'plannerPlan', 'plannerCopyPlan',
+            'plannerTask', 'plannerRoster', 'plannerPlanList', 'plannerTaskList', 'plannerTenantSettings',
+            'projectForTheWebProject', 'projectForTheWebTask', 'projectForTheWebRoadmap', 'projectForTheWebRoadmapItem',
+            'projectForTheWebProjectSettings', 'projectForTheWebRoadmapSettings', 'quarantineMetadata',
+            'microsoftTodoAudit', 'timeTravelFilteringDocMetadata', 'teamsQuarantineMetadata',
+            'sharePointAppPermissionOperation', 'microsoftTeamsSensitivityLabelAction', 'filteringTeamsMetadata',
+            'filteringTeamsUrlInfo', 'filteringTeamsPostDeliveryAction', 'mdcAssessments',
+            'mdcRegulatoryComplianceStandards', 'mdcRegulatoryComplianceControls', 'mdcRegulatoryComplianceAssessments',
+            'mdcSecurityConnectors', 'mdaDataSecuritySignal', 'vivaGoals', 'filteringRuntimeInfo', 'attackSimAdmin',
+            'microsoftGraphDataConnectConsent', 'filteringAtpDetonationInfo', 'privacyPortal', 'managedTenants',
+            'unifiedSimulationMatchedItem', 'unifiedSimulationSummary', 'updateQuarantineMetadata', 'ms365DSuppressionRule',
+            'purviewDataMapOperation', 'filteringUrlPostClickAction', 'irmUserDefinedDetectionSignal', 'teamsUpdates',
+            'plannerRosterSensitivityLabel', 'ms365DIncident', 'filteringDelistingMetadata',
+            'complianceDLPSharePointClassificationExtended', 'microsoftDefenderForIdentityAudit',
+            'supervisoryReviewDayXInsight', 'defenderExpertsforXDRAdmin', 'cdpEdgeBlockedMessage', 'hostedRpa',
+            'cdpContentExplorerAggregateRecord', 'cdpHygieneAttachmentInfo', 'cdpHygieneSummary',
+            'cdpPostMailDeliveryAction', 'cdpEmailFeatures', 'cdpHygieneUrlInfo', 'cdpUrlClick',
+            'cdpPackageManagerHygieneEvent', 'filteringDocScan', 'timeTravelFilteringDocScan', 'mapgOnboard'
+        )]
+        [string[]]$RecordTypeFilters,
+        [Parameter()]
+        [string]$KeywordFilter,
+        [Parameter()]
+        [string]$ServiceFilter,
+        [Parameter()]
+        [string[]]$OperationsFilters,
+        [Parameter()]
+        [string[]]$UserPrincipalNameFilters,
+        [Parameter()]
+        [string[]]$IPAddressFilter,
+        [Parameter()]
+        [string[]]$ObjectIdFilters,
+        [Parameter()]
+        [string[]]$AdministrativeUnitFilters
+    )
+
+    $SearchParams = @{
+        displayName         = 'CIPP Audit Search - ' + (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
+        filterStartDateTime = $StartTime.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
+        filterEndDateTime   = $EndTime.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
+    }
+    if ($OperationsFilters) {
+        $SearchParams.operationsFilters = $OperationsFilters
+    }
+    if ($RecordTypeFilters) {
+        $SearchParams.recordTypeFilters = @($RecordTypeFilters)
+    }
+    if ($KeywordFilter) {
+        $SearchParams.keywordFilter = $KeywordFilter
+    }
+    if ($ServiceFilter) {
+        $SearchParams.serviceFilter = $ServiceFilter
+    }
+    if ($UserPrincipalNameFilters) {
+        $SearchParams.userPrincipalNameFilters = @($UserPrincipalNameFilters)
+    }
+    if ($IPAddressFilter) {
+        $SearchParams.ipAddressFilter = @($IPAddressFilter)
+    }
+    if ($ObjectIdFilters) {
+        $SearchParams.objectIdFilters = @($ObjectIdFilters)
+    }
+    if ($AdministrativeUnitFilters) {
+        $SearchParams.administrativeUnitFilters = @($AdministrativeUnitFilters)
+    }
+
+    if ($PSCmdlet.ShouldProcess('Create a new audit log search for tenant ' + $TenantFilter)) {
+        New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/security/auditLog/queries' -body ($SearchParams | ConvertTo-Json -Compress) -tenantid $TenantFilter -AsApp $true
+    }
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecServicePrincipals.ps1

@@ -36,7 +36,11 @@ function Invoke-ExecServicePrincipals {
                 if ($Request.Query.AppId) {
                     $Action = 'Get'
                     $Results = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='$($Request.Query.AppId)')" -tenantid $TenantFilter -NoAuthCheck $true
-                } else {
+                } elseif ($Request.Query.Id) {
+                    $Action = 'Get'
+                    $Results = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals/$($Request.Query.Id)" -tenantid $TenantFilter -NoAuthCheck $true
+                }
+                else {
                     $Action = 'List'
                     $Results = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/servicePrincipals?$top=999&$orderby=displayName&$count=true' -ComplexFilter -tenantid $TenantFilter -NoAuthCheck $true
                 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Teams-Sharepoint/Invoke-ExecSetSharePointMember.ps1

@@ -9,8 +9,9 @@ Function Invoke-ExecSetSharePointMember {
     #>
     [CmdletBinding()]
     param($Request, $TriggerMetadata)
-    $GroupId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups?`$filter=mail eq '$($Request.Body.GroupID)'" -tenantid $Request.Body.TenantFilter).id
+
     if ($Request.body.SharePointType -eq 'Group') {
+        $GroupId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups?`$filter=mail eq '$($Request.Body.GroupID)'" -tenantid $Request.Body.TenantFilter).id
         if ($Request.body.Add -eq $true) {
             $Results = Add-CIPPGroupMember -GroupType 'Team' -GroupID $GroupID -Member $Request.Body.input -TenantFilter $Request.Body.TenantFilter -ExecutingUser $request.headers.'x-ms-client-principal'
         } else {

Modules/CIPPCore/Public/New-CIPPAPIConfig.ps1

@@ -8,7 +8,8 @@ function New-CIPPAPIConfig {
         $resetpassword
     )
     $null = Connect-AzAccount -Identity
-    $currentapp = (Get-AzKeyVaultSecret -VaultName $ENV:WEBSITE_DEPLOYMENT_ID -Name 'CIPPAPIAPP' -AsPlainText)
+    $VaultName = ($ENV:WEBSITE_DEPLOYMENT_ID -split '-')[0]
+    $currentapp = (Get-AzKeyVaultSecret -VaultName $VaultName -Name 'CIPPAPIAPP' -AsPlainText)
     $subscription = $($ENV:WEBSITE_OWNER_NAME).Split('+')[0]
 
     try {