Merged
@@ -1,13 +1,9 @@
function Invoke-ExecPermissionRepair {
<#
.SYNOPSIS
Reconciles the CIPP-SAM permissions and re-applies them to the partner service principal.
This endpoint will update the CIPP-SAM app permissions.
.DESCRIPTION
Reconciles the saved additional-permission set (Update-CippSamPermissions), then refreshes the
grants on the CIPP-SAM service principal in the PARTNER tenant so the current effective set
(manifest + extras) is consented. This never writes the app registration's requiredResourceAccess;
permissions are applied as service-principal grants, the same way the routine refresh does.
Client tenants pick up the same effective set through their own permission refresh.
Merges new permissions from the SAM manifest into the AppPermissions entry for CIPP-SAM.
.FUNCTIONALITY
Entrypoint
.ROLE
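Review bot: the new .DESCRIPTION should state that this endpoint acts only on the partner tenant's service principal and does not trigger the client-tenant refresh it mentions; as written, "Client tenants pick up the same effective set through their own permission refresh" can be read as if this call does that for them. Also worth a short note here: the body still passes `-RequiredResourceAccess 'CIPPDefaults'` to the Add-CIPP*Permission calls, which sits awkwardly next to the promise that the function "never writes the app registration's requiredResourceAccess"; a sentence clarifying that the parameter names the permission set to grant, not a write to the app manifest, would prevent that misreading.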
@@ -18,19 +14,8 @@ function Invoke-ExecPermissionRepair {

try {
$User = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
$UpdatedBy = $User.UserDetails ?? 'CIPP-API'

# 1) Reconcile the saved extras table (no app-registration write).
$TableResult = Update-CippSamPermissions -UpdatedBy $UpdatedBy

# 2) Refresh the grants on the partner CIPP-SAM service principal so the effective set
# (manifest + extras, read from the table) is actually consented on the SP.
$AppResults = Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -TenantFilter $env:TenantID
$DelegatedResults = Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -TenantFilter $env:TenantID

$Results = @($TableResult) + @($AppResults) + @($DelegatedResults) | Where-Object { $_ }
Write-LogMessage -Headers $Request.Headers -API 'ExecPermissionRepair' -message "CIPP-SAM permissions repaired by $UpdatedBy" -Sev 'Info' -LogData @{ Results = @($Results) }
$Body = @{'Results' = ($Results -join [Environment]::NewLine) }
$Result = Update-CippSamPermissions -UpdatedBy ($User.UserDetails ?? 'CIPP-API')
$Body = @{'Results' = $Result }
} catch {
$Body = @{
'Results' = "$($_.Exception.Message) - at line $($_.InvocationInfo.ScriptLineNumber)"
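Review bot: the success path has no failure check between steps 1 and 2 or after them: `$TableResult`, `$AppResults` and `$DelegatedResults` are flattened into one array, and `Write-LogMessage` reports "CIPP-SAM permissions repaired" at `-Sev 'Info'` no matter what those strings contain, so only a thrown exception ever reaches the `catch`. If `Update-CippSamPermissions` or either `Add-CIPP*Permission` call reports a problem in its return text rather than throwing, the service principal is left with a stale or partially consented set while the response and the log both say "repaired". Suggest testing the results for an error marker (or having those functions throw) and logging `-Sev 'Error'` on a partial failure, and skipping step 2 when step 1 did not succeed, since the refresh reads the set from the table that step 1 just reconciled. Minor: the `Where-Object { $_ }` filter and `-join [Environment]::NewLine` handle an empty or single-string result correctly, so the formatting change itself looks fine.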
4 changes: 2 additions & 2 deletions host.json
@@ -16,9 +16,9 @@
"distributedTracingEnabled": false,
"version": "None"
},
"defaultVersion": "10.5.6",
"defaultVersion": "10.5.7",
"versionMatchStrategy": "Strict",
"versionFailureStrategy": "Fail"
}
}
}
}
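Review bot: the `defaultVersion` bump to 10.5.7 is consistent with the matching change to version_latest.txt in this PR, which matters here because the unchanged context shows `"versionMatchStrategy": "Strict"` and `"versionFailureStrategy": "Fail"`, so a version that moves in one file but not the other would fail at host startup rather than degrade quietly. Worth keeping both files in the same commit whenever the version changes.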
2 changes: 1 addition & 1 deletion version_latest.txt
@@ -1 +1 @@
10.5.6
10.5.7