diff --git a/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1 b/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1
index 8cb5eb1cda8ef..513e0bd5aca07 100644
--- a/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1
+++ b/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1
@@ -1,13 +1,9 @@
 function Invoke-ExecPermissionRepair {
 <#
 .SYNOPSIS
- Reconciles the CIPP-SAM permissions and re-applies them to the partner service principal.
+ This endpoint will update the CIPP-SAM app permissions.
 .DESCRIPTION
- Reconciles the saved additional-permission set (Update-CippSamPermissions), then refreshes the
- grants on the CIPP-SAM service principal in the PARTNER tenant so the current effective set
- (manifest + extras) is consented. This never writes the app registration's requiredResourceAccess;
- permissions are applied as service-principal grants, the same way the routine refresh does.
- Client tenants pick up the same effective set through their own permission refresh.
+ Merges new permissions from the SAM manifest into the AppPermissions entry for CIPP-SAM.
 .FUNCTIONALITY
 Entrypoint
 .ROLE
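Review bot: The rewritten .DESCRIPTION no longer says whether this endpoint consents anything on the CIPP-SAM service principal, which the removed text stated explicitly and which an operator calling a "repair" endpoint will assume it does. Since the body in the next hunk now only calls Update-CippSamPermissions, the help should spell that out, for example `Merges new permissions from the SAM manifest into the AppPermissions entry for CIPP-SAM. It does not apply or consent those permissions on the service principal; the routine permission refresh does that.` The second sentence is inferred from the visible call alone, so confirm it against Update-CippSamPermissions before wording it as fact.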
@@ -18,19 +14,8 @@ function Invoke-ExecPermissionRepair {
 try {
 $User = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
- $UpdatedBy = $User.UserDetails ?? 'CIPP-API'
-
- # 1) Reconcile the saved extras table (no app-registration write).
- $TableResult = Update-CippSamPermissions -UpdatedBy $UpdatedBy
-
- # 2) Refresh the grants on the partner CIPP-SAM service principal so the effective set
- # (manifest + extras, read from the table) is actually consented on the SP.
- $AppResults = Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -TenantFilter $env:TenantID
- $DelegatedResults = Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -TenantFilter $env:TenantID
-
- $Results = @($TableResult) + @($AppResults) + @($DelegatedResults) | Where-Object { $_ }
- Write-LogMessage -Headers $Request.Headers -API 'ExecPermissionRepair' -message "CIPP-SAM permissions repaired by $UpdatedBy" -Sev 'Info' -LogData @{ Results = @($Results) }
- $Body = @{'Results' = ($Results -join [Environment]::NewLine) }
+ $Result = Update-CippSamPermissions -UpdatedBy ($User.UserDetails ?? 'CIPP-API')
+ $Body = @{'Results' = $Result }
 } catch {
 $Body = @{ 'Results' = "$($_.Exception.Message) - at line $($_.InvocationInfo.ScriptLineNumber)"
diff --git a/host.json b/host.json
index cfa1e128d096c..2d527d8c41083 100644
--- a/host.json
+++ b/host.json
@@ -16,9 +16,9 @@
 "distributedTracingEnabled": false,
 "version": "None"
 },
- "defaultVersion": "10.5.6",
+ "defaultVersion": "10.5.7",
 "versionMatchStrategy": "Strict",
 "versionFailureStrategy": "Fail"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/version_latest.txt b/version_latest.txt
index 3b24057083036..e9d57a4235a04 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-10.5.6
+10.5.7
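Review bot: The Write-LogMessage call that recorded who triggered the permission repair is dropped together with the grant refresh, so this privileged settings endpoint no longer writes its own audit entry unless Update-CippSamPermissions logs internally, which is not visible here. Keeping a one-line record next to the new call preserves the trail: `Write-LogMessage -Headers $Request.Headers -API 'ExecPermissionRepair' -message "CIPP-SAM permissions updated by $($User.UserDetails ?? 'CIPP-API')" -Sev 'Info'`. The new `$Body = @{'Results' = $Result }` also returns whatever Update-CippSamPermissions yields rather than the joined string the old code produced, so the response shape may change for the caller if that value is an array. The enclosing try/catch and the response write continue outside the hunk, and the hunk header counts suggest two whitespace-only context lines were lost in rendering.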