From 5c2dc98a9d3dd71beb343662f8133d91e7e55047 Mon Sep 17 00:00:00 2001
From: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
Date: Fri, 3 Jul 2026 01:56:59 +0800
Subject: [PATCH 1/2] Revert permission repair changes (AsApp grant application + Jun 30 rework)
---
 .../Settings/Invoke-ExecPermissionRepair.ps1 | 23 ++++---------------
 1 file changed, 4 insertions(+), 19 deletions(-)
diff --git a/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1 b/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1
index 8cb5eb1cda8ef..513e0bd5aca07 100644
--- a/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1
+++ b/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecPermissionRepair.ps1
@@ -1,13 +1,9 @@
 function Invoke-ExecPermissionRepair {
 <#
 .SYNOPSIS
- Reconciles the CIPP-SAM permissions and re-applies them to the partner service principal.
+ This endpoint will update the CIPP-SAM app permissions.
 .DESCRIPTION
- Reconciles the saved additional-permission set (Update-CippSamPermissions), then refreshes the
- grants on the CIPP-SAM service principal in the PARTNER tenant so the current effective set
- (manifest + extras) is consented. This never writes the app registration's requiredResourceAccess;
- permissions are applied as service-principal grants, the same way the routine refresh does.
- Client tenants pick up the same effective set through their own permission refresh.
+ Merges new permissions from the SAM manifest into the AppPermissions entry for CIPP-SAM.
 .FUNCTIONALITY
 Entrypoint
 .ROLE
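Review bot: The restored `.DESCRIPTION` does not say which object this endpoint writes to, which is what an operator reviewing the app's permissions needs to know. On the new side the function body only calls `Update-CippSamPermissions`, so, if that matches the helper's behaviour after the revert, I would add a sentence such as `Only updates the stored AppPermissions entry; it does not apply or consent grants on the service principal.` That wording is inferred from the visible call and should be confirmed against the helper. The comment-based help block continues past `.ROLE`, outside this hunk.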
@@ -18,19 +14,8 @@ function Invoke-ExecPermissionRepair {
 try {
 $User = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Request.Headers.'x-ms-client-principal')) | ConvertFrom-Json
- $UpdatedBy = $User.UserDetails ?? 'CIPP-API'
-
- # 1) Reconcile the saved extras table (no app-registration write).
- $TableResult = Update-CippSamPermissions -UpdatedBy $UpdatedBy
-
- # 2) Refresh the grants on the partner CIPP-SAM service principal so the effective set
- # (manifest + extras, read from the table) is actually consented on the SP.
- $AppResults = Add-CIPPApplicationPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -TenantFilter $env:TenantID
- $DelegatedResults = Add-CIPPDelegatedPermission -RequiredResourceAccess 'CIPPDefaults' -ApplicationId $env:ApplicationID -TenantFilter $env:TenantID
-
- $Results = @($TableResult) + @($AppResults) + @($DelegatedResults) | Where-Object { $_ }
- Write-LogMessage -Headers $Request.Headers -API 'ExecPermissionRepair' -message "CIPP-SAM permissions repaired by $UpdatedBy" -Sev 'Info' -LogData @{ Results = @($Results) }
- $Body = @{'Results' = ($Results -join [Environment]::NewLine) }
+ $Result = Update-CippSamPermissions -UpdatedBy ($User.UserDetails ?? 'CIPP-API')
+ $Body = @{'Results' = $Result }
 } catch {
 $Body = @{
 'Results' = "$($_.Exception.Message) - at line $($_.InvocationInfo.ScriptLineNumber)"
From 3d835b5dab4c1749da50cdbd15e37d0750d29634 Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Thu, 2 Jul 2026 15:17:55 -0400
Subject: [PATCH 2/2] chore: bump version to 10.5.7
---
 host.json | 4 ++--
 version_latest.txt | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/host.json b/host.json
index cfa1e128d096c..2d527d8c41083 100644
--- a/host.json
+++ b/host.json
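Review bot: After this change the try block no longer writes an audit entry for the permission update: the `Write-LogMessage ... -API 'ExecPermissionRepair'` call is removed with the grant refresh, and nothing in the visible new lines records who triggered the change. Unless `Update-CippSamPermissions` logs internally (not visible here), I would keep one after the call, e.g. `Write-LogMessage -Headers $Request.Headers -API 'ExecPermissionRepair' -message 'CIPP-SAM permissions updated' -Sev 'Info' -LogData @{ Results = $Result }`. The catch block in the context lines also returns the raw exception message and script line number in `Results`; logging that detail and returning a generic message to the caller would leak less. The catch block and the rest of the function continue outside this hunk.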
@@ -16,9 +16,9 @@
 "distributedTracingEnabled": false,
 "version": "None"
 },
- "defaultVersion": "10.5.6",
+ "defaultVersion": "10.5.7",
 "versionMatchStrategy": "Strict",
 "versionFailureStrategy": "Fail"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/version_latest.txt b/version_latest.txt
index 3b24057083036..e9d57a4235a04 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-10.5.6
+10.5.7