CPV tweaks

Author: JohnDuprey

Modules/CIPPCore/Public/Add-CIPPApplicationPermission.ps1

@@ -6,7 +6,8 @@ function Add-CIPPApplicationPermission {
         $Tenantfilter
     )
     if ($ApplicationId -eq $ENV:ApplicationID -and $Tenantfilter -eq $env:TenantID) {
-        return @('Cannot modify application permissions for CIPP-SAM on partner tenant')
+        #return @('Cannot modify application permissions for CIPP-SAM on partner tenant')
+        $RequiredResourceAccess = 'CIPPDefaults'
     }
     Set-Location (Get-Item $PSScriptRoot).FullName
     if ($RequiredResourceAccess -eq 'CIPPDefaults') {

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -9,11 +9,14 @@ function Add-CIPPDelegatedPermission {
     Set-Location (Get-Item $PSScriptRoot).FullName
 
     if ($ApplicationId -eq $ENV:ApplicationID -and $Tenantfilter -eq $env:TenantID) {
-        return @('Cannot modify delgated permissions for CIPP-SAM on partner tenant')
+        #return @('Cannot modify delgated permissions for CIPP-SAM on partner tenant')
+        $RequiredResourceAccess = 'CIPPDefaults'
     }
 
     if ($RequiredResourceAccess -eq 'CIPPDefaults') {
         $RequiredResourceAccess = (Get-Content '.\SAMManifest.json' | ConvertFrom-Json).requiredResourceAccess
+        $AdditionalPermissions = Get-Content '.\AdditionalPermissions.json' | ConvertFrom-Json
+        $RequiredResourceAccess = $RequiredResourceAccess + ($AdditionalPermissions | Where-Object { $RequiredResourceAccess.resourceAppId -notcontains $_.resourceAppId })
     }
     $Translator = Get-Content '.\PermissionsTranslator.json' | ConvertFrom-Json
     $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Tenantfilter -skipTokenCache $true
@@ -22,10 +25,17 @@ function Add-CIPPDelegatedPermission {
 
     $CurrentDelegatedScopes = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals/$($ourSVCPrincipal.id)/oauth2PermissionGrants" -skipTokenCache $true -tenantid $Tenantfilter
 
-    foreach ($App in $requiredResourceAccess) {
+    foreach ($App in $RequiredResourceAccess) {
         $svcPrincipalId = $ServicePrincipalList | Where-Object -Property AppId -EQ $App.resourceAppId
+        $AdditionalScopes = ($AdditionalPermissions | Where-Object -Property resourceAppId -EQ $App.resourceAppId).resourceAccess
         if (!$svcPrincipalId) { continue }
-        $NewScope = ($Translator | Where-Object { $_.id -in $App.ResourceAccess.id }).value -join ' '
+        if ($AdditionalScopes) {
+            $NewScope = (($Translator | Where-Object { $_.id -in $App.ResourceAccess.id }).value + $AdditionalScopes.id | Select-Object -Unique) -join ' '
+            Write-Host "NEW SCOPE: $NewScope"
+        } else {
+            $NewScope = ($Translator | Where-Object { $_.id -in $App.ResourceAccess.id }).value -join ' '
+        }
+
         $OldScope = ($CurrentDelegatedScopes | Where-Object -Property Resourceid -EQ $svcPrincipalId.id)
 
         if (!$OldScope) {

Modules/CIPPCore/Public/AdditionalPermissions.json

@@ -0,0 +1,15 @@
+[
+  {
+    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
+    "resourceAccess": [{ "id": "AllProfiles.Manage", "type": "Scope" }]
+  },
+  {
+    "resourceAppId": "fb78d390-0c51-40cd-8e17-fdbfab77341b",
+    "resourceAccess": [
+      { "id": "AdminApi.AccessAsUser.All", "type": "Scope" },
+      { "id": "FfoPowerShell.AccessAsUser.All", "type": "Scope" },
+      { "id": "RemotePowerShell.AccessAsUser.All", "type": "Scope" },
+      { "id": "VivaFeatureAccessPolicy.Manage.All", "type": "Scope" }
+    ]
+  }
+]

Modules/CIPPCore/Public/SAMManifest.json

@@ -172,8 +172,7 @@
     {
       "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
       "resourceAccess": [
-        { "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0", "type": "Scope" },
-        { "id": "ec4fc4c8-872e-442b-a2a2-d095575807b3", "type": "Scope" }
+        { "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0", "type": "Scope" }
       ]
     },
     {