

Merge pull request #2468 from subray2014/users/subray/retireDirectorySettings

Change preapproval cmdlets to not call directory settings APIs
timayabi2020 authored Dec 4, 2023
2 parents 4550a3b + 165f558 commit 2cef221
Showing 5 changed files with 138 additions and 232 deletions.
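--- a/src/Teams/beta/custom/GetMgBetaTeamRscConfiguration_Get.cs
+++ b/src/Teams/beta/custom/GetMgBetaTeamRscConfiguration_Get.cs
@@ -242,11 +242,6 @@ protected override void ProcessRecord()
 
 WriteVerbose($"Fetched permission grant policies for tenant.");
 
-// Get Group consent settings
-MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection = await this.Client.GetTenantConsentSettings(this, Pipeline);
-
-WriteVerbose($"Fetched Tenant App Settings for tenant.");
-
 if (((Microsoft.Graph.Beta.PowerShell.Runtime.IEventListener)this).Token.IsCancellationRequested) { return; }
 
 // Get authorization policy
@@ -259,7 +254,6 @@ protected override void ProcessRecord()
 RscConfigurationSynthesizer rscConfigurationConverter = new RscConfigurationSynthesizer();
 Models.IMicrosoftGraphRscConfiguration microsoftGraphRscConfiguration = rscConfigurationConverter.ConvertToTeamRscConfiguration(
 permissionGrantPolicyCollection,
-tenantConsentSettingCollection,
 authorizationPolicy,
 this);
 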
4 changes: 2 additions & 2 deletions src/Teams/beta/custom/MicrosoftGraphRscConfigurationState.cs
Expand Up @@ -24,9 +24,9 @@ public enum MicrosoftGraphRscConfigurationState
EnabledForAllApps,

/// <summary>
/// Enabled for selected group of users.
/// RSC configuration is managed by Microsoft.
/// </summary>
EnabledForSelectedGroupOfUsers,
ManagedByMicrosoft,

/// <summary>
/// Custom configuration not understood by the sdk.
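Review bot: Replacing the public enum member `EnabledForSelectedGroupOfUsers` with `ManagedByMicrosoft` at the same position is a breaking change for any caller or script that referenced the old name, and since no explicit numeric values are visible on these members the new one inherits the ordinal the old one had, so anything that persisted or compared the integer value would silently read a different meaning. If existing consumers may still reference the old name, consider keeping it after the current members as `[Obsolete("No longer synthesized; see ManagedByMicrosoft.")] EnabledForSelectedGroupOfUsers,` so the ordinals of the live members are unaffected, or call the break out in the release notes. The enum's remaining members are outside the hunk.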
192 changes: 78 additions & 114 deletions src/Teams/beta/custom/RscConfigurationSynthesizer.cs
Expand Up @@ -13,17 +13,19 @@
/// </summary>
internal class RscConfigurationSynthesizer
{
internal const string MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval = "ManagePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-chat";
internal const string GroupConsentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a";

internal const string MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval = "ManagePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-group";
internal const string MicrosoftCreatedPermissionGrantPolicyEnabledForPreapprovedAppsForChats = "ManagePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-chat";

internal const string MicrosoftCreatedPermissionGrantPolicyForUserConsentLegacy = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy";
internal const string MicrosoftCreatedPermissionGrantPolicyEnabledForAllAppsForChats = "ManagePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-chat";

internal const string GroupConsentSettingsTemplateId = "dffd5d46-495d-40a9-8e21-954ff55e198a";
internal const string MicrosoftCreatedPermissionGrantPolicyManagedByMicrosoftForChats = "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat";

internal const string EnableGroupSpecificConsentKey = "EnableGroupSpecificConsent";
internal const string MicrosoftCreatedPermissionGrantPolicyEnabledForPreapprovedAppsForTeams = "ManagePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-team";

internal const string ConstrainGroupSpecificConsentToMembersOfGroupIdKey = "ConstrainGroupSpecificConsentToMembersOfGroupId";
internal const string MicrosoftCreatedPermissionGrantPolicyEnabledForAllAppsForTeams = "ManagePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-team";

internal const string MicrosoftCreatedPermissionGrantPolicyManagedByMicrosoftForTeams = "ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team";

/// <summary>
/// Initializes a new instance of the <see cref="RscConfigurationSynthesizer"/> class.
Expand Down Expand Up @@ -82,33 +84,54 @@ internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration(

if (teamsAppSettings.IsChatResourceSpecificConsentEnabled == true)
{
if (assignedPermissionGrantPoliciesApplicableToChatScope.Any())
{
this.LogVerbose(
"Chat RSC is enabled in Teams App Settings and chat scoped permission grant policies are enabled. Not a supported scenario.",
eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
}
else
{
this.LogVerbose("Chat RSC is enabled in Teams App Settings.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps;
}
this.LogVerbose("Chat RSC is enabled in Teams App Settings.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps;
}
else if (assignedPermissionGrantPoliciesApplicableToChatScope.Any())
{
if (assignedPermissionGrantPoliciesApplicableToChatScope.Any(pgp => !string.Equals(
pgp.ManagePermissionGrantsForOwnedResourcePrefixedId,
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForChatRscPreApproval,
StringComparison.OrdinalIgnoreCase)))
int interestingPermissionGrantPolicyCount = assignedPermissionGrantPoliciesApplicableToChatScope.Count();

if (interestingPermissionGrantPolicyCount > 1)
{
this.LogVerbose("Unknown chat scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
this.LogVerbose("Multiple chat scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
}
else if (interestingPermissionGrantPolicyCount == 0)
{
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.DisabledForAllApps;
}
else
{
this.LogVerbose("Authorization policy contains permission grant policy for chat RSC preapprovals.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly;
MGTeamsInternalPermissionGrantPolicy interestingPermissionGrantPolicy =
assignedPermissionGrantPoliciesApplicableToChatScope.Single();

if (string.Equals(
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyEnabledForAllAppsForChats,
StringComparison.OrdinalIgnoreCase))
{
this.LogVerbose("Authorization policy contains permission grant policy for all chat RSC applications.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps;
}
else if (string.Equals(
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyEnabledForPreapprovedAppsForChats,
StringComparison.OrdinalIgnoreCase))
{
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly;
}
else if (string.Equals(
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyManagedByMicrosoftForChats,
StringComparison.OrdinalIgnoreCase))
{
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.ManagedByMicrosoft;
}
else
{
this.LogVerbose("Unknown chat scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
}
}
}
else
Expand All @@ -124,12 +147,10 @@ internal MicrosoftGraphRscConfiguration ConvertToChatRscConfiguration(
/// Convert the given tenant settings to Team RSC configuration.
/// </summary>
/// <param name="permissionGrantPolicyCollection">Permission grant policy collection.</param>
/// <param name="tenantConsentSettingCollection">Tenant consent setting collection.</param>
/// <param name="authorizationPolicy">Authorization policy.</param>
/// <returns>Rsc configuration.</returns>
internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration(
MGTeamsInternalPermissionGrantPolicyCollection permissionGrantPolicyCollection,
MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection,
MGTeamsInternalAuthorizationPolicy authorizationPolicy,
Runtime.IEventListener eventListener)
{
Expand All @@ -140,13 +161,6 @@ internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration(
"Permission grant policies were not found.");
}

if (tenantConsentSettingCollection?.Value == null)
{
throw new MGTeamsInternalException(
MGTeamsInternalErrorType.ResourceNotFound,
"Tenant consent settings were not found.");
}

if (authorizationPolicy == null)
{
throw new MGTeamsInternalException(
Expand All @@ -161,58 +175,53 @@ internal IMicrosoftGraphRscConfiguration ConvertToTeamRscConfiguration(
State = MicrosoftGraphRscConfigurationState.Custom
};

(string isGroupConsentSettingEnabled, string groupConsentConstrainedToGroupId) projectedGroupConsentSettings = this.GetProjectedGroupConsentSettings(
tenantConsentSettingCollection,
authorizationPolicy,
eventListener);

IEnumerable<MGTeamsInternalPermissionGrantPolicy> assignedPermissionGrantPoliciesApplicableToGroupScope =
this.GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType(
permissionGrantPolicyCollection,
authorizationPolicy,
MicrosoftGraphRscConfigurationScopeType.Team);

if (string.Equals(projectedGroupConsentSettings.isGroupConsentSettingEnabled, true.ToString(), StringComparison.OrdinalIgnoreCase))
int interestingPermissionGrantPolicyCount = assignedPermissionGrantPoliciesApplicableToGroupScope.Count();

if (interestingPermissionGrantPolicyCount > 1)
{
if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any())
{
this.LogVerbose(
"Projected group consent setting value is enabled and group scoped permission grant policies are enabled. Not a supported scenario.",
eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
}
else if (string.IsNullOrWhiteSpace(projectedGroupConsentSettings.groupConsentConstrainedToGroupId))
this.LogVerbose("Multiple group scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
}
else if (interestingPermissionGrantPolicyCount == 0)
{
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.DisabledForAllApps;
}
else
{
MGTeamsInternalPermissionGrantPolicy interestingPermissionGrantPolicy = assignedPermissionGrantPoliciesApplicableToGroupScope.Single();
if (string.Equals(
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyEnabledForAllAppsForTeams,
StringComparison.OrdinalIgnoreCase))
{
this.LogVerbose("Projected group consent setting value is enabled. No constraints on users able to grant consent.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForAllApps;
}
else
else if (string.Equals(
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyEnabledForPreapprovedAppsForTeams,
StringComparison.OrdinalIgnoreCase))
{
this.LogVerbose($"Projected group consent setting value is enabled. Consent is constrained to users belonging to group '{projectedGroupConsentSettings.groupConsentConstrainedToGroupId}'.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForSelectedGroupOfUsers;
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly;
}
}
else if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any())
{
if (assignedPermissionGrantPoliciesApplicableToGroupScope.Any(pgp => !string.Equals(
pgp.ManagePermissionGrantsForOwnedResourcePrefixedId,
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForTeamRscPreApproval,
StringComparison.OrdinalIgnoreCase)))
else if (string.Equals(
interestingPermissionGrantPolicy.ManagePermissionGrantsForOwnedResourcePrefixedId,
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyManagedByMicrosoftForTeams,
StringComparison.OrdinalIgnoreCase))
{
this.LogVerbose("Unknown group scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.ManagedByMicrosoft;
}
else
{
this.LogVerbose("Authorization policy contains permission grant policy for team RSC preapprovals.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.EnabledForPreApprovedAppsOnly;
this.LogVerbose("Unknown group scoped permission grant policies are enabled. Not a supported scenario.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.Custom;
}
}
else
{
this.LogVerbose("Team RSC is disabled.", eventListener);
microsoftGraphRscConfiguration.State = MicrosoftGraphRscConfigurationState.DisabledForAllApps;
}

return microsoftGraphRscConfiguration;
}
Expand All @@ -233,7 +242,7 @@ internal IEnumerable<MGTeamsInternalPermissionGrantPolicy> GetAssignedPermission
switch (rscConfigurationScopeType)
{
case MicrosoftGraphRscConfigurationScopeType.Team:
identitySpecificScopeType = "group";
identitySpecificScopeType = "team";
break;

case MicrosoftGraphRscConfigurationScopeType.Chat:
Expand Down Expand Up @@ -262,51 +271,6 @@ internal IEnumerable<MGTeamsInternalPermissionGrantPolicy> GetAssignedPermission
return assignedPermissionGrantPoliciesApplicableToGivenScope;
}

/// <summary>
/// Get the projected value of group consent settings. i.e.
/// 1. Whether group consent is enabled. This is derived from group consent and user consent settings.
/// 2. Specific groups that group consent is restricted to.
/// </summary>
/// <param name="tenantConsentSettingCollection">Tenant consent setting collection.</param>
/// <param name="authorizationPolicy">The authorization policy.</param>
/// <param name="eventListener">The event listener.</param>
/// <returns>Projected value of group consent settings.</returns>
private (string isGroupConsentSettingEnabled, string groupConsentConstrainedToGroupId) GetProjectedGroupConsentSettings(
MGTeamsInternalTenantConsentSettingsCollection tenantConsentSettingCollection,
MGTeamsInternalAuthorizationPolicy authorizationPolicy,
IEventListener eventListener)
{
MGTeamsInternalTenantConsentSettings groupConsentSettings = tenantConsentSettingCollection.Value?.FirstOrDefault(
v => string.Equals(v.TemplateId, RscConfigurationSynthesizer.GroupConsentSettingsTemplateId, StringComparison.OrdinalIgnoreCase));

if (groupConsentSettings == null)
{
this.LogVerbose("Group Consent settings were not found.", eventListener);

if (authorizationPolicy
?.DefaultUserRolePermissions
?.PermissionGrantPoliciesAssigned
?.Contains(
RscConfigurationSynthesizer.MicrosoftCreatedPermissionGrantPolicyForUserConsentLegacy, StringComparer.OrdinalIgnoreCase) == true)
{
this.LogVerbose("Legacy policy for user consent was found in default user role permissions. Projecting group consent to be true.", eventListener);
return (isGroupConsentSettingEnabled: true.ToString(), groupConsentConstrainedToGroupId: null);
}

return (isGroupConsentSettingEnabled: false.ToString(), groupConsentConstrainedToGroupId: null);
}

MGTeamsInternalTenantConsentSettingValue isGroupConsentEnabledSettingValue = groupConsentSettings.Values?.SingleOrDefault(
v => string.Equals(v.Name, RscConfigurationSynthesizer.EnableGroupSpecificConsentKey, StringComparison.OrdinalIgnoreCase));

MGTeamsInternalTenantConsentSettingValue groupConsentConstrainedToGroupId = groupConsentSettings.Values?.SingleOrDefault(
v => string.Equals(v.Name, RscConfigurationSynthesizer.ConstrainGroupSpecificConsentToMembersOfGroupIdKey, StringComparison.OrdinalIgnoreCase));

return
(isGroupConsentSettingEnabled: isGroupConsentEnabledSettingValue?.Value,
groupConsentConstrainedToGroupId: groupConsentConstrainedToGroupId?.Value);
}

/// <summary>
/// Log verbose.
/// </summary>
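Review bot: The new `interestingPermissionGrantPolicyCount == 0` branches in both `ConvertToChatRscConfiguration` and `ConvertToTeamRscConfiguration` set `DisabledForAllApps` without the verbose message the old team path emitted, and the new `EnabledForPreApprovedAppsOnly` and `ManagedByMicrosoft` branches are likewise silent while their sibling branches log; restoring a line such as `this.LogVerbose("Team RSC is disabled.", eventListener);` in each keeps `-Verbose` output usable for an admin checking why a given state was synthesized. The same sequences also enumerate the policy collection twice (`Count()` followed by `Single()`), so if `GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType` returns a deferred LINQ query it runs twice; materializing once with `.ToList()` before counting avoids that. Separately, the Team scope-type string changes from `"group"` to `"team"` in `GetAssignedPermissionGrantPoliciesApplicableToGivenScopeType`; if the filtering outside the hunk keys on that value, a tenant still assigned the retired `...-for-group` pre-approval policy would presumably no longer match and be reported as `DisabledForAllApps` rather than `Custom`, which would misrepresent an active consent policy — worth confirming or handling explicitly. Both `Convert...` methods start outside their hunks.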
