|
| 1 | +using namespace System.Net |
| 2 | + |
| 3 | +Function Invoke-ExecModifyMBPerms { |
| 4 | + <# |
| 5 | + .FUNCTIONALITY |
| 6 | + Entrypoint |
| 7 | + .ROLE |
| 8 | + Exchange.Mailbox.ReadWrite |
| 9 | + #> |
| 10 | + [CmdletBinding()] |
| 11 | + param($Request, $TriggerMetadata) |
| 12 | + |
| 13 | + $APIName = $Request.Params.CIPPEndpoint |
| 14 | + Write-LogMessage -headers $Request.Headers -API $APINAME-message 'Accessed this API' -Sev 'Debug' |
| 15 | + |
| 16 | + $Username = $request.body.userID |
| 17 | + $Tenantfilter = $request.body.tenantfilter |
| 18 | + $Permissions = $request.body.permissions |
| 19 | + |
| 20 | + if ($username -eq $null) { exit } |
| 21 | + |
| 22 | + $userid = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($username)" -tenantid $Tenantfilter).id |
| 23 | + $Results = [System.Collections.ArrayList]::new() |
| 24 | + |
| 25 | + # Convert permissions to array format if it's an object with numeric keys |
| 26 | + if ($Permissions -is [PSCustomObject]) { |
| 27 | + if ($Permissions.PSObject.Properties.Name -match '^\d+$') { |
| 28 | + $Permissions = $Permissions.PSObject.Properties.Value |
| 29 | + } |
| 30 | + else { |
| 31 | + $Permissions = @($Permissions) |
| 32 | + } |
| 33 | + } |
| 34 | + |
| 35 | + foreach ($Permission in $Permissions) { |
| 36 | + $PermissionLevel = $Permission.PermissionLevel |
| 37 | + $Modification = $Permission.Modification |
| 38 | + $AutoMap = if ($Permission.PSObject.Properties.Name -contains 'AutoMap') { $Permission.AutoMap } else { $true } |
| 39 | + |
| 40 | + # Handle UserID as array of objects or single value |
| 41 | + $TargetUsers = if ($Permission.UserID -is [array]) { |
| 42 | + $Permission.UserID | ForEach-Object { $_.value } |
| 43 | + } |
| 44 | + else { |
| 45 | + @($Permission.UserID) |
| 46 | + } |
| 47 | + |
| 48 | + foreach ($TargetUser in $TargetUsers) { |
| 49 | + try { |
| 50 | + switch ($PermissionLevel) { |
| 51 | + 'FullAccess' { |
| 52 | + if ($Modification -eq 'Remove') { |
| 53 | + $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Remove-mailboxpermission' -cmdParams @{ |
| 54 | + Identity = $userid |
| 55 | + user = $TargetUser |
| 56 | + accessRights = @('FullAccess') |
| 57 | + Confirm = $false |
| 58 | + } |
| 59 | + $null = $results.Add("Removed $($TargetUser) from $($username) Shared Mailbox permissions") |
| 60 | + } |
| 61 | + else { |
| 62 | + $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Add-MailboxPermission' -cmdParams @{ |
| 63 | + Identity = $userid |
| 64 | + user = $TargetUser |
| 65 | + accessRights = @('FullAccess') |
| 66 | + automapping = $AutoMap |
| 67 | + Confirm = $false |
| 68 | + } |
| 69 | + $null = $results.Add("Granted $($TargetUser) access to $($username) Mailbox with automapping set to $($AutoMap)") |
| 70 | + } |
| 71 | + } |
| 72 | + 'SendAs' { |
| 73 | + if ($Modification -eq 'Remove') { |
| 74 | + $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Remove-RecipientPermission' -cmdParams @{ |
| 75 | + Identity = $userid |
| 76 | + Trustee = $TargetUser |
| 77 | + accessRights = @('SendAs') |
| 78 | + Confirm = $false |
| 79 | + } |
| 80 | + $null = $results.Add("Removed $($TargetUser) from $($username) with Send As permissions") |
| 81 | + } |
| 82 | + else { |
| 83 | + $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Add-RecipientPermission' -cmdParams @{ |
| 84 | + Identity = $userid |
| 85 | + Trustee = $TargetUser |
| 86 | + accessRights = @('SendAs') |
| 87 | + Confirm = $false |
| 88 | + } |
| 89 | + $null = $results.Add("Granted $($TargetUser) access to $($username) with Send As permissions") |
| 90 | + } |
| 91 | + } |
| 92 | + 'SendOnBehalf' { |
| 93 | + if ($Modification -eq 'Remove') { |
| 94 | + $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Set-Mailbox' -cmdParams @{ |
| 95 | + Identity = $userid |
| 96 | + GrantSendonBehalfTo = @{ |
| 97 | + '@odata.type' = '#Exchange.GenericHashTable' |
| 98 | + remove = $TargetUser |
| 99 | + } |
| 100 | + Confirm = $false |
| 101 | + } |
| 102 | + $null = $results.Add("Removed $($TargetUser) from $($username) Send on Behalf Permissions") |
| 103 | + } |
| 104 | + else { |
| 105 | + $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Set-Mailbox' -cmdParams @{ |
| 106 | + Identity = $userid |
| 107 | + GrantSendonBehalfTo = @{ |
| 108 | + '@odata.type' = '#Exchange.GenericHashTable' |
| 109 | + add = $TargetUser |
| 110 | + } |
| 111 | + Confirm = $false |
| 112 | + } |
| 113 | + $null = $results.Add("Granted $($TargetUser) access to $($username) with Send On Behalf Permissions") |
| 114 | + } |
| 115 | + } |
| 116 | + } |
| 117 | + Write-LogMessage -headers $Request.Headers -API $APINAME-message "Executed $($PermissionLevel) permission modification for $($TargetUser) on $($username)" -Sev 'Info' -tenant $TenantFilter |
| 118 | + } |
| 119 | + catch { |
| 120 | + Write-LogMessage -headers $Request.Headers -API $APINAME-message "Could not execute $($PermissionLevel) permission modification for $($TargetUser) on $($username)" -Sev 'Error' -tenant $TenantFilter |
| 121 | + $null = $results.Add("Could not execute $($PermissionLevel) permission modification for $($TargetUser) on $($username). Error: $($_.Exception.Message)") |
| 122 | + } |
| 123 | + } |
| 124 | + } |
| 125 | + |
| 126 | + $body = [pscustomobject]@{'Results' = @($results) } |
| 127 | + |
| 128 | + # Associate values to output bindings by calling 'Push-OutputBinding'. |
| 129 | + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ |
| 130 | + StatusCode = [HttpStatusCode]::OK |
| 131 | + Body = $Body |
| 132 | + }) |
| 133 | +} |
0 commit comments