public async Task <ActionResult> ClearAll(bool confirm = false) { try { GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(null); if (confirm) { await graphConditionalAccess.ClearConditonalAccessPolicies(); } return(new HttpStatusCodeResult(204)); } catch (Exception e) { Flash(e.Message); return(RedirectToAction("Index", "Home")); } }
public async Task <ActionResult> DownloadAll(string clientId = null) { SignalRMessage signalR = new SignalRMessage(clientId); try { GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(clientId); IEnumerable <ConditionalAccessPolicy> conditionalAccessPolicies = await graphConditionalAccess.GetConditionalAccessPoliciesAsync(); using (MemoryStream ms = new MemoryStream()) { using (var archive = new ZipArchive(ms, ZipArchiveMode.Create, true)) { foreach (ConditionalAccessPolicy item in conditionalAccessPolicies) { byte[] temp = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(item, Formatting.Indented).ToString()); string displayName = item.displayName; char[] illegal = Path.GetInvalidFileNameChars(); foreach (char illegalChar in illegal) { displayName = displayName.Replace(illegalChar, '-'); } var zipArchiveEntry = archive.CreateEntry(displayName + "_" + item.id.Substring(0, 8) + ".json", CompressionLevel.Fastest); using (var zipStream = zipArchiveEntry.Open()) zipStream.Write(temp, 0, temp.Length); } } string domainName = await GraphHelper.GetDefaultDomain(clientId); return(File(ms.ToArray(), "application/zip", "ConditionalAccessConfig_" + domainName + ".zip")); } } catch (Exception e) { signalR.sendMessage("Error " + e); } return(new HttpStatusCodeResult(204)); }
//public async Task<ActionResult> ClearAll(bool confirm = false) //{ // GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(null); // if (confirm) // { // await graphConditionalAccess.ClearConditonalAccessPolicies(); // } // return new HttpStatusCodeResult(204); //} public async Task <ActionResult> CreateDocumentation(string clientId = null) { IEnumerable <ConditionalAccessPolicy> conditionalAccessPolicies = null; SignalRMessage signalR = new SignalRMessage(clientId); try { GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(clientId); conditionalAccessPolicies = await graphConditionalAccess.GetConditionalAccessPoliciesAsync(); DataTable dataTable = new DataTable(); dataTable.BeginInit(); dataTable.Columns.Add("Name"); dataTable.Columns.Add("State"); // Assignments: first include then exclude dataTable.Columns.Add("IncludeUsers"); dataTable.Columns.Add("IncludeGroups"); dataTable.Columns.Add("IncludeRoles"); dataTable.Columns.Add("ExcludeUsers"); dataTable.Columns.Add("ExcludeGroups"); dataTable.Columns.Add("ExcludeRoles"); dataTable.Columns.Add("IncludeApps"); dataTable.Columns.Add("ExcludeApps"); dataTable.Columns.Add("IncludeUserActions"); dataTable.Columns.Add("ClientAppTypes"); dataTable.Columns.Add("IncludePlatforms"); dataTable.Columns.Add("ExcludePlatforms"); dataTable.Columns.Add("IncludeLocations"); dataTable.Columns.Add("ExcludeLocations"); dataTable.Columns.Add("IncludeDeviceStates"); dataTable.Columns.Add("ExcludeDeviceStates"); dataTable.Columns.Add("GrantControls"); dataTable.Columns.Add("GrantControlsOperator"); dataTable.Columns.Add("ApplicationEnforcedRestrictions"); dataTable.Columns.Add("CloudAppSecurity"); dataTable.Columns.Add("PersistentBrowser"); dataTable.Columns.Add("SignInFrequency"); // Init cache for AAD Object ID's in CA policies AzureADIDCache azureADIDCache = new AzureADIDCache(clientId); foreach (ConditionalAccessPolicy conditionalAccessPolicy in conditionalAccessPolicies) { try { // Init a new row DataRow row = dataTable.NewRow(); row["Name"] = conditionalAccessPolicy.displayName; row["State"] = conditionalAccessPolicy.state; row["IncludeUsers"] = $"\"{String.Join("\n", await azureADIDCache.getUserDisplayNamesAsync(conditionalAccessPolicy.conditions.users.includeUsers))}\""; row["ExcludeUsers"] = $"\"{String.Join("\n", await azureADIDCache.getUserDisplayNamesAsync(conditionalAccessPolicy.conditions.users.excludeUsers))}\""; row["IncludeGroups"] = $"\"{String.Join("\n", await azureADIDCache.getGroupDisplayNamesAsync(conditionalAccessPolicy.conditions.users.includeGroups))}\""; row["ExcludeGroups"] = $"\"{String.Join("\n", await azureADIDCache.getGroupDisplayNamesAsync(conditionalAccessPolicy.conditions.users.excludeGroups))}\""; row["IncludeRoles"] = $"\"{String.Join("\n", await azureADIDCache.getRoleDisplayNamesAsync(conditionalAccessPolicy.conditions.users.includeRoles))}\""; row["ExcludeRoles"] = $"\"{String.Join("\n", await azureADIDCache.getRoleDisplayNamesAsync(conditionalAccessPolicy.conditions.users.excludeRoles))}\""; row["IncludeApps"] = $"\"{String.Join("\n", await azureADIDCache.getApplicationDisplayNamesAsync(conditionalAccessPolicy.conditions.applications.includeApplications))}\""; row["ExcludeApps"] = $"\"{String.Join("\n", await azureADIDCache.getApplicationDisplayNamesAsync(conditionalAccessPolicy.conditions.applications.excludeApplications))}\""; row["IncludeUserActions"] = $"\"{String.Join("\n", await azureADIDCache.getApplicationDisplayNamesAsync(conditionalAccessPolicy.conditions.applications.includeUserActions))}\""; if (conditionalAccessPolicy.conditions.platforms != null && conditionalAccessPolicy.conditions.platforms.includePlatforms != null) { row["IncludePlatforms"] = $"\"{String.Join("\n", conditionalAccessPolicy.conditions.platforms.includePlatforms)}\""; } if (conditionalAccessPolicy.conditions.platforms != null && conditionalAccessPolicy.conditions.platforms.excludePlatforms != null) { row["ExcludePlatforms"] = $"\"{String.Join("\n", conditionalAccessPolicy.conditions.platforms.excludePlatforms)}\""; } if (conditionalAccessPolicy.conditions.locations != null && conditionalAccessPolicy.conditions.locations.includeLocations != null) { row["IncludeLocations"] = $"\"{String.Join("\n", await azureADIDCache.getNamedLocationDisplayNamesAsync(conditionalAccessPolicy.conditions.locations.includeLocations))}\""; } if (conditionalAccessPolicy.conditions.locations != null && conditionalAccessPolicy.conditions.locations.excludeLocations != null) { row["ExcludeLocations"] = $"\"{String.Join("\n", await azureADIDCache.getNamedLocationDisplayNamesAsync(conditionalAccessPolicy.conditions.locations.excludeLocations))}\""; } row["ClientAppTypes"] = $"\"{String.Join("\n", conditionalAccessPolicy.conditions.clientAppTypes)}\""; if (conditionalAccessPolicy.conditions.devices != null && conditionalAccessPolicy.conditions.devices.includeDeviceStates != null) { row["IncludeDeviceStates"] = $"\"{String.Join("\n", conditionalAccessPolicy.conditions.devices.includeDeviceStates)}\""; } if (conditionalAccessPolicy.conditions.devices != null && conditionalAccessPolicy.conditions.devices.excludeDeviceStates != null) { row["IncludeDeviceStates"] = $"\"{String.Join("\n", conditionalAccessPolicy.conditions.devices.excludeDeviceStates)}\""; } if (conditionalAccessPolicy.grantControls != null && conditionalAccessPolicy.grantControls.builtInControls != null) { row["GrantControls"] = $"\"{String.Join("\n", conditionalAccessPolicy.grantControls.builtInControls)}\""; row["GrantControlsOperator"] = $"\"{String.Join("\n", conditionalAccessPolicy.grantControls.op)}\""; } if (conditionalAccessPolicy.sessionControls != null && conditionalAccessPolicy.sessionControls.applicationEnforcedRestrictions != null) { row["ApplicationEnforcedRestrictions"] = $"\"{String.Join("\n", conditionalAccessPolicy.sessionControls.applicationEnforcedRestrictions.isEnabled)}\""; } if (conditionalAccessPolicy.sessionControls != null && conditionalAccessPolicy.sessionControls.cloudAppSecurity != null) { row["CloudAppSecurity"] = $"\"{String.Join("\n", conditionalAccessPolicy.sessionControls.cloudAppSecurity)}\""; } if (conditionalAccessPolicy.sessionControls != null && conditionalAccessPolicy.sessionControls.persistentBrowser != null) { row["PersistentBrowser"] = conditionalAccessPolicy.sessionControls.persistentBrowser.mode; } if (conditionalAccessPolicy.sessionControls != null && conditionalAccessPolicy.sessionControls.signInFrequency != null) { row["SignInFrequency"] = conditionalAccessPolicy.sessionControls.signInFrequency.value + " " + conditionalAccessPolicy.sessionControls.signInFrequency.type; } // Add new row to table dataTable.Rows.Add(row); } catch (Exception e) { signalR.sendMessage("Error: " + e); } } // Convert datatable to CSV string output StringBuilder sb = new StringBuilder(); IEnumerable <string> columnNames = dataTable.Columns.Cast <DataColumn>().Select(column => column.ColumnName); sb.AppendLine(string.Join(",", columnNames)); foreach (DataRow row in dataTable.Rows) { IEnumerable <string> fields = row.ItemArray.Select(field => field.ToString()); sb.AppendLine(string.Join(",", fields)); } string domainName = await GraphHelper.GetDefaultDomain(clientId); if (!string.IsNullOrEmpty(clientId)) { signalR.sendMessage("Success: Report generated"); } return(File(Encoding.ASCII.GetBytes(sb.ToString()), "text/csvt", "ConditionalAccessReport_" + domainName + ".csv")); } catch (Exception e) { signalR.sendMessage($"Error {e.Message}"); } return(new HttpStatusCodeResult(204)); }
public async Task <ActionResult> Upload(HttpPostedFileBase[] files, OverwriteBehaviour overwriteBehaviour, string clientId) { SignalRMessage signalRMessage = new SignalRMessage(clientId); try { GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(clientId); IEnumerable <ConditionalAccessPolicy> conditionalAccessPolicies = await graphConditionalAccess.GetConditionalAccessPoliciesAsync(); List <string> uploadedConditionalAccessPolicies = new List <string>(); if (files.Length > 0 && files[0].FileName.Contains(".json")) { foreach (HttpPostedFileBase file in files) { BinaryReader binaryReader = new BinaryReader(file.InputStream); byte[] binData = binaryReader.ReadBytes(file.ContentLength); uploadedConditionalAccessPolicies.Add(Encoding.UTF8.GetString(binData)); } } else if (files.Length > 0 && files[0].FileName.Contains(".zip")) { try { MemoryStream target = new MemoryStream(); files[0].InputStream.CopyTo(target); byte[] data = target.ToArray(); using (var zippedStream = new MemoryStream(data)) { using (var archive = new ZipArchive(zippedStream)) { foreach (var entry in archive.Entries) { try { if (entry != null) { using (var unzippedEntryStream = entry.Open()) { using (var ms = new MemoryStream()) { unzippedEntryStream.CopyTo(ms); var unzippedArray = ms.ToArray(); uploadedConditionalAccessPolicies.Add(Encoding.UTF8.GetString(unzippedArray)); } } } } catch (Exception e) { signalRMessage.sendMessage("Error: " + e.Message); } } } } } catch (Exception e) { signalRMessage.sendMessage("Error: " + e.Message); } } foreach (string uploadedPolicy in uploadedConditionalAccessPolicies) { ConditionalAccessPolicy conditionalAccessPolicy = JsonConvert.DeserializeObject <ConditionalAccessPolicy>(uploadedPolicy); switch (overwriteBehaviour) { case OverwriteBehaviour.DISCARD: // Check for any policy with same name or id if (conditionalAccessPolicies.All(p => !p.id.Contains(conditionalAccessPolicy.id) && conditionalAccessPolicies.All(policy => !policy.displayName.Equals(conditionalAccessPolicy.displayName)))) { var response = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); } else { if (conditionalAccessPolicies.Any(p => p.id.Contains(conditionalAccessPolicy.id))) { signalRMessage.sendMessage($"Discarding Policy '{conditionalAccessPolicy.displayName}' ({conditionalAccessPolicy.id}) already exists!"); } else { signalRMessage.sendMessage($"Discarding Policy '{conditionalAccessPolicy.displayName}' - policy with this name already exists!"); } } break; case OverwriteBehaviour.IMPORT_AS_DUPLICATE: await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); break; case OverwriteBehaviour.OVERWRITE_BY_ID: // match by object ID if (conditionalAccessPolicies.Any(policy => policy.id.Equals(conditionalAccessPolicy.id))) { await graphConditionalAccess.PatchConditionalAccessPolicyAsync(conditionalAccessPolicy); } // Create a new policy else { var result = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); } break; case OverwriteBehaviour.OVERWRITE_BY_NAME: if (conditionalAccessPolicies.Any(policy => policy.displayName.Equals(conditionalAccessPolicy.displayName))) { string replaceObjectId = conditionalAccessPolicies.Where(policy => policy.displayName.Equals(conditionalAccessPolicy.displayName)).Select(policy => policy.id).First(); conditionalAccessPolicy.id = replaceObjectId; await graphConditionalAccess.PatchConditionalAccessPolicyAsync(conditionalAccessPolicy); } else { var result = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); } break; } } } catch (Exception e) { signalRMessage.sendMessage("Error: " + e.Message); } signalRMessage.sendMessage("Done#!"); return(new HttpStatusCodeResult(204)); }
public async Task <ActionResult> DeployBaseline(string displayName, string selectedBaseline, string policyPrefix, string allowLegacyAuth, string clientId = null) { SignalRMessage signalR = new SignalRMessage(clientId); GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(clientId); signalR.sendMessage("Selected baseline: " + selectedBaseline); try { // Create exclusion group (if the group already exists we retrieve the ID) Microsoft.Graph.Group createdGroup = await GraphHelper.CreateGroup(displayName, clientId); List <string> groupsCreated = new List <string> { createdGroup.Id }; // Load CA policies for policy set string[] filePaths = Directory.GetFiles(Server.MapPath(TEMPLATE_CA_POLICY_FOLDER_PATH + selectedBaseline), "*.json"); if (filePaths.Length == 0) { signalR.sendMessage($"Warning no Conditional Access Policies found within selected set ({selectedBaseline})!"); } // Modify exclusions & Display Name List <ConditionalAccessPolicy> conditionalAccessPolicies = new List <ConditionalAccessPolicy>(); foreach (string filePath in filePaths) { try { if (System.IO.File.Exists(filePath)) { using (var streamReader = new StreamReader(filePath, Encoding.UTF8)) { string textCaPolicy = streamReader.ReadToEnd(); // Modify properties on template ConditionalAccessPolicy conditionalAccessPolicy = JsonConvert.DeserializeObject <ConditionalAccessPolicy>(textCaPolicy); conditionalAccessPolicy.conditions.users.excludeGroups = groupsCreated.ToArray(); string placeholder = "<RING> -"; int startDisplayName = conditionalAccessPolicy.displayName.IndexOf(placeholder) + placeholder.Length; conditionalAccessPolicy.displayName = conditionalAccessPolicy.displayName.Substring(startDisplayName, conditionalAccessPolicy.displayName.Length - startDisplayName); conditionalAccessPolicy.displayName = conditionalAccessPolicy.displayName.Insert(0, policyPrefix).Replace("<PREFIX> -", "").Trim(); // Check for legacy auth exclusion group if (conditionalAccessPolicy.conditions.clientAppTypes.Contains("other") && conditionalAccessPolicy.grantControls.builtInControls.Contains("block")) { // Wee need to initialize a new list to avoid modifications to the existing! List <String> newGroupsCreated = new List <String>(groupsCreated); Microsoft.Graph.Group allowLegacyAuthGroup = await GraphHelper.CreateGroup(allowLegacyAuth, clientId); newGroupsCreated.Add(allowLegacyAuthGroup.Id); conditionalAccessPolicy.conditions.users.excludeGroups = newGroupsCreated.ToArray(); } // Create the policy await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy); } } } catch (Exception e) { signalR.sendMessage("Error: " + e.Message); } } } catch (Exception e) { signalR.sendMessage("Error: " + e.Message); } signalR.sendMessage("Done#!"); return(new HttpStatusCodeResult(204)); }