/// <summary>
/// Update the navigation property conditionalAccessPolicies in policies
/// <param name="body"></param>
/// <param name="requestConfiguration">Configuration for the request such as headers, query parameters, and middleware options.</param>
/// </summary>
public RequestInformation CreatePatchRequestInformation(ConditionalAccessPolicy body, Action <ConditionalAccessPolicyItemRequestBuilderPatchRequestConfiguration> requestConfiguration = default)
{
_ = body ?? throw new ArgumentNullException(nameof(body));
var requestInfo = new RequestInformation {
HttpMethod = Method.PATCH,
UrlTemplate = UrlTemplate,
PathParameters = PathParameters,
};
requestInfo.SetContentFromParsable(RequestAdapter, "application/json", body);
if (requestConfiguration != null)
{
var requestConfig = new ConditionalAccessPolicyItemRequestBuilderPatchRequestConfiguration();
requestConfiguration.Invoke(requestConfig);
requestInfo.AddRequestOptions(requestConfig.Options);
requestInfo.AddHeaders(requestConfig.Headers);
}
return(requestInfo);
}
public async Task <ActionResult> DeployBaseline(string displayName, string selectedBaseline, string policyPrefix, string allowLegacyAuth, string clientId = null)
{
SignalRMessage signalR = new SignalRMessage
{
clientId = clientId
};
signalR.sendMessage("Selected baseline: " + selectedBaseline);
try
{
// Create exclusion group (if the group already exists we retrieve the ID)
Microsoft.Graph.Group createdGroup = await GraphHelper.CreateGroup(displayName, clientId);
List <string> groupsCreated = new List <string>
{
createdGroup.Id
};
// Load CA policies for policy set
string[] filePaths = Directory.GetFiles(Server.MapPath(TEMPLATE_CA_POLICY_FOLDER_PATH + selectedBaseline), "*.json");
if (filePaths.Length == 0)
{
signalR.sendMessage($"Warning no Conditional Access Policies found within selected set ({selectedBaseline})!");
}
// Modify exclusions & Display Name
List <ConditionalAccessPolicy> conditionalAccessPolicies = new List <ConditionalAccessPolicy>();
foreach (string filePath in filePaths)
{
try
{
if (System.IO.File.Exists(filePath))
{
using (var streamReader = new StreamReader(filePath, Encoding.UTF8))
{
string textCaPolicy = streamReader.ReadToEnd();
// Modify properties on template
ConditionalAccessPolicy conditionalAccessPolicy = JsonConvert.DeserializeObject <ConditionalAccessPolicy>(textCaPolicy);
conditionalAccessPolicy.conditions.users.excludeGroups = groupsCreated.ToArray();
conditionalAccessPolicy.displayName = conditionalAccessPolicy.displayName.Insert(0, policyPrefix).Replace("<PREFIX> -", "").Trim();
// Check for legacy auth exclusion group
if (conditionalAccessPolicy.conditions.clientAppTypes.Contains("other") && conditionalAccessPolicy.grantControls.builtInControls.Contains("block"))
{
// Wee need to initialize a new list to avoid modifications to the existing!
List <String> newGroupsCreated = new List <String>(groupsCreated);
Microsoft.Graph.Group allowLegacyAuthGroup = await GraphHelper.CreateGroup(allowLegacyAuth, clientId);
newGroupsCreated.Add(allowLegacyAuthGroup.Id);
conditionalAccessPolicy.conditions.users.excludeGroups = newGroupsCreated.ToArray();
}
// Create the policy
await GraphHelper.ImportCaConfig(JsonConvert.SerializeObject(conditionalAccessPolicy), clientId);
}
}
}
catch (Exception e)
{
signalR.sendMessage("Error: " + e.Message);
}
}
}
catch (Exception e)
{
signalR.sendMessage("Error: " + e.Message);
}
signalR.sendMessage("Done#!");
return(new HttpStatusCodeResult(204));
}
public async Task <ActionResult> Upload(HttpPostedFileBase[] files, OverwriteBehaviour overwriteBehaviour, string clientId)
{
SignalRMessage signalRMessage = new SignalRMessage(clientId);
try
{
GraphConditionalAccess graphConditionalAccess = new GraphConditionalAccess(clientId);
IEnumerable <ConditionalAccessPolicy> conditionalAccessPolicies = await graphConditionalAccess.GetConditionalAccessPoliciesAsync();
List <string> uploadedConditionalAccessPolicies = new List <string>();
if (files.Length > 0 && files[0].FileName.Contains(".json"))
{
foreach (HttpPostedFileBase file in files)
{
BinaryReader binaryReader = new BinaryReader(file.InputStream);
byte[] binData = binaryReader.ReadBytes(file.ContentLength);
uploadedConditionalAccessPolicies.Add(Encoding.UTF8.GetString(binData));
}
}
else if (files.Length > 0 && files[0].FileName.Contains(".zip"))
{
try
{
MemoryStream target = new MemoryStream();
files[0].InputStream.CopyTo(target);
byte[] data = target.ToArray();
using (var zippedStream = new MemoryStream(data))
{
using (var archive = new ZipArchive(zippedStream))
{
foreach (var entry in archive.Entries)
{
try
{
if (entry != null)
{
using (var unzippedEntryStream = entry.Open())
{
using (var ms = new MemoryStream())
{
unzippedEntryStream.CopyTo(ms);
var unzippedArray = ms.ToArray();
uploadedConditionalAccessPolicies.Add(Encoding.UTF8.GetString(unzippedArray));
}
}
}
}
catch (Exception e)
{
signalRMessage.sendMessage("Error: " + e.Message);
}
}
}
}
}
catch (Exception e)
{
signalRMessage.sendMessage("Error: " + e.Message);
}
}
foreach (string uploadedPolicy in uploadedConditionalAccessPolicies)
{
ConditionalAccessPolicy conditionalAccessPolicy = JsonConvert.DeserializeObject <ConditionalAccessPolicy>(uploadedPolicy);
switch (overwriteBehaviour)
{
case OverwriteBehaviour.DISCARD:
// Check for any policy with same name or id
if (conditionalAccessPolicies.All(p => !p.id.Contains(conditionalAccessPolicy.id) && conditionalAccessPolicies.All(policy => !policy.displayName.Equals(conditionalAccessPolicy.displayName))))
{
var response = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy);
}
else
{
if (conditionalAccessPolicies.Any(p => p.id.Contains(conditionalAccessPolicy.id)))
{
signalRMessage.sendMessage($"Discarding Policy '{conditionalAccessPolicy.displayName}' ({conditionalAccessPolicy.id}) already exists!");
}
else
{
signalRMessage.sendMessage($"Discarding Policy '{conditionalAccessPolicy.displayName}' - policy with this name already exists!");
}
}
break;
case OverwriteBehaviour.IMPORT_AS_DUPLICATE:
await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy);
break;
case OverwriteBehaviour.OVERWRITE_BY_ID:
// match by object ID
if (conditionalAccessPolicies.Any(policy => policy.id.Equals(conditionalAccessPolicy.id)))
{
await graphConditionalAccess.PatchConditionalAccessPolicyAsync(conditionalAccessPolicy);
}
// Create a new policy
else
{
var result = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy);
}
break;
case OverwriteBehaviour.OVERWRITE_BY_NAME:
if (conditionalAccessPolicies.Any(policy => policy.displayName.Equals(conditionalAccessPolicy.displayName)))
{
string replaceObjectId = conditionalAccessPolicies.Where(policy => policy.displayName.Equals(conditionalAccessPolicy.displayName)).Select(policy => policy.id).First();
conditionalAccessPolicy.id = replaceObjectId;
await graphConditionalAccess.PatchConditionalAccessPolicyAsync(conditionalAccessPolicy);
}
else
{
var result = await graphConditionalAccess.TryAddConditionalAccessPolicyAsync(conditionalAccessPolicy);
}
break;
}
}
}
catch (Exception e)
{
signalRMessage.sendMessage("Error: " + e.Message);
}
signalRMessage.sendMessage("Done#!");
return(new HttpStatusCodeResult(204));
}
