sync: Auto-sync from ACG-M-L5090 at 2026-03-10 19:11:00
Synced files: - Quote wizard frontend (all components, hooks, types, config) - API updates (config, models, routers, schemas, services) - Client work (bg-builders, gurushow) - Scripts (BGB Lesley termination, CIPP, Datto, migration) - Temp files (Bardach contacts, VWP investigation, misc) - Credentials and session logs - Email service, PHP API, session logs Machine: ACG-M-L5090 Timestamp: 2026-03-10 19:11:00 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
93
scripts/claude-msp-update-permissions.ps1
Normal file
93
scripts/claude-msp-update-permissions.ps1
Normal file
@@ -0,0 +1,93 @@
|
||||
# Claude-MSP-Access - Update App Registration with Combined CIPP + Investigation Permissions
|
||||
# App ID: fabb3421-8b34-484b-bc17-e46de9703418
|
||||
# Partner Tenant: ce61461e-81a0-4c84-bb4a-7b354a9a356d
|
||||
#
|
||||
# This script updates the app registration to include:
|
||||
# - All CIPP SAM required permissions (Graph, Exchange, SharePoint, Intune, PowerBI, Partner Center)
|
||||
# - Claude investigation extras (Mail.ReadWrite, SecurityEvents.ReadWrite.All, etc.)
|
||||
#
|
||||
# After running this, the admin consent URL will grant everything in one click.
|
||||
|
||||
$ErrorActionPreference = "Stop"
|
||||
$tenantId = "ce61461e-81a0-4c84-bb4a-7b354a9a356d"
|
||||
$appId = "fabb3421-8b34-484b-bc17-e46de9703418"
|
||||
|
||||
Write-Output "========================================="
|
||||
Write-Output " Claude-MSP-Access - Permission Update"
|
||||
Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
|
||||
Write-Output "========================================="
|
||||
|
||||
# --- STEP 1: Connect to Graph ---
|
||||
Write-Output "`n[STEP 1] Connecting to Microsoft Graph..."
|
||||
Import-Module Microsoft.Graph.Authentication
|
||||
Import-Module Microsoft.Graph.Applications
|
||||
Connect-MgGraph -TenantId $tenantId -Scopes 'Application.ReadWrite.All' -NoWelcome
|
||||
Write-Output "[OK] Connected to Graph"
|
||||
|
||||
# --- STEP 2: Get current app registration ---
|
||||
Write-Output "`n[STEP 2] Reading current app registration..."
|
||||
$app = Get-MgApplication -Filter "appId eq '$appId'"
|
||||
if (-not $app) {
|
||||
Write-Output "[ERROR] App not found: $appId"
|
||||
exit 1
|
||||
}
|
||||
Write-Output "[OK] Found: $($app.DisplayName) (Object ID: $($app.Id))"
|
||||
$currentPerms = ($app.RequiredResourceAccess | ForEach-Object { $_.ResourceAccess }).Count
|
||||
Write-Output "[INFO] Current permission count: $currentPerms"
|
||||
|
||||
# --- STEP 3: Load combined manifest ---
|
||||
Write-Output "`n[STEP 3] Loading combined permission manifest..."
|
||||
$manifestPath = Join-Path $PSScriptRoot "claude-msp-combined-manifest.json"
|
||||
$manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
|
||||
|
||||
# Build the requiredResourceAccess array
|
||||
$resourceAccess = @()
|
||||
foreach ($resource in $manifest.requiredResourceAccess) {
|
||||
$accessList = @()
|
||||
foreach ($access in $resource.resourceAccess) {
|
||||
$accessList += @{
|
||||
Id = $access.id
|
||||
Type = $access.type
|
||||
}
|
||||
}
|
||||
$resourceAccess += @{
|
||||
ResourceAppId = $resource.resourceAppId
|
||||
ResourceAccess = $accessList
|
||||
}
|
||||
}
|
||||
|
||||
$newPerms = ($manifest.requiredResourceAccess | ForEach-Object { $_.resourceAccess }).Count
|
||||
Write-Output "[INFO] New permission count: $newPerms"
|
||||
|
||||
# --- STEP 4: Update app registration ---
|
||||
Write-Output "`n[STEP 4] Updating app registration..."
|
||||
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $resourceAccess
|
||||
Write-Output "[OK] App registration updated with combined permissions"
|
||||
|
||||
# --- STEP 5: Verify ---
|
||||
Write-Output "`n[STEP 5] Verifying update..."
|
||||
$updated = Get-MgApplication -ApplicationId $app.Id
|
||||
$updatedPerms = ($updated.RequiredResourceAccess | ForEach-Object { $_.ResourceAccess }).Count
|
||||
Write-Output "[OK] Verified: $updatedPerms permissions across $($updated.RequiredResourceAccess.Count) resource APIs"
|
||||
|
||||
# --- STEP 6: Show admin consent URL ---
|
||||
Write-Output "`n[STEP 6] Admin consent URL (use this to onboard tenants):"
|
||||
Write-Output ""
|
||||
Write-Output " https://login.microsoftonline.com/common/adminconsent?client_id=$appId&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient"
|
||||
Write-Output ""
|
||||
Write-Output "[INFO] This single URL now grants ALL permissions:"
|
||||
Write-Output " - Microsoft Graph (application + delegated)"
|
||||
Write-Output " - Exchange Online (ManageAsApp + Calendars + Mailbox)"
|
||||
Write-Output " - SharePoint Online (FullControl)"
|
||||
Write-Output " - Intune (user_impersonation)"
|
||||
Write-Output " - PowerBI (Vulnerability.Read)"
|
||||
Write-Output " - Partner Center (user_impersonation)"
|
||||
Write-Output " - Office Management API (ActivityFeed.Read)"
|
||||
Write-Output " - Claude investigation extras (Mail.ReadWrite, SecurityEvents.ReadWrite.All)"
|
||||
|
||||
Write-Output "`n========================================="
|
||||
Write-Output " UPDATE COMPLETE"
|
||||
Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
|
||||
Write-Output "========================================="
|
||||
|
||||
Disconnect-MgGraph
|
||||
Reference in New Issue
Block a user