claudetools/scripts/cipp-add-claude-app-template.ps1
Mike Swanson fa15b03180 sync: Auto-sync from ACG-M-L5090 at 2026-03-10 19:11:00
Synced files:
- Quote wizard frontend (all components, hooks, types, config)
- API updates (config, models, routers, schemas, services)
- Client work (bg-builders, gurushow)
- Scripts (BGB Lesley termination, CIPP, Datto, migration)
- Temp files (Bardach contacts, VWP investigation, misc)
- Credentials and session logs
- Email service, PHP API, session logs

Machine: ACG-M-L5090
Timestamp: 2026-03-10 19:11:00

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 19:59:08 -07:00


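# CIPP - Add Claude-MSP-Access as Auto-Consent App Template
# This adds Claude's app to CIPP so it gets automatically consented
# when you add new tenants via CIPP.
#
# Uses the CIPP API (ClaudeCipp2 credentials)
#
# Required environment:
#   CIPP_CLIENT_SECRET  Client secret of the CIPP API app registration.
#                       It is read from the environment so it is never
#                       committed to the repo. NOTE(review): a secret that was
#                       previously hard-coded in this file is exposed in git
#                       history and should be rotated in Entra ID.
#
# Outputs: progress lines on stdout. Neither the client secret nor the
# bearer token is ever written to the output.
$ErrorActionPreference = "Stop"

$cippUrl = "https://cippcanvb.azurewebsites.net"
$cippTenantId = "ce61461e-81a0-4c84-bb4a-7b354a9a356d"
$cippClientId = "420cb849-542d-4374-9cb2-3d8ae0e1835b"
$cippScope = "api://420cb849-542d-4374-9cb2-3d8ae0e1835b/.default"
$claudeAppId = "fabb3421-8b34-484b-bc17-e46de9703418"

# Secret comes from the environment only; fail fast with a clear message
# instead of sending an empty credential to the token endpoint.
$cippClientSecret = $env:CIPP_CLIENT_SECRET
if ([string]::IsNullOrWhiteSpace($cippClientSecret)) {
    throw "CIPP_CLIENT_SECRET is not set. Export the CIPP API app's client secret before running this script."
}

Write-Output "========================================="
Write-Output " CIPP - Add Claude-MSP-Access Template"
Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Output "========================================="

# --- STEP 1: Get CIPP API token ---
Write-Output "`n[STEP 1] Getting CIPP API token..."
$tokenBody = @{
    client_id     = $cippClientId
    client_secret = $cippClientSecret
    scope         = $cippScope
    grant_type    = "client_credentials"
}
$tokenResponse = Invoke-RestMethod `
    -Uri "https://login.microsoftonline.com/$cippTenantId/oauth2/v2.0/token" `
    -Method POST `
    -Body $tokenBody
$token = $tokenResponse.access_token
# A 200 with no access_token would otherwise produce "Bearer " and every
# later call would fail with a confusing 401; catch it here instead.
if ([string]::IsNullOrWhiteSpace($token)) {
    throw "Token endpoint returned no access_token for client $cippClientId"
}
Write-Output "[OK] Got CIPP API token"

$headers = @{
    "Authorization" = "Bearer $token"
    "Content-Type"  = "application/json"
}

# --- STEP 2: Check existing app approval templates ---
Write-Output "`n[STEP 2] Checking existing app approval templates..."
try {
    $existing = Invoke-RestMethod -Uri "$cippUrl/api/ExecAppPermissionTemplate" -Headers $headers -Method GET
    # @() normalises a single object or $null to an array so .Count is reliable.
    $existing = @($existing)
    Write-Output "[INFO] Found $($existing.Count) existing template(s)"
    foreach ($tmpl in $existing) {
        Write-Output " - $($tmpl.displayName) ($($tmpl.appId))"
    }
} catch {
    # Best-effort listing only; failure here does not block adding the template.
    Write-Output "[INFO] No existing templates or endpoint returned error: $($_.Exception.Message)"
}

# --- STEP 3: Add Claude-MSP-Access as app template ---
Write-Output "`n[STEP 3] Adding Claude-MSP-Access app template..."

# Application permissions Claude needs consented in each customer tenant.
# NOTE(review): these are tenant-wide application permissions (many
# *.ReadWrite.All plus Sites.FullControl.All) and, as an auto-consent
# template, they are granted to every tenant onboarded through CIPP without
# per-tenant review. Trim this list to what the workload actually uses
# before running, and treat the app's own credentials accordingly.
$appPermissions = @(
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Mail.ReadWrite",
    "MailboxSettings.ReadWrite",
    "AuditLog.Read.All",
    "Application.ReadWrite.All",
    "DelegatedPermissionGrant.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "SecurityEvents.ReadWrite.All",
    "SecurityEvents.Read.All",
    "SecurityIncident.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
    "Organization.ReadWrite.All",
    "Domain.Read.All",
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.ReadWrite.AuthenticationMethod",
    "Policy.ReadWrite.AuthenticationFlows",
    "Policy.ReadWrite.ApplicationConfiguration",
    "Policy.ReadWrite.ConsentRequest",
    "Policy.ReadWrite.CrossTenantAccess",
    "Reports.Read.All",
    "ReportSettings.ReadWrite.All",
    "Device.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementRBAC.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "CrossTenantInformation.ReadBasic.All",
    "Channel.Create",
    "Channel.ReadBasic.All",
    "ChannelMember.ReadWrite.All",
    "Files.ReadWrite.All",
    "Group.Create",
    "InformationProtectionPolicy.Read.All",
    "Place.Read.All",
    "PrivilegedAccess.ReadWrite.AzureADGroup",
    "SharePointTenantSettings.ReadWrite.All",
    "Sites.FullControl.All",
    "TeamMember.ReadWrite.All",
    "TeamMember.ReadWriteNonOwnerRole.All",
    "TeamsTelephoneNumber.ReadWrite.All"
)

$templateBody = @{
    AppId       = $claudeAppId
    displayName = "Claude-MSP-Access (AI Investigation & Remediation)"
    Permissions = $appPermissions
} | ConvertTo-Json -Depth 5

try {
    $result = Invoke-RestMethod -Uri "$cippUrl/api/ExecAppPermissionTemplate" -Headers $headers -Method POST -Body $templateBody
    Write-Output "[OK] Template added: $($result | ConvertTo-Json -Compress)"
} catch {
    # ErrorDetails.Message is the response body when one was returned; fall
    # back to the exception text so a transport-level failure is still visible.
    $errBody = $_.ErrorDetails.Message
    if ([string]::IsNullOrWhiteSpace($errBody)) {
        $errBody = $_.Exception.Message
    }
    Write-Output "[WARNING] API response: $errBody"
    Write-Output "[INFO] If the endpoint doesn't support POST, you can add the template manually:"
    Write-Output " CIPP > Settings > Application Approval > Add Application"
    Write-Output " App ID: $claudeAppId"
    Write-Output " Name: Claude-MSP-Access (AI Investigation & Remediation)"
    Write-Output ""
    Write-Output "Or use the CIPP UI to navigate to:"
    Write-Output " Tenant Administration > Application Approval"
    Write-Output " Click 'Add App' and enter the App ID above"
}

# --- STEP 4: Summary ---
Write-Output "`n========================================="
Write-Output " TEMPLATE SETUP SUMMARY"
Write-Output "========================================="
Write-Output ""
Write-Output "App ID: $claudeAppId"
Write-Output "Name: Claude-MSP-Access (AI Investigation & Remediation)"
Write-Output "Perms: $($appPermissions.Count) application permissions"
Write-Output ""
Write-Output "What happens now:"
Write-Output " 1. When you add a new tenant in CIPP, Claude's app gets auto-consented"
Write-Output " 2. For existing tenants, run CPV Refresh in CIPP to push the permissions"
Write-Output " 3. The admin consent URL also works as a manual fallback:"
Write-Output ""
Write-Output " https://login.microsoftonline.com/common/adminconsent?client_id=$claudeAppId&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient"
Write-Output ""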