From 25136a34ad055961055bfae28612dd93f6912bf4 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Thu, 30 Nov 2023 13:27:52 +0100
Subject: [PATCH 01/78] fix casting issue
---
 .../Invoke-ExecAddMultiTenantApp.ps1 | 12 ++++--------
 .../Entrypoints/Push-ExecAddMultiTenantApp.ps1 | 17 +++++++----------
 2 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAddMultiTenantApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAddMultiTenantApp.ps1
index d027158c7be7..cb68a725d7e3 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAddMultiTenantApp.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAddMultiTenantApp.ps1
@@ -16,16 +16,14 @@ function Invoke-ExecAddMultiTenantApp {
 $ExistingApp = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/applications(appId='$($Request.body.AppId)')" -tenantid $ENV:tenantid -NoAuthCheck $true
 $DelegateResourceAccess = $Existingapp.requiredResourceAccess
 $ApplicationResourceAccess = $Existingapp.requiredResourceAccess
- }
- catch {
+ } catch {
 'Failed to get existing permissions. The app does not exist in the partner tenant.'
 }
 }
 #This needs to be moved to a queue.
 if ('allTenants' -in $Request.body.SelectedTenants.defaultDomainName) {
 $TenantFilter = (Get-Tenants).defaultDomainName
- }
- else {
+ } else {
 $TenantFilter = $Request.body.SelectedTenants.defaultDomainName
 }
@@ -39,14 +37,12 @@ function Invoke-ExecAddMultiTenantApp {
 delegateResourceAccess = $DelegateResourceAccess
 })
 "Queued application to tenant $Tenant. See the logbook for deployment details"
- }
- catch {
+ } catch {
 "Error queuing application to tenant $Tenant - $($_.Exception.Message)"
 }
 }
 $StatusCode = [HttpStatusCode]::OK
- }
- catch {
+ } catch {
 $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
 $Results = "Function Error: $ErrorMsg"
 $StatusCode = [HttpStatusCode]::BadRequest
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-ExecAddMultiTenantApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-ExecAddMultiTenantApp.ps1
index b3ccd8a704ee..4c10f456584e 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-ExecAddMultiTenantApp.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-ExecAddMultiTenantApp.ps1
@@ -4,16 +4,13 @@ function Push-ExecAddMultiTenantApp($QueueItem, $TriggerMetadata) {
 $ServicePrincipalList = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$select=AppId,id,displayName&`$top=999" -tenantid $Queueitem.Tenant
 if ($Queueitem.AppId -Notin $ServicePrincipalList.appId) {
 $PostResults = New-GraphPostRequest 'https://graph.microsoft.com/beta/servicePrincipals' -type POST -tenantid $queueitem.tenant -body "{ `"appId`": `"$($Queueitem.appId)`" }"
- Write-LogMessage -message "Added $($Queueitem.AppId) to tenant $($Queueitem.Tenant)" -tenant $Queueitem.Tenant -API "Add Multitenant App" -sev Info
+ Write-LogMessage -message "Added $($Queueitem.AppId) to tenant $($Queueitem.Tenant)" -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Info
+ } else {
+ Write-LogMessage -message "This app already exists in tenant $($Queueitem.Tenant). We're adding the required permissions." -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Info
 }
- else {
- Write-LogMessage -message "This app already exists in tenant $($Queueitem.Tenant). We're adding the required permissions." 
-tenant $Queueitem.Tenant -API "Add Multitenant App" -sev Info
- }
-
- Add-CIPPApplicationPermission -RequiredResourceAccess $queueitem.applicationResourceAccess -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
- Add-CIPPDelegatedPermission -RequiredResourceAccess $queueitem.DelegateResourceAccess -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
- }
- catch {
- Write-LogMessage -message "Error adding application to tenant $($Queueitem.Tenant) - $($_.Exception.Message)" -tenant $Queueitem.Tenant -API "Add Multitenant App" -sev Error
+ Add-CIPPApplicationPermission -RequiredResourceAccess [pscustomobject]$queueitem.applicationResourceAccess -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
+ Add-CIPPDelegatedPermission -RequiredResourceAccess [pscustomobject]$queueitem.DelegateResourceAccess -ApplicationId $queueitem.AppId -Tenantfilter $Queueitem.Tenant
+ } catch {
+ Write-LogMessage -message "Error adding application to tenant $($Queueitem.Tenant) - $($_.Exception.Message)" -tenant $Queueitem.Tenant -API 'Add Multitenant App' -sev Error
 }
 }
\ No newline at end of file
From 9cf6c7566c9f1706ce9b8984fae0316dc1b29b82 Mon Sep 17 00:00:00 2001
From: Jr7468
Date: Fri, 1 Dec 2023 10:59:29 +0000
Subject: [PATCH 02/78] Changed formatting of returned message.
---
 Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1 b/Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1
index 8365e4b64a90..925faa8f6c49 100644
--- a/Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1
+++ b/Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1
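Review bot: The `[pscustomobject]` prefix added on the two `Add-CIPP*Permission` calls is not evaluated as a cast: in command-argument mode PowerShell treats a leading `[type]` token as literal text, so `-RequiredResourceAccess [pscustomobject]$queueitem.applicationResourceAccess` hands the parameter an expandable string beginning with `[pscustomobject]` rather than the converted object. Parenthesise the expression so it is parsed in expression mode: `-RequiredResourceAccess ([pscustomobject]$queueitem.applicationResourceAccess)` and `-RequiredResourceAccess ([pscustomobject]$queueitem.DelegateResourceAccess)`. As written the likely outcome is that both permission calls fail inside the `try` and only the generic line in the new `} catch {` is logged, so the log is the place to confirm the behaviour after deploying. The `try` that this `catch` closes is opened outside the hunk.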
@@ -27,7 +27,7 @@ function Set-CIPPOutOfOffice {
 else {
 $OutOfOffice = New-ExoRequest -tenantid $TenantFilter -cmdlet "Set-MailboxAutoReplyConfiguration" -cmdParams @{Identity = $userid; AutoReplyState = $State; InternalMessage = $InternalMessage; ExternalMessage = $ExternalMessage; StartTime = $StartTime; EndTime = $EndTime } -Anchor $userid
 Write-LogMessage -user $ExecutingUser -API $APIName -message "Scheduled Out-of-office for $($userid) between $StartTime and $EndTime" -Sev "Info" -tenant $TenantFilter
- return "Scheduled Out-of-office for $($userid) between $StartTime and $EndTime"
+ return "Scheduled Out-of-office for $($userid) between $($StartTime.toString("yyyy-MM-dd HH:mm")) and $($EndTime.toString("yyyy-MM-dd HH:mm"))"
 }
 }
 catch {
From f80f58ab3e7b0462de3cceb569ef5fc387cd4d5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Sun, 3 Dec 2023 20:45:56 +0100
Subject: [PATCH 03/78] Add tenant level check for if AEA is enabled
Also remove a redundant command to make it more BRRR
---
 .../Entrypoints/Invoke-ListUserMailboxDetails.ps1 | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserMailboxDetails.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserMailboxDetails.ps1
index e59ecf17a22a..6a043ace73b2 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserMailboxDetails.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserMailboxDetails.ps1
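Review bot: `$StartTime.toString("yyyy-MM-dd HH:mm")` in the new return line assumes `$StartTime` and `$EndTime` are already `[datetime]`; if they arrive as strings the call throws after `Set-MailboxAutoReplyConfiguration` has already been applied, and the outer `catch` (outside the hunk) would then report a failure for a change that succeeded. The parameter block is outside the hunk, so the declared types cannot be confirmed here. Formatting once before the `New-ExoRequest` call avoids the repeated method call and keeps the log line and the return value consistent, which they now are not: `$StartFmt = ([datetime]$StartTime).ToString('yyyy-MM-dd HH:mm')`, `$EndFmt = ([datetime]$EndTime).ToString('yyyy-MM-dd HH:mm')`, then use `$StartFmt` and `$EndFmt` in both messages.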
@@ -31,12 +31,18 @@ Function Invoke-ListUserMailboxDetails {
 }
 $MailboxDetailedRequest = New-ExoRequest -TenantID $TenantFilter -cmdlet 'Get-Mailbox' -cmdParams $FetchParam
 try {
- $Archive = New-ExoRequest -TenantID $TenantFilter -cmdlet 'Get-Mailbox' -cmdParams $FetchParam
- if ($Archive.ArchiveStatus -eq 'Active') {
+ if ($MailboxDetailedRequest.ArchiveStatus -eq 'Active') {
 $ArchiveEnabled = $True
 } else {
 $ArchiveEnabled = $False
 }
+ # Get organization config of auto expanding archive if it's disabled on user level
+ if (!$MailboxDetailedRequest.AutoExpandingArchiveEnabled -and $ArchiveEnabled) {
+ $OrgConfig = New-ExoRequest -TenantID $TenantFilter -cmdlet 'Get-OrganizationConfig'
+ $AutoExpandingArchiveEnabled = $OrgConfig.AutoExpandingArchiveEnabled
+ } else {
+ $AutoExpandingArchiveEnabled = $MailboxDetailedRequest.AutoExpandingArchiveEnabled
+ }
 $FetchParam = @{
 Identity = $MailRequest.PrimarySmtpAddress
@@ -116,7 +122,7 @@ Function Invoke-ListUserMailboxDetails {
 TotalArchiveItemCount = [math]::Round($ArchiveSize.ItemCount, 2)
 BlockedForSpam = $BlockedForSpam
 ArchiveMailBox = $ArchiveEnabled
- AutoExpandingArchive = $Archive.AutoExpandingArchiveEnabled
+ AutoExpandingArchive = $AutoExpandingArchiveEnabled
 RecipientTypeDetails = $MailboxDetailedRequest.RecipientTypeDetails
 }
 } else {
@@ -140,7 +146,7 @@ Function Invoke-ListUserMailboxDetails {
 TotalArchiveItemCount = 0
 BlockedForSpam = $BlockedForSpam
 ArchiveMailBox = $ArchiveEnabled
- AutoExpandingArchive = $Archive.AutoExpandingArchiveEnabled
+ AutoExpandingArchive = $AutoExpandingArchiveEnabled
 RecipientTypeDetails = $MailboxDetailedRequest.RecipientTypeDetails
 }
 }
From 94d55318092b0878df66f81155d3df1d9af8dae3 Mon Sep 17 00:00:00 2001
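Review bot: `$AutoExpandingArchiveEnabled` is first assigned inside the `try`, so if the new `Get-OrganizationConfig` call throws, the two `AutoExpandingArchive = $AutoExpandingArchiveEnabled` lines in the -116 and -140 hunks read an unset variable and report `$null`, which a consumer cannot tell apart from "disabled"; the `catch` for this `try` is outside the hunk, so whether the error is surfaced is not visible here. Seeding the variable before the `try` with the mailbox-level value, `$AutoExpandingArchiveEnabled = $MailboxDetailedRequest.AutoExpandingArchiveEnabled`, gives a defined fallback and lets the org-level branch only override it. The org-level lookup is also an extra Exchange round-trip on every mailbox detail request for tenants where the user flag is off; caching `$OrgConfig` per tenant would avoid repeating it. The enclosing function starts outside the hunk.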
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com>
Date: Mon, 4 Dec 2023 22:35:58 +0000
Subject: [PATCH 04/78] Fix for users entering https:// in Ninja config
---
 .../CIPPCore/Public/Entrypoints/Invoke-ExecExtensionsConfig.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionsConfig.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionsConfig.ps1
index fd9725fe5ff9..772e36bfac74 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionsConfig.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionsConfig.ps1
@@ -23,7 +23,7 @@ $results = try {
 # Check if NinjaOne URL is set correctly and the intance has at least version 5.6
 if ($request.body.NinjaOne) {
 try {
- [version]$Version = (Invoke-WebRequest -Method GET -Uri "https://$($request.body.NinjaOne.Instance -replace '/ws','')/app-version.txt" -ea stop).content
+ [version]$Version = (Invoke-WebRequest -Method GET -Uri "https://$(($request.body.NinjaOne.Instance -replace '/ws','') -replace 'https://','')/app-version.txt" -ea stop).content
 } catch {
 throw "Failed to connect to NinjaOne check your Instance is set correctly eg 'app.ninjarmmm.com'"
 }
From 5afd327063d8b9a470d3a59cb8fc420e342a97ad Mon Sep 17 00:00:00 2001
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com>
Date: Mon, 4 Dec 2023 22:38:52 +0000
Subject: [PATCH 05/78] Fixed Mailbox and OneDrive Use Graphs
---
 .../CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
index d84c6aaee35e..61b14e932937 100644
--- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
+++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
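Review bot: The added `-replace 'https://',''` covers only that one prefix, so `http://host`, `host/` or `host/ws/` still produces a malformed request URL, and the operator-supplied `Instance` value is interpolated unvalidated into a URL that the function then fetches. Parsing it as a URI and keeping only the host is both sturdier and a cheap input check: `$Instance = ([uri]('https://' + ($request.body.NinjaOne.Instance -replace '^https?://', ''))).Host` followed by `-Uri "https://$Instance/app-version.txt"`, with an explicit `throw` before the request when `$Instance` comes back empty. Note also that `-replace '/ws',''` is a regular-expression replace that removes every `/ws` in the string, not only a trailing path segment; `-replace '/ws/?$',''` is the more precise form. The `$results = try {` shown in the hunk header opens outside the hunk.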
@@ -1037,13 +1037,13 @@ function Invoke-NinjaOneTenantSync { $OneDriveUseColor = if ($OneDriveUse.Percent -ge 95) { '#D53948' - } elseif ($MailboxUse.Percent -ge 85) { + } elseif ($OneDriveUse.Percent -ge 85) { '#FFA500' } else { '#26A644' } - $OneDriveParsed = '
' + $OneDriveParsed = '
' } else { $OneDriveUse = [PSCustomObject]@{ @@ -1097,7 +1097,7 @@ function Invoke-NinjaOneTenantSync { '#26A644' } - $MailboxParsed = '
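Review bot: The threshold ladder that sets `$OneDriveUseColor` duplicates the one for the mailbox graph in the -1097 hunk, and that duplication is what let `$MailboxUse.Percent` slip into the OneDrive branch this hunk corrects. A small helper such as `Get-UsageColor -Percent $OneDriveUse.Percent`, returning `'#D53948'` at 95 and above, `'#FFA500'` at 85 and above and `'#26A644'` otherwise, would give both graphs one definition and make a recurrence of the mix-up impossible. The markup assigned to `$OneDriveParsed` and `$MailboxParsed` is not visible on this page, so its contents are not reviewed here; the enclosing function starts and ends outside the hunk.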
' + $MailboxParsed = '
' } else { $MailboxUse = [PSCustomObject]@{ @@ -2270,4 +2270,4 @@ function Invoke-NinjaOneTenantSync { Write-Error "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" -Sev 'Error' } -} \ No newline at end of file +} From 4e925b8ea902da27ee17fc09816c96065ef93577 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Mon, 4 Dec 2023 22:43:02 +0000 Subject: [PATCH 06/78] Update Invoke-NinjaOneTenantSync.ps1 --- .../NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 61b14e932937..26470b2b5069 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 
@@ -1327,7 +1327,7 @@ function Invoke-NinjaOneTenantSync {
 # Create New Users
 if (($NinjaUserCreation | Measure-Object).count -ge 100) {
 Write-Host "Creating NinjaOne Users"
- $CreatedUsers = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method POST -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ("[$($NinjaUserCreation.body -join ',')]") -EA Stop).content | ConvertFrom-Json -Depth 100
+ [System.Collections.Generic.List[PSCustomObject]]$CreatedUsers = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method POST -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ("[$($NinjaUserCreation.body -join ',')]") -EA Stop).content | ConvertFrom-Json -Depth 100
 Remove-AzDataTableEntity @UsersUpdateTable -Entity $NinjaUserCreation
 [System.Collections.Generic.List[PSCustomObject]]$NinjaUserCreation = @()
 }
@@ -1339,7 +1339,7 @@ function Invoke-NinjaOneTenantSync {
 # Update Users
 if (($NinjaUserUpdates | Measure-Object).count -ge 100) {
 Write-Host "Updating NinjaOne Users"
- $UpdatedUsers = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method PATCH -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ("[$($NinjaUserUpdates.body -join ',')]") -EA Stop).content | ConvertFrom-Json -Depth 100
+ [System.Collections.Generic.List[PSCustomObject]]$UpdatedUsers = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method PATCH -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ("[$($NinjaUserUpdates.body -join ',')]") -EA Stop).content | ConvertFrom-Json -Depth 100
 Remove-AzDataTableEntity @UsersUpdateTable -Entity $NinjaUserUpdates
 [System.Collections.Generic.List[PSCustomObject]]$NinjaUserUpdates = @()
 }
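Review bot: The fully qualified `[System.Collections.Generic.List[PSCustomObject]]` constraint is now repeated verbatim on every assignment here and in the -1339, -1348, -1402, -1414, -1425, -1598 and -1608 hunks, each on a line of roughly 300 characters that also assembles the bearer header and the body inline. A private helper taking `-Method` and `-Body` that builds the `Authorization` header once, sends the request with `-EA Stop` and returns the parsed JSON would reduce each site to something like `[System.Collections.Generic.List[PSCustomObject]]$CreatedUsers = Invoke-NinjaOneDocumentRequest -Method POST -Body "[$($NinjaUserCreation.body -join ',')]"` and keep the token handling in one place. The typed assignment also deserves a short comment at this first site, e.g. `# typed as List so a single returned document still combines with '+' further down`, if that is the motivation behind the cast; it is only inferable from the later `$UpdatedUsers + $CreatedUsers` lines. The enclosing function starts and ends outside these hunks.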
@@ -1348,7 +1348,7 @@ function Invoke-NinjaOneTenantSync {
 }
- $UserDocResults = $UpdatedUsers + $CreatedUsers
+ [System.Collections.Generic.List[PSCustomObject]]$UserDocResults = $UpdatedUsers + $CreatedUsers
 if (($UserDocResults | Where-Object { $Null -ne $_ -and $_ -ne '' } | Measure-Object).count -ge 1) {
 $UserDocResults | Where-Object { $Null -ne $_ -and $_ -ne '' } | ForEach-Object {
@@ -1402,7 +1402,7 @@ function Invoke-NinjaOneTenantSync {
 # Create New Users
 if (($NinjaUserCreation | Measure-Object).count -ge 1) {
 Write-Host "Creating NinjaOne Users"
- $CreatedUsers = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method POST -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ("[$($NinjaUserCreation.body -join ',')]") -EA Stop).content | ConvertFrom-Json -Depth 100
+ [System.Collections.Generic.List[PSCustomObject]]$CreatedUsers = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method POST -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ("[$($NinjaUserCreation.body -join ',')]") -EA Stop).content | ConvertFrom-Json -Depth 100
 Remove-AzDataTableEntity @UsersUpdateTable -Entity $NinjaUserCreation
 }
@@ -1414,7 +1414,7 @@ function Invoke-NinjaOneTenantSync {
 # Update Users
 if (($NinjaUserUpdates | Measure-Object).count -ge 1) {
 Write-Host "Updating NinjaOne Users"
- $UpdatedUsers = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method PATCH -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ("[$($NinjaUserUpdates.body -join ',')]") -EA Stop).content | ConvertFrom-Json -Depth 100
+ [System.Collections.Generic.List[PSCustomObject]]$UpdatedUsers = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method PATCH -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ("[$($NinjaUserUpdates.body -join ',')]") -EA Stop).content | ConvertFrom-Json -Depth 100
 Remove-AzDataTableEntity @UsersUpdateTable -Entity $NinjaUserUpdates
 }
 } Catch {
@@ -1425,7 +1425,7 @@ function Invoke-NinjaOneTenantSync {
 # Parse out the NinjaOne ID to MS ID
- $UserDocResults = $UpdatedUsers + $CreatedUsers
+ [System.Collections.Generic.List[PSCustomObject]]$UserDocResults = $UpdatedUsers + $CreatedUsers
 if (($UserDocResults | Where-Object { $Null -ne $_ -and $_ -ne '' } | Measure-Object).count -ge 1) {
 $UserDocResults | Where-Object { $Null -ne $_ -and $_ -ne '' } | ForEach-Object {
@@ -1598,7 +1598,7 @@ function Invoke-NinjaOneTenantSync {
 # Create New Subscriptions
 if (($NinjaLicenseCreation | Measure-Object).count -ge 1) {
 Write-Host "Creating NinjaOne Licenses"
- $CreatedLicenses = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method POST -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ($NinjaLicenseCreation | ConvertTo-Json -Depth 100 -AsArray) -EA Stop).content | ConvertFrom-Json -Depth 100
+ [System.Collections.Generic.List[PSCustomObject]]$CreatedLicenses = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method POST -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ($NinjaLicenseCreation | ConvertTo-Json -Depth 100 -AsArray) -EA Stop).content | ConvertFrom-Json -Depth 100
 }
 } Catch {
 Write-Host "Bulk Creation Error, but may have been successful as only 1 record with an issue could have been the cause: $_"
@@ -1608,14 +1608,14 @@ function Invoke-NinjaOneTenantSync {
 # Update Subscriptions
 if (($NinjaLicenseUpdates | Measure-Object).count -ge 1) {
 Write-Host "Updating NinjaOne Licenses"
- $UpdatedLicenses = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method PATCH -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ($NinjaLicenseUpdates | ConvertTo-Json -Depth 100 -AsArray) -EA Stop).content | ConvertFrom-Json -Depth 100
+ [System.Collections.Generic.List[PSCustomObject]]$UpdatedLicenses = (Invoke-WebRequest -uri "https://$($Configuration.Instance)/api/v2/organization/documents" -Method PATCH -Headers @{Authorization = "Bearer $($token.access_token)" } -ContentType 'application/json' -Body ($NinjaLicenseUpdates | ConvertTo-Json -Depth 100 -AsArray) -EA Stop).content | ConvertFrom-Json -Depth 100
 Write-Host "Completed Update"
 }
 } Catch {
 Write-Host "Bulk Update Errored, but may have been successful as only 1 record with an issue could have been the cause: $_"
 }
- $LicenseDocs = $CreatedLicenses + $UpdatedLicenses
+ [System.Collections.Generic.List[PSCustomObject]]$LicenseDocs = $CreatedLicenses + $UpdatedLicenses
 if ($Configuration.LicenseDocumentsEnabled -eq $True -and $Configuration.UserDocumentsEnabled -eq $True) {
 # Relate Subscriptions to Users
From 34211d5919c600ffcdd90274b2c44f7c894ea568 Mon Sep 17 00:00:00 2001
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com>
Date: Mon, 4 Dec 2023 23:04:54 +0000
Subject: [PATCH 07/78] Include Standards.json for NinjaOne Integration
---
 Config/standards.json | 585 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 585 insertions(+)
 create mode 100644 Config/standards.json
diff --git a/Config/standards.json b/Config/standards.json
new file mode 100644
index 000000000000..4ef78d3553e4
--- /dev/null
+++ b/Config/standards.json
@@ -0,0 +1,585 @@ +[ + { + "name": "standards.MailContacts.GeneralContact.Enabled", + "cat": "Global", + "helpText": "Receives emails about updates about subscriptions etc", + "addedComponent": { + "type": "input", + "name": "standards.MailContacts.GeneralContact.Mail", + "label": "General Contact" + }, + "label": "Set General Contact e-mail" + }, + { + "name": "standards.MailContacts.SecurityContact.Enabled", + "cat": "Global", + "helpText": "Receives emails about security alerts or advisories by Microsoft", + "addedComponent": { + "type": "input", + "name": "standards.MailContacts.SecurityContact.Mail", + "label": "Security Contact" + }, + "label": "Set Security Contact e-mail" + }, + { + "name": "standards.MailContacts.MarketingContact.Enabled", + "cat": "Global", + "helpText": "Receives the emails related to marketing; new features etc", + "addedComponent": { + "type": "input", + "name": "standards.MailContacts.MarketingContact.Mail", + "label": "Marketing Contact" + }, + "label": "Set Marketing Contact e-mail" + }, + { + "name": "standards.MailContacts.TechContact.Enabled", + "cat": "Global", + "helpText": "Receives emails related to possible technical issues, service disruptions, etc", + "addedComponent": { + "type": "input", + "name": "standards.MailContacts.TechContact.Mail", + "label": "Technical Contact" + }, + "label": "Set Technical Contact e-mail" + }, + { + "name": "standards.AuditLog", + "cat": "Global", + "helpText": "Also runs Enable-OrganizationCustomization if needed", + "addedComponent": null, + "label": "Enable the Unified Audit Log" + }, + { + "name": "standards.AnonReportDisable", + "cat": "Global", + "helpText": "", + "addedComponent": null, + "label": "Enable Usernames instead of pseudo anonymised names in reports" + }, + { + "name": "standards.DisableGuestDirectory", + "cat": "Global", + "helpText": "See the standards documentation for more information about the implications of this standard", + "addedComponent": null, + "label": "Restrict 
guest user access to directory objects" + }, + { + "name": "standards.DisableBasicAuthSMTP", + "cat": "Global", + "helpText": "Disables SMTP AUTH for the organization. This is the default for new tenants. Can be overridden by enabling SMTP AUTH on specific users", + "addedComponent": null, + "label": "Disable SMTP Basic Authentication" + }, + { + "name": "standards.laps", + "cat": "AAD", + "helpText": "Enables the tenant to use LAPS", + "addedComponent": null, + "label": "Enable LAPs on the tenant" + }, + { + "cat": "AAD", + "name": "standards.PWdisplayAppInformationRequiredState", + "helpText": "Enables the MS authenticator app to display information about the app that is requesting authentication", + "addedComponent": null, + "label": "Enable Passwordless with Location information and Number Matching" + }, + { + "cat": "AAD", + "name": "standards.allowOTPTokens", + "helpText": "Allows you to use MS authenticator OTP tokens", + "addedComponent": null, + "label": "Enable OTP via Authenticator." + }, + { + "cat": "AAD", + "name": "standards.allowOAuthTokens", + "helpText": "Allows you to use any OTP token generator", + "addedComponent": null, + "label": "Enable OTP Software oAuth tokens." 
+ }, + { + "cat": "AAD", + "name": "standards.PWcompanionAppAllowedState.Enabled", + "helpText": "Sets the state of Authenticator Lite, in Outlook for mobile", + "addedComponent": { + "type": "Select", + "label": "Select value", + "name": "standards.PWcompanionAppAllowedState.state", + "values": [ + { + "label": "Enabled", + "value": "enabled" + }, + { + "label": "Disabled", + "value": "disabled" + } + ] + }, + "label": "Set Authenticator Lite state" + }, + { + "cat": "AAD", + "name": "standards.TAP.Enabled", + "helpText": "Enables TAP and sets the default TAP lifetime to 1 hour and maximum lifetime to 8 hours.", + "addedComponent": { + "type": "Select", + "label": "Select TAP Lifetime", + "name": "standards.TAP.config", + "values": [ + { + "label": "Only Once", + "value": "true" + }, + { + "label": "Multiple Logons", + "value": "false" + } + ] + }, + "label": "Enable Temporary Access Passwords" + }, + { + "cat": "AAD", + "name": "standards.SecurityDefaults", + "helpText": "Enables security defaults for the tenant. This has a lot of implications and should be carefully considered before enabling", + "addedComponent": null, + "label": "Enable Security Defaults" + }, + { + "cat": "AAD", + "name": "standards.PasswordExpireDisabled", + "helpText": "Disables the expiration of passwords for the tenant", + "addedComponent": null, + "label": "Do not expire passwords" + }, + { + "cat": "AAD", + "name": "standards.DisableSecurityGroupUsers", + "helpText": "Completely disables the creation of security groups by users. 
This also breaks the ability to manage groups themselves, or create Teams", + "addedComponent": null, + "label": "Disable Security Group creation by users" + }, + { + "cat": "AAD", + "name": "standards.DisableTenantCreation", + "helpText": "Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles", + "addedComponent": null, + "label": "Disable M365 Tenant creation by users" + }, + { + "cat": "AAD", + "name": "standards.OauthConsent.Enabled", + "helpText": "Disables users from being able to consent to applications, except for those specified in the field below", + "addedComponent": { + "type": "input", + "name": "standards.OauthConsent.AllowedApps", + "label": "Allowed application IDs, comma separated" + }, + "label": "Require admin consent for applications (Prevent OAuth phishing.)" + }, + { + "cat": "AAD", + "name": "standards.OauthConsentLowSec", + "helpText": "", + "label": "Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure.)" + }, + { + "cat": "AAD", + "name": "standards.EnableAppConsentRequests.Enabled", + "helpText": "Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings", + "addedComponent": { + "type": "AdminRolesMultiSelect", + "label": "App Consent Reviewer Roles", + "name": "standards.EnableAppConsentRequests.ReviewerRoles" + }, + "label": "Enable App consent admin requests" + }, + { + "cat": "AAD", + "name": "standards.LegacyMFACleanup", + "helpText": "Removes legacy Per-User MFA if the tenant has Security Defaults or an All Users Conditional Access rule enabled.", + "addedComponent": null, + "label": "Remove Legacy MFA if SD or CA is active" + }, + { + "cat": "AAD", + "name": "standards.NudgeMFA.enable", + "helpText": "Enables registration campaign for the tenant", + "addedComponent": null, + "label": "Request to setup Authenticator if not setup yet." 
+ }, + { + "cat": "AAD", + "name": "standards.NudgeMFA.disable", + "helpText": "Disables registration campaign for the tenant", + "addedComponent": null, + "label": "Disables the request to setup Authenticator if setup." + }, + { + "cat": "AAD", + "name": "standards.DisableSelfServiceLicenses", + "helpText": "This standard currently does not function and can be safely disabled", + "addedComponent": null, + "label": "Disable Self Service Licensing" + }, + { + "cat": "AAD", + "name": "standards.DisableM365GroupUsers", + "helpText": "Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, Sharepoint sites, Planner, etc", + "addedComponent": null, + "label": "Disable M365 Group creation by users" + }, + { + "cat": "AAD", + "name": "standards.UndoOauth", + "helpText": "Disables App consent and set to Allow user consent for apps", + "addedComponent": null, + "label": "Undo App Consent Standard" + }, + { + "cat": "AAD", + "name": "standards.DisableGuests", + "helpText": "Blocks login for guest users that have not logged in for 90 days", + "addedComponent": null, + "label": "Disable Guest accounts that have not logged on for 90 days" + }, + { + "cat": "AAD", + "name": "standards.EnableFIDO2", + "helpText": "Enables the FIDO2 authenticationMethod for the tenant", + "addedComponent": null, + "label": "Enable FIDO2 capabilities" + }, + + { + "name": "standards.OutBoundSpamAlert.Enabled", + "cat": "Exchange", + "helpText": "Set the Outbound Spam Alert e-mail address.", + "addedComponent": { + "type": "input", + "name": "standards.OutBoundSpamAlert.OutboundSpamContact", + "label": "Outbound spam contact" + }, + "label": "Set Outbound Spam Alert e-mail" + }, + { + "name": "standards.SafeSendersDisable", + "cat": "Exchange", + "helpText": "", + "addedComponent": null, + "label": "Remove Safe Senders to prevent SPF bypass" + }, + { + "name": "standards.DisableSharedMailbox", + "cat": "Exchange", + "helpText": "Blocks login for all accounts 
that are marked as a shared mailbox", + "addedComponent": null, + "label": "Disable Shared Mailbox AAD accounts" + }, + { + "name": "standards.DelegateSentItems", + "cat": "Exchange", + "helpText": "Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder", + "addedComponent": null, + "label": "Set mailbox Sent Items delegation (Sent items for shared mailboxes)" + }, + { + "name": "standards.SendFromAlias", + "cat": "Exchange", + "helpText": "", + "addedComponent": null, + "label": "Allow users to send from their alias addresses" + }, + { + "name": "standards.AutoExpandArchive", + "cat": "Exchange", + "helpText": "Enables auto-expanding archives for the tenant", + "addedComponent": null, + "label": "Enable Auto-expanding archives" + }, + { + "name": "standards.SpoofWarn.enable", + "cat": "Exchange", + "helpText": "Adds indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA", + "addedComponent": null, + "label": "Enable Spoofing warnings for Outlook (This e-mail is external identifiers)" + }, + { + "name": "standards.SpoofWarn.disable", + "cat": "Exchange", + "helpText": "Disables spoof warnings from external senders in Outlook.", + "addedComponent": null, + "label": "Disable Spoofing warnings for Outlook (This e-mail is external identifiers)" + }, + { + "name": "standards.DisableViva", + "cat": "Exchange", + "helpText": "", + "addedComponent": null, + "label": "Disable daily Insight/Viva reports" + }, + { + "name": "standards.RotateDKIM", + "cat": "Exchange", + "helpText": "Rotate DKIM keys that are 1024 bit to 2048 bit", + "addedComponent": null, + "label": "Rotate DKIM keys that are 1024 bit to 2048 bit" + }, + { + "name": "standards.AddDKIM", + "cat": "Exchange", + "helpText": "Enables DKIM for all domains that currently support it", + "addedComponent": null, + "label": "Enables DKIM for all domains that currently support it" + }, + { + "name": 
"standards.ActivityBasedTimeout", + "cat": "Global", + "helpText": "Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps", + "addedComponent": null, + "label": "Enable 1 hour Activity based Timeout" + }, + { + "name": "standards.SendReceiveLimitTenant.Enabled", + "cat": "Exchange", + "helpText": "Sets the Send and Receive limits for new users. Valid values are 1KB to 150MB. Invalid values will be set to EXO standard of 35MB,36MB", + "addedComponent": { + "type": "input", + "name": "standards.SendReceiveLimitTenant.SendReceiveLimit", + "label": "Send limit and Receive limit, comma separated" + }, + "label": "Set send/receive size limits" + }, + + { + "name": "standards.calDefault.Enabled", + "cat": "Exchange", + "helpText": "Sets the default sharing level for the default calendar, for all users", + "addedComponent": { + "type": "Select", + "label": "Select Sharing Level", + "name": "standards.calDefault.permissionlevel", + "values": [ + { + "label": "Owner - The user can create, read, edit, and delete all items in the folder, and create subfolders. The user is both folder owner and folder contact.", + "value": "Owner" + }, + { + "label": "Publishing Editor - The user can create, read, edit, and delete all items in the folder, and create subfolders.", + "value": "PublishingEditor" + }, + { + "label": "Reviewer - The user can read all items in the folder.", + "value": "Reviewer" + }, + { + "label": "Editor - The user can create items in the folder. 
The contents of the folder do not appear.", + "value": "Contributor" + }, + { + "label": "Limited Details - The user can view free/busy time within the calendar and the subject and location of appointments.", + "value": "LimitedDetails" + }, + { + "label": "Availability Only - Indicates that the user can view only free/busy time within the calendar.", + "value": "AvailabilityOnly" + }, + { + "label": "None - The user has no permissions on the folder.", + "value": "none" + } + ] + }, + "label": "Set Sharing Level for Default calendar" + }, + { + "name": "standards.UserSubmissions.enable", + "cat": "Exchange", + "helpText": "", + "addedComponent": null, + "label": "Enable the built-in Report button in Outlook" + }, + { + "name": "standards.UserSubmissions.disable", + "cat": "Exchange", + "helpText": "", + "addedComponent": null, + "label": "Disable the built-in Report button in Outlook" + }, + { + "name": "standards.intuneDeviceReg.Enabled", + "cat": "Intune", + "helpText": "", + "addedComponent": { + "type": "input", + "name": "standards.intuneDeviceReg.max", + "label": "Maximum devices (Enter 2147483647 for unlimited.)" + }, + "label": "Set Maximum Number of Devices per user" + }, + { + "name": "standards.intuneDeviceRetirementDays.Enabled", + "cat": "Intune", + "helpText": "A value between 0 and 270 is supported. A value of 0 disables retirement.", + "addedComponent": { + "type": "input", + "name": "standards.intuneDeviceRetirementDays.days", + "label": "Maximum days (0 equals disabled)" + }, + "label": "Set inactive device retirement days" + }, + { + "name": "standards.intuneRequireMFA", + "cat": "Intune", + "helpText": "", + "label": "Require Multifactor Authentication to register or join devices with Microsoft Entra" + }, + { + "name": "standards.sharingCapability.Enabled", + "cat": "SharePoint", + "helpText": "Sets the default sharing level for OneDrive and Sharepoint. 
This is a tenant wide setting and overrules any settings set on the site level", + "addedComponent": { + "type": "Select", + "label": "Select Sharing Level", + "name": "standards.sharingCapability.Level", + "values": [ + { + "label": "Users can share only with people in the organization. No external sharing is allowed.", + "value": "disabled" + }, + { + "label": "Users can share with new and existing guests. Guests must sign in or provide a verification code.", + "value": "externalUserSharingOnly" + }, + { + "label": "Users can share with anyone by using links that do not require sign-in.", + "value": "externalUserAndGuestSharing" + }, + { + "label": "Users can share with existing guests (those already in the directory of the organization).", + "value": "existingExternalUserSharingOnly" + } + ] + }, + "label": "Set Sharing Level for OneDrive and Sharepoint" + }, + { + "name": "standards.ExcludedfileExt.Enabled", + "cat": "SharePoint", + "helpText": "", + "addedComponent": { + "type": "input", + "name": "standards.ExcludedfileExt.ext", + "label": "Extensions, Comma separated" + }, + "label": "Exclude File Extensions from Syncing" + }, + { + "name": "standards.disableMacSync", + "cat": "SharePoint", + "helpText": "", + "addedComponent": null, + "label": "Do not allow Mac devices to sync using OneDrive" + }, + { + "name": "standards.DisableReshare", + "cat": "SharePoint", + "helpText": "Disables the ability for external users to share files they don't own. 
Sharing links can only be made for People with existing access", + "addedComponent": null, + "label": "Disable Resharing by External Users" + }, + { + "name": "standards.DeletedUserRentention", + "cat": "SharePoint", + "helpText": "Sets the retention period for deleted users OneDrive to 1 year/365 days", + "addedComponent": null, + "label": "Retain a deleted user OneDrive for 1 year" + }, + { + "name": "standards.DisableUserSiteCreate", + "cat": "SharePoint", + "helpText": "Disables users from creating new SharePoint sites", + "addedComponent": null, + "label": "Disable site creation by standard users" + }, + { + "name": "standards.unmanagedSync", + "cat": "SharePoint", + "helpText": "", + "addedComponent": null, + "label": "Only allow users to sync OneDrive from AAD joined devices" + }, + { + "name": "standards.DisableAddShortcutsToOneDrive", + "cat": "SharePoint", + "helpText": "When the feature is disabled the option Add shortcut to My files will be removed; any folders that have already been added will remain on the user's computer.", + "addedComponent": null, + "label": "Disable Add Shortcuts To OneDrive" + }, + { + "name": "standards.IntuneTemplate.enabled", + "cat": "templates", + "helpText": "", + "addedComponent": null, + "label": "Intune Templates" + }, + { + "name": "standards.GroupTemplate.enabled", + "cat": "templates", + "helpText": "", + "addedComponent": null, + "label": "Group Templates" + }, + { + "name": "standards.ExConnector.enabled", + "cat": "templates", + "helpText": "", + "addedComponent": null, + "label": "Exchange Connector Templates" + }, + { + "name": "standards.ConditionalAccess.enabled", + "cat": "templates", + "helpText": "", + "addedComponent": null, + "label": "Conditional Access Templates" + }, + { + "name": "standards.TransportRuleTemplate.enabled", + "cat": "templates", + "helpText": "", + "addedComponent": null, + "label": "Transport Rule Templates" + }, + { + "name": "standards.ModernAuth", + "cat": "legacy", + "helpText": 
"Modern Authentication is enabled by default. This standard is no longer required and can be safely disabled", + "addedComponent": null, + "label": "Enable Modern Authentication" + }, + { + "name": "standards.DisableBasicAuth", + "cat": "legacy", + "helpText": "Basic Authentication is disabled by default. This standard is no longer required and can be safely disabled", + "addedComponent": null, + "label": "Disable Basic Authentication" + }, + { + "name": "standards.PWnumberMatchingRequiredState", + "cat": "legacy", + "helpText": "Passwordless with number matching is now enabled by default. This standard is no longer required and can be safely disabled", + "addedComponent": null, + "label": "Enable Passwordless with Number Matching" + }, + { + "cat": "legacy", + "name": "standards.LegacyMFA", + "helpText": "This standard is no longer works and can be safely disabled", + "addedComponent": null, + "label": "Enable per-user MFA for all user (Legacy, Requires DAP.)" + } +] From 570fa9539448e26b7399a1b06174fd351cad6ce0 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Mon, 4 Dec 2023 23:29:02 +0000 Subject: [PATCH 08/78] Fixed Parsing Secure Score --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 26470b2b5069..56d702d516fa 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 
@@ -322,7 +322,7 @@ function Invoke-NinjaOneTenantSync {
 [System.Collections.Generic.List[PSCustomObject]]$SecureScoreProfiles = Get-GraphBulkResultByID -value -Results $TenantResults -ID 'SecureScoreControlProfiles'
- $CurrentSecureScore = ($SecureScore | Sort-Object createDateTiime -Descending)[0]
+ $CurrentSecureScore = ($SecureScore | Sort-Object createDateTime -Descending | Select-Object -First 1)
 $MaxSecureScoreRank = ($SecureScoreProfiles.rank | Measure-Object -Maximum).maximum
 $MaxSecureScore = $CurrentSecureScore.maxScore
From 239a629691e9f1106192f5034a256432bb95d76f Mon Sep 17 00:00:00 2001
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com>
Date: Tue, 5 Dec 2023 09:37:44 +0000
Subject: [PATCH 09/78] Introduce Rate Limiting
---
 Modules/CippExtensions/CippExtensions.psd1 | Bin 11302 -> 11372 bytes
 .../NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 28 +++++++++++++++---
 .../Public/Get-ExtensionRateLimit.ps1 | 16 ++++++++++
 3 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1
diff --git a/Modules/CippExtensions/CippExtensions.psd1 b/Modules/CippExtensions/CippExtensions.psd1
index edf5fbcddae74ba8496593f6193daa3c83243cd6..ae659f3753dd6e77c3fd91a055a4b286fe58bd60 100644
GIT binary patch delta 42 wcmZ1$@g`zJkM!g#ViJ=Z#5gANhzSV>F(fjSFr+g0Fk~|10&&UaPU*P<05$;(#{d8T delta 12 TcmaD8u`FUkkM!nC(z65rD#``q
diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
index 56d702d516fa..5624a39e8bdc 100644
--- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
+++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
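Review bot: `Sort-Object createDateTime` still looks like it names a property the objects may not have: the Microsoft Graph secureScore resource exposes `createdDateTime`, so if `$SecureScore` is the raw Graph result the sort silently does nothing and `Select-Object -First 1` returns whichever score came first rather than the newest. `$SecureScore` is built outside this hunk, so this needs confirming against its shape; if it is the Graph object the line should read `$CurrentSecureScore = ($SecureScore | Sort-Object createdDateTime -Descending | Select-Object -First 1)`. An empty `$SecureScore` also leaves `$CurrentSecureScore` as `$null`, so `$CurrentSecureScore.maxScore` on the last context line becomes `$null` without any signal that the score is missing.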
@@ -8,9 +8,24 @@ function Invoke-NinjaOneTenantSync { $StartTime = Get-Date Write-Host "$(Get-Date) - Starting NinjaOne Sync" + # Check Global Rate Limiting + $CurrentMap = Get-ExtensionRateLimit -ExtensionName 'NinjaOne' -ExtensionPartitionKey 'NinjaOrgsMapping' -RateLimit 5 -WaitTime 60 + + # Check for active instances for this tenant + $CurrentItem = $CurrentMap | where-object {$_.RowKey -eq $MappedTenant.RowKey} + + if ($CurrentItem.lastStartTime -gt (Get-Date).AddMinutes(-10) -and ($CurrentItem.lastStartTime -gt $CurrentItem.lastEndTime -or $Null -eq $CurrentItem.lastEndTime)){ + Throw "NinjaOne Sync for Tenant $($MappedTenant.RowKey) is still running, please wait 10 minutes and try again." + } + + # Set Last Start Time + $MappingTable = Get-CIPPTable -TableName CIPPMapping + $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue (Get-Date) -Force + Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force + # Fetch Custom NinjaOne Settings $Table = Get-CIPPTable -TableName NinjaOneSettings - $NinjaSettings = (Get-AzDataTableEntity @Table) + $NinjaSettings = (Get-CIPPAzDataTableEntity @Table) $CIPPUrl = ($NinjaSettings | Where-Object { $_.RowKey -eq 'CIPPURL' }).SettingValue # Parse out the Tenant we are processing 
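Review bot: `$MappedTenant` is read on the new `$CurrentItem = $CurrentMap | where-object {$_.RowKey -eq $MappedTenant.RowKey}` line before it is assigned — the assignment from `$QueueItem` sits under the `# Parse out the Tenant we are processing` comment that follows this hunk — so the filter compares against `$null`, `$CurrentItem` is empty, the 'still running' guard can never fire and the `Add-Member`/`Add-CIPPAzDataTableEntity` pair operates on an empty entity. Even with the ordering fixed, the guard is a read-then-write on the mapping table with no ETag or conditional write visible, so two invocations for the same tenant that both read before either writes both proceed; the lock is advisory, and that is worth stating in a comment above it. A `Throw` in a queue-triggered function also hands the message back for redelivery, so the 'please wait 10 minutes' error should be expected to repeat until the dequeue limit is hit. `Invoke-NinjaOneTenantSync` starts and ends outside this hunk.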
@@ -30,13 +45,13 @@ function Invoke-NinjaOneTenantSync { # Get the NinjaOne general extension settings. $Table = Get-CIPPTable -TableName Extensionsconfig - $Configuration = ((Get-AzDataTableEntity @Table).config | ConvertFrom-Json).NinjaOne + $Configuration = ((Get-CIPPAzDataTableEntity @Table).config | ConvertFrom-Json).NinjaOne # Pull the list of field Mappings so we know which fields to render. $MappedFields = [pscustomobject]@{} $CIPPMapping = Get-CIPPTable -TableName CippMapping $Filter = "PartitionKey eq 'NinjaFieldMapping'" - Get-AzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' } | ForEach-Object { + Get-CIPPAzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' } | ForEach-Object { $MappedFields | Add-Member -NotePropertyName $_.RowKey -NotePropertyValue $($_.NinjaOne) } @@ -1969,7 +1984,7 @@ function Invoke-NinjaOneTenantSync { $Filter = "PartitionKey eq 'standards'" - $AllStandards = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json -Depth 100 + $AllStandards = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json -Depth 100 $AppliedStandards = ($AllStandards | Where-Object { $_.Tenant -eq $Customer.defaultDomainName -or $_.Tenant -eq 'AllTenants' }) 
@@ -2264,6 +2279,11 @@ function Invoke-NinjaOneTenantSync { Write-Host "Total Fetch Time: $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds)" Write-Host "Completed Total Time: $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds)" + + # Set Last End Time + $CurrentItem | Add-Member -NotePropertyName lastEndTime -NotePropertyValue (Get-Date) -Force + Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force + Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Completed NinjaOne Sync for $($Customer.displayName). Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' } catch { diff --git a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 new file mode 100644 index 000000000000..530c6aac0c0f --- /dev/null +++ b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 @@ -0,0 +1,16 @@ +function Get-ExtensionRateLimit($ExtensionName, $ExtensionPartitionKey, $RateLimit, $WaitTime) { + + $MappingTable = Get-CIPPTable -TableName CIPPMapping + $CurrentMap = (Get-CIPPAzDataTableEntity @MappingTable -Filter "PartitionKey eq '$ExtensionPartitionKey'") + + # Check Global Rate Limiting + $ActiveJobs = $CurrentMap | Where-Object { $_.lastStartTime -gt (Get-Date).AddMinutes(-10) -and ($_.lastStartTime -gt $_.lastEndTime -or $Null -eq $_.lastEndTime) } + if (($ActiveJobs | Measure-Object).count -ge $RateLimit) { + Write-LogMessage -API 'ExtensionRateLimiting' -user 'CIPP' -message "$ExtensionName Rate Limited" -Sev 'Info' + Start-Sleep -Seconds $WaitTime + $CurrentMap = Get-ExtensionRateLimit -ExtensionName $ExtensionName -ExtensionPartitionKey $ExtensionPartitionKey -RateLimit $RateLimit -WaitTime $WaitTime + } + + Return $CurrentMap + +} \ No newline at end of file From 053ea3a1e8215e5b8ea0e31fdaae46153fe6d7d9 Mon Sep 17 00:00:00 2001 
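Review bot: `$ExtensionPartitionKey` is spliced straight into the OData filter `"PartitionKey eq '$ExtensionPartitionKey'"`; the only caller in this series passes a literal, but the function is public, and a value containing a single quote would change the query, so escaping it first, `$Key = $ExtensionPartitionKey -replace "'", "''"`, keeps the filter well-formed regardless of caller. The limiter is also not atomic: it counts rows with a recent `lastStartTime` and no newer `lastEndTime`, but each caller records its own start only after this function returns, so callers that all read before any of them writes all pass under the limit. Because the function recurses every `$WaitTime` seconds while the count stays at or above `$RateLimit`, a sync that crashes without writing `lastEndTime` occupies a slot for the full 10-minute window; a header comment stating both properties would save the next reader from discovering them in production.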
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com>
Date: Tue, 5 Dec 2023 10:13:32 +0000
Subject: [PATCH 10/78] Start / End Time Tweaks
---
 Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 2 +-
 Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
index 5624a39e8bdc..1ccf71f967ea 100644
--- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
+++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1
@@ -19,7 +19,7 @@ function Invoke-NinjaOneTenantSync {
 }
 # Set Last Start Time
- $MappingTable = Get-CIPPTable -TableName CIPPMapping
+ $MappingTable = Get-CIPPTable -TableName CippMapping
 $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue (Get-Date) -Force
 Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force
diff --git a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1
index 530c6aac0c0f..a680def3fc1a 100644
--- a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1
+++ b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1
@@ -1,6 +1,6 @@ function Get-ExtensionRateLimit($ExtensionName, $ExtensionPartitionKey, $RateLimit, $WaitTime) {
- $MappingTable = Get-CIPPTable -TableName CIPPMapping
+ $MappingTable = Get-CIPPTable -TableName CippMapping
 $CurrentMap = (Get-CIPPAzDataTableEntity @MappingTable -Filter "PartitionKey eq '$ExtensionPartitionKey'")
 # Check Global Rate Limiting
From b5234a5461c8acb7bc57d769d2e04bcd8ca86cbd Mon Sep 17 00:00:00 2001
From: KelvinTegelaar Date: Tue, 5 Dec 2023 12:38:29 +0100 Subject: [PATCH 11/78] add recipient api --- .../Entrypoints/Invoke-ListRecipients.ps1 | 45 +++++++++++++++++++ .../CIPPCore/Public/Set-CIPPForwarding.ps1 | 1 + 2 files changed, 46 insertions(+) create mode 100644 Modules/CIPPCore/Public/Entrypoints/Invoke-ListRecipients.ps1 diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListRecipients.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListRecipients.ps1 new file mode 100644 index 000000000000..29bc8bd8a01a --- /dev/null +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListRecipients.ps1 
@@ -0,0 +1,45 @@ +using namespace System.Net + +Function Invoke-ListRecipients { + <# + .FUNCTIONALITY + Entrypoint + #> + [CmdletBinding()] + param($Request, $TriggerMetadata) + + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + + + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' + + # Interact with query parameters or the body of the request. + $TenantFilter = $Request.Query.TenantFilter + try { + $Select = 'id,DisplayName,ExchangeGuid,ArchiveGuid,PrimarySmtpAddress,PrimarySMTPAddress,RecipientType,RecipientTypeDetails,EmailAddresses' + $ExoRequest = @{ + tenantid = $TenantFilter + cmdlet = 'Get-Recipient' + cmdParams = @{resultsize = 'unlimited' } + Select = $select + } + + $GraphRequest = (New-ExoRequest @ExoRequest) | Select-Object id, ExchangeGuid, ArchiveGuid, + @{ Name = 'UPN'; Expression = { $_.'PrimarySmtpAddress' } }, + @{ Name = 'mail'; Expression = { $_.'PrimarySmtpAddress' } }, + @{ Name = 'displayName'; Expression = { $_.'DisplayName' } } + $StatusCode = [HttpStatusCode]::OK + } catch { + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message + $StatusCode = [HttpStatusCode]::Forbidden + $GraphRequest = $ErrorMessage + } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = $StatusCode + Body = @($GraphRequest) + }) + +} diff --git a/Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 b/Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 index 9db8ddd5002a..fa11fa72bbf5 100644 --- a/Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 @@ -24,3 +24,4 @@ function Set-CIPPForwarding { return "Could not add forwarding for $($username). Error: $($_.Exception.Message)" } } +a \ No newline at end of file 
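Review bot: Every exception in the `catch` is reported as `[HttpStatusCode]::Forbidden`, so an EXO throttling error, a malformed `TenantFilter` or a transient connection failure all reach the client as 403 with the normalized message as the body, which makes real authorization failures indistinguishable from everything else; a generic failure status for the catch-all (`BadRequest` or `InternalServerError`) with 403 reserved for actual permission errors would fix that. The `UPN` output property is filled from `PrimarySmtpAddress`, which is not the user principal name, so either rename it or document that it is an alias of `mail` kept for the front-end. The `$Select` string lists `PrimarySmtpAddress` twice (once as `PrimarySMTPAddress`), and the `Write-Host 'PowerShell HTTP trigger function processed a request.'` line is template residue.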
From ba7012b1e2dab8c24934253e78e430d04b618a9a Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Tue, 5 Dec 2023 17:27:19 +0100 Subject: [PATCH 12/78] remove accidental letter --- Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 b/Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 index fa11fa72bbf5..2b3361a6054d 100644 --- a/Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPForwarding.ps1 @@ -6,7 +6,7 @@ function Set-CIPPForwarding { $tenantFilter, $username, $ExecutingUser, - $APIName = "Forwarding", + $APIName = 'Forwarding', $Forward, $KeepCopy, $Disable 
@@ -14,14 +14,12 @@ function Set-CIPPForwarding { try { if (!$username) { $username = $userid } - $permissions = New-ExoRequest -tenantid $tenantFilter -cmdlet "Set-mailbox" -cmdParams @{Identity = $userid; ForwardingSMTPAddress = $forwardingSMTPAddress; ForwardingAddress = $Forward ; DeliverToMailboxAndForward = [bool]$KeepCopy } -Anchor $username + $permissions = New-ExoRequest -tenantid $tenantFilter -cmdlet 'Set-mailbox' -cmdParams @{Identity = $userid; ForwardingSMTPAddress = $forwardingSMTPAddress; ForwardingAddress = $Forward ; DeliverToMailboxAndForward = [bool]$KeepCopy } -Anchor $username if (!$Disable) { "Forwarding all email for $username to $Forward" } else { "Disabled forwarding for $username" } - Write-LogMessage -user $ExecutingUser -API $APIName -message "Set Forwarding for $($username) to $Forward" -Sev "Info" -tenant $TenantFilter - } - catch { - Write-LogMessage -user $ExecutingUser -API $APIName -message "Could not add forwarding for $($username)" -Sev "Error" -tenant $TenantFilter + Write-LogMessage -user $ExecutingUser -API $APIName -message "Set Forwarding for $($username) to $Forward" -Sev 'Info' -tenant $TenantFilter + } catch { + Write-LogMessage -user $ExecutingUser -API $APIName -message "Could not add forwarding for $($username)" -Sev 'Error' -tenant $TenantFilter return "Could not add forwarding for $($username). Error: $($_.Exception.Message)" } } -a \ No newline at end of file From 0f9af67bcd5ea5c5b6029eb0f42e2697d1dfd010 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Tue, 5 Dec 2023 19:07:05 +0000 Subject: [PATCH 13/78] Rate Limit Fixes --- .../NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 20 ++++++++++++------- .../Public/Get-ExtensionRateLimit.ps1 | 7 ++++++- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 1ccf71f967ea..92a0753ef2a3 100644 
--- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -4,23 +4,28 @@ function Invoke-NinjaOneTenantSync { $QueueItem ) try { - $StartTime = Get-Date Write-Host "$(Get-Date) - Starting NinjaOne Sync" # Check Global Rate Limiting $CurrentMap = Get-ExtensionRateLimit -ExtensionName 'NinjaOne' -ExtensionPartitionKey 'NinjaOrgsMapping' -RateLimit 5 -WaitTime 60 + # Parse out the Tenant we are processing + $MappedTenant = $QueueItem.MappedTenant + # Check for active instances for this tenant - $CurrentItem = $CurrentMap | where-object {$_.RowKey -eq $MappedTenant.RowKey} + $CurrentItem = $CurrentMap | where-object { $_.RowKey -eq $MappedTenant.RowKey } + + $StartDate = try { Get-Date($CurrentItem.lastStartTime) } catch { $Null } + $EndDate = try { Get-Date($CurrentItem.lastEndTime) } catch { $Null } - if ($CurrentItem.lastStartTime -gt (Get-Date).AddMinutes(-10) -and ($CurrentItem.lastStartTime -gt $CurrentItem.lastEndTime -or $Null -eq $CurrentItem.lastEndTime)){ + if (($null -ne $CurrentItem.lastStartTime -or $StartDate -gt (Get-Date).AddMinutes(-10)) -and ( $Null -eq $CurrentItem.lastEndTime -or ($StartDate -gt $EndDate))) { Throw "NinjaOne Sync for Tenant $($MappedTenant.RowKey) is still running, please wait 10 minutes and try again." } # Set Last Start Time $MappingTable = Get-CIPPTable -TableName CippMapping - $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue (Get-Date) -Force + $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force # Fetch Custom NinjaOne Settings 
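Review bot: The rewritten guard `if (($null -ne $CurrentItem.lastStartTime -or $StartDate -gt (Get-Date).AddMinutes(-10)) -and ...)` joins its first clause with `-or`, so any row with a non-null `lastStartTime` satisfies it regardless of age and the 10-minute expiry never applies; a tenant whose previous run died before writing `lastEndTime` is reported as 'still running' indefinitely. PATCH 16 later in this series corrects the same `-or` inside Get-ExtensionRateLimit, but this per-tenant check is left as is. It should read `if (($null -ne $StartDate -and $StartDate -gt (Get-Date).AddMinutes(-10)) -and ($null -eq $EndDate -or $StartDate -gt $EndDate)) {`, which also compares the parsed `$EndDate` rather than the raw `$CurrentItem.lastEndTime` string in the second clause. The `try { Get-Date(...) } catch { $Null }` conversions depend on the `yyyy-MM-ddTHH:mm:ss.fffZ` format written further down; a comment saying so next to them would make the dependency visible.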
@@ -28,8 +33,7 @@ function Invoke-NinjaOneTenantSync { $NinjaSettings = (Get-CIPPAzDataTableEntity @Table) $CIPPUrl = ($NinjaSettings | Where-Object { $_.RowKey -eq 'CIPPURL' }).SettingValue - # Parse out the Tenant we are processing - $MappedTenant = $QueueItem.MappedTenant + $Customer = Get-Tenants | where-object { $_.customerId -eq $MappedTenant.RowKey } Write-Host "Processing: $($Customer.displayName)" @@ -2281,7 +2285,7 @@ function Invoke-NinjaOneTenantSync { Write-Host "Completed Total Time: $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds)" # Set Last End Time - $CurrentItem | Add-Member -NotePropertyName lastEndTime -NotePropertyValue (Get-Date) -Force + $CurrentItem | Add-Member -NotePropertyName lastEndTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Completed NinjaOne Sync for $($Customer.displayName). Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' @@ -2289,5 +2293,7 @@ function Invoke-NinjaOneTenantSync { } catch { Write-Error "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" -Sev 'Error' + $CurrentItem | Add-Member -NotePropertyName lastEndTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force + Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force } } 
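Review bot: The new `catch` writes `lastEndTime` onto `$CurrentItem` unconditionally, but the 'still running' `Throw` at the top of the function is one of the errors that lands here; on that path `$CurrentItem` is the row of the other, genuinely running instance, so the rejected invocation stamps an end time on it and releases the lock it was just refused by. `$MappingTable` is assigned only after that `Throw`, so on the same path `@MappingTable` appears to have nothing to splat and the write cannot target the intended table. Setting `$Claimed = $true` right after the successful `Add-CIPPAzDataTableEntity` that records this invocation's start, and wrapping the catch-side write in `if ($Claimed) { ... }`, keeps the catch from touching rows this invocation does not own. The function body between these hunks is outside the hunk.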
diff --git a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 index a680def3fc1a..feae7545ac10 100644 --- a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 +++ b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 @@ -4,9 +4,14 @@ function Get-ExtensionRateLimit($ExtensionName, $ExtensionPartitionKey, $RateLim $CurrentMap = (Get-CIPPAzDataTableEntity @MappingTable -Filter "PartitionKey eq '$ExtensionPartitionKey'") # Check Global Rate Limiting - $ActiveJobs = $CurrentMap | Where-Object { $_.lastStartTime -gt (Get-Date).AddMinutes(-10) -and ($_.lastStartTime -gt $_.lastEndTime -or $Null -eq $_.lastEndTime) } + try { + $ActiveJobs = $CurrentMap | Where-Object { ($Null -ne $_.lastStartTime -or $_.lastStartTime -gt (Get-Date).AddMinutes(-10)) -and ($Null -eq $_.lastEndTime -or $_.lastStartTime -gt $_.lastEndTime) } + } catch { + $ActiveJobs = 'FirstRun' + } if (($ActiveJobs | Measure-Object).count -ge $RateLimit) { Write-LogMessage -API 'ExtensionRateLimiting' -user 'CIPP' -message "$ExtensionName Rate Limited" -Sev 'Info' + Write-Host "Rate Limiting" Start-Sleep -Seconds $WaitTime $CurrentMap = Get-ExtensionRateLimit -ExtensionName $ExtensionName -ExtensionPartitionKey $ExtensionPartitionKey -RateLimit $RateLimit -WaitTime $WaitTime } From 9b52598d8430a38473ab4f8a40f74124cedbed39 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Tue, 5 Dec 2023 21:34:27 +0100 Subject: [PATCH 14/78] Fix being unable to remove exconnectors --- .../CIPPCore/Public/Invoke-RemoveExConnector.ps1 | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/Modules/CIPPCore/Public/Invoke-RemoveExConnector.ps1 b/Modules/CIPPCore/Public/Invoke-RemoveExConnector.ps1 index 09c474712e18..f16befc4906b 100644 --- a/Modules/CIPPCore/Public/Invoke-RemoveExConnector.ps1 +++ b/Modules/CIPPCore/Public/Invoke-RemoveExConnector.ps1 
@@ -11,19 +11,15 @@ Function Invoke-RemoveExConnector { $APIName = $TriggerMetadata.FunctionName Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' $Tenantfilter = $request.Query.tenantfilter - - - $Params = @{ - Identity = $request.query.guid - } - + try { + $Params = @{ Identity = $request.query.GUID } - - $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "Remove-$($Request.query.Type)Connector" -cmdParams $params + $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "Remove-$($Request.query.Type)Connector" -cmdParams $params -useSystemMailbox $true $Result = "Deleted $($Request.query.guid)" Write-LogMessage -API 'TransportRules' -tenant $tenantfilter -message "Deleted transport rule $($Request.query.guid)" -sev Debug - } catch { + } + catch { $ErrorMessage = Get-NormalizedError -Message $_.Exception $Result = $ErrorMessage } From 505b2d695e8ffa9b1ec47273a3df278046f60a0e Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Tue, 5 Dec 2023 22:49:33 +0000 Subject: [PATCH 15/78] Added dequeue and state tracking --- .../CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 4 ++++ host.json | 7 +++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 92a0753ef2a3..38f4e633173f 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -7,6 +7,7 @@ function Invoke-NinjaOneTenantSync { $StartTime = Get-Date Write-Host "$(Get-Date) - Starting NinjaOne Sync" + # Check Global Rate Limiting $CurrentMap = Get-ExtensionRateLimit -ExtensionName 'NinjaOne' -ExtensionPartitionKey 'NinjaOrgsMapping' -RateLimit 5 -WaitTime 60 
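Review bot: `-cmdlet "Remove-$($Request.query.Type)Connector"` still builds the cmdlet name from a request query value with no validation, so anything other than the two expected values yields an unexpected cmdlet name that is passed to `New-ExoRequest` as-is; checking it before the `try`, `if ($Request.query.Type -notin @('Inbound', 'Outbound')) { throw "Unknown connector type" }`, bounds what this endpoint can invoke. The `Write-LogMessage -API 'TransportRules' ... "Deleted transport rule ..."` line is copied from the transport-rule endpoint and mislabels connector deletions in the log, which matters for anyone reconstructing mail-flow changes later; `-API 'ExConnector'` with `"Deleted $($Request.query.Type) connector $($Request.query.guid)"` would be accurate. The enclosing function starts before this hunk.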
@@ -26,6 +27,7 @@ function Invoke-NinjaOneTenantSync { # Set Last Start Time $MappingTable = Get-CIPPTable -TableName CippMapping $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force + $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Running' -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force # Fetch Custom NinjaOne Settings @@ -2286,6 +2288,7 @@ function Invoke-NinjaOneTenantSync { # Set Last End Time $CurrentItem | Add-Member -NotePropertyName lastEndTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force + $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Completed' -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Completed NinjaOne Sync for $($Customer.displayName). Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' @@ -2294,6 +2297,7 @@ function Invoke-NinjaOneTenantSync { Write-Error "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" -Sev 'Error' $CurrentItem | Add-Member -NotePropertyName lastEndTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force + $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Failed' -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force } } 
diff --git a/host.json b/host.json
index c35d7ceb5451..ee3245a61b88 100644
--- a/host.json
+++ b/host.json
@@ -8,8 +8,11 @@
 "id": "Microsoft.Azure.Functions.ExtensionBundle",
 "version": "[2.*, 3.0.0)"
 },
- "extensions": {},
+ "extensions": {
+ "queues": {
+ "maxDequeueCount": 5
+ }},
 "logging": {
 "fileLoggingMode": "never"
- }
+ }
 }
From c6af60a8d83cbd3ac0ab7a78826da7e90b7308d8 Mon Sep 17 00:00:00 2001
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com>
Date: Wed, 6 Dec 2023 08:42:56 +0000
Subject: [PATCH 16/78] More rate limit fixes
---
 Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1
index feae7545ac10..29b29374e2bb 100644
--- a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1
+++ b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1
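Review bot: `"maxDequeueCount": 5` interacts with the `Throw` that Invoke-NinjaOneTenantSync raises for a tenant that is 'still running': each throw returns the message to the queue, so a sync blocked by a long-running sibling is retried up to five times and then moved to the poison queue, where it is not retried at all. Since host.json cannot carry that explanation, a comment next to the `Throw` in the sync function noting that it consumes one of these five dequeue attempts would help the next reader; returning without throwing for the 'still running' case is the alternative. The added `}},` also closes two objects on one line with indentation that does not match the rest of the file.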
@@ -5,13 +5,13 @@ function Get-ExtensionRateLimit($ExtensionName, $ExtensionPartitionKey, $RateLim # Check Global Rate Limiting try { - $ActiveJobs = $CurrentMap | Where-Object { ($Null -ne $_.lastStartTime -or $_.lastStartTime -gt (Get-Date).AddMinutes(-10)) -and ($Null -eq $_.lastEndTime -or $_.lastStartTime -gt $_.lastEndTime) } + $ActiveJobs = $CurrentMap | Where-Object { ($Null -ne $_.lastStartTime) -and ($_.lastStartTime -gt (Get-Date).AddMinutes(-10)) -and ($Null -eq $_.lastEndTime -or $_.lastStartTime -gt $_.lastEndTime) } } catch { $ActiveJobs = 'FirstRun' } if (($ActiveJobs | Measure-Object).count -ge $RateLimit) { - Write-LogMessage -API 'ExtensionRateLimiting' -user 'CIPP' -message "$ExtensionName Rate Limited" -Sev 'Info' - Write-Host "Rate Limiting" + Write-LogMessage -API 'ExtensionRateLimiting' -user 'CIPP' -message "$ExtensionName Rate Limited $($ActiveJobs.count) active jobs" -Sev 'Info' + Write-Host "Rate Limiting. Currently $($ActiveJobs.count) Active Jobs" Start-Sleep -Seconds $WaitTime $CurrentMap = Get-ExtensionRateLimit -ExtensionName $ExtensionName -ExtensionPartitionKey $ExtensionPartitionKey -RateLimit $RateLimit -WaitTime $WaitTime } From fcdb76284c430da967535ee77172c1f63fd54198 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 09:11:05 +0000 Subject: [PATCH 17/78] Even more rate limit fixes --- .../Public/Get-ExtensionRateLimit.ps1 | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 index 29b29374e2bb..71209e413bfa 100644 --- a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 +++ b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 
@@ -2,6 +2,19 @@ function Get-ExtensionRateLimit($ExtensionName, $ExtensionPartitionKey, $RateLim $MappingTable = Get-CIPPTable -TableName CippMapping $CurrentMap = (Get-CIPPAzDataTableEntity @MappingTable -Filter "PartitionKey eq '$ExtensionPartitionKey'") + $CurrentMap | ForEach-Object { + if ($Null -ne $_.lastEndTime -and $_.lastEndTime -ne ''){ + $_.lastEndTime = (Get-Date($_.lastEndTime)) + } else { + $_.lastEndTime = $Null + } + + if ($Null -ne $_.lastStartTime -and $_.lastStartTime -ne '') { + $_.lastStartTime = (Get-Date($_.lastStartTime)) + } else { + $_.lastStartTime = $Null + } + } # Check Global Rate Limiting try { From 3f7818e4cf8e819fecb4bff4d6bec91655d163a2 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 09:26:50 +0000 Subject: [PATCH 18/78] Even even more rate limit fixes --- Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 index 71209e413bfa..c6ab4abb2fac 100644 --- a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 +++ b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 @@ -6,13 +6,13 @@ function Get-ExtensionRateLimit($ExtensionName, $ExtensionPartitionKey, $RateLim if ($Null -ne $_.lastEndTime -and $_.lastEndTime -ne ''){ $_.lastEndTime = (Get-Date($_.lastEndTime)) } else { - $_.lastEndTime = $Null + $_ | Add-Member -NotePropertyName lastEndTime -NotePropertyValue $Null -Force } if ($Null -ne $_.lastStartTime -and $_.lastStartTime -ne '') { $_.lastStartTime = (Get-Date($_.lastStartTime)) } else { - $_.lastStartTime = $Null + $_ | Add-Member -NotePropertyName lastStartTime -NotePropertyValue $Null -Force } } From 5fa1d875b524536fb9b1c1bd0c7f68bdd38ecc21 Mon Sep 17 00:00:00 2001 
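Review bot: The new `Get-Date($_.lastEndTime)` and `Get-Date($_.lastStartTime)` conversions run before the `try` that guards the rate-limit check, so a single unparseable timestamp in the CippMapping table throws out of Get-ExtensionRateLimit and every caller for that partition fails instead of being rate-limited. Invoke-NinjaOneTenantSync already uses the `$StartDate = try { Get-Date($CurrentItem.lastStartTime) } catch { $Null }` form for these same fields; the same pattern here keeps one bad row from taking the extension down. Since the values are written elsewhere in this series as `yyyy-MM-ddTHH:mm:ss.fffZ`, a `[datetime]::ParseExact` with that format would also make the accepted input explicit. The function header and the rest of the body are outside this hunk.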
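Review bot: The `lastEndTime` and `lastStartTime` branches are now identical apart from the property name, so the parse/`Add-Member` rule has to be maintained twice; iterating over the two names inside the ForEach-Object keeps a single copy of the logic. The switch to `Add-Member -NotePropertyName ... -Force` is the right fix for rows that lack the column, since assigning to a NoteProperty that does not exist on the object presumably fails. The `$CurrentMap | ForEach-Object {` opening line is above this hunk.
```powershell
    foreach ($Prop in 'lastEndTime', 'lastStartTime') {
        if ($Null -ne $_.$Prop -and $_.$Prop -ne '') {
            $_.$Prop = (Get-Date($_.$Prop))
        } else {
            $_ | Add-Member -NotePropertyName $Prop -NotePropertyValue $Null -Force
        }
    }
```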
From: KelvinTegelaar Date: Wed, 6 Dec 2023 11:34:29 +0100 Subject: [PATCH 19/78] blacklisted specific commands --- .../Entrypoints/Invoke-ListFunctionParameters.ps1 | 7 +++---- .../CIPPCore/Public/GraphHelper/Convert-SKUName.ps1 | 4 ++++ .../Public/GraphHelper/Get-AuthorisedRequest.ps1 | 4 ++++ Modules/CIPPCore/Public/GraphHelper/Get-CIPPTable.ps1 | 4 ++++ .../Public/GraphHelper/Get-ClassicAPIToken.ps1 | 4 ++++ .../Public/GraphHelper/Get-GraphBulkResultByID.ps1 | 4 ++++ .../CIPPCore/Public/GraphHelper/Get-GraphToken.ps1 | 4 ++++ .../Public/GraphHelper/Get-NormalizedError.ps1 | 4 ++++ Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 | 4 ++++ .../Public/GraphHelper/New-ClassicAPIGetRequest.ps1 | 5 ++++- .../CIPPCore/Public/GraphHelper/New-DeviceLogin.ps1 | 4 ++++ .../CIPPCore/Public/GraphHelper/New-ExoRequest.ps1 | 5 ++++- .../Public/GraphHelper/New-GraphBulkRequest.ps1 | 4 ++++ .../Public/GraphHelper/New-GraphGetRequest.ps1 | 4 ++++ .../Public/GraphHelper/New-GraphPOSTRequest.ps1 | 4 ++++ .../Public/GraphHelper/New-TeamsAPIGetRequest.ps1 | 4 ++++ .../Public/GraphHelper/New-passwordString.ps1 | 4 ++++ .../Public/GraphHelper/Read-JwtAccessDetails.ps1 | 11 ++--------- .../CIPPCore/Public/GraphHelper/Remove-CIPPCache.ps1 | 4 ++++ .../CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 | 4 ++++ 20 files changed, 77 insertions(+), 15 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 index 13395bcac219..9460428ac793 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListFunctionParameters.ps1 
@@ -25,17 +25,16 @@ function Invoke-ListFunctionParameters { if ($Function) { $CommandQuery.Name = $Function } - + $IgnoreList = 'entryPoint', 'internal' $CommonParameters = @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction', 'ErrorVariable', 'WarningVariable', 'InformationVariable', 'OutVariable', 'OutBuffer', 'PipelineVariable', 'TenantFilter', 'APIName', 'ExecutingUser') - #temporary until I clean up the coremodule and move things private. - $TemporaryBlacklist = 'Get-CIPPAuthentication', 'Invoke-CippWebhookProcessing', 'Invoke-ListFunctionParameters', 'New-CIPPAPIConfig', 'New-CIPPGraphSubscription.ps1' + $TemporaryBlacklist = 'Get-CIPPAuthentication', 'Invoke-CippWebhookProcessing', 'Invoke-ListFunctionParameters', 'New-CIPPAPIConfig', 'New-CIPPGraphSubscription' try { $Functions = Get-Command @CommandQuery | Where-Object { $_.Visibility -eq 'Public' } $Results = foreach ($Function in $Functions) { if ($Function -In $TemporaryBlacklist) { continue } $Help = Get-Help $Function $ParamsHelp = ($Help | Select-Object -ExpandProperty parameters).parameter | Select-Object name, @{n = 'description'; exp = { $_.description.Text } } - if ($Help.Functionality -eq 'Entrypoint') { continue } + if ($Help.Functionality -in $IgnoreList) { continue } $Parameters = foreach ($Key in $Function.Parameters.Keys) { if ($CommonParameters -notcontains $Key) { $Param = $Function.Parameters.$Key diff --git a/Modules/CIPPCore/Public/GraphHelper/Convert-SKUName.ps1 b/Modules/CIPPCore/Public/GraphHelper/Convert-SKUName.ps1 index 2bd91fcf7a19..7d0d5e874aea 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Convert-SKUName.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Convert-SKUName.ps1 
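Review bot: `foreach ($Function in $Functions)` reuses the name of the `$Function` filter assigned to `$CommandQuery.Name` a few lines above, so the same variable means "requested name" and then "current CommandInfo" within one screen; renaming the loop variable (`foreach ($Cmd in $Functions)`) keeps the two roles apart. `$Function -In $TemporaryBlacklist` compares a CommandInfo object against strings, which is worth confirming actually matches by name, and `$Function.Name -in $TemporaryBlacklist` states the intent either way. The exposure model is also deny-by-annotation: a command is hidden only if it carries `.FUNCTIONALITY Internal`/`Entrypoint` or appears in `$TemporaryBlacklist`, so any new function without a help block is listed by default; requiring an explicit marker for inclusion would fail closed. The function starts before this hunk.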
@@ -1,4 +1,8 @@ function Convert-SKUname($skuname, $skuID) { + <# + .FUNCTIONALITY + Internal + #> $ConvertTable = Import-Csv Conversiontable.csv if ($skuname) { $ReturnedName = ($ConvertTable | Where-Object { $_.String_Id -eq $skuname } | Select-Object -Last 1).'Product_Display_Name' } if ($skuID) { $ReturnedName = ($ConvertTable | Where-Object { $_.guid -eq $skuid } | Select-Object -Last 1).'Product_Display_Name' } diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-AuthorisedRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-AuthorisedRequest.ps1 index 89f8684d2e8e..f8891f84899d 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Get-AuthorisedRequest.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Get-AuthorisedRequest.ps1 @@ -1,5 +1,9 @@ function Get-AuthorisedRequest { + <# + .FUNCTIONALITY + Internal + #> [CmdletBinding()] Param( [string]$TenantID, diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-CIPPTable.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-CIPPTable.ps1 index 99567e300e18..b050af128cee 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Get-CIPPTable.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Get-CIPPTable.ps1 @@ -1,4 +1,8 @@ function Get-CIPPTable { + <# + .FUNCTIONALITY + Internal + #> [CmdletBinding()] param ( $tablename = 'CippLogs' diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-ClassicAPIToken.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-ClassicAPIToken.ps1 index 6568e28b867a..f887e8ce850e 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Get-ClassicAPIToken.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Get-ClassicAPIToken.ps1 @@ -1,4 +1,8 @@ function Get-ClassicAPIToken($tenantID, $Resource) { + <# + .FUNCTIONALITY + Internal + #> $TokenKey = '{0}-{1}' -f $TenantID, $Resource if ($script:classictoken.$TokenKey -and [int](Get-Date -UFormat %s -Millisecond 0) -lt $script:classictoken.$TokenKey.expires_on) { Write-Host 'Classic: cached token' 
diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-GraphBulkResultByID.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-GraphBulkResultByID.ps1 index e71d8c8ffb25..ed8d6de49833 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Get-GraphBulkResultByID.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Get-GraphBulkResultByID.ps1 @@ -1,4 +1,8 @@ function Get-GraphBulkResultByID ($Results, $ID, [switch]$Value) { + <# + .FUNCTIONALITY + Internal + #> if ($Value) { ($Results | Where-Object { $_.id -eq $ID }).body.value } else { diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1 index 8a654c8e979a..05b1b7f9c8fc 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Get-GraphToken.ps1 @@ -1,4 +1,8 @@ function Get-GraphToken($tenantid, $scope, $AsApp, $AppID, $refreshToken, $ReturnRefresh, $SkipCache) { + <# + .FUNCTIONALITY + Internal + #> if (!$scope) { $scope = 'https://graph.microsoft.com/.default' } if (!$env:SetFromProfile) { $CIPPAuth = Get-CIPPAuthentication; Write-Host 'Could not get Refreshtoken from environment variable. Reloading token.' } $AuthBody = @{ diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-NormalizedError.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-NormalizedError.ps1 index 96d5b0b4533c..98ce8bdbf8dc 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Get-NormalizedError.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Get-NormalizedError.ps1 @@ -1,4 +1,8 @@ function Get-NormalizedError { + <# + .FUNCTIONALITY + Internal + #> [CmdletBinding()] param ( [string]$message diff --git a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 index 4f0c1a16cbf8..e44eccbea5d9 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Get-Tenants.ps1 
@@ -1,4 +1,8 @@ function Get-Tenants { + <# + .FUNCTIONALITY + Internal + #> param ( [Parameter( ParameterSetName = 'Skip', Mandatory = $True )] [switch]$SkipList, diff --git a/Modules/CIPPCore/Public/GraphHelper/New-ClassicAPIGetRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-ClassicAPIGetRequest.ps1 index 1528e0e4393d..d97dfc3bb99f 100644 --- a/Modules/CIPPCore/Public/GraphHelper/New-ClassicAPIGetRequest.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/New-ClassicAPIGetRequest.ps1 @@ -1,6 +1,9 @@ function New-ClassicAPIGetRequest($TenantID, $Uri, $Method = 'GET', $Resource = 'https://admin.microsoft.com', $ContentType = 'application/json') { - + <# + .FUNCTIONALITY + Internal + #> if ((Get-AuthorisedRequest -Uri $uri -TenantID $tenantid)) { $token = Get-ClassicAPIToken -Tenant $tenantID -Resource $Resource diff --git a/Modules/CIPPCore/Public/GraphHelper/New-DeviceLogin.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-DeviceLogin.ps1 index 1d80e47ba069..2046e3fa158b 100644 --- a/Modules/CIPPCore/Public/GraphHelper/New-DeviceLogin.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/New-DeviceLogin.ps1 @@ -1,4 +1,8 @@ function New-DeviceLogin { + <# + .FUNCTIONALITY + Internal + #> [CmdletBinding()] param ( [string]$clientid, diff --git a/Modules/CIPPCore/Public/GraphHelper/New-ExoRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-ExoRequest.ps1 index d5df999e6a03..cfe78a4af8c6 100644 --- a/Modules/CIPPCore/Public/GraphHelper/New-ExoRequest.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/New-ExoRequest.ps1 @@ -1,5 +1,8 @@ function New-ExoRequest ($tenantid, $cmdlet, $cmdParams, $useSystemMailbox, $Anchor, $NoAuthCheck, $Select) { - + <# + .FUNCTIONALITY + Internal + #> if ((Get-AuthorisedRequest -TenantID $tenantid) -or $NoAuthCheck -eq $True) { $token = Get-ClassicAPIToken -resource 'https://outlook.office365.com' -Tenantid $tenantid $tenant = (get-tenants -IncludeErrors | Where-Object { $_.defaultDomainName -eq $tenantid -or $_.customerId -eq $tenantid }).customerId 
diff --git a/Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1 index d328a7518865..ebe6af9675b9 100644 --- a/Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/New-GraphBulkRequest.ps1 @@ -1,4 +1,8 @@ function New-GraphBulkRequest { + <# + .FUNCTIONALITY + Internal + #> Param( $tenantid, $NoAuthCheck, diff --git a/Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1 index 731c09da25b0..bc0ef417a3c3 100644 --- a/Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1 @@ -1,4 +1,8 @@ function New-GraphGetRequest { + <# + .FUNCTIONALITY + Internal + #> Param( $uri, $tenantid, diff --git a/Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1 index a133d7a93f7d..9b4848253d98 100644 --- a/Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1 @@ -1,5 +1,9 @@ function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck, $skipTokenCache, $AddedHeaders) { + <# + .FUNCTIONALITY + Internal + #> if ($NoAuthCheck -or (Get-AuthorisedRequest -Uri $uri -TenantID $tenantid)) { $headers = Get-GraphToken -tenantid $tenantid -scope $scope -AsApp $asapp -SkipCache $skipTokenCache if ($AddedHeaders) { diff --git a/Modules/CIPPCore/Public/GraphHelper/New-TeamsAPIGetRequest.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-TeamsAPIGetRequest.ps1 index 7ac373da6ffb..91dd8ce4a74b 100644 --- a/Modules/CIPPCore/Public/GraphHelper/New-TeamsAPIGetRequest.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/New-TeamsAPIGetRequest.ps1 
@@ -1,4 +1,8 @@ function New-TeamsAPIGetRequest($Uri, $tenantID, $Method = 'GET', $Resource = '48ac35b8-9aa8-4d74-927d-1f4a14a0b239', $ContentType = 'application/json') { + <# + .FUNCTIONALITY + Internal + #> if ((Get-AuthorisedRequest -Uri $uri -TenantID $tenantid)) { $token = Get-ClassicAPIToken -Tenant $tenantid -Resource $Resource diff --git a/Modules/CIPPCore/Public/GraphHelper/New-passwordString.ps1 b/Modules/CIPPCore/Public/GraphHelper/New-passwordString.ps1 index 4e6e27befdc8..6793c5cc17b3 100644 --- a/Modules/CIPPCore/Public/GraphHelper/New-passwordString.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/New-passwordString.ps1 @@ -1,4 +1,8 @@ function New-passwordString { + <# + .FUNCTIONALITY + Internal + #> [CmdletBinding()] param ( [int]$count = 12 diff --git a/Modules/CIPPCore/Public/GraphHelper/Read-JwtAccessDetails.ps1 b/Modules/CIPPCore/Public/GraphHelper/Read-JwtAccessDetails.ps1 index b789fe87e298..1fa4b612af40 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Read-JwtAccessDetails.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Read-JwtAccessDetails.ps1 @@ -1,14 +1,7 @@ function Read-JwtAccessDetails { <# - .SYNOPSIS - Parse Microsoft JWT access tokens - - .DESCRIPTION - Extract JWT access token details for verification - - .PARAMETER Token - Token to get details for - + .FUNCTIONALITY + Internal #> [cmdletbinding()] param( diff --git a/Modules/CIPPCore/Public/GraphHelper/Remove-CIPPCache.ps1 b/Modules/CIPPCore/Public/GraphHelper/Remove-CIPPCache.ps1 index b2da4587453c..1bbab4a3f025 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Remove-CIPPCache.ps1 +++ b/Modules/CIPPCore/Public/GraphHelper/Remove-CIPPCache.ps1 @@ -1,4 +1,8 @@ function Remove-CIPPCache { + <# + .FUNCTIONALITY + Internal + #> param ( $TenantsOnly ) diff --git a/Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 b/Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 index 2c5ea7d00ba7..fbef7fae41bf 100644 --- a/Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 
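Review bot: The Read-JwtAccessDetails hunk removes the `.SYNOPSIS`, `.DESCRIPTION` and `.PARAMETER Token` entries and leaves only `.FUNCTIONALITY Internal`, so the function loses its only documentation even though both can live in the same help comment; keep the three original entries and add `.FUNCTIONALITY Internal` beneath them. The other GraphHelper hunks in this commit add the same `Internal`-only block to functions that had no help at all, and a one-line `.SYNOPSIS` in each would cost little now that a help block exists. Only the help comments change in these hunks; each function body is outside its hunk.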
+++ b/Modules/CIPPCore/Public/GraphHelper/Write-LogMessage.ps1 @@ -1,4 +1,8 @@ function Write-LogMessage ($message, $tenant = 'None', $API = 'None', $tenantId = $null, $user, $sev) { + <# + .FUNCTIONALITY + Internal + #> try { $username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($user)) | ConvertFrom-Json).userDetails } catch { From e16591012f19f1946d5f4c5aa1c58f7e2c3d3d22 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 11:20:38 +0000 Subject: [PATCH 20/78] Active instance check bug fix and date conversion fix --- .../CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 38f4e633173f..7d76c5740571 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -20,7 +20,7 @@ function Invoke-NinjaOneTenantSync { $StartDate = try { Get-Date($CurrentItem.lastStartTime) } catch { $Null } $EndDate = try { Get-Date($CurrentItem.lastEndTime) } catch { $Null } - if (($null -ne $CurrentItem.lastStartTime -or $StartDate -gt (Get-Date).AddMinutes(-10)) -and ( $Null -eq $CurrentItem.lastEndTime -or ($StartDate -gt $EndDate))) { + if (($null -ne $CurrentItem.lastStartTime) -and ($StartDate -gt (Get-Date).AddMinutes(-10)) -and ( $Null -eq $CurrentItem.lastEndTime -or ($StartDate -gt $EndDate))) { Throw "NinjaOne Sync for Tenant $($MappedTenant.RowKey) is still running, please wait 10 minutes and try again." } 
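Review bot: In the Invoke-NinjaOneTenantSync hunk, a `lastStartTime` that is set but fails the `Get-Date` parse leaves `$StartDate` as `$Null`, and `$Null -gt (Get-Date).AddMinutes(-10)` is false, so the "still running" guard is silently skipped for exactly the rows whose stored value is suspect. Treating a non-empty but unparseable `lastStartTime` as an error keeps a corrupt row from letting two syncs overlap, e.g. `if ($CurrentItem.lastStartTime -and -not $StartDate) { Throw "lastStartTime for $($MappedTenant.RowKey) could not be parsed" }` ahead of the existing check. The enclosing try block of Invoke-NinjaOneTenantSync starts before this hunk.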
@@ -28,6 +28,10 @@ function Invoke-NinjaOneTenantSync { $MappingTable = Get-CIPPTable -TableName CippMapping $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Running' -Force + if ($Null -ne $CurrentItem.lastEndTime -and $CurrentItem.lastEndTime -ne '' ) { + $CurrentItem.lastEndTime = ([string]$(($_.lastEndTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) + $_.lastEndTime = (Get-Date($_.lastEndTime)) + } Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force # Fetch Custom NinjaOne Settings From 5859dfe96f1d933124d2350a10b2fa81a39a00a5 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 11:34:34 +0000 Subject: [PATCH 21/78] Fix incorrect variable --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 7d76c5740571..9c14d120d04b 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 
@@ -29,8 +29,7 @@ function Invoke-NinjaOneTenantSync { $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Running' -Force if ($Null -ne $CurrentItem.lastEndTime -and $CurrentItem.lastEndTime -ne '' ) { - $CurrentItem.lastEndTime = ([string]$(($_.lastEndTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) - $_.lastEndTime = (Get-Date($_.lastEndTime)) + $CurrentItem.lastEndTime = ([string]$(($CurrentItem.lastEndTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) } Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force From e80d58ca9fbec9124b1f817706554ef2fe80883a Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 11:55:13 +0000 Subject: [PATCH 22/78] Fixed log user and use actual start time --- .../CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 9c14d120d04b..153fecb90ef7 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 
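Review bot: The corrected line calls `.ToUniversalTime()` directly on `$CurrentItem.lastEndTime`, which only works when that property has already been converted to a [datetime] (Get-ExtensionRateLimit does this for the rows it returns); if `$CurrentItem` still carries the table's string, `[string]` has no such method and the assignment throws inside the sync. `(Get-Date $CurrentItem.lastEndTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")` handles both shapes. A short comment such as `# lastEndTime is normalised back to the table's ISO-8601 string before the entity is written` would also explain why this branch exists at all. Where `$CurrentItem` originates is not visible in the hunk.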
@@ -26,7 +26,7 @@ function Invoke-NinjaOneTenantSync { # Set Last Start Time $MappingTable = Get-CIPPTable -TableName CippMapping - $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force + $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue ([string]$(($StartTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Running' -Force if ($Null -ne $CurrentItem.lastEndTime -and $CurrentItem.lastEndTime -ne '' ) { $CurrentItem.lastEndTime = ([string]$(($CurrentItem.lastEndTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) @@ -42,7 +42,7 @@ function Invoke-NinjaOneTenantSync { $Customer = Get-Tenants | where-object { $_.customerId -eq $MappedTenant.RowKey } Write-Host "Processing: $($Customer.displayName)" - Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Processing NinjaOne Synchronization for $($Customer.displayName)" -Sev 'Info' + Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Processing NinjaOne Synchronization for $($Customer.displayName)" -Sev 'Info' if (($Customer | Measure-Object).count -ne 1) { Throw "Unable to match the recieved ID to a tenant QueueItem: $($QueueItem | ConvertTo-Json -Depth 100 | Out-String) Matched Customer: $($Customer| ConvertTo-Json -Depth 100 | Out-String)" 
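Review bot: The new `-user 'NinjaOneSync'` argument in the `@@ -42` hunk (and in the `@@ -2294` hunk that follows) is handed to Write-LogMessage, which base64-decodes `$user` as a client-principal header and handles the failure in a catch whose body is not shown on this page, so a plain label is accepted only by way of that error path. A comment on the first such call, e.g. `# not a client principal; relies on Write-LogMessage's decode fallback`, or a dedicated label parameter on Write-LogMessage, would make the intent explicit instead of implicit. The first hunk's switch from `(Get-Date)` to `$StartTime` is sound, since `$StartTime` is captured at the top of the function before the rate-limit wait.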
@@ -2294,11 +2294,11 @@ function Invoke-NinjaOneTenantSync { $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Completed' -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force - Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Completed NinjaOne Sync for $($Customer.displayName). Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' + Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Completed NinjaOne Sync for $($Customer.displayName). Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' } catch { Write-Error "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" - Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" -Sev 'Error' + Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" -Sev 'Error' $CurrentItem | Add-Member -NotePropertyName lastEndTime -NotePropertyValue ([string]$((Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Failed' -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force From 14cebcfa49bcbc0bb285d4405df0d4946975a188 Mon Sep 17 00:00:00 2001 
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 12:24:37 +0000 Subject: [PATCH 23/78] Added Staggered Start --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 153fecb90ef7..fece930d063d 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -6,7 +6,9 @@ function Invoke-NinjaOneTenantSync { try { $StartTime = Get-Date Write-Host "$(Get-Date) - Starting NinjaOne Sync" - + + # Stagger start + Start-Sleep -Milliseconds (Get-Random -Minimum 0 -Maximum 5001) # Check Global Rate Limiting $CurrentMap = Get-ExtensionRateLimit -ExtensionName 'NinjaOne' -ExtensionPartitionKey 'NinjaOrgsMapping' -RateLimit 5 -WaitTime 60 From be1168e896769bd3a17b57b707a3a43df45f995a Mon Sep 17 00:00:00 2001 
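Review bot: `Start-Sleep -Milliseconds (Get-Random -Minimum 0 -Maximum 5001)` only spreads concurrent starts out; it does not serialise the read-then-write that Get-ExtensionRateLimit performs on the following line, so two syncs can still pass the check inside the same window and the 5-per-extension limit stays best-effort. The `# Stagger start` comment should say that, e.g. `# Stagger start: 0-5 s jitter to reduce (not prevent) simultaneous rate-limit checks across parallel syncs`. If a hard limit is required, the count-and-claim has to be atomic (a conditional table write or a lease), which this hunk cannot provide on its own. The enclosing try block starts before this hunk.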
From: KelvinTegelaar Date: Wed, 6 Dec 2023 15:56:03 +0100 Subject: [PATCH 24/78] prep for standards revision --- .../Invoke-ListMailboxMobileDevices copy.ps1 | 55 +++++++++++ .../Invoke-ActivityBasedTimeout-Remediate.ps1 | 23 +++++ .../Remediate/Invoke-AddDKIM-Remediate.ps1 | 17 ++++ .../Invoke-AnonReportDisable-Remediate.ps1 | 14 +++ .../Remediate/Invoke-AuditLog-Remediate.ps1 | 30 ++++++ .../Invoke-AutoExpandArchive-Remediate.ps1 | 19 ++++ .../Invoke-AzurePortal-Remediate.ps1 | 9 ++ .../Invoke-ConditionalAccess-Remediate.ps1 | 28 ++++++ .../Invoke-DelegateSentItems-Remediate.ps1 | 21 +++++ ...Invoke-DeletedUserRentention-Remediate.ps1 | 16 ++++ ...isableAddShortcutsToOneDrive-Remediate.ps1 | 93 +++++++++++++++++++ .../Invoke-DisableBasicAuth-Remediate.ps1 | 8 ++ .../Invoke-DisableBasicAuthSMTP-Remediate.ps1 | 14 +++ ...Invoke-DisableGuestDirectory-Remediate.ps1 | 16 ++++ .../Invoke-DisableGuests-Remediate.ps1 | 19 ++++ ...Invoke-DisableM365GroupUsers-Remediate.ps1 | 23 +++++ .../Invoke-DisableReshare-Remediate.ps1 | 16 ++++ ...ke-DisableSecurityGroupUsers-Remediate.ps1 | 16 ++++ ...e-DisableSelfServiceLicenses-Remediate.ps1 | 14 +++ .../Invoke-DisableSharedMailbox-Remediate.ps1 | 17 ++++ ...Invoke-DisableTenantCreation-Remediate.ps1 | 15 +++ ...Invoke-DisableUserSiteCreate-Remediate.ps1 | 15 +++ .../Invoke-DisableViva-Remediate.ps1 | 17 ++++ .../Invoke-EnableFIDO2-Remediate.ps1 | 15 +++ ...Invoke-EnableOnlineArchiving-Remediate.ps1 | 17 ++++ .../Invoke-ExConnector-Remediate.ps1 | 35 +++++++ .../Invoke-ExcludedfileExt-Remediate.ps1 | 21 +++++ .../Remediate/Invoke-GetQueue-Remediate.ps1 | 33 +++++++ .../Invoke-GroupTemplate-Remediate.ps1 | 64 +++++++++++++ .../Invoke-IntuneTemplate-Remediate.ps1 | 90 ++++++++++++++++++ .../Remediate/Invoke-LegacyMFA-Remediate.ps1 | 29 ++++++ .../Invoke-LegacyMFACleanup-Remediate.ps1 | 64 +++++++++++++ .../Invoke-MailContacts-Remediate.ps1 | 28 ++++++ .../Remediate/Invoke-ModernAuth-Remediate.ps1 | 9 ++ 
.../Remediate/Invoke-NudgeMFA-Remediate.ps1 | 26 ++++++ .../Invoke-OauthConsent-Remediate.ps1 | 40 ++++++++ .../Invoke-OauthConsentLowSec-Remediate.ps1 | 18 ++++ .../Invoke-Orchestration-Remediate.ps1 | 31 +++++++ .../Invoke-OrchestrationStarter-Remediate.ps1 | 27 ++++++ ...ke-OrchestrationStarterTimer-Remediate.ps1 | 16 ++++ .../Invoke-OutBoundSpamAlert-Remediate.ps1 | 19 ++++ ...e-PWcompanionAppAllowedState-Remediate.ps1 | 46 +++++++++ ...yAppInformationRequiredState-Remediate.ps1 | 18 ++++ ...WnumberMatchingRequiredState-Remediate.ps1 | 13 +++ ...nvoke-PasswordExpireDisabled-Remediate.ps1 | 15 +++ .../Remediate/Invoke-RotateDKIM-Remediate.ps1 | 17 ++++ .../Remediate/Invoke-SSPR-Remediate.ps1 | 12 +++ .../Invoke-SecurityDefaults-Remediate.ps1 | 20 ++++ .../Invoke-SendFromAlias-Remediate.ps1 | 18 ++++ .../Remediate/Invoke-SpoofWarn-Remediate.ps1 | 24 +++++ .../Remediate/Invoke-TAP-Remediate.ps1 | 36 +++++++ ...Invoke-TransportRuleTemplate-Remediate.ps1 | 39 ++++++++ .../Remediate/Invoke-UndoOauth-Remediate.ps1 | 13 +++ .../Remediate/Invoke-UndoSSPR-Remediate.ps1 | 8 ++ .../Invoke-UserSubmissions-Remediate.ps1 | 44 +++++++++ .../Remediate/Invoke-calDefault-Remediate.ps1 | 30 ++++++ .../Invoke-disableMacSync-Remediate.ps1 | 15 +++ .../Invoke-fwdAdminAlerts-Remediate.ps1 | 30 ++++++ .../Invoke-intuneDeviceReg-Remediate.ps1 | 21 +++++ ...e-intuneDeviceRetirementDays-Remediate.ps1 | 24 +++++ .../Remediate/Invoke-laps-Remediate.ps1 | 16 ++++ .../Invoke-sharingCapability-Remediate.ps1 | 20 ++++ .../Invoke-unmanagedSync-Remediate.ps1 | 15 +++ .../CIPPCore/Public/Start-CIPPStandard.ps1 | 30 ++++++ 64 files changed, 1621 insertions(+) create mode 100644 Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailboxMobileDevices copy.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1 create mode 100644 
Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 create mode 100644 
Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 create mode 100644 
Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 create mode 100644 
Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1 create mode 100644 Modules/CIPPCore/Public/Start-CIPPStandard.ps1 diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailboxMobileDevices copy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailboxMobileDevices copy.ps1 new file mode 100644 index 000000000000..8199d4204326 --- /dev/null +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailboxMobileDevices copy.ps1 
@@ -0,0 +1,55 @@ +using namespace System.Net + +Function Invoke-ListMailboxMobileDevices { + <# + .FUNCTIONALITY + Entrypoint + #> + [CmdletBinding()] + param($Request, $TriggerMetadata) + + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + + + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' + + # Interact with query parameters or the body of the request. + $TenantFilter = $Request.Query.TenantFilter + $Mailbox = $Request.Query.Mailbox + + Write-Host $TenantFilter + Write-Host $Mailbox + + $Bytes = [System.Text.Encoding]::UTF8.GetBytes($Mailbox) + $base64IdentityParam = [Convert]::ToBase64String($Bytes) + + try { + $GraphRequest = New-GraphGetRequest -uri "https://outlook.office365.com:443/adminapi/beta/$($TenantFilter)/mailbox('$($base64IdentityParam)')/MobileDevice/Exchange.GetMobileDeviceStatistics()/?IsEncoded=True" -Tenantid $tenantfilter -scope ExchangeOnline | Select-Object @{ Name = 'clientType'; Expression = { $_.ClientType } }, + @{ Name = 'clientVersion'; Expression = { $_.ClientVersion } }, + @{ Name = 'deviceAccessState'; Expression = { $_.DeviceAccessState } }, + @{ Name = 'deviceFriendlyName'; Expression = { if ([string]::IsNullOrEmpty($_.DeviceFriendlyName)) { 'Unknown' }else { $_.DeviceFriendlyName } } }, + @{ Name = 'deviceModel'; Expression = { $_.DeviceModel } }, + @{ Name = 'deviceOS'; Expression = { $_.DeviceOS } }, + @{ Name = 'deviceType'; Expression = { $_.DeviceType } }, + @{ Name = 'firstSync'; Expression = { $_.FirstSyncTime.toString() } }, + @{ Name = 'lastSyncAttempt'; Expression = { $_.LastSyncAttemptTime.toString() } }, + @{ Name = 'lastSuccessSync'; Expression = { $_.LastSuccessSync.toString() } }, + @{ Name = 'status'; Expression = { $_.Status } }, + @{ Name = 'deviceID'; Expression = { $_.deviceID } }, + @{ Name = 'Guid'; Expression = { $_.Guid } } + + 
$StatusCode = [HttpStatusCode]::OK + } catch { + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message + $StatusCode = [HttpStatusCode]::Forbidden + $GraphRequest = $ErrorMessage + } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = $StatusCode + Body = @($GraphRequest) + }) + +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 new file mode 100644 index 000000000000..2e47aecf00c7 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 @@ -0,0 +1,23 @@ +function Invoke-ActivityBasedTimeout-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + try { + $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -tenantid $tenant).id + if (!$State) { + $body = @' +{ + "displayName": "DefaultTimeoutPolicy", + "isOrganizationDefault": true, + "definition":["{\"ActivityBasedTimeoutPolicy\":{\"Version\":1,\"ApplicationPolicies\":[{\"ApplicationId\":\"default\",\"WebSessionIdleTimeout\":\"01:00:00\"}]}}"] +} +'@ + (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -Type POST -Body $body -ContentType 'application/json') + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Activity Based Timeout of one hour' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Activity Based Timeout $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1 new file mode 100644 index 000000000000..5c04e03219ba --- /dev/null 
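Review bot: The new file `Invoke-ListMailboxMobileDevices copy.ps1` defines `Invoke-ListMailboxMobileDevices`, and the " copy" suffix reads like an accidental editor duplicate; with two definitions of the same function in the module, whichever file is loaded last silently wins. If it is unintended, drop the file; if it is a new entrypoint, rename both the file and the function. The two `Write-Host $TenantFilter` / `Write-Host $Mailbox` lines echo the raw query values to the function log stream while the `Write-LogMessage` call above already records the access, so they look like leftover debugging. This hunk spans the previous line as well.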
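Review bot: The Info message 'Enabled Activity Based Timeout of one hour' is logged whether or not a policy was created, because the `Write-LogMessage` sits after the `if (!$State)` block instead of inside it; when a policy already exists it is left untouched, possibly with a different timeout, and the logbook still reports one hour. Move the Info log inside the `if` and add an else branch such as `Write-LogMessage -API 'Standards' -tenant $tenant -message 'Activity Based Timeout policy already present; not modified' -sev Info`. Note also that `$State` is the `id` of every policy returned, so the check means "some policy exists", not "the expected default policy exists".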
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1 @@ -0,0 +1,17 @@ +function Invoke-AddDKIM-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object -Property Enabled -EQ $false | ForEach-Object { + (New-ExoRequest -tenantid $tenant -cmdlet 'New-DkimSigningConfig' -cmdparams @{ KeySize = 2048; DomainName = $_.Identity; Enabled = $true } -useSystemMailbox $true) + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled DKIM Setup' -sev Info + + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DKIM. Error: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1 new file mode 100644 index 000000000000..b1d07c98ad84 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1 @@ -0,0 +1,14 @@ +function Invoke-AnonReportDisable-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -Type patch -Body '{"displayConcealedNames": false}' -ContentType 'application/json' -AsApp $true + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports Disabled.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable anonymous reports. Error: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 new file mode 100644 index 000000000000..c4ac08a1c52d --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 
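Review bot: The pipeline selects domains whose DKIM signing config exists with `Enabled -eq $false` and then calls `New-DkimSigningConfig` for each; if that cmdlet rejects a domain that already has a config (which is presumably the case), the standard never enables DKIM for exactly the domains it targets. `Set-DkimSigningConfig -Identity $_.Identity -Enabled $true` is the call that turns an existing config on; `New-DkimSigningConfig` belongs to domains with no config at all, which this `Where-Object` does not return. The result is captured in `$DKIM` but never read, and the 'Enabled DKIM Setup' Info line fires even when zero domains were processed.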
@@ -0,0 +1,30 @@ +function Invoke-AuditLog-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + $DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').IsDehydrated + if ($DehydratedTenant) { + New-ExoRequest -tenantid $Tenant -cmdlet 'Enable-OrganizationCustomization' + } + + try { + + $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled + if ($AuditLogEnabled) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log already enabled.' -sev Info + } else { + $AdminAuditLogParams = @{ + UnifiedAuditLogIngestionEnabled = $true + } + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AdminAuditLogConfig' -cmdParams $AdminAuditLogParams + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log Enabled.' -sev Info + } + + } catch { + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Unified Audit Log. Error: $ErrorMessage" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1 new file mode 100644 index 000000000000..4cabde40c2e2 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1 
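Review bot: `Get-OrganizationConfig` and `Enable-OrganizationCustomization` run before the `try`, so a failure there (tenant unreachable, token without Exchange scope) is a terminating error that escapes the function without any 'Standards' log entry, unlike every failure inside the `try`. Moving those two calls inside the `try` gives them the same `Get-NormalizedError` handling as the audit-log change itself. Enabling organization customization is, as far as I know, not reversible, so a short why-comment on the `if ($DehydratedTenant)` line explaining that `Set-AdminAuditLogConfig` requires it would help the next reader.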
@@ -0,0 +1,19 @@ +function Invoke-AutoExpandArchive-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + + $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AutoExpandingArchiveEnabled + if (!$currentstate) { + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams @{AutoExpandingArchive = $true } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Added Auto Expanding Archive.' -sev Info + } + + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Auto Expanding Archives Error: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1 new file mode 100644 index 000000000000..c1d3fa083fc8 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1 @@ -0,0 +1,9 @@ +function Invoke-AzurePortal-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Azure Portal disablement is no longer functional. Please remove this standard.' -sev Error +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1 new file mode 100644 index 000000000000..8291bbbc2631 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1 
@@ -0,0 +1,28 @@ +function Invoke-ConditionalAccess-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ConditionalAccess + if (!$Setting) { + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ConditionalAccess + } + + $APINAME = 'Standards' + + foreach ($Template in $Setting.TemplateList) { + try { + $Table = Get-CippTable -tablename 'templates' + $Filter = "PartitionKey eq 'CATemplate' and RowKey eq '$($Template.value)'" + $JSONObj = (Get-AzDataTableEntity @Table -Filter $Filter).JSON + $CAPolicy = New-CIPPCAPolicy -TenantFilter $tenant -state $request.body.NewState -RawJSON $JSONObj -Overwrite $true -APIName $APIName -ExecutingUser $request.headers.'x-ms-client-principal' + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message)" -sev 'Error' + } + } + + +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1 new file mode 100644 index 000000000000..20e670bcd337 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1 
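Review bot: `New-CIPPCAPolicy` is called with `-state $request.body.NewState` and `-ExecutingUser $request.headers.'x-ms-client-principal'`, but `$request` is not a parameter of this function (only `$tenant` is), so both arguments are `$null` in a standards run; the resulting policy state depends on whatever `New-CIPPCAPolicy` does with a null state, and the audit trail loses the actor. Pass an explicit state that `New-CIPPCAPolicy` accepts and a fixed identity such as the value `$APINAME` already holds. The error message interpolates `$($JSONObj.displayName)`, but `$JSONObj` is the raw `.JSON` string from the table, so that expansion is empty; use `$Template.value` or parse the JSON first. `$CAPolicy` is assigned but never read.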
@@ -0,0 +1,21 @@ +function Invoke-DelegateSentItems-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ RecipientTypeDetails = @('UserMailbox', 'SharedMailbox') } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false } | ForEach-Object { + try { + $username = $_.UserPrincipalName + New-ExoRequest -tenantid $Tenant -cmdlet 'set-mailbox' -cmdParams @{Identity = $_.GUID ; MessageCopyForSendOnBehalfEnabled = $True; MessageCopyForSentAsEnabled = $True } -anchor $username + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not enable delegate sent item style for $($username): $($_.Exception.message)" -sev Warn + } + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Delegate Sent Items Style enabled.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Delegate Sent Items Style. Error: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1 new file mode 100644 index 000000000000..416d381be5d5 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1 
@@ -0,0 +1,16 @@ +function Invoke-DeletedUserRentention-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $body = '{"deletedUserPersonalSiteRetentionPeriodInDays": 365}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type PATCH -Body $body -ContentType 'application/json' + + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Set deleted user rentention of OneDrive to 1 year' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set deleted user rentention of OneDrive to 1 year: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 new file mode 100644 index 000000000000..124a322eaab6 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 
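Review bot: "Rentention" is misspelled in the function name, the file name and both log messages; since the file and function names are presumably what the standards dispatcher keys on, a later rename needs a coordinated change, so it is cheapest to fix while the file is new. At minimum the two messages can read 'Set deleted user retention of OneDrive to 1 year' without touching dispatch.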
@@ -0,0 +1,93 @@ +function Invoke-DisableAddShortcutsToOneDrive-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + function GetTenantRequestXml { + return @' + + + + + + + + + + + + + +'@ + } + + function GetDisableAddShortcutsToOneDriveXml { + param( + [string]$identity + ) + + # the json object gives us a space and a newline :( + $identity = $identity.Replace(' ', '') + $identity = $identity.Replace("`n", ' ') + return @" + + + + true + + + + + + +"@ + } + + $log = @{ + API = 'Standards' + tenant = $tenant + message = '' + sev = 'Info' + } + + try { + $OnMicrosoft = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $tenant | + Where-Object -Property isInitial -EQ $true).id.split('.') | Select-Object -First 1 + $AdminUrl = "https://$($OnMicrosoft)-admin.sharepoint.com" + $graphRequest = @{ + 'scope' = "$AdminURL/.default" + 'tenantid' = $tenant + 'uri' = "$AdminURL/_vti_bin/client.svc/ProcessQuery" + 'type' = 'POST' + 'body' = GetTenantRequestXml + 'ContentType' = 'text/xml' + } + + $response = New-GraphPostRequest @graphRequest + if (!$response.ErrorInfo.ErrorMessage) { + $log.message = 'Received Tenant from Sharepoint' + Write-LogMessage @log + } + + $graphRequest.Body = GetDisableAddShortcutsToOneDriveXml -identity $response._ObjectIdentity_ + $response = New-GraphPostRequest @graphRequest + + if (!$response.ErrorInfo.ErrorMessage) { + $log.message = "Set DisableAddShortcutsToOneDrive to True on $tenant" + } else { + $log.message = "Unable to set DisableAddShortcutsToOneDrive to True ` + on $($tenant): $($response.ErrorInfo.ErrorMessage)" + } + } catch { + $log.message = "Failed to set OneDrive shortcut: $($_.Exception.Message)" + $log.sev = 'Error' + } + + Write-LogMessage @log +} 
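Review bot: In the `else` branch after the second `New-GraphPostRequest`, `$log.message` is set to 'Unable to set DisableAddShortcutsToOneDrive to True …' but `$log.sev` is left at 'Info', so a SharePoint-side refusal is logged at success level; add `$log.sev = 'Error'` next to that assignment. The first response is only used for a log line: when `$response.ErrorInfo.ErrorMessage` is set, `$response._ObjectIdentity_` is presumably empty and the second request is still sent with an empty identity, so that branch should return or throw instead of continuing. The bodies of the two here-strings are not visible in this rendering, so only the control flow is reviewed here.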
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1
new file mode 100644
index 000000000000..ceddfc551581
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1
@@ -0,0 +1,8 @@
+function Invoke-DisableBasicAuth-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Basic Authentication is disabled by default. SMTP authentication is still allowed. Please use the standard 'Disable SMTP Basic Authentication' to disable" -sev Info
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1
new file mode 100644
index 000000000000..e354a399b7c4
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1
@@ -0,0 +1,14 @@
+function Invoke-DisableBasicAuthSMTP-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $Request = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled SMTP Basic Authentication' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1
new file mode 100644
index 000000000000..bd425616ab07
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1
@@ -0,0 +1,16 @@ +function Invoke-DisableGuestDirectory-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $body = '{guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b"}' + (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $body -ContentType 'application/json') + + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Guest access to directory information.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Guest access to directory information.: $($_.exception.message)" -sev 'Error' + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1 new file mode 100644 index 000000000000..0e63b10fd3e5 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1 
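Review bot: The body `'{guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b"}'` has an unquoted key, so it is not strict JSON even though it is sent as `application/json`; Graph may tolerate it, but the sibling standards in this commit (DisableSecurityGroupUsers, DisableTenantCreation) quote their keys, so `'{"guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"}'` is the consistent form. A comment above `$body` naming the value — `# 2af84b1e-32c8-42b7-82bc-daa82404023b is the Restricted Guest User role template (most restrictive guest access level)` — saves the next reader a lookup and documents what "disabled" means here.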
@@ -0,0 +1,19 @@ +function Invoke-DisableGuests-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o') + $GraphRequest = New-GraphgetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastSignInDateTime le $lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant | Where-Object { $_.userType -EQ 'Guest' -and $_.AccountEnabled -EQ $true } + foreach ($guest in $GraphRequest) { + New-GraphPostRequest -type Patch -tenantid $tenant -uri "https://graph.microsoft.com/beta/users/$($guest.id)" -body '{"accountEnabled":"false"}' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabling guest $($guest.UserPrincipalName) ($($guest.id))" -sev Info + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled guests accounts with a login longer than 90 days ago.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests older than 90 days: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 new file mode 100644 index 000000000000..42b50fb80fcb --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 
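Review bot: The PATCH body `'{"accountEnabled":"false"}'` sends the boolean as a string; Graph's `accountEnabled` is Boolean and the request's return value is never examined, so a rejected or coerced value would go unnoticed while the 'Disabling guest …' line is still logged. `'{"accountEnabled":false}'` removes the ambiguity; the same string form appears in DisableSharedMailbox (L80). Separately, the `$filter=(signInActivity/lastSignInDateTime le $lookup)` presumably does not match guests that have never signed in, so the stalest accounts are left enabled; if that is intended, a comment on the filter line should say so.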
@@ -0,0 +1,23 @@ +function Invoke-DisableM365GroupUsers-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' + if (!$CurrentState) { + #if no current configuration is found, we set it to the default template supplied by MS. + $CurrentState = '{"id":"","displayName":"Group.Unified","templateId":"62375ab9-6b52-47ed-826b-58e47e0e304b","values":[{"name":"NewUnifiedGroupWritebackDefault","value":"true"},{"name":"EnableMIPLabels","value":"false"},{"name":"CustomBlockedWordsList","value":""},{"name":"EnableMSStandardBlockedWords","value":"false"},{"name":"ClassificationDescriptions","value":""},{"name":"DefaultClassification","value":""},{"name":"PrefixSuffixNamingRequirement","value":""},{"name":"AllowGuestsToBeGroupOwner","value":"false"},{"name":"AllowGuestsToAccessGroups","value":"true"},{"name":"GuestUsageGuidelinesUrl","value":""},{"name":"GroupCreationAllowedGroupId","value":""},{"name":"AllowToAddGuests","value":"true"},{"name":"UsageGuidelinesUrl","value":""},{"name":"ClassificationList","value":""},{"name":"EnableGroupCreation","value":"true"}]}' + (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/settings/$($CurrentState.id)" -Type POST -Body $CurrentState -ContentType 'application/json') + $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' + } + ($CurrentState.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value = 'false' + $body = "{values : $($CurrentState.values | ConvertTo-Json -Compress)}" + (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/settings/$($CurrentState.id)" -Type patch -Body $body -ContentType 'application/json') + Write-LogMessage -API 'Standards' -tenant $tenant -message 
'Standards API: Disabled users from creating M365 Groups.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating M365 Groups: $($_.exception.message)" -sev 'Error' + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 new file mode 100644 index 000000000000..3329b7a2a236 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 @@ -0,0 +1,16 @@ +function Invoke-DisableReshare-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $body = '{"isResharingByExternalUsersEnabled": "False"}' + $Request = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' + Write-Host ($Request | ConvertTo-Json) + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled guests from resharing files' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests from resharing files: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1 new file mode 100644 index 000000000000..9d2c39a28672 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1 
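Review bot: When no `Group.Unified` setting exists, `$CurrentState` is assigned the default template as a JSON string, so `$($CurrentState.id)` in the create URI expands to nothing and the POST goes to `…/beta/settings/`; the re-fetch that follows is then trusted without checking that a setting now exists, and if it does not, `($CurrentState.values | Where-Object …).value = 'false'` fails on a null collection. Build the create URI from the literal endpoint and assert the re-fetch, e.g. `if (-not $CurrentState) { throw 'Group.Unified setting could not be created' }`. The PATCH body `"{values : …}"` also has an unquoted key, as in DisableGuestDirectory (L75). This hunk starts on the previous line.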
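Review bot: `Write-Host ($Request | ConvertTo-Json)` dumps the full Graph response to the function log stream on every run and looks like leftover debugging; the other standards in this commit report through `Write-LogMessage` only. The body `'{"isResharingByExternalUsersEnabled": "False"}'` sends the boolean as a string, whereas DisableUserSiteCreate (L81) sends a bare `false` to the same `admin/sharepoint/settings` endpoint; `'{"isResharingByExternalUsersEnabled": false}'` keeps the two consistent.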
@@ -0,0 +1,16 @@
+function Invoke-DisableSecurityGroupUsers-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $body = '{"defaultUserRolePermissions":{"allowedToCreateSecurityGroups":false}}'
+ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $body -ContentType 'application/json')
+
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Disabled users from creating Security Groups.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating Security Groups: $($_.exception.message)" -sev 'Error'
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1
new file mode 100644
index 000000000000..d46bb4b4b350
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1
@@ -0,0 +1,14 @@
+function Invoke-DisableSelfServiceLicenses-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ Write-LogMessage "Standards API: $($tenant) failed to disable License Buy Self Service: $($exception.message)" -sev Error
+
+ } catch {
+ Write-LogMessage "Standards API: $($tenant) failed to disable License Buy Self Service: $($exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1
new file mode 100644
index 000000000000..2c6c6a579b25
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1
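Review bot: The `try` body of `Invoke-DisableSelfServiceLicenses-Remediate` contains no remediation — its only statement is the same error log as the `catch` — so this standard always reports a failure and never changes the self-service purchase setting. Both messages interpolate `$($exception.message)`, which is undefined (`$_.exception.message` is the form the sibling standards use), and `Write-LogMessage` is called without the `-API 'Standards' -tenant $tenant` arguments every other hunk passes. Either implement the call or leave the file out, so the standards report does not claim a control that is not applied.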
@@ -0,0 +1,17 @@ +function Invoke-DisableSharedMailbox-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($tenant)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) | ForEach-Object { + New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/users/$($_.ObjectKey)" -type 'PATCH' -body '{"accountEnabled":"false"}' -tenantid $tenant + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'AAD Accounts for shared mailboxes disabled.' -sev Info + + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable AAD accounts for shared mailboxes. Error: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 new file mode 100644 index 000000000000..06cca88c620b --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 @@ -0,0 +1,15 @@ +function Invoke-DisableTenantCreation-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $body = '{"defaultUserRolePermissions":{"allowedToCreateTenants":false}}' + (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $body -ContentType 'application/json') + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Disabled users from creating tenants.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating tenants: $($_.exception.message)" -sev 'Error' + } +} 
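Review bot: Every shared and scheduling mailbox is PATCHed with `"accountEnabled":"false"` on each run with no check of the current value, so the standard issues one write per mailbox per run even when nothing changes, which adds noise to the tenant's audit log; filtering on the account's current enabled state first avoids that. The boolean is sent as a string here as in DisableGuests (L76); `'{"accountEnabled":false}'` is the unambiguous form. `$SharedMailboxList` is assigned but never read.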
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1
new file mode 100644
index 000000000000..d35d98ae2462
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1
@@ -0,0 +1,15 @@
+function Invoke-DisableUserSiteCreate-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $body = '{"isSiteCreationEnabled": false}'
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled standard users from creating sites' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable standard users from creating sites: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1
new file mode 100644
index 000000000000..2a51cc679d59
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1
@@ -0,0 +1,17 @@ +function Invoke-DisableViva-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { + (New-ExoRequest -tenantid $tenant -cmdlet 'Set-UserBriefingConfig' -cmdparams @{ Identity = $_.UserPrincipalName; Enabled = $false }) + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disable daily Viva reports' -sev Info + + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Viva for all users Error: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 new file mode 100644 index 000000000000..f4dc4eeeee4f --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 @@ -0,0 +1,15 @@ +function Invoke-EnableFIDO2-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $body = '{"@odata.type":"#microsoft.graph.fido2AuthenticationMethodConfiguration","id":"Fido2","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","displayName":"All users"}],"excludeTargets":[],"isAttestationEnforced":true,"isSelfServiceRegistrationAllowed":true,"keyRestrictions":{"aaGuids":[],"enforcementType":"block","isEnforced":false},"state":"enabled"}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Fido2' -Type patch -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled FIDO2 Support' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable FIDO2 Support: $($_.exception.message)" -sev Error + } +} 
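Review bot: `$MailboxesNoArchive` is a name copied from the EnableOnlineArchiving standard (L83); here it holds the output of `Set-UserBriefingConfig` and is never read, so either drop the assignment or name it for what it is. Because the `ForEach-Object` runs inside a single `try`, the first mailbox whose `Set-UserBriefingConfig` call throws aborts the loop for every remaining mailbox, and the 'Disable daily Viva reports' Info line is only reached when all calls succeed; a per-mailbox `try`/`catch` like the one in DelegateSentItems (L71) would log the failures and keep going.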
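Review bot: The hard-coded FIDO2 body sends the complete configuration, including `"excludeTargets":[]` and `"keyRestrictions":{"aaGuids":[],"enforcementType":"block","isEnforced":false}`; if Graph applies those as the new values, every run of this standard wipes any AAGUID allow/block list or exclusion group the tenant has configured, rather than only setting `state` to `enabled`. Reading the current configuration first and patching only `state` and `includeTargets` (or merging the tenant's existing `keyRestrictions` and `excludeTargets`) preserves that hardening. At minimum a comment above `$body` stating that the policy is replaced wholesale makes the side effect visible to whoever enables the standard.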
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 new file mode 100644 index 000000000000..2f60e8f42ddd --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 @@ -0,0 +1,17 @@ +function Invoke-EnableOnlineArchiving-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'ArchiveGuid -Eq "00000000-0000-0000-0000-000000000000" -AND RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { + (New-ExoRequest -tenantid $tenant -cmdlet 'enable-Mailbox' -cmdparams @{ Identity = $_.UserPrincipalName; Archive = $true }) + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Online Archiving for all accounts' -sev Info + + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to Enable Online Archiving for all accounts Error: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 new file mode 100644 index 000000000000..9b561f50c0a4 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 
@@ -0,0 +1,35 @@
+function Invoke-ExConnector-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExConnector
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ExConnector
+ }
+ $APINAME = 'Standards'
+ foreach ($Template in $Setting.TemplateList) {
+ try {
+ $Table = Get-CippTable -tablename 'templates'
+ $Filter = "PartitionKey eq 'ExConnectorTemplate' and RowKey eq '$($Template.value)'"
+ $connectorType = (Get-AzDataTableEntity @Table -Filter $Filter).direction
+ $RequestParams = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json
+ $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenant -cmdlet "Get-$($ConnectorType)connector" | Where-Object -Property Identity -EQ $RequestParams.name
+ if ($Existing) {
+ $RequestParams | Add-Member -NotePropertyValue $Existing.Identity -NotePropertyName Identity -Force
+ $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "Set-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true
+ Write-LogMessage -API $APINAME -tenant $Tenant -message "Updated transport rule for $($Tenant)" -sev info
+ } else {
+ $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "New-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true
+ Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($Tenant)" -sev info
+ }
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Exchange Connector Rule: $($_.exception.message)" -sev 'Error'
+ }
+
+ }
+
+}
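Review bot: The `direction` value read from the templates table is interpolated straight into the cmdlet name (`"Get-$($ConnectorType)connector"`, `Set-`, `New-`) with no check, so a template whose direction is anything other than the two expected values turns into an arbitrary cmdlet name handed to New-ExoRequest; whether that helper restricts cmdlets is not visible here, so validate before use: `if ($connectorType -notin 'Inbound', 'Outbound') { throw "Unexpected connector direction '$connectorType' in template $($Template.value)" }`. The audit messages "Updated transport rule for …"/"Created transport rule for …" are copy-pasted from the transport-rule standard and misdescribe a connector change, which matters when someone later traces how a mail-flow connector appeared in a tenant; they should name the connector, e.g. `"Updated $connectorType connector $($RequestParams.name)"`. Note also that `-ErrorAction SilentlyContinue` on the `Get-` lookup means a failed query looks like "no existing connector" and falls through to `New-`.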
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1
new file mode 100644
index 000000000000..3c1bbdaf030e
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1
@@ -0,0 +1,21 @@
+function Invoke-ExcludedfileExt-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExcludedfileExt
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ExcludedfileExt
+ }
+
+ try {
+ $Exts = $Setting.ext -split ','
+ $body = ConvertTo-Json -InputObject @{ excludedFileExtensionsForSyncApp = @($Exts) }
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Added $($Setting.ext) to excluded synced files" -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to add $($Setting.ext) to excluded synced files: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1
new file mode 100644
index 000000000000..ae47f294b61c
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1
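Review bot: `$Setting.ext -split ','` keeps surrounding whitespace and empty entries, so a configured value like `exe, bat,` produces `' bat'` and `''` as extensions, and a sync block on ` bat` will not match anything; normalise before building the body with `$Exts = @(($Setting.ext -split ',').Trim() | Where-Object { $_ })`. The PATCH also replaces `excludedFileExtensionsForSyncApp` wholesale rather than adding to it, while the log says "Added … to excluded synced files"; either merge with the current list from a GET first or word the message and a comment as "set the excluded extension list to …" so the overwrite is understood.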
@@ -0,0 +1,33 @@
+function Invoke-GetQueue-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($name)
+
+ Write-Host 'QUEUEQUE'
+ $Table = Get-CippTable -tablename 'standards'
+ $tenants = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json
+
+ $object = foreach ($Tenant in $tenants) {
+ $tenant.standards.psobject.properties.name | ForEach-Object {
+ $Standard = $_
+ if ($tenant.Tenant -ne 'AllTenants') {
+ Write-Host 'Not all tenants. Single object'
+ [pscustomobject]@{
+ Tenant = $tenant.Tenant
+ Standard = $Standard
+ }
+ } else {
+ get-tenants | ForEach-Object {
+ [pscustomobject]@{
+ Tenant = $_.defaultDomainName
+ Standard = $Standard
+ }
+ }
+ }
+ }
+
+ }
+ $object
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1
new file mode 100644
index 000000000000..a38c05313ab9
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1
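Review bot: `$Filter` is never assigned in this function, so `Get-AzDataTableEntity @Table -Filter $Filter` runs with `$null` unless a value leaks in from an enclosing scope, and whatever the `standards` table happens to contain becomes the queue of remediations to execute; set it explicitly, e.g. `$Filter = "PartitionKey eq 'standards'"`, so the selection is deterministic. The `$name` parameter is unused and `Write-Host 'QUEUEQUE'` / `'Not all tenants. Single object'` look like debugging leftovers that will end up in the Functions log on every scheduled run. The loop also relies on a `Tenant` property inside the stored JSON rather than the entity's RowKey, which the sibling remediations key on; presumably both are populated together, but a comment stating where `Tenant` comes from would help.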
@@ -0,0 +1,64 @@ +function Invoke-GroupTemplate-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.GroupTemplate + if (!$Setting) { + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.GroupTemplate + } + + + + foreach ($Template in $Setting.TemplateList) { + try { + $Table = Get-CippTable -tablename 'templates' + $Filter = "PartitionKey eq 'GroupTemplate' and RowKey eq '$($Template.value)'" + $groupobj = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json + $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($tenant)" } + $CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant | Where-Object -Property displayName -EQ $groupobj.displayname + if (!$CheckExististing) { + if ($groupobj.groupType -in 'Generic', 'azurerole', 'dynamic') { + + $BodyToship = [pscustomobject] @{ + 'displayName' = $groupobj.Displayname + 'description' = $groupobj.Description + 'mailNickname' = $groupobj.username + mailEnabled = [bool]$false + securityEnabled = [bool]$true + isAssignableToRole = [bool]($groupobj | Where-Object -Property groupType -EQ 'AzureRole') + + } + if ($groupobj.membershipRules) { + $BodyToship | Add-Member -NotePropertyName 'membershipRule' -NotePropertyValue ($groupobj.membershipRules) + $BodyToship | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('DynamicMembership') + $BodyToship | Add-Member -NotePropertyName 'membershipRuleProcessingState' -NotePropertyValue 'On' + } + $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant -type POST -body (ConvertTo-Json 
-InputObject $BodyToship -Depth 10) -verbose + } else { + $Params = @{ + Name = $groupobj.Displayname + Alias = $groupobj.username + Description = $groupobj.Description + PrimarySmtpAddress = $email + Type = $groupobj.groupType + RequireSenderAuthenticationEnabled = [bool]!$groupobj.AllowExternal + } + $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params + } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id) " -Sev 'Info' + + } else { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -tenant $tenant -message "Group exists $($groupobj.displayname). Did not create" -Sev 'Info' + + } + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create group: $($_.exception.message)" -sev 'Error' + } + } + + +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 new file mode 100644 index 000000000000..dfc60dacf3bd --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 
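Review bot: Both audit calls pass `-user $request.headers.'x-ms-client-principal'`, but this function only declares `param($tenant)` and never defines `$request`, so the "Created group …" entry (which can be a role-assignable group when `isAssignableToRole` is set) is written with an empty user; either drop `-user` or thread the caller identity in as a parameter. The existence check fetches every group and compares `displayName` only, and display names are not unique in Entra, so an unrelated group with the same name suppresses creation and logs "Group exists" — matching on `mailNickname` (`$groupobj.username`) as well would be safer. The `-verbose` switch on the group-creation POST will also echo the full request body into the function log. The function is contained within this hunk.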
@@ -0,0 +1,90 @@ +function Invoke-IntuneTemplate-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.IntuneTemplate + if (!$Setting) { + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.IntuneTemplate + } + + $APINAME = 'Standards' + foreach ($Template in $Setting.TemplateList) { + try { + $Table = Get-CippTable -tablename 'templates' + $Filter = "PartitionKey eq 'IntuneTemplate'" + $Request = @{body = $null } + $Request.body = (Get-AzDataTableEntity @Table -Filter $Filter | Where-Object -Property RowKey -Like "$($template.value)*").JSON | ConvertFrom-Json + $displayname = $request.body.Displayname + $description = $request.body.Description + $AssignTo = if ($request.body.Assignto -ne 'on') { $request.body.Assignto } + $RawJSON = $Request.body.RawJSON + + switch ($Request.body.Type) { + 'Admin' { + $TemplateTypeURL = 'groupPolicyConfigurations' + $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}' + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + if ($displayname -in $CheckExististing.displayName) { + $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname + $ExistingData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/definitionValues" -tenantid $tenant + $DeleteJson = $RawJSON | ConvertFrom-Json -Depth 10 + $DeleteJson.deletedIds = @($ExistingData.id) + $DeleteJson.added = @() + $DeleteJson = ConvertTo-Json -Depth 10 -InputObject $DeleteJson + $DeleteRequest = New-GraphPOSTRequest -uri 
"https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $DeleteJson + $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Updated policy $($Displayname) to template defaults" -Sev 'info' + + } else { + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody + $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($Displayname) to template defaults" -Sev 'info' + + } + } + 'Device' { + $TemplateTypeURL = 'deviceConfigurations' + $PolicyName = ($RawJSON | ConvertFrom-Json).displayName + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + if ($PolicyName -in $CheckExististing.displayName) { + $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $PolicyName + $PatchRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PATCH -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Updated policy $($PolicyName) to template defaults" -Sev 'info' + + } else { + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body 
$RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($PolicyName) via template" -Sev 'info' + + } + } + 'Catalog' { + $TemplateTypeURL = 'configurationPolicies' + $PolicyName = ($RawJSON | ConvertFrom-Json).Name + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + if ($PolicyName -in $CheckExististing.name) { + $ExistingID = $CheckExististing | Where-Object -Property Name -EQ $PolicyName + $PUTRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PUT -body $RawJSON + + } else { + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($PolicyName) via template" -Sev 'info' + + } + } + + } + if ($AssignTo) { + $AssignBody = if ($AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' 
+ $($AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } + $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $AssignTo" -Sev 'Info' + } + Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant)" -sev 'Info' + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Intune Template: $($_.exception.message)" -sev 'Error' + } + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 new file mode 100644 index 000000000000..bcf58603d51c --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 
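Review bot: The assignment step uses `$CreateRequest.id` for the `/assign` URI, but in the update branches (existing `Admin`, `Device` and `Catalog` policies) `$CreateRequest` is never set in this iteration, so it is either `$null` (URI `...('')/assign`) or, worse, the id left over from an earlier template in the same `foreach`, which would assign the wrong policy to `$AssignTo`. Track the id in both branches — `$PolicyId = $ExistingID.id` in the update path and `$PolicyId = $CreateRequest.id` after creation — and use `"…/$TemplateTypeURL('$PolicyId')/assign"`; resetting `$CreateRequest = $null` at the top of the loop would also stop carry-over. Separately, the existing-`Catalog` PUT path writes no log entry, unlike every other branch, and the `-user $request.headers.'x-ms-client-principal'` calls read a `headers` member that the locally built `$Request = @{body = $null}` does not have, so those entries carry no user. The function is contained within this hunk.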
@@ -0,0 +1,29 @@ +function Invoke-LegacyMFA-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default') + $tenantid = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant).customerId + $TrackingGuid = (New-Guid).GUID + $LogonPost = @" +http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnecturn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])50afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$($TrackingGuid)https://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion4 +"@ + $DataBlob = (Invoke-RestMethod -Method POST -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -ContentType 'application/soap+xml; charset=utf-8' -Body $LogonPost).envelope.header.BecContext.DataBlob.'#text' + $Users = Get-CIPPMSolUsers -tenant $tenant | Where-Object { ($_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state -eq $null -and $_.UserPrincipalName -notlike 'Sync_*') } + foreach ($user in $users) { + Write-Host $user.UserPrincipalName + $MSOLXML = @" +http://provisioning.microsoftonline.com/IProvisioningWebService/SetUserurn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])$($DataBlob)9450afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$TrackingGuidhttps://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion16$($tenantid)$($User.ObjectID)*0001-01-01T00:00:00Enabled +"@ + $SetMFA = (Invoke-RestMethod -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -Method post -Body $MSOLXML -ContentType 'application/soap+xml; charset=utf-8') + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled per user MFA.' 
-sev Info + + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable (legacy) per user MFA: $($_.exception.message)" -sev 'Error' + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 new file mode 100644 index 000000000000..67817d61be86 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 
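Review bot: The response of each `SetUser` call is assigned to `$SetMFA` and never inspected, so if the provisioning service reports a problem inside a 200 response (this page shows the SOAP bodies with their XML tags stripped, so the exact fault shape cannot be confirmed here) the function still logs 'Enabled per user MFA.'; at minimum inspect the reply for a fault and throw, and log how many users were processed. The user selection is every account whose MFA state is unset except `Sync_*`, which also sweeps in service and break-glass accounts, so a configurable exclusion list (or at least a comment warning that emergency-access accounts are included) is warranted for a control that changes sign-in behaviour tenant-wide. `Write-Host $user.UserPrincipalName` writes every targeted UPN to the Functions log and should go, and both SOAP bodies embed the Graph bearer token from `$AADGraphtoken['Authorization']`, so make sure nothing in the error path ever logs `$LogonPost`/`$MSOLXML`. The function is contained within this hunk.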
@@ -0,0 +1,64 @@ +function Invoke-LegacyMFACleanup-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + try { + $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default') + $tenantid = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $tenant).customerId + + try { + $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant) + $SecDefaults = $SecureDefaultsState.IsEnabled + Write-LogMessage -API 'Standards' -tenant $tenant -message "Security default state: $SecDefaults" -sev Debug + } catch { + $SecDefaults = $false + } + + if ($SecDefaults -eq $false) { + try { + $AllUsersCAPolicy = (New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?`$filter=(grantControls/builtInControls/any(b:b eq 'mfa') or grantControls/customAuthenticationFactors/any(c:c eq 'RequireDuoMfa')) and state eq 'enabled' and conditions/users/includeUsers/any(u:u eq 'All')&`$count=true" -ComplexFilter -tenantid $tenant).displayName + Write-LogMessage -API 'Standards' -tenant $tenant -message "All users CA policy: $AllUsersCAPolicy" -sev Debug + + if ($AllUsersCAPolicy) { + $AADPremiumUsers = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/?`$select=id,userPrincipalName&`$filter=assignedPlans/any(c:c/service eq 'AADPremiumService' and c/capabilityStatus eq 'Enabled')&`$count=true" -tenantid $tenant -ComplexFilter).userPrincipalName + Write-LogMessage -API 'Standards' -tenant $tenant -message "AAD Premium Users: $($AADPremiumUsers -join ', ')" -sev Debug + } + } catch { + $AllUsersCAPolicy = $false + } + } + + if ($SecDefaults -or $AllUsersCAPolicy) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Tenant meets requirements for Legacy MFA cleanup' -sev Info + $TrackingGuid = (New-Guid).GUID + $LogonPost = @" 
+http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnecturn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])50afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$($TrackingGuid)https://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion4 +"@ + $DataBlob = (Invoke-RestMethod -Method POST -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -ContentType 'application/soap+xml; charset=utf-8' -Body $LogonPost).envelope.header.BecContext.DataBlob.'#text' + $Users = Get-CIPPMSolUsers -tenant $tenant | Where-Object { $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.State -eq 'Enabled' -or $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.State -EQ 'Enforced' } + if (($Users | Measure-Object | Select-Object -ExpandProperty Count) -gt 0) { + foreach ($user in $users) { + if ($AllUsersCAPolicy -and $AADPremiumUsers -notcontains $user.UserPrincipalName) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Skipping user $($user.UserPrincipalName) does not have AAD Premium" -sev Debug + continue + } + Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabling legacy MFA for $($user.UserPrincipalName)" -sev Info + $MSOLXML = @" +http://provisioning.microsoftonline.com/IProvisioningWebService/SetUserurn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])$($DataBlob)9450afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$TrackingGuidhttps://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion16$($tenantid)$($User.ObjectID) +"@ + $SetMFA = (Invoke-RestMethod -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -Method post -Body $MSOLXML -ContentType 'application/soap+xml; charset=utf-8') + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Legacy MFA cleanup complete.' 
-sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'No Legacy MFA to cleanup.' -sev Info + } + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unable to clean up per user MFA, tenant does not have Security Defaults or an all users CA policy requiring MFA' -sev Error + } + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to clean up (legacy) per user MFA: $($_.exception.message)" -sev 'Error' + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 new file mode 100644 index 000000000000..0b1e0e99ac28 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 
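Review bot: The "all users CA policy" gate only checks `state eq 'enabled'`, an MFA grant control and `includeUsers any 'All'`; it ignores `excludeUsers`/`excludeGroups`/`excludeRoles` and `conditions/applications`, so a policy that covers all users except a group, or that targets a single app, still qualifies and per-user MFA is then removed for users that policy does not actually protect. Select the full policy objects and require full coverage before treating the tenant as safe, e.g. `$Policies | Where-Object { $_.conditions.applications.includeApplications -contains 'All' -and -not $_.conditions.users.excludeUsers -and -not $_.conditions.users.excludeGroups -and -not $_.conditions.users.excludeRoles }`, or skip the excluded users individually the way the AAD Premium check already does. Failing closed in the `catch` blocks (`$SecDefaults = $false`, `$AllUsersCAPolicy = $false`) is the right default; a one-line comment saying so would keep a future cleanup from "fixing" it. The function is contained within this hunk.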
@@ -0,0 +1,28 @@
+function Invoke-MailContacts-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.MailContacts
+ if (!$Contacts) {
+ $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.MailContacts
+ }
+
+ try {
+ $TenantID = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/organization' -tenantid $tenant)
+ $Body = [pscustomobject]@{}
+ switch ($Contacts) {
+ { $Contacts.marketingcontact.mail } { $body | Add-Member -NotePropertyName marketingNotificationEmails -NotePropertyValue @($Contacts.marketingcontact.mail) }
+ { $Contacts.SecurityContact.Mail } { $body | Add-Member -NotePropertyName securityComplianceNotificationMails -NotePropertyValue @($Contacts.SecurityContact.Mail) }
+ { $Contacts.TechContact.Mail } { $body | Add-Member -NotePropertyName technicalNotificationMails -NotePropertyValue @($Contacts.TechContact.Mail) }
+ { $Contacts.GeneralContact.Mail } { $body | Add-Member -NotePropertyName privacyProfile -NotePropertyValue @{contactEmail = $Contacts.GeneralContact.Mail } }
+ }
+ Write-Host (ConvertTo-Json -InputObject $body)
+ New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -Type patch -Body (ConvertTo-Json -InputObject $body) -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Contact email's set." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set contact emails: $($_.exception.message)" -sev Error
+ }
+}
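Review bot: When none of the four contact fields is configured, `$body` stays empty, an effectively no-op PATCH with `{}` is sent to the organization object and "Contact email's set." is logged anyway; guard before the request with `if (-not $body.PSObject.Properties.Name) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'No contact emails configured, nothing to set.' -sev Info; return }`. The addresses come straight from the standards table and are written to the tenant's security/compliance and technical notification fields without any format check, so a typo silently diverts security notifications; a `[mailaddress]` cast inside the switch cases would catch malformed values. `Write-Host (ConvertTo-Json -InputObject $body)` also dumps the contact addresses into the Functions log on every run and can be dropped.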
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1
new file mode 100644
index 000000000000..d751a333cfe1
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1
@@ -0,0 +1,9 @@
+function Invoke-ModernAuth-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Modern Authentication is enabled by default. This standard is no longer required.' -sev Info
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1
new file mode 100644
index 000000000000..01fefad0c0b1
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1
@@ -0,0 +1,26 @@ +function Invoke-NudgeMFA-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.NudgeMFA + if (!$Setting) { + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.NudgeMFA + } + Write-Output $setting + $status = if ($Setting.enable -and $Setting.disable) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Nudge MFA setting' -sev Error + Exit + } elseif ($setting.enable) { 'enabled' } else { 'disabled' } + Write-Output $status + try { + $body = '{"registrationEnforcement":{"authenticationMethodsRegistrationCampaign":{"snoozeDurationInDays":0,"state":"' + $status + '","excludeTargets":[],"includeTargets":[{"id":"all_users","targetType":"group","targetedAuthenticationMethod":"microsoftAuthenticator","displayName":"All users"}]}}}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -Type patch -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message "$status Authenticator App Nudge" -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to $status Authenticator App Nudge: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 new file mode 100644 index 000000000000..520c0915147c --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 
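Review bot: `Exit` in the conflicting-settings branch terminates the PowerShell process hosting this function, not just the remediation, so if this runs as a Durable activity (as the orchestrator in this commit suggests) one misconfigured tenant can take down the worker mid-batch; replace it with `return` after the error log, or `throw` so the orchestrator's retry/failure handling sees it. `Write-Output $setting` and `Write-Output $status` also push the tenant's configuration object into the function's output stream, which for an activity function becomes its return value; `Write-Host` or `Write-Verbose` is the right channel if this is only diagnostic. The function is contained within this hunk.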
@@ -0,0 +1,40 @@ +function Invoke-OauthConsent-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($tenant) + $ConfigTable = Get-CippTable -tablename 'standards' + $AllowedAppIdsForTenant = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).Standards.OauthConsent.AllowedApps -split ',' + if (!$AllowedAppIdsForTenant) { + $AllowedAppIdsForTenant = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).Standards.OauthConsent.AllowedApps -split ',' + } + try { + $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) + if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('ManagePermissionGrantsForSelf.cipp-1sent-policy')) { + Write-Host 'Going to set' + + $Existing = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/' -tenantid $tenant) | Where-Object -Property id -EQ 'cipp-consent-policy' + if (!$Existing) { + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies' -Type POST -Body '{ "id":"cipp-consent-policy", "displayName":"Application Consent Policy", "description":"This policy controls the current application consent policies."}' -ContentType 'application/json' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST -Body '{"permissionClassification":"all","permissionType":"delegated","clientApplicationIds":["d414ee2d-73e5-4e5b-bb16-03ef55fea597"]}' -ContentType 'application/json' + } + try { + foreach ($AllowedApp in $AllowedAppIdsForTenant) { + Write-Host "$AllowedApp" + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST 
-Body ('{"permissionType": "delegated","clientApplicationIds": ["' + $AllowedApp + '"]}') -ContentType 'application/json' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST -Body ('{ "permissionType": "Application", "clientApplicationIds": ["' + $AllowedApp + '"] }') -ContentType 'application/json' + } + } catch { + "Could not add exclusions, probably already exist: $($_)" + } + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.cipp-consent-policy"]}' -ContentType 'application/json' + } + if ($AllowedAppIdsForTenant) { + } + + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode has been enabled.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode Error: $($_.exception.message)" -sev Error + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 new file mode 100644 index 000000000000..63214fcd1bb4 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 
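Review bot: The idempotency check compares against `'ManagePermissionGrantsForSelf.cipp-1sent-policy'`, while the PATCH below assigns `managePermissionGrantsForSelf.cipp-consent-policy`, so the applied state is never recognised and the whole block — policy creation, the include POSTs (hence the "probably already exist" catch) and the authorizationPolicy PATCH — re-runs on every scheduled pass. The operand order is also reversed: `permissionGrantPolicyIdsAssignedToDefaultUserRole` is a collection, and `$collection -notin @('x')` tests whether the array object itself is in the list, which is always true; write it as `if ('managePermissionGrantsForSelf.cipp-consent-policy' -notin $State.permissionGrantPolicyIdsAssignedToDefaultUserRole) {`. Each `$AllowedApp` from the config table is concatenated into a JSON body unvalidated; since these ids become a standing consent exception for all users, check them with `[guid]::TryParse` (and skip empty strings left by the `-split`) before posting, and drop the empty `if ($AllowedAppIdsForTenant) { }` block. The function is contained within this hunk.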
@@ -0,0 +1,18 @@
+function Invoke-OauthConsentLowSec-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant)
+ if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
+ Write-Host 'Going to set'
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.microsoft-user-default-low"]}' -ContentType 'application/json'
+ }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) has been enabled.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1
new file mode 100644
index 000000000000..722f56803893
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1
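Review bot: The guard has its operands reversed: `permissionGrantPolicyIdsAssignedToDefaultUserRole` is a collection, so `$collection -notin @('…')` asks whether the array object is one of the listed strings, which is always true, and the PATCH is issued on every run regardless of the current state (and the success entry is logged every time). Write it as `if ('managePermissionGrantsForSelf.microsoft-user-default-low' -notin $State.permissionGrantPolicyIdsAssignedToDefaultUserRole) {`. Because the PATCH replaces the assigned policy list, any other grant policy previously assigned to the default user role is removed at the same time; that is probably the intent for a "low security" consent standard, but a comment noting the replacement (and that this standard loosens user consent relative to the stricter OauthConsent one) would help an operator choosing between the two.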
@@ -0,0 +1,31 @@
+function Invoke-Orchestration-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Context)
+
+ $DurableRetryOptions = @{
+ FirstRetryInterval = (New-TimeSpan -Seconds 5)
+ MaxNumberOfAttempts = 3
+ BackoffCoefficient = 2
+ }
+ $RetryOptions = New-DurableRetryOptions @DurableRetryOptions
+
+ $Batch = (Invoke-ActivityFunction -FunctionName 'Standards_GetQueue' -Input 'LetsGo')
+ $ParallelTasks = foreach ($Item in $Batch) {
+ if ($item['Standard']) {
+ try {
+ Invoke-DurableActivity -FunctionName "Standards_$($item['Standard'])" -Input "$($item['Tenant'])" -NoWait -RetryOptions $RetryOptions
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Task error: $($_.Exception.Message)" -sev Error
+
+ }
+ }
+ }
+
+ if (($ParallelTasks).count -gt 0) {
+ $Outputs = Wait-ActivityFunction -Task $ParallelTasks
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deployment finished.' -sev Info
+ }
+}
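Review bot: `$tenant` is not defined anywhere in this function (the only parameter is `$Context`), so both log calls write an empty tenant; in the catch the value is at hand as `$item['Tenant']`, and the final "Deployment finished." entry is tenant-independent and should simply omit `-tenant`. Because the activities are scheduled with `-NoWait`, a failing remediation surfaces from `Wait-ActivityFunction`, which is outside any try block, and `$Outputs` is discarded, so a standard that fails after its retries is neither logged here nor reflected in the "finished" message; wrapping the wait in try/catch and logging the failure (with the tenant/standard pair) would close that gap. The activity name is built from `$item['Standard']` taken from the stored standards JSON, so a comment that the key names are trusted config, not user input, is worth adding for whoever audits this orchestrator.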
@@ -0,0 +1,27 @@
+function Invoke-OrchestrationStarter-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ using namespace System.Net
+
+ param($Request, $TriggerMetadata)
+ if ($CurrentlyRunning) {
+ $Results = [pscustomobject]@{'Results' = 'Already running. Please wait for the current instance to finish' }
+ Write-LogMessage -API 'StandardsApply' -message 'Attempted to Standards but an instance was already running.' -sev Info
+ } else {
+ $InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration'
+ Write-Host "Started orchestration with ID = '$InstanceId'"
+ $Response = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId
+ Write-Host ($Response | ConvertTo-Json)
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Started applying the standard templates to tenants.' -sev Info
+ $Results = [pscustomobject]@{'Results' = 'Started Applying Standards' }
+ }
+ Write-Host ($Orchestrator | ConvertTo-Json)
+
+
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = [HttpStatusCode]::OK
+ Body = $results
+ })
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1
new file mode 100644
index 000000000000..7da0269a9a28
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1
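Review bot: `$CurrentlyRunning` is never assigned in this function, so the 'Already running' branch is dead and every HTTP call starts a fresh `Standards_Orchestration` instance; repeated calls run the same remediations concurrently, which matters because two standards in this patch read-modify-PUT the same deviceRegistrationPolicy object. Either query the status of a running instance before `Start-NewOrchestration`, or remove the dead branch so the response is truthful. `$Orchestrator` and `$tenant` are also never assigned here, so the `Write-Host ($Orchestrator | ConvertTo-Json)` line prints nothing useful and the log entry has no tenant.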
@@ -0,0 +1,16 @@
+function Invoke-OrchestrationStarterTimer-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ using namespace System.Net
+
+ param($Timer)
+
+ $InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration'
+ Write-Host "Started orchestration with ID = '$InstanceId'"
+
+ $Response = New-OrchestrationCheckStatusResponse -Request $timer -InstanceId $InstanceId
+ Write-Host ($Response | ConvertTo-Json)
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Started applying the standard templates to tenants.' -sev Info
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1
new file mode 100644
index 000000000000..eafcbdfda1a6
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1
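Review bot: The timer starter has no check for an instance that is still running, so a timer firing while the previous run is still applying standards launches a second concurrent run against the same tenants; checking the orchestration status before `Start-NewOrchestration` (and skipping with a log line) would avoid overlapping writes. `$tenant` is not defined in this function, so drop `-tenant $tenant` from the log call. `New-OrchestrationCheckStatusResponse -Request $timer` is handed a timer payload rather than an HTTP request and the result is only echoed, so it can presumably be removed.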
@@ -0,0 +1,19 @@
+function Invoke-OutBoundSpamAlert-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.OutBoundSpamAlert
+ if (!$Contacts) {
+ $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.OutBoundSpamAlert
+ }
+
+ try {
+ New-ExoRequest -tenantid $tenant -cmdlet 'Set-HostedOutboundSpamFilterPolicy' -cmdparams @{ Identity = 'Default'; NotifyOutboundSpam = $true; NotifyOutboundSpamRecipients = $Contacts.OutboundSpamContact } -useSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Set outbound spam filter alert to $($Contacts.OutboundSpamContact)" -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set outbound spam contact to $($Contacts.OutboundSpamContact). $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1
new file mode 100644
index 000000000000..40cc5d613969
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1
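Review bot: `NotifyOutboundSpamRecipients = $Contacts.OutboundSpamContact` is sent unconditionally, so when neither the tenant row nor the AllTenants row carries a contact the cmdlet is called with `NotifyOutboundSpam = $true` and an empty recipient list, which either errors or leaves a policy that alerts nobody. Add a guard before the try: `if (-not $Contacts.OutboundSpamContact) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'No outbound spam contact configured, skipping.' -sev Error; return }`. `$tenant` is also spliced into the table `-Filter` string between single quotes; the values come from the queue rather than a user, but escaping `'` as `''` would close that off for every standard that uses this pattern.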
@@ -0,0 +1,46 @@
+function Invoke-PWcompanionAppAllowedState-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.PWcompanionAppAllowedState
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.PWcompanionAppAllowedState
+ }
+
+ try {
+
+ # Get current state of microsoftAuthenticator policy
+ $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type GET)
+
+ # Remove number matching from featureSettings because this is now Microsoft enforced and shipping it returns an error
+ $authenticatorFeaturesState.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')
+
+ # Define feature body
+ $featureBody = @{
+ state = $Setting.state
+ includeTarget = [PSCustomObject]@{
+ targetType = 'group'
+ id = 'all_users'
+ }
+ excludeTarget = [PSCustomObject]@{
+ targetType = 'group'
+ id = '00000000-0000-0000-0000-000000000000'
+ }
+ }
+
+ # Set body for companionAppAllowedState
+ $authenticatorFeaturesState.featureSettings.companionAppAllowedState = $featureBody
+
+ $body = $authenticatorFeaturesState | ConvertTo-Json -Depth 3
+
+ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json')
+
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled companionAppAllowedState.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable companionAppAllowedState. 
Error: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1
new file mode 100644
index 000000000000..1ab011ca53d9
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1
@@ -0,0 +1,18 @@
+function Invoke-PWdisplayAppInformationRequiredState-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $body = @'
+{"@odata.type":"#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration","id":"MicrosoftAuthenticator","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","authenticationMode":"any"}],"excludeTargets":[],"state":"enabled","isSoftwareOathEnabled":false,"featureSettings":{"displayLocationInformationRequiredState":{"state":"enabled","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}},"displayAppInformationRequiredState":{"state":"enabled","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}},"companionAppAllowedState":{"state":"default","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}}}}
+'@
+ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json')
+
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled passwordless with Information and Number Matching.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable passwordless with Information and Number Matching. Error: $($_.exception.message)" -sev 'Error'
+ }
+}
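Review bot: `state = $Setting.state` is written into the Authenticator policy without validation; when no row exists for the tenant or AllTenants, `$Setting` is `$null` and the PATCH sends `"state": null`, and any other config value is forwarded verbatim to Graph. Check it before touching the policy, e.g. `if ($Setting.state -notin @('enabled', 'disabled', 'default')) { Write-LogMessage -API 'Standards' -tenant $tenant -message "Invalid companionAppAllowedState '$($Setting.state)'" -sev Error; return }`. The success message 'Enabled companionAppAllowedState.' is logged whatever state was applied, so include `$Setting.state` in it. This hunk started on the previous line; the GET response is serialised back with `-Depth 3`, so any read-only members it carries are re-sent to Graph as well.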
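Review bot: The hard-coded `$body` rewrites the entire microsoftAuthenticator configuration — `"excludeTargets":[]`, `"isSoftwareOathEnabled":false` and `"companionAppAllowedState":{"state":"default"...}` — so applying this standard discards any tenant-specific exclusions and undoes the value the sibling PWcompanionAppAllowedState standard sets; the orchestrator above schedules standards with `-NoWait`, so which one wins is not even deterministic. Use the GET-modify-PATCH pattern from Invoke-PWcompanionAppAllowedState-Remediate and change only `displayAppInformationRequiredState` (and `displayLocationInformationRequiredState` if that is intended). The log text 'Enabled passwordless with Information and Number Matching.' does not match the body, which carries no number-matching setting.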
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1
new file mode 100644
index 000000000000..4bee1ea43ac8
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1
@@ -0,0 +1,13 @@
+function Invoke-PWnumberMatchingRequiredState-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with number matching is now enabled by default.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable passwordless with Number Matching. Error: $($_.exception.message)" -sev 'Error'
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1
new file mode 100644
index 000000000000..de3ed1342621
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1
@@ -0,0 +1,15 @@
+function Invoke-PasswordExpireDisabled-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ try {
+ $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object {
+ New-GraphPostRequest -type Patch -tenantid $Tenant -uri "https://graph.microsoft.com/beta/domains/$($_.id)" -body '{"passwordValidityPeriodInDays": 2147483647 }'
+ }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Password Expiration' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Password Expiration. Error: $($_.exception.message)" -sev Error
+ }
+}
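Review bot: `Where-Object -Property passwordValidityPeriodInDays -NE '2147483647'` also selects domains where the property is absent or null, so the PATCH is attempted on every such domain, and the first one Graph rejects (federated or unverified domains, presumably) throws out of the pipeline into the catch and the remaining domains are never processed. Wrap the inner `New-GraphPostRequest` in its own try/catch so one bad domain is logged and the loop continues, and log the domains actually changed rather than the unconditional 'Disabled Password Expiration'. `$GraphRequest` is assigned and never used.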
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1
new file mode 100644
index 000000000000..5fdc3e193ac6
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1
@@ -0,0 +1,17 @@
+function Invoke-RotateDKIM-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -EQ 1024 -and $_.Enabled -eq $true } | ForEach-Object {
+ (New-ExoRequest -tenantid $tenant -cmdlet 'Rotate-DkimSigningConfig' -cmdparams @{ KeySize = 2048; Identity = $_.Identity } -useSystemMailbox $true)
+ }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Rotated DKIM' -sev Info
+
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to rotate DKIM Error: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1
new file mode 100644
index 000000000000..0cfa569ee6e4
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1
@@ -0,0 +1,12 @@
+function Invoke-SSPR-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ try {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'SSPR standard is no longer available' -sev Error
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable SSPR $($_.exception.message)" -sev 'Error'
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1
new file mode 100644
index 000000000000..4614993bed28
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1
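Review bot: The filter `$_.Selector1KeySize -EQ 1024 -and $_.Enabled -eq $true` only inspects selector1; if rotation alternates the active selector (which the cmdlet name suggests), a domain whose selector2 currently holds the 1024-bit key is never rotated, and 'Rotated DKIM' is logged even when nothing matched. Consider `($_.Selector1KeySize -eq 1024 -or $_.Selector2KeySize -eq 1024) -and $_.Enabled -eq $true` and logging the identities actually rotated; `$DKIM` is assigned but unused and could carry that list into the log message.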
@@ -0,0 +1,20 @@
+function Invoke-SecurityDefaults-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant)
+
+ if ($SecureDefaultsState.IsEnabled -ne $true) {
+ Write-Host "Secure Defaults is disabled. Enabling for $tenant" -ForegroundColor Yellow
+ $body = '{ "isEnabled": true }'
+ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -ContentType 'application/json')
+ }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Security Defaults Enabled.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Security Defaults Error: $($_.exception.message)" -sev 'Error'
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1
new file mode 100644
index 000000000000..154418d7f9c9
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1
@@ -0,0 +1,18 @@
+function Invoke-SendFromAlias-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $AdminAuditLogParams = @{
+ SendFromAliasEnabled = $true
+ }
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams $AdminAuditLogParams
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Send from alias Enabled.' -sev Info
+
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Send from Alias Standard. Error: $($_.exception.message)" -sev Error
+ }
+}
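Review bot: 'Standards API: Security Defaults Enabled.' is logged at Info on both paths, so an operator cannot tell from the log whether this run actually flipped the setting or found it already on; move the success message inside the `if` and add an `else` that logs 'Security Defaults already enabled'. Enabling Security Defaults is presumably rejected by Graph while Conditional Access policies exist in the tenant; the catch will surface that as a bare error, so naming that cause in the message would save a support round-trip.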
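Review bot: Style: the splat is named `$AdminAuditLogParams` but it carries `SendFromAliasEnabled` for `Set-OrganizationConfig`, which reads as a leftover from an audit-log standard; rename it `$OrgConfigParams` so the intent is clear. This `New-ExoRequest` is also the only Set-* call in this set issued without `-useSystemMailbox $true`; confirm that is deliberate.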
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1
new file mode 100644
index 000000000000..006930fdf7a9
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1
@@ -0,0 +1,24 @@
+function Invoke-SpoofWarn-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.spoofwarn
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.spoofwarn
+ }
+ $status = if ($Setting.enable -and $Setting.disable) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Spoof Warnings setting' -sev Error
+ Exit
+ } elseif ($setting.enable) { $true } else { $false }
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ExternalInOutlook' -cmdParams @{ Enabled = $status; }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Spoofing warnings set to $status." -sev Info
+
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set spoofing warnings to $status. Error: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1
new file mode 100644
index 000000000000..39bba97132ce
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1
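Review bot: `Exit` on the enable/disable conflict path terminates the PowerShell host rather than this function; inside a Durable activity that tears down the worker and whatever other tenants' tasks it was running. Do the conflict check before the assignment and return from it: `if ($Setting.enable -and $Setting.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Spoof Warnings setting' -sev Error; return }` followed by `$status = [bool]$Setting.enable`. The same `Exit` pattern appears in Invoke-UserSubmissions-Remediate further down.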
@@ -0,0 +1,36 @@
+function Invoke-TAP-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $TAPConfig = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).Standards.TAP.config
+ if (!$TAPConfig) {
+ $TAPConfig = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).Standards.TAP.config
+ }
+ if (!$TAPConfig) { $TAPConfig = 'true' }
+ try {
+ $MinimumLifetime = '60' #Minutes
+ $MaximumLifetime = '480' #minutes
+ $DefaultLifeTime = '60' #minutes
+ $DefaultLength = '8'
+ $body = @"
+ {"@odata.type":"#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
+ "id":"TemporaryAccessPass",
+ "includeTargets":[{"id":"all_users",
+ "isRegistrationRequired":false,
+ "targetType":"group","displayName":"All users"}],
+ "defaultLength":$DefaultLength,
+ "defaultLifetimeInMinutes":$DefaultLifeTime,
+ "isUsableOnce": $TAPConfig,
+ "maximumLifetimeInMinutes":$MaximumLifetime,
+ "minimumLifetimeInMinutes":$MinimumLifetime,
+ "state":"enabled"}
+"@
+ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass' -Type patch -asApp $true -Body $body -ContentType 'application/json')
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Temporary Access Passwords.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable TAP. Error: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1
new file mode 100644
index 000000000000..f7363f1d5e85
--- /dev/null
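Review bot: `"isUsableOnce": $TAPConfig,` splices the raw config value into the JSON here-string, so anything other than a literal `true`/`false` (a PowerShell `$true` stringified to `True`, or a typo) yields an invalid body, and a crafted value could append arbitrary policy fields; the fallback `'true'` is itself a string rather than a boolean. Parse it once inside the try so a bad value lands in the catch, and build the body from a hashtable instead of a template:

```powershell
$IsUsableOnce = [bool]::Parse("$TAPConfig")
$body = @{
    '@odata.type'             = '#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration'
    id                        = 'TemporaryAccessPass'
    includeTargets            = @(@{ id = 'all_users'; isRegistrationRequired = $false; targetType = 'group'; displayName = 'All users' })
    defaultLength             = 8
    defaultLifetimeInMinutes  = 60
    isUsableOnce              = $IsUsableOnce
    maximumLifetimeInMinutes  = 480
    minimumLifetimeInMinutes  = 60
    state                     = 'enabled'
} | ConvertTo-Json -Depth 5
# … unchanged: New-GraphPostRequest and logging …
```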
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 
@@ -0,0 +1,39 @@
+function Invoke-TransportRuleTemplate-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate
+ }
+
+ foreach ($Template in $Setting.TemplateList) {
+ $Table = Get-CippTable -tablename 'templates'
+ $Filter = "PartitionKey eq 'TransportTemplate' and RowKey eq '$($Template.value)'"
+ $RequestParams = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json
+ $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenant -cmdlet 'Get-TransportRule' -useSystemMailbox $true | Where-Object -Property Identity -EQ $RequestParams.name
+
+
+ try {
+ if ($Existing) {
+ Write-Host 'Found existing'
+ $RequestParams | Add-Member -NotePropertyValue $RequestParams.name -NotePropertyName Identity
+ $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportRule' -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty UseLegacyRegex) -useSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully set transport rule for $tenant" -sev 'Info'
+ } else {
+ Write-Host 'Creating new'
+ $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'New-TransportRule' -cmdParams $RequestParams -useSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully created transport rule for $tenant" -sev 'Info'
+ }
+
+ Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($tenantfilter)" -sev 'Debug'
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not create transport rule for 
$($tenantfilter): $($_.Exception.message)" -sev 'Error'
+ }
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1
new file mode 100644
index 000000000000..918a07153e7a
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1
@@ -0,0 +1,13 @@
+function Invoke-UndoOauth-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ try {
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}' -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode has been disabled.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set Application Consent Mode to disabled Error: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1
new file mode 100644
index 000000000000..10c6bab44b6e
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1
@@ -0,0 +1,8 @@
+function Invoke-UndoSSPR-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'The standard for SSPR is no longer supported.' -sev Error
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1
new file mode 100644
index 000000000000..2b06376b4029
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1
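Review bot: `New-ExoRequest -ErrorAction SilentlyContinue ... 'Get-TransportRule'` hides a failed lookup, and on failure `$Existing` is empty, so the else branch runs `New-TransportRule` and tries to create a duplicate; drop `-ErrorAction SilentlyContinue` and move the lookup inside the try so the catch reports it and the template is skipped. The Debug log uses `$APINAME` and `$tenantfilter`, and the catch message interpolates `$tenantfilter` too; none of these are defined in this function, so use `'Standards'` and `$tenant` as the rest of the function does. `$Template.value` is spliced into an OData `-Filter` between single quotes; it comes from the standards config rather than a user, but escaping `'` as `''` is cheap. This hunk started on the previous line.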
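Review bot: The 'undo' assigns `ManagePermissionGrantsForSelf.microsoft-user-default-legacy`, which by its name is the legacy user-consent policy and presumably lets every user consent to any application permission; that is the least restrictive state, not a 'disabled' consent mode as the log text says. Log what was actually set, e.g. `'Application Consent Mode set to microsoft-user-default-legacy (legacy user consent).'`, so the audit trail reflects the exposure. If the intent is only to remove the low-risk policy, an empty list (no user consent) would be the safer revert.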
@@ -0,0 +1,44 @@
+function Invoke-UserSubmissions-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.usersubmissions
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.usersubmissions
+ }
+ if ($Setting.enable -and $Setting.disable) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the User Submission policy' -sev Error
+ Exit
+ } elseif ($setting.enable) {
+ $status = $true
+ try {
+ $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy'
+ if ($Policy.length -eq 0) {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-ReportSubmissionPolicy'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info
+ } else {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ReportSubmissionPolicy' -cmdParams @{ EnableReportToMicrosoft = $status; Identity = $($Policy.Identity); }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info
+ }
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set User Submission policy to $status. Error: $($_.exception.message)" -sev Error
+ }
+ } else {
+ $status = $false
+ try {
+ $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy'
+ if ($Policy.length -eq 0) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." 
-sev Info
+ } else {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ReportSubmissionPolicy' -cmdParams @{ EnableReportToMicrosoft = $status; Identity = $($Policy.Identity); EnableThirdPartyAddress = $status; ReportJunkToCustomizedAddress = $status; ReportNotJunkToCustomizedAddress = $status; ReportPhishToCustomizedAddress = $status; }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info
+ }
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set User Submission policy to $status. Error: $($_.exception.message)" -sev Error
+ }
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1
new file mode 100644
index 000000000000..2e559913f514
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1
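Review bot: `Exit` on the enable/disable conflict path terminates the host rather than this function; in a Durable activity that takes the worker down with any other tenants' tasks in flight, so replace it with `return` after the log message. In the enable branch `New-ReportSubmissionPolicy` is called with no parameters, so a newly created policy gets cmdlet defaults rather than `EnableReportToMicrosoft = $true`, yet the log reports it 'set to True'; pass the parameter or follow the create with the same `Set-ReportSubmissionPolicy` call used in the else branch. `$Policy.length -eq 0` is a fragile emptiness test for a single policy object; `-not $Policy` says what is meant. This hunk started on the previous line.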
@@ -0,0 +1,30 @@
+function Invoke-calDefault-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.caldefault
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.caldefault
+ }
+
+
+ $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'get-mailbox'
+ foreach ($Mailbox in $Mailboxes) {
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxFolderStatistics' -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | ForEach-Object {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxFolderPermission' -cmdparams @{Identity = ($_.identity).replace('\', ':\'); User = 'Default'; AccessRights = $setting.permissionlevel } -Anchor $Mailbox.UserPrincipalName
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName) to $($setting.permissionlevel)" -sev Error
+
+ }
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set default calendar permissions. Error: $($_.exception.message)" -sev Error
+ }
+
+ }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Done setting default calendar permissions.' -sev Info
+
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1
new file mode 100644
index 000000000000..778a04f9720b
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1
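Review bot: The per-folder success message 'Set default folder permission for ...' is logged with `-sev Error`, so every successful mailbox shows up as an error in the log; change it to `-sev Info`. `$setting.permissionlevel` is passed to `Set-MailboxFolderPermission` without validation, and when neither config row exists it is `$null`, so the loop fails once per mailbox and fills the log; check it once before enumerating mailboxes, e.g. `if (-not $Setting.permissionlevel) { Write-LogMessage ... -sev Error; return }`. Note that `-FolderScope 'Calendar'` presumably returns every calendar-type folder, not just the default calendar, so the permission is applied to all of them; if only the default calendar is intended, filter on the folder type.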
@@ -0,0 +1,15 @@
+function Invoke-disableMacSync-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $body = '{"isMacSyncAppEnabled": false}'
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Mac OneDrive Sync' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Mac OneDrive Sync: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1
new file mode 100644
index 000000000000..0084e67d8afd
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1
@@ -0,0 +1,30 @@
+function Invoke-fwdAdminAlerts-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.caldefault
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.caldefault
+ }
+
+
+ $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'get-mailbox'
+ foreach ($Mailbox in $Mailboxes) {
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxFolderStatistics' -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | ForEach-Object {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxFolderPermission' -cmdparams @{Identity = ($_.identity).replace('\', ':\'); User = 'Default'; AccessRights = $setting.permissionlevel } -Anchor $Mailbox.UserPrincipalName
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName) to $($setting.permissionlevel)" -sev Error
+
+ }
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set default calendar permissions. Error: $($_.exception.message)" -sev Error
+ }
+
+ }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Done setting default calendar permissions.' -sev Info
+
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1
new file mode 100644
index 000000000000..138542ee7cf8
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1
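Review bot: The body of Invoke-fwdAdminAlerts-Remediate is a verbatim copy of Invoke-calDefault-Remediate: it reads `.standards.caldefault` and rewrites default calendar folder permissions on every mailbox, so enabling the 'fwdAdminAlerts' standard silently re-applies calendar permissions and does nothing about forwarding admin alerts. This function needs its own implementation reading `.standards.fwdAdminAlerts` (or a clearly named delegating call); as written, the 'Done setting default calendar permissions.' line will surprise whoever turns this standard on. The `-sev Error` on the per-mailbox success message is copied along with it.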
@@ -0,0 +1,21 @@
+function Invoke-intuneDeviceReg-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ try {
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.intuneDeviceReg
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.intuneDeviceReg
+ }
+ $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant
+ $PreviousSetting.userDeviceQuota = $Setting.max
+ $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Set user device quota to $($setting.max)" -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set user device quota to $($setting.max) : $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1
new file mode 100644
index 000000000000..f3d8a4f06319
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1
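Review bot: `$PreviousSetting.userDeviceQuota = $Setting.max` assigns the config value unvalidated and then PUTs the whole policy object back, so a missing row sends `"userDeviceQuota": null` and a non-numeric value is forwarded as-is; cast and check first, e.g. `$Quota = [int]$Setting.max` inside the try so a bad value is caught and logged. The GET→PUT round trip also re-sends whatever metadata members the GET returned (an `@odata.context`, presumably), which Graph may reject — strip them before `ConvertTo-Json`. Invoke-laps-Remediate below does the same read-modify-PUT on the same deviceRegistrationPolicy object, and the orchestrator runs standards with `-NoWait`, so when both are enabled for a tenant the later PUT can overwrite the earlier change.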
@@ -0,0 +1,24 @@
+function Invoke-intuneDeviceRetirementDays-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.DeviceInactivityBeforeRetirementInDays
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.DeviceInactivityBeforeRetirementInDays
+ }
+
+ try {
+
+ $body = @{ DeviceInactivityBeforeRetirementInDays = $Setting.days } | ConvertTo-Json
+
+ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -Type PATCH -Body $body -ContentType 'application/json')
+
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled DeviceInactivityBeforeRetirementInDays.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DeviceInactivityBeforeRetirementInDays. Error: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1
new file mode 100644
index 000000000000..166fca5fe4c7
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1
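Review bot: `DeviceInactivityBeforeRetirementInDays = $Setting.days` is sent without a check, so when neither config row exists the PATCH body is `{"DeviceInactivityBeforeRetirementInDays": null}` and a non-numeric value is forwarded verbatim; cast it (`[int]$Setting.days`) inside the try and bail out with an Error log when it is missing. The success message 'Enabled DeviceInactivityBeforeRetirementInDays.' hides the value that was set — include `$Setting.days` so the log is auditable.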
@@ -0,0 +1,16 @@
+function Invoke-laps-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+ try {
+ $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant
+ $previoussetting.localadminpassword.isEnabled = $true
+ $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $newBody -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'LAPS has been enabled.' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set LAPS: $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1
new file mode 100644
index 000000000000..558f9b683bdb
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1
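Review bot: This function reads deviceRegistrationPolicy and PUTs the entire object back with only `localAdminPassword.isEnabled` changed; Invoke-intuneDeviceReg-Remediate does the same on the same object, and the orchestrator schedules standards with `-NoWait`, so when both standards are enabled for a tenant the later PUT can silently revert the earlier one (last writer wins). Either apply both settings in one PUT, or re-read immediately before writing and verify after. `ConvertTo-Json -Compress -InputObject $PreviousSetting` with the default depth may also truncate nested members of the policy and re-sends any metadata members the GET returned; pass `-Depth 10` and drop members such as `@odata.context` before serialising.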
@@ -0,0 +1,20 @@
+function Invoke-sharingCapability-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.sharingCapability
+ if (!$Setting) {
+ $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.sharingCapability
+ }
+
+ try {
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Setting.Level)`"}" -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Set sharing level to $($Setting.level)" -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set sharing level to $($Setting.level): $($_.exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1
new file mode 100644
index 000000000000..9b5e42d50409
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1
@@ -0,0 +1,15 @@
+function Invoke-unmanagedSync-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($tenant)
+
+ try {
+ $body = '{"isUnmanagedSyncAppForTenantRestricted": false}'
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Sync for unmanaged devices' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Sync for unmanaged devices: $($_.exception.message)" -sev Error
+ }
+}
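Review bot: In Invoke-sharingCapability-Remediate the request body is assembled by string interpolation, `"{`"sharingCapability`":`"$($Setting.Level)`"}"`, so when `$Setting` is `$null` (neither the tenant row nor `AllTenants` defines `sharingCapability`) the body silently becomes `{"sharingCapability":""}` and is still PATCHed, and the success log then reports an empty level. Return early when `$Setting.Level` is empty and build the body as `$body = @{ sharingCapability = $Setting.Level } | ConvertTo-Json -Compress`, which also gives correct JSON escaping for whatever the table holds.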
diff --git a/Modules/CIPPCore/Public/Start-CIPPStandard.ps1 b/Modules/CIPPCore/Public/Start-CIPPStandard.ps1
new file mode 100644
index 000000000000..01bf5fa6b40e
--- /dev/null
+++ b/Modules/CIPPCore/Public/Start-CIPPStandard.ps1
@@ -0,0 +1,30 @@
+function Start-CIPPStandard {
+ param (
+ $Tenant,
+ $Standard,
+ $Remediate,
+ $Alert,
+ $AlertLevel
+ )
+
+ if ($Remediate) {
+ $FunctionName = 'Invoke-{0}-Remediate' -f $Standard
+ try {
+ $RemediateFeedback = & $FunctionName -Tenant $Tenant
+ $AddedText = 'but we remediated this.'
+ } catch {
+ $AddedText = "but we failed to remediate. Error: $($_.exception.message)"
+ $AlertLevel = 'Alert'
+ }
+ }
+
+ if ($Alert) {
+ $FunctionName = 'Invoke-{0}-Alert' -f $Standard
+ $AlertFeedback = & $FunctionName -Tenant $Tenant
+ $AlertText = "The standard $($Standard) is not in the expected state. The alert was $AlertFeedback. $AddedText"
+ $AlertText
+ #Generate a cipp log alert based on the setting?
+ }
+
+ #Create another case for the reporting functionality?
+}
\ No newline at end of file
From db38248f5b73a7332b670770a84fcae020d08c52 Mon Sep 17 00:00:00 2001
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com>
Date: Wed, 6 Dec 2023 15:01:15 +0000
Subject: [PATCH 25/78] Queue oldest first
---
 Scheduler_Extensions/run.ps1 | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/Scheduler_Extensions/run.ps1 b/Scheduler_Extensions/run.ps1
index b8d80be6a5bf..c23fbcc86ec3 100644
--- a/Scheduler_Extensions/run.ps1
+++ b/Scheduler_Extensions/run.ps1
@@ -15,7 +15,6 @@ if ($Configuration.NinjaOne.Enabled -eq $True) {
 $Settings = (Get-AzDataTableEntity @Table)
 $TimeSetting = ($Settings | Where-Object { $_.RowKey -eq 'NinjaSyncTime' }).SettingValue
-
 if (($TimeSetting | Measure-Object).count -ne 1) {
 [int]$TimeSetting = Get-Random -Minimum 1 -Maximum 95
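Review bot: `$RemediateFeedback` is assigned but never read, `$AlertLevel = 'Alert'` is set in the catch but nothing consumes it, and the alert text is only emitted to the output stream (`$AlertText` on its own line) rather than logged, so a caller that discards output never sees that a standard is out of compliance; the `#Generate a cipp log alert` comment suggests this is known, but as written the function has no observable result. `& $FunctionName` invokes a command whose name is built from `$Standard`; a check such as `if (-not (Get-Command $FunctionName -ErrorAction SilentlyContinue)) { Write-LogMessage -API 'Standards' -tenant $Tenant -message "No remediation function for $Standard" -sev Error; return }` turns a misspelled or unknown standard into a clear log entry instead of a CommandNotFound exception and bounds what the call operator can resolve.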
@@ -44,7 +43,7 @@ if ($Configuration.NinjaOne.Enabled -eq $True) {
 $Filter = "PartitionKey eq 'NinjaOrgsMapping'"
 $TenantsToProcess = Get-AzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' }
-foreach ($Tenant in $TenantsToProcess) {
+foreach ($Tenant in $TenantsToProcess | Sort-Object lastEndTime) {
 Push-OutputBinding -Name NinjaProcess -Value @{
 'NinjaAction' = 'SyncTenant'
 'MappedTenant' = $Tenant
From 562873ee8d95c7d794b036cff28820e0898a9108 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Wed, 6 Dec 2023 21:03:00 +0100
Subject: [PATCH 26/78] changes
---
 .../Entrypoints/Invoke-AddStandardsDeploy.ps1 | 69 ++++++++++---------
 .../CIPPCore/Public/Start-CIPPStandard.ps1 | 16 ++---
 Scheduler_Standards/function.json | 16 +++++
 Scheduler_Standards/run.ps1 | 66 ++++++++++++++++++
 4 files changed, 123 insertions(+), 44 deletions(-)
 create mode 100644 Scheduler_Standards/function.json
 create mode 100644 Scheduler_Standards/run.ps1
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1
index fda5dbc33053..aed41b0e540f 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-AddStandardsDeploy {
+Function Invoke-AddStandardsDeploy {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,43 +8,44 @@ [CmdletBinding()]
 param($Request, $TriggerMetadata)
- $APIName = $TriggerMetadata.FunctionName
-Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug"
+ $APIName = $TriggerMetadata.FunctionName
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
-$user = $request.headers.'x-ms-client-principal'
-$username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($user)) | ConvertFrom-Json).userDetails
+ $user = $request.headers.'x-ms-client-principal'
+ $username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($user)) | ConvertFrom-Json).userDetails
-try {
- $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
- $Settings = ($request.body | Select-Object -Property * -ExcludeProperty Select_*, None )
- foreach ($Tenant in $tenants) {
+ try {
+ $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
+ $Settings = ($request.body | Select-Object -Property *, 'v2' -ExcludeProperty Select_*, None )
+ $Settings.v2 = $true
+ foreach ($Tenant in $tenants) {
- $object = [PSCustomObject]@{
- Tenant = $tenant
- AddedBy = $username
- AppliedAt = (Get-Date).ToString('s')
- Standards = $Settings
- } | ConvertTo-Json -Depth 10
- $Table = Get-CippTable -tablename 'standards'
- $Table.Force = $true
- Add-CIPPAzDataTableEntity @Table -Entity @{
- JSON = "$object"
- RowKey = "$Tenant"
- PartitionKey = "standards"
+ $object = [PSCustomObject]@{
+ Tenant = $tenant
+ AddedBy = $username
+ AppliedAt = (Get-Date).ToString('s')
+ Standards = $Settings
+ v2 = $true
+ } | ConvertTo-Json -Depth 10
+ $Table = Get-CippTable -tablename 'standards'
+ $Table.Force = $true
+ Add-CIPPAzDataTableEntity @Table -Entity @{
+ JSON = "$object"
+ RowKey = "$Tenant"
+ PartitionKey = 'standards'
+ }
 }
+ $body = [pscustomobject]@{'Results' = 'Successfully added standards deployment' }
+ } catch {
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Standards API failed. $($_.Exception.Message)" -Sev 'Error'
+ $body = [pscustomobject]@{'Results' = "Failed to add standard: $($_.Exception.Message)" }
 }
- $body = [pscustomobject]@{"Results" = "Successfully added standards deployment" }
-}
-catch {
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Standards API failed. $($_.Exception.Message)" -Sev "Error"
- $body = [pscustomobject]@{"Results" = "Failed to add standard: $($_.Exception.Message)" }
-}
-# Associate values to output bindings by calling 'Push-OutputBinding'.
-Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
- StatusCode = [HttpStatusCode]::OK
- Body = $body
- })
+ # Associate values to output bindings by calling 'Push-OutputBinding'.
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = [HttpStatusCode]::OK
+ Body = $body
+ })
- }
+}
diff --git a/Modules/CIPPCore/Public/Start-CIPPStandard.ps1 b/Modules/CIPPCore/Public/Start-CIPPStandard.ps1
index 01bf5fa6b40e..390e248af676 100644
--- a/Modules/CIPPCore/Public/Start-CIPPStandard.ps1
+++ b/Modules/CIPPCore/Public/Start-CIPPStandard.ps1
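Review bot: The `v2` flag is written twice: once into `$Settings` (`Select-Object -Property *, 'v2'` followed by `$Settings.v2 = $true`), which places it inside the stored `Standards` object where any consumer that enumerates `standards.psobject.properties.name` will treat `v2` as a standard name, and once at the top level of `$object` (`v2 = $true`), which is the property the scheduler's migration code checks. Dropping the `, 'v2'` and the `$Settings.v2 = $true` lines and keeping only the top-level flag avoids having to filter out a pseudo-standard downstream. `$username` is still decoded from `x-ms-client-principal` outside the try block, so a request without that header would make `FromBase64String($user)` throw before any error response is built; that is pre-existing, but since the hunk re-indents the line it is a good moment to add `if (-not $user) { ... }` ahead of it.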
@@ -9,22 +9,18 @@ function Start-CIPPStandard {
 if ($Remediate) {
 $FunctionName = 'Invoke-{0}-Remediate' -f $Standard
- try {
- $RemediateFeedback = & $FunctionName -Tenant $Tenant
+ $RemediateFeedback = & $FunctionName -Tenant $Tenant
+ if ($RemediateFeedback -eq 'Good') {
 $AddedText = 'but we remediated this.'
- } catch {
- $AddedText = "but we failed to remediate. Error: $($_.exception.message)"
- $AlertLevel = 'Alert'
+ } else {
+ $AddedText = 'and we failed to remediate this.'
 }
 }
 if ($Alert) {
 $FunctionName = 'Invoke-{0}-Alert' -f $Standard
 $AlertFeedback = & $FunctionName -Tenant $Tenant
- $AlertText = "The standard $($Standard) is not in the expected state. The alert was $AlertFeedback. $AddedText"
- $AlertText
- #Generate a cipp log alert based on the setting?
+ $AlertText = "The standard $($Standard) is not in the expected state. The alert was $AlertFeedback. $AddedText"
+ Write-LogMessage -API "Standards_$($Standard)" -tenant $tenant -message $AlertText -sev $AlertLevel
 }
-
- #Create another case for the reporting functionality?
 }
\ No newline at end of file
diff --git a/Scheduler_Standards/function.json b/Scheduler_Standards/function.json
new file mode 100644
index 000000000000..9c3371b066d6
--- /dev/null
+++ b/Scheduler_Standards/function.json
@@ -0,0 +1,16 @@
+{
+ "bindings": [
+ {
+ "name": "Timer",
+ "schedule": "0 * */3 * * *",
+ "direction": "in",
+ "type": "timerTrigger"
+ },
+ {
+ "type": "queue",
+ "direction": "out",
+ "name": "QueueItem",
+ "queueName": "CIPPGenericQueue"
+ }
+ ]
+}
diff --git a/Scheduler_Standards/run.ps1 b/Scheduler_Standards/run.ps1
new file mode 100644
index 000000000000..aeb13784d122
--- /dev/null
+++ b/Scheduler_Standards/run.ps1
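Review bot: Replacing the try/catch with `if ($RemediateFeedback -eq 'Good')` changes the failure semantics in two ways: an exception thrown by the remediation function now propagates out of Start-CIPPStandard before the `$Alert` branch runs, so nothing is logged for that standard, and the success branch requires the function to return the literal string `'Good'`, which none of the remediation functions added in this series do (Invoke-laps-Remediate and Invoke-sharingCapability-Remediate return nothing, Invoke-intuneDeviceRetirementDays-Remediate emits the raw Graph response), so `$AddedText` is always `'and we failed to remediate this.'`. Either keep a try/catch around the `&` call and treat "no exception" as success, or make every `Invoke-*-Remediate` return `'Good'` on success and document that contract in each function's header. `$AlertLevel` is passed straight to `-sev`; when the caller omits it `Write-LogMessage` receives `$null`, so a default such as `if (-not $AlertLevel) { $AlertLevel = 'Info' }` before the log call would be safer. The function header is outside this hunk.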
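Review bot: The NCRONTAB expression `"0 * */3 * * *"` has six fields with seconds first, so it fires at second 0 of every minute during every third hour — sixty runs per three-hour window, each of which re-queues every standard for every tenant. If the intent is one run every three hours, the minute field must be fixed as well: `"schedule": "0 0 */3 * * *"`.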
@@ -0,0 +1,66 @@
+using namespace System.Net
+
+param($Timer)
+
+Write-Host 'Starting process for standards.'
+$Table = Get-CippTable -tablename 'standards'
+$SkipList = Get-Tenants -SkipList
+$Tenants = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json
+
+#Migrate from old standards to new standards.
+$Tenants | Where-Object -Property 'v2' -NE $true | ForEach-Object {
+ $OldStd = $_
+ $OldStd.standards.psobject.properties.name | ForEach-Object {
+ $OldStd.Standards.$_ = [pscustomobject]@{ remediate = $true }
+ }
+ $OldStd | Add-Member -NotePropertyName 'v2' -NotePropertyValue $true -PassThru -Force
+ $Entity = @{
+ PartitionKey = 'standards'
+ RowKey = "$($OldStd.Tenant)"
+ JSON = "$($OldStd | ConvertTo-Json -Depth 10)"
+ }
+ Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force
+}
+
+#Execute standards
+
+$object = foreach ($Tenant in $Tenants) {
+ $Tenant.standards.psobject.properties.name | ForEach-Object {
+ $Standard = $_
+ if ($Tenant.Tenant -ne 'AllTenants' -and $SkipList.defaultDomainName -notcontains $Tenant.Tenant) {
+ if ($Standard -ne 'OverrideAllTenants') {
+ [pscustomobject]@{
+ Tenant = $tenant.Tenant
+ Standard = $Standard
+ Settings = $Tenant.standards.$Standard
+ }
+ }
+ } elseif ($Tenant.Tenant -eq 'AllTenants') {
+ Write-Host "Working on all Tenants Standard. Showing which tasks we'll run below this."
+ Get-Tenants | ForEach-Object {
+ $TenantForStandard = $_
+ $TenantStandard = $Tenants | Where-Object { $_.Tenant -eq $TenantForStandard.defaultDomainName }
+ if ($TenantStandard.standards.OverrideAllTenants.remediate -ne $true) {
+ Write-Host "$($TenantForStandard.defaultDomainName) - $Standard"
+ [pscustomobject]@{
+ Tenant = $_.defaultDomainName
+ Standard = $Standard
+ Settings = $Tenant.standards.$Standard
+ }
+ }
+ }
+ }
+ }
+}
+
+#For each item in our object, run the queue.
+$object | Where-Object -Property Standard -NE 'v2' #filter out the v2 standard
+
+foreach ($task in $object) {
+ $QueueItem = [pscustomobject]@{
+ Tenant = $task.Tenant
+ Standard = $task.Standard
+ Settings = $task.Settings
+ }
+
+}
\ No newline at end of file
From fc802855811f838923eac9a7083992058ad37f68 Mon Sep 17 00:00:00 2001
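Review bot: `$Filter` is never assigned in this file before `Get-CIPPAzDataTableEntity @Table -Filter $Filter`, so the call receives `$null` (or fails outright under Set-StrictMode); either build it (`$Filter = "PartitionKey eq 'standards'"`) or drop the parameter. The result of `$object | Where-Object -Property Standard -NE 'v2'` is discarded, so the `v2` pseudo-standard is still processed by the following loop; it needs to be `$object = $object | Where-Object -Property Standard -NE 'v2'`. The loop then builds `$QueueItem` but never hands it to the `QueueItem` output binding declared in function.json, so as committed nothing is enqueued; presumably `Push-OutputBinding -Name QueueItem -Value $QueueItem` is intended inside the loop. In the migration block `Add-Member ... -PassThru` also emits the modified object to the pipeline; dropping `-PassThru` keeps the script's output clean.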
From: KelvinTegelaar Date: Wed, 6 Dec 2023 22:22:38 +0100 Subject: [PATCH 27/78] add settings --- .../Push-CIPPStandard.ps1} | 19 ++--- .../Invoke-ActivityBasedTimeout-Remediate.ps1 | 2 +- .../Remediate/Invoke-AddDKIM-Remediate.ps1 | 2 +- .../Invoke-AnonReportDisable-Remediate.ps1 | 2 +- .../Remediate/Invoke-AuditLog-Remediate.ps1 | 2 +- .../Invoke-AutoExpandArchive-Remediate.ps1 | 2 +- .../Invoke-AzurePortal-Remediate.ps1 | 2 +- .../Invoke-ConditionalAccess-Remediate.ps1 | 2 +- .../Invoke-DelegateSentItems-Remediate.ps1 | 2 +- ...Invoke-DeletedUserRentention-Remediate.ps1 | 2 +- ...isableAddShortcutsToOneDrive-Remediate.ps1 | 4 +- .../Invoke-DisableBasicAuth-Remediate.ps1 | 2 +- .../Invoke-DisableBasicAuthSMTP-Remediate.ps1 | 2 +- ...Invoke-DisableGuestDirectory-Remediate.ps1 | 2 +- .../Invoke-DisableGuests-Remediate.ps1 | 2 +- ...Invoke-DisableM365GroupUsers-Remediate.ps1 | 2 +- .../Invoke-DisableReshare-Remediate.ps1 | 2 +- ...ke-DisableSecurityGroupUsers-Remediate.ps1 | 2 +- ...e-DisableSelfServiceLicenses-Remediate.ps1 | 6 +- .../Invoke-DisableSharedMailbox-Remediate.ps1 | 4 +- ...Invoke-DisableTenantCreation-Remediate.ps1 | 2 +- ...Invoke-DisableUserSiteCreate-Remediate.ps1 | 2 +- .../Invoke-DisableViva-Remediate.ps1 | 2 +- ...oke-EnableAppConsentRequests-Remediate.ps1 | 72 +++++++++++++++++++ .../Invoke-EnableFIDO2-Remediate.ps1 | 2 +- ...Invoke-EnableOnlineArchiving-Remediate.ps1 | 2 +- .../Invoke-ExConnector-Remediate.ps1 | 6 +- .../Invoke-ExcludedfileExt-Remediate.ps1 | 2 +- .../Remediate/Invoke-GetQueue-Remediate.ps1 | 46 ++++++------ .../Invoke-GroupTemplate-Remediate.ps1 | 4 +- .../Invoke-IntuneTemplate-Remediate.ps1 | 16 ++--- .../Remediate/Invoke-LegacyMFA-Remediate.ps1 | 2 +- .../Invoke-LegacyMFACleanup-Remediate.ps1 | 2 +- .../Invoke-MailContacts-Remediate.ps1 | 2 +- .../Remediate/Invoke-ModernAuth-Remediate.ps1 | 2 +- .../Remediate/Invoke-NudgeMFA-Remediate.ps1 | 2 +- .../Invoke-OauthConsent-Remediate.ps1 | 2 +- 
.../Invoke-OauthConsentLowSec-Remediate.ps1 | 2 +- .../Invoke-Orchestration-Remediate.ps1 | 47 ++++++------ .../Invoke-OrchestrationStarter-Remediate.ps1 | 43 +++++------ ...ke-OrchestrationStarterTimer-Remediate.ps1 | 20 ++---- .../Invoke-OutBoundSpamAlert-Remediate.ps1 | 2 +- ...e-PWcompanionAppAllowedState-Remediate.ps1 | 2 +- ...yAppInformationRequiredState-Remediate.ps1 | 2 +- ...WnumberMatchingRequiredState-Remediate.ps1 | 2 +- ...nvoke-PasswordExpireDisabled-Remediate.ps1 | 2 +- .../Remediate/Invoke-RotateDKIM-Remediate.ps1 | 2 +- .../Remediate/Invoke-SSPR-Remediate.ps1 | 2 +- .../Invoke-SafeSendersDisable-Remediate.ps1 | 20 ++++++ .../Invoke-SecurityDefaults-Remediate.ps1 | 2 +- .../Invoke-SendFromAlias-Remediate.ps1 | 2 +- ...nvoke-SendReceiveLimitTenant-Remediate.ps1 | 57 +++++++++++++++ .../Remediate/Invoke-SpoofWarn-Remediate.ps1 | 2 +- .../Remediate/Invoke-TAP-Remediate.ps1 | 2 +- ...Invoke-TransportRuleTemplate-Remediate.ps1 | 2 +- .../Remediate/Invoke-UndoOauth-Remediate.ps1 | 2 +- .../Remediate/Invoke-UndoSSPR-Remediate.ps1 | 6 +- .../Invoke-UserSubmissions-Remediate.ps1 | 2 +- .../Invoke-allowOAuthTokens-Remediate.ps1 | 18 +++++ .../Invoke-allowOTPTokens-Remediate.ps1 | 19 +++++ .../Remediate/Invoke-calDefault-Remediate.ps1 | 2 +- .../Invoke-disableMacSync-Remediate.ps1 | 2 +- .../Invoke-fwdAdminAlerts-Remediate.ps1 | 2 +- .../Invoke-intuneDeviceReg-Remediate.ps1 | 2 +- ...e-intuneDeviceRetirementDays-Remediate.ps1 | 2 +- .../Invoke-intuneRequireMFA-Remediate.ps1 | 16 +++++ .../Remediate/Invoke-laps-Remediate.ps1 | 2 +- .../Invoke-sharingCapability-Remediate.ps1 | 2 +- .../Invoke-unmanagedSync-Remediate.ps1 | 2 +- Scheduler_Standards/function.json | 2 +- Scheduler_Standards/run.ps1 | 12 ++-- 71 files changed, 369 insertions(+), 170 deletions(-) rename Modules/CIPPCore/Public/{Start-CIPPStandard.ps1 => Entrypoints/Push-CIPPStandard.ps1} (59%) create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 
create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-SafeSendersDisable-Remediate.ps1
create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1
create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOAuthTokens-Remediate.ps1
create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOTPTokens-Remediate.ps1
create mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneRequireMFA-Remediate.ps1
diff --git a/Modules/CIPPCore/Public/Start-CIPPStandard.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1
similarity index 59%
rename from Modules/CIPPCore/Public/Start-CIPPStandard.ps1
rename to Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1
index 390e248af676..fae28db5ebc2 100644
--- a/Modules/CIPPCore/Public/Start-CIPPStandard.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1
@@ -1,15 +1,17 @@
-function Start-CIPPStandard {
+function Push-CIPPStandard {
 param (
- $Tenant,
- $Standard,
- $Remediate,
- $Alert,
- $AlertLevel
+ $QueueItem, $TriggerMetadata
 )
-
+
+ Write-Host "Received queue item for $($QueueItem.Tenant) and standard $($QueueItem.Standard)"
+ $Tenant = $QueueItem.Tenant
+ $Standard = $QueueItem.Standard
+ $Remediate = $QueueItem.Settings.remediate
+ $Alert = $QueueItem.Settings.alert
+ $AlertLevel = $QueueItem.Settings.alertLevel
 if ($Remediate) {
 $FunctionName = 'Invoke-{0}-Remediate' -f $Standard
- $RemediateFeedback = & $FunctionName -Tenant $Tenant
+ $RemediateFeedback = & $FunctionName -Tenant $Tenant -Settings $QueueItem.Settings
 if ($RemediateFeedback -eq 'Good') {
 $AddedText = 'but we remediated this.'
 } else {
@@ -23,4 +25,5 @@ function Start-CIPPStandard {
 $AlertText = "The standard $($Standard) is not in the expected state. The alert was $AlertFeedback. $AddedText"
 Write-LogMessage -API "Standards_$($Standard)" -tenant $tenant -message $AlertText -sev $AlertLevel
 }
+
 }
\ No newline at end of file
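Review bot: `$Remediate`, `$Alert` and `$AlertLevel` are taken from `$QueueItem.Settings` without validation, and `$AlertLevel` is passed straight to `Write-LogMessage -sev` in the second hunk, so a queue item whose settings lack `alertLevel` logs with `-sev $null`; default it, e.g. `if (-not $AlertLevel) { $AlertLevel = 'Info' }`. `& $FunctionName` still invokes a command name built from `$QueueItem.Standard`; checking `Get-Command -Name $FunctionName -ErrorAction SilentlyContinue` before the call, and logging and returning when it is missing, confines the call operator to the `Invoke-*-Remediate` / `Invoke-*-Alert` functions that actually exist and turns a malformed queue item into a log entry rather than an exception. The body between the two hunks (the `else` branch and the start of the `$Alert` block) is outside this view.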
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1
index 2e47aecf00c7..d2adef1a6085 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-ActivityBasedTimeout-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -tenantid $tenant).id
 if (!$State) {
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1
index 5c04e03219ba..9d3788eaf169 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-AddDKIM-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object -Property Enabled -EQ $false | ForEach-Object {
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1
index b1d07c98ad84..4917c2945492 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-AnonReportDisable-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -Type patch -Body '{"displayConcealedNames": false}' -ContentType 'application/json' -AsApp $true
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1
index c4ac08a1c52d..8cf0f1913094 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-AuditLog-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 $DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').IsDehydrated
 if ($DehydratedTenant) {
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1
index 4cabde40c2e2..23e585dcf6a5 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-AutoExpandArchive-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1
index c1d3fa083fc8..b8a103c1b3f8 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-AzurePortal-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Azure Portal disablement is no longer functional. Please remove this standard.' -sev Error
 }
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1
index 8291bbbc2631..15ab90841c5c 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-ConditionalAccess-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 $ConfigTable = Get-CippTable -tablename 'standards'
 $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ConditionalAccess
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1
index 20e670bcd337..b8e79c535269 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DelegateSentItems-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ RecipientTypeDetails = @('UserMailbox', 'SharedMailbox') } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false } | ForEach-Object {
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1
index 416d381be5d5..a98e0362516f 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DeletedUserRentention-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $body = '{"deletedUserPersonalSiteRetentionPeriodInDays": 365}'
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1
index 124a322eaab6..e4bb5a012a29 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DisableAddShortcutsToOneDrive-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 function GetTenantRequestXml {
 return @'
@@ -82,7 +82,7 @@ function Invoke-DisableAddShortcutsToOneDrive-Remediate {
 $log.message = "Set DisableAddShortcutsToOneDrive to True on $tenant"
 } else {
 $log.message = "Unable to set DisableAddShortcutsToOneDrive to True `
- on $($tenant): $($response.ErrorInfo.ErrorMessage)"
+ on $($Tenant, $Settings): $($response.ErrorInfo.ErrorMessage)"
 }
 } catch {
 $log.message = "Failed to set OneDrive shortcut: $($_.Exception.Message)"
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1
index ceddfc551581..93c57ae6167f 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1
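Review bot: The mechanical replacement of `$tenant` produced `$($Tenant, $Settings)` inside the message string in the second Invoke-DisableAddShortcutsToOneDrive-Remediate hunk, which interpolates a two-element array (the tenant name followed by the settings object's string form, space-separated) instead of the tenant name; the intended text is `on $($Tenant): $($response.ErrorInfo.ErrorMessage)"`. The same substitution appears in Invoke-DisableSelfServiceLicenses-Remediate (both `Write-LogMessage` lines) and, more seriously, inside the request URI in Invoke-DisableSharedMailbox-Remediate, where `https://outlook.office365.com/adminapi/beta/$($Tenant, $Settings)/Mailbox` is no longer a valid URL and the shared-mailbox lookup will fail for every tenant; all three should revert to `$($Tenant)`. The enclosing function in each of these hunks starts outside the visible lines.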
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1
@@ -3,6 +3,6 @@ function Invoke-DisableBasicAuth-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Basic Authentication is disabled by default. SMTP authentication is still allowed. Please use the standard 'Disable SMTP Basic Authentication' to disable" -sev Info
 }
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1
index e354a399b7c4..569bfc0748f8 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DisableBasicAuthSMTP-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $Request = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true }
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1
index bd425616ab07..777e3e9cfbe3 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DisableGuestDirectory-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $body = '{guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b"}'
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1
index 0e63b10fd3e5..20bb39555644 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DisableGuests-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o')
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1
index 42b50fb80fcb..f2e2cebfb7ba 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DisableM365GroupUsers-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified'
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1
index 3329b7a2a236..a681764d9186 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DisableReshare-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $body = '{"isResharingByExternalUsersEnabled": "False"}'
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1
index 9d2c39a28672..8038dbfa1ada 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-DisableSecurityGroupUsers-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $body = '{"defaultUserRolePermissions":{"allowedToCreateSecurityGroups":false}}'
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1
index d46bb4b4b350..5ce67d5778dc 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1
@@ -3,12 +3,12 @@ function Invoke-DisableSelfServiceLicenses-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
- Write-LogMessage "Standards API: $($tenant) failed to disable License Buy Self Service: $($exception.message)" -sev Error
+ Write-LogMessage "Standards API: $($Tenant, $Settings) failed to disable License Buy Self Service: $($exception.message)" -sev Error
 } catch {
- Write-LogMessage "Standards API: $($tenant) failed to disable License Buy Self Service: $($exception.message)" -sev Error
+ Write-LogMessage "Standards API: $($Tenant, $Settings) failed to disable License Buy Self Service: $($exception.message)" -sev Error
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1
index 2c6c6a579b25..b904828f6117 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1
@@ -3,10 +3,10 @@ function Invoke-DisableSharedMailbox-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { - $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($tenant)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) | ForEach-Object { + $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($Tenant, $Settings)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) | ForEach-Object { New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/users/$($_.ObjectKey)" -type 'PATCH' -body '{"accountEnabled":"false"}' -tenantid $tenant } Write-LogMessage -API 'Standards' -tenant $tenant -message 'AAD Accounts for shared mailboxes disabled.' -sev Info diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 index 06cca88c620b..eef8d1934648 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-DisableTenantCreation-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $body = '{"defaultUserRolePermissions":{"allowedToCreateTenants":false}}' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 index d35d98ae2462..997ae091c58d 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-DisableUserSiteCreate-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $body = '{"isSiteCreationEnabled": false}' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 index 2a51cc679d59..8b2ab3981b30 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-DisableViva-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 new file mode 100644 index 000000000000..919f8421e6c6 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 
@@ -0,0 +1,72 @@ +function Invoke-EnableAppConsentRequests-Remediate { + <# + .FUNCTIONALITY + Internal + #> + param($Tenant, $Settings) + try { + + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.EnableAppConsentRequests + if (!$Setting) { + $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.EnableAppConsentRequests + } + + # Get current state + $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant + + # Change state to enabled with default settings + $CurrentInfo.isEnabled = 'true' + $CurrentInfo.notifyReviewers = 'true' + $CurrentInfo.remindersEnabled = 'true' + $CurrentInfo.requestDurationInDays = 30 + + # Roles from standards table + $RolesToAdd = $Setting.ReviewerRoles.value + $RoleNames = $Setting.ReviewerRoles.label -join ', ' + + # Set default if no roles are selected + if (!$RolesToAdd) { + $RolesToAdd = @('62e90394-69f5-4237-9190-012177145e10') + $RoleNames = '(Default) Global Administrator' + } + + $NewReviewers = foreach ($Role in $RolesToAdd) { + @{ + query = "/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$Role'" + queryType = 'MicrosoftGraph' + queryRoot = 'null' + } + } + + # Add existing reviewers + $Reviewers = [System.Collections.Generic.List[object]]::new() + foreach ($Reviewer in $CurrentInfo.reviewers) { + $RoleFound = $false + foreach ($Role in $RolesToAdd) { + if ($Reviewer.query -match $Role -or $Reviewers.query -contains $Reviewer.query) { + $RoleFound = $true + } + } + if (!$RoleFound) { + $Reviewers.add($Reviewer) + } + } + + # Add new reviewer roles + foreach ($NewReviewer in $NewReviewers) { + $Reviewers.add($NewReviewer) + } + + # Update reviewer list + $CurrentInfo.reviewers = 
@($Reviewers) + $body = (ConvertTo-Json -Compress -Depth 10 -InputObject $CurrentInfo) + + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -Type put -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Enabled App consent admin requests for the following roles: $RoleNames" -sev Info + + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable App consent admin requests. Error: $($_.exception.message)" -sev Error + } + +} \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 index f4dc4eeeee4f..8861b3f183c1 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-EnableFIDO2-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $body = '{"@odata.type":"#microsoft.graph.fido2AuthenticationMethodConfiguration","id":"Fido2","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","displayName":"All users"}],"excludeTargets":[],"isAttestationEnforced":true,"isSelfServiceRegistrationAllowed":true,"keyRestrictions":{"aaGuids":[],"enforcementType":"block","isEnforced":false},"state":"enabled"}' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 index 2f60e8f42ddd..26b2d757b49b 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 
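Review bot: Each role id from `$Setting.ReviewerRoles.value` is used unvalidated both as a regular expression in `$Reviewer.query -match $Role` and, unescaped, inside the Graph `$filter` string, so a malformed or non-GUID value from the standards table would either throw or match the wrong existing reviewers; filter the list first, e.g. `$RolesToAdd = @($Setting.ReviewerRoles.value | Where-Object { $_ -as [guid] })`, and compare with `-like "*$Role*"` or `[regex]::Escape($Role)`. `isEnabled`, `notifyReviewers` and `remindersEnabled` are assigned the string `'true'` and `queryRoot` the string `'null'`, so the PUT body carries `"true"`/`"null"` strings rather than a JSON boolean and null; unless Graph coerces these, use `$true` and `$null`. The function accepts a `$Settings` parameter but still re-reads the standards table by `$tenant`, which looks like a transitional leftover — confirm which source is meant to be authoritative. The row-key filter also interpolates `$tenant` into the OData string unescaped, so a quote in a tenant name would break the query.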
@@ -3,7 +3,7 @@ function Invoke-EnableOnlineArchiving-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'ArchiveGuid -Eq "00000000-0000-0000-0000-000000000000" -AND RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 index 9b561f50c0a4..886304b1b497 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-ExConnector-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExConnector 
@@ -21,10 +21,10 @@ function Invoke-ExConnector-Remediate { if ($Existing) { $RequestParams | Add-Member -NotePropertyValue $Existing.Identity -NotePropertyName Identity -Force $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "Set-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true - Write-LogMessage -API $APINAME -tenant $Tenant -message "Updated transport rule for $($Tenant)" -sev info + Write-LogMessage -API $APINAME -tenant $Tenant -message "Updated transport rule for $($Tenant, $Settings)" -sev info } else { $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "New-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true - Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($Tenant)" -sev info + Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($Tenant, $Settings)" -sev info } } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Exchange Connector Rule: $($_.exception.message)" -sev 'Error' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 index 3c1bbdaf030e..19ffe76cc9b0 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-ExcludedfileExt-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExcludedfileExt if (!$Setting) { 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1
index ae47f294b61c..24a4f64dc523 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1
@@ -1,33 +1,37 @@ -function Invoke-GetQueue-Remediate { - <# - .FUNCTIONALITY - Internal - #> - param($name) +param($name) - Write-Host 'QUEUEQUE' - $Table = Get-CippTable -tablename 'standards' - $tenants = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json +Write-Host 'QUEUEQUE' +$Table = Get-CippTable -tablename 'standards' +$SkipList = Get-Tenants -SkipList +$Tenants = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - $object = foreach ($Tenant in $tenants) { - $tenant.standards.psobject.properties.name | ForEach-Object { - $Standard = $_ - if ($tenant.Tenant -ne 'AllTenants') { - Write-Host 'Not all tenants. Single object' - [pscustomobject]@{ +$object = foreach ($Tenant in $Tenants) { + $Tenant.standards.psobject.properties.name | ForEach-Object { + $Standard = $_ + Write-Host "Standard is $Standard" + if ($Tenant.Tenant -ne 'AllTenants' -and $SkipList.defaultDomainName -notcontains $Tenant.Tenant) { + Write-Host 'Not all tenants. Single object' + if ($Standard -ne "OverrideAllTenants") { + [pscustomobject]@{ Tenant = $tenant.Tenant Standard = $Standard } - } else { - get-tenants | ForEach-Object { - [pscustomobject]@{ + } + } + elseif ($Tenant.Tenant -eq 'AllTenants') { + Get-Tenants | ForEach-Object { + $TenantForStandard = $_ + $TenantStandard = $Tenants | Where-Object { $_.Tenant -eq $TenantForStandard.defaultDomainName } + Write-Host "Working on all Tenants. Current Tenant is $($Tenant.defaultDomainName) and standard is $Standard" + if ($TenantStandard.standards.OverrideAllTenants -ne $true) { + [pscustomobject]@{ Tenant = $_.defaultDomainName - Standard = $Standard + Standard = $Standard } } } } - } - $object } + +$object \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 index a38c05313ab9..c1170a0a8700 100644 
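Review bot: `$Filter` is passed to `Get-CIPPAzDataTableEntity @Table -Filter $Filter` but is never assigned in the new script body, so the call runs with a null filter and returns every row of the `standards` table; with the function wrapper removed there is no enclosing scope that could supply it, so either assign it explicitly (`$Filter = "PartitionKey eq 'standards'"`) or drop the argument deliberately with a comment. In the AllTenants branch the trace line reads `$($Tenant.defaultDomainName)`, but `$Tenant` there is the standards row, not the tenant object; it should be `$($TenantForStandard.defaultDomainName)`. The new file also mixes 4- and 8-space indentation and puts `elseif` on its own line, unlike the other remediation scripts in this commit.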
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-GroupTemplate-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.GroupTemplate @@ -18,7 +18,7 @@ function Invoke-GroupTemplate-Remediate { $Table = Get-CippTable -tablename 'templates' $Filter = "PartitionKey eq 'GroupTemplate' and RowKey eq '$($Template.value)'" $groupobj = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($tenant)" } + $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($Tenant, $Settings)" } $CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant | Where-Object -Property displayName -EQ $groupobj.displayname if (!$CheckExististing) { if ($groupobj.groupType -in 'Generic', 'azurerole', 'dynamic') { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 index dfc60dacf3bd..c08098fc654a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 
@@ -3,7 +3,7 @@ function Invoke-IntuneTemplate-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.IntuneTemplate @@ -37,12 +37,12 @@ function Invoke-IntuneTemplate-Remediate { $DeleteJson = ConvertTo-Json -Depth 10 -InputObject $DeleteJson $DeleteRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $DeleteJson $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Updated policy $($Displayname) to template defaults" -Sev 'info' + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Updated policy $($Displayname) to template defaults" -Sev 'info' } else { $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($Displayname) to template defaults" -Sev 'info' + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($Displayname) to template defaults" -Sev 'info' } } 
@@ -53,11 +53,11 @@ function Invoke-IntuneTemplate-Remediate { if ($PolicyName -in $CheckExististing.displayName) { $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $PolicyName $PatchRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PATCH -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Updated policy $($PolicyName) to template defaults" -Sev 'info' + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Updated policy $($PolicyName) to template defaults" -Sev 'info' } else { $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($PolicyName) via template" -Sev 'info' + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($PolicyName) via template" -Sev 'info' } } @@ -71,7 +71,7 @@ function Invoke-IntuneTemplate-Remediate { } else { $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($PolicyName) via template" -Sev 'info' + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($PolicyName) via template" -Sev 'info' } } 
@@ -80,9 +80,9 @@ function Invoke-IntuneTemplate-Remediate { if ($AssignTo) { $AssignBody = if ($AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $AssignTo" -Sev 'Info' + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Assigned policy $($Displayname) to $AssignTo" -Sev 'Info' } - Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant)" -sev 'Info' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant, $Settings)" -sev 'Info' } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Intune Template: $($_.exception.message)" -sev 'Error' } diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 index bcf58603d51c..b46ca66f2351 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-LegacyMFA-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default') 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 index 67817d61be86..473b8d03ea15 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-LegacyMFACleanup-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default') diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 index 0b1e0e99ac28..75e38daa198a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-MailContacts-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.MailContacts if (!$Contacts) { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 index d751a333cfe1..c3c17c205bae 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 
@@ -3,7 +3,7 @@ function Invoke-ModernAuth-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) Write-LogMessage -API 'Standards' -tenant $tenant -message 'Modern Authentication is enabled by default. This standard is no longer required.' -sev Info } diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 index 01fefad0c0b1..939eee60a120 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-NudgeMFA-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.NudgeMFA diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 index 520c0915147c..8f00f81fd93f 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-OauthConsent-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $AllowedAppIdsForTenant = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).Standards.OauthConsent.AllowedApps -split ',' if (!$AllowedAppIdsForTenant) { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 index 63214fcd1bb4..0ccbc7d5f904 100644 
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-OauthConsentLowSec-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1 index 722f56803893..5e20d3ed21d4 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1 
@@ -1,31 +1,32 @@ -function Invoke-Orchestration-Remediate { - <# - .FUNCTIONALITY - Internal - #> - param($Context) +param($Context) - $DurableRetryOptions = @{ +$DurableRetryOptions = @{ FirstRetryInterval = (New-TimeSpan -Seconds 5) MaxNumberOfAttempts = 3 BackoffCoefficient = 2 - } - $RetryOptions = New-DurableRetryOptions @DurableRetryOptions - - $Batch = (Invoke-ActivityFunction -FunctionName 'Standards_GetQueue' -Input 'LetsGo') - $ParallelTasks = foreach ($Item in $Batch) { - if ($item['Standard']) { - try { - Invoke-DurableActivity -FunctionName "Standards_$($item['Standard'])" -Input "$($item['Tenant'])" -NoWait -RetryOptions $RetryOptions - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Task error: $($_.Exception.Message)" -sev Error +} +$RetryOptions = New-DurableRetryOptions @DurableRetryOptions - } +$Batch = Invoke-ActivityFunction -FunctionName 'Standards_GetQueue' -Input 'LetsGo' -ErrorAction Stop +if ($null -ne $Batch -and ($Batch | Measure-Object).Count -gt 0) { + $ParallelTasks = foreach ($Item in $Batch) { + if ($item['Standard']) { + try { + Invoke-DurableActivity -FunctionName "Standards_$($item['Standard'])" -Input "$($item['Tenant'])" -NoWait -RetryOptions $RetryOptions -ErrorAction Stop + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Task error: $($_.Exception.Message)" -sev Error + } + } } - } - if (($ParallelTasks).count -gt 0) { - $Outputs = Wait-ActivityFunction -Task $ParallelTasks - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deployment finished.' -sev Info - } + if (($ParallelTasks | Measure-Object).Count -gt 0) { + try { + $Outputs = Wait-ActivityFunction -Task $ParallelTasks -ErrorAction Stop + } catch { + Write-Information "Standards Wait-ActivityFunction error: $($_.Exception.Message)" + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deployment finished.' -sev Info + } +} else { + Write-Information 'No Standards to process' } 
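Review bot: `Write-LogMessage -tenant $tenant` in both the per-task catch and the final 'Deployment finished.' line reads a `$tenant` variable that this script never assigns (its only parameter is `$Context`), so those log rows carry no tenant; the catch at least knows the item and should log `-tenant $item['Tenant']`. 'Deployment finished.' is also logged at Info even when `Wait-ActivityFunction` threw and the failure went only to Write-Information, which makes a failed run indistinguishable from a successful one in the logbook; move that log inside the try or log the failure with `-sev Error`. `$Outputs` is assigned but never used.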
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1
index 866e408dc363..514c3edf0980 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1
@@ -1,27 +1,22 @@ -function Invoke-OrchestrationStarter-Remediate { - <# - .FUNCTIONALITY - Internal - #> - using namespace System.Net +using namespace System.Net - param($Request, $TriggerMetadata) - if ($CurrentlyRunning) { - $Results = [pscustomobject]@{'Results' = 'Already running. Please wait for the current instance to finish' } - Write-LogMessage -API 'StandardsApply' -message 'Attempted to Standards but an instance was already running.' -sev Info - } else { - $InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration' - Write-Host "Started orchestration with ID = '$InstanceId'" - $Response = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId - Write-Host ($Response | ConvertTo-Json) - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Started applying the standard templates to tenants.' -sev Info - $Results = [pscustomobject]@{'Results' = 'Started Applying Standards' } - } - Write-Host ($Orchestrator | ConvertTo-Json) +param($Request, $TriggerMetadata) +if ($CurrentlyRunning) { + $Results = [pscustomobject]@{"Results" = "Already running. Please wait for the current instance to finish" } + Write-LogMessage -API "StandardsApply" -message "Attempted to Standards but an instance was already running." -sev Info +} +else { + $InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration' + Write-Host "Started orchestration with ID = '$InstanceId'" + $Response = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId + Write-Host ($Response | ConvertTo-Json) + Write-LogMessage -API "Standards" -tenant $tenant -message "Started applying the standard templates to tenants." 
-sev Info + $Results = [pscustomobject]@{"Results" = "Started Applying Standards" } +} +Write-Host ($Orchestrator | ConvertTo-Json) - Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $results - }) -} +Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $results + }) \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 index 7da0269a9a28..4fa90a9e8720 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 @@ -1,16 +1,10 @@ -function Invoke-OrchestrationStarterTimer-Remediate { - <# - .FUNCTIONALITY - Internal - #> - using namespace System.Net +using namespace System.Net - param($Timer) +param($Timer) - $InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration' - Write-Host "Started orchestration with ID = '$InstanceId'" +$InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration' +Write-Host "Started orchestration with ID = '$InstanceId'" - $Response = New-OrchestrationCheckStatusResponse -Request $timer -InstanceId $InstanceId - Write-Host ($Response | ConvertTo-Json) - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Started applying the standard templates to tenants.' -sev Info -} +$Response = New-OrchestrationCheckStatusResponse -Request $timer -InstanceId $InstanceId +Write-Host ($Response | ConvertTo-Json) +Write-LogMessage -API "Standards" -tenant $tenant -message "Started applying the standard templates to tenants." -sev Info 
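Review bot: `$CurrentlyRunning` is tested but never assigned anywhere in the script, so the 'Already running' branch is dead and every HTTP request starts a fresh `Standards_Orchestration` instance; if the guard is meant to prevent concurrent standards runs it needs a real check of the orchestration status, otherwise it should be removed so the endpoint is not misread as protected. `Write-LogMessage -tenant $tenant` here and in the timer script below refers to an unassigned `$tenant`, and `Write-Host ($Orchestrator | ConvertTo-Json)` dumps another undefined variable. The rewrite also switched the string literals from single to double quotes and put `else` on its own line, which diverges from the quoting and brace style used in the rest of these files.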
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 index eafcbdfda1a6..b8fdc0fef213 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-OutBoundSpamAlert-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.OutBoundSpamAlert if (!$Contacts) { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 index 40cc5d613969..9b874f846a95 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-PWcompanionAppAllowedState-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.PWcompanionAppAllowedState diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 index 1ab011ca53d9..d5abe09d8de7 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-PWdisplayAppInformationRequiredState-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $body = @' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 index 4bee1ea43ac8..01de1c538da5 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-PWnumberMatchingRequiredState-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with number matching is now enabled by default.' -sev Info diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 index de3ed1342621..2c1040b0fa51 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-PasswordExpireDisabled-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object { New-GraphPostRequest -type Patch -tenantid $Tenant -uri "https://graph.microsoft.com/beta/domains/$($_.id)" -body '{"passwordValidityPeriodInDays": 2147483647 }' 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 index 5fdc3e193ac6..b947d5dacb01 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-RotateDKIM-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -EQ 1024 -and $_.Enabled -eq $true } | ForEach-Object { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 index 0cfa569ee6e4..06e5d753c1c3 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-SSPR-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { Write-LogMessage -API 'Standards' -tenant $tenant -message 'SSPR standard is no longer available' -sev Error } catch { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SafeSendersDisable-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SafeSendersDisable-Remediate.ps1 new file mode 100644 index 000000000000..64fcba5c44bc --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SafeSendersDisable-Remediate.ps1 
@@ -0,0 +1,20 @@
+function Invoke-SafeSendersDisable-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ try {
+ $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' | ForEach-Object {
+ try {
+ $username = $_.UserPrincipalName
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxJunkEmailConfiguration' -cmdParams @{Identity = $_.GUID ; TrustedRecipientsAndDomains = $null } -anchor $username
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not disbale SafeSenders list for $($username): $($_.Exception.message)" -sev Warn
+ }
+ }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Safe Senders disabled' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SafeSenders. Error: $($_.exception.message)" -sev Error
+ }
+}
\ No newline at end of file
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1
index 4614993bed28..3ca668a594fc 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-SecurityDefaults-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant)
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1
index 154418d7f9c9..41f7962385ed 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1
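Review bot: The per-mailbox warning misspells "disable" (`Could not disbale SafeSenders list for ...`), and `$Mailboxes` is assigned from the `Get-Mailbox | ForEach-Object` pipeline but never read, so the assignment only suppresses the loop's output. Both are one-line fixes: correct the message text and drop the `$Mailboxes =` prefix, or use the variable. `$Settings` is accepted but not referenced; if that is intentional so every remediation function shares one signature, a short comment on the `param` line would save the next reader the question. The file is also added without a trailing newline.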
@@ -3,7 +3,7 @@ function Invoke-SendFromAlias-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $AdminAuditLogParams = @{ diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 new file mode 100644 index 000000000000..8e9aedac9eda --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 
@@ -0,0 +1,57 @@
+function Invoke-SendReceiveLimitTenant-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ # Get the tenant standards settings
+ $ConfigTable = Get-CippTable -tablename 'standards'
+ $Limits = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.SendReceiveLimitTenant.SendReceiveLimit -split ','
+ if (!$Limits) {
+ $Limits = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.SendReceiveLimitTenant.SendReceiveLimit -split ','
+ }
+
+ # Parse the send limits and convert to bytes
+ if ($Limits[0] -like '*MB*') {
+ $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1MB
+ } elseif ($Limits[0] -like '*KB*') {
+ $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1KB
+ } # Default to 35MB if invalid input
+ else {
+ $MaxSendSize = 35MB
+ }
+ # Test if the send limit is larger allowed and correct if needed
+ if ($MaxSendSize -gt 150MB) {
+ $MaxSendSize = 150MB
+ }
+
+ # Parse the receive limits and convert to bytes
+ if ($Limits[1] -like '*MB*') {
+ $MaxReceiveSize = [int]($Limits[1] -Replace '[a-zA-Z]', '') * 1MB
+ } elseif ($Limits[1] -like '*KB*') {
+ $MaxReceiveSize = [int]($Limits[1] -Replace '[a-zA-Z]', '') * 1KB
+ } # Default to 36MB if invalid input
+ else {
+ $MaxReceiveSize = 36MB
+ }
+ # Test if the receive limit is larger allowed and correct if needed
+ if ($MaxReceiveSize -gt 150MB) {
+ $MaxReceiveSize = 150MB
+ }
+
+ try {
+ # Get all mailbox plans
+ $AllMailBoxPlans = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxPlan' | Select-Object DisplayName, MaxSendSize, MaxReceiveSize, GUID
+
+ # Loop through all mailbox plans and set the send and receive limits for each if needed
+ foreach ($MailboxPlan in $AllMailBoxPlans) {
+ if ($MailboxPlan.MaxSendSize -ne $MaxSendSize -and $MailboxPlan.MaxReceiveSize -ne $MaxReceiveSize) {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxPlan' -cmdParams @{Identity = $MailboxPlan.GUID; MaxSendSize = $MaxSendSize; MaxReceiveSize = $MaxReceiveSize } -useSystemMailbox $true
+ }
+ }
+ # Write to log on success
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully set the tenant send and receive limits ' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set the tenant send and receive limits. Error: $($_.exception.message)" -sev Error
+ }
+}
\ No newline at end of file
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1
index 006930fdf7a9..b55c37008747 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-SpoofWarn-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 $ConfigTable = Get-CippTable -tablename 'standards'
 $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.spoofwarn
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1
index 39bba97132ce..503f843c620b 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-TAP-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 $ConfigTable = Get-CippTable -tablename 'standards'
 $TAPConfig = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).Standards.TAP.config
 if (!$TAPConfig) {
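Review bot: The `-and` in the per-plan condition skips any mailbox plan where only one of the two limits is wrong: a plan whose send limit already matches but whose receive limit does not is never updated. It should read `if ($MailboxPlan.MaxSendSize -ne $MaxSendSize -or $MailboxPlan.MaxReceiveSize -ne $MaxReceiveSize) {`. Separately, the `[int]` casts that parse `$Limits` run before the `try`, so a configured value the cast cannot parse (for example a suffix with no number in front of it) throws out of the function with no `Write-LogMessage` entry, unlike every other failure path in this file; moving the parsing inside the `try` keeps such failures visible in the Standards log. Whether the `MaxSendSize` returned by `Get-MailboxPlan` compares equal to a plain byte count is not visible here and is worth confirming, since if it never does the condition is always true and every plan is rewritten on each run.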
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 index f7363f1d5e85..9a2d1d50530e 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-TransportRuleTemplate-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 index 918a07153e7a..458205022395 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-UndoOauth-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}' -ContentType 'application/json' Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode has been disabled.' -sev Info diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 index 10c6bab44b6e..e1d961597176 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 
@@ -1,8 +1,8 @@ function Invoke-UndoSSPR-Remediate { - <# + <# .FUNCTIONALITY Internal #> - param($tenant) - Write-LogMessage -API 'Standards' -tenant $tenant -message 'The standard for SSPR is no longer supported.' -sev Error + param($Tenant, $Settings) + Write-LogMessage -API 'Standards' -tenant $tenant -message 'The standard for SSPR is no longer supported.' -sev Error } diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 index 2b06376b4029..359cb578322f 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-UserSubmissions-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.usersubmissions diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOAuthTokens-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOAuthTokens-Remediate.ps1 new file mode 100644 index 000000000000..b11dac74d53d --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOAuthTokens-Remediate.ps1 
@@ -0,0 +1,18 @@
+function Invoke-allowOAuthTokens-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ try {
+
+ $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -tenantid $Tenant
+ $CurrentInfo.state = 'enabled'
+ $body = ($CurrentInfo | ConvertTo-Json -Depth 10)
+ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -Type patch -Body $body -ContentType 'application/json')
+
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled software OTP/oAuth tokens' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable software OTP/oAuth tokens. Error: $($_.exception.message)" -sev 'Error'
+ }
+}
\ No newline at end of file
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOTPTokens-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOTPTokens-Remediate.ps1
new file mode 100644
index 000000000000..72cd93d9e5f1
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOTPTokens-Remediate.ps1
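Review bot: The comment-based help on this new function says only `.FUNCTIONALITY Internal` and nothing about what the remediation changes, so a reader has to decode the Graph calls to learn that it flips the softwareOath authentication method configuration to `state = 'enabled'`; a one-line `.SYNOPSIS` such as `Enables the software OATH token authentication method (softwareOath state = enabled) for the tenant.` would fix that. The same bare help block is used by Invoke-allowOTPTokens-Remediate, Invoke-intuneRequireMFA-Remediate, Invoke-SafeSendersDisable-Remediate and Invoke-SendReceiveLimitTenant-Remediate in this patch. Minor style point: `-sev 'Error'` here is quoted while every other `-sev` argument in these files is bare; pick one form.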
@@ -0,0 +1,19 @@
+function Invoke-allowOTPTokens-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ try {
+
+ $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant
+ $CurrentInfo.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')
+ $CurrentInfo.isSoftwareOathEnabled = $true
+ $body = ($CurrentInfo | ConvertTo-Json -Depth 10)
+ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json')
+
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled MS authenticator OTP/oAuth tokens' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable MS authenticator OTP/oAuth tokens. Error: $($_.exception.message)" -sev Error
+ }
+}
\ No newline at end of file
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1
index 2e559913f514..96c74fcf35fc 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-calDefault-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 $ConfigTable = Get-CippTable -tablename 'standards'
 $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.caldefault
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1
index 778a04f9720b..7e9a846c00d2 100644
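Review bot: The `$CurrentInfo.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')` line strips a property from the fetched configuration before it is PATCHed back, with no comment saying why; the next maintainer cannot tell whether the service rejects that property on write, whether it is deprecated, or whether the removal is an accident, and that property is security-relevant for the Authenticator push experience. Add a why-comment on that line, e.g. `# numberMatchingRequiredState is removed before the PATCH because <reason — TODO confirm>`, and note whether the removal changes the tenant's number-matching setting or merely avoids resending it. The fetch-mutate-PATCH sequence is otherwise the same as in Invoke-allowOAuthTokens-Remediate in the previous hunk, so a small shared helper would remove the duplication.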
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-disableMacSync-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $body = '{"isMacSyncAppEnabled": false}' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 index 0084e67d8afd..532e4c753035 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-fwdAdminAlerts-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.caldefault diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 index 138542ee7cf8..40ff19ef5e80 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-intuneDeviceReg-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) try { $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.intuneDeviceReg 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 index f3d8a4f06319..1b2bc4cfd9e5 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 @@ -3,7 +3,7 @@ function Invoke-intuneDeviceRetirementDays-Remediate { .FUNCTIONALITY Internal #> - param($tenant) + param($Tenant, $Settings) $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.DeviceInactivityBeforeRetirementInDays diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneRequireMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneRequireMFA-Remediate.ps1 new file mode 100644 index 000000000000..1decdecc18f2 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneRequireMFA-Remediate.ps1 
@@ -0,0 +1,16 @@
+function Invoke-intuneRequireMFA-Remediate {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ try {
+ $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant
+ $PreviousSetting.multiFactorAuthConfiguration = '1'
+ $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting
+ New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Set required to use MFA when joining Intune Devices' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set require to use MFA when joining Intune Devices: $($_.exception.message)" -sev Error
+ }
+}
\ No newline at end of file
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1
index 166fca5fe4c7..8599f059bc26 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-laps-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant
 $previoussetting.localadminpassword.isEnabled = $true
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1
index 558f9b683bdb..a28bb246c9bf 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1
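Review bot: `ConvertTo-Json -Compress -InputObject $PreviousSetting` relies on the cmdlet's default depth of 2, so if the deviceRegistrationPolicy object returned by Graph nests deeper than that, the deeper members are serialised as their string representation and the full `PUT` replaces those policy settings with that text; the sibling Invoke-allowOAuthTokens-Remediate in this patch passes `-Depth 10` for the same fetch-and-write pattern. Change it to `$Newbody = ConvertTo-Json -Compress -Depth 10 -InputObject $PreviousSetting`. The magic value `'1'` assigned to `multiFactorAuthConfiguration` also deserves a comment naming the option it selects, since the log message is currently the only hint.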
@@ -3,7 +3,7 @@ function Invoke-sharingCapability-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 $ConfigTable = Get-CippTable -tablename 'standards'
 $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.sharingCapability
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1
index 9b5e42d50409..0e3ef8c21ed6 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1
@@ -3,7 +3,7 @@ function Invoke-unmanagedSync-Remediate {
 .FUNCTIONALITY
 Internal
 #>
- param($tenant)
+ param($Tenant, $Settings)
 try {
 $body = '{"isUnmanagedSyncAppForTenantRestricted": false}'
diff --git a/Scheduler_Standards/function.json b/Scheduler_Standards/function.json
index 9c3371b066d6..f9f3ccb2d877 100644
--- a/Scheduler_Standards/function.json
+++ b/Scheduler_Standards/function.json
@@ -2,7 +2,7 @@
 "bindings": [
 {
 "name": "Timer",
- "schedule": "0 * */3 * * *",
+ "schedule": "0 */1 * * * *",
 "direction": "in",
 "type": "timerTrigger"
 },
diff --git a/Scheduler_Standards/run.ps1 b/Scheduler_Standards/run.ps1
index aeb13784d122..42122f8f2007 100644
--- a/Scheduler_Standards/run.ps1
+++ b/Scheduler_Standards/run.ps1
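Review bot: The timer schedule moves from `0 * */3 * * *` (every minute, but only during every third hour) to `0 */1 * * * *`, which fires the standards scheduler every minute of every hour; together with the run.ps1 hunk in this patch, which pushes one queue item per tenant-standard on every run, every configured remediation is re-queued against every tenant sixty times an hour. If this is a temporary value for testing, it should not land in the default binding; if it is intended, the enqueue path needs a last-run or de-duplication check so the same remediation is not replayed against a tenant every minute. The rest of the bindings array lies outside the hunk.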
@@ -54,13 +54,13 @@ $object = foreach ($Tenant in $Tenants) {
 }
 #For each item in our object, run the queue.
-$object | Where-Object -Property Standard -NE 'v2' #filter out the v2 standard
-foreach ($task in $object) {
+foreach ($task in $object | Where-Object -Property Standard -NE 'v2') {
 $QueueItem = [pscustomobject]@{
- Tenant = $task.Tenant
- Standard = $task.Standard
- Settings = $task.Settings
+ Tenant = $task.Tenant
+ Standard = $task.Standard
+ Settings = $task.Settings
+ FunctionName = 'CIPPStandard'
 }
-
+ Push-OutputBinding -Name QueueItem -Value $QueueItem
 }
\ No newline at end of file
From f67ce47787c8747c14ce292c6ba2714718f030a8 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Wed, 6 Dec 2023 22:23:37 +0100 Subject: [PATCH 28/78] remove functions that are not required --- .../Invoke-Orchestration-Remediate.ps1 | 32 ------------------- .../Invoke-OrchestrationStarter-Remediate.ps1 | 22 ------------- ...ke-OrchestrationStarterTimer-Remediate.ps1 | 10 ------ 3 files changed, 64 deletions(-) delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1 delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1 delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1
deleted file mode 100644
index 5e20d3ed21d4..000000000000
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-Orchestration-Remediate.ps1
+++ /dev/null
@@ -1,32 +0,0 @@ -param($Context) - -$DurableRetryOptions = @{ - FirstRetryInterval = (New-TimeSpan -Seconds 5) - MaxNumberOfAttempts = 3 - BackoffCoefficient = 2 -} -$RetryOptions = New-DurableRetryOptions @DurableRetryOptions - -$Batch = Invoke-ActivityFunction -FunctionName 'Standards_GetQueue' -Input 'LetsGo' -ErrorAction Stop -if ($null -ne $Batch -and ($Batch | Measure-Object).Count -gt 0) { - $ParallelTasks = foreach ($Item in $Batch) { - if ($item['Standard']) { - try { - Invoke-DurableActivity -FunctionName "Standards_$($item['Standard'])" -Input "$($item['Tenant'])" -NoWait -RetryOptions $RetryOptions -ErrorAction Stop - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Task error: $($_.Exception.Message)" -sev Error - } - } - } - - if (($ParallelTasks | Measure-Object).Count -gt 0) { - try { - $Outputs = Wait-ActivityFunction -Task $ParallelTasks -ErrorAction Stop - } catch { - Write-Information "Standards Wait-ActivityFunction error: $($_.Exception.Message)" - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deployment finished.' -sev Info - } -} else { - Write-Information 'No Standards to process' -} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1 deleted file mode 100644 index 514c3edf0980..000000000000 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarter-Remediate.ps1 +++ /dev/null 
@@ -1,22 +0,0 @@ -using namespace System.Net - -param($Request, $TriggerMetadata) -if ($CurrentlyRunning) { - $Results = [pscustomobject]@{"Results" = "Already running. Please wait for the current instance to finish" } - Write-LogMessage -API "StandardsApply" -message "Attempted to Standards but an instance was already running." -sev Info -} -else { - $InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration' - Write-Host "Started orchestration with ID = '$InstanceId'" - $Response = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId - Write-Host ($Response | ConvertTo-Json) - Write-LogMessage -API "Standards" -tenant $tenant -message "Started applying the standard templates to tenants." -sev Info - $Results = [pscustomobject]@{"Results" = "Started Applying Standards" } -} -Write-Host ($Orchestrator | ConvertTo-Json) - - -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $results - }) \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 deleted file mode 100644 index 4fa90a9e8720..000000000000 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OrchestrationStarterTimer-Remediate.ps1 +++ /dev/null @@ -1,10 +0,0 @@ -using namespace System.Net - -param($Timer) - -$InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration' -Write-Host "Started orchestration with ID = '$InstanceId'" - -$Response = New-OrchestrationCheckStatusResponse -Request $timer -InstanceId $InstanceId -Write-Host ($Response | ConvertTo-Json) -Write-LogMessage -API "Standards" -tenant $tenant -message "Started applying the standard templates to tenants." -sev Info From 76350cc4ae064d087c9e27261a7f8e9c8dcb16f1 Mon Sep 17 00:00:00 2001 
From: KelvinTegelaar Date: Wed, 6 Dec 2023 22:24:23 +0100 Subject: [PATCH 29/78] another not required file --- .../Remediate/Invoke-GetQueue-Remediate.ps1 | 37 ------------------- 1 file changed, 37 deletions(-) delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1 diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1 deleted file mode 100644 index 24a4f64dc523..000000000000 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GetQueue-Remediate.ps1 +++ /dev/null @@ -1,37 +0,0 @@ -param($name) - -Write-Host 'QUEUEQUE' -$Table = Get-CippTable -tablename 'standards' -$SkipList = Get-Tenants -SkipList -$Tenants = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - -$object = foreach ($Tenant in $Tenants) { - $Tenant.standards.psobject.properties.name | ForEach-Object { - $Standard = $_ - Write-Host "Standard is $Standard" - if ($Tenant.Tenant -ne 'AllTenants' -and $SkipList.defaultDomainName -notcontains $Tenant.Tenant) { - Write-Host 'Not all tenants. Single object' - if ($Standard -ne "OverrideAllTenants") { - [pscustomobject]@{ - Tenant = $tenant.Tenant - Standard = $Standard - } - } - } - elseif ($Tenant.Tenant -eq 'AllTenants') { - Get-Tenants | ForEach-Object { - $TenantForStandard = $_ - $TenantStandard = $Tenants | Where-Object { $_.Tenant -eq $TenantForStandard.defaultDomainName } - Write-Host "Working on all Tenants. Current Tenant is $($Tenant.defaultDomainName) and standard is $Standard" - if ($TenantStandard.standards.OverrideAllTenants -ne $true) { - [pscustomobject]@{ - Tenant = $_.defaultDomainName - Standard = $Standard - } - } - } - } - } -} - -$object \ No newline at end of file From 290781d97029a0e8c9864ba00d9b23233e45195e Mon Sep 17 00:00:00 2001 
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 21:52:56 +0000 Subject: [PATCH 30/78] Added Queue Requeue --- Scheduler_Extensions/run.ps1 | 36 ++++++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/Scheduler_Extensions/run.ps1 b/Scheduler_Extensions/run.ps1
index c23fbcc86ec3..767e1ec2ece5 100644
--- a/Scheduler_Extensions/run.ps1
+++ b/Scheduler_Extensions/run.ps1
@@ -37,12 +37,12 @@ if ($Configuration.NinjaOne.Enabled -eq $True) {
 Write-Host "Current Interval: $CurrentInterval"
+ $CIPPMapping = Get-CIPPTable -TableName CippMapping
+ $Filter = "PartitionKey eq 'NinjaOrgsMapping'"
+ $TenantsToProcess = Get-AzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' }
+
 if ($Null -eq $LastRunTime -or $LastRunTime -le (Get-Date).addhours(-25) -or $TimeSetting -eq $CurrentInterval) {
 Write-Host "Executing"
- $CIPPMapping = Get-CIPPTable -TableName CippMapping
- $Filter = "PartitionKey eq 'NinjaOrgsMapping'"
- $TenantsToProcess = Get-AzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' }
-
 foreach ($Tenant in $TenantsToProcess | Sort-Object lastEndTime) {
 Push-OutputBinding -Name NinjaProcess -Value @{
 'NinjaAction' = 'SyncTenant'
@@ -60,5 +60,29 @@ if ($Configuration.NinjaOne.Enabled -eq $True) {
 Write-LogMessage -API 'NinjaOneAutoMap_Queue' -user 'CIPP' -message "NinjaOne Synchronization Queued for $(($TenantsToProcess | Measure-Object).count) Tenants" -Sev 'Info'
- }
-}
\ No newline at end of file
+ } else {
+ if ($LastRunTime -lt (Get-Date).AddMinutes(-90)) {
+ $TenantsToProcess | ForEach-Object {
+ if ($Null -ne $_.lastEndTime -and $_.lastEndTime -ne ''){
+ $_.lastEndTime = (Get-Date($_.lastEndTime))
+ } else {
+ $_ | Add-Member -NotePropertyName lastEndTime -NotePropertyValue $Null -Force
+ }
+
+ if ($Null -ne $_.lastStartTime -and $_.lastStartTime -ne '') {
+ $_.lastStartTime = (Get-Date($_.lastStartTime))
+ } else {
+ $_ | Add-Member -NotePropertyName lastStartTime -NotePropertyValue $Null -Force
+ }
+ }
+ foreach ($Tenant in $TenantsToProcess | where-object { (((($_.lastEndTime -eq $Null) -or ($_.lastStartTime -gt $_.lastEndTime)) -and ($_.lastStartTime -lt (Get-Date).AddMinutes(-30)))) -or ($_.lastStartTime -lt $LastRunTime) }) {
+ Push-OutputBinding -Name NinjaProcess -Value @{
+ 'NinjaAction' = 'SyncTenant'
+ 'MappedTenant' = $Tenant
+ }
+
+ }
+ }
+
+ }
+ }
\ No newline at end of file
From 55ee7297cd1f4dea8c895de57171ea73fc69c035 Mon Sep 17 00:00:00 2001
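Review bot: The requeue branch pushes tenants back onto the NinjaProcess queue with no `Write-LogMessage` entry, while the primary path just above logs how many tenants were queued; an operator reading the log cannot see that a stale sync was re-triggered or for which tenants. Add a log line beside the `Push-OutputBinding` in the new `foreach`, mirroring the existing one, e.g. `Write-LogMessage -API 'NinjaOneAutoMap_Queue' -user 'CIPP' -message "NinjaOne sync requeued for tenant mapping $($Tenant.RowKey)" -Sev 'Info'` (use whichever property identifies the mapping row). Nothing records that a requeue happened, so if the timer fires faster than a sync updates `lastStartTime`, a tenant that never completes appears to be re-pushed on every run once `$LastRunTime` is 90 minutes old; a per-tenant requeue timestamp would bound that. The `where-object` filter also compares with `$Null` on the right (`$_.lastEndTime -eq $Null`), which PSScriptAnalyzer flags; write `$null -eq $_.lastEndTime` as the added lines above already do. The enclosing `if ($Configuration.NinjaOne.Enabled -eq $True)` block starts outside the hunk.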
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Wed, 6 Dec 2023 23:22:14 +0100 Subject: [PATCH 31/78] Logging, formatting and spellchecking For all Invoke-Adds --- .../Public/Entrypoints/Invoke-AddAPDevice.ps1 | 74 +-- .../Public/Entrypoints/Invoke-AddAlert.ps1 | 9 +- .../Entrypoints/Invoke-AddAutopilotConfig.ps1 | 113 +++-- .../Public/Entrypoints/Invoke-AddCAPolicy.ps1 | 50 +- .../Entrypoints/Invoke-AddCATemplate.ps1 | 104 ++--- .../Public/Entrypoints/Invoke-AddChocoApp.ps1 | 99 ++-- .../Public/Entrypoints/Invoke-AddContact.ps1 | 63 ++- .../Invoke-AddDefenderDeployment.ps1 | 430 +++++++++--------- .../Entrypoints/Invoke-AddEnrollment.ps1 | 94 ++-- .../Entrypoints/Invoke-AddExConnector.ps1 | 48 +- .../Invoke-AddExConnectorTemplate.ps1 | 83 ++-- .../Public/Entrypoints/Invoke-AddGroup.ps1 | 116 ++--- .../Entrypoints/Invoke-AddGroupTemplate.ps1 | 76 ++-- .../Public/Entrypoints/Invoke-AddGuest.ps1 | 90 ++-- .../Entrypoints/Invoke-AddIntuneTemplate.ps1 | 199 ++++---- .../Public/Entrypoints/Invoke-AddMSPApp.ps1 | 158 +++---- .../Entrypoints/Invoke-AddNamedLocation.ps1 | 90 ++-- .../Entrypoints/Invoke-AddOfficeApp.ps1 | 158 +++---- .../Public/Entrypoints/Invoke-AddPolicy.ps1 | 122 ++--- .../Entrypoints/Invoke-AddSharedMailbox.ps1 | 59 ++- .../Entrypoints/Invoke-AddSpamFilter.ps1 | 58 +-- .../Invoke-AddSpamFilterTemplate.ps1 | 70 +-- .../Entrypoints/Invoke-AddStandardsDeploy.ps1 | 69 +-- .../Public/Entrypoints/Invoke-AddTeam.ps1 | 78 ++-- .../Entrypoints/Invoke-AddTransportRule.ps1 | 62 +-- .../Invoke-AddTransportTemplate.ps1 | 70 +-- .../Public/Entrypoints/Invoke-AddUser.ps1 | 207 ++++----- .../Entrypoints/Invoke-AddWinGetApp.ps1 | 98 ++-- 28 files changed, 1476 insertions(+), 1471 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAPDevice.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAPDevice.ps1 index be59d3c44b89..262bb17f79bc 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAPDevice.ps1 
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAPDevice.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddAPDevice { +Function Invoke-AddAPDevice { <# .FUNCTIONALITY Entrypoint 
@@ -8,43 +8,43 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." -$TenantFilter = (Get-Tenants | Where-Object { $_.defaultDomainName -eq $Request.body.TenantFilter }).customerId -$GroupName = if ($Request.body.Groupname) { $Request.body.Groupname } else { (New-Guid).GUID } -$rawDevices = $request.body.autopilotData -$Devices = ConvertTo-Json @($rawDevices) -Write-Host $Devices -$Result = try { - $CurrentStatus = (New-GraphgetRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$tenantfilter/DeviceBatches" -scope 'https://api.partnercenter.microsoft.com/user_impersonation') - if ($groupname -in $CurrentStatus.items.id) { throw "This device batch name already exists. Please try with another name." } - $body = '{"batchId":"' + $($GroupName) + '","devices":' + $Devices + '}' - $GraphRequest = (New-GraphPostRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$TenantFilter/DeviceBatches" -body $body -scope 'https://api.partnercenter.microsoft.com/user_impersonation') - Write-Host ($GraphRequest | ConvertTo-Json) - Start-Sleep 5 - $NewStatus = New-GraphgetRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$tenantfilter/DeviceBatches" -scope 'https://api.partnercenter.microsoft.com/user_impersonation' - Write-Host $($Newstatus | ConvertTo-Json) - if ($Newstatus.totalcount -eq $CurrentStatus.totalcount) { throw "We could not find the new autopilot device. Please check if your input is correct." 
} - Write-Host $CurrentStatus.Items - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($Request.body.TenantFilter) -message "Created Autopilot devices group. Group ID is $GroupName" -Sev "Info" - "Created Autopilot devices group for $($Request.body.TenantFilter). Group ID is $GroupName" -} -catch { - "$($Request.body.TenantFilter): Failed to create autopilot devices. $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($Request.body.TenantFilter) -message "Failed to create autopilot devices. $($_.Exception.Message)" -Sev "Error" -} + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' + $TenantFilter = (Get-Tenants | Where-Object { $_.defaultDomainName -eq $Request.body.TenantFilter }).customerId + $GroupName = if ($Request.body.Groupname) { $Request.body.Groupname } else { (New-Guid).GUID } + $rawDevices = $request.body.autopilotData + $Devices = ConvertTo-Json @($rawDevices) + Write-Host $Devices + $Result = try { + $CurrentStatus = (New-GraphgetRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$tenantfilter/DeviceBatches" -scope 'https://api.partnercenter.microsoft.com/user_impersonation') + if ($groupname -in $CurrentStatus.items.id) { throw 'This device batch name already exists. Please try with another name.' 
} + $body = '{"batchId":"' + $($GroupName) + '","devices":' + $Devices + '}' + $GraphRequest = (New-GraphPostRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$TenantFilter/DeviceBatches" -body $body -scope 'https://api.partnercenter.microsoft.com/user_impersonation') + Write-Host ($GraphRequest | ConvertTo-Json) + Start-Sleep 5 + $NewStatus = New-GraphgetRequest -uri "https://api.partnercenter.microsoft.com/v1/customers/$tenantfilter/DeviceBatches" -scope 'https://api.partnercenter.microsoft.com/user_impersonation' + Write-Host $($Newstatus | ConvertTo-Json) + if ($Newstatus.totalcount -eq $CurrentStatus.totalcount) { throw 'We could not find the new autopilot device. Please check if your input is correct.' } + Write-Host $CurrentStatus.Items + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($Request.body.TenantFilter) -message "Created Autopilot devices group. Group ID is $GroupName" -Sev 'Info' + "Created Autopilot devices group for $($Request.body.TenantFilter). Group ID is $GroupName" + } + catch { + "$($Request.body.TenantFilter): Failed to create autopilot devices. $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($Request.body.TenantFilter) -message "Failed to create autopilot devices. $($_.Exception.Message)" -Sev 'Error' + } -$body = [pscustomobject]@{"Results" = $Result } -Write-Host $body -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body + $body = [pscustomobject]@{'Results' = $Result } + Write-Host $body + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body - }) + }) - } +} 
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAlert.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAlert.ps1
index 25740fc87531..475147d04df3 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAlert.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAlert.ps1
@@ -15,7 +15,8 @@ Function Invoke-AddAlert {
 try {
 $TenantID = if ($tenant -ne 'AllTenants') {
 (get-tenants | Where-Object -Property defaultDomainName -EQ $Tenant).customerId
- } else {
+ }
+ else {
 'AllTenants'
 }
 if ($Request.body.SetAlerts) {
@@ -64,7 +65,8 @@ Function Invoke-AddAlert {
 Push-OutputBinding -Name Subscription -Value $Params
 }
 }
- } else {
+ }
+ else {
 foreach ($eventType in $Request.body.EventTypes.value) {
 $params = @{
 TenantFilter = $tenant
@@ -80,7 +82,8 @@ Function Invoke-AddAlert {
 }
 "Successfully added Alert for $($Tenant) to queue."
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Successfully added Alert for $($Tenant) to queue." -Sev 'Info'
- } catch {
+ }
+ catch {
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed to add Alert for for $($Tenant) to queue" -Sev 'Error'
 "Failed to add Alert for for $($Tenant) to queue $($_.Exception.message)"
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAutopilotConfig.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAutopilotConfig.ps1
index f850042fc7d2..cb50e36fc054 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAutopilotConfig.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAutopilotConfig.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-AddAutopilotConfig {
+Function Invoke-AddAutopilotConfig {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,70 +8,69 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' -# Input bindings are passed in via param block. -$user = $request.headers.'x-ms-client-principal' -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -$displayname = $request.body.Displayname -$description = $request.body.Description -$AssignTo = if ($request.body.Assignto -ne "on") { $request.body.Assignto } -$Profbod = $Request.body -$usertype = if ($Profbod.NotLocalAdmin -eq "true") { "standard" } else { "administrator" } -$DeploymentMode = if ($profbod.DeploymentMode -eq "true") { "shared" } else { "singleUser" } -$results = foreach ($Tenant in $tenants) { - try { - $ObjBody = [pscustomobject]@{ - "@odata.type" = "#microsoft.graph.azureADWindowsAutopilotDeploymentProfile" - "displayName" = "$($displayname)" - "description" = "$($description)" - "deviceNameTemplate" = "$($profbod.DeviceNameTemplate)" - "language" = "os-default" - "enableWhiteGlove" = $([bool]($profbod.allowWhiteGlove)) - "deviceType" = "windowsPc" - "extractHardwareHash" = $([bool]($profbod.CollectHash)) - "roleScopeTagIds" = @() - "hybridAzureADJoinSkipConnectivityCheck" = $false - "outOfBoxExperienceSettings" = @{ - "deviceUsageType" = "$DeploymentMode" - "hideEscapeLink" = $([bool]($Profbod.hideChangeAccount)) - "hidePrivacySettings" = $([bool]($Profbod.hidePrivacy)) - "hideEULA" = $([bool]($Profbod.hideTerms)) - "userType" = "$usertype" - 
"skipKeyboardSelectionPage" = $([bool]($Profbod.Autokeyboard)) + # Input bindings are passed in via param block. + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + $displayname = $request.body.Displayname + $description = $request.body.Description + $AssignTo = if ($request.body.Assignto -ne 'on') { $request.body.Assignto } + $Profbod = $Request.body + $usertype = if ($Profbod.NotLocalAdmin -eq 'true') { 'standard' } else { 'administrator' } + $DeploymentMode = if ($profbod.DeploymentMode -eq 'true') { 'shared' } else { 'singleUser' } + $results = foreach ($Tenant in $tenants) { + try { + $ObjBody = [pscustomobject]@{ + '@odata.type' = '#microsoft.graph.azureADWindowsAutopilotDeploymentProfile' + 'displayName' = "$($displayname)" + 'description' = "$($description)" + 'deviceNameTemplate' = "$($profbod.DeviceNameTemplate)" + 'language' = 'os-default' + 'enableWhiteGlove' = $([bool]($profbod.allowWhiteGlove)) + 'deviceType' = 'windowsPc' + 'extractHardwareHash' = $([bool]($profbod.CollectHash)) + 'roleScopeTagIds' = @() + 'hybridAzureADJoinSkipConnectivityCheck' = $false + 'outOfBoxExperienceSettings' = @{ + 'deviceUsageType' = "$DeploymentMode" + 'hideEscapeLink' = $([bool]($Profbod.hideChangeAccount)) + 'hidePrivacySettings' = $([bool]($Profbod.hidePrivacy)) + 'hideEULA' = $([bool]($Profbod.hideTerms)) + 'userType' = "$usertype" + 'skipKeyboardSelectionPage' = $([bool]($Profbod.Autokeyboard)) + } } + $Body = ConvertTo-Json -InputObject $ObjBody + $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles' -body $body -tenantid $Tenant + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Added Autopilot profile $($Displayname)" -Sev 'Info' + if ($AssignTo) { + $AssignBody = '{"target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}}' + $assign = New-GraphPOSTRequest -uri 
"https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles/$($GraphRequest.id)/assignments" -tenantid $Tenant -type POST -body $AssignBody + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Assigned autopilot profile $($Displayname) to $AssignTo" -Sev 'Info' + } + "Successfully added profile for $($Tenant)" } - $Body = ConvertTo-Json -InputObject $ObjBody - $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles" -body $body -tenantid $Tenant - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Added Autopilot profile $($Displayname)" -Sev "Info" - if ($AssignTo) { - $AssignBody = '{"target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}}' - $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles/$($GraphRequest.id)/assignments" -tenantid $Tenant -type POST -body $AssignBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Assigned autopilot profile $($Displayname) to $AssignTo" -Sev "Info" + catch { + "Failed to add profile for $($Tenant): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Failed adding Autopilot Profile $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error' + continue } - "Successfully added profile for $($Tenant)" - } - catch { - "Failed to add profile for $($Tenant): $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Failed adding Autopilot Profile $($Displayname). 
Error: $($_.Exception.Message)" -Sev "Error" - continue - } -} + } -$body = [pscustomobject]@{"Results" = $results } + $body = [pscustomobject]@{'Results' = $results } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddCAPolicy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddCAPolicy.ps1 index ab0fcfffb7d3..ab6635459e4b 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddCAPolicy.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddCAPolicy.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddCAPolicy { +Function Invoke-AddCAPolicy { <# .FUNCTIONALITY Entrypoint 
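Review bot: The assignment log on the new side reports `Assigned autopilot profile $($Displayname) to $AssignTo`, but `$AssignBody` is hard-coded to `#microsoft.graph.allDevicesAssignmentTarget`, so the audit entry names a target the request never honoured — any `Assignto` value other than `on` assigns the profile to every device in the tenant. Either make the message truthful, `-message "Assigned autopilot profile $($Displayname) to all devices"`, or build the target object from `$AssignTo`; the logbook is the only record of what this API did in a customer tenant and should not describe a narrower scope than was applied. The OOBE flags go through `[bool]($Profbod.hideEULA)` and friends, and `[bool]'false'` is `$true` in PowerShell, while `NotLocalAdmin` and `DeploymentMode` in the same block are compared with `-eq 'true'` — presumably the UI posts strings for some of these, so normalising every flag with the `-eq 'true'` form would avoid silently enabling `enableWhiteGlove` or hiding the EULA when the caller sent `"false"`.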
@@ -8,32 +8,32 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -if ("AllTenants" -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName } + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + if ('AllTenants' -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName } -$results = foreach ($Tenant in $tenants) { - try { - $CAPolicy = New-CIPPCAPolicy -TenantFilter $tenant -state $request.body.NewState -RawJSON $Request.body.RawJSON -APIName $APIName -ExecutingUser $request.headers.'x-ms-client-principal' - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added Conditional Access Policy $($Displayname)" -Sev "Error" - "Successfully added Conditional Access Policy for $($Tenant)" - } - catch { - "Failed to add policy for $($Tenant): $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed adding Conditional Access Policy $($Displayname). 
Error: $($_.Exception.Message)" -Sev "Error" - continue - } + $results = foreach ($Tenant in $tenants) { + try { + $CAPolicy = New-CIPPCAPolicy -TenantFilter $tenant -state $request.body.NewState -RawJSON $Request.body.RawJSON -APIName $APIName -ExecutingUser $request.headers.'x-ms-client-principal' + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added Conditional Access Policy $($Displayname)" -Sev 'Info' + "Successfully added Conditional Access Policy for $($Tenant)" + } + catch { + "Failed to add policy for $($Tenant): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed to add Conditional Access Policy $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error' + continue + } -} + } -$body = [pscustomobject]@{"Results" = @($results) } + $body = [pscustomobject]@{'Results' = @($results) } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddCATemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddCATemplate.ps1 index 9fcd305891ba..9c5d7ee1261e 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddCATemplate.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddCATemplate.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddCATemplate { +Function Invoke-AddCATemplate { <# .FUNCTIONALITY Entrypoint 
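Review bot: Both log calls interpolate `$Displayname`, which is never assigned in this function (the policy name lives inside `$Request.body.RawJSON`), so the audit entry reads `Added Conditional Access Policy ` with no name — the severity fix in this hunk does not repair that. Derive it before the loop, e.g. `$Displayname = ($Request.body.RawJSON | ConvertFrom-Json).displayName` (assuming RawJSON arrives as a string, as the name suggests), so the logbook records which CA policy was pushed to each tenant; a Conditional Access change with no policy name in the trail is hard to reconcile during an incident. `$CAPolicy` is assigned but never used — if `New-CIPPCAPolicy` returns the created policy (not visible here), its `id` would be the better log key. Note that the `AllTenants` branch fans the same raw JSON and `NewState` out to every tenant returned by `Get-Tenants`, so the whole-estate blast radius rests entirely on the caller's input.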
@@ -8,65 +8,65 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$TenantFilter = $Request.Query.TenantFilter -try { - $GUID = (New-Guid).GUID - $JSON = if ($request.body.rawjson) { - ([pscustomobject]$request.body.rawjson) | ConvertFrom-Json - } - else { + $TenantFilter = $Request.Query.TenantFilter + try { + $GUID = (New-Guid).GUID + $JSON = if ($request.body.rawjson) { + ([pscustomobject]$request.body.rawjson) | ConvertFrom-Json + } + else { ([pscustomobject]$Request.body) | ForEach-Object { - $NonEmptyProperties = $_.psobject.Properties | Where-Object { $null -ne $_.Value } | Select-Object -ExpandProperty Name - $_ | Select-Object -Property $NonEmptyProperties + $NonEmptyProperties = $_.psobject.Properties | Where-Object { $null -ne $_.Value } | Select-Object -ExpandProperty Name + $_ | Select-Object -Property $NonEmptyProperties + } } - } - - $includelocations = New-Object System.Collections.ArrayList - $IncludeJSON = foreach ($Location in $JSON.conditions.locations.includeLocations) { - $locationinfo = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations" -tenantid $TenantFilter | Where-Object -Property id -EQ $location | Select-Object * -ExcludeProperty id, *time* - $null = if ($locationinfo) { $includelocations.add($locationinfo.displayName) } else { $includelocations.add($location) } - $locationinfo - } - if ($includelocations) { $JSON.conditions.locations.includeLocations = $includelocations } + $includelocations = New-Object System.Collections.ArrayList + $IncludeJSON = foreach ($Location in $JSON.conditions.locations.includeLocations) { + $locationinfo = New-GraphGetRequest -uri 
'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -tenantid $TenantFilter | Where-Object -Property id -EQ $location | Select-Object * -ExcludeProperty id, *time* + $null = if ($locationinfo) { $includelocations.add($locationinfo.displayName) } else { $includelocations.add($location) } + $locationinfo + } + if ($includelocations) { $JSON.conditions.locations.includeLocations = $includelocations } - $excludelocations = New-Object System.Collections.ArrayList - $ExcludeJSON = foreach ($Location in $JSON.conditions.locations.excludeLocations) { - $locationinfo = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations" -tenantid $TenantFilter | Where-Object -Property id -EQ $location | Select-Object * -ExcludeProperty id, *time* - $null = if ($locationinfo) { $excludelocations.add($locationinfo.displayName) } else { $excludelocations.add($location) } - $locationinfo - } - if ($excludelocations) { $JSON.conditions.locations.excludeLocations = $excludelocations } + $excludelocations = New-Object System.Collections.ArrayList + $ExcludeJSON = foreach ($Location in $JSON.conditions.locations.excludeLocations) { + $locationinfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -tenantid $TenantFilter | Where-Object -Property id -EQ $location | Select-Object * -ExcludeProperty id, *time* + $null = if ($locationinfo) { $excludelocations.add($locationinfo.displayName) } else { $excludelocations.add($location) } + $locationinfo + } - $JSON | Add-Member -NotePropertyName 'LocationInfo' -NotePropertyValue @($IncludeJSON, $ExcludeJSON) + if ($excludelocations) { $JSON.conditions.locations.excludeLocations = $excludelocations } - $JSON = ($JSON | ConvertTo-Json -Depth 100) - $Table = Get-CippTable -tablename 'templates' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$JSON" - RowKey = "$GUID" - PartitionKey = "CATemplate" - GUID 
= "$GUID" - } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Transport Rule Template $($Request.body.name) with GUID $GUID" -Sev "Debug" - $body = [pscustomobject]@{"Results" = "Successfully added template" } + $JSON | Add-Member -NotePropertyName 'LocationInfo' -NotePropertyValue @($IncludeJSON, $ExcludeJSON) + + $JSON = ($JSON | ConvertTo-Json -Depth 100) + $Table = Get-CippTable -tablename 'templates' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$JSON" + RowKey = "$GUID" + PartitionKey = 'CATemplate' + GUID = "$GUID" + } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Transport Rule Template $($Request.body.name) with GUID $GUID" -Sev 'Debug' + $body = [pscustomobject]@{'Results' = 'Successfully added template' } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create Transport Rule Template: $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Intune Template Deployment failed: $($_.Exception.Message)" } -} + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create Transport Rule Template: $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Intune Template Deployment failed: $($_.Exception.Message)" } + } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} 
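Review bot: The log and result strings still read `Created Transport Rule Template`, `Failed to create Transport Rule Template` and `Intune Template Deployment failed` although this entrypoint stores a `CATemplate` partition entry; a commit billed as logging and spellchecking is the place to change them to `Created Conditional Access Template $($Request.body.name) with GUID $GUID`, `Failed to create Conditional Access Template: …` and `Conditional Access Template creation failed: …`, otherwise searching the logbook for CA template activity turns up nothing. The named-location resolution also calls `New-GraphGetRequest` against `/identity/conditionalAccess/namedLocations` once per included and once per excluded location; fetching the list once before the two loops and filtering in memory gives the same result with a single Graph call per request. Minor: the success entry is written at `Debug` while the sibling entrypoints in this patch log creations at `Info`.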
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddChocoApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddChocoApp.ps1
index 033f7a909a6a..d469e507a5db 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddChocoApp.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddChocoApp.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-AddChocoApp {
+Function Invoke-AddChocoApp {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,57 +8,56 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -Write-Host "PowerShell HTTP trigger function processed a request." -$ChocoApp = $request.body -$intuneBody = Get-Content "AddChocoApp\choco.app.json" | ConvertFrom-Json -$assignTo = $Request.body.AssignTo -$intuneBody.description = $ChocoApp.description -$intuneBody.displayName = $chocoapp.ApplicationName -$intuneBody.installExperience.runAsAccount = if ($ChocoApp.InstallAsSystem) { "system" } else { "user" } -$intuneBody.installExperience.deviceRestartBehavior = if ($ChocoApp.DisableRestart) { "suppress" } else { "allow" } -$intuneBody.installCommandLine = "powershell.exe -executionpolicy bypass .\Install.ps1 -InstallChoco -Packagename $($chocoapp.PackageName)" -if ($ChocoApp.customrepo) { - $intuneBody.installCommandLine = $intuneBody.installCommandLine + " -CustomRepo $($chocoapp.CustomRepo)" -} -$intuneBody.UninstallCommandLine = "powershell.exe -executionpolicy bypass .\Uninstall.ps1 -Packagename $($chocoapp.PackageName)" -$intunebody.detectionRules[0].path = "$($ENV:SystemDrive)\programdata\chocolatey\lib" -$intunebody.detectionRules[0].fileOrFolderName = "$($chocoapp.PackageName)" + Write-Host 'PowerShell HTTP trigger function processed a request.' 
+ $ChocoApp = $request.body + $intuneBody = Get-Content 'AddChocoApp\choco.app.json' | ConvertFrom-Json + $assignTo = $Request.body.AssignTo + $intuneBody.description = $ChocoApp.description + $intuneBody.displayName = $chocoapp.ApplicationName + $intuneBody.installExperience.runAsAccount = if ($ChocoApp.InstallAsSystem) { 'system' } else { 'user' } + $intuneBody.installExperience.deviceRestartBehavior = if ($ChocoApp.DisableRestart) { 'suppress' } else { 'allow' } + $intuneBody.installCommandLine = "powershell.exe -executionpolicy bypass .\Install.ps1 -InstallChoco -Packagename $($chocoapp.PackageName)" + if ($ChocoApp.customrepo) { + $intuneBody.installCommandLine = $intuneBody.installCommandLine + " -CustomRepo $($chocoapp.CustomRepo)" + } + $intuneBody.UninstallCommandLine = "powershell.exe -executionpolicy bypass .\Uninstall.ps1 -Packagename $($chocoapp.PackageName)" + $intunebody.detectionRules[0].path = "$($ENV:SystemDrive)\programdata\chocolatey\lib" + $intunebody.detectionRules[0].fileOrFolderName = "$($chocoapp.PackageName)" -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -$Results = foreach ($Tenant in $tenants) { - try { - $CompleteObject = [PSCustomObject]@{ - tenant = $tenant - Applicationname = $ChocoApp.ApplicationName - assignTo = $assignTo - InstallationIntent = $request.body.InstallationIntent - IntuneBody = $intunebody - } | ConvertTo-Json -Depth 15 - $Table = Get-CippTable -tablename 'apps' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$CompleteObject" - RowKey = "$((New-Guid).GUID)" - PartitionKey = "apps" + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + $Results = foreach ($Tenant in $tenants) { + try { + $CompleteObject = [PSCustomObject]@{ + tenant = $tenant + Applicationname = $ChocoApp.ApplicationName + assignTo = $assignTo + InstallationIntent = $request.body.InstallationIntent + IntuneBody = $intunebody + } | ConvertTo-Json -Depth 15 + 
$Table = Get-CippTable -tablename 'apps' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$CompleteObject" + RowKey = "$((New-Guid).GUID)" + PartitionKey = 'apps' + } + "Successfully added Choco App for $($Tenant) to queue." + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Chocolatey Application $($intunebody.Displayname) queued to add" -Sev 'Info' + } + catch { + "Failed adding Choco App for $($Tenant) to queue" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed to add Chocolatey Application $($intunebody.Displayname) to queue" -Sev 'Error' } - "Successfully added Choco App for $($Tenant) to queue." - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Chocolatey Application $($intunebody.Displayname) queued to add" -Sev "Info" - } - catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed to add Chocolatey Application $($intunebody.Displayname) to queue" -Sev "Error" - "Failed added Choco App for $($Tenant) to queue" } -} - -$body = [pscustomobject]@{"Results" = $results } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + $body = [pscustomobject]@{'Results' = $results } - } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddContact.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddContact.ps1 index 1c4f2963635d..ebd0d9be935b 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddContact.ps1 
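Review bot: `$chocoapp.PackageName` and `$chocoapp.CustomRepo` come straight from the request body and are interpolated into `installCommandLine`/`UninstallCommandLine`, a command line Intune later executes on endpoints — as SYSTEM when `InstallAsSystem` is set — so a value containing `;`, `&` or a quote becomes extra commands rather than a package id. Validate before building the strings, e.g. `if ($ChocoApp.PackageName -notmatch '^[A-Za-z0-9._-]+$') { throw "Invalid package name" }` (Chocolatey ids use only those characters) and `[uri]$ChocoApp.CustomRepo` for the repo, and surface the failure in `Results` rather than queueing the app. The detection-rule path uses `$ENV:SystemDrive` of the Function App host, not of the target device — presumably that is `C:` on the Windows plan CIPP runs on, but a literal `C:\programdata\chocolatey\lib` would not depend on where the function executes. The catch branch also omits `$_.Exception.Message`, unlike the other entrypoints in this patch, so a failed queue insert is logged without a reason.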
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddContact.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-AddContact {
+Function Invoke-AddContact {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,41 +8,40 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$contactobj = $Request.body -$user = $request.headers.'x-ms-client-principal' + $contactobj = $Request.body -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." -try { + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' + try { - $BodyToship = [pscustomobject] @{ - "displayName" = $contactobj.Displayname - "name" = $contactobj.displayName - "ExternalEmailAddress" = $contactobj.Email - FirstName = $contactObj.firstname - lastname = $contactobj.lastname + $BodyToship = [pscustomobject] @{ + 'displayName' = $contactobj.Displayname + 'name' = $contactobj.displayName + 'ExternalEmailAddress' = $contactobj.Email + FirstName = $contactObj.firstname + lastname = $contactobj.lastname - } - $NewContact = New-ExoRequest -tenantid $Request.body.tenantid -cmdlet "New-MailContact" -cmdparams $BodyToship -UseSystemMailbox $true - Write-Host ( $NewContact | ConvertTo-Json) - New-ExoRequest -tenantid $Request.body.tenantid -cmdlet "Set-MailContact" -cmdparams @{identity = $NewContact.id; HiddenFromAddressListsEnabled = [boolean]$contactobj.hidefromGAL } -UseSystemMailbox $true - $body = [pscustomobject]@{"Results" = "Successfully added a contact." 
} - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($contactobj.tenantid) -message "Created contact $($contactobj.displayname) with id $($GraphRequest.id) for " -Sev "Info" + } + $NewContact = New-ExoRequest -tenantid $Request.body.tenantid -cmdlet 'New-MailContact' -cmdparams $BodyToship -UseSystemMailbox $true + Write-Host ( $NewContact | ConvertTo-Json) + New-ExoRequest -tenantid $Request.body.tenantid -cmdlet 'Set-MailContact' -cmdparams @{identity = $NewContact.id; HiddenFromAddressListsEnabled = [boolean]$contactobj.hidefromGAL } -UseSystemMailbox $true + $body = [pscustomobject]@{'Results' = 'Successfully added a contact.' } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($contactobj.tenantid) -message "Created contact $($contactobj.displayname) with id $($GraphRequest.id) for " -Sev 'Info' -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($contactobj.tenantid) -message "contact creation API failed. $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Failed to create contact. $($_.Exception.Message)" } + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($contactobj.tenantid) -message "Contact creation API failed. $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Failed to create contact. $($_.Exception.Message)" } -} + } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $Body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Body + }) - } +} 
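Review bot: The success log references `$GraphRequest.id`, but nothing in this function assigns `$GraphRequest` — the created object is `$NewContact` — so the audit line ends `with id  for ` with no identifier and a dangling `for`. Use the object at hand: `-message "Created contact $($contactobj.displayname) with id $($NewContact.id)"`. Also `HiddenFromAddressListsEnabled = [boolean]$contactobj.hidefromGAL` turns the string `'false'` into `$true` (any non-empty string is truthy in PowerShell), so if the UI posts that flag as a string the contact is hidden when the caller asked for it to be visible; `Invoke-AddAutopilotConfig` in this same patch uses the `-eq 'true'` comparison, and `HiddenFromAddressListsEnabled = ($contactobj.hidefromGAL -eq 'true')` behaves correctly for both real booleans and strings. `Write-Host ($NewContact | ConvertTo-Json)` additionally writes the whole contact record, including the external address, to the function log stream.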
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddDefenderDeployment.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddDefenderDeployment.ps1
index 8d2fcc9113b3..e38a8fd67769 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddDefenderDeployment.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddDefenderDeployment.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-AddDefenderDeployment {
+Function Invoke-AddDefenderDeployment {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,237 +8,237 @@ [CmdletBinding()]
 param($Request, $TriggerMetadata)
- $APIName = $TriggerMetadata.FunctionName
-Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug"
+ $APIName = $TriggerMetadata.FunctionName
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
-$Tenants = ($Request.body.selectedTenants).defaultDomainName
-if ("AllTenants" -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName }
-$Compliance = $request.body.Compliance
-$PolicySettings = $request.body.Policy
-$ASR = $request.body.ASR
-$EDR = $request.body.EDR
-$results = foreach ($Tenant in $tenants) {
- try {
- $SettingsObj = @{
- id = 'fc780465-2017-40d4-a0c5-307022471b92'
- androidEnabled = [bool]$Compliance.ConnectAndroid
- iosEnabled = [bool]$Compliance.ConnectIos
- windowsEnabled = [bool]$Compliance.Connectwindows
- macEnabled = [bool]$Compliance.ConnectMac
- partnerUnsupportedOsVersionBlocked = [bool]$Compliance.BlockunsupportedOS
- partnerUnresponsivenessThresholdInDays = 7
- allowPartnerToCollectIOSApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
- allowPartnerToCollectIOSPersonalApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
- androidMobileApplicationManagementEnabled = [bool]$Compliance.ConnectAndroidCompliance
- iosMobileApplicationManagementEnabled = [bool]$Compliance.appSync
- microsoftDefenderForEndpointAttachEnabled = [bool]$compliance.AllowMEMEnforceCompliance
- } | ConvertTo-Json -Compress
- $SettingsRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/" -tenantid $tenant -type POST -body $SettingsObj
- "$($Tenant): Successfully set Defender Compliance and Reporting settings"
-
- $Settings = switch ($PolicySettings) {
- { $_.ScanArchives } {
- @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning'; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_1'; settingValueTemplateReference = @{settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' } } }
- } { $_.AllowBehavior } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowbehaviormonitoring' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowbehaviormonitoring_1'; settingValueTemplateReference = @{settingValueTemplateId = '905921da-95e2-4a10-9e30-fe5540002ce1' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = '8eef615a-1aa0-46f4-a25a-12cbe65de5ab' } } }
- } { $_.AllowCloudProtection } {
- @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowcloudprotection'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowcloudprotection_1'; settingValueTemplateReference = @{settingValueTemplateId = '16fe8afd-67be-4c50-8619-d535451a500c' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = '7da139f1-9b7e-407d-853a-c2e5037cdc70' } } }
- } { $_.AllowEmailScanning } {
- @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowemailscanning' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowemailscanning_1'; settingValueTemplateReference = @{settingValueTemplateId = 'fdf107fd-e13b-4507-9d8f-db4d93476af9' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'b0d9ee81-de6a-4750-86d7-9397961c9852' } } }
- } { $_.AllowFullScanNetwork } {
- @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowfullscanonmappednetworkdrives' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowfullscanonmappednetworkdrives_1' ; settingValueTemplateReference = @{settingValueTemplateId = '3e920b10-3773-4ac5-957e-e5573aec6d04' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'dac47505-f072-48d6-9f23-8d93262d58ed' } } }
- } { $_.AllowFullScanRemovable } {
- @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowfullscanremovabledrivescanning' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowfullscanremovabledrivescanning_1' ; settingValueTemplateReference = @{settingValueTemplateId = '366c5727-629b-4a81-b50b-52f90282fa2c' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'fb36e70b-5bc9-488a-a949-8ea3ac1634d5' } } }
- } { $_.AllowIPS } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowintrusionpreventionsystem' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowintrusionpreventionsystem_1'; settingValueTemplateReference = @{settingValueTemplateId = '03738a99-7065-44cb-ba1e-93530ed906a7' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'd47f06e2-5378-43f2-adbc-e924538f1512' } } }
- } { $_.AllowDownloadable } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowioavprotection' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowioavprotection_1'; settingValueTemplateReference = @{settingValueTemplateId = 'df4e6cbd-f7ff-41c8-88cd-fa25264a237e' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'fa06231d-aed4-4601-b631-3a37e85b62a0' } } }
- } { $_.AllowRealTime } {
- @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring_1'; settingValueTemplateReference = @{settingValueTemplateId = '0492c452-1069-4b91-9363-93b8e006ab12' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'f0790e28-9231-4d37-8f44-84bb47ca1b3e' } } }
- } { $_.AllowNetwork } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowscanningnetworkfiles' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowscanningnetworkfiles_1' ; settingValueTemplateReference = @{settingValueTemplateId = '7b8c858c-a17d-4623-9e20-f34b851670ce' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'f8f28442-0a6b-4b52-b42c-d31d9687c1cf' } } }
- } { $_.AllowScriptScan } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowscriptscanning'; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowscriptscanning_1'; settingValueTemplateReference = @{settingValueTemplateId = 'ab9e4320-c953-4067-ac9a-be2becd06b4a' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = '000cf176-949c-4c08-a5d4-90ed43718db7' } } }
- } { $_.AllowUI } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowuseruiaccess' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowuseruiaccess_1' ; settingValueTemplateReference = @{settingValueTemplateId = '4b6c9739-4449-4006-8e5f-3049136470ea' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = '0170a900-b0bc-4ccc-b7ce-dda9be49189b' } } }
- } { $_.CheckSig } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_checkforsignaturesbeforerunningscan' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_checkforsignaturesbeforerunningscan_1' ; settingValueTemplateReference = @{settingValueTemplateId = '010779d1-edd4-441d-8034-89ad57a863fe' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = '4fea56e3-7bb6-4ad3-88c6-e364dd2f97b9' } } }
- } { $_.DisableCatchupFullScan } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_disablecatchupfullscan'; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_disablecatchupfullscan_1' ; settingValueTemplateReference = @{settingValueTemplateId = '1b26092f-48c4-447b-99d4-e9c501542f1c' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'f881b08c-f047-40d2-b7d9-3dde7ce9ef64' } } }
- } { $_.DisableCatchupQuickScan } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_disablecatchupquickscan' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_disablecatchupquickscan_1' ; settingValueTemplateReference = @{settingValueTemplateId = 'd263ced7-0d23-4095-9326-99c8b3f5d35b' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'dabf6781-9d5d-42da-822a-d4327aa2bdd1' } } }
- } { $_.NetworkProtectionBlock } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_enablenetworkprotection' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_enablenetworkprotection_1' ; settingValueTemplateReference = @{settingValueTemplateId = 'ee58fb51-9ae5-408b-9406-b92b643f388a' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'f53ab20e-8af6-48f5-9fa1-46863e1e517e' } } }
- } { $_.LowCPU } {
- @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_enablelowcpupriority' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_enablelowcpupriority_1' ; settingValueTemplateReference = @{settingValueTemplateId = '045a4a13-deee-4e24-9fe4-985c9357680d' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'cdeb96cf-18f5-4477-a710-0ea9ecc618af' } } }
+ $Tenants = ($Request.body.selectedTenants).defaultDomainName
+ if ('AllTenants' -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName }
+ $Compliance = $request.body.Compliance
+ $PolicySettings = $request.body.Policy
+ $ASR = $request.body.ASR
+ $EDR = $request.body.EDR
+ $results = foreach ($Tenant in $tenants) {
+ try {
+ $SettingsObj = @{
+ id = 'fc780465-2017-40d4-a0c5-307022471b92'
+ androidEnabled = [bool]$Compliance.ConnectAndroid
+ iosEnabled = [bool]$Compliance.ConnectIos
+ windowsEnabled = [bool]$Compliance.Connectwindows
+ macEnabled = [bool]$Compliance.ConnectMac
+ partnerUnsupportedOsVersionBlocked = [bool]$Compliance.BlockunsupportedOS
+ partnerUnresponsivenessThresholdInDays = 7
+ allowPartnerToCollectIOSApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
+ allowPartnerToCollectIOSPersonalApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
+ androidMobileApplicationManagementEnabled = [bool]$Compliance.ConnectAndroidCompliance
+ iosMobileApplicationManagementEnabled = [bool]$Compliance.appSync
+ microsoftDefenderForEndpointAttachEnabled = [bool]$compliance.AllowMEMEnforceCompliance
+ } | ConvertTo-Json -Compress
+ $SettingsRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/' -tenantid $tenant -type POST -body $SettingsObj
+ "$($Tenant): Successfully set Defender Compliance and Reporting settings"
+
+ $Settings = switch ($PolicySettings) {
+ { $_.ScanArchives } {
+ @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowarchivescanning'; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowarchivescanning_1'; settingValueTemplateReference = @{settingValueTemplateId = '9ead75d4-6f30-4bc5-8cc5-ab0f999d79f0' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = '7c5c9cde-f74d-4d11-904f-de4c27f72d89' } } }
+ } { $_.AllowBehavior } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowbehaviormonitoring' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowbehaviormonitoring_1'; settingValueTemplateReference = @{settingValueTemplateId = '905921da-95e2-4a10-9e30-fe5540002ce1' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = '8eef615a-1aa0-46f4-a25a-12cbe65de5ab' } } }
+ } { $_.AllowCloudProtection } {
+ @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowcloudprotection'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowcloudprotection_1'; settingValueTemplateReference = @{settingValueTemplateId = '16fe8afd-67be-4c50-8619-d535451a500c' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = '7da139f1-9b7e-407d-853a-c2e5037cdc70' } } }
+ } { $_.AllowEmailScanning } {
+ @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowemailscanning' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowemailscanning_1'; settingValueTemplateReference = @{settingValueTemplateId = 'fdf107fd-e13b-4507-9d8f-db4d93476af9' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'b0d9ee81-de6a-4750-86d7-9397961c9852' } } }
+ } { $_.AllowFullScanNetwork } {
+ @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowfullscanonmappednetworkdrives' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowfullscanonmappednetworkdrives_1' ; settingValueTemplateReference = @{settingValueTemplateId = '3e920b10-3773-4ac5-957e-e5573aec6d04' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'dac47505-f072-48d6-9f23-8d93262d58ed' } } }
+ } { $_.AllowFullScanRemovable } {
+ @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowfullscanremovabledrivescanning' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowfullscanremovabledrivescanning_1' ; settingValueTemplateReference = @{settingValueTemplateId = '366c5727-629b-4a81-b50b-52f90282fa2c' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'fb36e70b-5bc9-488a-a949-8ea3ac1634d5' } } }
+ } { $_.AllowIPS } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowintrusionpreventionsystem' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowintrusionpreventionsystem_1'; settingValueTemplateReference = @{settingValueTemplateId = '03738a99-7065-44cb-ba1e-93530ed906a7' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'd47f06e2-5378-43f2-adbc-e924538f1512' } } }
+ } { $_.AllowDownloadable } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowioavprotection' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowioavprotection_1'; settingValueTemplateReference = @{settingValueTemplateId = 'df4e6cbd-f7ff-41c8-88cd-fa25264a237e' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'fa06231d-aed4-4601-b631-3a37e85b62a0' } } }
+ } { $_.AllowRealTime } {
+ @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring_1'; settingValueTemplateReference = @{settingValueTemplateId = '0492c452-1069-4b91-9363-93b8e006ab12' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'f0790e28-9231-4d37-8f44-84bb47ca1b3e' } } }
+ } { $_.AllowNetwork } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowscanningnetworkfiles' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_allowscanningnetworkfiles_1' ; settingValueTemplateReference = @{settingValueTemplateId = '7b8c858c-a17d-4623-9e20-f34b851670ce' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'f8f28442-0a6b-4b52-b42c-d31d9687c1cf' } } }
+ } { $_.AllowScriptScan } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowscriptscanning'; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowscriptscanning_1'; settingValueTemplateReference = @{settingValueTemplateId = 'ab9e4320-c953-4067-ac9a-be2becd06b4a' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = '000cf176-949c-4c08-a5d4-90ed43718db7' } } }
+ } { $_.AllowUI } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowuseruiaccess' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_allowuseruiaccess_1' ; settingValueTemplateReference = @{settingValueTemplateId = '4b6c9739-4449-4006-8e5f-3049136470ea' } }; settingInstanceTemplateReference = @{settingInstanceTemplateId = '0170a900-b0bc-4ccc-b7ce-dda9be49189b' } } }
+ } { $_.CheckSig } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_checkforsignaturesbeforerunningscan' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_checkforsignaturesbeforerunningscan_1' ; settingValueTemplateReference = @{settingValueTemplateId = '010779d1-edd4-441d-8034-89ad57a863fe' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = '4fea56e3-7bb6-4ad3-88c6-e364dd2f97b9' } } }
+ } { $_.DisableCatchupFullScan } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_disablecatchupfullscan'; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_disablecatchupfullscan_1' ; settingValueTemplateReference = @{settingValueTemplateId = '1b26092f-48c4-447b-99d4-e9c501542f1c' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'f881b08c-f047-40d2-b7d9-3dde7ce9ef64' } } }
+ } { $_.DisableCatchupQuickScan } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_disablecatchupquickscan' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_disablecatchupquickscan_1' ; settingValueTemplateReference = @{settingValueTemplateId = 'd263ced7-0d23-4095-9326-99c8b3f5d35b' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'dabf6781-9d5d-42da-822a-d4327aa2bdd1' } } }
+ } { $_.NetworkProtectionBlock } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting'; settingInstance = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_enablenetworkprotection' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_enablenetworkprotection_1' ; settingValueTemplateReference = @{settingValueTemplateId = 'ee58fb51-9ae5-408b-9406-b92b643f388a' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'f53ab20e-8af6-48f5-9fa1-46863e1e517e' } } }
+ } { $_.LowCPU } {
+ @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' ; settingInstance = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_enablelowcpupriority' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_enablelowcpupriority_1' ; settingValueTemplateReference = @{settingValueTemplateId = '045a4a13-deee-4e24-9fe4-985c9357680d' } } ; settingInstanceTemplateReference = @{settingInstanceTemplateId = 'cdeb96cf-18f5-4477-a710-0ea9ecc618af' } } }
+ } }
- }
- $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -tenantid $tenant
- Write-Host ($CheckExististing | ConvertTo-Json)
- if ('Default AV Policy' -in $CheckExististing.Name) {
- "$($Tenant): AV Policy already exists. Skipping"
- }
- else {
- $PolBody = ConvertTo-Json -Depth 10 -Compress -InputObject @{
- name = 'Default AV Policy'
+ $CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant
+ Write-Host ($CheckExististing | ConvertTo-Json)
+ if ('Default AV Policy' -in $CheckExististing.Name) {
+ "$($Tenant): AV Policy already exists. Skipping"
+ }
+ else {
+ $PolBody = ConvertTo-Json -Depth 10 -Compress -InputObject @{
+ name = 'Default AV Policy'
+ description = ''
+ platforms = 'windows10'
+ technologies = 'mdm,microsoftSense'
+ roleScopeTagIds = @('0')
+ templateReference = @{templateId = '804339ad-1553-4478-a742-138fb5807418_1' }
+ settings = $Settings
+ }
+ $PolicyRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant -type POST -body $PolBody
+ if ($PolicySettings.AssignTo -ne 'None') {
+ $AssignBody = if ($PolicySettings.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($PolicySettings.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
+ $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($PolicyRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $($PolicySettings.AssignTo)" -Sev 'Info'
+ }
+ "$($Tenant): Successfully set Default AV Policy settings"
+ }
+ $ASRSettings = switch ($ASR) {
+ { $_.BlockAdobeChild } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue'; ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block' } } }
+ { $_.BlockWin32Macro } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue'; ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block' } } }
+ { $_.BlockCredentialStealing } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_block' } } }
+ { $_.BlockPSExec } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_block' } } }
+ { $_.WMIPersistence } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_block' } } }
+ { $_.BlockOfficeExes } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_block' } } }
+ { $_.BlockOfficeApps } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_block' } } }
+ { $_.BlockYoungExe } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_block' } } }
+ { $_.blockJSVB } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block' } } }
+ { $_.blockOfficeComChild } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_block' } } }
+ { $_.blockOfficeChild } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_block' } } }
+ { $_.BlockUntrustedUSB } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_block' } } }
+ { $_.EnableRansomwareVac } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_block' } } }
+ { $_.BlockExesMail } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail' ; choiceSettingValue = @{ '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_block' } } } + { $_.BlockUnsignedDrivers } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers'; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_block' } } } + + } + + + $ASRbody = ConvertTo-Json -Depth 15 -Compress -InputObject @{ + name = 'ASR Default rules' description = '' platforms = 'windows10' technologies = 'mdm,microsoftSense' roleScopeTagIds = @('0') - templateReference = @{templateId = '804339ad-1553-4478-a742-138fb5807418_1' } - settings = $Settings - } - $PolicyRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -tenantid $tenant -type POST -body $PolBody - if ($PolicySettings.AssignTo -ne "None") { - $AssignBody = if ($PolicySettings.AssignTo -ne "AllDevicesAndUsers") { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' 
+ $($PolicySettings.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } - $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($PolicyRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $($PolicySettings.AssignTo)" -Sev "Info" + templateReference = @{templateId = 'e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1' } + settings = @(@{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' + settingInstance = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + groupSettingCollectionValue = @(@{children = $asrSettings }) + settingInstanceTemplateReference = @{settingInstanceTemplateId = '19600663-e264-4c02-8f55-f2983216d6d7' } + } + }) } - "$($Tenant): Successfully set Default AV Policy settings" - } - $ASRSettings = switch ($ASR) { - { $_.BlockAdobeChild } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue'; ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block' } } } - { $_.BlockWin32Macro } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 
'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue'; ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block' } } } - { $_.BlockCredentialStealing } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_block' } } } - { $_.BlockPSExec } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_block' } } } - { $_.WMIPersistence } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_block' } } } - { $_.BlockOfficeExes } { @{ '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_block' } } } - { $_.BlockOfficeApps } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_block' } } } - { $_.BlockYoungExe } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_block' } } } - { $_.blockJSVB } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 
'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block' } } } - { $_.blockOfficeComChild } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses' ; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_block' } } } - { $_.blockOfficeChild } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_block' } } } - { $_.BlockUntrustedUSB } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' ; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb'; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_block' } } } - { $_.EnableRansomwareVac } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware'; choiceSettingValue = @{ '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationchoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_block' } } } - { $_.BlockExesMail } { @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail' ; choiceSettingValue = @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue' ; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_block' } } } - { $_.BlockUnsignedDrivers } { @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'; settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers'; choiceSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationchoiceSettingValue'; value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_block' } } } - - } - - - $ASRbody = ConvertTo-Json -Depth 15 -Compress -InputObject @{ - name = 'ASR Default rules' - description = '' - platforms = 'windows10' - technologies = 'mdm,microsoftSense' - roleScopeTagIds = @('0') - templateReference = @{templateId = 'e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1' } - settings = @(@{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' - settingInstance = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' - groupSettingCollectionValue = @(@{children = $asrSettings }) - settingInstanceTemplateReference = @{settingInstanceTemplateId = '19600663-e264-4c02-8f55-f2983216d6d7' } - } - }) - } - 
$CheckExististingASR = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -tenantid $tenant - if ('ASR Default rules' -in $CheckExististingASR.Name) { - "$($Tenant): ASR Policy already exists. Skipping" - } - else { - Write-Host $ASRbody - $ASRRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -tenantid $tenant -type POST -body $ASRbody - Write-Host ($ASRRequest.id) - if ($ASR.AssignTo -ne "none") { - $AssignBody = if ($ASR.AssignTo -ne "AllDevicesAndUsers") { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } - $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($ASRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $($ASR.AssignTo)" -Sev "Info" + $CheckExististingASR = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant + if ('ASR Default rules' -in $CheckExististingASR.Name) { + "$($Tenant): ASR Policy already exists. 
Skipping" } - "$($Tenant): Successfully added ASR Settings" - } - - $EDRSettings = switch ($EDR) { - { $_.SampleSharing } { - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' - settingInstance = @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" - settingDefinitionId = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing" - choiceSettingValue = @{ - settingValueTemplateReference = @{settingValueTemplateId = "f72c326c-7c5b-4224-b890-0b9b54522bd9" } - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue" - 'value' = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_1" - } - settingInstanceTemplateReference = @{settingInstanceTemplateId = "6998c81e-2814-4f5e-b492-a6159128a97b" } - } - } + else { + Write-Host $ASRbody + $ASRRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant -type POST -body $ASRbody + Write-Host ($ASRRequest.id) + if ($ASR.AssignTo -ne 'none') { + $AssignBody = if ($ASR.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' 
+ $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } + $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($ASRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $($ASR.AssignTo)" -Sev 'Info' + } + "$($Tenant): Successfully added ASR Settings" } - { $_.Telemetry } { - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' - settingInstance = @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" - settingDefinitionId = "device_vendor_msft_windowsadvancedthreatprotection_configuration_telemetryreportingfrequency" - choiceSettingValue = @{ - settingValueTemplateReference = @{settingValueTemplateId = "350b0bea-b67b-43d4-9a04-c796edb961fd" } - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue" - 'value' = "device_vendor_msft_windowsadvancedthreatprotection_configuration_telemetryreportingfrequency_2" + + $EDRSettings = switch ($EDR) { + { $_.SampleSharing } { + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' + settingInstance = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' + choiceSettingValue = @{ + settingValueTemplateReference = @{settingValueTemplateId = 'f72c326c-7c5b-4224-b890-0b9b54522bd9' } + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' + 'value' = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_1' + } + 
settingInstanceTemplateReference = @{settingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' } } - settingInstanceTemplateReference = @{settingInstanceTemplateId = "03de6095-07c4-4f35-be38-c1cd3bae4484" } - } - } - - } - { $_.Config } { - @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' - settingInstance = @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" - settingDefinitionId = "device_vendor_msft_windowsadvancedthreatprotection_configurationtype" - choiceSettingValue = @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue" - 'value' = "device_vendor_msft_windowsadvancedthreatprotection_configurationtype_autofromconnector" - settingValueTemplateReference = @{settingValueTemplateId = "e5c7c98c-c854-4140-836e-bd22db59d651" } - children = @(@{'@odata.type' = "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance" ; settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding_fromconnector' ; simpleSettingValue = @{'@odata.type' = "#microsoft.graph.deviceManagementConfigurationSecretSettingValue" ; value = "Microsoft ATP connector enabled"; valueState = "NotEncrypted" } } ) + } + } + { $_.Telemetry } { + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' + settingInstance = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_telemetryreportingfrequency' + choiceSettingValue = @{ + settingValueTemplateReference = @{settingValueTemplateId = '350b0bea-b67b-43d4-9a04-c796edb961fd' } + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' + 'value' = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_telemetryreportingfrequency_2' + } + settingInstanceTemplateReference = @{settingInstanceTemplateId = 
'03de6095-07c4-4f35-be38-c1cd3bae4484' } } + } + + } + { $_.Config } { + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' + settingInstance = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype' + choiceSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingValue' + 'value' = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype_autofromconnector' + settingValueTemplateReference = @{settingValueTemplateId = 'e5c7c98c-c854-4140-836e-bd22db59d651' } + children = @(@{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' ; settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding_fromconnector' ; simpleSettingValue = @{'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSecretSettingValue' ; value = 'Microsoft ATP connector enabled'; valueState = 'NotEncrypted' } } ) + } - settingInstanceTemplateReference = @{settingInstanceTemplateId = "23ab0ea3-1b12-429a-8ed0-7390cf699160" } - } - } + settingInstanceTemplateReference = @{settingInstanceTemplateId = '23ab0ea3-1b12-429a-8ed0-7390cf699160' } + } + } + } } - } - $EDRbody = ConvertTo-Json -Depth 15 -Compress -InputObject @{ - name = 'EDR Configuration' - description = '' - platforms = 'windows10' - technologies = 'mdm,microsoftSense' - roleScopeTagIds = @('0') - templateReference = @{templateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' } - settings = @($EDRSettings) - } - Write-Host ( $EDRbody) - $CheckExististingEDR = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -tenantid $tenant - if ('EDR Configuration' -in $CheckExististingEDR.Name) { - "$($Tenant): EDR Policy already exists. 
Skipping" - } - else { - $EDRRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -tenantid $tenant -type POST -body $EDRbody - if ($ASR.AssignTo -ne "none") { - $AssignBody = if ($ASR.AssignTo -ne "AllDevicesAndUsers") { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } - $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($EDRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned EDR policy $($Displayname) to $($ASR.AssignTo)" -Sev "Info" + $EDRbody = ConvertTo-Json -Depth 15 -Compress -InputObject @{ + name = 'EDR Configuration' + description = '' + platforms = 'windows10' + technologies = 'mdm,microsoftSense' + roleScopeTagIds = @('0') + templateReference = @{templateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' } + settings = @($EDRSettings) + } + Write-Host ( $EDRbody) + $CheckExististingEDR = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant + if ('EDR Configuration' -in $CheckExististingEDR.Name) { + "$($Tenant): EDR Policy already exists. Skipping" + } + else { + $EDRRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant -type POST -body $EDRbody + if ($ASR.AssignTo -ne 'none') { + $AssignBody = if ($ASR.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' 
+ $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } + $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($EDRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned EDR policy $($Displayname) to $($ASR.AssignTo)" -Sev 'Info' + } + "$($Tenant): Successfully added EDR Settings" } - "$($Tenant): Successfully added EDR Settings" + + } + catch { + "Failed to add policy for $($Tenant): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed adding policy $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error' + continue } } - catch { - "Failed to add policy for $($Tenant): $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed adding policy $($Displayname). Error: $($_.Exception.Message)" -Sev "Error" - continue - } - -} -$body = [pscustomobject]@{"Results" = @($results) } + $body = [pscustomobject]@{'Results' = @($results) } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddEnrollment.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddEnrollment.ps1 index 512c7ac30956..196c0e1dca26 100644 
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddEnrollment.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddEnrollment.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-AddEnrollment {
+Function Invoke-AddEnrollment {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,57 +8,57 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' -# Input bindings are passed in via param block. -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -$Profbod = $Request.body -$results = foreach ($Tenant in $tenants) { - try { - $ObjBody = [pscustomobject]@{ - "@odata.type" = "#microsoft.graph.windows10EnrollmentCompletionPageConfiguration" - "id" = "DefaultWindows10EnrollmentCompletionPageConfiguration" - "displayName" = "All users and all devices" - "description" = "This is the default enrollment status screen configuration applied with the lowest priority to all users and all devices regardless of group membership." - "showInstallationProgress" = [bool]$Profbod.ShowProgress - "blockDeviceSetupRetryByUser" = [bool]$Profbod.blockDevice - "allowDeviceResetOnInstallFailure" = [bool]$Profbod.AllowReset - "allowLogCollectionOnInstallFailure" = [bool]$Profbod.EnableLog - "customErrorMessage" = $Profbod.ErrorMessage - "installProgressTimeoutInMinutes" = $Profbod.TimeOutInMinutes - "allowDeviceUseOnInstallFailure" = [bool]$Profbod.AllowFail - "selectedMobileAppIds" = @() - "trackInstallProgressForAutopilotOnly" = [bool]$Profbod.OBEEOnly - "disableUserStatusTrackingAfterFirstUser" = $true - "roleScopeTagIds" = @() + # Input bindings are passed in via param block. 
+ $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + $Profbod = $Request.body + $results = foreach ($Tenant in $tenants) { + try { + $ObjBody = [pscustomobject]@{ + '@odata.type' = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration' + 'id' = 'DefaultWindows10EnrollmentCompletionPageConfiguration' + 'displayName' = 'All users and all devices' + 'description' = 'This is the default enrollment status screen configuration applied with the lowest priority to all users and all devices regardless of group membership.' + 'showInstallationProgress' = [bool]$Profbod.ShowProgress + 'blockDeviceSetupRetryByUser' = [bool]$Profbod.blockDevice + 'allowDeviceResetOnInstallFailure' = [bool]$Profbod.AllowReset + 'allowLogCollectionOnInstallFailure' = [bool]$Profbod.EnableLog + 'customErrorMessage' = $Profbod.ErrorMessage + 'installProgressTimeoutInMinutes' = $Profbod.TimeOutInMinutes + 'allowDeviceUseOnInstallFailure' = [bool]$Profbod.AllowFail + 'selectedMobileAppIds' = @() + 'trackInstallProgressForAutopilotOnly' = [bool]$Profbod.OBEEOnly + 'disableUserStatusTrackingAfterFirstUser' = $true + 'roleScopeTagIds' = @() + } + $Body = ConvertTo-Json -InputObject $ObjBody + Write-Host $body + $ExistingStatusPage = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations' -tenantid $Tenant) | Where-Object { $_.id -like '*DefaultWindows10EnrollmentCompletionPageConfiguration' } + $GraphRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($ExistingStatusPage.ID)" -body $body -Type PATCH -tenantid $tenant + "Successfully changed default enrollment status page for $($Tenant)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Added Autopilot Enrollment Status Page $($Displayname)" -Sev 'Info' + + } + catch { + "Failed to change default enrollment status page for $($Tenant): 
$($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed adding Autopilot Enrollment Status Page $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error' + continue } - $Body = ConvertTo-Json -InputObject $ObjBody - Write-Host $body - $ExistingStatusPage = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations" -tenantid $Tenant) | Where-Object { $_.id -like "*DefaultWindows10EnrollmentCompletionPageConfiguration" } - $GraphRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($ExistingStatusPage.ID)" -body $body -Type PATCH -tenantid $tenant - "Successfully changed default enrollment status page for $($Tenant)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Added Autopilot Enrollment Status Page $($Displayname)" -Sev "Info" } - catch { - "Failed to change default enrollment status page for $($Tenant): $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed adding Autopilot Enrollment Status Page $($Displayname). Error: $($_.Exception.Message)" -Sev "Error" - continue - } -} + $body = [pscustomobject]@{'Results' = $results } -$body = [pscustomobject]@{"Results" = $results } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) - - } +} 
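Review bot: `$ExistingStatusPage` can be empty when the `Where-Object` filter over the deviceEnrollmentConfigurations listing matches nothing, and the following line then sends the PATCH to `.../deviceEnrollmentConfigurations/` with an empty id, which surfaces only as a generic Graph error in the catch block. A guard before the POST makes the failure explicit: `if (-not $ExistingStatusPage) { throw "No DefaultWindows10EnrollmentCompletionPageConfiguration found for $Tenant" }`. `$Displayname` in both Write-LogMessage calls is never assigned in this function as far as the hunk and the file's first lines show, so the audit entries carry an empty name; logging `$Tenant` instead, or dropping the placeholder, would make them useful. The hunk is otherwise re-indentation and quote normalisation, so both points are pre-existing rather than introduced here.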
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddExConnector.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddExConnector.ps1
index fb4e739bfed4..3686d66c124d 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddExConnector.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddExConnector.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-AddExConnector {
+Function Invoke-AddExConnector {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,28 +8,30 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -$ConnectorType = ($Request.body.PowerShellCommand | ConvertFrom-Json).cippConnectorType -$RequestParams = $Request.Body.PowerShellCommand | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty GUID, cippConnectorType, comments + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -$Result = foreach ($Tenantfilter in $tenants) { - try { - $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "New-$($ConnectorType)connector" -cmdParams $RequestParams - "Successfully created transport rule for $tenantfilter." - Write-LogMessage -API $APINAME -tenant $tenantfilter -message "Created transport rule for $($tenantfilter)" -sev Debug - } - catch { - "Could not create created transport rule for $($tenantfilter): $($_.Exception.message)" + $ConnectorType = ($Request.body.PowerShellCommand | ConvertFrom-Json).cippConnectorType + $RequestParams = $Request.Body.PowerShellCommand | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty GUID, cippConnectorType, comments + + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + $Result = foreach ($Tenantfilter in $tenants) { + try { + $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "New-$($ConnectorType)connector" -cmdParams $RequestParams + "Successfully created transport rule for $Tenantfilter." 
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Tenantfilter -message "Created transport rule for $($Tenantfilter)" -sev 'Info' + } + catch { + "Could not create created transport rule for $($Tenantfilter): $($_.Exception.message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Tenantfilter -message "Could not create created transport rule for $($Tenantfilter): $($_.Exception.message)" -sev 'Error' + } } -} - -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = @{Results = @($Result) } - }) - } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = @{Results = @($Result) } + }) + +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddExConnectorTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddExConnectorTemplate.ps1 index 099d51c2a7c0..73cf56b8d910 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddExConnectorTemplate.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddExConnectorTemplate.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddExConnectorTemplate { +Function Invoke-AddExConnectorTemplate { <# .FUNCTIONALITY Entrypoint 
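Review bot: `$ConnectorType` comes from the client-supplied `PowerShellCommand` JSON and is spliced straight into the cmdlet name handed to New-ExoRequest (`-cmdlet "New-$($ConnectorType)connector"`), so the request body decides which Exchange cmdlet runs; an allow-list check at the top of the per-tenant try block, `if ($ConnectorType -notin 'Inbound', 'Outbound') { throw "Unsupported connector type '$ConnectorType'" }`, limits it to the two connector cmdlets that exist and lets the existing catch report it per tenant. The result strings still say "transport rule" although the code creates a connector, and the catch text reads "Could not create created"; `"Successfully created connector for $Tenantfilter."` and `"Could not create connector for $($Tenantfilter): ..."` describe what actually happens. The success log moves from Debug to Info in this hunk while the template entrypoints further down this series move the other way; one severity for state-changing actions would keep the log consistent. Function Invoke-AddExConnector is declared outside this hunk.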
@@ -8,49 +8,50 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -Write-Host ($request | ConvertTo-Json -Compress) + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -try { - $GUID = (New-Guid).GUID - $Select = if ($Request.body.cippconnectortype -eq "outbound") { - @( - "name", "AllAcceptedDomains", "CloudServicesMailEnabled", "Comment", "Confirm", "ConnectorSource", "ConnectorType", "Enabled", "IsTransportRuleScoped", "RecipientDomains", "RouteAllMessagesViaOnPremises", "SenderRewritingEnabled", "SmartHosts", "TestMode", "TlsDomain", "TlsSettings", "UseMXRecord" - ) - } - else { - @( - "name", "SenderDomains", "ConnectorSource", "ConnectorType", "EFSkipIPs", "EFSkipLastIP", "EFSkipMailGateway", "EFTestMode", "EFUsers", "Enabled ", "RequireTls", "RestrictDomainsToCertificate", "RestrictDomainsToIPAddresses", "ScanAndDropRecipients", "SenderIPAddresses", "TlsSenderCertificateName", "TreatMessagesAsInternal", "TrustedOrganizations" - ) - } + Write-Host ($request | ConvertTo-Json -Compress) - $JSON = ([pscustomobject]$Request.body | Select-Object $Select) | ForEach-Object { - $NonEmptyProperties = $_.psobject.Properties | Where-Object { $null -ne $_.Value } | Select-Object -ExpandProperty Name - $_ | Select-Object -Property $NonEmptyProperties + try { + $GUID = (New-Guid).GUID + $Select = if ($Request.body.cippconnectortype -eq 'outbound') { + @( + 'name', 'AllAcceptedDomains', 'CloudServicesMailEnabled', 'Comment', 'Confirm', 'ConnectorSource', 'ConnectorType', 'Enabled', 'IsTransportRuleScoped', 'RecipientDomains', 'RouteAllMessagesViaOnPremises', 'SenderRewritingEnabled', 'SmartHosts', 'TestMode', 'TlsDomain', 'TlsSettings', 'UseMXRecord' + ) + } + else { + @( + 'name', 'SenderDomains', 
'ConnectorSource', 'ConnectorType', 'EFSkipIPs', 'EFSkipLastIP', 'EFSkipMailGateway', 'EFTestMode', 'EFUsers', 'Enabled ', 'RequireTls', 'RestrictDomainsToCertificate', 'RestrictDomainsToIPAddresses', 'ScanAndDropRecipients', 'SenderIPAddresses', 'TlsSenderCertificateName', 'TreatMessagesAsInternal', 'TrustedOrganizations' + ) + } + + $JSON = ([pscustomobject]$Request.body | Select-Object $Select) | ForEach-Object { + $NonEmptyProperties = $_.psobject.Properties | Where-Object { $null -ne $_.Value } | Select-Object -ExpandProperty Name + $_ | Select-Object -Property $NonEmptyProperties + } + $JSON = ($JSON | Select-Object @{n = 'name'; e = { $_.name } }, * | ConvertTo-Json -Depth 10) + $Table = Get-CippTable -tablename 'templates' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$json" + RowKey = "$GUID" + direction = $request.body.cippconnectortype + PartitionKey = 'ExConnectorTemplate' + } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Connector Template $($Request.body.name) with GUID $GUID" -Sev 'Debug' + $body = [pscustomobject]@{'Results' = 'Successfully added template' } } - $JSON = ($JSON | Select-Object @{n = 'name'; e = { $_.name } }, * | ConvertTo-Json -Depth 10) - $Table = Get-CippTable -tablename 'templates' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$json" - RowKey = "$GUID" - direction = $request.body.cippconnectortype - PartitionKey = "ExConnectorTemplate" + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create Connector Template: $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Connector Template creation failed: $($_.Exception.Message)" } } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Connector Template $($Request.body.name) with GUID $GUID" -Sev "Debug" - $body = [pscustomobject]@{"Results" 
= "Successfully added template" } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create Connector Template: $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Connector Template creation failed: $($_.Exception.Message)" } -} -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1 index b52d4091b595..358649519572 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddGroup { +Function Invoke-AddGroup { <# .FUNCTIONALITY Entrypoint 
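Review bot: The inbound property list still carries `'Enabled '` with a trailing space (between 'EFUsers' and 'RequireTls'), so Select-Object never picks up the request's Enabled value and the null-property filter then drops the empty placeholder, leaving inbound templates without an Enabled setting; it should read `'Enabled',`. `Write-Host ($request | ConvertTo-Json -Compress)` serialises the whole request object, headers included, into the function log stream, and the `x-ms-client-principal` header the same function reads as the caller identity is part of that dump; logging `$Request.body` alone (or dropping the line, since the Accessed-this-API entry already exists) keeps identity material out of the log. `$JSON` is later written as `"$json"`; same variable, casing worth aligning. Function Invoke-AddExConnectorTemplate is declared outside this hunk.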
@@ -8,68 +8,68 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$groupobj = $Request.body -$SelectedTenants = if ($Request.body.selectedTenants) { $request.body.selectedTenants.defaultDomainName } else { $Request.body.tenantid } -if ("AllTenants" -in $SelectedTenants) { $SelectedTenants = (Get-Tenants).defaultDomainName } + $groupobj = $Request.body + $SelectedTenants = if ($Request.body.selectedTenants) { $request.body.selectedTenants.defaultDomainName } else { $Request.body.tenantid } + if ('AllTenants' -in $SelectedTenants) { $SelectedTenants = (Get-Tenants).defaultDomainName } -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." 
-$results = foreach ($tenant in $SelectedTenants) { - try { - $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($tenant)" } - if ($groupobj.groupType -in "Generic", "azurerole", "dynamic") { - - $BodyToship = [pscustomobject] @{ - "displayName" = $groupobj.Displayname - "description" = $groupobj.Description - "mailNickname" = $groupobj.username - mailEnabled = [bool]$false - securityEnabled = [bool]$true - isAssignableToRole = [bool]($groupobj | Where-Object -Property groupType -EQ "AzureRole") - } - if ($groupobj.membershipRules) { - $BodyToship | Add-Member -NotePropertyName "membershipRule" -NotePropertyValue ($groupobj.membershipRules) - $BodyToship | Add-Member -NotePropertyName "groupTypes" -NotePropertyValue @("DynamicMembership") - $BodyToship | Add-Member -NotePropertyName "membershipRuleProcessingState" -NotePropertyValue "On" - } - if ($groupobj.AddOwner -AND $groupobj.groupType -in "generic", "azurerole", "security") { - $BodyToship | Add-Member -NotePropertyName "owners@odata.bind" -NotePropertyValue (($groupobj.AddOwner) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" }) + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' 
+ $results = foreach ($tenant in $SelectedTenants) { + try { + $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($tenant)" } + if ($groupobj.groupType -in 'Generic', 'azurerole', 'dynamic') { + + $BodyToship = [pscustomobject] @{ + 'displayName' = $groupobj.Displayname + 'description' = $groupobj.Description + 'mailNickname' = $groupobj.username + mailEnabled = [bool]$false + securityEnabled = [bool]$true + isAssignableToRole = [bool]($groupobj | Where-Object -Property groupType -EQ 'AzureRole') + } + if ($groupobj.membershipRules) { + $BodyToship | Add-Member -NotePropertyName 'membershipRule' -NotePropertyValue ($groupobj.membershipRules) + $BodyToship | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('DynamicMembership') + $BodyToship | Add-Member -NotePropertyName 'membershipRuleProcessingState' -NotePropertyValue 'On' + } + if ($groupobj.AddOwner -AND $groupobj.groupType -in 'generic', 'azurerole', 'security') { + $BodyToship | Add-Member -NotePropertyName 'owners@odata.bind' -NotePropertyValue (($groupobj.AddOwner) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" }) + } + if ($groupobj.AddMember -AND $groupobj.groupType -in 'generic', 'azurerole', 'security') { + $BodyToship | Add-Member -NotePropertyName 'members@odata.bind' -NotePropertyValue (($groupobj.AddMember) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" }) + } + $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant -type POST -body (ConvertTo-Json -InputObject $BodyToship -Depth 10) -verbose } - if ($groupobj.AddMember -AND $groupobj.groupType -in "generic", "azurerole", "security") { - $BodyToship | Add-Member -NotePropertyName "members@odata.bind" -NotePropertyValue (($groupobj.AddMember) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" }) + else { + $Params = @{ + Name = $groupobj.Displayname + Alias = 
$groupobj.username + Description = $groupobj.Description + PrimarySmtpAddress = $email + Type = $groupobj.groupType + RequireSenderAuthenticationEnabled = [bool]!$groupobj.AllowExternal + } + $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params + # At some point add logic to use AddOwner/AddMember for New-DistributionGroup, but idk how we're going to brr that - rvdwegen } - $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups" -tenantid $tenant -type POST -body (ConvertTo-Json -InputObject $BodyToship -Depth 10) -verbose + "Successfully created group $($groupobj.displayname) for $($tenant)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id)" -Sev 'Info' + } - else { - $Params = @{ - Name = $groupobj.Displayname - Alias = $groupobj.username - Description = $groupobj.Description - PrimarySmtpAddress = $email - Type = $groupobj.groupType - RequireSenderAuthenticationEnabled = [bool]!$groupobj.AllowExternal - } - $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet "New-DistributionGroup" -cmdParams $params - # At some point add logic to use AddOwner/AddMember for New-DistributionGroup, but idk how we're going to brr that - rvdwegen + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Group creation API failed. $($_.Exception.Message)" -Sev 'Error' + "Failed to create group. 
$($groupobj.displayname) for $($tenant) $($_.Exception.Message)" } - "Successfully created group $($groupobj.displayname) for $($tenant)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id) " -Sev "Info" - - } - catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Group creation API failed. $($_.Exception.Message)" -Sev "Error" - "Failed to create group. $($groupobj.displayname) for $($tenant) $($_.Exception.Message)" } -} -$body = [pscustomobject]@{"Results" = @($results) } + $body = [pscustomobject]@{'Results' = @($results) } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $Body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroupTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroupTemplate.ps1 index 19ec092ca49b..85d10812a9c8 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroupTemplate.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroupTemplate.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddGroupTemplate { +Function Invoke-AddGroupTemplate { <# .FUNCTIONALITY Entrypoint 
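Review bot: The group-type lists disagree: Graph creation is gated on `'Generic', 'azurerole', 'dynamic'` while the owner and member additions are gated on `'generic', 'azurerole', 'security'`, so a dynamic group silently ignores AddOwner/AddMember and a 'security' request is routed to New-DistributionGroup with `Type = $groupobj.groupType`. If that routing is intended, a comment such as `# 'security' is created through Exchange (mail-enabled); owners/members are not applied on that path yet` above the `else` would make it explicit; otherwise the two lists should come from one definition. `isAssignableToRole = [bool]($groupobj | Where-Object -Property groupType -EQ 'AzureRole')` spends a pipeline on a string comparison; `isAssignableToRole = $groupobj.groupType -eq 'azurerole'` is equivalent and already case-insensitive. Function Invoke-AddGroup is declared outside this hunk.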
@@ -8,43 +8,43 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" - -$GUID = (New-Guid).GUID -try { - if (!$Request.body.displayname) { throw "You must enter a displayname" } - - $object = [PSCustomObject]@{ - Displayname = $request.body.displayname - Description = $request.body.description - groupType = $request.body.groupType - MembershipRules = $request.body.membershipRule - allowExternal = $request.body.allowExternal - username = $request.body.username - GUID = $GUID - } | ConvertTo-Json - $Table = Get-CippTable -tablename 'templates' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$object" - RowKey = "$GUID" - PartitionKey = "GroupTemplate" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + + $GUID = (New-Guid).GUID + try { + if (!$Request.body.displayname) { throw 'You must enter a displayname' } + + $object = [PSCustomObject]@{ + Displayname = $request.body.displayname + Description = $request.body.description + groupType = $request.body.groupType + MembershipRules = $request.body.membershipRule + allowExternal = $request.body.allowExternal + username = $request.body.username + GUID = $GUID + } | ConvertTo-Json + $Table = Get-CippTable -tablename 'templates' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$object" + RowKey = "$GUID" + PartitionKey = 'GroupTemplate' + } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Group template named $($Request.body.displayname) with GUID $GUID" -Sev 'Debug' + + $body = [pscustomobject]@{'Results' = 'Successfully added template' } + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 
"Group Template Creation failed: $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Group Template Creation failed: $($_.Exception.Message)" } } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Group template named $($Request.body.displayname) with GUID $GUID" -Sev "Info" - - $body = [pscustomobject]@{"Results" = "Successfully added template" } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Group Template Creation failed: $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Group Template Creation failed: $($_.Exception.Message)" } -} -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGuest.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGuest.ps1 index 4c94ec4740f9..462ba7df0545 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGuest.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGuest.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddGuest { +Function Invoke-AddGuest { <# .FUNCTIONALITY Entrypoint 
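Review bot: The success log for the stored template is downgraded from `-Sev "Info"` to `-Sev 'Debug'` in this hunk while the failure path stays at Error, so if Write-LogMessage filters or surfaces entries by severity, a configuration change (a new row in the templates table) disappears from the Info-level trail; keeping `-Sev 'Info'` on that line preserves the symmetry the old code had. The only input check is `if (!$Request.body.displayname) { throw 'You must enter a displayname' }`, and its text is returned to the caller unchanged through `$_.Exception.Message`, so any validation message added here is user-facing wording. Function Invoke-AddGroupTemplate is declared outside this hunk.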
@@ -8,49 +8,51 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -$Results = [System.Collections.ArrayList]@() -$userobj = $Request.body -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." -try { -if ($userobj.RedirectURL) { - $BodyToship = [pscustomobject] @{ - "InvitedUserDisplayName" = $userobj.Displayname - "InvitedUserEmailAddress" = $($userobj.mail) - "inviteRedirectUrl" = $($userobj.RedirectURL) - "sendInvitationMessage" = [boolean]$userobj.SendInvite - } -} -else {$BodyToship = [pscustomobject] @{ - "InvitedUserDisplayName" = $userobj.Displayname - "InvitedUserEmailAddress" = $($userobj.mail) - "sendInvitationMessage" = [boolean]$userobj.SendInvite - "inviteRedirectUrl" = "https://myapps.microsoft.com" -} -} - $bodyToShip = ConvertTo-Json -Depth 10 -InputObject $BodyToship -Compress - $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/invitations" -tenantid $Userobj.tenantid -type POST -body $BodyToship -verbose - if ($Userobj.sendInvite -eq "true") { - $results.add("Invited Guest. Invite Email sent") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Invited Guest $($userobj.displayname) with Email Invite " -Sev "Info" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + + $Results = [System.Collections.ArrayList]@() + $userobj = $Request.body + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' 
+ try { + if ($userobj.RedirectURL) { + $BodyToship = [pscustomobject] @{ + 'InvitedUserDisplayName' = $userobj.Displayname + 'InvitedUserEmailAddress' = $($userobj.mail) + 'inviteRedirectUrl' = $($userobj.RedirectURL) + 'sendInvitationMessage' = [boolean]$userobj.SendInvite + } + } + else { + $BodyToship = [pscustomobject] @{ + 'InvitedUserDisplayName' = $userobj.Displayname + 'InvitedUserEmailAddress' = $($userobj.mail) + 'sendInvitationMessage' = [boolean]$userobj.SendInvite + 'inviteRedirectUrl' = 'https://myapps.microsoft.com' + } + } + $bodyToShip = ConvertTo-Json -Depth 10 -InputObject $BodyToship -Compress + $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/invitations' -tenantid $Userobj.tenantid -type POST -body $BodyToship -verbose + if ($Userobj.sendInvite -eq 'true') { + $results.add('Invited Guest. Invite Email sent') + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Invited Guest $($userobj.displayname) with Email Invite " -Sev 'Info' + } + else { + $results.add('Invited Guest. No Invite Email was sent') + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Invited Guest $($userobj.displayname) with no Email Invite " -Sev 'Info' + } } - else { - $results.add("Invited Guest. No Invite Email was sent") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Invited Guest $($userobj.displayname) with no Email Invite " -Sev "Info" + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Guest Invite API failed. $($_.Exception.Message)" -Sev 'Error' + $body = $results.add("Failed to Invite Guest. 
$($_.Exception.Message)" ) } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Guest Invite API failed. $($_.Exception.Message)" -Sev "Error" - $body = $results.add("Failed to Invite Guest. $($_.Exception.Message)" ) -} -$body = @{"Results" = @($results) } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $Body - }) + $body = @{'Results' = @($results) } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddIntuneTemplate.ps1 index 281c482d4d42..d8e651ae36ad 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddIntuneTemplate.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddIntuneTemplate.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddIntuneTemplate { +Function Invoke-AddIntuneTemplate { <# .FUNCTIONALITY Entrypoint 
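Review bot: `'sendInvitationMessage' = [boolean]$userobj.SendInvite` and the later `if ($Userobj.sendInvite -eq 'true')` treat the same field differently: if SendInvite arrives as the string "false", `[boolean]'false'` is `$true` (any non-empty string casts to true), so the invitation mail is sent while the result reports "No Invite Email was sent". Normalise once at the top of the try, `$SendInvite = "$($userobj.SendInvite)" -eq 'true'`, and use `$SendInvite` in both the body and the `if`. `'inviteRedirectUrl' = $($userobj.RedirectURL)` is forwarded into the invitation unchecked; a guard such as `if ($userobj.RedirectURL -notmatch '^https://') { throw 'RedirectURL must be an https URL' }` keeps the link placed in the invitation mail on an expected scheme. `$body = $results.add(...)` in the catch stores the ArrayList index and is overwritten two lines later; `$null = $results.add(...)` says what is meant. Function Invoke-AddGuest is declared outside this hunk.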
@@ -8,122 +8,121 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$GUID = (New-Guid).GUID -try { - if ($Request.body.rawJSON) { - if (!$Request.body.displayname) { throw "You must enter a displayname" } - if ($null -eq ($Request.body.Rawjson | ConvertFrom-Json)) { throw "the JSON is invalid" } + $GUID = (New-Guid).GUID + try { + if ($Request.body.rawJSON) { + if (!$Request.body.displayname) { throw 'You must enter a displayname' } + if ($null -eq ($Request.body.Rawjson | ConvertFrom-Json)) { throw 'the JSON is invalid' } - $object = [PSCustomObject]@{ - Displayname = $request.body.displayname - Description = $request.body.description - RAWJson = $request.body.RawJSON - Type = $request.body.TemplateType - GUID = $GUID - } | ConvertTo-Json - $Table = Get-CippTable -tablename 'templates' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$object" - RowKey = "$GUID" - PartitionKey = "IntuneTemplate" - } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created intune policy template named $($Request.body.displayname) with GUID $GUID" -Sev "Debug" + $object = [PSCustomObject]@{ + Displayname = $request.body.displayname + Description = $request.body.description + RAWJson = $request.body.RawJSON + Type = $request.body.TemplateType + GUID = $GUID + } | ConvertTo-Json + $Table = Get-CippTable -tablename 'templates' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$object" + RowKey = "$GUID" + PartitionKey = 'IntuneTemplate' + } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created intune policy template 
named $($Request.body.displayname) with GUID $GUID" -Sev 'Debug' - $body = [pscustomobject]@{"Results" = "Successfully added template" } - } - else { - $TenantFilter = $request.query.TenantFilter - $URLName = $Request.query.URLName - $ID = $request.query.id - switch ($URLName) { + $body = [pscustomobject]@{'Results' = 'Successfully added template' } + } + else { + $TenantFilter = $request.query.TenantFilter + $URLName = $Request.query.URLName + $ID = $request.query.id + switch ($URLName) { - "configurationPolicies" { - $Type = "Catalog" - $Template = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)('$($ID)')?`$expand=settings" -tenantid $tenantfilter | Select-Object name, description, settings, platforms, technologies, templateReference - $TemplateJson = $Template | ConvertTo-Json -Depth 10 - $DisplayName = $template.name + 'configurationPolicies' { + $Type = 'Catalog' + $Template = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)('$($ID)')?`$expand=settings" -tenantid $tenantfilter | Select-Object name, description, settings, platforms, technologies, templateReference + $TemplateJson = $Template | ConvertTo-Json -Depth 10 + $DisplayName = $template.name - } - "deviceConfigurations" { - $Type = "Device" - $Template = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)/$($ID)" -tenantid $tenantfilter | Select-Object * -ExcludeProperty id, lastModifiedDateTime, '@odata.context', 'ScopeTagIds', 'supportsScopeTags', 'createdDateTime' - Write-Host ($Template | ConvertTo-Json) - $DisplayName = $template.displayName - $TemplateJson = ConvertTo-Json -InputObject $Template -Depth 10 -Compress - } - "groupPolicyConfigurations" { - $Type = "Admin" - $Template = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)('$($ID)')" -tenantid $tenantfilter - $DisplayName = $Template.displayName - $TemplateJsonItems = New-GraphGetRequest 
-uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)('$($ID)')/definitionValues?`$expand=definition" -tenantid $tenantfilter - $TemplateJsonSource = foreach ($TemplateJsonItem in $TemplateJsonItems) { - $presentationValues = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)('$($ID)')/definitionValues('$($TemplateJsonItem.id)')/presentationValues?`$expand=presentation" -tenantid $tenantfilter | ForEach-Object { - $obj = $_ - if ($obj.id) { - $PresObj = @{ - id = $obj.id - "presentation@odata.bind" = "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('$($TemplateJsonItem.definition.id)')/presentations('$($obj.presentation.id)')" + } + 'deviceConfigurations' { + $Type = 'Device' + $Template = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)/$($ID)" -tenantid $tenantfilter | Select-Object * -ExcludeProperty id, lastModifiedDateTime, '@odata.context', 'ScopeTagIds', 'supportsScopeTags', 'createdDateTime' + Write-Host ($Template | ConvertTo-Json) + $DisplayName = $template.displayName + $TemplateJson = ConvertTo-Json -InputObject $Template -Depth 10 -Compress + } + 'groupPolicyConfigurations' { + $Type = 'Admin' + $Template = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)('$($ID)')" -tenantid $tenantfilter + $DisplayName = $Template.displayName + $TemplateJsonItems = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)('$($ID)')/definitionValues?`$expand=definition" -tenantid $tenantfilter + $TemplateJsonSource = foreach ($TemplateJsonItem in $TemplateJsonItems) { + $presentationValues = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$($urlname)('$($ID)')/definitionValues('$($TemplateJsonItem.id)')/presentationValues?`$expand=presentation" -tenantid $tenantfilter | ForEach-Object { + $obj = $_ + if ($obj.id) { + $PresObj = @{ + id = $obj.id + 
'presentation@odata.bind' = "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('$($TemplateJsonItem.definition.id)')/presentations('$($obj.presentation.id)')" + } + if ($obj.values) { $PresObj['values'] = $obj.values } + if ($obj.value) { $PresObj['value'] = $obj.value } + if ($obj.'@odata.type') { $PresObj['@odata.type'] = $obj.'@odata.type' } + [pscustomobject]$PresObj } - if ($obj.values) { $PresObj['values'] = $obj.values } - if ($obj.value) { $PresObj['value'] = $obj.value } - if ($obj.'@odata.type') { $PresObj['@odata.type'] = $obj.'@odata.type' } - [pscustomobject]$PresObj + } + [PSCustomObject]@{ + 'definition@odata.bind' = "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('$($TemplateJsonItem.definition.id)')" + enabled = $TemplateJsonItem.enabled + presentationValues = @($presentationValues) } } - [PSCustomObject]@{ - 'definition@odata.bind' = "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('$($TemplateJsonItem.definition.id)')" - enabled = $TemplateJsonItem.enabled - presentationValues = @($presentationValues) + $inputvar = [pscustomobject]@{ + added = @($TemplateJsonSource) + updated = @() + deletedIds = @() + } - } - $inputvar = [pscustomobject]@{ - added = @($TemplateJsonSource) - updated = @() - deletedIds = @() + + $TemplateJson = (ConvertTo-Json -InputObject $inputvar -Depth 15 -Compress) } - + } - $TemplateJson = (ConvertTo-Json -InputObject $inputvar -Depth 15 -Compress) + $object = [PSCustomObject]@{ + Displayname = $DisplayName + Description = $Template.Description + RAWJson = $TemplateJson + Type = $Type + GUID = $GUID + } | ConvertTo-Json + $Table = Get-CippTable -tablename 'templates' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$object" + RowKey = "$GUID" + PartitionKey = 'IntuneTemplate' } - } - + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created intune policy template 
$($Request.body.displayname) with GUID $GUID using an original policy from a tenant" -Sev 'Debug' - $object = [PSCustomObject]@{ - Displayname = $DisplayName - Description = $Template.Description - RAWJson = $TemplateJson - Type = $Type - GUID = $GUID - } | ConvertTo-Json - $Table = Get-CippTable -tablename 'templates' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$object" - RowKey = "$GUID" - PartitionKey = "IntuneTemplate" + $body = [pscustomobject]@{'Results' = 'Successfully added template' } } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created intune policy template $($Request.body.displayname) with GUID $GUID using an original policy from a tenant" -Sev "Debug" - - $body = [pscustomobject]@{"Results" = "Successfully added template" } } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Intune Template Deployment failed: $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Intune Template Deployment failed: $($_.Exception.Message)" } -} + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Intune Template Deployment failed: $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Intune Template Deployment failed: $($_.Exception.Message)" } + } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddMSPApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddMSPApp.ps1 index 85c883333511..5bf0df7bf86d 100644 
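Review bot: `switch ($URLName)` has no `default` arm, so a URLName other than the three listed leaves `$Type`, `$DisplayName` and `$TemplateJson` unset, yet the code still writes a template row and answers 'Successfully added template'; adding `default { throw "Unsupported URLName '$URLName'" }` turns that into the error the catch already reports. The log line for the tenant-sourced path, `"Created intune policy template $($Request.body.displayname) with GUID $GUID using an original policy from a tenant"`, appears to use the body field this branch never reads; `$DisplayName` is the value the template was stored under. `$ID` is interpolated into the Graph path as `('$($ID)')` without validation; if the ids for these resources are always GUIDs, `$ID = [guid]$request.query.id` at the assignment rejects anything else inside the existing try/catch. `if ($null -eq ($Request.body.Rawjson | ConvertFrom-Json))` only catches a literal null document, since ConvertFrom-Json throws on malformed input and that throw already lands in the catch; if the check is deliberate, a short comment saying so would help. Function Invoke-AddIntuneTemplate is declared outside this hunk.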
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddMSPApp.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddMSPApp.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddMSPApp { +Function Invoke-AddMSPApp { <# .FUNCTIONALITY Entrypoint 
@@ -8,90 +8,90 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -Write-Host 'PowerShell HTTP trigger function processed a request.' -$RMMApp = $request.body -$assignTo = $Request.body.AssignTo -$intuneBody = Get-Content "AddMSPApp\$($RMMApp.RMMName.value).app.json" | ConvertFrom-Json -$intuneBody.displayName = $RMMApp.DisplayName + Write-Host 'PowerShell HTTP trigger function processed a request.' + $RMMApp = $request.body + $assignTo = $Request.body.AssignTo + $intuneBody = Get-Content "AddMSPApp\$($RMMApp.RMMName.value).app.json" | ConvertFrom-Json + $intuneBody.displayName = $RMMApp.DisplayName -$Tenants = $request.body.selectedTenants -$Results = foreach ($Tenant in $tenants) { - $InstallParams = [pscustomobject]$RMMApp.params - switch ($rmmapp.RMMName.value) { - 'datto' { - $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -URL $($InstallParams.DattoURL) -GUID $($InstallParams.DattoGUID["$($tenant.customerId)"])" - $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' + $Tenants = $request.body.selectedTenants + $Results = foreach ($Tenant in $tenants) { + $InstallParams = [pscustomobject]$RMMApp.params + switch ($rmmapp.RMMName.value) { + 'datto' { + $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -URL $($InstallParams.DattoURL) -GUID $($InstallParams.DattoGUID["$($tenant.customerId)"])" + $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' + } + 'ninja' { + $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -InstallParam $($RMMApp.PackageName)" + $UninstallCommandLine = 'powershell.exe 
-executionpolicy bypass .\uninstall.ps1' + } + 'Huntress' { + $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -OrgKey $($InstallParams.Orgkey["$($tenant.customerId)"]) -acctkey $($InstallParams.AccountKey)" + $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\install.ps1 -Uninstall' + } + 'Immybot' { + $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -url $($InstallParams.ClientURL["$($tenant.customerId)"])" + $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' + } + 'syncro' { + $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -URL $($InstallParams.ClientURL["$($tenant.customerId)"])" + $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' + } + 'NCentral' { + $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -InstallParam $($RMMApp.PackageName)" + $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' + } + 'automate' { + $installcommandline = "c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -executionpolicy bypass .\install.ps1 -Server $($InstallParams.Server) -InstallerToken $($InstallParams.InstallerToken["$($tenant.customerId)"]) -LocationID $($InstallParams.LocationID["$($tenant.customerId)"])" + $UninstallCommandLine = "c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -executionpolicy bypass .\uninstall.ps1 -Server $($InstallParams.Server)" + $DetectionScript = (Get-Content 'AddMSPApp\automate.detection.ps1' -Raw) -replace '##SERVER##', $InstallParams.Server + $intuneBody.detectionRules[0].scriptContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($DetectionScript)) + } + 'cwcommand' { + $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -Url $($InstallParams.ClientURL["$($tenant.customerId)"])" + $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' + } } - 'ninja' { - 
$installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -InstallParam $($RMMApp.PackageName)" - $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' - } - 'Huntress' { - $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -OrgKey $($InstallParams.Orgkey["$($tenant.customerId)"]) -acctkey $($InstallParams.AccountKey)" - $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\install.ps1 -Uninstall' - } - 'Immybot' { - $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -url $($InstallParams.ClientURL["$($tenant.customerId)"])" - $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' - } - 'syncro' { - $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -URL $($InstallParams.ClientURL["$($tenant.customerId)"])" - $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' - } - 'NCentral' { - $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -InstallParam $($RMMApp.PackageName)" - $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' - } - 'automate' { - $installcommandline = "c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -executionpolicy bypass .\install.ps1 -Server $($InstallParams.Server) -InstallerToken $($InstallParams.InstallerToken["$($tenant.customerId)"]) -LocationID $($InstallParams.LocationID["$($tenant.customerId)"])" - $UninstallCommandLine = "c:\windows\sysnative\windowspowershell\v1.0\powershell.exe -executionpolicy bypass .\uninstall.ps1 -Server $($InstallParams.Server)" - $DetectionScript = (Get-Content 'AddMSPApp\automate.detection.ps1' -Raw) -replace '##SERVER##', $InstallParams.Server - $intuneBody.detectionRules[0].scriptContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($DetectionScript)) - } - 'cwcommand' { - $installcommandline = "powershell.exe -executionpolicy bypass .\install.ps1 -Url 
$($InstallParams.ClientURL["$($tenant.customerId)"])" - $UninstallCommandLine = 'powershell.exe -executionpolicy bypass .\uninstall.ps1' - } - } - $intuneBody.installCommandLine = $installcommandline - $intuneBody.UninstallCommandLine = $UninstallCommandLine + $intuneBody.installCommandLine = $installcommandline + $intuneBody.UninstallCommandLine = $UninstallCommandLine - try { - $CompleteObject = [PSCustomObject]@{ - tenant = $tenant.defaultDomainName - Applicationname = $RMMApp.DisplayName - assignTo = $assignTo - IntuneBody = $intunebody - type = 'MSPApp' - MSPAppName = $RMMApp.RMMName.value - } | ConvertTo-Json -Depth 15 - $Table = Get-CippTable -tablename 'apps' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$CompleteObject" - RowKey = "$((New-Guid).GUID)" - PartitionKey = "apps" - status = "Not Deployed yet" + try { + $CompleteObject = [PSCustomObject]@{ + tenant = $tenant.defaultDomainName + Applicationname = $RMMApp.DisplayName + assignTo = $assignTo + IntuneBody = $intunebody + type = 'MSPApp' + MSPAppName = $RMMApp.RMMName.value + } | ConvertTo-Json -Depth 15 + $Table = Get-CippTable -tablename 'apps' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$CompleteObject" + RowKey = "$((New-Guid).GUID)" + PartitionKey = 'apps' + status = 'Not Deployed yet' + } + "Successfully added MSP App for $($Tenant.defaultDomainName) to queue. " + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant.defaultDomainName -message "MSP Application $($intunebody.Displayname) queued to add" -Sev 'Info' + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant.defaultDomainName -message "Failed to add MSP Application $($intunebody.Displayname) to queue" -Sev 'Error' + "Failed to add MSP app for $($Tenant.defaultDomainName) to queue" } - "Successfully added MSP App for $($Tenant.defaultDomainName) to queue. 
" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant.defaultDomainName -message "MSP Application $($intunebody.Displayname) queued to add" -Sev 'Info' - } - catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant.defaultDomainName -message "Failed to add MSP Application $($intunebody.Displayname) to queue" -Sev 'Error' - "Failed to add MSP app for $($Tenant.defaultDomainName) to queue" } -} -$body = [pscustomobject]@{'Results' = $results } + $body = [pscustomobject]@{'Results' = $results } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddNamedLocation.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddNamedLocation.ps1 index 48556531ca75..578b196ed014 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddNamedLocation.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddNamedLocation.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddNamedLocation { +Function Invoke-AddNamedLocation { <# .FUNCTIONALITY Entrypoint 
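Review bot: `$RMMApp.RMMName.value` is taken from the request body and interpolated into the `Get-Content "AddMSPApp\$($RMMApp.RMMName.value).app.json"` path before the `switch` ever checks it, so a value with path separators is resolved relative to that folder rather than rejected, and an unrecognised value matches no arm and leaves `$installcommandline` and `$UninstallCommandLine` unset while the entry is still queued. Validate against the set the `switch` already enumerates before touching the filesystem, e.g. `if ($RMMApp.RMMName.value -notin @('datto', 'ninja', 'Huntress', 'Immybot', 'syncro', 'NCentral', 'automate', 'cwcommand')) { throw "Unsupported RMM app '$($RMMApp.RMMName.value)'" }`, or add a `default { throw ... }` arm. The per-tenant `$InstallParams` values (Datto GUID, Huntress keys, Automate installer token) are serialised into `$CompleteObject` and written to the `apps` table, which deserves a comment at the `Add-CIPPAzDataTableEntity` call so the table is handled as secret-bearing. The catch branch also drops `$_.Exception.Message`, unlike the sibling entrypoints in this patch; `"Failed to add MSP app for $($Tenant.defaultDomainName) to queue: $($_.Exception.Message)"` keeps the failure diagnosable. The `Function Invoke-AddMSPApp {` line is in the preceding hunk, outside this one.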
@@ -8,57 +8,57 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' -# Input bindings are passed in via param block. -$Tenants = $request.body.selectedTenants.defaultDomainName -Write-Host ($Request.body | ConvertTo-Json) -if ($Tenants -eq "AllTenants") { $Tenants = (Get-Tenants).defaultDomainName } -$results = foreach ($Tenant in $tenants) { - try { - $ObjBody = if ($Request.body.Type -eq "IPLocation") { - $IPRanges = ($Request.body.Ips -split "`n") | ForEach-Object { if ($_ -ne "") { @{cidrAddress = "$_" } } } - if (!$IPRanges) { $IPRanges = @(@{cidrAddress = "$($Request.Body.Ips)" }) } - [pscustomobject]@{ - "@odata.type" = "#microsoft.graph.ipNamedLocation" - displayName = $request.body.policyName - ipRanges = @($IPRanges) - isTrusted = $Request.body.Trusted + # Input bindings are passed in via param block. 
+ $Tenants = $request.body.selectedTenants.defaultDomainName + Write-Host ($Request.body | ConvertTo-Json) + if ($Tenants -eq 'AllTenants') { $Tenants = (Get-Tenants).defaultDomainName } + $results = foreach ($Tenant in $tenants) { + try { + $ObjBody = if ($Request.body.Type -eq 'IPLocation') { + $IPRanges = ($Request.body.Ips -split "`n") | ForEach-Object { if ($_ -ne '') { @{cidrAddress = "$_" } } } + if (!$IPRanges) { $IPRanges = @(@{cidrAddress = "$($Request.Body.Ips)" }) } + [pscustomobject]@{ + '@odata.type' = '#microsoft.graph.ipNamedLocation' + displayName = $request.body.policyName + ipRanges = @($IPRanges) + isTrusted = $Request.body.Trusted + } } - } - else { - [pscustomobject]@{ - "@odata.type" = "#microsoft.graph.countryNamedLocation" - displayName = $request.body.policyName - countriesAndRegions = @($Request.Body.Countries.value) - includeUnknownCountriesAndRegions = $Request.body.includeUnknownCountriesAndRegions + else { + [pscustomobject]@{ + '@odata.type' = '#microsoft.graph.countryNamedLocation' + displayName = $request.body.policyName + countriesAndRegions = @($Request.Body.Countries.value) + includeUnknownCountriesAndRegions = $Request.body.includeUnknownCountriesAndRegions + } } + $Body = ConvertTo-Json -InputObject $ObjBody + $GraphRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -body $body -Type POST -tenantid $tenant + "Successfully added Named Location for $($Tenant)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Added Named Location $($Displayname)" -Sev 'Info' + + } + catch { + "Failed to add Named Location $($Tenant): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed adding Named Location$($Displayname). 
Error: $($_.Exception.Message)" -Sev 'Error' + continue } - $Body = ConvertTo-Json -InputObject $ObjBody - $GraphRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations" -body $body -Type POST -tenantid $tenant - "Successfully added Named Location for $($Tenant)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message " added Named Location $($Displayname)" -Sev "Info" } - catch { - "Failed to add Named Location $($Tenant): $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed adding Named Location$($Displayname). Error: $($_.Exception.Message)" -Sev "Error" - continue - } -} - -$body = [pscustomobject]@{"Results" = @($results) } + $body = [pscustomobject]@{'Results' = @($results) } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddOfficeApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddOfficeApp.ps1 index 732aa7dc231a..a5f9ec87c351 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddOfficeApp.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddOfficeApp.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddOfficeApp { +Function Invoke-AddOfficeApp { <# .FUNCTIONALITY Entrypoint 
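Review bot: Both log calls reference `$Displayname`, which is never assigned in this function (the name lives in `$request.body.policyName`), so the Info and Error entries read `Added Named Location ` with nothing after it; change them to `-message "Added Named Location $($request.body.policyName)"` and the matching failure text, and the same unassigned `$Displayname` appears in the catch block of the Invoke-AddOfficeApp hunk later in this patch. `$Request.body.Ips -split "`n"` leaves a trailing `\r` on every entry when the client submits CRLF line endings, which then lands in `cidrAddress`; `-split '\r?\n'` together with `$_.Trim()` before the `-ne ''` test avoids that. `Write-Host ($Request.body | ConvertTo-Json)` writes the entire request body to the function log stream on every call; if it is only there for debugging, drop it or guard it, since the log then carries whatever the client sent. The `Function Invoke-AddNamedLocation {` line is in the preceding hunk, outside this one.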
@@ -8,95 +8,95 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' -# Input bindings are passed in via param block. -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -if ("AllTenants" -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName } -$AssignTo = if ($request.body.Assignto -ne "on") { $request.body.Assignto } + # Input bindings are passed in via param block. + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + if ('AllTenants' -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName } + $AssignTo = if ($request.body.Assignto -ne 'on') { $request.body.Assignto } -$results = foreach ($Tenant in $tenants) { - try { - $ExistingO365 = New-graphGetRequest -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps" -tenantid $tenant | Where-Object { $_.displayname -eq "Mifcrosoft 365 Apps for Windows 10 and later" } - if (!$ExistingO365) { - $Arch = if ($request.body.arch) { "x64" } else { "x86" } - $products = @("o365ProPlusRetail") - $ExcludedApps = [pscustomobject]@{ - infoPath = $true - sharePointDesigner = $true - excel = $false - lync = $false - oneNote = $false - outlook = $false - powerPoint = $false - publisher = $false - teams = $false - word = $false - access = $false - bing = $false + $results = foreach ($Tenant in $tenants) { + try { + $ExistingO365 = New-graphGetRequest -Uri 
'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps' -tenantid $tenant | Where-Object { $_.displayname -eq 'Microsoft 365 Apps for Windows 10 and later' } + if (!$ExistingO365) { + $Arch = if ($request.body.arch) { 'x64' } else { 'x86' } + $products = @('o365ProPlusRetail') + $ExcludedApps = [pscustomobject]@{ + infoPath = $true + sharePointDesigner = $true + excel = $false + lync = $false + oneNote = $false + outlook = $false + powerPoint = $false + publisher = $false + teams = $false + word = $false + access = $false + bing = $false + } + foreach ($ExcludedApp in $request.body.excludedApps.value) { + $ExcludedApps.$excludedapp = $true + } + $ObjBody = [pscustomobject]@{ + '@odata.type' = '#microsoft.graph.officeSuiteApp' + 'displayName' = 'Microsoft 365 Apps for Windows 10 and later' + 'description' = 'Microsoft 365 Apps for Windows 10 and later' + 'informationUrl' = 'https://products.office.com/en-us/explore-office-for-home' + 'isFeatured' = $true + 'publisher' = 'Microsoft' + 'notes' = '' + 'owner' = 'Microsoft' + 'autoAcceptEula' = [bool]$request.body.AcceptLicense + 'excludedApps' = $ExcludedApps + 'officePlatformArchitecture' = $Arch + 'officeSuiteAppDefaultFileFormat' = 'OfficeOpenXMLFormat' + 'localesToInstall' = @($request.body.languages.value) + 'shouldUninstallOlderVersionsOfOffice' = [bool]$request.body.RemoveVersions + 'updateChannel' = $request.body.updateChannel.value + 'useSharedComputerActivation' = [bool]$request.body.SharedComputerActivation + 'productIds' = $products + 'largeIcon' = @{ + 'type' = 'image/png' + 'value' = 
'iVBORw0KGgoAAAANSUhEUgAAAF0AAAAeCAMAAAEOZNKlAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAJhUExURf////7z7/i9qfF1S/KCW/i+qv3q5P/9/PrQwfOMae1RG+s8AOxGDfBtQPWhhPvUx/759/zg1vWgg+9fLu5WIvKFX/rSxP728/nCr/FyR+tBBvOMaO1UH+1RHOs+AvSScP3u6f/+/v3s5vzg1+xFDO9kNPOOa/i7pvzj2/vWyes9Af76+Pzh2PrTxf/6+f7y7vOGYexHDv3t5+1SHfi8qPOIZPvb0O1NFuxDCe9hMPSVdPnFs/3q4/vaz/STcu5VIe5YJPWcfv718v/9/e1MFfF4T/F4TvF2TP3o4exECvF0SexIEPONavzn3/vZze1QGvF3Te5dK+5cKvrPwPrQwvKAWe1OGPexmexKEveulfezm/BxRfamiuxLE/apj/zf1e5YJfSXd/OHYv3r5feznPakiPze1P7x7f739f3w6+xJEfnEsvWdf/Wfge1LFPe1nu9iMvnDsfBqPOs/BPOIY/WZevJ/V/zl3fnIt/vTxuxHD+xEC+9mN+5ZJv749vBpO/KBWvBwRP/8+/SUc/etlPjArP/7+vOLZ/F7UvWae/708e1OF/aihvSWdvi8p+tABfSZefvVyPWihfSVde9lNvami+9jM/zi2fKEXvBuQvOKZvalifF5UPJ/WPSPbe9eLfrKuvvd0uxBB/7w7Pzj2vrRw/rOv+1PGfi/q/eymu5bKf3n4PnJuPBrPf3t6PWfgvWegOxCCO9nOO9oOfaskvSYePi5pPi2oPnGtO5eLPevlvKDXfrNvv739Pzd0/708O9gL+9lNfJ9VfrLu/OPbPnDsPBrPus+A/nArfarkQAAAGr5HKgAAADLdFJOU/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////8AvuakogAAAAlwSFlzAAAOwwAADsMBx2+oZAAAAz5JREFUOE+tVTtu4zAQHQjppmWzwIJbEVCzpTpjbxD3grQHSOXKRXgCAT6EC7UBVAmp3KwBnmvfzNCyZTmxgeTZJsXx43B+HBHRE34ZkXgkerXFTheeiCkRrbB4UXmp4wSWz5raaQEMTM5TZwuiXoaKgV+6FsmkZQcSy0kA71yMTMGHanX+AzMMGLAQCxU1F/ZwjULPugazl82GM0NEKm/U8EqFwEkO3/EAT4grgl0nucwlk9pcpTTJ4VPA4g/Rb3yIRhhp507e9nTQmZ1OS5RO4sS7nIRPEeHXCHdkw9ZEW2yVE5oIS7peD58Avs7CN+PVCmHh21oOqBdjDzIs+FldPJ74TFESUSJEfVzy9U/dhu+AuOT6eBp6gGKyXEx8euO450ZE4CMfstMFT44broWw/itkYErWXRx+fFArt9Ca9os78TFed0LVIUsmIHrwbwaw3BEOnOk94qVpQ6Ka2HjxewJnfyd6jUtGDQLdWlzmYNYLeKbbGOucJsNabCq1Yub0o92rtR+i30V2dapxYVEePXcOjeCKPnYyit7BtKeNlZqHbr+gt7i+AChWA9RsRs03pxTQc67ouWpxyESvjK5Vs3DVSy3IpkxPm5X+wZoBi+MFHWW69/w8FRhc7VBe6HAhMB2b8Q0XqDzTNZtXUMnKMjwKVaCrB/CSUL7WSx/HsdJC86lFGXwnioTeOMPjV+szlFvrZLA5VMVK4y+41l4e1xfx7Z88o4hkilRUH/qKqwNVlgDgpvYCpH3XwAy5eMC
RnezIUxffVXoDql2rTHFDO+pjWnTWzAfrYXn6BFECblUpWGrvPZvBipETjS5ydM7tdXpH41ZCEbBNy/+wFZu71QO2t9pgT+iZEf657Q1vpN94PQNDxUHeKR103LV9nPVOtDikcNKO+2naCw7yKBhOe9Hm79pe8C4/CfC2wDjXnqC94kEeBU3WwN7dt/2UScXas7zDl5GpkY+M8WKv2J7fd4Ib2rGTk+jsC2cleEM7jI9veF7B0MBJrsZqfKd/81q9pR2NZfwJK2JzsmIT1Ns8jUH0UusQBpU8d2JzsHiXg1zXGLqxfitUNTDT/nUUeqDBp2HZVr+Ocqi/Ty3Rf4Jn82xxfSNtAAAAAElFTkSuQmCC' + } + } + Write-Host ($ObjBody | ConvertTo-Json -Compress) + $OfficeAppID = New-graphPostRequest -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps' -tenantid $tenant -Body (ConvertTo-Json -InputObject $ObjBody -Depth 10) -type POST } - foreach ($ExcludedApp in $request.body.excludedApps.value) { - $ExcludedApps.$excludedapp = $true + else { + "Office deployment already exists for $($Tenant)" + Continue } - $ObjBody = [pscustomobject]@{ - "@odata.type" = "#microsoft.graph.officeSuiteApp" - "displayName" = "Microsoft 365 Apps for Windows 10 and later" - "description" = "Microsoft 365 Apps for Windows 10 and later" - "informationUrl" = "https://products.office.com/en-us/explore-office-for-home" - "isFeatured" = $true - "publisher" = "Microsoft" - "notes" = "" - "owner" = "Microsoft" - "autoAcceptEula" = [bool]$request.body.AcceptLicense - "excludedApps" = $ExcludedApps - "officePlatformArchitecture" = $Arch - "officeSuiteAppDefaultFileFormat" = "OfficeOpenXMLFormat" - "localesToInstall" = @($request.body.languages.value) - "shouldUninstallOlderVersionsOfOffice" = [bool]$request.body.RemoveVersions - "updateChannel" = $request.body.updateChannel.value - "useSharedComputerActivation" = [bool]$request.body.SharedComputerActivation - "productIds" = $products - "largeIcon" = @{ - "type" = "image/png" - "value" = "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" - } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Added Office profile to $($tenant)" -Sev 'Info' + if ($AssignTo) { + $AssignO365 = if ($AssignTo -ne 
'AllDevicesAndUsers') { '{"mobileAppAssignments":[{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.' + $($AssignTo) + 'AssignmentTarget"},"intent":"Required"}]}' } else { '{"mobileAppAssignments":[{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"},"intent":"Required"},{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"},"intent":"Required"}]}' } Write-Host ($AssignO365) + New-graphPostRequest -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($OfficeAppID.id)/assign" -tenantid $tenant -Body $AssignO365 -type POST + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Assigned Office to $AssignTo" -Sev 'Info' } - Write-Host ($ObjBody | ConvertTo-Json -Compress) - $OfficeAppID = New-graphPostRequest -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps" -tenantid $tenant -Body (ConvertTo-Json -InputObject $ObjBody -Depth 10) -type POST - } - else { - "Office deployment already exists for $($Tenant)" - Continue + "Successfully added Office App for $($Tenant)" } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Added Office profile to $($tenant)" -Sev "Info" - if ($AssignTo) { - $AssignO365 = if ($AssignTo -ne "AllDevicesAndUsers") { '{"mobileAppAssignments":[{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.' 
+ $($AssignTo) + 'AssignmentTarget"},"intent":"Required"}]}' } else { '{"mobileAppAssignments":[{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"},"intent":"Required"},{"@odata.type":"#microsoft.graph.mobileAppAssignment","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"},"intent":"Required"}]}' } Write-Host ($AssignO365) - New-graphPostRequest -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$($OfficeAppID.id)/assign" -tenantid $tenant -Body $AssignO365 -type POST - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Assigned Office to $AssignTo" -Sev "Info" + catch { + "Failed to add Office App for $($Tenant): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Failed adding Autopilot Profile $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error' + continue } - "Successfully added Office Application for $($Tenant)" - } - catch { - "Failed to add Office App for $($Tenant): $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Failed adding Autopilot Profile $($Displayname). Error: $($_.Exception.Message)" -Sev "Error" - continue - } -} + } -$body = [pscustomobject]@{"Results" = $results } + $body = [pscustomobject]@{'Results' = $results } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} 
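Review bot: `$AssignO365` is assembled by concatenating the request-supplied `$AssignTo` into a JSON string literal, so a value containing a double quote produces a malformed body and any other value selects a target type the caller chose; from the else branch the intended fragments appear to be the ones that yield `allDevicesAssignmentTarget` and `allLicensedUsersAssignmentTarget`, though I am inferring that. Reject anything outside the handled set before building the body, e.g. `if ($AssignTo -notin @('AllDevicesAndUsers', 'allDevices', 'allLicensedUsers')) { throw "Unsupported assignment target '$AssignTo'" }`, and prefer building the assignment as a hashtable passed through `ConvertTo-Json -Depth 5` so quoting is handled for you. The same string-built JSON appears as `$CreateBody` in the `'Admin'` arm of the Invoke-AddPolicy hunk, where `$CreateBody = ConvertTo-Json -Compress -InputObject @{ description = $description; displayName = $displayname; roleScopeTagIds = @('0') }` is the drop-in replacement. In the catch block here the message says `Failed adding Autopilot Profile`, a leftover from another entrypoint; `"Failed adding Office App to $($tenant). Error: $($_.Exception.Message)"` describes what actually failed. The `Function Invoke-AddOfficeApp {` line is in the preceding hunk, outside this one.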
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddPolicy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddPolicy.ps1 index 4884caffb04b..34a79bee6b7e 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddPolicy.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddPolicy.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddPolicy { +Function Invoke-AddPolicy { <# .FUNCTIONALITY Entrypoint 
@@ -8,75 +8,75 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -if ("AllTenants" -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName } -$displayname = $request.body.Displayname -$description = $request.body.Description -$AssignTo = if ($request.body.Assignto -ne "on") { $request.body.Assignto } -$RawJSON = $Request.body.RawJSON + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + if ('AllTenants' -in $Tenants) { $Tenants = (Get-Tenants).defaultDomainName } + $displayname = $request.body.Displayname + $description = $request.body.Description + $AssignTo = if ($request.body.Assignto -ne 'on') { $request.body.Assignto } + $RawJSON = $Request.body.RawJSON -$results = foreach ($Tenant in $tenants) { - if ($Request.body.replacemap.$tenant) { + $results = foreach ($Tenant in $tenants) { + if ($Request.body.replacemap.$tenant) { ([pscustomobject]$Request.body.replacemap.$tenant).psobject.properties | ForEach-Object { $RawJson = $RawJson -replace $_.name, $_.value } - } - try { - switch ($Request.body.TemplateType) { - "Admin" { - $TemplateTypeURL = "groupPolicyConfigurations" - $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}' - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - if ($displayname -in $CheckExististing.displayName) { - Throw "Policy with Display Name $($Displayname) Already exists" - } - $CreateRequest = New-GraphPOSTRequest -uri 
"https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody - $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON - } - "Device" { - $TemplateTypeURL = "deviceConfigurations" - $PolicyName = ($RawJSON | ConvertFrom-Json).displayName - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - Write-Host $PolicyName - if ($PolicyName -in $CheckExististing.displayName) { - Throw "Policy with Display Name $($Displayname) Already exists" + } + try { + switch ($Request.body.TemplateType) { + 'Admin' { + $TemplateTypeURL = 'groupPolicyConfigurations' + $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}' + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + if ($displayname -in $CheckExististing.displayName) { + Throw "Policy with Display Name $($Displayname) Already exists" + } + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody + $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON } + 'Device' { + $TemplateTypeURL = 'deviceConfigurations' + $PolicyName = ($RawJSON | ConvertFrom-Json).displayName + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + Write-Host $PolicyName + if ($PolicyName -in $CheckExististing.displayName) { + Throw "Policy with Display Name $($Displayname) Already exists" + } - $CreateRequest = 
New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON - } - "Catalog" { - $TemplateTypeURL = "configurationPolicies" - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - $PolicyName = ($RawJSON | ConvertFrom-Json).Name - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - if ($PolicyName -in $CheckExististing.name) { - Throw "Policy with Display Name $($Displayname) Already exists" + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON + } + 'Catalog' { + $TemplateTypeURL = 'configurationPolicies' + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + $PolicyName = ($RawJSON | ConvertFrom-Json).Name + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + if ($PolicyName -in $CheckExististing.name) { + Throw "Policy with Display Name $($Displayname) Already exists" + } + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON } - $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON - } + } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($Displayname)" -Sev 'Info' + if ($AssignTo) { + Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -Type $TemplateTypeURL -TenantFilter $tenant + } + "Successfully added policy for $($Tenant)" } - Write-LogMessage -user 
$request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($Displayname)" -Sev "Error" - if ($AssignTo) { - Set-CIPPAssignedPolicy -GroupName $AssignTo -PolicyId $CreateRequest.id -Type $TemplateTypeURL -TenantFilter $tenant + catch { + "Failed to add policy for $($Tenant): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed adding policy $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error' + continue } - "Successfully added policy for $($Tenant)" - } - catch { - "Failed to add policy for $($Tenant): $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed adding policy $($Displayname). Error: $($_.Exception.Message)" -Sev "Error" - continue - } -} + } -$body = [pscustomobject]@{"Results" = @($results) } + $body = [pscustomobject]@{'Results' = @($results) } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSharedMailbox.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSharedMailbox.ps1 index 32596817183b..7c3771c3264f 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSharedMailbox.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSharedMailbox.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddSharedMailbox { +Function Invoke-AddSharedMailbox { <# .FUNCTIONALITY Entrypoint 
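Review bot: The `switch ($Request.body.TemplateType)` has no `default` arm, so an unrecognised template type matches nothing, `$CreateRequest` stays unset, and the function still logs `Added policy` and returns `"Successfully added policy for $($Tenant)"`; add `default { throw "Unknown template type '$($Request.body.TemplateType)'" }` so the catch branch reports it instead. The context line `$RawJson = $RawJson -replace $_.name, $_.value` treats every `replacemap` key as a regular expression, which can match far more of the template than intended; if literal substitution is what is meant (I am inferring that from the name), use `-replace [regex]::Escape($_.name), $_.value`. The `'Catalog'` arm issues the identical `New-GraphGETRequest` for `$CheckExististing` twice; the first call can be dropped. The `Function Invoke-AddPolicy {` line is in the preceding hunk, outside this one.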
@@ -8,40 +8,39 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$groupobj = $Request.body -$user = $request.headers.'x-ms-client-principal' + $groupobj = $Request.body -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." -try { + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' + try { - $email = "$($groupobj.username)@$($groupobj.domain)" - $BodyToship = [pscustomobject] @{ - "displayName" = $groupobj.Displayname - "name" = $groupobj.username - "primarySMTPAddress" = $email - Shared = $true + $email = "$($groupobj.username)@$($groupobj.domain)" + $BodyToship = [pscustomobject] @{ + 'displayName' = $groupobj.Displayname + 'name' = $groupobj.username + 'primarySMTPAddress' = $email + Shared = $true - } - New-ExoRequest -tenantid $Request.body.tenantid -cmdlet "New-Mailbox" -cmdparams $BodyToship + } + New-ExoRequest -tenantid $Request.body.tenantid -cmdlet 'New-Mailbox' -cmdparams $BodyToship - $body = [pscustomobject]@{"Results" = "Successfully created shared mailbox." } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($groupobj.tenantid) -message "Created group $($groupobj.displayname) with id $($GraphRequest.id) for " -Sev "Info" + $body = [pscustomobject]@{'Results' = 'Successfully created shared mailbox.' 
} + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($groupobj.tenantid) -message "Created group $($groupobj.displayname) with id $($GraphRequest.id) for " -Sev 'Info' -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($groupobj.tenantid) -message "Group creation API failed. $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Failed to create group. $($_.Exception.Message)" } + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($groupobj.tenantid) -message "Group creation API failed. $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Failed to create group. $($_.Exception.Message)" } -} + } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $Body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSpamFilter.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSpamFilter.ps1 index e9be0668bd97..789b3eaffe9d 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSpamFilter.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSpamFilter.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddSpamFilter { +Function Invoke-AddSpamFilter { <# .FUNCTIONALITY Entrypoint 
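Review bot: The success log in the try block interpolates `$($GraphRequest.id)`, but nothing in this function assigns `$GraphRequest` — the `New-ExoRequest` result is discarded — so the audit entry always ends in "with id " followed by nothing, and it says "Created group" for what is a shared mailbox. Capture the result and name the object correctly, e.g. `$Mailbox = New-ExoRequest -tenantid $Request.body.tenantid -cmdlet 'New-Mailbox' -cmdparams $BodyToship` and `-message "Created shared mailbox $($groupobj.displayname) ($email)"`; which identifier property New-Mailbox returns I can't confirm from here. The catch branch's "Group creation API failed" / "Failed to create group" strings look copied from the group endpoint and should name the shared mailbox too, since these entries are what an operator reads back when reconstructing who created what. The response is also 200 OK on the failure path, so a caller can only detect failure by parsing the Results string.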
@@ -9,36 +9,36 @@ param($Request, $TriggerMetadata) -$APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$RequestParams = $Request.Body.PowerShellCommand | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty GUID, comments + $RequestParams = $Request.Body.PowerShellCommand | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty GUID, comments -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -$Result = foreach ($Tenantfilter in $tenants) { - try { - $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "New-HostedContentFilterPolicy" -cmdParams $RequestParams - $Domains = (New-ExoRequest -tenantid $Tenantfilter -cmdlet "Get-AcceptedDomain").name - $ruleparams = @{ - "name" = "$($RequestParams.name)"; - "hostedcontentfilterpolicy" = "$($RequestParams.name)"; - "recipientdomainis" = @($domains) - "Enabled" = $true + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + $Result = foreach ($Tenantfilter in $tenants) { + try { + $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'New-HostedContentFilterPolicy' -cmdParams $RequestParams + $Domains = (New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-AcceptedDomain').name + $ruleparams = @{ + 'name' = "$($RequestParams.name)" + 'hostedcontentfilterpolicy' = "$($RequestParams.name)" + 'recipientdomainis' = @($domains) + 'Enabled' = $true + } + $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'New-HostedContentFilterRule' -cmdParams $ruleparams + "Successfully created spamfilter for $tenantfilter." 
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Created spamfilter rule for $($tenantfilter)" -sev Info + } + catch { + "Could not create create spamfilter rule for $($tenantfilter): $($_.Exception.message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Could not create create spamfilter rule for $($tenantfilter): $($_.Exception.message)" -sev Error } - $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "New-HostedContentFilterRule" -cmdParams $ruleparams - "Successfully created spamfilter for $tenantfilter." - Write-LogMessage -API $APINAME -tenant $tenantfilter -message "Created spamfilter for $($tenantfilter)" -sev Debug - } - catch { - "Could not create create spamfilter rule for $($tenantfilter): $($_.Exception.message)" } -} - -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = @{Results = @($Result) } - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = @{Results = @($Result) } + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSpamFilterTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSpamFilterTemplate.ps1 index 45fae4ecbfc0..9aeef51f243c 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSpamFilterTemplate.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddSpamFilterTemplate.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddSpamFilterTemplate { +Function Invoke-AddSpamFilterTemplate { <# .FUNCTIONALITY Entrypoint 
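Review bot: The policy and its rule are created by two separate calls inside one try, so when `New-HostedContentFilterRule` fails the `New-HostedContentFilterPolicy` created just before it is left behind with no rule attached, and the catch reports only "Could not create create spamfilter rule" (note the doubled "create", present in both the returned string and the log message). Either give the two calls their own try/catch so the message says which step failed, or at minimum fix the string: `"Could not create spamfilter rule for $($tenantfilter): $($_.Exception.message)"`. Also, `$RequestParams` is the client-supplied `PowerShellCommand` JSON passed through to the cmdlet with only GUID and comments stripped; that is presumably the template design, but it means any parameter New-HostedContentFilterPolicy accepts can be set from the request body, which is worth a comment at the `$RequestParams` line.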
@@ -8,44 +8,44 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -Write-Host ($request | ConvertTo-Json -Compress) + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + Write-Host ($request | ConvertTo-Json -Compress) -try { - $GUID = (New-Guid).GUID - $JSON = if ($request.body.PowerShellCommand) { - Write-Host "PowerShellCommand" - $request.body.PowerShellCommand | ConvertFrom-Json - } - else { + try { + $GUID = (New-Guid).GUID + $JSON = if ($request.body.PowerShellCommand) { + Write-Host 'PowerShellCommand' + $request.body.PowerShellCommand | ConvertFrom-Json + } + else { ([pscustomobject]$Request.body | Select-Object name, AddXHeaderValue, AdminDisplayName, AllowedSenderDomains, AllowedSenders, BlockedSenderDomains, BlockedSenders, BulkQuarantineTag, BulkSpamAction, BulkThreshold, Confirm, DownloadLink, EnableEndUserSpamNotifications, EnableLanguageBlockList, EnableRegionBlockList, EndUserSpamNotificationCustomFromAddress, EndUserSpamNotificationCustomFromName, EndUserSpamNotificationCustomSubject, EndUserSpamNotificationFrequency, EndUserSpamNotificationLanguage, EndUserSpamNotificationLimit, HighConfidencePhishAction, HighConfidencePhishQuarantineTag, HighConfidenceSpamAction, HighConfidenceSpamQuarantineTag, IncreaseScoreWithBizOrInfoUrls, IncreaseScoreWithImageLinks, IncreaseScoreWithNumericIps, IncreaseScoreWithRedirectToOtherPort, InlineSafetyTipsEnabled, LanguageBlockList, MarkAsSpamBulkMail, MarkAsSpamEmbedTagsInHtml, MarkAsSpamEmptyMessages, MarkAsSpamFormTagsInHtml, MarkAsSpamFramesInHtml, MarkAsSpamFromAddressAuthFail, MarkAsSpamJavaScriptInHtml, MarkAsSpamNdrBackscatter, MarkAsSpamObjectTagsInHtml, MarkAsSpamSensitiveWordList, MarkAsSpamSpfRecordHardFail, 
MarkAsSpamWebBugsInHtml, ModifySubjectValue, PhishQuarantineTag, PhishSpamAction, PhishZapEnabled, QuarantineRetentionPeriod, RecommendedPolicyType, RedirectToRecipients, RegionBlockList, SpamAction, SpamQuarantineTag, SpamZapEnabled, TestModeAction, TestModeBccToRecipients ) | ForEach-Object { - $NonEmptyProperties = $_.psobject.Properties | Where-Object { $null -ne $_.Value } | Select-Object -ExpandProperty Name - $_ | Select-Object -Property $NonEmptyProperties + $NonEmptyProperties = $_.psobject.Properties | Where-Object { $null -ne $_.Value } | Select-Object -ExpandProperty Name + $_ | Select-Object -Property $NonEmptyProperties + } + } + $JSON = ($JSON | Select-Object @{n = 'name'; e = { $_.name } }, @{n = 'comments'; e = { $_.comments } }, * | ConvertTo-Json -Depth 10) + $Table = Get-CippTable -tablename 'templates' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$json" + RowKey = "$GUID" + PartitionKey = 'SpamfilterTemplate' } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Spam Filter Template $($Request.body.name) with GUID $GUID" -Sev 'Debug' + $body = [pscustomobject]@{'Results' = 'Successfully added template' } + } - $JSON = ($JSON | Select-Object @{n = 'name'; e = { $_.name } }, @{n = 'comments'; e = { $_.comments } }, * | ConvertTo-Json -Depth 10) - $Table = Get-CippTable -tablename 'templates' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$json" - RowKey = "$GUID" - PartitionKey = "SpamfilterTemplate" + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create Spam Filter Template: $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Spamfilter Template Deployment failed: $($_.Exception.Message)" } } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Spam Filter Template $($Request.body.name) with GUID $GUID" 
-Sev "Debug" - $body = [pscustomobject]@{"Results" = "Successfully added template" } - -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create Spam Filter Template: $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Spamfilter Template Deployment failed: $($_.Exception.Message)" } -} -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1 index fda5dbc33053..b4d186d8285f 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddStandardsDeploy { +Function Invoke-AddStandardsDeploy { <# .FUNCTIONALITY Entrypoint 
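Review bot: `Write-Host ($request | ConvertTo-Json -Compress)` near the top of the function serialises the whole request object — headers included, so also the `x-ms-client-principal` value the next line passes to the logger — into the function's log stream on every call. That header is base64 JSON carrying the caller's identity rather than a bearer token, but any other header the host forwards (cookies, authorization) would be captured the same way, and identity material should not sit in plain-text logs. If the dump is needed for debugging, restrict it to the body, `Write-Host ($request.body | ConvertTo-Json -Compress)`, or remove the line. The transport template endpoint in this same commit has the identical line and should get the same treatment.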
@@ -8,43 +8,44 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$user = $request.headers.'x-ms-client-principal' -$username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($user)) | ConvertFrom-Json).userDetails + $user = $request.headers.'x-ms-client-principal' + $username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($user)) | ConvertFrom-Json).userDetails -try { - $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value - $Settings = ($request.body | Select-Object -Property * -ExcludeProperty Select_*, None ) - foreach ($Tenant in $tenants) { + try { + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + $Settings = ($request.body | Select-Object -Property * -ExcludeProperty Select_*, None ) + foreach ($Tenant in $tenants) { - $object = [PSCustomObject]@{ - Tenant = $tenant - AddedBy = $username - AppliedAt = (Get-Date).ToString('s') - Standards = $Settings - } | ConvertTo-Json -Depth 10 - $Table = Get-CippTable -tablename 'standards' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$object" - RowKey = "$Tenant" - PartitionKey = "standards" + $object = [PSCustomObject]@{ + Tenant = $tenant + AddedBy = $username + AppliedAt = (Get-Date).ToString('s') + Standards = $Settings + } | ConvertTo-Json -Depth 10 + $Table = Get-CippTable -tablename 'standards' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$object" + RowKey = "$Tenant" + PartitionKey = 'standards' + } } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Successfully 
added standards deployment' -Sev 'Info' + $body = [pscustomobject]@{'Results' = 'Successfully added standards deployment' } + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Standards API failed. $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Failed to add standard: $($_.Exception.Message)" } } - $body = [pscustomobject]@{"Results" = "Successfully added standards deployment" } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Standards API failed. $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Failed to add standard: $($_.Exception.Message)" } -} -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTeam.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTeam.ps1 index d11998bc4260..34b9bda58208 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTeam.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTeam.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddTeam { +Function Invoke-AddTeam { <# .FUNCTIONALITY Entrypoint 
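Review bot: The principal decode at the top, `$username = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($user)) | ConvertFrom-Json).userDetails`, runs before the try block, so a request without an `x-ms-client-principal` header (or with a malformed one) throws from `FromBase64String` and the function terminates without the error log or the Results body the catch provides. Move the two `$user`/`$username` lines inside the try, or guard them first: `if ([string]::IsNullOrEmpty($user)) { throw 'Missing x-ms-client-principal header' }`. Note also that `AddedBy` stores whatever that header says; that is fine while the function is only reachable through the auth proxy that sets it, but if the function app can be called directly the header is caller-supplied, so the stored attribution should not be treated as authenticated on its own — worth a one-line comment at the `AddedBy = $username` line.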
@@ -8,51 +8,51 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$userobj = $Request.body + $userobj = $Request.body -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." - -$Owners = ($userobj.owner).Split([Environment]::NewLine) | Where-Object { $_ -ne $null -or $_ -ne "" } -try { + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' + + $Owners = ($userobj.owner).Split([Environment]::NewLine) | Where-Object { $_ -ne $null -or $_ -ne '' } + try { - $Owners = $Owners | ForEach-Object { - $OwnerID = "https://graph.microsoft.com/beta/users('" + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$_" -tenantid $Userobj.tenantid).id + "')" - @{ - "@odata.type" = "#microsoft.graph.aadUserConversationMember" - "roles" = @("owner") - "user@odata.bind" = $OwnerID + $Owners = $Owners | ForEach-Object { + $OwnerID = "https://graph.microsoft.com/beta/users('" + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$_" -tenantid $Userobj.tenantid).id + "')" + @{ + '@odata.type' = '#microsoft.graph.aadUserConversationMember' + 'roles' = @('owner') + 'user@odata.bind' = $OwnerID + } } - } - $TeamsSettings = [PSCustomObject]@{ - "template@odata.bind" = "https://graph.microsoft.com/v1.0/teamsTemplates('standard')" - "visibility" = $userobj.visibility - "displayName" = $userobj.displayname - "description" = $userobj.description - "members" = @($owners) + $TeamsSettings = [PSCustomObject]@{ + 'template@odata.bind' = "https://graph.microsoft.com/v1.0/teamsTemplates('standard')" + 'visibility' = 
$userobj.visibility + 'displayName' = $userobj.displayname + 'description' = $userobj.description + 'members' = @($owners) - } | ConvertTo-Json -Depth 10 + } | ConvertTo-Json -Depth 10 - Write-Host $TeamsSettings - New-GraphPostRequest -AsApp $true -uri "https://graph.microsoft.com/beta/teams" -tenantid $Userobj.tenantid -type POST -body $TeamsSettings -verbose - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Added Team $($userobj.displayname)" -Sev "Info" - $body = [pscustomobject]@{"Results" = "Success. Team has been added" } + Write-Host $TeamsSettings + New-GraphPostRequest -AsApp $true -uri 'https://graph.microsoft.com/beta/teams' -tenantid $Userobj.tenantid -type POST -body $TeamsSettings -verbose + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Added Team $($userobj.displayname)" -Sev 'Info' + $body = [pscustomobject]@{'Results' = 'Success. Team has been added' } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "$($userobj.tenantid): Add Team failed. $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Failed. Error message: $($_.Exception.Message)" } -} + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Adding Team failed. Error: $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Failed. Error message: $($_.Exception.Message)" } + } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $Body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. 
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTransportRule.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTransportRule.ps1 index 4a5ddf22abbc..64c394ee2852 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTransportRule.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTransportRule.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddTransportRule { +Function Invoke-AddTransportRule { <# .FUNCTIONALITY Entrypoint 
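Review bot: The owner filter `Where-Object { $_ -ne $null -or $_ -ne '' }` never rejects anything, because a value would have to be both null and the empty string to fail an `-or` of those two tests; an empty line in the owner input therefore reaches the loop, where `"https://graph.microsoft.com/beta/users/$_"` becomes `/beta/users/` and the `.id` of whatever that request returns is bound as a team owner. Use `Where-Object { -not [string]::IsNullOrWhiteSpace($_) }`. The split also runs before the try, so a body with no `owner` property throws on `.Split` outside the catch; `@($userobj.owner -split '\r?\n')` with the same filter, placed inside the try, handles both.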
@@ -8,39 +8,39 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$RequestParams = $Request.Body.PowerShellCommand | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty GUID, Comments, HasSenderOverride, ExceptIfHasSenderOverride, ExceptIfMessageContainsDataClassifications, MessageContainsDataClassifications + $RequestParams = $Request.Body.PowerShellCommand | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty GUID, Comments, HasSenderOverride, ExceptIfHasSenderOverride, ExceptIfMessageContainsDataClassifications, MessageContainsDataClassifications -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -$Result = foreach ($Tenantfilter in $tenants) { - $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenantfilter -cmdlet "Get-TransportRule" -useSystemMailbox $true | Where-Object -Property Identity -EQ $RequestParams.name - try { - if ($Existing) { - Write-Host "Found existing" - $RequestParams | Add-Member -NotePropertyValue $RequestParams.name -NotePropertyName Identity - $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "Set-TransportRule" -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty UseLegacyRegex) -useSystemMailbox $true - "Successfully set transport rule for $tenantfilter." 
+ $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + $Result = foreach ($Tenantfilter in $tenants) { + $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenantfilter -cmdlet 'Get-TransportRule' -useSystemMailbox $true | Where-Object -Property Identity -EQ $RequestParams.name + try { + if ($Existing) { + Write-Host 'Found existing' + $RequestParams | Add-Member -NotePropertyValue $RequestParams.name -NotePropertyName Identity + $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Set-TransportRule' -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty UseLegacyRegex) -useSystemMailbox $true + "Successfully set transport rule for $tenantfilter." + } + else { + Write-Host 'Creating new' + $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'New-TransportRule' -cmdParams $RequestParams -useSystemMailbox $true + "Successfully created transport rule for $tenantfilter." + } + + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Created transport rule for $($tenantfilter)" -sev Info } - else { - Write-Host "Creating new" - $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "New-TransportRule" -cmdParams $RequestParams -useSystemMailbox $true - "Successfully created transport rule for $tenantfilter." + catch { + "Could not create transport rule for $($tenantfilter): $($_.Exception.message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Could not create transport rule for $($tenantfilter). Error:$($_.Exception.message)" -sev Error } - - Write-LogMessage -API $APINAME -tenant $tenantfilter -message "Created transport rule for $($tenantfilter)" -sev Debug - } - catch { - "Could not create transport rule for $($tenantfilter): $($_.Exception.message)" } -} - -# Associate values to output bindings by calling 'Push-OutputBinding'. 
-Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = @{Results = @($Result) } - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = @{Results = @($Result) } + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTransportTemplate.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTransportTemplate.ps1 index 43d8b28b13cd..6028c15578b6 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTransportTemplate.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddTransportTemplate.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddTransportTemplate { +Function Invoke-AddTransportTemplate { <# .FUNCTIONALITY Entrypoint 
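Review bot: `$RequestParams | Add-Member -NotePropertyValue $RequestParams.name -NotePropertyName Identity` mutates the single `$RequestParams` object shared across the `foreach ($Tenantfilter in $tenants)` loop, so on the second tenant with an existing rule `Add-Member` throws because `Identity` already exists (no `-Force`), and on a later tenant without one `New-TransportRule` is likely called with a stray `Identity` parameter; either way the catch reports a failure that only appears in multi-tenant runs. Build the Set- parameters from a per-iteration copy instead: `$SetParams = $RequestParams | Select-Object -Property * -ExcludeProperty UseLegacyRegex`, `$SetParams | Add-Member -NotePropertyName Identity -NotePropertyValue $RequestParams.name -Force`, then `-cmdParams $SetParams`. The `Get-TransportRule` lookup above the try also has no catch of its own; `-ErrorAction SilentlyContinue` only helps if New-ExoRequest surfaces failures as non-terminating errors, which I can't confirm from here.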
@@ -8,44 +8,44 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -Write-Host ($request | ConvertTo-Json -Compress) + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + Write-Host ($request | ConvertTo-Json -Compress) -try { - $GUID = (New-Guid).GUID - $JSON = if ($request.body.PowerShellCommand) { - Write-Host "PowerShellCommand" - $request.body.PowerShellCommand | ConvertFrom-Json - } - else { + try { + $GUID = (New-Guid).GUID + $JSON = if ($request.body.PowerShellCommand) { + Write-Host 'PowerShellCommand' + $request.body.PowerShellCommand | ConvertFrom-Json + } + else { ([pscustomobject]$Request.body | Select-Object Name, ActivationDate, ADComparisonAttribute, ADComparisonOperator, AddManagerAsRecipientType, AddToRecipients, AnyOfCcHeader, AnyOfCcHeaderMemberOf, AnyOfRecipientAddressContainsWords, AnyOfRecipientAddressMatchesPatterns, AnyOfToCcHeader, AnyOfToCcHeaderMemberOf, AnyOfToHeader, AnyOfToHeaderMemberOf, ApplyClassification, ApplyHtmlDisclaimerFallbackAction, ApplyHtmlDisclaimerLocation, ApplyHtmlDisclaimerText, ApplyOME, ApplyRightsProtectionCustomizationTemplate, ApplyRightsProtectionTemplate, AttachmentContainsWords, AttachmentExtensionMatchesWords, AttachmentHasExecutableContent, AttachmentIsPasswordProtected, AttachmentIsUnsupported, AttachmentMatchesPatterns, AttachmentNameMatchesPatterns, AttachmentProcessingLimitExceeded, AttachmentPropertyContainsWords, AttachmentSizeOver, BetweenMemberOf1, BetweenMemberOf2, BlindCopyTo, Comments, Confirm, ContentCharacterSetContainsWords, CopyTo, DeleteMessage, DlpPolicy, DomainController, Enabled, ExceptIfADComparisonAttribute, ExceptIfADComparisonOperator, ExceptIfAnyOfCcHeader, ExceptIfAnyOfCcHeaderMemberOf, 
ExceptIfAnyOfRecipientAddressContainsWords, ExceptIfAnyOfRecipientAddressMatchesPatterns, ExceptIfAnyOfToCcHeader, ExceptIfAnyOfToCcHeaderMemberOf, ExceptIfAnyOfToHeader, ExceptIfAnyOfToHeaderMemberOf, ExceptIfAttachmentContainsWords, ExceptIfAttachmentExtensionMatchesWords, ExceptIfAttachmentHasExecutableContent, ExceptIfAttachmentIsPasswordProtected, ExceptIfAttachmentIsUnsupported, ExceptIfAttachmentMatchesPatterns, ExceptIfAttachmentNameMatchesPatterns, ExceptIfAttachmentProcessingLimitExceeded, ExceptIfAttachmentPropertyContainsWords, ExceptIfAttachmentSizeOver, ExceptIfBetweenMemberOf1, ExceptIfBetweenMemberOf2, ExceptIfContentCharacterSetContainsWords, ExceptIfFrom, ExceptIfFromAddressContainsWords, ExceptIfFromAddressMatchesPatterns, ExceptIfFromMemberOf, ExceptIfFromScope, ExceptIfHasClassification, ExceptIfHasNoClassification, ExceptIfHasSenderOverride, ExceptIfHeaderContainsMessageHeader, ExceptIfHeaderContainsWords, ExceptIfHeaderMatchesMessageHeader, ExceptIfHeaderMatchesPatterns, ExceptIfManagerAddresses, ExceptIfManagerForEvaluatedUser, ExceptIfMessageContainsDataClassifications, ExceptIfMessageSizeOver, ExceptIfMessageTypeMatches, ExceptIfRecipientADAttributeContainsWords, ExceptIfRecipientADAttributeMatchesPatterns, ExceptIfRecipientAddressContainsWords, ExceptIfRecipientAddressMatchesPatterns, ExceptIfRecipientDomainIs, ExceptIfRecipientInSenderList, ExceptIfSCLOver, ExceptIfSenderADAttributeContainsWords, ExceptIfSenderADAttributeMatchesPatterns, ExceptIfSenderDomainIs, ExceptIfSenderInRecipientList, ExceptIfSenderIpRanges, ExceptIfSenderManagementRelationship, ExceptIfSentTo, ExceptIfSentToMemberOf, ExceptIfSentToScope, ExceptIfSubjectContainsWords, ExceptIfSubjectMatchesPatterns, ExceptIfSubjectOrBodyContainsWords, ExceptIfSubjectOrBodyMatchesPatterns, ExceptIfWithImportance, ExpiryDate, From, FromAddressContainsWords, FromAddressMatchesPatterns, FromMemberOf, FromScope, GenerateIncidentReport, GenerateNotification, HasClassification, 
HasNoClassification, HasSenderOverride, HeaderContainsMessageHeader, HeaderContainsWords, HeaderMatchesMessageHeader, HeaderMatchesPatterns, IncidentReportContent, IncidentReportOriginalMail, LogEventText, ManagerAddresses, ManagerForEvaluatedUser, MessageContainsDataClassifications, MessageSizeOver, MessageTypeMatches, Mode, ModerateMessageByManager, ModerateMessageByUser, NotifySender, PrependSubject, Quarantine, RecipientADAttributeContainsWords, RecipientADAttributeMatchesPatterns, RecipientAddressContainsWords, RecipientAddressMatchesPatterns, RecipientAddressType, RecipientDomainIs, RecipientInSenderList, RedirectMessageTo, RejectMessageEnhancedStatusCode, RejectMessageReasonText, RemoveHeader, RemoveOME, RemoveOMEv2, RemoveRMSAttachmentEncryption, RouteMessageOutboundConnector, RouteMessageOutboundRequireTls, RuleErrorAction, RuleSubType, SCLOver, SenderADAttributeContainsWords, SenderADAttributeMatchesPatterns, SenderAddressLocation, SenderDomainIs, SenderInRecipientList, SenderIpRanges, SenderManagementRelationship, SentTo, SentToMemberOf, SentToScope, SetAuditSeverity, SetHeaderName, SetHeaderValue, SetSCL, SmtpRejectMessageRejectStatusCode, SmtpRejectMessageRejectText, StopRuleProcessing, SubjectContainsWords, SubjectMatchesPatterns, SubjectOrBodyContainsWords, SubjectOrBodyMatchesPatterns, UseLegacyRegex, WithImportance ) | ForEach-Object { - $NonEmptyProperties = $_.psobject.Properties | Where-Object { $null -ne $_.Value } | Select-Object -ExpandProperty Name - $_ | Select-Object -Property $NonEmptyProperties + $NonEmptyProperties = $_.psobject.Properties | Where-Object { $null -ne $_.Value } | Select-Object -ExpandProperty Name + $_ | Select-Object -Property $NonEmptyProperties + } + } + $JSON = ($JSON | Select-Object @{n = 'name'; e = { $_.name } }, @{n = 'comments'; e = { $_.comments } }, * | ConvertTo-Json -Depth 10) + $Table = Get-CippTable -tablename 'templates' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$json" 
+ RowKey = "$GUID" + PartitionKey = 'TransportTemplate' } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Transport Rule Template $($Request.body.name) with GUID $GUID" -Sev 'Debug' + $body = [pscustomobject]@{'Results' = 'Successfully added template' } + } - $JSON = ($JSON | Select-Object @{n = 'name'; e = { $_.name } }, @{n = 'comments'; e = { $_.comments } }, * | ConvertTo-Json -Depth 10) - $Table = Get-CippTable -tablename 'templates' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = "$json" - RowKey = "$GUID" - PartitionKey = "TransportTemplate" + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create Transport Rule Template: $($_.Exception.Message)" -Sev 'Error' + $body = [pscustomobject]@{'Results' = "Intune Template Deployment failed: $($_.Exception.Message)" } } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created Transport Rule Template $($Request.body.name) with GUID $GUID" -Sev "Debug" - $body = [pscustomobject]@{"Results" = "Successfully added template" } - -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create Transport Rule Template: $($_.Exception.Message)" -Sev "Error" - $body = [pscustomobject]@{"Results" = "Intune Template Deployment failed: $($_.Exception.Message)" } -} -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} 
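Review bot: The catch branch returns `"Intune Template Deployment failed: $($_.Exception.Message)"` for what is a transport rule template, so the operator-facing error names the wrong feature; change it to `"Transport Rule Template deployment failed: $($_.Exception.Message)"` to match the log line above it. `Write-Host ($request | ConvertTo-Json -Compress)` near the top also serialises the entire request, headers included, into the function log on every call; if the debugging dump is kept, limit it to `$request.body`. As a smaller point, the stored template is keyed on a fresh GUID and its `name` comes straight from the request with no uniqueness check, so two templates with the same name are both kept — possibly intended, but worth a comment at the `RowKey = "$GUID"` line.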
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddUser.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddUser.ps1 index f9eb6ba28546..1e6888622537 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddUser.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddUser.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-AddUser { +Function Invoke-AddUser { <# .FUNCTIONALITY Entrypoint 
@@ -8,114 +8,115 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -$Results = [System.Collections.ArrayList]@() -$userobj = $Request.body -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." -try { - $license = $userobj.license - $Aliases = ($userobj.AddedAliases).Split([Environment]::NewLine) - $password = if ($userobj.password) { $userobj.password } else { New-passwordString } - $UserprincipalName = "$($UserObj.username)@$($UserObj.domain)" - $BodyToship = [pscustomobject] @{ - "givenName" = $userobj.firstname - "surname" = $userobj.lastname - "accountEnabled" = $true - "displayName" = $UserObj.Displayname - "department" = $userobj.department - "mailNickname" = $UserObj.username - "userPrincipalName" = $UserprincipalName - "usageLocation" = $UserObj.usageLocation - "city" = $userobj.city - "country" = $userobj.country - "jobtitle" = $userObj.jobtitle - "mobilePhone" = $userobj.mobilePhone - "streetAddress" = $userobj.streetAddress - "postalCode" = $userobj.postalCode - "companyName" = $userobj.companyName - "passwordProfile" = @{ - "forceChangePasswordNextSignIn" = [bool]$UserObj.mustchangepass - "password" = $password - } - } - if ($userobj.businessPhone) { $bodytoShip | Add-Member -NotePropertyName businessPhones -NotePropertyValue @($userobj.businessPhone) } - if ($userobj.addedAttributes) { - Write-Host "Found added attribute" - Write-Host "Added attributes: $($userobj.addedAttributes | ConvertTo-Json)" - $userobj.addedAttributes.getenumerator() | ForEach-Object { - $results.add("Added property $($_.Key) with value $($_.value)") - $bodytoShip | Add-Member -NotePropertyName $_.Key -NotePropertyValue $_.Value + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME 
-message 'Accessed this API' -Sev 'Debug' + + $Results = [System.Collections.ArrayList]@() + $userobj = $Request.body + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' + try { + $license = $userobj.license + $Aliases = ($userobj.AddedAliases).Split([Environment]::NewLine) + $password = if ($userobj.password) { $userobj.password } else { New-passwordString } + $UserprincipalName = "$($UserObj.username)@$($UserObj.domain)" + $BodyToship = [pscustomobject] @{ + 'givenName' = $userobj.firstname + 'surname' = $userobj.lastname + 'accountEnabled' = $true + 'displayName' = $UserObj.Displayname + 'department' = $userobj.department + 'mailNickname' = $UserObj.username + 'userPrincipalName' = $UserprincipalName + 'usageLocation' = $UserObj.usageLocation + 'city' = $userobj.city + 'country' = $userobj.country + 'jobtitle' = $userObj.jobtitle + 'mobilePhone' = $userobj.mobilePhone + 'streetAddress' = $userobj.streetAddress + 'postalCode' = $userobj.postalCode + 'companyName' = $userobj.companyName + 'passwordProfile' = @{ + 'forceChangePasswordNextSignIn' = [bool]$UserObj.mustchangepass + 'password' = $password + } + } + if ($userobj.businessPhone) { $bodytoShip | Add-Member -NotePropertyName businessPhones -NotePropertyValue @($userobj.businessPhone) } + if ($userobj.addedAttributes) { + Write-Host 'Found added attribute' + Write-Host "Added attributes: $($userobj.addedAttributes | ConvertTo-Json)" + $userobj.addedAttributes.getenumerator() | ForEach-Object { + $results.add("Added property $($_.Key) with value $($_.value)") + $bodytoShip | Add-Member -NotePropertyName $_.Key -NotePropertyValue $_.Value + } } + $bodyToShip = ConvertTo-Json -Depth 10 -InputObject $BodyToship -Compress + $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/users' -tenantid $Userobj.tenantid -type POST -body $BodyToship -verbose + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME 
-tenant $($userobj.tenantid) -message "Created user $($userobj.displayname) with id $($GraphRequest.id) " -Sev 'Info' + $results.add('Created user.') + $results.add("Username: $($UserprincipalName)") + $results.add("Password: $password") + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Failed to create user. Error:$($_.Exception.Message)" -Sev 'Error' + $body = $results.add("Failed to create user. $($_.Exception.Message)" ) } - $bodyToShip = ConvertTo-Json -Depth 10 -InputObject $BodyToship -Compress - $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users" -tenantid $Userobj.tenantid -type POST -body $BodyToship -verbose - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Created user $($userobj.displayname) with id $($GraphRequest.id) " -Sev "Info" - $results.add("Created user.") - $results.add("Username: $($UserprincipalName)") - $results.add("Password: $password") -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "User creation API failed. $($_.Exception.Message)" -Sev "Error" - $body = $results.add("Failed to create user. 
$($_.Exception.Message)" ) -} -try { - if ($license) { - Write-Host ($userobj | ConvertTo-Json) - $licenses = (($userobj | Select-Object "License_*").psobject.properties | Where-Object { $_.value -EQ $true }).name -replace "License_", "" - Write-Host "Lics are: $licences" - $LicenseBody = if ($licenses.count -ge 2) { - $liclist = foreach ($license in $Licenses) { '{"disabledPlans": [],"skuId": "' + $license + '" },' } - '{"addLicenses": [' + $LicList + '], "removeLicenses": [ ] }' + try { + if ($license) { + Write-Host ($userobj | ConvertTo-Json) + $licenses = (($userobj | Select-Object 'License_*').psobject.properties | Where-Object { $_.value -EQ $true }).name -replace 'License_', '' + Write-Host "Lics are: $licences" + $LicenseBody = if ($licenses.count -ge 2) { + $liclist = foreach ($license in $Licenses) { '{"disabledPlans": [],"skuId": "' + $license + '" },' } + '{"addLicenses": [' + $LicList + '], "removeLicenses": [ ] }' + } + else { + '{"addLicenses": [ {"disabledPlans": [],"skuId": "' + $licenses + '" }],"removeLicenses": [ ]}' + } + Write-Host $LicenseBody + $LicRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($GraphRequest.id)/assignlicense" -tenantid $Userobj.tenantid -type POST -body $LicenseBody -verbose + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Assigned user $($userobj.displayname) license $($licences)" -Sev 'Info' + $body = $results.add('Assigned licenses.') } - else { - '{"addLicenses": [ {"disabledPlans": [],"skuId": "' + $licenses + '" }],"removeLicenses": [ ]}' - } - Write-Host $LicenseBody - $LicRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($GraphRequest.id)/assignlicense" -tenantid $Userobj.tenantid -type POST -body $LicenseBody -verbose - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Assigned user $($userobj.displayname) license 
$($licences)" -Sev "Info" - $body = $results.add("Assigned licenses.") - } -} + } -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "License assign API failed. $($_.Exception.Message)" -Sev "Error" - $body = $results.add("We've failed to assign the license. $($_.Exception.Message)") -} + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Failed to assign the license. Error:$($_.Exception.Message)" -Sev 'Error' + $body = $results.add("Failed to assign the license. $($_.Exception.Message)") + } -try { - if ($Aliases) { - foreach ($Alias in $Aliases) { - Write-Host $Alias - New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($GraphRequest.id)" -tenantid $Userobj.tenantid -type "patch" -body "{`"mail`": `"$Alias`"}" -verbose + try { + if ($Aliases) { + foreach ($Alias in $Aliases) { + Write-Host $Alias + New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($GraphRequest.id)" -tenantid $Userobj.tenantid -type 'patch' -body "{`"mail`": `"$Alias`"}" -verbose + } + New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($GraphRequest.id)" -tenantid $Userobj.tenantid -type 'patch' -body "{`"mail`": `"$UserprincipalName`"}" -verbose + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Added alias $($Alias) to $($userobj.displayname)" -Sev 'Info' + $body = $results.add("Added Aliases: $($Aliases -join ',')") } - New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($GraphRequest.id)" -tenantid $Userobj.tenantid -type "patch" -body "{`"mail`": `"$UserprincipalName`"}" -verbose - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Added alias $($Alias) to $($userobj.displayname)" -Sev "Info" - $body = $results.add("Added Aliases: $($Aliases 
-join ',')") } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Alias API failed. $($_.Exception.Message)" -Sev "Error" - $body = $results.add("We've failed to create the Aliases: $($_.Exception.Message)") -} -if ($Request.body.CopyFrom -ne "") { - $CopyFrom = Set-CIPPCopyGroupMembers -ExecutingUser $request.headers.'x-ms-client-principal' -tenantid $Userobj.tenantid -CopyFromId $Request.body.CopyFrom -UserID $UserprincipalName -TenantFilter $Userobj.tenantid - $results.Add($CopyFrom.Success -join ', ') - $results.Add($CopyFrom.Error -join ', ') -} -$body = [pscustomobject] @{ - "Results" = @($results) - "Username" = $UserprincipalName - "Password" = $password - "CopyFrom" = $CopyFrom -} -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $Body - }) - + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($userobj.tenantid) -message "Failed to create the Aliases. Error:$($_.Exception.Message)" -Sev 'Error' + $body = $results.add("Failed to create the Aliases: $($_.Exception.Message)") + } + if ($Request.body.CopyFrom -ne '') { + $CopyFrom = Set-CIPPCopyGroupMembers -ExecutingUser $request.headers.'x-ms-client-principal' -tenantid $Userobj.tenantid -CopyFromId $Request.body.CopyFrom -UserID $UserprincipalName -TenantFilter $Userobj.tenantid + $results.Add($CopyFrom.Success -join ', ') + $results.Add($CopyFrom.Error -join ', ') + } + $body = [pscustomobject] @{ + 'Results' = @($results) + 'Username' = $UserprincipalName + 'Password' = $password + 'CopyFrom' = $CopyFrom } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Body + }) + +} 
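Review bot: `Write-Host ($userobj | ConvertTo-Json)` in the license block writes the whole request body, including the `password` field, to the function log stream, and `Write-Host $LicenseBody` right after it is similar noise; strip the secret before logging, e.g. `Write-Host ($userobj | Select-Object -Property * -ExcludeProperty password | ConvertTo-Json)`. `$licences` (with a c) is read in `Write-Host "Lics are: $licences"` and in the "Assigned user … license $($licences)" log message while the variable assigned is `$licenses`, so both print an empty value. `($userobj.AddedAliases).Split([Environment]::NewLine)` also runs before the user is created and throws when the body has no AddedAliases, which drops the request into the first catch without creating anything; a null-safe form such as `$Aliases = @("$($userobj.AddedAliases)" -split '\r?\n' | Where-Object { $_ })` avoids that and the empty entries a CRLF split can leave behind.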
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddWinGetApp.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddWinGetApp.ps1
index be59d93845f4..508484dfeb6c 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddWinGetApp.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddWinGetApp.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-AddWinGetApp {
+Function Invoke-AddWinGetApp {
 <# .FUNCTIONALITY Entrypoint
@@ -8,58 +8,58 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -Write-Host "PowerShell HTTP trigger function processed a request." -$WinGetApp = $request.body -if ($ChocoApp.InstallAsSystem) { "system" } else { "user" } -$assignTo = $Request.body.AssignTo -$WinGetData = [ordered]@{ - "@odata.type" = "#microsoft.graph.winGetApp" - "displayName" = "$($WinGetApp.ApplicationName)" - "description" = "$($WinGetApp.description)" - "packageIdentifier" = "$($WinGetApp.PackageName)" - "installExperience" = @{ - "@odata.type" = "microsoft.graph.winGetAppInstallExperience" - "runAsAccount" = "user" + Write-Host 'PowerShell HTTP trigger function processed a request.' + $WinGetApp = $request.body + if ($ChocoApp.InstallAsSystem) { 'system' } else { 'user' } + $assignTo = $Request.body.AssignTo + $WinGetData = [ordered]@{ + '@odata.type' = '#microsoft.graph.winGetApp' + 'displayName' = "$($WinGetApp.ApplicationName)" + 'description' = "$($WinGetApp.description)" + 'packageIdentifier' = "$($WinGetApp.PackageName)" + 'installExperience' = @{ + '@odata.type' = 'microsoft.graph.winGetAppInstallExperience' + 'runAsAccount' = 'user' + } } -} -$Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value -$Results = foreach ($Tenant in $tenants) { - try { - $CompleteObject = [PSCustomObject]@{ - tenant = $tenant - Applicationname = $WinGetApp.ApplicationName - assignTo = $assignTo - InstallationIntent = $request.body.InstallationIntent - type = 'WinGet' - IntuneBody = $WinGetData - } | ConvertTo-Json -Depth 15 - $Table = Get-CippTable -tablename 'apps' - $Table.Force = $true - Add-CIPPAzDataTableEntity @Table -Entity @{ - JSON = 
"$CompleteObject" - RowKey = "$((New-Guid).GUID)" - PartitionKey = "apps" - status = "Not Deployed yet" + $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value + $Results = foreach ($Tenant in $tenants) { + try { + $CompleteObject = [PSCustomObject]@{ + tenant = $tenant + Applicationname = $WinGetApp.ApplicationName + assignTo = $assignTo + InstallationIntent = $request.body.InstallationIntent + type = 'WinGet' + IntuneBody = $WinGetData + } | ConvertTo-Json -Depth 15 + $Table = Get-CippTable -tablename 'apps' + $Table.Force = $true + Add-CIPPAzDataTableEntity @Table -Entity @{ + JSON = "$CompleteObject" + RowKey = "$((New-Guid).GUID)" + PartitionKey = 'apps' + status = 'Not Deployed yet' + } + "Successfully added Store App for $($Tenant) to queue." + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Chocolatey Application $($intunebody.Displayname) queued to add" -Sev 'Info' + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed to add Chocolatey Application $($intunebody.Displayname) to queue" -Sev 'Error' + "Failed added Store App for $($Tenant) to queue" } - "Successfully added Store App for $($Tenant) to queue." - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Chocolatey Application $($intunebody.Displayname) queued to add" -Sev "Info" - } - catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed to add Chocolatey Application $($intunebody.Displayname) to queue" -Sev "Error" - "Failed added Store App for $($Tenant) to queue" } -} -$body = [pscustomobject]@{"Results" = $results } + $body = [pscustomobject]@{'Results' = $results } -# Associate values to output bindings by calling 'Push-OutputBinding'. 
-Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} From bf0c680bd242a03ef53b0aec2340f2858756a8a3 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 22:25:09 +0000 Subject: [PATCH 32/78] Secure score bug fix --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index fece930d063d..fc20f4dbba9e 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -1969,12 +1969,12 @@ function Invoke-NinjaOneTenantSync { }, @{ Label = 'Points to Obtain' - Amount = $MaxSecureScoreRank - $CurrentSecureScore.currentScore + Amount = $MaxSecureScore - $CurrentSecureScore.currentScore Colour = '#CCCCCC' } ) - $SecureScoreHTML = Get-NinjaInLineBarGraph -Title "Secure Score - $([System.Math]::Round((($CurrentSecureScore.currentScore / $MaxSecureScoreRank) * 100),2))%" -Data $Data -KeyInLine -NoCount -NoSort + $SecureScoreHTML = Get-NinjaInLineBarGraph -Title "Secure Score - $([System.Math]::Round((($CurrentSecureScore.currentScore / $MaxSecureScore) * 100),2))%" -Data $Data -KeyInLine -NoCount -NoSort # Recommended Actions HTML $RecommendedActionsHTML = $Top5Actions | Select-Object 'Recommended Action', @{n = 'Score Impact'; e = { "+$($_.'Score Impact')%" } }, Category, @{n = 'Link'; e = { '' } } | ConvertTo-Html -As Table -Fragment From 25b2e0751eece6c4b1cd1ebb7f79dc9eec9aaaea Mon Sep 17 00:00:00 2001 
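Review bot: `if ($ChocoApp.InstallAsSystem) { 'system' } else { 'user' }` references `$ChocoApp`, which nothing in this hunk defines, and its result is neither assigned nor used while `'runAsAccount'` below is hard-coded to `'user'`, so any install-as-system choice in the request is silently dropped. If the WinGet request body carries that flag, capture it and use it: `$RunAs = if ($WinGetApp.InstallAsSystem) { 'system' } else { 'user' }` and `'runAsAccount' = $RunAs`. The two log messages inside the tenant loop also describe a "Chocolatey Application" and read `$intunebody.Displayname`, which is not defined here either; `$WinGetData.displayName` is the value this function actually builds.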
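Review bot: The rename fixes the variable, but `$CurrentSecureScore.currentScore / $MaxSecureScore` in the graph title still has no guard for `$MaxSecureScore` being 0 or null (for instance when the secure-score query returned nothing), which would raise a divide-by-zero error or produce an unusable percentage for the whole sync. Computing it once with a guard, e.g. `$Pct = if ($MaxSecureScore) { [System.Math]::Round((($CurrentSecureScore.currentScore / $MaxSecureScore) * 100), 2) } else { 0 }`, and using `$Pct` in the title keeps the rest of the report rendering. Invoke-NinjaOneTenantSync starts and ends outside the hunk, and where `$MaxSecureScore` is computed is not visible here.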
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Thu, 7 Dec 2023 00:07:05 +0100 Subject: [PATCH 33/78] Logging and formatting --- .../Invoke-BestPracticeAnalyser_List.ps1 | 42 +- .../Entrypoints/Invoke-EditCAPolicy.ps1 | 7 +- .../Entrypoints/Invoke-EditExConnector.ps1 | 51 ++-- .../Public/Entrypoints/Invoke-EditGroup.ps1 | 284 +++++++++--------- .../Public/Entrypoints/Invoke-EditPolicy.ps1 | 64 ++-- .../Entrypoints/Invoke-EditSpamFilter.ps1 | 48 +-- .../Public/Entrypoints/Invoke-EditTenant.ps1 | 18 +- .../Entrypoints/Invoke-EditTransportRule.ps1 | 6 +- .../Public/Entrypoints/Invoke-EditUser.ps1 | 12 +- 9 files changed, 272 insertions(+), 260 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-BestPracticeAnalyser_List.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-BestPracticeAnalyser_List.ps1
index 82f02778a5f2..e1930a1cbc04 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-BestPracticeAnalyser_List.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-BestPracticeAnalyser_List.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-BestPracticeAnalyser_List {
+Function Invoke-BestPracticeAnalyser_List {
 <# .FUNCTIONALITY Entrypoint
@@ -8,26 +8,26 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$Tenants = Get-Tenants -$Table = get-cipptable 'cachebpa' -$Results = (Get-CIPPAzDataTableEntity @Table) | ForEach-Object { - $_.UnusedLicenseList = @(ConvertFrom-Json -ErrorAction silentlycontinue -InputObject $_.UnusedLicenseList) - $_ -} - -if (!$Results) { - $Results = @{ - Tenant = "The BPA has not yet run." + $Tenants = Get-Tenants + $Table = get-cipptable 'cachebpa' + $Results = (Get-CIPPAzDataTableEntity @Table) | ForEach-Object { + $_.UnusedLicenseList = @(ConvertFrom-Json -ErrorAction silentlycontinue -InputObject $_.UnusedLicenseList) + $_ } -} -Write-Host ($Tenants | ConvertTo-Json) -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = @(($Results | Where-Object -Property RowKey -In $Tenants.customerId)) - }) + if (!$Results) { + $Results = @{ + Tenant = 'The BPA has not yet run.' + } } + Write-Host ($Tenants | ConvertTo-Json) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = @(($Results | Where-Object -Property RowKey -In $Tenants.customerId)) + }) + +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditCAPolicy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditCAPolicy.ps1 index da71838797bc..fb804f8fbfe1 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditCAPolicy.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditCAPolicy.ps1 
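Review bot: The fallback `$Results = @{ Tenant = 'The BPA has not yet run.' }` never reaches the client, because the response body filters with `Where-Object -Property RowKey -In $Tenants.customerId` and that hashtable has no RowKey, so an empty array is returned instead of the message. Either skip the filter when the fallback is in use, e.g. `Body = @(if ($Results -is [hashtable]) { $Results } else { $Results | Where-Object -Property RowKey -In $Tenants.customerId })`, or give the fallback a RowKey the filter accepts. `Write-Host ($Tenants | ConvertTo-Json)` also dumps the entire tenant list into the log on every call; if it is only a debugging aid it should be removed or reduced to a count.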
@@ -16,9 +16,10 @@ Function Invoke-EditCAPolicy { $results = try { $EditBody = "{`"state`": `"$($request.query.state)`"}" $Request = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta//identity/conditionalAccess/policies/$($id)" -tenantid $tenant -type PATCH -body $EditBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Edited CA policy $($ID)" -Sev 'Error' - 'Successfully edited CA policy' - } catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Edited CA policy: $($ID)" -Sev 'Info' + "Successfully edited CA policy: $($ID)" + } + catch { "Failed to add CA policy: $($_.Exception.Message)" Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed editing CA policy $($ID). Error: $($_.Exception.Message)" -Sev 'Error' continue diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditExConnector.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditExConnector.ps1 index 89a13dbb80bc..9042e7fdfa0a 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditExConnector.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditExConnector.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-EditExConnector { +Function Invoke-EditExConnector { <# .FUNCTIONALITY Entrypoint 
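Review bot: `$Request = New-GraphPOSTRequest ...` on the context line above the new log call overwrites the function's `$Request` parameter, so the new `Write-LogMessage -user $request.headers.'x-ms-client-principal'` lines in both the try and the catch read the header from the Graph response object rather than the HTTP request, and the log entry loses its user attribution; assigning the result to another name, e.g. `$GraphRequest = New-GraphPOSTRequest ...`, fixes it. `$request.query.state` is also interpolated into `$EditBody` unchecked, so a value outside what the policy `state` property accepts (`enabled`, `disabled`, `enabledForReportingButNotEnforced`) still produces a Graph call and is only caught by the resulting exception; validating it before building the body gives a clearer error. The `continue` at the end of the catch does not appear to sit inside a loop, in which case PowerShell would end the enclosing script rather than just the catch; `return` or letting the catch fall through looks like the intent, though Invoke-EditCAPolicy starts and ends outside the hunk.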
@@ -8,30 +8,31 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -$Tenantfilter = $request.Query.tenantfilter + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + $Tenantfilter = $request.Query.tenantfilter -$Params = @{ - Identity = $request.query.guid -} - -try { - $state = if ($request.query.state -eq "enable") { $true } else { $false } - $Params = @{ Identity = $request.query.GUID; Enabled = $state } - $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "Set-$($Request.query.Type)Connector" -cmdParams $params -UseSystemMailbox $true - $Result = "Set transport rule $($Request.query.guid) to $($request.query.State)" - Write-LogMessage -API "TransportRules" -tenant $tenantfilter -message "Set Connector $($Request.query.guid) to $($request.query.State)" -sev Debug -} -catch { - $ErrorMessage = Get-NormalizedError -Message $_.Exception - $Result = $ErrorMessage -} -# Associate values to output bindings by calling 'Push-OutputBinding'. 
-Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = @{Results = $Result } - }) + $Params = @{ + Identity = $request.query.guid + } + try { + $state = if ($request.query.state -eq 'enable') { $true } else { $false } + $Params = @{ Identity = $request.query.GUID; Enabled = $state } + $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet "Set-$($Request.query.Type)Connector" -cmdParams $params -UseSystemMailbox $true + $Result = "Set Connector $($Request.query.guid) to $($request.query.State)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Set Connector $($Request.query.guid) to $($request.query.State)" -sev 'Info' + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Failed setting Connector $($Request.query.guid) to $($request.query.State). Error:$($_.Exception.Message)" -Sev 'Error' + $ErrorMessage = Get-NormalizedError -Message $_.Exception + $Result = $ErrorMessage } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = @{Results = $Result } + }) + +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditGroup.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditGroup.ps1 index 7cce727e5294..3a15a163aaa7 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditGroup.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditGroup.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-EditGroup { +Function Invoke-EditGroup { <# .FUNCTIONALITY Entrypoint 
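Review bot: `"Set-$($Request.query.Type)Connector"` lets the unvalidated `Type` query parameter decide which Exchange cmdlet `New-ExoRequest` runs; constrain it before the call, e.g. `if ($Request.query.Type -notin @('Inbound', 'Outbound')) { throw "Unsupported connector type" }`, so only `Set-InboundConnector` and `Set-OutboundConnector` are reachable. The first `$Params = @{ Identity = $request.query.guid }` is dead code, overwritten inside the try, and `$GraphRequest` is assigned but never read. `$state` also treats every value other than `'enable'` as a disable, so a typo in the query silently disables the connector; an explicit `'enable'`/`'disable'` check that errors on anything else would be safer.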
@@ -8,180 +8,180 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -$Results = [System.Collections.ArrayList]@() + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + $Results = [System.Collections.ArrayList]@() + $userobj = $Request.body -$userobj = $Request.body + # Write to the Azure Functions log stream. + Write-Host 'PowerShell HTTP trigger function processed a request.' -# Write to the Azure Functions log stream. -Write-Host "PowerShell HTTP trigger function processed a request." - -$AddMembers = ($userobj.Addmember).value -if ($AddMembers) { - $AddMembers | ForEach-Object { - try { - $member = $_ - if ($member -like '*#EXT#*') { $member = [System.Web.HttpUtility]::UrlEncode($member) } - $MemberIDs = "https://graph.microsoft.com/v1.0/directoryObjects/" + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($member)" -tenantid $Userobj.tenantid).id - $addmemberbody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }" - if ($userobj.groupType -eq "Distribution list" -or $userobj.groupType -eq "Mail-Enabled Security") { - $Params = @{ Identity = $userobj.groupid; Member = $member; BypassSecurityGroupManagerCheck = $true } - New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Add-DistributionGroupMember" -cmdParams $params -UseSystemMailbox $true - } - else { - New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)" -tenantid $Userobj.tenantid -type patch -body $addmemberbody -Verbose - } - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev "Info" - $body = $results.add("Success. 
$member has been added") - } - catch { - $body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)") - } - } - -} -$AddContacts = ($userobj.AddContacts).value - -if ($AddContacts) { - $AddContacts | ForEach-Object { - try { - $member = $_ - if ($userobj.groupType -eq "Distribution list" -or $userobj.groupType -eq "Mail-Enabled Security") { - $Params = @{ Identity = $userobj.groupid; Member = $member; BypassSecurityGroupManagerCheck = $true } - New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Add-DistributionGroupMember" -cmdParams $params -UseSystemMailbox $true - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev "Info" + $AddMembers = ($userobj.Addmember).value + if ($AddMembers) { + $AddMembers | ForEach-Object { + try { + $member = $_ + if ($member -like '*#EXT#*') { $member = [System.Web.HttpUtility]::UrlEncode($member) } + $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($member)" -tenantid $Userobj.tenantid).id + $addmemberbody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }" + if ($userobj.groupType -eq 'Distribution list' -or $userobj.groupType -eq 'Mail-Enabled Security') { + $Params = @{ Identity = $userobj.groupid; Member = $member; BypassSecurityGroupManagerCheck = $true } + New-ExoRequest -tenantid $Userobj.tenantid -cmdlet 'Add-DistributionGroupMember' -cmdParams $params -UseSystemMailbox $true + } + else { + New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)" -tenantid $Userobj.tenantid -type patch -body $addmemberbody -Verbose + } + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Added $member to $($userobj.groupName) group" -Sev 'Info' $body = $results.add("Success. 
$member has been added") } - else { - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "You cannot add a contact to a security group" -Sev "Error" - $body = $results.add("You cannot add a contact to a security group") + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to add member $member to $($userobj.groupName). Error:$($_.Exception.Message)" -Sev 'Error' + $body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)") } } - catch { - $body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)") - } - } - -} -$RemoveMembers = ($userobj.Removemember).value -try { - if ($RemoveMembers) { - $RemoveMembers | ForEach-Object { - $member = $_ - if ($userobj.groupType -eq "Distribution list" -or $userobj.groupType -eq "Mail-Enabled Security") { - $Params = @{ Identity = $userobj.groupid; Member = $member ; BypassSecurityGroupManagerCheck = $true } - New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Remove-DistributionGroupMember" -cmdParams $params -UseSystemMailbox $true - } - else { - $MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid) - New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/members/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE - } - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $member from $($userobj.groupName) group" -Sev "Info" - $body = $results.add("Success. Member $member has been removed") - } } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Add member API failed. 
$($_.Exception.Message)" -Sev "Error" - $body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). $($_.Exception.Message)") -} + $AddContacts = ($userobj.AddContacts).value -$AddOwners = $userobj.Addowner.value -try { - if ($AddOwners) { - $AddOwners | ForEach-Object { + if ($AddContacts) { + $AddContacts | ForEach-Object { try { - $ID = "https://graph.microsoft.com/beta/users/" + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid).id - Write-Host $ID - $AddOwner = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/`$ref" -tenantid $Userobj.tenantid -type POST -body ('{"@odata.id": "' + $ID + '"}') - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added owner $_ to $($userobj.groupName) group" -Sev "Info" - $body = $results.add("Success. $_ has been added") + $member = $_ + if ($userobj.groupType -eq 'Distribution list' -or $userobj.groupType -eq 'Mail-Enabled Security') { + $Params = @{ Identity = $userobj.groupid; Member = $member; BypassSecurityGroupManagerCheck = $true } + New-ExoRequest -tenantid $Userobj.tenantid -cmdlet 'Add-DistributionGroupMember' -cmdParams $params -UseSystemMailbox $true + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added $member to $($userobj.groupName) group" -Sev 'Info' + $body = $results.add("Success. 
$member has been added") + } + else { + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message 'You cannot add a contact to a security group' -Sev 'Error' + $body = $results.add('You cannot add a contact to a security group') + } } catch { - $body = $results.add("Failed to add owner $_ to $($userobj.groupName): $($_.Exception.Message)") + $body = $results.add("Failed to add member $member to $($userobj.groupName): $($_.Exception.Message)") } } } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -message "Add member API failed. $($_.Exception.Message)" -Sev "Error" -} + $RemoveMembers = ($userobj.Removemember).value + try { + if ($RemoveMembers) { + $RemoveMembers | ForEach-Object { + $member = $_ + if ($userobj.groupType -eq 'Distribution list' -or $userobj.groupType -eq 'Mail-Enabled Security') { + $Params = @{ Identity = $userobj.groupid; Member = $member ; BypassSecurityGroupManagerCheck = $true } + New-ExoRequest -tenantid $Userobj.tenantid -cmdlet 'Remove-DistributionGroupMember' -cmdParams $params -UseSystemMailbox $true + } + else { + $MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid) + New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/members/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE + } + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $member from $($userobj.groupName) group" -Sev 'Info' + $body = $results.add("Success. Member $member has been removed") + } + } + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to remove $RemoveMembers from $($userobj.groupName). Error:$($_.Exception.Message)" -Sev 'Error' + $body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). 
$($_.Exception.Message)") + } -$RemoveOwners = ($userobj.RemoveOwner).value -try { - if ($RemoveOwners) { - $RemoveOwners | ForEach-Object { - try { - $MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid) - New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE - Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $($MemberInfo.UserPrincipalname) from $($userobj.displayname) group" -Sev "Info" - $body = $results.add("Success. Member $_ has been removed from $($userobj.groupName)") - } - catch { - $body = $results.add("Failed to remove $_ from $($userobj.groupName): $($_.Exception.Message)") + $AddOwners = $userobj.Addowner.value + try { + if ($AddOwners) { + $AddOwners | ForEach-Object { + try { + $ID = 'https://graph.microsoft.com/beta/users/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid).id + Write-Host $ID + $AddOwner = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/`$ref" -tenantid $Userobj.tenantid -type POST -body ('{"@odata.id": "' + $ID + '"}') + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Added owner $_ to $($userobj.groupName) group" -Sev 'Info' + $body = $results.add("Success. $_ has been added") + } + catch { + $body = $results.add("Failed to add owner $_ to $($userobj.groupName): Error:$($_.Exception.Message)") + } } - } + + } + + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -tenant $Userobj.tenantid -API $APINAME -message "Add member API failed. 
$($_.Exception.Message)" -Sev 'Error' } -} -catch { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Add member API failed. $($_.Exception.Message)" -Sev "Error" - $body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). $($_.Exception.Message)") -} -if ($userobj.allowExternal -eq 'true') { + $RemoveOwners = ($userobj.RemoveOwner).value try { - if ($userobj.groupType -eq "Distribution list") { - $Params = @{ Identity = $userobj.groupid; RequireSenderAuthenticationEnabled = $false } - New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Set-DistributionGroup" -cmdParams $params - } - else { - $Params = @{ Identity = $userobj.groupid; RequireSenderAuthenticationEnabled = $false } - New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Set-UnifiedGroup" -cmdParams $params + if ($RemoveOwners) { + $RemoveOwners | ForEach-Object { + try { + $MemberInfo = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($_)" -tenantid $Userobj.tenantid) + New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($userobj.groupid)/owners/$($MemberInfo.id)/`$ref" -tenantid $Userobj.tenantid -type DELETE + Write-LogMessage -API $APINAME -tenant $Userobj.tenantid -user $request.headers.'x-ms-client-principal' -message "Removed $($MemberInfo.UserPrincipalname) from $($userobj.displayname) group" -Sev 'Info' + $body = $results.add("Success. 
Member $_ has been removed from $($userobj.groupName)") + } + catch { + $body = $results.add("Failed to remove $_ from $($userobj.groupName): $($_.Exception.Message)") + } + } } - $body = $results.add("Allowed external senders to send to $($userobj.groupName).") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Allowed external senders to send to $($userobj.groupName)" -Sev "Error" - } catch { - $body = $results.add("Failed to allow external senders to send to $($userobj.groupName).") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to allow external senders for $($userobj.groupName). $($_.Exception.Message)" -Sev "Error" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to remove $RemoveMembers from $($userobj.groupName). Error:$($_.Exception.Message)" -Sev 'Error' + $body = $results.add("Could not remove $RemoveMembers from $($userobj.groupName). 
$($_.Exception.Message)") } -} + if ($userobj.allowExternal -eq 'true') { + try { + if ($userobj.groupType -eq 'Distribution list') { + $Params = @{ Identity = $userobj.groupid; RequireSenderAuthenticationEnabled = $false } + New-ExoRequest -tenantid $Userobj.tenantid -cmdlet 'Set-DistributionGroup' -cmdParams $params + } + else { + $Params = @{ Identity = $userobj.groupid; RequireSenderAuthenticationEnabled = $false } + New-ExoRequest -tenantid $Userobj.tenantid -cmdlet 'Set-UnifiedGroup' -cmdParams $params + } + $body = $results.add("Allowed external senders to send to $($userobj.groupName).") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Allowed external senders to send to $($userobj.groupName)" -Sev 'Info' -if ($userobj.sendCopies -eq 'true') { - try { - $Params = @{ Identity = $userobj.Groupid; subscriptionEnabled = $true; AutoSubscribeNewMembers = $true } - New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Set-UnifiedGroup" -cmdParams $params -useSystemMailbox $true + } + catch { + $body = $results.add("Failed to allow external senders to send to $($userobj.groupName).") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to allow external senders for $($userobj.groupName). 
Error:$($_.Exception.Message)" -Sev 'Error' + } + + } + + if ($userobj.sendCopies -eq 'true') { + try { + $Params = @{ Identity = $userobj.Groupid; subscriptionEnabled = $true; AutoSubscribeNewMembers = $true } + New-ExoRequest -tenantid $Userobj.tenantid -cmdlet 'Set-UnifiedGroup' -cmdParams $params -useSystemMailbox $true - $MemberParams = @{ Identity = $userobj.Groupid; LinkType = "members" } - $Members = New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Get-UnifiedGrouplinks" -cmdParams $MemberParams + $MemberParams = @{ Identity = $userobj.Groupid; LinkType = 'members' } + $Members = New-ExoRequest -tenantid $Userobj.tenantid -cmdlet 'Get-UnifiedGrouplinks' -cmdParams $MemberParams - $MemberSmtpAddresses = $Members | ForEach-Object { $_.PrimarySmtpAddress } + $MemberSmtpAddresses = $Members | ForEach-Object { $_.PrimarySmtpAddress } - $subscriberParams = @{ Identity = $userobj.Groupid; LinkType = "subscribers"; Links = @($MemberSmtpAddresses) } - New-ExoRequest -tenantid $Userobj.tenantid -cmdlet "Add-UnifiedGrouplinks" -cmdParams $subscriberParams -Anchor $userobj.mail + $subscriberParams = @{ Identity = $userobj.Groupid; LinkType = 'subscribers'; Links = @($MemberSmtpAddresses) } + New-ExoRequest -tenantid $Userobj.tenantid -cmdlet 'Add-UnifiedGrouplinks' -cmdParams $subscriberParams -Anchor $userobj.mail - $body = $results.add("Send Copies of team emails and events to team members inboxes for $($userobj.mail) enabled.") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Send Copies of team emails and events to team members inboxes for $($userobj.mail) enabled." 
-Sev "Error" - } - catch { - $body = $results.add("Failed to Send Copies of team emails and events to team members inboxes for $($userobj.mail).") - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to Send Copies of team emails and events to team members inboxes for $($userobj.mail). $($_.Exception.Message)" -Sev "Error" + $body = $results.add("Send Copies of team emails and events to team members inboxes for $($userobj.mail) enabled.") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Send Copies of team emails and events to team members inboxes for $($userobj.mail) enabled." -Sev 'Info' + } + catch { + $body = $results.add("Failed to Send Copies of team emails and events to team members inboxes for $($userobj.mail).") + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $Userobj.tenantid -message "Failed to Send Copies of team emails and events to team members inboxes for $($userobj.mail). Error:$($_.Exception.Message)" -Sev 'Error' + } } -} -$body = @{"Results" = @($results) } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $Body - }) + $body = @{'Results' = @($results) } + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditPolicy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditPolicy.ps1 index 076ecde86889..e30d3971cb00 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditPolicy.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditPolicy.ps1 
@@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-EditPolicy { +Function Invoke-EditPolicy { <# .FUNCTIONALITY Entrypoint 
@@ -8,38 +8,38 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' -$user = $request.headers.'x-ms-client-principal' -$Tenant = $request.body.tenantid -$ID = $request.body.groupid -$displayname = $request.body.Displayname -$description = $request.body.Description -$AssignTo = if ($request.body.Assignto -ne "on") { $request.body.Assignto } -$results = try { - $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}' - $Request = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$ID')" -tenantid $tenant -type PATCH -body $CreateBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Edited policy $($Displayname)" -Sev "Error" - if ($AssignTo) { - $AssignBody = if ($AssignTo -ne "AllDevicesAndUsers") { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' 
+ $($AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } - $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($ID)')/assign" -tenantid $tenant -type POST -body $AssignBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $AssignTo" -Sev "Info" + $Tenant = $request.body.tenantid + $ID = $request.body.groupid + $displayname = $request.body.Displayname + $description = $request.body.Description + $AssignTo = if ($request.body.Assignto -ne 'on') { $request.body.Assignto } + + $results = try { + $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}' + $Request = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$ID')" -tenantid $tenant -type PATCH -body $CreateBody + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Edited policy $($Displayname)" -Sev 'Info' + if ($AssignTo) { + $AssignBody = if ($AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' 
+ $($AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } + $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$($ID)')/assign" -tenantid $tenant -type POST -body $AssignBody + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $AssignTo" -Sev 'Info' + } + "Successfully edited policy for $($Tenant)" + } + catch { + "Failed to add policy for $($Tenant): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed editing policy $($Displayname). Error:$($_.Exception.Message)" -Sev 'Error' + continue } - "Successfully edited policy for $($Tenant)" -} -catch { - "Failed to add policy for $($Tenant): $($_.Exception.Message)" - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed editing policy $($Displayname). Error: $($_.Exception.Message)" -Sev "Error" - continue -} -$body = [pscustomobject]@{"Results" = $results } + $body = [pscustomobject]@{'Results' = $results } -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $body - }) + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $body + }) - } +} diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditSpamFilter.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditSpamFilter.ps1 index 7138186ae76b..9f98d280f511 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditSpamFilter.ps1 
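Review bot: `$CreateBody` and `$AssignBody` are assembled by concatenating request-body values (`$description`, `$displayname`, `$AssignTo`) straight into JSON text, so a quote or backslash in a policy name breaks the PATCH and the caller controls the structure of what is sent to Graph; build both bodies from hashtables with `ConvertTo-Json` and check `$AssignTo` against the assignment-target names this function expects before interpolating it (the same applies to `$ID`, which lands unescaped inside the OData key `groupPolicyConfigurations('$ID')`). Two smaller problems sit in the same block: `$Request = New-GraphPOSTRequest ...` overwrites the function's `$Request` parameter, so the `-user $request.headers.'x-ms-client-principal'` on the following log lines reads the Graph response instead of the HTTP request, and the `continue` in the catch is not inside a loop, so on error execution appears to leave the function before `Push-OutputBinding` can return the failure message. The rewrite below uses `$GraphRequest` for the response and drops the `continue`. Invoke-EditPolicy's parameter block and the top of the function are outside this hunk.
```powershell
# … unchanged: $Tenant, $ID, $displayname, $description, $AssignTo assignments …
$results = try {
    # Serialise from a hashtable so quotes/backslashes in request values are escaped rather than injected
    $CreateBody = @{
        description     = $description
        displayName     = $displayname
        roleScopeTagIds = @('0')
    } | ConvertTo-Json -Compress
    $GraphRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations('$ID')" -tenantid $tenant -type PATCH -body $CreateBody
    # … unchanged: 'Edited policy' log entry …
    if ($AssignTo) {
        $Targets = if ($AssignTo -ne 'AllDevicesAndUsers') {
            @(@{ id = ''; target = @{ '@odata.type' = "#microsoft.graph.$($AssignTo)AssignmentTarget" } })
        } else {
            @(
                @{ id = ''; target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } },
                @{ id = ''; target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
            )
        }
        # -Depth keeps the nested target objects from being truncated by the default depth
        $AssignBody = @{ assignments = $Targets } | ConvertTo-Json -Depth 5 -Compress
        # … unchanged: assign request and 'Assigned policy' log entry …
    }
    "Successfully edited policy for $($Tenant)"
}
catch {
    "Failed to add policy for $($Tenant): $($_.Exception.Message)"
    # … unchanged: 'Failed editing policy' log entry …
    # no 'continue' here so the Push-OutputBinding that follows still runs on error
}
```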
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditSpamFilter.ps1 @@ -1,6 +1,6 @@ - using namespace System.Net +using namespace System.Net - Function Invoke-EditSpamFilter { +Function Invoke-EditSpamFilter { <# .FUNCTIONALITY Entrypoint 
@@ -8,29 +8,29 @@ [CmdletBinding()] param($Request, $TriggerMetadata) - $APIName = $TriggerMetadata.FunctionName -Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug" -$Tenantfilter = $request.Query.tenantfilter + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + $Tenantfilter = $request.Query.tenantfilter + $Params = @{ + Identity = $request.query.name + } -$Params = @{ - Identity = $request.query.name -} + try { + $cmdlet = if ($request.query.state -eq 'enable') { 'Enable-HostedContentFilterRule' } else { 'Disable-HostedContentFilterRule' } + $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params + $Result = "Set Spamfilter rule to $($request.query.State)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Set Spamfilter rule $($Request.query.name) to $($request.query.State)" -sev Info + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Failed setting Spamfilter rule $($Request.query.guid) to $($request.query.State). Error:$($_.Exception.Message)" -Sev 'Error' + $ErrorMessage = Get-NormalizedError -Message $_.Exception + $Result = $ErrorMessage + } + # Associate values to output bindings by calling 'Push-OutputBinding'. 
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = @{Results = $Result } + }) -try { - $cmdlet = if ($request.query.state -eq "enable") { "Enable-HostedContentFilterRule" } else { "Disable-HostedContentFilterRule" } - $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params - $Result = "Set Spamfilter rule to $($request.query.State)" - Write-LogMessage -API "TransportRules" -tenant $tenantfilter -message "Set transport rule $($Request.query.name) to $($request.query.State)" -sev Debug } -catch { - $ErrorMessage = Get-NormalizedError -Message $_.Exception - $Result = $ErrorMessage -} -# Associate values to output bindings by calling 'Push-OutputBinding'. -Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = @{Results = $Result } - }) - - } diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditTenant.ps1 index 0c10dc387b08..77db47a5ff51 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditTenant.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditTenant.ps1 
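Review bot: The new catch-block log names the rule as `$($Request.query.guid)`, but this entrypoint identifies the rule by `$request.query.name` (both the `$Params` Identity and the success log use it), so failures will be recorded with an empty rule identifier; the `-message` should read `"Failed setting Spamfilter rule $($Request.query.name) to $($request.query.State). Error:$($_.Exception.Message)"`. Separately, `$cmdlet` falls through to `Disable-HostedContentFilterRule` for any `state` value other than `'enable'`, while `$Result` and the log echo the raw query value, so a mistyped state disables the rule and reports whatever string was sent; comparing against both expected values and rejecting anything else would make the outcome match the message.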
@@ -20,9 +20,10 @@ Function Invoke-EditTenant {
 $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default')
 $allTenantsDetails = (Invoke-RestMethod -Method GET -Uri 'https://graph.windows.net/myorganization/contracts?api-version=1.6' -ContentType 'application/json' -Headers $AADGraphtoken)
 $tenantObjectId = $allTenantsDetails.value | Where-Object { $_.customerContextId -eq $customerContextId } | Select-Object 'objectId'
- } catch {
- $Results = "Failed to retrieve list of tenants. Error: $($_.Exception.Message)"
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($tenantDisplayName) -message "Failed to retrieve list of tenants. Error: $($_.Exception.Message)" -Sev 'Error'
+ }
+ catch {
+ $Results = "Failed to retrieve list of tenants. Error: $($_.Exception.Message)"
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($tenantDisplayName) -message "Failed to retrieve list of tenants. Error:$($_.Exception.Message)" -Sev 'Error'
 }
@@ -36,16 +37,19 @@ Function Invoke-EditTenant {
 $Tenant = Get-CIPPAzDataTableEntity @TenantsTable -Filter $Filter
 $Tenant.displayName = $tenantDisplayName
 Update-AzDataTableEntity @TenantsTable -Entity $Tenant
- } catch {
+ }
+ catch {
 $AddedText = 'but could not edit the tenant cache. Clear the tenant cache to display the updated details'
 }
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantDisplayName -message "Edited tenant $tenantDisplayName" -Sev 'Info'
 $results = "Successfully amended details for $($Tenant.displayName) $AddedText"
- } catch {
+ }
+ catch {
 $results = "Failed to amend details for $tenantDisplayName : $($_.Exception.Message)"
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantDisplayName -message "Failed amending details $tenantDisplayName. Error: $($_.Exception.Message)" -Sev 'Error'
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantDisplayName -message "Failed amending details $tenantDisplayName. Error:$($_.Exception.Message)" -Sev 'Error'
 }
- } else {
+ }
+ else {
 $Results = 'Could not find the tenant to edit in the contract endpoint. Please ensure you have a reseller relationship with the tenant you are trying to edit.'
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditTransportRule.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditTransportRule.ps1
index 11c669a95358..20f93fd4014f 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditTransportRule.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditTransportRule.ps1
@@ -21,8 +21,10 @@ Function Invoke-EditTransportRule { $cmdlet = if ($request.query.state -eq 'enable') { 'Enable-TransportRule' } else { 'Disable-TransportRule' } $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet $cmdlet -cmdParams $params -UseSystemMailbox $true $Result = "Set transport rule $($Request.query.guid) to $($request.query.State)" - Write-LogMessage -API 'TransportRules' -tenant $tenantfilter -message "Set transport rule $($Request.query.guid) to $($request.query.State)" -sev Debug - } catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Set transport rule $($Request.query.guid) to $($request.query.State)" -sev Info + } + catch { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenantfilter -message "Failed setting transport rule $($Request.query.guid) to $($request.query.State). Error:$($_.Exception.Message)" -Sev 'Error' $ErrorMessage = Get-NormalizedError -Message $_.Exception $Result = $ErrorMessage } diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1 index 996352c449dd..132ccd3af8af 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1 @@ -10,6 +10,7 @@ Function Invoke-EditUser { $APIName = $TriggerMetadata.FunctionName Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + $userobj = $Request.body $Results = [System.Collections.ArrayList]@() $licenses = ($userobj | Select-Object 'License_*').psobject.properties.value 
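Review bot: The two added `Write-LogMessage` calls pass `-API $APINAME`, but nothing in the hunk assigns it in Invoke-EditTransportRule; if the function does not set `$APIName = $TriggerMetadata.FunctionName` near its top (as Invoke-EditSpamFilter does in this same commit), both entries are written with an empty API name. Confirm the assignment exists outside the hunk, or add it before the try block. The try/catch these lines belong to opens before the hunk.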
@@ -54,7 +55,8 @@ Function Invoke-EditUser { $results.add("Success. The password has been set to $($userobj.password)") Write-LogMessage -API $APINAME -tenant ($UserObj.tenantid) -user $request.headers.'x-ms-client-principal' -message "Reset $($userobj.displayname)'s Password" -Sev 'Info' } - } catch { + } + catch { Write-LogMessage -API $APINAME -tenant ($UserObj.tenantid) -user $request.headers.'x-ms-client-principal' -message "User edit API failed. $($_.Exception.Message)" -Sev 'Error' $results.add( "Failed to edit user. $($_.Exception.Message)") } @@ -68,7 +70,7 @@ Function Invoke-EditUser { $CurrentLicenses = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($userobj.Userid)" -tenantid $Userobj.tenantid $RemovalList = ($CurrentLicenses.assignedLicenses | Where-Object -Property skuid -NotIn $licenses).skuid $LicensesToRemove = if ($RemovalList) { ConvertTo-Json @( $RemovalList ) } else { '[]' } - + $liclist = foreach ($license in $Licenses) { '{"disabledPlans": [],"skuId": "' + $license + '" },' } $LicenseBody = '{"addLicenses": [' + $LicList + '], "removeLicenses": ' + $LicensesToRemove + '}' if ($userobj.RemoveAllLicenses) { $LicenseBody = '{"addLicenses": [], "removeLicenses": ' + $LicensesToRemove + '}' } @@ -79,7 +81,8 @@ Function Invoke-EditUser { $results.add( 'Success. User license has been edited.' ) } - } catch { + } + catch { Write-LogMessage -API $APINAME -tenant ($UserObj.tenantid) -user $request.headers.'x-ms-client-principal' -message "License assign API failed. $($_.Exception.Message)" -Sev 'Error' $results.add( "We've failed to assign the license. $($_.Exception.Message)") } 
@@ -95,7 +98,8 @@ Function Invoke-EditUser { $results.add( 'Success. added aliasses to user.') } - } catch { + } + catch { Write-LogMessage -API $APINAME -tenant ($UserObj.tenantid) -user $request.headers.'x-ms-client-principal' -message "Alias API failed. $($_.Exception.Message)" -Sev 'Error' $results.add( "Successfully edited user. The password is $password. We've failed to create the Aliases: $($_.Exception.Message)") } From 959cff2b3e6a5f210245a4ed428cd5ade11e6193 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 23:17:40 +0000 Subject: [PATCH 34/78] Added logging for catchup jobs --- Scheduler_Extensions/run.ps1 | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/Scheduler_Extensions/run.ps1 b/Scheduler_Extensions/run.ps1 index 767e1ec2ece5..0b343d50d5ad 100644 --- a/Scheduler_Extensions/run.ps1 +++ b/Scheduler_Extensions/run.ps1 
@@ -58,31 +58,35 @@ if ($Configuration.NinjaOne.Enabled -eq $True) { } Add-AzDataTableEntity @Table -Entity $AddObject -Force - Write-LogMessage -API 'NinjaOneAutoMap_Queue' -user 'CIPP' -message "NinjaOne Synchronization Queued for $(($TenantsToProcess | Measure-Object).count) Tenants" -Sev 'Info' + Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "NinjaOne Daily Synchronization Queued for $(($TenantsToProcess | Measure-Object).count) Tenants" -Sev 'Info' } else { if ($LastRunTime -lt (Get-Date).AddMinutes(-90)) { $TenantsToProcess | ForEach-Object { - if ($Null -ne $_.lastEndTime -and $_.lastEndTime -ne ''){ - $_.lastEndTime = (Get-Date($_.lastEndTime)) + if ($Null -ne $_.lastEndTime -and $_.lastEndTime -ne '') { + $_.lastEndTime = (Get-Date($_.lastEndTime)) } else { $_ | Add-Member -NotePropertyName lastEndTime -NotePropertyValue $Null -Force } if ($Null -ne $_.lastStartTime -and $_.lastStartTime -ne '') { - $_.lastStartTime = (Get-Date($_.lastStartTime)) + $_.lastStartTime = (Get-Date($_.lastStartTime)) } else { $_ | Add-Member -NotePropertyName lastStartTime -NotePropertyValue $Null -Force } } - foreach ($Tenant in $TenantsToProcess | where-object { (((($_.lastEndTime -eq $Null) -or ($_.lastStartTime -gt $_.lastEndTime)) -and ($_.lastStartTime -lt (Get-Date).AddMinutes(-30)))) -or ($_.lastStartTime -lt $LastRunTime) }) { - Push-OutputBinding -Name NinjaProcess -Value @{ - 'NinjaAction' = 'SyncTenant' - 'MappedTenant' = $Tenant - } - - } + $CatchupTenants = $TenantsToProcess | where-object { (((($_.lastEndTime -eq $Null) -or ($_.lastStartTime -gt $_.lastEndTime)) -and ($_.lastStartTime -lt (Get-Date).AddMinutes(-30)))) -or ($_.lastStartTime -lt $LastRunTime) } + foreach ($Tenant in $CatchupTenants) { + Push-OutputBinding -Name NinjaProcess -Value @{ + 'NinjaAction' = 'SyncTenant' + 'MappedTenant' = $Tenant + } + } + if (($CatchupTenants | Measure-Object).count -gt 0){ + Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "NinjaOne 
Synchronization Catchup Queued for $(($CatchupTenants | Measure-Object).count) Tenants" -Sev 'Info' } } - } \ No newline at end of file + + } +} \ No newline at end of file From 8afb04364e19e23db6db6b5cfbd4271026cd99e9 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Wed, 6 Dec 2023 23:50:59 +0000 Subject: [PATCH 35/78] Added set location --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index fc20f4dbba9e..5533c5f8bc6d 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -35,6 +35,8 @@ function Invoke-NinjaOneTenantSync { } Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force + Set-Location (Get-Item $PSScriptRoot).Parent.FullName + # Fetch Custom NinjaOne Settings $Table = Get-CIPPTable -TableName NinjaOneSettings $NinjaSettings = (Get-CIPPAzDataTableEntity @Table) From 471c30cdd773cca51cd230bd6240bed21dd3241c Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 00:35:12 +0000 Subject: [PATCH 36/78] Fixed location staggered start --- .../CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 | 1 + Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 4 ++-- Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 | 1 - Scheduler_Extensions/run.ps1 | 2 ++ 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 index 38f050341aed..167e4b42c72a 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 
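Review bot: The new `$CatchupTenants` filter writes `($_.lastEndTime -eq $Null)` with `$null` on the right-hand side; PowerShell's `-eq` with a collection on the left filters the collection instead of testing it, which is why PSScriptAnalyzer flags this form (PSPossibleIncorrectComparisonWithNull), and the same hunk already uses the safe `$Null -ne $_.lastEndTime` form a few lines earlier, so `($null -eq $_.lastEndTime)` keeps the two consistent. Two style nits on the same lines: `-gt 0){` is missing the space before the brace, and `where-object` is the only lower-cased cmdlet in the block. The `if ($LastRunTime -lt ...)` branch that encloses this code opens before the hunk.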
@@ -46,6 +46,7 @@ Function Invoke-ExecExtensionSync { 'NinjaAction' = 'SyncTenant' 'MappedTenant' = $Tenant } + Start-Sleep -Seconds 1 } diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 5533c5f8bc6d..c2c3305f8659 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -34,8 +34,7 @@ function Invoke-NinjaOneTenantSync { $CurrentItem.lastEndTime = ([string]$(($CurrentItem.lastEndTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) } Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force - - Set-Location (Get-Item $PSScriptRoot).Parent.FullName + # Fetch Custom NinjaOne Settings $Table = Get-CIPPTable -TableName NinjaOneSettings @@ -1991,6 +1990,7 @@ function Invoke-NinjaOneTenantSync { ### CIPP Applied Standards Cards Write-Host "Applied Standards" + Set-Location (Get-Item $PSScriptRoot).FullName $StandardsDefinitions = Get-Content 'config/standards.json' | ConvertFrom-Json -Depth 100 $Table = Get-CippTable -tablename 'standards' diff --git a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 index c6ab4abb2fac..069dec362229 100644 --- a/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 +++ b/Modules/CippExtensions/Public/Get-ExtensionRateLimit.ps1 
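Review bot: `Start-Sleep -Seconds 1` inside the per-tenant loop of Invoke-ExecExtensionSync, an HTTP entrypoint, makes each request take at least one second per mapped tenant before a response can be returned, which for larger tenant lists will run into the host's request timeout. If the stagger is there to smooth the burst on the consumer, it belongs on the consuming side (Invoke-NinjaOneTenantSync already carries a 'Stagger start' step, visible as context in a later hunk on this page), or the queuing loop should move to a timer/queue-triggered function as Scheduler_Extensions/run.ps1 already does. The foreach this line sits in starts outside the hunk.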
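Review bot: `Set-Location (Get-Item $PSScriptRoot).FullName` in the `@@ -1991,6 +1990,7 @@` hunk changes the current directory so the next line's relative `'config/standards.json'` resolves, and that location persists in the runspace the worker reuses for later invocations (and may update the process working directory), so other functions that rely on a relative path can observe it. Resolving the path explicitly avoids mutating shared state: `$StandardsDefinitions = Get-Content (Join-Path $PSScriptRoot 'config/standards.json') | ConvertFrom-Json -Depth 100`, keeping whichever base directory the commit settled on. The same concern applied to the `.Parent.FullName` variant this commit removes in the `@@ -34,8 +34,7 @@` hunk. The enclosing function body lies outside both hunks.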
@@ -23,7 +23,6 @@ function Get-ExtensionRateLimit($ExtensionName, $ExtensionPartitionKey, $RateLim $ActiveJobs = 'FirstRun' } if (($ActiveJobs | Measure-Object).count -ge $RateLimit) { - Write-LogMessage -API 'ExtensionRateLimiting' -user 'CIPP' -message "$ExtensionName Rate Limited $($ActiveJobs.count) active jobs" -Sev 'Info' Write-Host "Rate Limiting. Currently $($ActiveJobs.count) Active Jobs" Start-Sleep -Seconds $WaitTime $CurrentMap = Get-ExtensionRateLimit -ExtensionName $ExtensionName -ExtensionPartitionKey $ExtensionPartitionKey -RateLimit $RateLimit -WaitTime $WaitTime diff --git a/Scheduler_Extensions/run.ps1 b/Scheduler_Extensions/run.ps1 index 0b343d50d5ad..c6ce09744cbd 100644 --- a/Scheduler_Extensions/run.ps1 +++ b/Scheduler_Extensions/run.ps1 @@ -48,6 +48,7 @@ if ($Configuration.NinjaOne.Enabled -eq $True) { 'NinjaAction' = 'SyncTenant' 'MappedTenant' = $Tenant } + Start-Sleep -Seconds 1 } @@ -81,6 +82,7 @@ if ($Configuration.NinjaOne.Enabled -eq $True) { 'NinjaAction' = 'SyncTenant' 'MappedTenant' = $Tenant } + Start-Sleep -Seconds 1 } if (($CatchupTenants | Measure-Object).count -gt 0){ Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "NinjaOne Synchronization Catchup Queued for $(($CatchupTenants | Measure-Object).count) Tenants" -Sev 'Info' From f78dd325b237d797868e2866bed01cd68a87c6da Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 00:49:56 +0000 Subject: [PATCH 37/78] Fixed manual queue and improved tenant completion log entry --- .../Public/Entrypoints/Invoke-ExecExtensionSync.ps1 | 6 ++++++ .../NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 10 ++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 index 167e4b42c72a..d79b17ad7806 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 @@ -41,6 +41,12 @@ Function Invoke-ExecExtensionSync { $Filter = "PartitionKey eq 'NinjaOrgsMapping'" $TenantsToProcess = Get-AzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' } + $Results = [pscustomobject]@{'Results' = "NinjaOne Synchronization Queuing $(($TenantsToProcess | Measure-Object).count) Tenants" } + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Results + }) -clobber + foreach ($Tenant in $TenantsToProcess) { Push-OutputBinding -Name NinjaProcess -Value @{ 'NinjaAction' = 'SyncTenant' diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index c2c3305f8659..c84f383b0568 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -4,7 +4,7 @@ function Invoke-NinjaOneTenantSync { $QueueItem ) try { - $StartTime = Get-Date + $StartQueueTime = Get-Date Write-Host "$(Get-Date) - Starting NinjaOne Sync" # Stagger start @@ -12,6 +12,8 @@ function Invoke-NinjaOneTenantSync { # Check Global Rate Limiting $CurrentMap = Get-ExtensionRateLimit -ExtensionName 'NinjaOne' -ExtensionPartitionKey 'NinjaOrgsMapping' -RateLimit 5 -WaitTime 60 + + $StartTime = Get-Date # Parse out the Tenant we are processing $MappedTenant = $QueueItem.MappedTenant 
@@ -28,13 +30,13 @@ function Invoke-NinjaOneTenantSync { # Set Last Start Time $MappingTable = Get-CIPPTable -TableName CippMapping - $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue ([string]$(($StartTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force + $CurrentItem | Add-Member -NotePropertyName lastStartTime -NotePropertyValue ([string]$(($StartQueueTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) -Force $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Running' -Force if ($Null -ne $CurrentItem.lastEndTime -and $CurrentItem.lastEndTime -ne '' ) { $CurrentItem.lastEndTime = ([string]$(($CurrentItem.lastEndTime).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ"))) } Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force - + # Fetch Custom NinjaOne Settings $Table = Get-CIPPTable -TableName NinjaOneSettings 
@@ -2298,7 +2300,7 @@ function Invoke-NinjaOneTenantSync { $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Completed' -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force - Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Completed NinjaOne Sync for $($Customer.displayName). Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' + Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Completed NinjaOne Sync for $($Customer.displayName). Queued for $((New-TimeSpan -Start $StartQueueTime -End $StartTime).TotalSeconds) seconds. Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' } catch { Write-Error "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" From 6f7ad781bf3440a69f0116419e4379fc245bb32b Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 00:52:15 +0000 Subject: [PATCH 38/78] Temp script root debug --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index c84f383b0568..32fb8d764451 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 
@@ -1993,6 +1993,7 @@ function Invoke-NinjaOneTenantSync { ### CIPP Applied Standards Cards Write-Host "Applied Standards" Set-Location (Get-Item $PSScriptRoot).FullName + Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Script root debug: $((Get-Item $PSScriptRoot).FullName)" -Sev 'info' $StandardsDefinitions = Get-Content 'config/standards.json' | ConvertFrom-Json -Depth 100 $Table = Get-CippTable -tablename 'standards' From 6f492f8b14f914e27480fdcf9ef0fa42984a7249 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 10:13:14 +0000 Subject: [PATCH 39/78] Additional Graph Logging --- Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 index ab2686655b39..7f63f41de26d 100644 --- a/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 +++ b/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 @@ -17,7 +17,7 @@ function Invoke-CippGraphWebhookRenewal { Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Renewed Subscription:$($UpdateSub.SubscriptionID)" -Sev "Info" -tenant $TenantFilter } catch { - Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Failed to renew Webhook Subscription: $($UpdateSub.SubscriptionID)" -Sev "Error" -tenant $TenantFilter + Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Failed to renew Webhook Subscription: $($UpdateSub.SubscriptionID). Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" -Sev "Error" -tenant $TenantFilter } } } From 4d4a95414bdd7b6393f5d912119415db9315dc26 Mon Sep 17 00:00:00 2001 
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 10:22:53 +0000 Subject: [PATCH 40/78] Improved logs --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 32fb8d764451..dbf6f82b469f 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -45,7 +45,7 @@ function Invoke-NinjaOneTenantSync { $Customer = Get-Tenants | where-object { $_.customerId -eq $MappedTenant.RowKey } - Write-Host "Processing: $($Customer.displayName)" + Write-Host "Processing: $($Customer.displayName) - Queued for $((New-TimeSpan -Start $StartQueueTime -End $StartTime).TotalSeconds)" Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Processing NinjaOne Synchronization for $($Customer.displayName)" -Sev 'Info' 
@@ -2301,7 +2301,7 @@ function Invoke-NinjaOneTenantSync { $CurrentItem | Add-Member -NotePropertyName lastStatus -NotePropertyValue 'Completed' -Force Add-CIPPAzDataTableEntity @MappingTable -Entity $CurrentItem -Force - Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Completed NinjaOne Sync for $($Customer.displayName). Queued for $((New-TimeSpan -Start $StartQueueTime -End $StartTime).TotalSeconds) seconds. Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' + Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Completed NinjaOne Sync for $($Customer.displayName). Queued for $((New-TimeSpan -Start $StartQueueTime -End $StartTime).TotalSeconds) seconds. Data fetched in $((New-TimeSpan -Start $StartTime -End $FetchEnd).TotalSeconds) seconds. Total processing time $((New-TimeSpan -Start $StartTime -End (Get-Date)).TotalSeconds) seconds" -Sev 'info' } catch { Write-Error "Failed NinjaOne Processing for $($Customer.displayName) Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" From b06e80620fb7937fe8a75795013d3d337c3c128d Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 10:33:46 +0000 Subject: [PATCH 41/78] Log update --- .../CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index dbf6f82b469f..69f8bb36405b 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 
@@ -47,7 +47,7 @@ function Invoke-NinjaOneTenantSync { $Customer = Get-Tenants | where-object { $_.customerId -eq $MappedTenant.RowKey } Write-Host "Processing: $($Customer.displayName) - Queued for $((New-TimeSpan -Start $StartQueueTime -End $StartTime).TotalSeconds)" - Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Processing NinjaOne Synchronization for $($Customer.displayName)" -Sev 'Info' + Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Processing NinjaOne Synchronization for $($Customer.displayName) - Queued for $((New-TimeSpan -Start $StartQueueTime -End $StartTime).TotalSeconds)" -Sev 'Info' if (($Customer | Measure-Object).count -ne 1) { Throw "Unable to match the recieved ID to a tenant QueueItem: $($QueueItem | ConvertTo-Json -Depth 100 | Out-String) Matched Customer: $($Customer| ConvertTo-Json -Depth 100 | Out-String)" @@ -1992,8 +1992,8 @@ function Invoke-NinjaOneTenantSync { ### CIPP Applied Standards Cards Write-Host "Applied Standards" - Set-Location (Get-Item $PSScriptRoot).FullName - Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Script root debug: $((Get-Item $PSScriptRoot).FullName)" -Sev 'info' + Set-Location (Get-Item $PSScriptRoot).Parent.Parent.FullName + Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Script root debug: $((Get-Item $PSScriptRoot).Parent.Parent.FullName)" -Sev 'info' $StandardsDefinitions = Get-Content 'config/standards.json' | ConvertFrom-Json -Depth 100 $Table = Get-CippTable -tablename 'standards' From f5d382e8f4cf04c1ff970f326f0fef2068d31eeb Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:02:32 +0000 Subject: [PATCH 42/78] Graph Subscription Renewal Fixes --- .../Public/Invoke-CIPPGraphWebhookRenewal.ps1 | 27 ++++++++++++++++--- .../Public/New-CIPPGraphSubscription.ps1 | 1 + .../function.json | 2 +- 3 files changed, 25 insertions(+), 5 deletions(-) 
diff --git a/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 index 7f63f41de26d..eb9bf46a3b94 100644 --- a/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 +++ b/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 
@@ -11,10 +11,29 @@ function Invoke-CippGraphWebhookRenewal { foreach ($UpdateSub in $WebhookData) { try { $TenantFilter = $UpdateSub.PartitionKey - $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/subscriptions/$($UpdateSub.SubscriptionID)" -tenantid $TenantFilter -type PATCH -body $body -Verbose - $UpdateSub.Expiration = $RenewalDate - $null = Add-AzDataTableEntity @WebhookTable -Entity $UpdateSub -Force - Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Renewed Subscription:$($UpdateSub.SubscriptionID)" -Sev "Info" -tenant $TenantFilter + try { + $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/subscriptions/$($UpdateSub.SubscriptionID)" -tenantid $TenantFilter -type PATCH -body $body -Verbose + $UpdateSub.Expiration = $RenewalDate + $null = Add-AzDataTableEntity @WebhookTable -Entity $UpdateSub -Force + Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Renewed Subscription:$($UpdateSub.SubscriptionID)" -Sev "Info" -tenant $TenantFilter + + } catch { + # Rebuild creation parameters + $BaseURL = "$(([uri]($UpdateSub.WebhookNotificationUrl)).Host)" + if ($UpdateSub.TypeofSubscription) { + $TypeofSubscription = "$($UpdateSub.TypeofSubscription)" + } else { + $TypeofSubscription = 'updated' + } + $Resource = "$($UpdateSub.Resource)" + $EventType = "$($UpdateSub.EventType)" + + Remove-AzDataTableEntity @WebhookTable -Entity $UpdateSub + Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Recreating: $($UpdateSub.SubscriptionID) as renewal failed." -Sev "Info" -tenant $TenantFilter + + New-CIPPGraphSubscription -TenantFilter $TenantFilter -TypeofSubscription $TypeofSubscription -BaseURL $BaseURL -Resource $Resource -EventType $EventType -ExecutingUser 'GraphSubscriptionRenewal' + } + } catch { Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Failed to renew Webhook Subscription: $($UpdateSub.SubscriptionID). 
Linenumber: $($_.InvocationInfo.ScriptLineNumber) Error: $($_.Exception.message)" -Sev "Error" -tenant $TenantFilter diff --git a/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 b/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 index 18a58945002e..dca394c22254 100644 --- a/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 +++ b/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 @@ -64,6 +64,7 @@ function New-CIPPGraphSubscription { Resource = [string]$Resource Expiration = [string]$expiredate SubscriptionID = [string]$GraphRequest.id + TypeofSubscription = [string]$TypeofSubscription WebhookNotificationUrl = [string]$GraphRequest.notificationUrl } $null = Add-CIPPAzDataTableEntity @WebhookTable -Entity $WebhookRow diff --git a/Scheduler_RenewGraphSubscriptions/function.json b/Scheduler_RenewGraphSubscriptions/function.json index d2e7f34face4..114e4c0f7aab 100644 --- a/Scheduler_RenewGraphSubscriptions/function.json +++ b/Scheduler_RenewGraphSubscriptions/function.json @@ -4,7 +4,7 @@ "name": "Timer", "type": "timerTrigger", "direction": "in", - "schedule": "0 0 0 * * *" + "schedule": "0 10 * * * *" } ] } From bca9590234d0e9d94f4172bb59a959c08b30653b Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:20:02 +0000 Subject: [PATCH 43/78] Fixed location and improved webhook logging --- Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 | 7 +++++-- Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 | 5 ++++- .../CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 3 +-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 index eb9bf46a3b94..241a5e003192 100644 --- a/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 +++ b/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 
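Review bot: The inner `catch` in Invoke-CippGraphWebhookRenewal discards the exception from the PATCH on `/beta/subscriptions/...`, so the log only says 'Recreating ... as renewal failed' and an operator cannot tell an expired subscription from an auth or permission problem that will make the recreate fail as well; record the reason first, e.g. `Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Renewal of $($UpdateSub.SubscriptionID) failed: $($_.Exception.Message)" -Sev "Info" -tenant $TenantFilter`. Also, if the PATCH failed for a transient reason the old subscription may still be live in Graph and keep posting to the same notification URL alongside the new one, so a best-effort DELETE of `$($UpdateSub.SubscriptionID)` before recreating would avoid duplicate notifications — hedged, since whether New-CIPPGraphSubscription handles that is outside this hunk. `$body` and `$RenewalDate` used here are defined above the hunk.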
@@ -28,10 +28,13 @@ function Invoke-CippGraphWebhookRenewal { $Resource = "$($UpdateSub.Resource)" $EventType = "$($UpdateSub.EventType)" - Remove-AzDataTableEntity @WebhookTable -Entity $UpdateSub Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Recreating: $($UpdateSub.SubscriptionID) as renewal failed." -Sev "Info" -tenant $TenantFilter + $CreateResult = New-CIPPGraphSubscription -TenantFilter $TenantFilter -TypeofSubscription $TypeofSubscription -BaseURL $BaseURL -Resource $Resource -EventType $EventType -ExecutingUser 'GraphSubscriptionRenewal' + + if ($CreateResult -match 'Created Webhook subscription for') { + Remove-AzDataTableEntity @WebhookTable -Entity $UpdateSub + } - New-CIPPGraphSubscription -TenantFilter $TenantFilter -TypeofSubscription $TypeofSubscription -BaseURL $BaseURL -Resource $Resource -EventType $EventType -ExecutingUser 'GraphSubscriptionRenewal' } diff --git a/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 b/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 index dca394c22254..4c29898be0cf 100644 --- a/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 +++ b/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 @@ -36,6 +36,7 @@ function New-CIPPGraphSubscription { } $null = Add-CIPPAzDataTableEntity @WebhookTable -Entity $WebhookRow + Write-LogMessage -user $ExecutingUser -API $APIName -message "Created Webhook subscription for $($TenantFilter)" -Sev "Info" -tenant $TenantFilter } else { # First check if there is an exsiting Webhook in place 
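Review bot: `if ($CreateResult -match 'Created Webhook subscription for')` decides whether to delete the old table row by regex-matching the human-readable return string of New-CIPPGraphSubscription, and in that function's hunk at L357 the same `return "Created Webhook subscription for $($TenantFilter)"` follows both the created branch and the 'Existing Graph Webhook subscription ... found' branch, so at this commit an existing match still removes the old row although no new subscription was made. A distinct return value per outcome (a boolean, or the new `$GraphRequest.id`) compared with `-eq` would make the caller's check meaningful; the `-Recreate` switch added in the next commit (L358) skips the existing-found branch but leaves the return value ambiguous. The try/catch surrounding this block begins outside the hunk.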
@@ -70,9 +71,11 @@ function New-CIPPGraphSubscription { $null = Add-CIPPAzDataTableEntity @WebhookTable -Entity $WebhookRow #todo: add remove webhook function, add check webhook function, add list webhooks function #add refresh webhook function based on table. + Write-LogMessage -user $ExecutingUser -API $APIName -message "Created Graph Webhook subscription for $($TenantFilter)" -Sev "Info" -tenant $TenantFilter + } else { + Write-LogMessage -user $ExecutingUser -API $APIName -message "Existing Graph Webhook subscription for $($TenantFilter) found" -Sev "Info" -tenant $TenantFilter } } - Write-LogMessage -user $ExecutingUser -API $APIName -message "Created Webhook subscription for $($TenantFilter)" -Sev "Info" -tenant $TenantFilter return "Created Webhook subscription for $($TenantFilter)" } catch { Write-LogMessage -user $ExecutingUser -API $APIName -message "Failed to create Webhook Subscription: $($_.Exception.Message)" -Sev "Error" -tenant $TenantFilter diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 69f8bb36405b..f2d47f924c6a 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -1992,8 +1992,7 @@ function Invoke-NinjaOneTenantSync { ### CIPP Applied Standards Cards Write-Host "Applied Standards" - Set-Location (Get-Item $PSScriptRoot).Parent.Parent.FullName - Write-LogMessage -API 'NinjaOneSync' -user 'NinjaOneSync' -message "Script root debug: $((Get-Item $PSScriptRoot).Parent.Parent.FullName)" -Sev 'info' + Set-Location (Get-Item $PSScriptRoot).Parent.Parent.Parent.FullName $StandardsDefinitions = Get-Content 'config/standards.json' | ConvertFrom-Json -Depth 100 $Table = Get-CippTable -tablename 'standards' From e12f4da0bb88c50c1811e7b57841c28516369af9 Mon Sep 17 00:00:00 2001 
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:26:37 +0000 Subject: [PATCH 44/78] Force creation option for webhooks --- Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 | 2 +- Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 index 241a5e003192..e26271907be0 100644 --- a/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 +++ b/Modules/CIPPCore/Public/Invoke-CIPPGraphWebhookRenewal.ps1 @@ -29,7 +29,7 @@ function Invoke-CippGraphWebhookRenewal { $EventType = "$($UpdateSub.EventType)" Write-LogMessage -user 'CIPP' -API 'Renew_Graph_Subscriptions' -message "Recreating: $($UpdateSub.SubscriptionID) as renewal failed." -Sev "Info" -tenant $TenantFilter - $CreateResult = New-CIPPGraphSubscription -TenantFilter $TenantFilter -TypeofSubscription $TypeofSubscription -BaseURL $BaseURL -Resource $Resource -EventType $EventType -ExecutingUser 'GraphSubscriptionRenewal' + $CreateResult = New-CIPPGraphSubscription -TenantFilter $TenantFilter -TypeofSubscription $TypeofSubscription -BaseURL $BaseURL -Resource $Resource -EventType $EventType -ExecutingUser 'GraphSubscriptionRenewal' -Recreate if ($CreateResult -match 'Created Webhook subscription for') { Remove-AzDataTableEntity @WebhookTable -Entity $UpdateSub diff --git a/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 b/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 index 4c29898be0cf..649a50c452df 100644 --- a/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 +++ b/Modules/CIPPCore/Public/New-CIPPGraphSubscription.ps1 @@ -10,7 +10,8 @@ function New-CIPPGraphSubscription { $Resource, $EventType, $APIName = "Create Webhook", - $ExecutingUser + $ExecutingUser, + [Switch]$Recreate ) $CIPPID = (New-Guid).GUID $WebhookTable = Get-CIPPTable -TableName webhookTable 
@@ -43,7 +44,7 @@ function New-CIPPGraphSubscription { $WebhookFilter = "PartitionKey eq '$($TenantFilter)'" $ExistingWebhooks = Get-CIPPAzDataTableEntity @WebhookTable -Filter $WebhookFilter $MatchedWebhook = $ExistingWebhooks | Where-Object { $_.Resource -eq $Resource } - if (($MatchedWebhook | Measure-Object).count -eq 0) { + if (($MatchedWebhook | Measure-Object).count -eq 0 -or $Recreate) { $expiredate = (Get-Date).AddDays(1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") $params = @{ From de951436aa16cca63f5fe31086880dcc071fb332 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:48:47 +0000 Subject: [PATCH 45/78] Added support for forcing a single tenant sync --- .../CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 index d79b17ad7806..cb738d7c919c 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 @@ -41,6 +41,10 @@ Function Invoke-ExecExtensionSync { $Filter = "PartitionKey eq 'NinjaOrgsMapping'" $TenantsToProcess = Get-AzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' } + if ($Request.Query.TenantID){ + $TenantsToProcess = $TenantsToProcess | Where-Object {$_.RowKey -eq $Request.Query.TenantID} + } + $Results = [pscustomobject]@{'Results' = "NinjaOne Synchronization Queuing $(($TenantsToProcess | Measure-Object).count) Tenants" } Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ StatusCode = [HttpStatusCode]::OK From 661970469e5ce34e86383152e1145127ed8f7507 Mon Sep 17 00:00:00 2001 
From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Thu, 7 Dec 2023 12:25:46 +0000 Subject: [PATCH 46/78] Forced Sync Improvements --- ExecExtensionNinjaOneQueue/run.ps1 | 1 + .../Entrypoints/Invoke-ExecExtensionSync.ps1 | 38 +++++++----------- Modules/CippExtensions/CippExtensions.psd1 | Bin 11372 -> 11436 bytes .../NinjaOne/Invoke-NinjaOneOrgMapping.ps1 | 2 + .../NinjaOne/Invoke-NinjaOneSync.ps1 | 32 +++++++++++++++ 5 files changed, 49 insertions(+), 24 deletions(-) create mode 100644 Modules/CippExtensions/NinjaOne/Invoke-NinjaOneSync.ps1 diff --git a/ExecExtensionNinjaOneQueue/run.ps1 b/ExecExtensionNinjaOneQueue/run.ps1 index bcb1695ae15b..21720a79b6a5 100644 --- a/ExecExtensionNinjaOneQueue/run.ps1 +++ b/ExecExtensionNinjaOneQueue/run.ps1 @@ -9,4 +9,5 @@ Switch ($QueueItem.NinjaAction) { 'StartAutoMapping' { Invoke-NinjaOneOrgMapping } 'AutoMapTenant' { Invoke-NinjaOneOrgMappingTenant -QueueItem $QueueItem } 'SyncTenant' { Invoke-NinjaOneTenantSync -QueueItem $QueueItem } + 'SyncTenants' {Invoke-NinjaOneSync} } diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 index cb738d7c919c..fffb57377f59 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 
@@ -41,36 +41,26 @@ Function Invoke-ExecExtensionSync { $Filter = "PartitionKey eq 'NinjaOrgsMapping'" $TenantsToProcess = Get-AzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' } - if ($Request.Query.TenantID){ - $TenantsToProcess = $TenantsToProcess | Where-Object {$_.RowKey -eq $Request.Query.TenantID} - } - - $Results = [pscustomobject]@{'Results' = "NinjaOne Synchronization Queuing $(($TenantsToProcess | Measure-Object).count) Tenants" } - Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK - Body = $Results - }) -clobber - - foreach ($Tenant in $TenantsToProcess) { + if ($Request.Query.TenantID) { + foreach ($Tenant in $TenantsToProcess) { + Push-OutputBinding -Name NinjaProcess -Value @{ + 'NinjaAction' = 'SyncTenant' + 'MappedTenant' = $Tenant + } + $Results = [pscustomobject]@{'Results' = "NinjaOne Synchronization Queued for $($Tenant.NinjaOneName)" } + } + + } else { + Push-OutputBinding -Name NinjaProcess -Value @{ - 'NinjaAction' = 'SyncTenant' - 'MappedTenant' = $Tenant + 'NinjaAction' = 'SyncTenants' } - Start-Sleep -Seconds 1 - } + $Results = [pscustomobject]@{'Results' = "NinjaOne Synchronization Queuing $(($TenantsToProcess | Measure-Object).count) Tenants" } - $AddObject = @{ - PartitionKey = 'NinjaConfig' - RowKey = 'NinjaLastRunTime' - 'SettingValue' = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffK') } - Add-AzDataTableEntity @Table -Entity $AddObject -Force - - Write-LogMessage -API 'NinjaOneAutoMap_Queue' -user 'CIPP' -message "NinjaOne Synchronization Queued for $(($TenantsToProcess | Measure-Object).count) Tenants" -Sev 'Info' - - $Results = [pscustomobject]@{'Results' = "NinjaOne Synchronization Queued for $(($TenantsToProcess | Measure-Object).count) Tenants" } + } catch { $Results = [pscustomobject]@{'Results' = "Could not start NinjaOne Sync: $($_.Exception.Message)" } Write-LogMessage -API 'Scheduler_Billing' 
-tenant 'none' -message "Could not start NinjaOne Sync $($_.Exception.Message)" -sev Error diff --git a/Modules/CippExtensions/CippExtensions.psd1 b/Modules/CippExtensions/CippExtensions.psd1 index ae659f3753dd6e77c3fd91a055a4b286fe58bd60..437cc32f8661e599f3a75a3a0abb378391030900 100644 GIT binary patch delta 28 kcmaD8u_kiECF#k>BqSzVNyxDWGgLC Date: Thu, 7 Dec 2023 12:52:13 +0000 Subject: [PATCH 47/78] Fixed Force Sync, Improved Device Webhook Messaging --- .../Public/Entrypoints/Invoke-ExecExtensionSync.ps1 | 7 +++++-- .../NinjaOne/Invoke-NinjaOneDeviceWebhook.ps1 | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 index fffb57377f59..effb15af199d 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecExtensionSync.ps1 @@ -42,13 +42,16 @@ Function Invoke-ExecExtensionSync { $TenantsToProcess = Get-AzDataTableEntity @CIPPMapping -Filter $Filter | Where-Object { $Null -ne $_.NinjaOne -and $_.NinjaOne -ne '' } if ($Request.Query.TenantID) { - foreach ($Tenant in $TenantsToProcess) { + $Tenant = $TenantsToProcess | Where-Object {$_.RowKey -eq $Request.Query.TenantID} + if (($Tenant | Measure-Object).count -eq 1){ Push-OutputBinding -Name NinjaProcess -Value @{ 'NinjaAction' = 'SyncTenant' 'MappedTenant' = $Tenant } $Results = [pscustomobject]@{'Results' = "NinjaOne Synchronization Queued for $($Tenant.NinjaOneName)" } - } + } else { + $Results = [pscustomobject]@{'Results' = "Tenant was not found." } + } } else { diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneDeviceWebhook.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneDeviceWebhook.ps1 index 508f96eb75b8..903cee63234c 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneDeviceWebhook.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneDeviceWebhook.ps1 
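Review bot: The removed `Write-LogMessage -API 'NinjaOneAutoMap_Queue' ...` line was the only CIPP log entry for this HTTP-triggered queuing, and neither new branch writes one, so a forced sync started through the entrypoint leaves no trace in the logbook; if the all-tenants logging moved into the new Invoke-NinjaOneSync (its hunk is not in this chunk), the single-tenant branch is still silent, and the rewrite of that branch in the next commit (also ending at this line) adds none either. Put e.g. `Write-LogMessage -API 'NinjaOneAutoMap_Queue' -user 'CIPP' -message "NinjaOne Synchronization Queued for $($Tenant.NinjaOneName)" -Sev 'Info'` beside the `$Results` assignment in the TenantID branch. The `NinjaLastRunTime` write also disappears from this entrypoint, which is worth confirming was moved rather than dropped, since it was the entrypoint's only record of when a sync was last queued. Invoke-ExecExtensionSync starts outside the hunk.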
@@ -42,7 +42,7 @@ function Invoke-NinjaOneDeviceWebhook { } else { - Throw "Failed to process device." + Write-LogMessage -API 'NinjaOneSync' -user 'CIPP' -message "$($DeviceM365.displayName) ($($M365DeviceID)) was not matched in Ninja for $($tenantfilter)" -Sev 'Info' } } From f6efd01edd32c710dfa48721fb35821c649d4cde Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Thu, 7 Dec 2023 22:23:22 +0100 Subject: [PATCH 48/78] updates to use the settings param. --- .../Public/Entrypoints/Push-CIPPStandard.ps1 | 2 +- ...oke-EnableAppConsentRequests-Remediate.ps1 | 11 ++------- .../Invoke-ExcludedfileExt-Remediate.ps1 | 11 +++------ .../Invoke-MailContacts-Remediate.ps1 | 15 +++++------- .../Remediate/Invoke-NudgeMFA-Remediate.ps1 | 12 ++++------ .../Invoke-OauthConsent-Remediate.ps1 | 8 ++----- .../Invoke-OutBoundSpamAlert-Remediate.ps1 | 6 +---- ...e-PWcompanionAppAllowedState-Remediate.ps1 | 6 +---- ...nvoke-SendReceiveLimitTenant-Remediate.ps1 | 6 +---- .../Remediate/Invoke-SpoofWarn-Remediate.ps1 | 9 ++----- .../Remediate/Invoke-TAP-Remediate.ps1 | 6 +---- .../Invoke-UserSubmissions-Remediate.ps1 | 9 ++----- .../Remediate/Invoke-calDefault-Remediate.ps1 | 11 ++------- .../Invoke-fwdAdminAlerts-Remediate.ps1 | 24 +------------------ .../Invoke-intuneDeviceReg-Remediate.ps1 | 12 ++++------ ...e-intuneDeviceRetirementDays-Remediate.ps1 | 9 +------ .../Invoke-sharingCapability-Remediate.ps1 | 12 +++------- Scheduler_Standards/run.ps1 | 12 +++++++++- 18 files changed, 48 insertions(+), 133 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1 index fae28db5ebc2..a6284d1f7b52 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1 
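Review bot: Replacing `Throw "Failed to process device."` with an Info-level Write-LogMessage turns an unmatched device from a hard failure into a success as far as the queue host is concerned, so whatever retry or error reporting the caller applied to the exception no longer happens. If an unmatched device is an expected condition that is the right call, but the message should then say so and a severity above 'Info' would keep it visible when the log is filtered; if it is not expected, keep the log line and re-throw after it. The rest of Invoke-NinjaOneDeviceWebhook, including where `$DeviceM365` and `$M365DeviceID` come from, is outside the hunk.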
@@ -3,7 +3,7 @@ function Push-CIPPStandard { $QueueItem, $TriggerMetadata ) - Write-Host "Received queue item for $($QueueItem.Tenant) and standard $($QueueItem.Standard)" + Write-Host "Received queue item for $($QueueItem.Tenant) and standard $($QueueItem.Standard). We will be using this as the settings: $($QueueItem.Settings | ConvertTo-Json -Depth 10)" $Tenant = $QueueItem.Tenant $Standard = $QueueItem.Standard $Remediate = $QueueItem.Settings.remediate diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 index 919f8421e6c6..4231d5bb4c81 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 @@ -5,13 +5,6 @@ function Invoke-EnableAppConsentRequests-Remediate { #> param($Tenant, $Settings) try { - - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.EnableAppConsentRequests - if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.EnableAppConsentRequests - } - # Get current state $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant @@ -22,8 +15,8 @@ function Invoke-EnableAppConsentRequests-Remediate { $CurrentInfo.requestDurationInDays = 30 # Roles from standards table - $RolesToAdd = $Setting.ReviewerRoles.value - $RoleNames = $Setting.ReviewerRoles.label -join ', ' + $RolesToAdd = $Settings.ReviewerRoles.value + $RoleNames = $Settings.ReviewerRoles.label -join ', ' # Set default if no roles are selected if (!$RolesToAdd) { 
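Review bot: The new `Write-Host` serialises the entire `$QueueItem.Settings` object with `ConvertTo-Json -Depth 10` on every queue item, which writes full per-tenant standard configuration into the function log; the later hunks in this patch show those settings carry notification mailboxes and allowed application IDs, so this is tenant configuration data landing in host output rather than the structured logbook. For diagnostics the property names are usually enough: `Write-Host "Received queue item for $($QueueItem.Tenant) and standard $($QueueItem.Standard). Settings keys: $($QueueItem.Settings.psobject.properties.name -join ', ')"`. Push-CIPPStandard continues outside the hunk.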
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 index 19ffe76cc9b0..a8b1962d4473 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 @@ -4,18 +4,13 @@ function Invoke-ExcludedfileExt-Remediate { Internal #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExcludedfileExt - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ExcludedfileExt - } try { - $Exts = $Setting.ext -split ',' + $Exts = $Settings.ext -split ',' $body = ConvertTo-Json -InputObject @{ excludedFileExtensionsForSyncApp = @($Exts) } New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Added $($Setting.ext) to excluded synced files" -sev Info + Write-LogMessage -API 'Standards' -tenant $tenant -message "Added $($Settings.ext) to excluded synced files" -sev Info } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to add $($Setting.ext) to excluded synced files: $($_.exception.message)" -sev Error + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to add $($Settings.ext) to excluded synced files: $($_.exception.message)" -sev Error } } 
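Review bot: `$Exts = $Settings.ext -split ','` produces a one-element array containing an empty string when `$Settings.ext` is null or blank, and the PATCH then sends `excludedFileExtensionsForSyncApp = @('')`, overwriting whatever exclusion list the tenant had with a single empty entry. The previous table lookup had the same weakness, but now that the value comes straight from the queue item it is worth guarding: `if ([string]::IsNullOrWhiteSpace($Settings.ext)) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'No excluded file extensions configured; skipping' -sev Info; return }` before the `try`. Invoke-ExcludedfileExt-Remediate is shown in full in the hunk apart from its header.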
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 index 75e38daa198a..64cd38b9de2a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 
@@ -4,20 +4,17 @@ function Invoke-MailContacts-Remediate { Internal #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.MailContacts - if (!$Contacts) { - $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.MailContacts - } + + $contacts = $settings try { $TenantID = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/organization' -tenantid $tenant) $Body = [pscustomobject]@{} switch ($Contacts) { - { $Contacts.marketingcontact.mail } { $body | Add-Member -NotePropertyName marketingNotificationEmails -NotePropertyValue @($Contacts.marketingcontact.mail) } - { $Contacts.SecurityContact.Mail } { $body | Add-Member -NotePropertyName securityComplianceNotificationMails -NotePropertyValue @($Contacts.SecurityContact.Mail) } - { $Contacts.TechContact.Mail } { $body | Add-Member -NotePropertyName technicalNotificationMails -NotePropertyValue @($Contacts.TechContact.Mail) } - { $Contacts.GeneralContact.Mail } { $body | Add-Member -NotePropertyName privacyProfile -NotePropertyValue @{contactEmail = $Contacts.GeneralContact.Mail } } + { $Contacts.MarketingContact } { $body | Add-Member -NotePropertyName marketingNotificationEmails -NotePropertyValue @($Contacts.MarketingContact) } + { $Contacts.SecurityContact } { $body | Add-Member -NotePropertyName securityComplianceNotificationMails -NotePropertyValue @($Contacts.SecurityContact) } + { $Contacts.TechContact } { $body | Add-Member -NotePropertyName technicalNotificationMails -NotePropertyValue @($Contacts.TechContact) } + { $Contacts.GeneralContact } { $body | Add-Member -NotePropertyName privacyProfile -NotePropertyValue @{contactEmail = $Contacts.GeneralContact } } } Write-Host (ConvertTo-Json -InputObject $body) New-GraphPostRequest 
-tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -Type patch -Body (ConvertTo-Json -InputObject $body) -ContentType 'application/json' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 index 939eee60a120..2460299998f9 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 @@ -5,16 +5,12 @@ function Invoke-NudgeMFA-Remediate { #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.NudgeMFA - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.NudgeMFA - } - Write-Output $setting - $status = if ($Setting.enable -and $Setting.disable) { + Write-Output $Settings + + $status = if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Nudge MFA setting' -sev Error Exit - } elseif ($setting.enable) { 'enabled' } else { 'disabled' } + } elseif ($Settings.enable) { 'enabled' } else { 'disabled' } Write-Output $status try { $body = '{"registrationEnforcement":{"authenticationMethodsRegistrationCampaign":{"snoozeDurationInDays":0,"state":"' + $status + '","excludeTargets":[],"includeTargets":[{"id":"all_users","targetType":"group","targetedAuthenticationMethod":"microsoftAuthenticator","displayName":"All users"}]}}}' diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 index 8f00f81fd93f..423380bcf3e7 100644 
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 @@ -3,12 +3,8 @@ function Invoke-OauthConsent-Remediate { .FUNCTIONALITY Internal #> - param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $AllowedAppIdsForTenant = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).Standards.OauthConsent.AllowedApps -split ',' - if (!$AllowedAppIdsForTenant) { - $AllowedAppIdsForTenant = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).Standards.OauthConsent.AllowedApps -split ',' - } + param($tenant) + $AllowedAppIdsForTenant = $Settings.AllowedApps -split ',' try { $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('ManagePermissionGrantsForSelf.cipp-1sent-policy')) { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 index b8fdc0fef213..28f406389862 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 
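Review bot: The new `param($tenant)` drops the `$Settings` parameter that the very next line reads (`$AllowedAppIdsForTenant = $Settings.AllowedApps -split ','`), while every sibling remediation in this patch keeps `param($Tenant, $Settings)`. Invoked with `-Settings` as the other standards are, parameter binding fails outright; invoked without it, `$Settings` is resolved only by dynamic scoping from the caller, which is fragile and may be null, in which case `-split` yields an empty-string allowed list. Restore the signature: `param($Tenant, $Settings)`. Invoke-OauthConsent-Remediate continues outside the hunk.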
@@ -4,11 +4,7 @@ function Invoke-OutBoundSpamAlert-Remediate { Internal #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.OutBoundSpamAlert - if (!$Contacts) { - $Contacts = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.OutBoundSpamAlert - } + $Contacts = $settings.OutboundSpamContact try { New-ExoRequest -tenantid $tenant -cmdlet 'Set-HostedOutboundSpamFilterPolicy' -cmdparams @{ Identity = 'Default'; NotifyOutboundSpam = $true; NotifyOutboundSpamRecipients = $Contacts.OutboundSpamContact } -useSystemMailbox $true diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 index 9b874f846a95..e2fbd44ed708 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 @@ -5,11 +5,7 @@ function Invoke-PWcompanionAppAllowedState-Remediate { #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.PWcompanionAppAllowedState - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.PWcompanionAppAllowedState - } + $Setting = $Settings try { 
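Review bot: `$Contacts = $settings.OutboundSpamContact` already unwraps the contact value, but the unchanged context line below still passes `$Contacts.OutboundSpamContact`, so `NotifyOutboundSpamRecipients` is dereferenced twice and presumably ends up null while `NotifyOutboundSpam` is set to `$true`; the policy would be enabled with no recipient. Either keep the object (`$Contacts = $Settings`) so the existing `$Contacts.OutboundSpamContact` works, or change the cmdparams line to `NotifyOutboundSpamRecipients = $Contacts`. Invoke-OutBoundSpamAlert-Remediate continues outside the hunk.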
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 index 8e9aedac9eda..4ff7af209b4d 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 @@ -5,11 +5,7 @@ function Invoke-SendReceiveLimitTenant-Remediate { #> param($Tenant, $Settings) # Get the tenant standards settings - $ConfigTable = Get-CippTable -tablename 'standards' - $Limits = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.SendReceiveLimitTenant.SendReceiveLimit -split ',' - if (!$Limits) { - $Limits = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.SendReceiveLimitTenant.SendReceiveLimit -split ',' - } + $Limits = $Settings.SendReceiveLimit # Parse the send limits and convert to bytes if ($Limits[0] -like '*MB*') { diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 index b55c37008747..8f7b6c8497ee 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 
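Review bot: `$Limits = $Settings.SendReceiveLimit` drops the `-split ','` the removed lines had, yet the context line immediately after still indexes `$Limits[0]`; if the setting is still stored as a comma-separated string, `$Limits[0]` is now the first character rather than the send limit, and the `-like '*MB*'` branch never matches. Unless the v2 settings now store an array, keep the split: `$Limits = $Settings.SendReceiveLimit -split ','`. Invoke-SendReceiveLimitTenant-Remediate continues outside the hunk.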
@@ -5,15 +5,10 @@ function Invoke-SpoofWarn-Remediate { #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.spoofwarn - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.spoofwarn - } - $status = if ($Setting.enable -and $Setting.disable) { + $status = if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Spoof Warnings setting' -sev Error Exit - } elseif ($setting.enable) { $true } else { $false } + } elseif ($Settings.enable) { $true } else { $false } try { New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ExternalInOutlook' -cmdParams @{ Enabled = $status; } Write-LogMessage -API 'Standards' -tenant $tenant -message "Spoofing warnings set to $status." -sev Info diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 index 503f843c620b..96a7f881c2e3 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 
@@ -4,11 +4,7 @@ function Invoke-TAP-Remediate { Internal #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $TAPConfig = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).Standards.TAP.config - if (!$TAPConfig) { - $TAPConfig = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).Standards.TAP.config - } + $TAPConfig = $Settings.Config if (!$TAPConfig) { $TAPConfig = 'true' } try { $MinimumLifetime = '60' #Minutes diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 index 359cb578322f..edc815a05c6d 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 @@ -5,15 +5,10 @@ function Invoke-UserSubmissions-Remediate { #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.usersubmissions - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.usersubmissions - } - if ($Setting.enable -and $Setting.disable) { + if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the User Submission policy' -sev Error Exit - } elseif ($setting.enable) { + } elseif ($Settings.enable) { $status = $true try { $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy' 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 index 96c74fcf35fc..bca61580fd71 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 @@ -5,19 +5,12 @@ function Invoke-calDefault-Remediate { #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.caldefault - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.caldefault - } - - $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'get-mailbox' foreach ($Mailbox in $Mailboxes) { try { New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxFolderStatistics' -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | ForEach-Object { - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxFolderPermission' -cmdparams @{Identity = ($_.identity).replace('\', ':\'); User = 'Default'; AccessRights = $setting.permissionlevel } -Anchor $Mailbox.UserPrincipalName - Write-LogMessage -API 'Standards' -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName) to $($setting.permissionlevel)" -sev Error + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxFolderPermission' -cmdparams @{Identity = ($_.identity).replace('\', ':\'); User = 'Default'; AccessRights = $Settings.permissionlevel } -Anchor $Mailbox.UserPrincipalName + Write-LogMessage -API 'Standards' -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName) to $($Settings.permissionlevel)" -sev Error } } catch { 
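Review bot: The rewritten success message `"Set default folder permission for ... to $($Settings.permissionlevel)"` is still logged with `-sev Error`, so every successful mailbox in a tenant shows up as an error in the logbook and drowns out the genuine failure logged in the `catch`. Since the line is being touched anyway, change it to `-sev Info`. Invoke-calDefault-Remediate continues outside the hunk.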
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 index 532e4c753035..5642336fea0e 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 @@ -4,27 +4,5 @@ function Invoke-fwdAdminAlerts-Remediate { Internal #> param($Tenant, $Settings) - - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.caldefault - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.caldefault - } - - - $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'get-mailbox' - foreach ($Mailbox in $Mailboxes) { - try { - New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxFolderStatistics' -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | ForEach-Object { - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxFolderPermission' -cmdparams @{Identity = ($_.identity).replace('\', ':\'); User = 'Default'; AccessRights = $setting.permissionlevel } -Anchor $Mailbox.UserPrincipalName - Write-LogMessage -API 'Standards' -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName) to $($setting.permissionlevel)" -sev Error - - } - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set default calendar permissions. Error: $($_.exception.message)" -sev Error - } - - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Done setting default calendar permissions.' -sev Info - + #This isn't done yet. } 
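Review bot: With the body reduced to `#This isn't done yet.`, a tenant that has fwdAdminAlerts enabled gets a remediation that completes silently, so the logbook shows nothing and an operator has no way to tell that this standard is not actually applied. A single log line keeps that visible until the implementation lands: `Write-LogMessage -API 'Standards' -tenant $tenant -message 'fwdAdminAlerts remediation is not implemented yet; no changes were made.' -sev Info`. The removed body was also a copy of the calDefault remediation reading `.standards.caldefault`, so the deletion itself is correct.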
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 index 40ff19ef5e80..0cf5fc424e5f 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 @@ -5,17 +5,13 @@ function Invoke-intuneDeviceReg-Remediate { #> param($Tenant, $Settings) try { - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.intuneDeviceReg - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.intuneDeviceReg - } + $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant - $PreviousSetting.userDeviceQuota = $Setting.max + $PreviousSetting.userDeviceQuota = $Settings.max $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Set user device quota to $($setting.max)" -sev Info + Write-LogMessage -API 'Standards' -tenant $tenant -message "Set user device quota to $($Settings.max)" -sev Info } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set user device quota to $($setting.max) : $($_.exception.message)" -sev Error + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set user device quota to $($Settings.max) : $($_.exception.message)" -sev Error } } 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 index 1b2bc4cfd9e5..f8b4509a2c36 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 @@ -4,16 +4,9 @@ function Invoke-intuneDeviceRetirementDays-Remediate { Internal #> param($Tenant, $Settings) - - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.DeviceInactivityBeforeRetirementInDays - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.DeviceInactivityBeforeRetirementInDays - } - try { - $body = @{ DeviceInactivityBeforeRetirementInDays = $Setting.days } | ConvertTo-Json + $body = @{ DeviceInactivityBeforeRetirementInDays = $Settings.days } | ConvertTo-Json (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -Type PATCH -Body $body -ContentType 'application/json') diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 index a28bb246c9bf..98759816c914 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 
@@ -5,16 +5,10 @@ function Invoke-sharingCapability-Remediate { #> param($Tenant, $Settings) - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.sharingCapability - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.sharingCapability - } - try { - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Setting.Level)`"}" -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Set sharing level to $($Setting.level)" -sev Info + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Settings.Level)`"}" -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Set sharing level to $($Settings.level)" -sev Info } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set sharing level to $($Setting.level): $($_.exception.message)" -sev Error + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set sharing level to $($Settings.level): $($_.exception.message)" -sev Error } } diff --git a/Scheduler_Standards/run.ps1 b/Scheduler_Standards/run.ps1 index 42122f8f2007..507a2d5aefd8 100644 --- a/Scheduler_Standards/run.ps1 +++ b/Scheduler_Standards/run.ps1 
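Review bot: The rewritten POST line still builds the JSON body by string interpolation, `"{`"sharingCapability`":`"$($Settings.Level)`"}"`, so a `Level` value containing a quote or backslash yields a malformed body, and a null value sends an empty string. Every other remediation in this patch serialises with `ConvertTo-Json`; do the same here with `-Body (ConvertTo-Json -InputObject @{ sharingCapability = $Settings.Level })`. The hunk shows the whole function apart from its header.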
@@ -11,7 +11,17 @@ $Tenants = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom $Tenants | Where-Object -Property 'v2' -NE $true | ForEach-Object { $OldStd = $_ $OldStd.standards.psobject.properties.name | ForEach-Object { - $OldStd.Standards.$_ = [pscustomobject]@{ remediate = $true } + if ($_ -eq 'MailContacts') { + $OldStd.Standards.$_ = [pscustomobject]@{ + GeneralContact = $OldStd.Standards.MailContacts.GeneralContact.Mail + SecurityContact = $OldStd.Standards.MailContacts.SecurityContact.Mail + MarketingContact = $OldStd.Standards.MailContacts.MarketingContact.Mail + TechContact = $OldStd.Standards.MailContacts.TechContact.Mail + remediate = $true + } + } else { + $OldStd.Standards.$_ | Add-Member -NotePropertyName 'remediate' -NotePropertyValue $true + } } $OldStd | Add-Member -NotePropertyName 'v2' -NotePropertyValue $true -PassThru -Force $Entity = @{ From 16c15ee30894b3c9273d13f7bfd55d8db4521270 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Thu, 7 Dec 2023 22:34:02 +0100 Subject: [PATCH 49/78] allow old and new standard --- .../Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 index 8f7b6c8497ee..ef0cb1ad96e9 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 
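Review bot: The new `else` branch calls `Add-Member -NotePropertyName 'remediate'` on `$OldStd.Standards.$_` without `-Force`, so a standard that already carries a `remediate` property makes the migration throw part-way through a tenant, and the later `v2` marking may then be skipped or applied to a half-converted record. The removed line replaced every v1 value with a fresh object regardless of type, which suggests some v1 standards are stored as bare booleans; `Add-Member` on a value-type property that is not reassigned does not persist, so those standards would presumably lose the `remediate` flag entirely. Consider `if ($OldStd.Standards.$_ -is [pscustomobject]) { $OldStd.Standards.$_ | Add-Member -NotePropertyName 'remediate' -NotePropertyValue $true -Force } else { $OldStd.Standards.$_ = [pscustomobject]@{ remediate = $true } }`. The surrounding pipeline continues outside the hunk.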
@@ -8,7 +8,7 @@ function Invoke-SpoofWarn-Remediate { $status = if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Spoof Warnings setting' -sev Error Exit - } elseif ($Settings.enable) { $true } else { $false } + } elseif ($Settings.state -eq 'Enabled' -or $Settings.enable) { $true } else { $false } try { New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ExternalInOutlook' -cmdParams @{ Enabled = $status; } Write-LogMessage -API 'Standards' -tenant $tenant -message "Spoofing warnings set to $status." -sev Info From 834eb162d1253eaddbb031c2d7b51bbd7de16b74 Mon Sep 17 00:00:00 2001 
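Review bot: The new `elseif ($Settings.state -eq 'Enabled' -or $Settings.enable)` accepts the v2 `state` field, but the conflict guard on the line above still inspects only `enable` and `disable`, so a settings object carrying `state = 'Disabled'` together with `enable = $true` passes the guard and enables the warning. If both representations are meant to coexist, extend the guard to cover `state` as well, or document on the `$status` line which field takes precedence, e.g. `# v2 settings use 'state'; legacy 'enable'/'disable' flags are still honoured`. Invoke-SpoofWarn-Remediate continues outside the hunk.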
From: KelvinTegelaar Date: Thu, 7 Dec 2023 22:55:29 +0100 Subject: [PATCH 50/78] move standards over --- .../Public/Invoke-CIPPStandardsRun.ps1 | 75 ++++++++++++++++ Scheduler_Standards/function.json | 2 +- Scheduler_Standards/run.ps1 | 73 +-------------- Standards_ActivityBasedTimeout/function.json | 9 -- Standards_ActivityBasedTimeout/run.ps1 | 18 ---- Standards_AddDKIM/function.json | 9 -- Standards_AddDKIM/run.ps1 | 12 --- Standards_AnonReportDisable/function.json | 9 -- Standards_AnonReportDisable/run.ps1 | 9 -- Standards_AuditLog/function.json | 9 -- Standards_AuditLog/run.ps1 | 27 ------ Standards_AutoExpandArchive/function.json | 9 -- Standards_AutoExpandArchive/run.ps1 | 14 --- Standards_AzurePortal/function.json | 9 -- Standards_AzurePortal/run.ps1 | 3 - Standards_ConditionalAccess/function.json | 9 -- Standards_ConditionalAccess/run.ps1 | 23 ----- Standards_DelegateSentItems/function.json | 9 -- Standards_DelegateSentItems/run.ps1 | 17 ---- Standards_DeletedUserRentention/function.json | 9 -- Standards_DeletedUserRentention/run.ps1 | 11 --- .../function.json | 9 -- .../run.ps1 | 89 ------------------- Standards_DisableBasicAuth/function.json | 9 -- Standards_DisableBasicAuth/run.ps1 | 2 - Standards_DisableBasicAuthSMTP/function.json | 9 -- Standards_DisableBasicAuthSMTP/run.ps1 | 9 -- Standards_DisableGuestDirectory/function.json | 9 -- Standards_DisableGuestDirectory/run.ps1 | 11 --- Standards_DisableGuests/function.json | 9 -- Standards_DisableGuests/run.ps1 | 14 --- Standards_DisableM365GroupUsers/function.json | 9 -- Standards_DisableM365GroupUsers/run.ps1 | 18 ---- Standards_DisableReshare/function.json | 9 -- Standards_DisableReshare/run.ps1 | 11 --- .../function.json | 9 -- Standards_DisableSecurityGroupUsers/run.ps1 | 11 --- .../function.json | 9 -- Standards_DisableSelfServiceLicenses/run.ps1 | 9 -- Standards_DisableSharedMailbox/function.json | 9 -- Standards_DisableSharedMailbox/run.ps1 | 12 --- Standards_DisableTenantCreation/function.json | 
9 -- Standards_DisableTenantCreation/run.ps1 | 10 --- Standards_DisableUserSiteCreate/function.json | 9 -- Standards_DisableUserSiteCreate/run.ps1 | 10 --- Standards_DisableViva/function.json | 9 -- Standards_DisableViva/run.ps1 | 12 --- .../function.json | 9 -- Standards_EnableAppConsentRequests/run.ps1 | 66 -------------- Standards_EnableFIDO2/function.json | 9 -- Standards_EnableFIDO2/run.ps1 | 10 --- Standards_EnableOnlineArchiving/function.json | 9 -- Standards_EnableOnlineArchiving/run.ps1 | 12 --- Standards_ExConnector/function.json | 9 -- Standards_ExConnector/run.ps1 | 31 ------- Standards_ExcludedfileExt/function.json | 9 -- Standards_ExcludedfileExt/run.ps1 | 16 ---- Standards_GetQueue/function.json | 9 -- Standards_GetQueue/run.ps1 | 37 -------- Standards_GroupTemplate/function.json | 9 -- Standards_GroupTemplate/run.ps1 | 61 ------------- Standards_IntuneTemplate/function.json | 9 -- Standards_IntuneTemplate/run.ps1 | 88 ------------------ Standards_LegacyMFA/function.json | 9 -- Standards_LegacyMFA/run.ps1 | 24 ----- Standards_LegacyMFACleanup/function.json | 9 -- Standards_LegacyMFACleanup/run.ps1 | 63 ------------- Standards_MailContacts/function.json | 9 -- Standards_MailContacts/run.ps1 | 23 ----- Standards_ModernAuth/function.json | 9 -- Standards_ModernAuth/run.ps1 | 3 - Standards_NudgeMFA/function.json | 9 -- Standards_NudgeMFA/run.ps1 | 24 ----- Standards_OauthConsent/function.json | 9 -- Standards_OauthConsent/run.ps1 | 36 -------- Standards_OauthConsentLowSec/function.json | 9 -- Standards_OauthConsentLowSec/run.ps1 | 13 --- Standards_Orchestration/function.json | 9 -- Standards_Orchestration/run.ps1 | 32 ------- Standards_OrchestrationStarter/function.json | 24 ----- Standards_OrchestrationStarter/run.ps1 | 22 ----- .../function.json | 15 ---- Standards_OrchestrationStarterTimer/run.ps1 | 10 --- Standards_OutBoundSpamAlert/function.json | 9 -- Standards_OutBoundSpamAlert/run.ps1 | 14 --- .../function.json | 9 -- 
Standards_PWcompanionAppAllowedState/run.ps1 | 41 --------- .../function.json | 9 -- .../run.ps1 | 16 ---- .../function.json | 9 -- .../run.ps1 | 8 -- .../function.json | 9 -- Standards_PasswordExpireDisabled/run.ps1 | 10 --- Standards_RotateDKIM/function.json | 9 -- Standards_RotateDKIM/run.ps1 | 12 --- Standards_SSPR/function.json | 9 -- Standards_SSPR/run.ps1 | 7 -- Standards_SafeSendersDisable/function.json | 9 -- Standards_SafeSendersDisable/run.ps1 | 17 ---- Standards_SecurityDefaults/function.json | 9 -- Standards_SecurityDefaults/run.ps1 | 15 ---- Standards_SendFromAlias/function.json | 9 -- Standards_SendFromAlias/run.ps1 | 13 --- .../function.json | 9 -- Standards_SendReceiveLimitTenant/run.ps1 | 54 ----------- Standards_SpoofWarn/function.json | 9 -- Standards_SpoofWarn/run.ps1 | 20 ----- Standards_TAP/function.json | 9 -- Standards_TAP/run.ps1 | 31 ------- Standards_TransportRuleTemplate/function.json | 9 -- Standards_TransportRuleTemplate/run.ps1 | 35 -------- Standards_UndoOauth/function.json | 9 -- Standards_UndoOauth/run.ps1 | 8 -- Standards_UndoSSPR/function.json | 9 -- Standards_UndoSSPR/run.ps1 | 2 - Standards_UserSubmissions/function.json | 9 -- Standards_UserSubmissions/run.ps1 | 44 --------- Standards_allowOAuthTokens/function.json | 9 -- Standards_allowOAuthTokens/run.ps1 | 14 --- Standards_allowOTPTokens/function.json | 9 -- Standards_allowOTPTokens/run.ps1 | 15 ---- Standards_calDefault/function.json | 9 -- Standards_calDefault/run.ps1 | 23 ----- Standards_disableMacSync/function.json | 9 -- Standards_disableMacSync/run.ps1 | 10 --- Standards_fwdAdminAlerts/function.json | 9 -- Standards_fwdAdminAlerts/run.ps1 | 23 ----- Standards_intuneDeviceReg/function.json | 9 -- Standards_intuneDeviceReg/run.ps1 | 16 ---- .../function.json | 9 -- Standards_intuneDeviceRetirementDays/run.ps1 | 19 ---- Standards_intuneRequireMFA/function.json | 9 -- Standards_intuneRequireMFA/run.ps1 | 11 --- Standards_laps/function.json | 9 -- Standards_laps/run.ps1 | 
11 --- Standards_sharingCapability/function.json | 9 -- Standards_sharingCapability/run.ps1 | 15 ---- Standards_unmanagedSync/function.json | 9 -- Standards_unmanagedSync/run.ps1 | 10 --- 139 files changed, 77 insertions(+), 2143 deletions(-) create mode 100644 Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1 delete mode 100644 Standards_ActivityBasedTimeout/function.json delete mode 100644 Standards_ActivityBasedTimeout/run.ps1 delete mode 100644 Standards_AddDKIM/function.json delete mode 100644 Standards_AddDKIM/run.ps1 delete mode 100644 Standards_AnonReportDisable/function.json delete mode 100644 Standards_AnonReportDisable/run.ps1 delete mode 100644 Standards_AuditLog/function.json delete mode 100644 Standards_AuditLog/run.ps1 delete mode 100644 Standards_AutoExpandArchive/function.json delete mode 100644 Standards_AutoExpandArchive/run.ps1 delete mode 100644 Standards_AzurePortal/function.json delete mode 100644 Standards_AzurePortal/run.ps1 delete mode 100644 Standards_ConditionalAccess/function.json delete mode 100644 Standards_ConditionalAccess/run.ps1 delete mode 100644 Standards_DelegateSentItems/function.json delete mode 100644 Standards_DelegateSentItems/run.ps1 delete mode 100644 Standards_DeletedUserRentention/function.json delete mode 100644 Standards_DeletedUserRentention/run.ps1 delete mode 100644 Standards_DisableAddShortcutsToOneDrive/function.json delete mode 100644 Standards_DisableAddShortcutsToOneDrive/run.ps1 delete mode 100644 Standards_DisableBasicAuth/function.json delete mode 100644 Standards_DisableBasicAuth/run.ps1 delete mode 100644 Standards_DisableBasicAuthSMTP/function.json delete mode 100644 Standards_DisableBasicAuthSMTP/run.ps1 delete mode 100644 Standards_DisableGuestDirectory/function.json delete mode 100644 Standards_DisableGuestDirectory/run.ps1 delete mode 100644 Standards_DisableGuests/function.json delete mode 100644 Standards_DisableGuests/run.ps1 delete mode 100644 Standards_DisableM365GroupUsers/function.json 
delete mode 100644 Standards_DisableM365GroupUsers/run.ps1 delete mode 100644 Standards_DisableReshare/function.json delete mode 100644 Standards_DisableReshare/run.ps1 delete mode 100644 Standards_DisableSecurityGroupUsers/function.json delete mode 100644 Standards_DisableSecurityGroupUsers/run.ps1 delete mode 100644 Standards_DisableSelfServiceLicenses/function.json delete mode 100644 Standards_DisableSelfServiceLicenses/run.ps1 delete mode 100644 Standards_DisableSharedMailbox/function.json delete mode 100644 Standards_DisableSharedMailbox/run.ps1 delete mode 100644 Standards_DisableTenantCreation/function.json delete mode 100644 Standards_DisableTenantCreation/run.ps1 delete mode 100644 Standards_DisableUserSiteCreate/function.json delete mode 100644 Standards_DisableUserSiteCreate/run.ps1 delete mode 100644 Standards_DisableViva/function.json delete mode 100644 Standards_DisableViva/run.ps1 delete mode 100644 Standards_EnableAppConsentRequests/function.json delete mode 100644 Standards_EnableAppConsentRequests/run.ps1 delete mode 100644 Standards_EnableFIDO2/function.json delete mode 100644 Standards_EnableFIDO2/run.ps1 delete mode 100644 Standards_EnableOnlineArchiving/function.json delete mode 100644 Standards_EnableOnlineArchiving/run.ps1 delete mode 100644 Standards_ExConnector/function.json delete mode 100644 Standards_ExConnector/run.ps1 delete mode 100644 Standards_ExcludedfileExt/function.json delete mode 100644 Standards_ExcludedfileExt/run.ps1 delete mode 100644 Standards_GetQueue/function.json delete mode 100644 Standards_GetQueue/run.ps1 delete mode 100644 Standards_GroupTemplate/function.json delete mode 100644 Standards_GroupTemplate/run.ps1 delete mode 100644 Standards_IntuneTemplate/function.json delete mode 100644 Standards_IntuneTemplate/run.ps1 delete mode 100644 Standards_LegacyMFA/function.json delete mode 100644 Standards_LegacyMFA/run.ps1 delete mode 100644 Standards_LegacyMFACleanup/function.json delete mode 100644 
Standards_LegacyMFACleanup/run.ps1 delete mode 100644 Standards_MailContacts/function.json delete mode 100644 Standards_MailContacts/run.ps1 delete mode 100644 Standards_ModernAuth/function.json delete mode 100644 Standards_ModernAuth/run.ps1 delete mode 100644 Standards_NudgeMFA/function.json delete mode 100644 Standards_NudgeMFA/run.ps1 delete mode 100644 Standards_OauthConsent/function.json delete mode 100644 Standards_OauthConsent/run.ps1 delete mode 100644 Standards_OauthConsentLowSec/function.json delete mode 100644 Standards_OauthConsentLowSec/run.ps1 delete mode 100644 Standards_Orchestration/function.json delete mode 100644 Standards_Orchestration/run.ps1 delete mode 100644 Standards_OrchestrationStarter/function.json delete mode 100644 Standards_OrchestrationStarter/run.ps1 delete mode 100644 Standards_OrchestrationStarterTimer/function.json delete mode 100644 Standards_OrchestrationStarterTimer/run.ps1 delete mode 100644 Standards_OutBoundSpamAlert/function.json delete mode 100644 Standards_OutBoundSpamAlert/run.ps1 delete mode 100644 Standards_PWcompanionAppAllowedState/function.json delete mode 100644 Standards_PWcompanionAppAllowedState/run.ps1 delete mode 100644 Standards_PWdisplayAppInformationRequiredState/function.json delete mode 100644 Standards_PWdisplayAppInformationRequiredState/run.ps1 delete mode 100644 Standards_PWnumberMatchingRequiredState/function.json delete mode 100644 Standards_PWnumberMatchingRequiredState/run.ps1 delete mode 100644 Standards_PasswordExpireDisabled/function.json delete mode 100644 Standards_PasswordExpireDisabled/run.ps1 delete mode 100644 Standards_RotateDKIM/function.json delete mode 100644 Standards_RotateDKIM/run.ps1 delete mode 100644 Standards_SSPR/function.json delete mode 100644 Standards_SSPR/run.ps1 delete mode 100644 Standards_SafeSendersDisable/function.json delete mode 100644 Standards_SafeSendersDisable/run.ps1 delete mode 100644 Standards_SecurityDefaults/function.json delete mode 100644 
Standards_SecurityDefaults/run.ps1 delete mode 100644 Standards_SendFromAlias/function.json delete mode 100644 Standards_SendFromAlias/run.ps1 delete mode 100644 Standards_SendReceiveLimitTenant/function.json delete mode 100644 Standards_SendReceiveLimitTenant/run.ps1 delete mode 100644 Standards_SpoofWarn/function.json delete mode 100644 Standards_SpoofWarn/run.ps1 delete mode 100644 Standards_TAP/function.json delete mode 100644 Standards_TAP/run.ps1 delete mode 100644 Standards_TransportRuleTemplate/function.json delete mode 100644 Standards_TransportRuleTemplate/run.ps1 delete mode 100644 Standards_UndoOauth/function.json delete mode 100644 Standards_UndoOauth/run.ps1 delete mode 100644 Standards_UndoSSPR/function.json delete mode 100644 Standards_UndoSSPR/run.ps1 delete mode 100644 Standards_UserSubmissions/function.json delete mode 100644 Standards_UserSubmissions/run.ps1 delete mode 100644 Standards_allowOAuthTokens/function.json delete mode 100644 Standards_allowOAuthTokens/run.ps1 delete mode 100644 Standards_allowOTPTokens/function.json delete mode 100644 Standards_allowOTPTokens/run.ps1 delete mode 100644 Standards_calDefault/function.json delete mode 100644 Standards_calDefault/run.ps1 delete mode 100644 Standards_disableMacSync/function.json delete mode 100644 Standards_disableMacSync/run.ps1 delete mode 100644 Standards_fwdAdminAlerts/function.json delete mode 100644 Standards_fwdAdminAlerts/run.ps1 delete mode 100644 Standards_intuneDeviceReg/function.json delete mode 100644 Standards_intuneDeviceReg/run.ps1 delete mode 100644 Standards_intuneDeviceRetirementDays/function.json delete mode 100644 Standards_intuneDeviceRetirementDays/run.ps1 delete mode 100644 Standards_intuneRequireMFA/function.json delete mode 100644 Standards_intuneRequireMFA/run.ps1 delete mode 100644 Standards_laps/function.json delete mode 100644 Standards_laps/run.ps1 delete mode 100644 Standards_sharingCapability/function.json delete mode 100644 
Standards_sharingCapability/run.ps1 delete mode 100644 Standards_unmanagedSync/function.json delete mode 100644 Standards_unmanagedSync/run.ps1
diff --git a/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1
new file mode 100644
index 000000000000..d08484abf793
--- /dev/null
+++ b/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1
@@ -0,0 +1,75 @@
+
+function Invoke-CIPPStandardsRun {
+ Write-Host 'Starting process for standards.'
+ $Table = Get-CippTable -tablename 'standards'
+ $SkipList = Get-Tenants -SkipList
+ $Tenants = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json
+
+ #Migrate from old standards to new standards.
+ $Tenants | Where-Object -Property 'v2' -NE $true | ForEach-Object {
+ $OldStd = $_
+ $OldStd.standards.psobject.properties.name | ForEach-Object {
+ if ($_ -eq 'MailContacts') {
+ $OldStd.Standards.$_ = [pscustomobject]@{
+ GeneralContact = $OldStd.Standards.MailContacts.GeneralContact.Mail
+ SecurityContact = $OldStd.Standards.MailContacts.SecurityContact.Mail
+ MarketingContact = $OldStd.Standards.MailContacts.MarketingContact.Mail
+ TechContact = $OldStd.Standards.MailContacts.TechContact.Mail
+ remediate = $true
+ }
+ } else {
+ $OldStd.Standards.$_ | Add-Member -NotePropertyName 'remediate' -NotePropertyValue $true
+ }
+ }
+ $OldStd | Add-Member -NotePropertyName 'v2' -NotePropertyValue $true -PassThru -Force
+ $Entity = @{
+ PartitionKey = 'standards'
+ RowKey = "$($OldStd.Tenant)"
+ JSON = "$($OldStd | ConvertTo-Json -Depth 10)"
+ }
+ Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force
+ }
+
+ #Execute standards
+
+ $object = foreach ($Tenant in $Tenants) {
+ $Tenant.standards.psobject.properties.name | ForEach-Object {
+ $Standard = $_
+ if ($Tenant.Tenant -ne 'AllTenants' -and $SkipList.defaultDomainName -notcontains $Tenant.Tenant) {
+ if ($Standard -ne 'OverrideAllTenants') {
+ [pscustomobject]@{
+ Tenant = $tenant.Tenant
+ Standard = $Standard
+ Settings = $Tenant.standards.$Standard
+ }
+ }
+ } elseif ($Tenant.Tenant -eq 'AllTenants') {
+ Write-Host "Working on all Tenants Standard. Showing which tasks we'll run below this."
+ Get-Tenants | ForEach-Object {
+ $TenantForStandard = $_
+ $TenantStandard = $Tenants | Where-Object { $_.Tenant -eq $TenantForStandard.defaultDomainName }
+ if ($TenantStandard.standards.OverrideAllTenants.remediate -ne $true) {
+ Write-Host "$($TenantForStandard.defaultDomainName) - $Standard"
+ [pscustomobject]@{
+ Tenant = $_.defaultDomainName
+ Standard = $Standard
+ Settings = $Tenant.standards.$Standard
+ }
+ }
+ }
+ }
+ }
+ }
+
+ #For each item in our object, run the queue.
+
+ foreach ($task in $object | Where-Object -Property Standard -NE 'v2') {
+ $QueueItem = [pscustomobject]@{
+ Tenant = $task.Tenant
+ Standard = $task.Standard
+ Settings = $task.Settings
+ FunctionName = 'CIPPStandard'
+ }
+ Push-OutputBinding -Name QueueItem -Value $QueueItem
+ }
+}
\ No newline at end of file
diff --git a/Scheduler_Standards/function.json b/Scheduler_Standards/function.json
index f9f3ccb2d877..88d7d049eb48 100644
--- a/Scheduler_Standards/function.json
+++ b/Scheduler_Standards/function.json
@@ -2,7 +2,7 @@
 "bindings": [
 {
 "name": "Timer",
- "schedule": "0 */1 * * * *",
+ "schedule": "0 0 */3 * * *",
 "direction": "in",
 "type": "timerTrigger"
 },
diff --git a/Scheduler_Standards/run.ps1 b/Scheduler_Standards/run.ps1
index 507a2d5aefd8..a99641cf210b 100644
--- a/Scheduler_Standards/run.ps1
+++ b/Scheduler_Standards/run.ps1
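Review bot: `$Filter` is read on the `Get-CIPPAzDataTableEntity @Table -Filter $Filter` line but is never assigned anywhere in Invoke-CIPPStandardsRun, which takes no parameters, so the table query runs with whatever the caller's scope happens to hold (normally `$null`); the old Scheduler_Standards/run.ps1 had the same dangling reference, but inside a reusable module function it should be explicit, e.g. `$Filter = "PartitionKey eq 'standards'"` before the call, matching the partition the migration block writes. The migration also leaves `-PassThru` on the `Add-Member -NotePropertyName 'v2'` call and does not suppress the output of `Add-CIPPAzDataTableEntity`, so every migrated tenant object and table response leaks into the function's output stream; drop `-PassThru` and pipe the table write to `Out-Null`. Because the migration rewrites rows with `-Force` and sets `remediate = $true` on every legacy standard with no try/catch around the ForEach-Object, one malformed legacy row would presumably abort the whole run before any queue item is pushed; a per-tenant try/catch that logs through Write-LogMessage and continues would keep one bad tenant from blocking enforcement for the rest. The SkipList is only consulted in the per-tenant branch; whether `Get-Tenants` without `-SkipList` already excludes skipped tenants in the AllTenants branch is not visible here and is worth confirming.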
@@ -2,75 +2,4 @@ using namespace System.Net
 param($Timer)
-Write-Host 'Starting process for standards.'
-$Table = Get-CippTable -tablename 'standards'
-$SkipList = Get-Tenants -SkipList
-$Tenants = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json
-
-#Migrate from old standards to new standards.
-$Tenants | Where-Object -Property 'v2' -NE $true | ForEach-Object {
- $OldStd = $_
- $OldStd.standards.psobject.properties.name | ForEach-Object {
- if ($_ -eq 'MailContacts') {
- $OldStd.Standards.$_ = [pscustomobject]@{
- GeneralContact = $OldStd.Standards.MailContacts.GeneralContact.Mail
- SecurityContact = $OldStd.Standards.MailContacts.SecurityContact.Mail
- MarketingContact = $OldStd.Standards.MailContacts.MarketingContact.Mail
- TechContact = $OldStd.Standards.MailContacts.TechContact.Mail
- remediate = $true
- }
- } else {
- $OldStd.Standards.$_ | Add-Member -NotePropertyName 'remediate' -NotePropertyValue $true
- }
- }
- $OldStd | Add-Member -NotePropertyName 'v2' -NotePropertyValue $true -PassThru -Force
- $Entity = @{
- PartitionKey = 'standards'
- RowKey = "$($OldStd.Tenant)"
- JSON = "$($OldStd | ConvertTo-Json -Depth 10)"
- }
- Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force
-}
-
-#Execute standards
-
-$object = foreach ($Tenant in $Tenants) {
- $Tenant.standards.psobject.properties.name | ForEach-Object {
- $Standard = $_
- if ($Tenant.Tenant -ne 'AllTenants' -and $SkipList.defaultDomainName -notcontains $Tenant.Tenant) {
- if ($Standard -ne 'OverrideAllTenants') {
- [pscustomobject]@{
- Tenant = $tenant.Tenant
- Standard = $Standard
- Settings = $Tenant.standards.$Standard
- }
- }
- } elseif ($Tenant.Tenant -eq 'AllTenants') {
- Write-Host "Working on all Tenants Standard. Showing which tasks we'll run below this."
- Get-Tenants | ForEach-Object {
- $TenantForStandard = $_
- $TenantStandard = $Tenants | Where-Object { $_.Tenant -eq $TenantForStandard.defaultDomainName }
- if ($TenantStandard.standards.OverrideAllTenants.remediate -ne $true) {
- Write-Host "$($TenantForStandard.defaultDomainName) - $Standard"
- [pscustomobject]@{
- Tenant = $_.defaultDomainName
- Standard = $Standard
- Settings = $Tenant.standards.$Standard
- }
- }
- }
- }
- }
-}
-
-#For each item in our object, run the queue.
-
-foreach ($task in $object | Where-Object -Property Standard -NE 'v2') {
- $QueueItem = [pscustomobject]@{
- Tenant = $task.Tenant
- Standard = $task.Standard
- Settings = $task.Settings
- FunctionName = 'CIPPStandard'
- }
- Push-OutputBinding -Name QueueItem -Value $QueueItem
-}
\ No newline at end of file
+Invoke-CIPPStandardsRun
\ No newline at end of file
diff --git a/Standards_ActivityBasedTimeout/function.json b/Standards_ActivityBasedTimeout/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_ActivityBasedTimeout/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_ActivityBasedTimeout/run.ps1 b/Standards_ActivityBasedTimeout/run.ps1
deleted file mode 100644
index 158fa444936d..000000000000
--- a/Standards_ActivityBasedTimeout/run.ps1
+++ /dev/null
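Review bot: The new body calls `Invoke-CIPPStandardsRun` bare, so any exception from the table read or the legacy-row migration inside it surfaces only as a failed timer invocation, with nothing written through Write-LogMessage the way the deleted per-standard scripts reported their failures. Wrapping it as `try { Invoke-CIPPStandardsRun } catch { Write-LogMessage -API "Standards" -tenant 'AllTenants' -message "Standards run failed: $($_.exception.message)" -sev Error }` keeps a failed scheduled run visible next to the standards it is supposed to trigger. The `param($Timer)` context line is required by the timer binding and should stay even though the body no longer reads it.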
@@ -1,18 +0,0 @@
-param($tenant)
-try {
- $State = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies" -tenantid $tenant).id
- if (!$State) {
- $body = @"
-{
- "displayName": "DefaultTimeoutPolicy",
- "isOrganizationDefault": true,
- "definition":["{\"ActivityBasedTimeoutPolicy\":{\"Version\":1,\"ApplicationPolicies\":[{\"ApplicationId\":\"default\",\"WebSessionIdleTimeout\":\"01:00:00\"}]}}"]
-}
-"@
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies" -Type POST -Body $body -ContentType "application/json")
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled Activity Based Timeout of one hour" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable Activity Based Timeout $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_AddDKIM/function.json b/Standards_AddDKIM/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_AddDKIM/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_AddDKIM/run.ps1 b/Standards_AddDKIM/run.ps1
deleted file mode 100644
index ec4ec1a841de..000000000000
--- a/Standards_AddDKIM/run.ps1
+++ /dev/null
@@ -1,12 +0,0 @@
-param($tenant)
-
-try {
- $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet "Get-DkimSigningConfig") | Where-Object -Property Enabled -EQ $false | ForEach-Object {
- (New-ExoRequest -tenantid $tenant -cmdlet "New-DkimSigningConfig" -cmdparams @{ KeySize = 2048; DomainName = $_.Identity; Enabled = $true } -useSystemMailbox $true)
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled DKIM Setup" -sev Info
-
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable DKIM. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_AnonReportDisable/function.json b/Standards_AnonReportDisable/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_AnonReportDisable/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_AnonReportDisable/run.ps1 b/Standards_AnonReportDisable/run.ps1
deleted file mode 100644
index c04f87b957d3..000000000000
--- a/Standards_AnonReportDisable/run.ps1
+++ /dev/null
@@ -1,9 +0,0 @@
-param($tenant)
-
-try {
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/admin/reportSettings" -Type patch -Body '{"displayConcealedNames": false}' -ContentType "application/json" -AsApp $true
- Write-LogMessage -API "Standards" -tenant $tenant -message "Anonymous Reports Disabled." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable anonymous reports. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_AuditLog/function.json b/Standards_AuditLog/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_AuditLog/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_AuditLog/run.ps1 b/Standards_AuditLog/run.ps1
deleted file mode 100644
index b4f77d268247..000000000000
--- a/Standards_AuditLog/run.ps1
+++ /dev/null
@@ -1,27 +0,0 @@
-param($tenant)
-
-$DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet "Get-OrganizationConfig").IsDehydrated
-if ($DehydratedTenant) {
- New-ExoRequest -tenantid $Tenant -cmdlet "Enable-OrganizationCustomization"
-}
-
-try {
-
- $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet "Get-AdminAuditLogConfig").UnifiedAuditLogIngestionEnabled
- if ($AuditLogEnabled) {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Unified Audit Log already enabled." -sev Info
- }
- else {
- $AdminAuditLogParams = @{
- UnifiedAuditLogIngestionEnabled = $true
- }
- New-ExoRequest -tenantid $Tenant -cmdlet "Set-AdminAuditLogConfig" -cmdParams $AdminAuditLogParams
- Write-LogMessage -API "Standards" -tenant $tenant -message "Unified Audit Log Enabled." -sev Info
- }
-
-}
-catch {
-
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to apply Unified Audit Log. Error: $ErrorMessage" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_AutoExpandArchive/function.json b/Standards_AutoExpandArchive/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_AutoExpandArchive/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_AutoExpandArchive/run.ps1 b/Standards_AutoExpandArchive/run.ps1
deleted file mode 100644
index 2f7232f981d7..000000000000
--- a/Standards_AutoExpandArchive/run.ps1
+++ /dev/null
@@ -1,14 +0,0 @@
-param($tenant)
-
-try {
-
- $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet "Get-OrganizationConfig").AutoExpandingArchiveEnabled
- if (!$currentstate) {
- New-ExoRequest -tenantid $Tenant -cmdlet "Set-OrganizationConfig" -cmdParams @{AutoExpandingArchive = $true }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Added Auto Expanding Archive." -sev Info
- }
-
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to apply Auto Expanding Archives Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_AzurePortal/function.json b/Standards_AzurePortal/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_AzurePortal/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_AzurePortal/run.ps1 b/Standards_AzurePortal/run.ps1
deleted file mode 100644
index d047e8c27ae1..000000000000
--- a/Standards_AzurePortal/run.ps1
+++ /dev/null
@@ -1,3 +0,0 @@
-param($tenant)
-
-Write-LogMessage -API "Standards" -tenant $tenant -message "Azure Portal disablement is no longer functional. Please remove this standard." -sev Error
diff --git a/Standards_ConditionalAccess/function.json b/Standards_ConditionalAccess/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_ConditionalAccess/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_ConditionalAccess/run.ps1 b/Standards_ConditionalAccess/run.ps1
deleted file mode 100644
index 0730b41371da..000000000000
--- a/Standards_ConditionalAccess/run.ps1
+++ /dev/null
@@ -1,23 +0,0 @@
-param($tenant)
-
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ConditionalAccess
-if (!$Setting) {
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ConditionalAccess
-}
-
-$APINAME = "Standards"
-
-foreach ($Template in $Setting.TemplateList) {
- try {
- $Table = Get-CippTable -tablename 'templates'
- $Filter = "PartitionKey eq 'CATemplate' and RowKey eq '$($Template.value)'"
- $JSONObj = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON
- $CAPolicy = New-CIPPCAPolicy -TenantFilter $tenant -state $request.body.NewState -RawJSON $JSONObj -Overwrite $true -APIName $APIName -ExecutingUser $request.headers.'x-ms-client-principal'
- }
- catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message)" -sev "Error"
- }
-}
-
-
diff --git a/Standards_DelegateSentItems/function.json b/Standards_DelegateSentItems/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_DelegateSentItems/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_DelegateSentItems/run.ps1 b/Standards_DelegateSentItems/run.ps1
deleted file mode 100644
index 55dcb4b3b023..000000000000
--- a/Standards_DelegateSentItems/run.ps1
+++ /dev/null
@@ -1,17 +0,0 @@
-param($tenant)
-
-try {
- $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet "Get-Mailbox" -cmdParams @{ RecipientTypeDetails = @("UserMailbox", "SharedMailbox") } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false } | ForEach-Object {
- try {
- $username = $_.UserPrincipalName
- New-ExoRequest -tenantid $Tenant -cmdlet "set-mailbox" -cmdParams @{Identity = $_.GUID ; MessageCopyForSendOnBehalfEnabled = $True; MessageCopyForSentAsEnabled = $True } -anchor $username
- }
- catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Could not enable delegate sent item style for $($username): $($_.Exception.message)" -sev Warn
- }
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Delegate Sent Items Style enabled." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to apply Delegate Sent Items Style. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_DeletedUserRentention/function.json b/Standards_DeletedUserRentention/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_DeletedUserRentention/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_DeletedUserRentention/run.ps1 b/Standards_DeletedUserRentention/run.ps1
deleted file mode 100644
index e4b6e31f2842..000000000000
--- a/Standards_DeletedUserRentention/run.ps1
+++ /dev/null
@@ -1,11 +0,0 @@
-param($tenant)
-
-try {
- $body = '{"deletedUserPersonalSiteRetentionPeriodInDays": 365}'
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/admin/sharepoint/settings" -AsApp $true -Type PATCH -Body $body -ContentType "application/json"
-
- Write-LogMessage -API "Standards" -tenant $tenant -message "Set deleted user rentention of OneDrive to 1 year" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to set deleted user rentention of OneDrive to 1 year: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_DisableAddShortcutsToOneDrive/function.json b/Standards_DisableAddShortcutsToOneDrive/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_DisableAddShortcutsToOneDrive/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_DisableAddShortcutsToOneDrive/run.ps1 b/Standards_DisableAddShortcutsToOneDrive/run.ps1
deleted file mode 100644
index 65c215683680..000000000000
--- a/Standards_DisableAddShortcutsToOneDrive/run.ps1
+++ /dev/null
@@ -1,89 +0,0 @@ -param($tenant) - -function GetTenantRequestXml { - return @" - - - - - - - - - - - - - -"@ -} - -function GetDisableAddShortcutsToOneDriveXml { - param( - [string]$identity - ) - - # the json object gives us a space and a newline :( - $identity = $identity.Replace(" ", "") - $identity = $identity.Replace("`n", " ") - return @" - - - - true - - - - - - -"@ -} - -$log = @{ - API = "Standards" - tenant = $tenant - message = "" - sev = "Info" -} - -try { - $OnMicrosoft = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $tenant | - Where-Object -Property isInitial -EQ $true).id.split('.') | Select-Object -First 1 - $AdminUrl = "https://$($OnMicrosoft)-admin.sharepoint.com" - $graphRequest = @{ - "scope" = "$AdminURL/.default" - "tenantid" = $tenant - "uri" = "$AdminURL/_vti_bin/client.svc/ProcessQuery" - "type" = "POST" - "body" = GetTenantRequestXml - "ContentType" = "text/xml" - } - - $response = New-GraphPostRequest @graphRequest - if (!$response.ErrorInfo.ErrorMessage) { - $log.message = "Received Tenant from Sharepoint" - Write-LogMessage @log - } - - $graphRequest.Body = GetDisableAddShortcutsToOneDriveXml -identity $response._ObjectIdentity_ - $response = New-GraphPostRequest @graphRequest - - if (!$response.ErrorInfo.ErrorMessage) { - $log.message = "Set DisableAddShortcutsToOneDrive to True on $tenant" - } - else { - $log.message = "Unable to set DisableAddShortcutsToOneDrive to True ` - on $($tenant): $($response.ErrorInfo.ErrorMessage)" - } -} -catch { - $log.message = "Failed to set OneDrive shortcut: $($_.Exception.Message)" - $log.sev = "Error" -} - -Write-LogMessage @log \ No newline at end of file diff --git a/Standards_DisableBasicAuth/function.json b/Standards_DisableBasicAuth/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_DisableBasicAuth/function.json +++ /dev/null 
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_DisableBasicAuth/run.ps1 b/Standards_DisableBasicAuth/run.ps1
deleted file mode 100644
index beab79e449d7..000000000000
--- a/Standards_DisableBasicAuth/run.ps1
+++ /dev/null
@@ -1,2 +0,0 @@
-param($tenant)
-Write-LogMessage -API "Standards" -tenant $tenant -message "Basic Authentication is disabled by default. SMTP authentication is still allowed. Please use the standard 'Disable SMTP Basic Authentication' to disable" -sev Info
diff --git a/Standards_DisableBasicAuthSMTP/function.json b/Standards_DisableBasicAuthSMTP/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_DisableBasicAuthSMTP/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_DisableBasicAuthSMTP/run.ps1 b/Standards_DisableBasicAuthSMTP/run.ps1
deleted file mode 100644
index 8bef6658e5cd..000000000000
--- a/Standards_DisableBasicAuthSMTP/run.ps1
+++ /dev/null
@@ -1,9 +0,0 @@
-param($tenant)
-
-try {
- $Request = New-ExoRequest -tenantid $Tenant -cmdlet "Set-TransportConfig" -cmdParams @{ SmtpClientAuthenticationDisabled = $true }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Disabled SMTP Basic Authentication" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable SMTP Basic Authentication: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_DisableGuestDirectory/function.json b/Standards_DisableGuestDirectory/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_DisableGuestDirectory/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_DisableGuestDirectory/run.ps1 b/Standards_DisableGuestDirectory/run.ps1
deleted file mode 100644
index cc81ded587a3..000000000000
--- a/Standards_DisableGuestDirectory/run.ps1
+++ /dev/null
@@ -1,11 +0,0 @@
-param($tenant)
-
-try {
- $body = '{guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b"}'
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -Type patch -Body $body -ContentType "application/json")
-
- Write-LogMessage -API "Standards" -tenant $tenant -message "Disabled Guest access to directory information." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable Guest access to directory information.: $($_.exception.message)" -sev "Error"
-}
diff --git a/Standards_DisableGuests/function.json b/Standards_DisableGuests/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_DisableGuests/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_DisableGuests/run.ps1 b/Standards_DisableGuests/run.ps1
deleted file mode 100644
index abf43e7bfb11..000000000000
--- a/Standards_DisableGuests/run.ps1
+++ /dev/null
@@ -1,14 +0,0 @@
-param($tenant)
-
-try {
- $lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o')
- $GraphRequest = New-GraphgetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastSignInDateTime le $lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled" -scope "https://graph.microsoft.com/.default" -tenantid $Tenant | Where-Object { $_.userType -EQ 'Guest' -and $_.AccountEnabled -EQ $true }
- foreach ($guest in $GraphRequest) {
- New-GraphPostRequest -type Patch -tenantid $tenant -uri "https://graph.microsoft.com/beta/users/$($guest.id)" -body '{"accountEnabled":"false"}'
- Write-LogMessage -API "Standards" -tenant $tenant -message "Disabling guest $($guest.UserPrincipalName) ($($guest.id))" -sev Info
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Disabled guests accounts with a login longer than 90 days ago." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable guests older than 90 days: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_DisableM365GroupUsers/function.json b/Standards_DisableM365GroupUsers/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_DisableM365GroupUsers/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_DisableM365GroupUsers/run.ps1 b/Standards_DisableM365GroupUsers/run.ps1
deleted file mode 100644
index 54dc6199d3fa..000000000000
--- a/Standards_DisableM365GroupUsers/run.ps1
+++ /dev/null
@@ -1,18 +0,0 @@ -param($tenant) - -try { - $CurrentState = (New-GraphGetRequest -asApp $true -Uri "https://graph.microsoft.com/beta/settings" -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' - if (!$CurrentState) { - #if no current configuration is found, we set it to the default template supplied by MS. - $CurrentState = '{"id":"","displayName":"Group.Unified","templateId":"62375ab9-6b52-47ed-826b-58e47e0e304b","values":[{"name":"NewUnifiedGroupWritebackDefault","value":"true"},{"name":"EnableMIPLabels","value":"false"},{"name":"CustomBlockedWordsList","value":""},{"name":"EnableMSStandardBlockedWords","value":"false"},{"name":"ClassificationDescriptions","value":""},{"name":"DefaultClassification","value":""},{"name":"PrefixSuffixNamingRequirement","value":""},{"name":"AllowGuestsToBeGroupOwner","value":"false"},{"name":"AllowGuestsToAccessGroups","value":"true"},{"name":"GuestUsageGuidelinesUrl","value":""},{"name":"GroupCreationAllowedGroupId","value":""},{"name":"AllowToAddGuests","value":"true"},{"name":"UsageGuidelinesUrl","value":""},{"name":"ClassificationList","value":""},{"name":"EnableGroupCreation","value":"true"}]}' - (New-GraphPostRequest -AsApp $true -tenantid $tenant -Uri "https://graph.microsoft.com/beta/settings/$($CurrentState.id)" -Type POST -Body $CurrentState -ContentType "application/json") - $CurrentState = (New-GraphGetRequest -asApp $true -Uri "https://graph.microsoft.com/beta/settings" -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' - } - ($CurrentState.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value = "false" - $body = "{values : $($CurrentState.values | ConvertTo-Json -Compress)}" - (New-GraphPostRequest -AsApp $true -tenantid $tenant -Uri "https://graph.microsoft.com/beta/settings/$($CurrentState.id)" -Type patch -Body $body -ContentType "application/json") - Write-LogMessage -API "Standards" -tenant $tenant -message "Standards API: Disabled users from creating 
M365 Groups." -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable users from creating M365 Groups: $($_.exception.message)" -sev "Error" -} diff --git a/Standards_DisableReshare/function.json b/Standards_DisableReshare/function.json deleted file mode 100644 index ce713ef7d4f6..000000000000 --- a/Standards_DisableReshare/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "type": "activityTrigger", - "direction": "in" - } - ] -} \ No newline at end of file diff --git a/Standards_DisableReshare/run.ps1 b/Standards_DisableReshare/run.ps1 deleted file mode 100644 index c1757dee151f..000000000000 --- a/Standards_DisableReshare/run.ps1 +++ /dev/null @@ -1,11 +0,0 @@ -param($tenant) - -try { - $body = '{"isResharingByExternalUsersEnabled": "False"}' - $Request = New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/admin/sharepoint/settings" -AsApp $true -Type patch -Body $body -ContentType "application/json" - Write-Host ($Request | ConvertTo-Json) - Write-LogMessage -API "Standards" -tenant $tenant -message "Disabled guests from resharing files" -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable guests from resharing files: $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_DisableSecurityGroupUsers/function.json b/Standards_DisableSecurityGroupUsers/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_DisableSecurityGroupUsers/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_DisableSecurityGroupUsers/run.ps1 b/Standards_DisableSecurityGroupUsers/run.ps1 deleted file mode 100644 index 459c82c2d72a..000000000000 --- a/Standards_DisableSecurityGroupUsers/run.ps1 +++ /dev/null 
@@ -1,11 +0,0 @@ -param($tenant) - -try { - $body = '{"defaultUserRolePermissions":{"allowedToCreateSecurityGroups":false}}' - (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -Type patch -Body $body -ContentType "application/json") - - Write-LogMessage -API "Standards" -tenant $tenant -message "Standards API: Disabled users from creating Security Groups." -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable users from creating Security Groups: $($_.exception.message)" -sev "Error" -} diff --git a/Standards_DisableSelfServiceLicenses/function.json b/Standards_DisableSelfServiceLicenses/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_DisableSelfServiceLicenses/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_DisableSelfServiceLicenses/run.ps1 b/Standards_DisableSelfServiceLicenses/run.ps1 deleted file mode 100644 index 3a6960cdd678..000000000000 --- a/Standards_DisableSelfServiceLicenses/run.ps1 +++ /dev/null @@ -1,9 +0,0 @@ -param($tenant) - -try { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable License Buy Self Service: $($_.exception.message)" -sev Error - -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable License Buy Self Service: $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_DisableSharedMailbox/function.json b/Standards_DisableSharedMailbox/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_DisableSharedMailbox/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file 
diff --git a/Standards_DisableSharedMailbox/run.ps1 b/Standards_DisableSharedMailbox/run.ps1 deleted file mode 100644 index 9b4d6083270a..000000000000 --- a/Standards_DisableSharedMailbox/run.ps1 +++ /dev/null @@ -1,12 +0,0 @@ -param($tenant) - -try { - $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($tenant)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ "SharedMailbox" -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) | ForEach-Object { - New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/users/$($_.ObjectKey)" -type "PATCH" -body '{"accountEnabled":"false"}' -tenantid $tenant - } - Write-LogMessage -API "Standards" -tenant $tenant -message "AAD Accounts for shared mailboxes disabled." -sev Info - -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable AAD accounts for shared mailboxes. Error: $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_DisableTenantCreation/function.json b/Standards_DisableTenantCreation/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_DisableTenantCreation/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_DisableTenantCreation/run.ps1 b/Standards_DisableTenantCreation/run.ps1 deleted file mode 100644 index 39e4057fea98..000000000000 --- a/Standards_DisableTenantCreation/run.ps1 +++ /dev/null 
@@ -1,10 +0,0 @@ -param($tenant) - -try { - $body = '{"defaultUserRolePermissions":{"allowedToCreateTenants":false}}' - (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -Type patch -Body $body -ContentType "application/json") - Write-LogMessage -API "Standards" -tenant $tenant -message "Standards API: Disabled users from creating tenants." -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable users from creating tenants: $($_.exception.message)" -sev "Error" -} diff --git a/Standards_DisableUserSiteCreate/function.json b/Standards_DisableUserSiteCreate/function.json deleted file mode 100644 index ce713ef7d4f6..000000000000 --- a/Standards_DisableUserSiteCreate/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "type": "activityTrigger", - "direction": "in" - } - ] -} \ No newline at end of file diff --git a/Standards_DisableUserSiteCreate/run.ps1 b/Standards_DisableUserSiteCreate/run.ps1 deleted file mode 100644 index 3cb87b68e47d..000000000000 --- a/Standards_DisableUserSiteCreate/run.ps1 +++ /dev/null @@ -1,10 +0,0 @@ -param($tenant) - -try { - $body = '{"isSiteCreationEnabled": false}' - New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/admin/sharepoint/settings" -AsApp $true -Type patch -Body $body -ContentType "application/json" - Write-LogMessage -API "Standards" -tenant $tenant -message "Disabled standard users from creating sites" -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable standard users from creating sites: $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_DisableViva/function.json b/Standards_DisableViva/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_DisableViva/function.json +++ /dev/null 
@@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_DisableViva/run.ps1 b/Standards_DisableViva/run.ps1 deleted file mode 100644 index 89b50ec0dd62..000000000000 --- a/Standards_DisableViva/run.ps1 +++ /dev/null @@ -1,12 +0,0 @@ -param($tenant) - -try { - $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet "get-mailbox" -cmdparams @{ Filter = 'RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { - (New-ExoRequest -tenantid $tenant -cmdlet "Set-UserBriefingConfig" -cmdparams @{ Identity = $_.UserPrincipalName; Enabled = $false }) - } - Write-LogMessage -API "Standards" -tenant $tenant -message "Disable daily Viva reports" -sev Info - -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable Viva for all users Error: $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_EnableAppConsentRequests/function.json b/Standards_EnableAppConsentRequests/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_EnableAppConsentRequests/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_EnableAppConsentRequests/run.ps1 b/Standards_EnableAppConsentRequests/run.ps1 deleted file mode 100644 index 03d3e12bc621..000000000000 --- a/Standards_EnableAppConsentRequests/run.ps1 +++ /dev/null 
@@ -1,66 +0,0 @@ -param($tenant) - -try { - - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.EnableAppConsentRequests - if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.EnableAppConsentRequests - } - - # Get current state - $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant - - # Change state to enabled with default settings - $CurrentInfo.isEnabled = 'true' - $CurrentInfo.notifyReviewers = 'true' - $CurrentInfo.remindersEnabled = 'true' - $CurrentInfo.requestDurationInDays = 30 - - # Roles from standards table - $RolesToAdd = $Setting.ReviewerRoles.value - $RoleNames = $Setting.ReviewerRoles.label -join ', ' - - # Set default if no roles are selected - if (!$RolesToAdd) { - $RolesToAdd = @('62e90394-69f5-4237-9190-012177145e10') - $RoleNames = '(Default) Global Administrator' - } - - $NewReviewers = foreach ($Role in $RolesToAdd) { - @{ - query = "/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$Role'" - queryType = 'MicrosoftGraph' - queryRoot = 'null' - } - } - - # Add existing reviewers - $Reviewers = [System.Collections.Generic.List[object]]::new() - foreach ($Reviewer in $CurrentInfo.reviewers) { - $RoleFound = $false - foreach ($Role in $RolesToAdd) { - if ($Reviewer.query -match $Role -or $Reviewers.query -contains $Reviewer.query) { - $RoleFound = $true - } - } - if (!$RoleFound) { - $Reviewers.add($Reviewer) - } - } - - # Add new reviewer roles - foreach ($NewReviewer in $NewReviewers) { - $Reviewers.add($NewReviewer) - } - - # Update reviewer list - $CurrentInfo.reviewers = @($Reviewers) - $body = (ConvertTo-Json -Compress -Depth 10 -InputObject $CurrentInfo) - - 
New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -Type put -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Enabled App consent admin requests for the following roles: $RoleNames" -sev Info - -} catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable App consent admin requests. Error: $($_.exception.message)" -sev Error -} diff --git a/Standards_EnableFIDO2/function.json b/Standards_EnableFIDO2/function.json deleted file mode 100644 index ce713ef7d4f6..000000000000 --- a/Standards_EnableFIDO2/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "type": "activityTrigger", - "direction": "in" - } - ] -} \ No newline at end of file diff --git a/Standards_EnableFIDO2/run.ps1 b/Standards_EnableFIDO2/run.ps1 deleted file mode 100644 index 5618871add43..000000000000 --- a/Standards_EnableFIDO2/run.ps1 +++ /dev/null @@ -1,10 +0,0 @@ -param($tenant) - -try { - $body = '{"@odata.type":"#microsoft.graph.fido2AuthenticationMethodConfiguration","id":"Fido2","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","displayName":"All users"}],"excludeTargets":[],"isAttestationEnforced":true,"isSelfServiceRegistrationAllowed":true,"keyRestrictions":{"aaGuids":[],"enforcementType":"block","isEnforced":false},"state":"enabled"}' - New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Fido2" -Type patch -Body $body -ContentType "application/json" - Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled FIDO2 Support" -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable FIDO2 Support: $($_.exception.message)" -sev Error -} \ No newline at end of file 
diff --git a/Standards_EnableOnlineArchiving/function.json b/Standards_EnableOnlineArchiving/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_EnableOnlineArchiving/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_EnableOnlineArchiving/run.ps1 b/Standards_EnableOnlineArchiving/run.ps1 deleted file mode 100644 index b8634b7ca07f..000000000000 --- a/Standards_EnableOnlineArchiving/run.ps1 +++ /dev/null @@ -1,12 +0,0 @@ -param($tenant) - -try { - $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet "get-mailbox" -cmdparams @{ Filter = 'ArchiveGuid -Eq "00000000-0000-0000-0000-000000000000" -AND RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { - (New-ExoRequest -tenantid $tenant -cmdlet "enable-Mailbox" -cmdparams @{ Identity = $_.UserPrincipalName; Archive = $true }) - } - Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled Online Archiving for all accounts" -sev Info - -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to Enable Online Archiving for all accounts Error: $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_ExConnector/function.json b/Standards_ExConnector/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_ExConnector/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_ExConnector/run.ps1 b/Standards_ExConnector/run.ps1 deleted file mode 100644 index 9250918a0279..000000000000 --- a/Standards_ExConnector/run.ps1 +++ /dev/null 
@@ -1,31 +0,0 @@ -param($tenant) - -$ConfigTable = Get-CippTable -tablename 'standards' -$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExConnector -if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ExConnector -} -$APINAME = "Standards" -foreach ($Template in $Setting.TemplateList) { - try { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'ExConnectorTemplate' and RowKey eq '$($Template.value)'" - $connectorType = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).direction - $RequestParams = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenant -cmdlet "Get-$($ConnectorType)connector" | Where-Object -Property Identity -EQ $RequestParams.name - if ($Existing) { - $RequestParams | Add-Member -NotePropertyValue $Existing.Identity -NotePropertyName Identity -Force - $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "Set-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true - Write-LogMessage -API $APINAME -tenant $Tenant -message "Updated transport rule for $($Tenant)" -sev info - } - else { - $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "New-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true - Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($Tenant)" -sev info - } - } - catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to create or update Exchange Connector Rule: $($_.exception.message)" -sev "Error" - } - -} - diff --git a/Standards_ExcludedfileExt/function.json b/Standards_ExcludedfileExt/function.json deleted file mode 100644 index ce713ef7d4f6..000000000000 
--- a/Standards_ExcludedfileExt/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "type": "activityTrigger", - "direction": "in" - } - ] -} \ No newline at end of file diff --git a/Standards_ExcludedfileExt/run.ps1 b/Standards_ExcludedfileExt/run.ps1 deleted file mode 100644 index e8620848f04d..000000000000 --- a/Standards_ExcludedfileExt/run.ps1 +++ /dev/null @@ -1,16 +0,0 @@ -param($tenant) -$ConfigTable = Get-CippTable -tablename 'standards' -$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExcludedfileExt -if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ExcludedfileExt -} - -try { - $Exts = $Setting.ext -split ',' - $body = ConvertTo-Json -InputObject @{ excludedFileExtensionsForSyncApp = @($Exts) } - New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/admin/sharepoint/settings" -AsApp $true -Type patch -Body $body -ContentType "application/json" - Write-LogMessage -API "Standards" -tenant $tenant -message "Added $($Setting.ext) to excluded synced files" -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to add $($Setting.ext) to excluded synced files: $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_GetQueue/function.json b/Standards_GetQueue/function.json deleted file mode 100644 index b31f1ad21352..000000000000 --- a/Standards_GetQueue/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "name", - "type": "activityTrigger", - "direction": "in" - } - ] -} \ No newline at end of file diff --git a/Standards_GetQueue/run.ps1 b/Standards_GetQueue/run.ps1 deleted file mode 100644 index 24a4f64dc523..000000000000 --- a/Standards_GetQueue/run.ps1 +++ /dev/null 
@@ -1,37 +0,0 @@ -param($name) - -Write-Host 'QUEUEQUE' -$Table = Get-CippTable -tablename 'standards' -$SkipList = Get-Tenants -SkipList -$Tenants = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - -$object = foreach ($Tenant in $Tenants) { - $Tenant.standards.psobject.properties.name | ForEach-Object { - $Standard = $_ - Write-Host "Standard is $Standard" - if ($Tenant.Tenant -ne 'AllTenants' -and $SkipList.defaultDomainName -notcontains $Tenant.Tenant) { - Write-Host 'Not all tenants. Single object' - if ($Standard -ne "OverrideAllTenants") { - [pscustomobject]@{ - Tenant = $tenant.Tenant - Standard = $Standard - } - } - } - elseif ($Tenant.Tenant -eq 'AllTenants') { - Get-Tenants | ForEach-Object { - $TenantForStandard = $_ - $TenantStandard = $Tenants | Where-Object { $_.Tenant -eq $TenantForStandard.defaultDomainName } - Write-Host "Working on all Tenants. Current Tenant is $($Tenant.defaultDomainName) and standard is $Standard" - if ($TenantStandard.standards.OverrideAllTenants -ne $true) { - [pscustomobject]@{ - Tenant = $_.defaultDomainName - Standard = $Standard - } - } - } - } - } -} - -$object \ No newline at end of file diff --git a/Standards_GroupTemplate/function.json b/Standards_GroupTemplate/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_GroupTemplate/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_GroupTemplate/run.ps1 b/Standards_GroupTemplate/run.ps1 deleted file mode 100644 index 4034f513e5ac..000000000000 --- a/Standards_GroupTemplate/run.ps1 +++ /dev/null 
@@ -1,61 +0,0 @@ -param($tenant) - -$ConfigTable = Get-CippTable -tablename 'standards' -$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.GroupTemplate -if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.GroupTemplate -} - - - -foreach ($Template in $Setting.TemplateList) { - try { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'GroupTemplate' and RowKey eq '$($Template.value)'" - $groupobj = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($tenant)" } - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/groups" -tenantid $tenant | Where-Object -Property displayName -EQ $groupobj.displayname - if (!$CheckExististing) { - if ($groupobj.groupType -in "Generic", "azurerole", "dynamic") { - - $BodyToship = [pscustomobject] @{ - "displayName" = $groupobj.Displayname - "description" = $groupobj.Description - "mailNickname" = $groupobj.username - mailEnabled = [bool]$false - securityEnabled = [bool]$true - isAssignableToRole = [bool]($groupobj | Where-Object -Property groupType -EQ "AzureRole") - - } - if ($groupobj.membershipRules) { - $BodyToship | Add-Member -NotePropertyName "membershipRule" -NotePropertyValue ($groupobj.membershipRules) - $BodyToship | Add-Member -NotePropertyName "groupTypes" -NotePropertyValue @("DynamicMembership") - $BodyToship | Add-Member -NotePropertyName "membershipRuleProcessingState" -NotePropertyValue "On" - } - $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups" -tenantid $tenant -type POST -body (ConvertTo-Json -InputObject $BodyToship -Depth 10) -verbose - } - else { - $Params = @{ - Name = 
$groupobj.Displayname - Alias = $groupobj.username - Description = $groupobj.Description - PrimarySmtpAddress = $email - Type = $groupobj.groupType - RequireSenderAuthenticationEnabled = [bool]!$groupobj.AllowExternal - } - $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet "New-DistributionGroup" -cmdParams $params - } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API "Standards" -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id) " -Sev "Info" - - } - else { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API "Standards" -tenant $tenant -message "Group exists $($groupobj.displayname). Did not create" -Sev "Info" - - } - } - catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to create group: $($_.exception.message)" -sev "Error" - } -} - - diff --git a/Standards_IntuneTemplate/function.json b/Standards_IntuneTemplate/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_IntuneTemplate/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_IntuneTemplate/run.ps1 b/Standards_IntuneTemplate/run.ps1 deleted file mode 100644 index d33febabede5..000000000000 --- a/Standards_IntuneTemplate/run.ps1 +++ /dev/null 
@@ -1,88 +0,0 @@ -param($tenant) - -$ConfigTable = Get-CippTable -tablename 'standards' -$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.IntuneTemplate -if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.IntuneTemplate -} - -$APINAME = "Standards" -foreach ($Template in $Setting.TemplateList) { - try { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'IntuneTemplate'" - $Request = @{body = $null } - $Request.body = (Get-CIPPAzDataTableEntity @Table -Filter $Filter | Where-Object -Property RowKey -Like "$($template.value)*").JSON | ConvertFrom-Json - $displayname = $request.body.Displayname - $description = $request.body.Description - $AssignTo = if ($request.body.Assignto -ne "on") { $request.body.Assignto } - $RawJSON = $Request.body.RawJSON - - switch ($Request.body.Type) { - "Admin" { - $TemplateTypeURL = "groupPolicyConfigurations" - $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}' - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - if ($displayname -in $CheckExististing.displayName) { - $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname - $ExistingData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/definitionValues" -tenantid $tenant - $DeleteJson = $RawJSON | ConvertFrom-Json -Depth 10 - $DeleteJson.deletedIds = @($ExistingData.id) - $DeleteJson.added = @() - $DeleteJson = ConvertTo-Json -Depth 10 -InputObject $DeleteJson - $DeleteRequest = New-GraphPOSTRequest -uri 
"https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $DeleteJson - $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Updated policy $($Displayname) to template defaults" -Sev "info" - - } - else { - $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody - $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($Displayname) to template defaults" -Sev "info" - - } - } - "Device" { - $TemplateTypeURL = "deviceConfigurations" - $PolicyName = ($RawJSON | ConvertFrom-Json).displayName - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - if ($PolicyName -in $CheckExististing.displayName) { - $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $PolicyName - $PatchRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PATCH -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Updated policy $($PolicyName) to template defaults" -Sev "info" - - } - else { - $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST 
-body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($PolicyName) via template" -Sev "info" - - } - } - "Catalog" { - $TemplateTypeURL = "configurationPolicies" - $PolicyName = ($RawJSON | ConvertFrom-Json).Name - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - if ($PolicyName -in $CheckExististing.name) { - $ExistingID = $CheckExististing | Where-Object -Property Name -EQ $PolicyName - $PUTRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PUT -body $RawJSON - - } - else { - $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($PolicyName) via template" -Sev "info" - - } - } - - } - if ($AssignTo) { - $AssignBody = if ($AssignTo -ne "AllDevicesAndUsers") { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' 
+ $($AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } - $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $AssignTo" -Sev "Info" - } - Write-LogMessage -API "Standards" -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant)" -sev "Info" - } - catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to create or update Intune Template: $($_.exception.message)" -sev "Error" - } -} diff --git a/Standards_LegacyMFA/function.json b/Standards_LegacyMFA/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_LegacyMFA/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_LegacyMFA/run.ps1 b/Standards_LegacyMFA/run.ps1 deleted file mode 100644 index c0bdd2f8501c..000000000000 --- a/Standards_LegacyMFA/run.ps1 +++ /dev/null 
@@ -1,24 +0,0 @@
-param($tenant)
-
-try {
- $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default')
- $tenantid = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant).customerId
- $TrackingGuid = (New-Guid).GUID
- $LogonPost = @"
-http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnecturn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])50afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$($TrackingGuid)https://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion4
-"@
- $DataBlob = (Invoke-RestMethod -Method POST -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -ContentType 'application/soap+xml; charset=utf-8' -Body $LogonPost).envelope.header.BecContext.DataBlob.'#text'
- $Users = Get-CIPPMSolUsers -tenant $tenant | Where-Object { ($_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state -eq $null -and $_.UserPrincipalName -notlike 'Sync_*') }
- foreach ($user in $users) {
- Write-Host $user.UserPrincipalName
- $MSOLXML = @"
-http://provisioning.microsoftonline.com/IProvisioningWebService/SetUserurn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])$($DataBlob)9450afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$TrackingGuidhttps://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion16$($tenantid)$($User.ObjectID)*0001-01-01T00:00:00Enabled
-"@
- $SetMFA = (Invoke-RestMethod -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -Method post -Body $MSOLXML -ContentType 'application/soap+xml; charset=utf-8')
- }
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled per user MFA.' -sev Info
-
-}
-catch {
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable (legacy) per user MFA: $($_.exception.message)" -sev "Error"
-}
\ No newline at end of file
diff --git a/Standards_LegacyMFACleanup/function.json b/Standards_LegacyMFACleanup/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_LegacyMFACleanup/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_LegacyMFACleanup/run.ps1 b/Standards_LegacyMFACleanup/run.ps1
deleted file mode 100644
index ba87338262d1..000000000000
--- a/Standards_LegacyMFACleanup/run.ps1
+++ /dev/null
@@ -1,63 +0,0 @@
-param($tenant)
-
-try {
- $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default')
- $tenantid = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $tenant).customerId
-
- try {
- $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant)
- $SecDefaults = $SecureDefaultsState.IsEnabled
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Security default state: $SecDefaults" -sev Debug
- }
- catch {
- $SecDefaults = $false
- }
-
- if ($SecDefaults -eq $false) {
- try {
- $AllUsersCAPolicy = (New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?`$filter=(grantControls/builtInControls/any(b:b eq 'mfa') or grantControls/customAuthenticationFactors/any(c:c eq 'RequireDuoMfa')) and state eq 'enabled' and conditions/users/includeUsers/any(u:u eq 'All')&`$count=true" -ComplexFilter -tenantid $tenant).displayName
- Write-LogMessage -API 'Standards' -tenant $tenant -message "All users CA policy: $AllUsersCAPolicy" -sev Debug
-
- if ($AllUsersCAPolicy) {
- $AADPremiumUsers = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/?`$select=id,userPrincipalName&`$filter=assignedPlans/any(c:c/service eq 'AADPremiumService' and c/capabilityStatus eq 'Enabled')&`$count=true" -tenantid $tenant -ComplexFilter).userPrincipalName
- Write-LogMessage -API 'Standards' -tenant $tenant -message "AAD Premium Users: $($AADPremiumUsers -join ', ')" -sev Debug
- }
- }
- catch {
- $AllUsersCAPolicy = $false
- }
- }
-
- if ($SecDefaults -or $AllUsersCAPolicy) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Tenant meets requirements for Legacy MFA cleanup' -sev Info
- $TrackingGuid = (New-Guid).GUID
- $LogonPost = @"
-http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnecturn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])50afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$($TrackingGuid)https://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion4
-"@
- $DataBlob = (Invoke-RestMethod -Method POST -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -ContentType 'application/soap+xml; charset=utf-8' -Body $LogonPost).envelope.header.BecContext.DataBlob.'#text'
- $Users = Get-CIPPMSolUsers -tenant $tenant | Where-Object { $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.State -eq 'Enabled' -or $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.State -EQ 'Enforced' }
- if (($Users | Measure-Object | Select-Object -ExpandProperty Count) -gt 0) {
- foreach ($user in $users) {
- if ($AllUsersCAPolicy -and $AADPremiumUsers -notcontains $user.UserPrincipalName) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Skipping user $($user.UserPrincipalName) does not have AAD Premium" -sev Debug
- continue
- }
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabling legacy MFA for $($user.UserPrincipalName)" -sev Info
- $MSOLXML = @"
-http://provisioning.microsoftonline.com/IProvisioningWebService/SetUserurn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])$($DataBlob)9450afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$TrackingGuidhttps://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion16$($tenantid)$($User.ObjectID)
-"@
- $SetMFA = (Invoke-RestMethod -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -Method post -Body $MSOLXML -ContentType 'application/soap+xml; charset=utf-8')
- }
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Legacy MFA cleanup complete.' -sev Info
- }
- else {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'No Legacy MFA to cleanup.' -sev Info
- }
- }
- else {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unable to clean up per user MFA, tenant does not have Security Defaults or an all users CA policy requiring MFA' -sev Error
- }
-}
-catch {
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to clean up (legacy) per user MFA: $($_.exception.message)" -sev "Error"
-}
\ No newline at end of file
diff --git a/Standards_MailContacts/function.json b/Standards_MailContacts/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_MailContacts/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_MailContacts/run.ps1 b/Standards_MailContacts/run.ps1
deleted file mode 100644
index 83cbd4bea699..000000000000
--- a/Standards_MailContacts/run.ps1
+++ /dev/null
@@ -1,23 +0,0 @@
-param($tenant)
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Contacts = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.MailContacts
-if (!$Contacts) {
- $Contacts = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.MailContacts
-}
-
-try {
- $TenantID = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization" -tenantid $tenant)
- $Body = [pscustomobject]@{}
- switch ($Contacts) {
- { $Contacts.marketingcontact.mail } { $body | Add-Member -NotePropertyName marketingNotificationEmails -NotePropertyValue @($Contacts.marketingcontact.mail) }
- { $Contacts.SecurityContact.Mail } { $body | Add-Member -NotePropertyName securityComplianceNotificationMails -NotePropertyValue @($Contacts.SecurityContact.Mail) }
- { $Contacts.TechContact.Mail } { $body | Add-Member -NotePropertyName technicalNotificationMails -NotePropertyValue @($Contacts.TechContact.Mail) }
- { $Contacts.GeneralContact.Mail } { $body | Add-Member -NotePropertyName privacyProfile -NotePropertyValue @{contactEmail = $Contacts.GeneralContact.Mail } }
- }
- Write-Host (ConvertTo-Json -InputObject $body)
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -Type patch -Body (ConvertTo-Json -InputObject $body) -ContentType "application/json"
- Write-LogMessage -API "Standards" -tenant $tenant -message "Contact email's set." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to set contact emails: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_ModernAuth/function.json b/Standards_ModernAuth/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_ModernAuth/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_ModernAuth/run.ps1 b/Standards_ModernAuth/run.ps1
deleted file mode 100644
index 396045f532bc..000000000000
--- a/Standards_ModernAuth/run.ps1
+++ /dev/null
@@ -1,3 +0,0 @@
-param($tenant)
-
-Write-LogMessage -API "Standards" -tenant $tenant -message "Modern Authentication is enabled by default. This standard is no longer required." -sev Info
diff --git a/Standards_NudgeMFA/function.json b/Standards_NudgeMFA/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_NudgeMFA/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_NudgeMFA/run.ps1 b/Standards_NudgeMFA/run.ps1
deleted file mode 100644
index 0ec7b80ef78d..000000000000
--- a/Standards_NudgeMFA/run.ps1
+++ /dev/null
@@ -1,24 +0,0 @@
-param($tenant)
-
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.NudgeMFA
-if (!$Setting) {
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.NudgeMFA
-}
-Write-Output $setting
-$status = if ($Setting.enable -and $Setting.disable) {
- Write-LogMessage -API "Standards" -tenant $tenant -message "You cannot both enable and disable the Nudge MFA setting" -sev Error
- Exit
-}
-elseif ($setting.enable) { "enabled" } else { "disabled" }
-Write-Output $status
-try {
- $Body = (New-GraphGetRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy")
- $body.registrationEnforcement.authenticationMethodsRegistrationCampaign.state = $status
- $body = ConvertTo-Json -Depth 10 -InputObject ($body | Select-Object registrationEnforcement)
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy" -Type patch -Body $body -ContentType "application/json"
- Write-LogMessage -API "Standards" -tenant $tenant -message "Authenticator App Nudge/Registration campaign $status." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to $status Authenticator App Nudge/Registration campaign: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_OauthConsent/function.json b/Standards_OauthConsent/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_OauthConsent/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_OauthConsent/run.ps1 b/Standards_OauthConsent/run.ps1
deleted file mode 100644
index 03479b028411..000000000000
--- a/Standards_OauthConsent/run.ps1
+++ /dev/null
@@ -1,36 +0,0 @@
-param($tenant)
-$ConfigTable = Get-CippTable -tablename 'standards'
-$AllowedAppIdsForTenant = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).Standards.OauthConsent.AllowedApps -split ','
-if (!$AllowedAppIdsForTenant) {
- $AllowedAppIdsForTenant = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).Standards.OauthConsent.AllowedApps -split ','
-}
-try {
- $State = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -tenantid $tenant)
- if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @("ManagePermissionGrantsForSelf.cipp-1sent-policy")) {
- Write-Host "Going to set"
-
- $Existing = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/policies/permissionGrantPolicies/" -tenantid $tenant) | Where-Object -Property id -EQ "cipp-consent-policy"
- if (!$Existing) {
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/permissionGrantPolicies" -Type POST -Body '{ "id":"cipp-consent-policy", "displayName":"Application Consent Policy", "description":"This policy controls the current application consent policies."}' -ContentType "application/json"
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes" -Type POST -Body '{"permissionClassification":"all","permissionType":"delegated","clientApplicationIds":["d414ee2d-73e5-4e5b-bb16-03ef55fea597"]}' -ContentType "application/json"
- }
- try {
- foreach ($AllowedApp in $AllowedAppIdsForTenant) {
- Write-Host "$AllowedApp"
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes" -Type POST -Body ('{"permissionType": "delegated","clientApplicationIds": ["' + $AllowedApp + '"]}') -ContentType "application/json"
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes" -Type POST -Body ('{ "permissionType": "Application", "clientApplicationIds": ["' + $AllowedApp + '"] }') -ContentType "application/json"
- }
- }
- catch {
- "Could not add exclusions, probably already exist: $($_)"
- }
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.cipp-consent-policy"]}' -ContentType "application/json"
- }
- if ($AllowedAppIdsForTenant) {
- }
-
- Write-LogMessage -API "Standards" -tenant $tenant -message "Application Consent Mode has been enabled." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to apply Application Consent Mode Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_OauthConsentLowSec/function.json b/Standards_OauthConsentLowSec/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_OauthConsentLowSec/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_OauthConsentLowSec/run.ps1 b/Standards_OauthConsentLowSec/run.ps1
deleted file mode 100644
index 9e4278f153fd..000000000000
--- a/Standards_OauthConsentLowSec/run.ps1
+++ /dev/null
@@ -1,13 +0,0 @@
-param($tenant)
-
-try {
- $State = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -tenantid $tenant)
- if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @("managePermissionGrantsForSelf.microsoft-user-default-low")) {
- Write-Host "Going to set"
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.microsoft-user-default-low"]}' -ContentType "application/json"
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Application Consent Mode(microsoft-user-default-low) has been enabled." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_Orchestration/function.json b/Standards_Orchestration/function.json
deleted file mode 100644
index 7326b39c184d..000000000000
--- a/Standards_Orchestration/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "Context",
- "type": "orchestrationTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_Orchestration/run.ps1 b/Standards_Orchestration/run.ps1
deleted file mode 100644
index 5e20d3ed21d4..000000000000
--- a/Standards_Orchestration/run.ps1
+++ /dev/null
@@ -1,32 +0,0 @@
-param($Context)
-
-$DurableRetryOptions = @{
- FirstRetryInterval = (New-TimeSpan -Seconds 5)
- MaxNumberOfAttempts = 3
- BackoffCoefficient = 2
-}
-$RetryOptions = New-DurableRetryOptions @DurableRetryOptions
-
-$Batch = Invoke-ActivityFunction -FunctionName 'Standards_GetQueue' -Input 'LetsGo' -ErrorAction Stop
-if ($null -ne $Batch -and ($Batch | Measure-Object).Count -gt 0) {
- $ParallelTasks = foreach ($Item in $Batch) {
- if ($item['Standard']) {
- try {
- Invoke-DurableActivity -FunctionName "Standards_$($item['Standard'])" -Input "$($item['Tenant'])" -NoWait -RetryOptions $RetryOptions -ErrorAction Stop
- } catch {
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Task error: $($_.Exception.Message)" -sev Error
- }
- }
- }
-
- if (($ParallelTasks | Measure-Object).Count -gt 0) {
- try {
- $Outputs = Wait-ActivityFunction -Task $ParallelTasks -ErrorAction Stop
- } catch {
- Write-Information "Standards Wait-ActivityFunction error: $($_.Exception.Message)"
- }
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deployment finished.' -sev Info
- }
-} else {
- Write-Information 'No Standards to process'
-}
diff --git a/Standards_OrchestrationStarter/function.json b/Standards_OrchestrationStarter/function.json
deleted file mode 100644
index 14c44f4f0217..000000000000
--- a/Standards_OrchestrationStarter/function.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "bindings": [
- {
- "authLevel": "anonymous",
- "name": "Request",
- "type": "httpTrigger",
- "direction": "in",
- "methods": [
- "post",
- "get"
- ]
- },
- {
- "type": "http",
- "direction": "out",
- "name": "Response"
- },
- {
- "name": "starter",
- "type": "durableClient",
- "direction": "in"
- }
- ]
-}
diff --git a/Standards_OrchestrationStarter/run.ps1 b/Standards_OrchestrationStarter/run.ps1
deleted file mode 100644
index 514c3edf0980..000000000000
--- a/Standards_OrchestrationStarter/run.ps1
+++ /dev/null
@@ -1,22 +0,0 @@
-using namespace System.Net
-
-param($Request, $TriggerMetadata)
-if ($CurrentlyRunning) {
- $Results = [pscustomobject]@{"Results" = "Already running. Please wait for the current instance to finish" }
- Write-LogMessage -API "StandardsApply" -message "Attempted to Standards but an instance was already running." -sev Info
-}
-else {
- $InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration'
- Write-Host "Started orchestration with ID = '$InstanceId'"
- $Response = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId
- Write-Host ($Response | ConvertTo-Json)
- Write-LogMessage -API "Standards" -tenant $tenant -message "Started applying the standard templates to tenants." -sev Info
- $Results = [pscustomobject]@{"Results" = "Started Applying Standards" }
-}
-Write-Host ($Orchestrator | ConvertTo-Json)
-
-
-Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
- StatusCode = [HttpStatusCode]::OK
- Body = $results
- })
\ No newline at end of file
diff --git a/Standards_OrchestrationStarterTimer/function.json b/Standards_OrchestrationStarterTimer/function.json
deleted file mode 100644
index 0860d6f56788..000000000000
--- a/Standards_OrchestrationStarterTimer/function.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "bindings": [
- {
- "name": "Timer",
- "schedule": "0 0 */3 * * *",
- "direction": "in",
- "type": "timerTrigger"
- },
- {
- "name": "starter",
- "type": "durableClient",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_OrchestrationStarterTimer/run.ps1 b/Standards_OrchestrationStarterTimer/run.ps1
deleted file mode 100644
index 4fa90a9e8720..000000000000
--- a/Standards_OrchestrationStarterTimer/run.ps1
+++ /dev/null
@@ -1,10 +0,0 @@
-using namespace System.Net
-
-param($Timer)
-
-$InstanceId = Start-NewOrchestration -FunctionName 'Standards_Orchestration'
-Write-Host "Started orchestration with ID = '$InstanceId'"
-
-$Response = New-OrchestrationCheckStatusResponse -Request $timer -InstanceId $InstanceId
-Write-Host ($Response | ConvertTo-Json)
-Write-LogMessage -API "Standards" -tenant $tenant -message "Started applying the standard templates to tenants." -sev Info
diff --git a/Standards_OutBoundSpamAlert/function.json b/Standards_OutBoundSpamAlert/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_OutBoundSpamAlert/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_OutBoundSpamAlert/run.ps1 b/Standards_OutBoundSpamAlert/run.ps1
deleted file mode 100644
index 68b3b1952e60..000000000000
--- a/Standards_OutBoundSpamAlert/run.ps1
+++ /dev/null
@@ -1,14 +0,0 @@
-param($tenant)
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Contacts = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.OutBoundSpamAlert
-if (!$Contacts) {
- $Contacts = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.OutBoundSpamAlert
-}
-
-try {
- New-ExoRequest -tenantid $tenant -cmdlet "Set-HostedOutboundSpamFilterPolicy" -cmdparams @{ Identity = "Default"; NotifyOutboundSpam = $true; NotifyOutboundSpamRecipients = $Contacts.OutboundSpamContact } -useSystemMailbox $true
- Write-LogMessage -API "Standards" -tenant $tenant -message "Set outbound spam filter alert to $($Contacts.OutboundSpamContact)" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Could not set outbound spam contact to $($Contacts.OutboundSpamContact). $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_PWcompanionAppAllowedState/function.json b/Standards_PWcompanionAppAllowedState/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_PWcompanionAppAllowedState/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_PWcompanionAppAllowedState/run.ps1 b/Standards_PWcompanionAppAllowedState/run.ps1
deleted file mode 100644
index ef0dbd2b255f..000000000000
--- a/Standards_PWcompanionAppAllowedState/run.ps1
+++ /dev/null
@@ -1,41 +0,0 @@
-param($tenant)
-
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.PWcompanionAppAllowedState
-if (!$Setting) {
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.PWcompanionAppAllowedState
-}
-
-try {
-
- # Get current state of microsoftAuthenticator policy
- $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator" -Type GET)
-
- # Remove number matching from featureSettings because this is now Microsoft enforced and shipping it returns an error
- $authenticatorFeaturesState.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')
-
- # Define feature body
- $featureBody = @{
- state = $Setting.state
- includeTarget = [PSCustomObject]@{
- targetType = 'group'
- id = 'all_users'
- }
- excludeTarget = [PSCustomObject]@{
- targetType = 'group'
- id = '00000000-0000-0000-0000-000000000000'
- }
- }
-
- # Set body for companionAppAllowedState
- $authenticatorFeaturesState.featureSettings.companionAppAllowedState = $featureBody
-
- $body = $authenticatorFeaturesState | ConvertTo-Json -Depth 3
-
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator" -Type patch -Body $body -ContentType "application/json")
-
- Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled companionAppAllowedState." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable companionAppAllowedState. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_PWdisplayAppInformationRequiredState/function.json b/Standards_PWdisplayAppInformationRequiredState/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_PWdisplayAppInformationRequiredState/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_PWdisplayAppInformationRequiredState/run.ps1 b/Standards_PWdisplayAppInformationRequiredState/run.ps1
deleted file mode 100644
index 3f59c422019e..000000000000
--- a/Standards_PWdisplayAppInformationRequiredState/run.ps1
+++ /dev/null
@@ -1,16 +0,0 @@
-param($tenant)
-
-try {
-
- $CurrentInfo = new-graphgetRequest -uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator" -tenantid $Tenant
- $CurrentInfo.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')
- $CurrentInfo.featureSettings.displayAppInformationRequiredState.state = "enabled"
- $CurrentInfo.featureSettings.displayLocationInformationRequiredState.state = "enabled"
- $body = ($CurrentInfo | ConvertTo-Json -depth 10)
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator" -Type patch -Body $body -ContentType "application/json")
-
- Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled passwordless with Information and Number Matching." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable passwordless with Information and Number Matching. Error: $($_.exception.message)" -sev "Error"
-}
\ No newline at end of file
diff --git a/Standards_PWnumberMatchingRequiredState/function.json b/Standards_PWnumberMatchingRequiredState/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_PWnumberMatchingRequiredState/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_PWnumberMatchingRequiredState/run.ps1 b/Standards_PWnumberMatchingRequiredState/run.ps1
deleted file mode 100644
index 65f5c3383852..000000000000
--- a/Standards_PWnumberMatchingRequiredState/run.ps1
+++ /dev/null
@@ -1,8 +0,0 @@
-param($tenant)
-
-try {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Passwordless with number matching is now enabled by default." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable passwordless with Number Matching. Error: $($_.exception.message)" -sev "Error"
-}
\ No newline at end of file
diff --git a/Standards_PasswordExpireDisabled/function.json b/Standards_PasswordExpireDisabled/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_PasswordExpireDisabled/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_PasswordExpireDisabled/run.ps1 b/Standards_PasswordExpireDisabled/run.ps1
deleted file mode 100644
index 58f5cdb972b7..000000000000
--- a/Standards_PasswordExpireDisabled/run.ps1
+++ /dev/null
@@ -1,10 +0,0 @@
-param($tenant)
-try {
- $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/domains" -tenantid $Tenant | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object {
- New-GraphPostRequest -type Patch -tenantid $Tenant -uri "https://graph.microsoft.com/beta/domains/$($_.id)" -body '{"passwordValidityPeriodInDays": 2147483647 }'
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Disabled Password Expiration" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable Password Expiration. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_RotateDKIM/function.json b/Standards_RotateDKIM/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_RotateDKIM/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_RotateDKIM/run.ps1 b/Standards_RotateDKIM/run.ps1
deleted file mode 100644
index 6472d8d055c6..000000000000
--- a/Standards_RotateDKIM/run.ps1
+++ /dev/null
@@ -1,12 +0,0 @@
-param($tenant)
-
-try {
- $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet "Get-DkimSigningConfig") | Where-Object { $_.Selector1KeySize -EQ 1024 -and $_.Enabled -eq $true } | ForEach-Object {
- (New-ExoRequest -tenantid $tenant -cmdlet "Rotate-DkimSigningConfig" -cmdparams @{ KeySize = 2048; Identity = $_.Identity } -useSystemMailbox $true)
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Rotated DKIM" -sev Info
-
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to rotate DKIM Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_SSPR/function.json b/Standards_SSPR/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_SSPR/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_SSPR/run.ps1 b/Standards_SSPR/run.ps1
deleted file mode 100644
index 3b0bbb7da943..000000000000
--- a/Standards_SSPR/run.ps1
+++ /dev/null
@@ -1,7 +0,0 @@
-param($tenant)
-try {
- Write-LogMessage -API "Standards" -tenant $tenant -message "SSPR standard is no longer available" -sev Error
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable SSPR $($_.exception.message)" -sev "Error"
-}
\ No newline at end of file
diff --git a/Standards_SafeSendersDisable/function.json b/Standards_SafeSendersDisable/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_SafeSendersDisable/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_SafeSendersDisable/run.ps1 b/Standards_SafeSendersDisable/run.ps1
deleted file mode 100644
index 1c5cb1d0feb1..000000000000
--- a/Standards_SafeSendersDisable/run.ps1
+++ /dev/null
@@ -1,17 +0,0 @@
-param($tenant)
-
-try {
- $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet "Get-Mailbox" | ForEach-Object {
- try {
- $username = $_.UserPrincipalName
- New-ExoRequest -tenantid $Tenant -cmdlet "Set-MailboxJunkEmailConfiguration" -cmdParams @{Identity = $_.GUID ; TrustedRecipientsAndDomains = $null } -anchor $username
- }
- catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Could not disbale SafeSenders list for $($username): $($_.Exception.message)" -sev Warn
- }
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Safe Senders disabled" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable SafeSenders. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_SecurityDefaults/function.json b/Standards_SecurityDefaults/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_SecurityDefaults/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_SecurityDefaults/run.ps1 b/Standards_SecurityDefaults/run.ps1
deleted file mode 100644
index 09bb20f772e7..000000000000
--- a/Standards_SecurityDefaults/run.ps1
+++ /dev/null
@@ -1,15 +0,0 @@
-param($tenant)
-
-try {
- $SecureDefaultsState = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy" -tenantid $tenant)
-
- if ($SecureDefaultsState.IsEnabled -ne $true) {
- Write-Host "Secure Defaults is disabled. Enabling for $tenant" -ForegroundColor Yellow
- $body = '{ "isEnabled": true }'
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy" -Type patch -Body $body -ContentType "application/json")
- }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Standards API: Security Defaults Enabled." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable Security Defaults Error: $($_.exception.message)" -sev "Error"
-}
\ No newline at end of file
diff --git a/Standards_SendFromAlias/function.json b/Standards_SendFromAlias/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_SendFromAlias/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_SendFromAlias/run.ps1 b/Standards_SendFromAlias/run.ps1
deleted file mode 100644
index 1a6e45c06278..000000000000
--- a/Standards_SendFromAlias/run.ps1
+++ /dev/null
@@ -1,13 +0,0 @@
-param($tenant)
-
-try {
- $AdminAuditLogParams = @{
- SendFromAliasEnabled = $true
- }
- New-ExoRequest -tenantid $Tenant -cmdlet "Set-OrganizationConfig" -cmdParams $AdminAuditLogParams
- Write-LogMessage -API "Standards" -tenant $tenant -message "Send from alias Enabled." -sev Info
-
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to apply Send from Alias Standard. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_SendReceiveLimitTenant/function.json b/Standards_SendReceiveLimitTenant/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_SendReceiveLimitTenant/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_SendReceiveLimitTenant/run.ps1 b/Standards_SendReceiveLimitTenant/run.ps1
deleted file mode 100644
index 1b86b0756ddc..000000000000
--- a/Standards_SendReceiveLimitTenant/run.ps1
+++ /dev/null
@@ -1,54 +0,0 @@ -param($tenant) -# Get the tenant standards settings -$ConfigTable = Get-CippTable -tablename 'standards' -$Limits = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.SendReceiveLimitTenant.SendReceiveLimit -split ',' -if (!$Limits) { - $Limits = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.SendReceiveLimitTenant.SendReceiveLimit -split ',' -} - -# Parse the send limits and convert to bytes -if ($Limits[0] -like "*MB*") { - $MaxSendSize = [int]($Limits[0] -Replace "[a-zA-Z]", "") * 1MB -} -elseif ($Limits[0] -like "*KB*") { - $MaxSendSize = [int]($Limits[0] -Replace "[a-zA-Z]", "") * 1KB -} # Default to 35MB if invalid input -else { - $MaxSendSize = 35MB -} -# Test if the send limit is larger allowed and correct if needed -if ($MaxSendSize -gt 150MB) { - $MaxSendSize = 150MB -} - -# Parse the receive limits and convert to bytes -if ($Limits[1] -like "*MB*") { - $MaxReceiveSize = [int]($Limits[1] -Replace "[a-zA-Z]", "") * 1MB -} -elseif ($Limits[1] -like "*KB*") { - $MaxReceiveSize = [int]($Limits[1] -Replace "[a-zA-Z]", "") * 1KB -} # Default to 36MB if invalid input -else { - $MaxReceiveSize = 36MB -} -# Test if the receive limit is larger allowed and correct if needed -if ($MaxReceiveSize -gt 150MB) { - $MaxReceiveSize = 150MB -} - -try { - # Get all mailbox plans - $AllMailBoxPlans = New-ExoRequest -tenantid $Tenant -cmdlet "Get-MailboxPlan" | Select-Object DisplayName, MaxSendSize, MaxReceiveSize, GUID - - # Loop through all mailbox plans and set the send and receive limits for each if needed - foreach ($MailboxPlan in $AllMailBoxPlans) { - if ($MailboxPlan.MaxSendSize -ne $MaxSendSize -and $MailboxPlan.MaxReceiveSize -ne $MaxReceiveSize) { - New-ExoRequest -tenantid $Tenant -cmdlet "Set-MailboxPlan" -cmdParams @{Identity = $MailboxPlan.GUID; MaxSendSize = 
$MaxSendSize; MaxReceiveSize = $MaxReceiveSize } -useSystemMailbox $true - } - } - # Write to log on success - Write-LogMessage -API "Standards" -tenant $tenant -message "Successfully set the tenant send and receive limits " -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to set the tenant send and receive limits. Error: $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_SpoofWarn/function.json b/Standards_SpoofWarn/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_SpoofWarn/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_SpoofWarn/run.ps1 b/Standards_SpoofWarn/run.ps1 deleted file mode 100644 index 1fc970fbe231..000000000000 --- a/Standards_SpoofWarn/run.ps1 +++ /dev/null 
@@ -1,20 +0,0 @@
-param($tenant)
-
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.spoofwarn
-if (!$Setting) {
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.spoofwarn
-}
-$status = if ($Setting.enable -and $Setting.disable) {
- Write-LogMessage -API "Standards" -tenant $tenant -message "You cannot both enable and disable the Spoof Warnings setting" -sev Error
- Exit
-}
-elseif ($setting.enable) { $true } else { $false }
-try {
- New-ExoRequest -tenantid $Tenant -cmdlet "Set-ExternalInOutlook" -cmdParams @{ Enabled = $status; }
- Write-LogMessage -API "Standards" -tenant $tenant -message "Spoofing warnings set to $status." -sev Info
-
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Could not set spoofing warnings to $status. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_TAP/function.json b/Standards_TAP/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_TAP/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_TAP/run.ps1 b/Standards_TAP/run.ps1
deleted file mode 100644
index b7ca0a778c6e..000000000000
--- a/Standards_TAP/run.ps1
+++ /dev/null
@@ -1,31 +0,0 @@
-param($tenant)
-$ConfigTable = Get-CippTable -tablename 'standards'
-$TAPConfig = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).Standards.TAP.config
-if (!$TAPConfig) {
- $TAPConfig = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).Standards.TAP.config
-}
-if (!$TAPConfig) { $TAPConfig = 'true' }
-try {
- $MinimumLifetime = "60" #Minutes
- $MaximumLifetime = "480" #minutes
- $DefaultLifeTime = "60" #minutes
- $DefaultLength = "8"
- $body = @"
- {"@odata.type":"#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration",
- "id":"TemporaryAccessPass",
- "includeTargets":[{"id":"all_users",
- "isRegistrationRequired":false,
- "targetType":"group","displayName":"All users"}],
- "defaultLength":$DefaultLength,
- "defaultLifetimeInMinutes":$DefaultLifeTime,
- "isUsableOnce": $TAPConfig,
- "maximumLifetimeInMinutes":$MaximumLifetime,
- "minimumLifetimeInMinutes":$MinimumLifetime,
- "state":"enabled"}
-"@
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass" -Type patch -asApp $true -Body $body -ContentType "application/json")
- Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled Temporary Access Passwords." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable TAP. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_TransportRuleTemplate/function.json b/Standards_TransportRuleTemplate/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_TransportRuleTemplate/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_TransportRuleTemplate/run.ps1 b/Standards_TransportRuleTemplate/run.ps1
deleted file mode 100644
index 5b29a2e6934a..000000000000
--- a/Standards_TransportRuleTemplate/run.ps1
+++ /dev/null
@@ -1,35 +0,0 @@ -param($tenant) - - -$ConfigTable = Get-CippTable -tablename 'standards' -$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate -if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate -} - -foreach ($Template in $Setting.TemplateList) { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'TransportTemplate' and RowKey eq '$($Template.value)'" - $RequestParams = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenant -cmdlet "Get-TransportRule" -useSystemMailbox $true | Where-Object -Property Identity -EQ $RequestParams.name - - - try { - if ($Existing) { - Write-Host "Found existing" - $RequestParams | Add-Member -NotePropertyValue $RequestParams.name -NotePropertyName Identity - $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "Set-TransportRule" -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty UseLegacyRegex) -useSystemMailbox $true - Write-LogMessage -API "Standards" -tenant $tenant -message "Successfully set transport rule for $tenant" -sev "Info" - } - else { - Write-Host "Creating new" - $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "New-TransportRule" -cmdParams $RequestParams -useSystemMailbox $true - Write-LogMessage -API "Standards" -tenant $tenant -message "Successfully created transport rule for $tenant" -sev "Info" - } - - Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($tenantfilter)" -sev "Debug" - } - catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Could not create transport rule for $($tenantfilter): $($_.Exception.message)" -sev "Error" - } -} \ No newline at 
end of file
diff --git a/Standards_UndoOauth/function.json b/Standards_UndoOauth/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_UndoOauth/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_UndoOauth/run.ps1 b/Standards_UndoOauth/run.ps1
deleted file mode 100644
index cdf054417241..000000000000
--- a/Standards_UndoOauth/run.ps1
+++ /dev/null
@@ -1,8 +0,0 @@
-param($tenant)
-try {
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy" -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}' -ContentType "application/json"
- Write-LogMessage -API "Standards" -tenant $tenant -message "Application Consent Mode has been disabled." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to set Application Consent Mode to disabled Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_UndoSSPR/function.json b/Standards_UndoSSPR/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_UndoSSPR/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_UndoSSPR/run.ps1 b/Standards_UndoSSPR/run.ps1
deleted file mode 100644
index b6c0c198165a..000000000000
--- a/Standards_UndoSSPR/run.ps1
+++ /dev/null
@@ -1,2 +0,0 @@
-param($tenant)
-Write-LogMessage -API "Standards" -tenant $tenant -message "The standard for SSPR is no longer supported." -sev Error
diff --git a/Standards_UserSubmissions/function.json b/Standards_UserSubmissions/function.json
deleted file mode 100644
index e498538b37c5..000000000000
--- a/Standards_UserSubmissions/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
diff --git a/Standards_UserSubmissions/run.ps1 b/Standards_UserSubmissions/run.ps1
deleted file mode 100644
index 70b961c87ea6..000000000000
--- a/Standards_UserSubmissions/run.ps1
+++ /dev/null
@@ -1,44 +0,0 @@ -param($tenant) - -$ConfigTable = Get-CippTable -tablename 'standards' -$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.usersubmissions -if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.usersubmissions -} -if ($Setting.enable -and $Setting.disable) { - Write-LogMessage -API "Standards" -tenant $tenant -message "You cannot both enable and disable the User Submission policy" -sev Error - Exit -} -elseif ($setting.enable) { - $status = $true - try { - $Policy = New-ExoRequest -tenantid $Tenant -cmdlet "Get-ReportSubmissionPolicy" - if ($Policy.length -eq 0) { - New-ExoRequest -tenantid $Tenant -cmdlet "New-ReportSubmissionPolicy" - Write-LogMessage -API "Standards" -tenant $tenant -message "User Submission policy set to $status." -sev Info - } - else { - New-ExoRequest -tenantid $Tenant -cmdlet "Set-ReportSubmissionPolicy" -cmdParams @{ EnableReportToMicrosoft = $status; Identity = $($Policy.Identity); } - Write-LogMessage -API "Standards" -tenant $tenant -message "User Submission policy set to $status." -sev Info - } - } - catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Could not set User Submission policy to $status. Error: $($_.exception.message)" -sev Error - } -} -else { - $status = $false - try { - $Policy = New-ExoRequest -tenantid $Tenant -cmdlet "Get-ReportSubmissionPolicy" - if ($Policy.length -eq 0) { - Write-LogMessage -API "Standards" -tenant $tenant -message "User Submission policy set to $status." 
-sev Info - } - else { - New-ExoRequest -tenantid $Tenant -cmdlet "Set-ReportSubmissionPolicy" -cmdParams @{ EnableReportToMicrosoft = $status; Identity = $($Policy.Identity); EnableThirdPartyAddress = $status; ReportJunkToCustomizedAddress = $status; ReportNotJunkToCustomizedAddress = $status; ReportPhishToCustomizedAddress = $status; } - Write-LogMessage -API "Standards" -tenant $tenant -message "User Submission policy set to $status." -sev Info - } - } - catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Could not set User Submission policy to $status. Error: $($_.exception.message)" -sev Error - } -} \ No newline at end of file diff --git a/Standards_allowOAuthTokens/function.json b/Standards_allowOAuthTokens/function.json deleted file mode 100644 index 2d4ea9094b24..000000000000 --- a/Standards_allowOAuthTokens/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "direction": "in", - "type": "activityTrigger" - } - ] -} \ No newline at end of file diff --git a/Standards_allowOAuthTokens/run.ps1 b/Standards_allowOAuthTokens/run.ps1 deleted file mode 100644 index 7b18fd438449..000000000000 --- a/Standards_allowOAuthTokens/run.ps1 +++ /dev/null 
@@ -1,14 +0,0 @@
-param($tenant)
-
-try {
-
- $CurrentInfo = new-graphgetRequest -uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath" -tenantid $Tenant
- $CurrentInfo.state = "enabled"
- $body = ($CurrentInfo | ConvertTo-Json -Depth 10)
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath" -Type patch -Body $body -ContentType "application/json")
-
- Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled software OTP/oAuth tokens" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable software OTP/oAuth tokens. Error: $($_.exception.message)" -sev "Error"
-}
\ No newline at end of file
diff --git a/Standards_allowOTPTokens/function.json b/Standards_allowOTPTokens/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_allowOTPTokens/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_allowOTPTokens/run.ps1 b/Standards_allowOTPTokens/run.ps1
deleted file mode 100644
index 6344508da742..000000000000
--- a/Standards_allowOTPTokens/run.ps1
+++ /dev/null
@@ -1,15 +0,0 @@
-param($tenant)
-
-try {
-
- $CurrentInfo = new-graphgetRequest -uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator" -tenantid $Tenant
- $CurrentInfo.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')
- $CurrentInfo.isSoftwareOathEnabled = $true
- $body = ($CurrentInfo | ConvertTo-Json -Depth 10)
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator" -Type patch -Body $body -ContentType "application/json")
-
- Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled MS authenticator OTP/oAuth tokens" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable MS authenticator OTP/oAuth tokens. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_calDefault/function.json b/Standards_calDefault/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_calDefault/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_calDefault/run.ps1 b/Standards_calDefault/run.ps1
deleted file mode 100644
index f2e54d38773a..000000000000
--- a/Standards_calDefault/run.ps1
+++ /dev/null
@@ -1,23 +0,0 @@
-param($tenant)
-
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.caldefault
-if (!$Setting) {
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.caldefault
-}
-
-
-$Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet "get-mailbox"
-foreach ($Mailbox in $Mailboxes) {
- try {
- New-ExoRequest -tenantid $Tenant -cmdlet "Get-MailboxFolderStatistics" -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | Where-Object { $_.FolderType -eq 'Calendar' } | ForEach-Object {
- New-ExoRequest -tenantid $Tenant -cmdlet "Set-MailboxFolderPermission" -cmdparams @{Identity = "$($Mailbox.UserPrincipalName):$($_.FolderId)"; User = 'Default'; AccessRights = $setting.permissionlevel } -Anchor $Mailbox.UserPrincipalName
- Write-LogMessage -API "Standards" -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName):\$($_.Name) to $($setting.permissionlevel)" -sev Info
- }
- }
- catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Could not set default calendar permissions for $($Mailbox.UserPrincipalName). Error: $($_.exception.message)" -sev Error
- }
-
-}
-Write-LogMessage -API "Standards" -tenant $tenant -message "Done setting default calendar permissions." -sev Info
\ No newline at end of file
diff --git a/Standards_disableMacSync/function.json b/Standards_disableMacSync/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_disableMacSync/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_disableMacSync/run.ps1 b/Standards_disableMacSync/run.ps1
deleted file mode 100644
index 232e6be61387..000000000000
--- a/Standards_disableMacSync/run.ps1
+++ /dev/null
@@ -1,10 +0,0 @@
-param($tenant)
-
-try {
- $body = '{"isMacSyncAppEnabled": false}'
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/admin/sharepoint/settings" -AsApp $true -Type patch -Body $body -ContentType "application/json"
- Write-LogMessage -API "Standards" -tenant $tenant -message "Disabled Mac OneDrive Sync" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable Mac OneDrive Sync: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_fwdAdminAlerts/function.json b/Standards_fwdAdminAlerts/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_fwdAdminAlerts/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_fwdAdminAlerts/run.ps1 b/Standards_fwdAdminAlerts/run.ps1
deleted file mode 100644
index fa5add33f029..000000000000
--- a/Standards_fwdAdminAlerts/run.ps1
+++ /dev/null
@@ -1,23 +0,0 @@
-param($tenant)
-
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.caldefault
-if (!$Setting) {
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.caldefault
-}
-
-
-$Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet "get-mailbox"
-foreach ($Mailbox in $Mailboxes) {
- try {
- New-ExoRequest -tenantid $Tenant -cmdlet "Get-MailboxFolderStatistics" -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | ForEach-Object {
- New-ExoRequest -tenantid $Tenant -cmdlet "Set-MailboxFolderPermission" -cmdparams @{Identity = "$($Mailbox.UserPrincipalName):$($_.FolderId)"; User = 'Default'; AccessRights = $setting.permissionlevel } -Anchor $Mailbox.UserPrincipalName
- Write-LogMessage -API "Standards" -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName):\$($_.Name) to $($setting.permissionlevel)" -sev Info
- }
- }
- catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Could not set default calendar permissions for $($Mailbox.UserPrincipalName). Error: $($_.exception.message)" -sev Error
- }
-
-}
-Write-LogMessage -API "Standards" -tenant $tenant -message "Done setting default calendar permissions." -sev Info
\ No newline at end of file
diff --git a/Standards_intuneDeviceReg/function.json b/Standards_intuneDeviceReg/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_intuneDeviceReg/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_intuneDeviceReg/run.ps1 b/Standards_intuneDeviceReg/run.ps1
deleted file mode 100644
index 20cff265909a..000000000000
--- a/Standards_intuneDeviceReg/run.ps1
+++ /dev/null
@@ -1,16 +0,0 @@
-param($tenant)
-try {
- $ConfigTable = Get-CippTable -tablename 'standards'
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.intuneDeviceReg
- if (!$Setting) {
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.intuneDeviceReg
- }
- $PreviousSetting = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy" -tenantid $Tenant
- $PreviousSetting.userDeviceQuota = $Setting.max
- $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy" -Type PUT -Body $NewBody -ContentType "application/json"
- Write-LogMessage -API "Standards" -tenant $tenant -message "Set user device quota to $($setting.max)" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to set user device quota to $($setting.max) : $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_intuneDeviceRetirementDays/function.json b/Standards_intuneDeviceRetirementDays/function.json
deleted file mode 100644
index 2d4ea9094b24..000000000000
--- a/Standards_intuneDeviceRetirementDays/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "direction": "in",
- "type": "activityTrigger"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_intuneDeviceRetirementDays/run.ps1 b/Standards_intuneDeviceRetirementDays/run.ps1
deleted file mode 100644
index 2ff61cc18f3e..000000000000
--- a/Standards_intuneDeviceRetirementDays/run.ps1
+++ /dev/null
@@ -1,19 +0,0 @@
-param($tenant)
-
-$ConfigTable = Get-CippTable -tablename 'standards'
-$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.DeviceInactivityBeforeRetirementInDays
-if (!$Setting) {
- $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.DeviceInactivityBeforeRetirementInDays
-}
-
-try {
-
- $body = @{ DeviceInactivityBeforeRetirementInDays = $Setting.days } | ConvertTo-Json
-
- (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings" -Type PATCH -Body $body -ContentType "application/json")
-
- Write-LogMessage -API "Standards" -tenant $tenant -message "Enabled DeviceInactivityBeforeRetirementInDays." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to enable DeviceInactivityBeforeRetirementInDays. Error: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_intuneRequireMFA/function.json b/Standards_intuneRequireMFA/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_intuneRequireMFA/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_intuneRequireMFA/run.ps1 b/Standards_intuneRequireMFA/run.ps1
deleted file mode 100644
index 445ab1fee6ac..000000000000
--- a/Standards_intuneRequireMFA/run.ps1
+++ /dev/null
@@ -1,11 +0,0 @@
-param($tenant)
-try {
- $PreviousSetting = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy" -tenantid $Tenant
- $PreviousSetting.multiFactorAuthConfiguration = '1'
- $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy" -Type PUT -Body $NewBody -ContentType "application/json"
- Write-LogMessage -API "Standards" -tenant $tenant -message "Set required to use MFA when joining Intune Devices" -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to set require to use MFA when joining Intune Devices: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_laps/function.json b/Standards_laps/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_laps/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_laps/run.ps1 b/Standards_laps/run.ps1
deleted file mode 100644
index 7aeedfe9124f..000000000000
--- a/Standards_laps/run.ps1
+++ /dev/null
@@ -1,11 +0,0 @@
-param($tenant)
-try {
- $PreviousSetting = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy" -tenantid $Tenant
- $previoussetting.localadminpassword.isEnabled = $true
- $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting
- New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy" -Type PUT -Body $newBody -ContentType "application/json"
- Write-LogMessage -API "Standards" -tenant $tenant -message "LAPS has been enabled." -sev Info
-}
-catch {
- Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to set LAPS: $($_.exception.message)" -sev Error
-}
\ No newline at end of file
diff --git a/Standards_sharingCapability/function.json b/Standards_sharingCapability/function.json
deleted file mode 100644
index ce713ef7d4f6..000000000000
--- a/Standards_sharingCapability/function.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "bindings": [
- {
- "name": "tenant",
- "type": "activityTrigger",
- "direction": "in"
- }
- ]
-}
\ No newline at end of file
diff --git a/Standards_sharingCapability/run.ps1 b/Standards_sharingCapability/run.ps1
deleted file mode 100644
index 746f067723f5..000000000000
--- a/Standards_sharingCapability/run.ps1
+++ /dev/null
@@ -1,15 +0,0 @@ -param($tenant) - -$ConfigTable = Get-CippTable -tablename 'standards' -$Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.sharingCapability -if (!$Setting) { - $Setting = ((Get-CIPPAzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.sharingCapability -} - -try { - New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/admin/sharepoint/settings" -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Setting.Level)`"}" -ContentType "application/json" - Write-LogMessage -API "Standards" -tenant $tenant -message "Set sharing level to $($Setting.level)" -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to set sharing level to $($Setting.level): $($_.exception.message)" -sev Error -} \ No newline at end of file diff --git a/Standards_unmanagedSync/function.json b/Standards_unmanagedSync/function.json deleted file mode 100644 index ce713ef7d4f6..000000000000 --- a/Standards_unmanagedSync/function.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "bindings": [ - { - "name": "tenant", - "type": "activityTrigger", - "direction": "in" - } - ] -} \ No newline at end of file diff --git a/Standards_unmanagedSync/run.ps1 b/Standards_unmanagedSync/run.ps1 deleted file mode 100644 index a46d1bc146f5..000000000000 --- a/Standards_unmanagedSync/run.ps1 +++ /dev/null 
@@ -1,10 +0,0 @@ -param($tenant) - -try { - $body = '{"isUnmanagedSyncAppForTenantRestricted": false}' - New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/admin/sharepoint/settings" -AsApp $true -Type patch -Body $body -ContentType "application/json" - Write-LogMessage -API "Standards" -tenant $tenant -message "Disabled Sync for unmanaged devices" -sev Info -} -catch { - Write-LogMessage -API "Standards" -tenant $tenant -message "Failed to disable Sync for unmanaged devices: $($_.exception.message)" -sev Error -} \ No newline at end of file From 696e26e8bf509920ba076e2f3541a125a3fb10e1 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Thu, 7 Dec 2023 23:23:13 +0100 Subject: [PATCH 51/78] more standards rewrite --- .../Entrypoints/Invoke-ExecStandardsRun.ps1 | 28 +++++++++++++++++++ .../Public/Invoke-CIPPStandardsRun.ps1 | 12 +++++++- Scheduler_Standards/run.ps1 | 5 ++-- 3 files changed, 42 insertions(+), 3 deletions(-) create mode 100644 Modules/CIPPCore/Public/Entrypoints/Invoke-ExecStandardsRun.ps1 diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecStandardsRun.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecStandardsRun.ps1 new file mode 100644 index 000000000000..c205bf24d57b --- /dev/null +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecStandardsRun.ps1 
@@ -0,0 +1,28 @@ +using namespace System.Net + +Function Invoke-ExecStandardsRun { + <# + .FUNCTIONALITY + Entrypoint + #> + [CmdletBinding()] + param($Request, $TriggerMetadata) + $APIName = $TriggerMetadata.FunctionName + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + $tenantfilter = if ($Request.Query.TenantFilter) { $Request.Query.TenantFilter } else { 'allTenants' } + try { + $null = Invoke-CIPPStandardsRun -Tenantfilter $tenantfilter + $Results = "Successfully Started Standards Run for Tenant $tenantfilter" + } catch { + $Results = "Failed to start standards run for $tenantfilter. Error: $($_.Exception.Message)" + } + + $Results = [pscustomobject]@{'Results' = "$results" } + + # Associate values to output bindings by calling 'Push-OutputBinding'. + Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ + StatusCode = [HttpStatusCode]::OK + Body = $Results + }) + +} diff --git a/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1 b/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1 index d08484abf793..ee6b6939a823 100644 --- a/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1 +++ b/Modules/CIPPCore/Public/Invoke-CIPPStandardsRun.ps1 @@ -1,8 +1,18 @@ function Invoke-CIPPStandardsRun { - Write-Host 'Starting process for standards.' + [CmdletBinding()] + param( + [Parameter(Mandatory = $false)] + [string]$TenantFilter = 'allTenants' + ) + Write-Host "Starting process for standards - $($tenantFilter)" $Table = Get-CippTable -tablename 'standards' $SkipList = Get-Tenants -SkipList + if ($tenantfilter -ne 'allTenants') { + $Filter = "PartitionKey eq 'standards' and RowKey eq '$($tenantfilter)'" + } else { + $Filter = "PartitionKey eq 'standards'" + } $Tenants = (Get-CIPPAzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json #Migrate from old standards to new standards. 
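Review bot: The response is sent with `StatusCode = [HttpStatusCode]::OK` even when the catch branch ran, so a caller cannot tell a started run from a failed one except by parsing the message, and the failure is never written to the log. Track the status in both branches — `$StatusCode = [HttpStatusCode]::OK` in the try, `$StatusCode = [HttpStatusCode]::BadRequest` plus a `Write-LogMessage -API $APIName -message "Failed to start standards run for $tenantfilter: $($_.Exception.Message)" -sev Error` in the catch — and pass `StatusCode = $StatusCode` to the HttpResponseContext. Returning the raw `$_.Exception.Message` to the client is also worth a second look; `Get-NormalizedError` is used for that purpose elsewhere in this series.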
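Review bot: `$TenantFilter` is interpolated unescaped into the table OData filter (`RowKey eq '$($tenantfilter)'`), and in this series it arrives straight from the HTTP query string via Invoke-ExecStandardsRun, so a value containing a single quote changes the query rather than failing cleanly. The function already calls `Get-Tenants -SkipList` two lines earlier; validate the filter against the known tenant list before building `$Filter`, or at minimum escape it: `$Filter = "PartitionKey eq 'standards' and RowKey eq '$($TenantFilter -replace "'", "''")'"`. The parameter is declared `$TenantFilter` but read as `$tenantfilter`, which PowerShell tolerates but is inconsistent. The function body continues past this hunk, so whether `$SkipList` is honoured for a single-tenant run is not visible here.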
diff --git a/Scheduler_Standards/run.ps1 b/Scheduler_Standards/run.ps1 index a99641cf210b..7466a60f5338 100644 --- a/Scheduler_Standards/run.ps1 +++ b/Scheduler_Standards/run.ps1 @@ -1,5 +1,6 @@ using namespace System.Net param($Timer) - -Invoke-CIPPStandardsRun \ No newline at end of file +Write-LogMessage -API 'Standards' -message 'Starting Standards Schedule' -sev Info +Invoke-CIPPStandardsRun -tenantfilter 'allTenants' +Write-LogMessage -API 'Standards' -message 'Launched all standard jobs' -sev Info \ No newline at end of file From c34c9de07142a2bed767eae0eb4fb95bc1be648a Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Fri, 8 Dec 2023 09:16:32 +0000 Subject: [PATCH 52/78] License Overflow added --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index f2d47f924c6a..68ba93645ce3 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -2029,7 +2029,7 @@ function Invoke-NinjaOneTenantSync { $LicenseTableHTML = ([System.Web.HttpUtility]::HtmlDecode($LicenseTableHTML) -replace '', '') -replace '', '' $TitleLink = "https://$CIPPUrl/tenant/administration/list-licenses?customerId=$($Customer.customerId)" - $LicensesSummaryCardHTML = Get-NinjaOneCard -Title 'Licenses' -Body $LicenseTableHTML -Icon 'fas fa-chart-bar' -TitleLink $TitleLink + $LicensesSummaryCardHTML = '
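Review bot: `Invoke-CIPPStandardsRun` is called with no error handling, so if it throws, the 'Launched all standard jobs' line is never reached and the only trace of the failure is the host's unhandled-exception record rather than an Error entry in the same Standards log the 'Starting' line went to. Wrap the call so the failure is recorded and still surfaced to the host: `try { Invoke-CIPPStandardsRun -tenantfilter 'allTenants' } catch { Write-LogMessage -API 'Standards' -message "Standards schedule failed: $($_.Exception.Message)" -sev Error; throw }`.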
' + "$(Get-NinjaOneCard -Title 'Licenses' -Body $LicenseTableHTML -Icon 'fas fa-chart-bar' -TitleLink $TitleLink)" + '
' ### Summary Stats From 6119a0b252461b904717841dea8a02f1e3bbc116 Mon Sep 17 00:00:00 2001 From: lwhitelock <79275328+lwhitelock@users.noreply.github.com> Date: Fri, 8 Dec 2023 09:30:12 +0000 Subject: [PATCH 53/78] License Table fix --- Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 index 68ba93645ce3..23c943e5cd26 100644 --- a/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 +++ b/Modules/CippExtensions/NinjaOne/Invoke-NinjaOneTenantSync.ps1 @@ -2026,10 +2026,10 @@ function Invoke-NinjaOneTenantSync { ### License Card Write-Host "License Details" $LicenseTableHTML = $LicensesParsed | Sort-Object 'License Name' | ConvertTo-HTML -As Table -Fragment - $LicenseTableHTML = ([System.Web.HttpUtility]::HtmlDecode($LicenseTableHTML) -replace '', '') -replace '', '' + $LicenseTableHTML = '
' + (([System.Web.HttpUtility]::HtmlDecode($LicenseTableHTML) -replace '', '') -replace '', '') + '
' $TitleLink = "https://$CIPPUrl/tenant/administration/list-licenses?customerId=$($Customer.customerId)" - $LicensesSummaryCardHTML = '
' + "$(Get-NinjaOneCard -Title 'Licenses' -Body $LicenseTableHTML -Icon 'fas fa-chart-bar' -TitleLink $TitleLink)" + '
' + $LicensesSummaryCardHTML = Get-NinjaOneCard -Title 'Licenses' -Body $LicenseTableHTML -Icon 'fas fa-chart-bar' -TitleLink $TitleLink ### Summary Stats From 6d12a401d8626ad8c1c8806424a23e025d722b89 Mon Sep 17 00:00:00 2001 
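Review bot: `[System.Web.HttpUtility]::HtmlDecode` is applied to the whole ConvertTo-HTML fragment, which undoes the entity escaping ConvertTo-HTML performs, so any `<`, `>` or `&` in a value of `$LicensesParsed` is emitted as raw markup inside the card. Where `$LicensesParsed` is built is outside this hunk; if its values come from tenant data, prefer running the two `-replace` calls against the still-encoded fragment and decoding only the specific markers they target, rather than decoding everything. The enclosing function Invoke-NinjaOneTenantSync extends well beyond this hunk.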
From: KelvinTegelaar Date: Fri, 8 Dec 2023 12:34:24 +0100 Subject: [PATCH 54/78] improvements --- .../Public/Entrypoints/Push-CIPPStandard.ps1 | 25 ++--------- ...nvoke-CIPPStandardActivityBasedTimeout.ps1 | 26 ++++++++++++ ...ate.ps1 => Invoke-CIPPStandardAddDKIM.ps1} | 5 ++- ... Invoke-CIPPStandardAnonReportDisable.ps1} | 5 ++- .../Standards/Invoke-CIPPStandardAuditLog.ps1 | 31 ++++++++++++++ ... Invoke-CIPPStandardAutoExpandArchive.ps1} | 5 ++- ...ps1 => Invoke-CIPPStandardAzurePortal.ps1} | 5 ++- ... Invoke-CIPPStandardConditionalAccess.ps1} | 5 ++- ... Invoke-CIPPStandardDelegateSentItems.ps1} | 5 ++- ...oke-CIPPStandardDeletedUserRentention.ps1} | 5 ++- ...StandardDisableAddShortcutsToOneDrive.ps1} | 5 ++- ...> Invoke-CIPPStandardDisableBasicAuth.ps1} | 5 ++- ...voke-CIPPStandardDisableBasicAuthSMTP.ps1} | 5 ++- ...oke-CIPPStandardDisableGuestDirectory.ps1} | 5 ++- ...1 => Invoke-CIPPStandardDisableGuests.ps1} | 5 ++- ...oke-CIPPStandardDisableM365GroupUsers.ps1} | 5 ++- .../Invoke-CIPPStandardDisableReshare.ps1 | 19 +++++++++ ...CIPPStandardDisableSecurityGroupUsers.ps1} | 5 ++- ...IPPStandardDisableSelfServiceLicenses.ps1} | 5 ++- ...nvoke-CIPPStandardDisableSharedMailbox.ps1 | 18 ++++++++ ...oke-CIPPStandardDisableTenantCreation.ps1} | 5 ++- ...oke-CIPPStandardDisableUserSiteCreate.ps1} | 5 ++- ...ps1 => Invoke-CIPPStandardDisableViva.ps1} | 5 ++- ...-CIPPStandardEnableAppConsentRequests.ps1} | 7 +++- ...ps1 => Invoke-CIPPStandardEnableFIDO2.ps1} | 5 ++- ...oke-CIPPStandardEnableOnlineArchiving.ps1} | 5 ++- ...ps1 => Invoke-CIPPStandardExConnector.ps1} | 5 ++- ...=> Invoke-CIPPStandardExcludedfileExt.ps1} | 5 ++- ...1 => Invoke-CIPPStandardGroupTemplate.ps1} | 5 ++- ... 
=> Invoke-CIPPStandardIntuneTemplate.ps1} | 5 ++- ...e.ps1 => Invoke-CIPPStandardLegacyMFA.ps1} | 5 ++- ...> Invoke-CIPPStandardLegacyMFACleanup.ps1} | 5 ++- ...s1 => Invoke-CIPPStandardMailContacts.ps1} | 5 ++- ....ps1 => Invoke-CIPPStandardModernAuth.ps1} | 5 ++- ...te.ps1 => Invoke-CIPPStandardNudgeMFA.ps1} | 5 ++- ...s1 => Invoke-CIPPStandardOauthConsent.ps1} | 3 +- ...Invoke-CIPPStandardOauthConsentLowSec.ps1} | 5 ++- ... Invoke-CIPPStandardOutBoundSpamAlert.ps1} | 5 ++- ...IPPStandardPWcompanionAppAllowedState.ps1} | 5 ++- ...dPWdisplayAppInformationRequiredState.ps1} | 5 ++- ...StandardPWnumberMatchingRequiredState.ps1} | 5 ++- ...ke-CIPPStandardPasswordExpireDisabled.ps1} | 5 ++- ....ps1 => Invoke-CIPPStandardRotateDKIM.ps1} | 5 ++- ...ediate.ps1 => Invoke-CIPPStandardSSPR.ps1} | 5 ++- ...Invoke-CIPPStandardSafeSendersDisable.ps1} | 7 +++- ...> Invoke-CIPPStandardSecurityDefaults.ps1} | 5 ++- ...1 => Invoke-CIPPStandardSendFromAlias.ps1} | 5 ++- ...ke-CIPPStandardSendReceiveLimitTenant.ps1} | 7 +++- ...e.ps1 => Invoke-CIPPStandardSpoofWarn.ps1} | 5 ++- ...mediate.ps1 => Invoke-CIPPStandardTAP.ps1} | 5 ++- ...oke-CIPPStandardTransportRuleTemplate.ps1} | 5 ++- ...e.ps1 => Invoke-CIPPStandardUndoOauth.ps1} | 5 ++- ...te.ps1 => Invoke-CIPPStandardUndoSSPR.ps1} | 5 ++- .../Invoke-CIPPStandardUserSubmissions.ps1 | 42 +++++++++++++++++++ ...> Invoke-CIPPStandardallowOAuthTokens.ps1} | 7 +++- ... => Invoke-CIPPStandardallowOTPTokens.ps1} | 7 +++- ....ps1 => Invoke-CIPPStandardcalDefault.ps1} | 5 ++- ... => Invoke-CIPPStandarddisableMacSync.ps1} | 5 ++- ... => Invoke-CIPPStandardfwdAdminAlerts.ps1} | 5 ++- ...=> Invoke-CIPPStandardintuneDeviceReg.ps1} | 5 ++- ...IPPStandardintuneDeviceRetirementDays.ps1} | 5 ++- ...> Invoke-CIPPStandardintuneRequireMFA.ps1} | 7 +++- ...ediate.ps1 => Invoke-CIPPStandardlaps.ps1} | 5 ++- ... 
Invoke-CIPPStandardsharingCapability.ps1} | 5 ++- ...1 => Invoke-CIPPStandardunmanagedSync.ps1} | 5 ++- .../Invoke-ActivityBasedTimeout-Remediate.ps1 | 23 ---------- .../Remediate/Invoke-AuditLog-Remediate.ps1 | 30 ------------- .../Invoke-DisableReshare-Remediate.ps1 | 16 ------- .../Invoke-DisableSharedMailbox-Remediate.ps1 | 17 -------- .../Invoke-UserSubmissions-Remediate.ps1 | 39 ----------------- 70 files changed, 380 insertions(+), 211 deletions(-) create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-AddDKIM-Remediate.ps1 => Invoke-CIPPStandardAddDKIM.ps1} (90%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-AnonReportDisable-Remediate.ps1 => Invoke-CIPPStandardAnonReportDisable.ps1} (87%) create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-AutoExpandArchive-Remediate.ps1 => Invoke-CIPPStandardAutoExpandArchive.ps1} (89%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-AzurePortal-Remediate.ps1 => Invoke-CIPPStandardAzurePortal.ps1} (77%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-ConditionalAccess-Remediate.ps1 => Invoke-CIPPStandardConditionalAccess.ps1} (93%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DelegateSentItems-Remediate.ps1 => Invoke-CIPPStandardDelegateSentItems.ps1} (93%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DeletedUserRentention-Remediate.ps1 => Invoke-CIPPStandardDeletedUserRentention.ps1} (88%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 => Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1} (97%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableBasicAuth-Remediate.ps1 => Invoke-CIPPStandardDisableBasicAuth.ps1} (80%) rename 
Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1 => Invoke-CIPPStandardDisableBasicAuthSMTP.ps1} (86%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableGuestDirectory-Remediate.ps1 => Invoke-CIPPStandardDisableGuestDirectory.ps1} (89%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableGuests-Remediate.ps1 => Invoke-CIPPStandardDisableGuests.ps1} (94%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 => Invoke-CIPPStandardDisableM365GroupUsers.ps1} (96%) create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1 => Invoke-CIPPStandardDisableSecurityGroupUsers.ps1} (88%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1 => Invoke-CIPPStandardDisableSelfServiceLicenses.ps1} (81%) create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableTenantCreation-Remediate.ps1 => Invoke-CIPPStandardDisableTenantCreation.ps1} (89%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 => Invoke-CIPPStandardDisableUserSiteCreate.ps1} (88%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-DisableViva-Remediate.ps1 => Invoke-CIPPStandardDisableViva.ps1} (90%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 => Invoke-CIPPStandardEnableAppConsentRequests.ps1} (96%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-EnableFIDO2-Remediate.ps1 => Invoke-CIPPStandardEnableFIDO2.ps1} (93%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 => Invoke-CIPPStandardEnableOnlineArchiving.ps1} (90%) rename 
Modules/CIPPCore/Public/Standards/{Remediate/Invoke-ExConnector-Remediate.ps1 => Invoke-CIPPStandardExConnector.ps1} (96%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-ExcludedfileExt-Remediate.ps1 => Invoke-CIPPStandardExcludedfileExt.ps1} (90%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-GroupTemplate-Remediate.ps1 => Invoke-CIPPStandardGroupTemplate.ps1} (97%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-IntuneTemplate-Remediate.ps1 => Invoke-CIPPStandardIntuneTemplate.ps1} (98%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-LegacyMFA-Remediate.ps1 => Invoke-CIPPStandardLegacyMFA.ps1} (98%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 => Invoke-CIPPStandardLegacyMFACleanup.ps1} (99%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-MailContacts-Remediate.ps1 => Invoke-CIPPStandardMailContacts.ps1} (95%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-ModernAuth-Remediate.ps1 => Invoke-CIPPStandardModernAuth.ps1} (77%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-NudgeMFA-Remediate.ps1 => Invoke-CIPPStandardNudgeMFA.ps1} (94%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-OauthConsent-Remediate.ps1 => Invoke-CIPPStandardOauthConsent.ps1} (98%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 => Invoke-CIPPStandardOauthConsentLowSec.ps1} (93%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 => Invoke-CIPPStandardOutBoundSpamAlert.ps1} (90%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 => Invoke-CIPPStandardPWcompanionAppAllowedState.ps1} (95%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 => Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1} (93%) rename 
Modules/CIPPCore/Public/Standards/{Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 => Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1} (82%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 => Invoke-CIPPStandardPasswordExpireDisabled.ps1} (90%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-RotateDKIM-Remediate.ps1 => Invoke-CIPPStandardRotateDKIM.ps1} (90%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-SSPR-Remediate.ps1 => Invoke-CIPPStandardSSPR.ps1} (83%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-SafeSendersDisable-Remediate.ps1 => Invoke-CIPPStandardSafeSendersDisable.ps1} (91%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-SecurityDefaults-Remediate.ps1 => Invoke-CIPPStandardSecurityDefaults.ps1} (92%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-SendFromAlias-Remediate.ps1 => Invoke-CIPPStandardSendFromAlias.ps1} (88%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 => Invoke-CIPPStandardSendReceiveLimitTenant.ps1} (96%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-SpoofWarn-Remediate.ps1 => Invoke-CIPPStandardSpoofWarn.ps1} (91%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-TAP-Remediate.ps1 => Invoke-CIPPStandardTAP.ps1} (95%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 => Invoke-CIPPStandardTransportRuleTemplate.ps1} (96%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-UndoOauth-Remediate.ps1 => Invoke-CIPPStandardUndoOauth.ps1} (90%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-UndoSSPR-Remediate.ps1 => Invoke-CIPPStandardUndoSSPR.ps1} (74%) create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-allowOAuthTokens-Remediate.ps1 => Invoke-CIPPStandardallowOAuthTokens.ps1} (91%) 
rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-allowOTPTokens-Remediate.ps1 => Invoke-CIPPStandardallowOTPTokens.ps1} (93%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-calDefault-Remediate.ps1 => Invoke-CIPPStandardcalDefault.ps1} (94%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-disableMacSync-Remediate.ps1 => Invoke-CIPPStandarddisableMacSync.ps1} (88%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 => Invoke-CIPPStandardfwdAdminAlerts.ps1} (58%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-intuneDeviceReg-Remediate.ps1 => Invoke-CIPPStandardintuneDeviceReg.ps1} (91%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 => Invoke-CIPPStandardintuneDeviceRetirementDays.ps1} (88%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-intuneRequireMFA-Remediate.ps1 => Invoke-CIPPStandardintuneRequireMFA.ps1} (91%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-laps-Remediate.ps1 => Invoke-CIPPStandardlaps.ps1} (92%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-sharingCapability-Remediate.ps1 => Invoke-CIPPStandardsharingCapability.ps1} (88%) rename Modules/CIPPCore/Public/Standards/{Remediate/Invoke-unmanagedSync-Remediate.ps1 => Invoke-CIPPStandardunmanagedSync.ps1} (89%) delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1 delete mode 100644 Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1 index a6284d1f7b52..03848da177c9 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPStandard.ps1 @@ -3,27 +3,10 @@ function Push-CIPPStandard { $QueueItem, $TriggerMetadata ) - Write-Host "Received queue item for $($QueueItem.Tenant) and standard $($QueueItem.Standard). We will be using this as the settings: $($QueueItem.Settings | ConvertTo-Json -Depth 10)" + Write-Host "Received queue item for $($QueueItem.Tenant) and standard $($QueueItem.Standard)." $Tenant = $QueueItem.Tenant $Standard = $QueueItem.Standard - $Remediate = $QueueItem.Settings.remediate - $Alert = $QueueItem.Settings.alert - $AlertLevel = $QueueItem.Settings.alertLevel - if ($Remediate) { - $FunctionName = 'Invoke-{0}-Remediate' -f $Standard - $RemediateFeedback = & $FunctionName -Tenant $Tenant -Settings $QueueItem.Settings - if ($RemediateFeedback -eq 'Good') { - $AddedText = 'but we remediated this.' - } else { - $AddedText = 'and we failed to remediate this.' - } - } - - if ($Alert) { - $FunctionName = 'Invoke-{0}-Alert' -f $Standard - $AlertFeedback = & $FunctionName -Tenant $Tenant - $AlertText = "The standard $($Standard) is not in the expected state. The alert was $AlertFeedback. $AddedText" - Write-LogMessage -API "Standards_$($Standard)" -tenant $tenant -message $AlertText -sev $AlertLevel - } - + $FunctionName = 'Invoke-CIPPStandard{0}' -f $Standard + Write-Host "We'll be running $FunctionName" + & $FunctionName -Tenant $Tenant -Settings $QueueItem.Settings } \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 new file mode 100644 index 000000000000..dd2448665e6e --- /dev/null 
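Review bot: `& $FunctionName` is invoked with no check that a command of that name exists, and in this same commit the renamed standard files still define their old names (e.g. `function Invoke-ActivityBasedTimeout` in Invoke-CIPPStandardActivityBasedTimeout.ps1), so `Invoke-CIPPStandardActivityBasedTimeout` resolves to nothing and every queue item fails with CommandNotFoundException instead of a logged error. `$Standard` also originates from stored configuration, so a stale or mistyped standard name should be logged and skipped rather than thrown. Resolve the command first and log when it is missing:
```powershell
    $FunctionName = 'Invoke-CIPPStandard{0}' -f $Standard
    if (-not (Get-Command -Name $FunctionName -ErrorAction SilentlyContinue)) {
        Write-LogMessage -API 'Standards' -tenant $Tenant -message "No handler found for standard $Standard (expected $FunctionName)" -sev Error
        return
    }
    Write-Host "We'll be running $FunctionName"
    & $FunctionName -Tenant $Tenant -Settings $QueueItem.Settings
```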
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 @@ -0,0 +1,26 @@ +function Invoke-ActivityBasedTimeout { + <# + .FUNCTIONALITY + Internal + #> + param($Tenant, $Settings) + If ($Settings.Remediate) { + try { + $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -tenantid $tenant).id + if (!$State) { + $body = @' +{ + "displayName": "DefaultTimeoutPolicy", + "isOrganizationDefault": true, + "definition":["{\"ActivityBasedTimeoutPolicy\":{\"Version\":1,\"ApplicationPolicies\":[{\"ApplicationId\":\"default\",\"WebSessionIdleTimeout\":\"01:00:00\"}]}}"] +} +'@ + (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -Type POST -Body $body -ContentType 'application/json') + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Activity Based Timeout of one hour' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Activity Based Timeout $($_.exception.message)" -sev Error + } + } +} + diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 similarity index 90% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 index 9d3788eaf169..6402cbcf5583 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AddDKIM-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 @@ -1,9 +1,11 @@ -function Invoke-AddDKIM-Remediate { +function Invoke-AddDKIM { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object -Property Enabled -EQ $false | ForEach-Object { 
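Review bot: The function defined here is `Invoke-ActivityBasedTimeout`, but the file is Invoke-CIPPStandardActivityBasedTimeout.ps1 and the dispatcher in this commit builds the name as `'Invoke-CIPPStandard{0}' -f $Standard`, so the standard can never be invoked; rename it to `function Invoke-CIPPStandardActivityBasedTimeout {`. Separately, the 'Enabled Activity Based Timeout of one hour' log line is written even when `$State` was already populated and no policy was created, so the log overstates what happened; log 'already present' in that branch instead. The existence check also only tests that some activityBasedTimeoutPolicy has an id, not that it is the organization default with the one-hour value, so a weaker pre-existing policy is left in place silently.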
@@ -15,3 +17,4 @@ function Invoke-AddDKIM-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DKIM. Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 similarity index 87% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 index 4917c2945492..9eb4888b3128 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AnonReportDisable-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 @@ -1,9 +1,11 @@ -function Invoke-AnonReportDisable-Remediate { +function Invoke-AnonReportDisable { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -Type patch -Body '{"displayConcealedNames": false}' -ContentType 'application/json' -AsApp $true @@ -12,3 +14,4 @@ function Invoke-AnonReportDisable-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable anonymous reports. Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 new file mode 100644 index 000000000000..3ca58bb1929d --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 
@@ -0,0 +1,31 @@ +function Invoke-AuditLog { + <# + .FUNCTIONALITY + Internal + #> + param($Tenant, $Settings) + If ($Settings.Remediate) { + $DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').IsDehydrated + if ($DehydratedTenant) { + New-ExoRequest -tenantid $Tenant -cmdlet 'Enable-OrganizationCustomization' + } + + try { + + $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled + if ($AuditLogEnabled) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log already enabled.' -sev Info + } else { + $AdminAuditLogParams = @{ + UnifiedAuditLogIngestionEnabled = $true + } + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AdminAuditLogConfig' -cmdParams $AdminAuditLogParams + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log Enabled.' -sev Info + } + + } catch { + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Unified Audit Log. Error: $ErrorMessage" -sev Error + } + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 similarity index 89% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 index 23e585dcf6a5..58145a18a838 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AutoExpandArchive-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 @@ -1,9 +1,11 @@ -function Invoke-AutoExpandArchive-Remediate { +function Invoke-AutoExpandArchive { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { 
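Review bot: `Enable-OrganizationCustomization` runs outside the try block, so a failure there escapes the function as an unhandled exception rather than an Error log entry, and the audit-log check below never runs. Move the `IsDehydrated` lookup and the Enable call inside the try so both paths go through `Get-NormalizedError` and `Write-LogMessage`. The same name mismatch as the rest of this commit applies: the file declares `function Invoke-AuditLog` while the dispatcher expects `Invoke-CIPPStandardAuditLog`.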
@@ -17,3 +19,4 @@ function Invoke-AutoExpandArchive-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Auto Expanding Archives Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 similarity index 77% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 index b8a103c1b3f8..fed5f6ab010e 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AzurePortal-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 @@ -1,9 +1,12 @@ -function Invoke-AzurePortal-Remediate { +function Invoke-AzurePortal { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Azure Portal disablement is no longer functional. Please remove this standard.' -sev Error } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 similarity index 93% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 index 15ab90841c5c..5869b4b910ce 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ConditionalAccess-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 
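Review bot: This standard is a no-op that writes an `-sev Error` entry on every scheduled run for every tenant where it is still enabled, which will bury real failures in the Standards log. Since the message is guidance rather than a failure, log it at a warning level if Write-LogMessage supports one, e.g. `Write-LogMessage -API 'Standards' -tenant $tenant -message 'Azure Portal disablement is no longer functional. Please remove this standard.' -sev Warn`, so Error-level alerting stays meaningful.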
@@ -1,9 +1,11 @@ -function Invoke-ConditionalAccess-Remediate { +function Invoke-ConditionalAccess { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ConditionalAccess @@ -26,3 +28,4 @@ function Invoke-ConditionalAccess-Remediate { } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 similarity index 93% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 index b8e79c535269..a0c4c9558d8b 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DelegateSentItems-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 @@ -1,9 +1,11 @@ -function Invoke-DelegateSentItems-Remediate { +function Invoke-DelegateSentItems { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ RecipientTypeDetails = @('UserMailbox', 'SharedMailbox') } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false } | ForEach-Object { @@ -19,3 +21,4 @@ function Invoke-DelegateSentItems-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Delegate Sent Items Style. Error: $($_.exception.message)" -sev Error } } +} 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 similarity index 88% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 index a98e0362516f..ae7ff8d8034c 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DeletedUserRentention-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 @@ -1,9 +1,11 @@ -function Invoke-DeletedUserRentention-Remediate { +function Invoke-DeletedUserRentention { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = '{"deletedUserPersonalSiteRetentionPeriodInDays": 365}' @@ -14,3 +16,4 @@ function Invoke-DeletedUserRentention-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set deleted user rentention of OneDrive to 1 year: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 similarity index 97% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 index e4bb5a012a29..dcb593f6d66a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableAddShortcutsToOneDrive-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 
@@ -1,9 +1,11 @@ -function Invoke-DisableAddShortcutsToOneDrive-Remediate { +function Invoke-DisableAddShortcutsToOneDrive { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + function GetTenantRequestXml { return @' @@ -91,3 +93,4 @@ function Invoke-DisableAddShortcutsToOneDrive-Remediate { Write-LogMessage @log } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 similarity index 80% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 index 93c57ae6167f..cbcaf3fb8e03 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuth-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 @@ -1,8 +1,11 @@ -function Invoke-DisableBasicAuth-Remediate { +function Invoke-DisableBasicAuth { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Basic Authentication is disabled by default. SMTP authentication is still allowed. Please use the standard 'Disable SMTP Basic Authentication' to disable" -sev Info } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 similarity index 86% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 index 569bfc0748f8..8caa06cc3e51 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableBasicAuthSMTP-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 
@@ -1,9 +1,11 @@ -function Invoke-DisableBasicAuthSMTP-Remediate { +function Invoke-DisableBasicAuthSMTP { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $Request = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true } @@ -12,3 +14,4 @@ function Invoke-DisableBasicAuthSMTP-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 similarity index 89% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 index 777e3e9cfbe3..ec4bf6be093d 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuestDirectory-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 @@ -1,9 +1,11 @@ -function Invoke-DisableGuestDirectory-Remediate { +function Invoke-DisableGuestDirectory { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = '{guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b"}' @@ -14,3 +16,4 @@ function Invoke-DisableGuestDirectory-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Guest access to directory information.: $($_.exception.message)" -sev 'Error' } } +} 
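Review bot: `Set-TransportConfig -SmtpClientAuthenticationDisabled $true` only changes the organization-wide default; as far as I know a mailbox whose own `SmtpClientAuthenticationDisabled` (Set-CASMailbox) is explicitly set to $false keeps SMTP AUTH enabled regardless of the org setting, so this standard can report success while individual accounts still accept basic SMTP authentication. Consider enumerating those overrides with `Get-CASMailbox -Filter 'SmtpClientAuthenticationDisabled -eq $false'` and either clearing them or logging them at Error so the gap is visible, or at minimum state the limitation in the success message. The Set call and the success log line between the two hunks are not visible here.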
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 similarity index 94% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 index 20bb39555644..bf434e4f1eca 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableGuests-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 @@ -1,9 +1,11 @@ -function Invoke-DisableGuests-Remediate { +function Invoke-DisableGuests { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o') @@ -17,3 +19,4 @@ function Invoke-DisableGuests-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests older than 90 days: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 similarity index 96% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 index f2e2cebfb7ba..75cf98aa7565 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableM365GroupUsers-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 @@ -1,9 +1,11 @@ -function Invoke-DisableM365GroupUsers-Remediate { +function Invoke-DisableM365GroupUsers { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' 
@@ -21,3 +23,4 @@ function Invoke-DisableM365GroupUsers-Remediate {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating M365 Groups: $($_.exception.message)" -sev 'Error'
 }
 }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1
new file mode 100644
index 000000000000..547b951e399f
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1
@@ -0,0 +1,19 @@
+function Invoke-DisableReshare {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ If ($Settings.Remediate) {
+
+
+ try {
+ $body = '{"isResharingByExternalUsersEnabled": "False"}'
+ $Request = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json'
+ Write-Host ($Request | ConvertTo-Json)
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled guests from resharing files' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests from resharing files: $($_.exception.message)" -sev Error
+ }
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
similarity index 88%
rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1
rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
index 8038dbfa1ada..d15b41960af3 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSecurityGroupUsers-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
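Review bot: In Invoke-DisableReshare the PATCH body `'{"isResharingByExternalUsersEnabled": "False"}'` sends the value as a JSON string, while the sibling standards in this commit (`allowedToCreateSecurityGroups`, `isSiteCreationEnabled`, `allowedToCreateTenants`) send a bare boolean; a quoted "False" may be rejected or silently ignored by the sharepoint settings endpoint, in which case the Info log "Disabled guests from resharing files" would be written without the setting having changed. Change it to `$body = '{"isResharingByExternalUsersEnabled": false}'`. `Write-Host ($Request | ConvertTo-Json)` also dumps the whole API response to the host; if it is leftover debugging, remove it, otherwise check the returned `isResharingByExternalUsersEnabled` value before logging success.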
@@ -1,9 +1,11 @@ -function Invoke-DisableSecurityGroupUsers-Remediate { +function Invoke-DisableSecurityGroupUsers { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = '{"defaultUserRolePermissions":{"allowedToCreateSecurityGroups":false}}' @@ -14,3 +16,4 @@ function Invoke-DisableSecurityGroupUsers-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating Security Groups: $($_.exception.message)" -sev 'Error' } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 similarity index 81% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 index 5ce67d5778dc..0ec508452d48 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSelfServiceLicenses-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 @@ -1,9 +1,11 @@ -function Invoke-DisableSelfServiceLicenses-Remediate { +function Invoke-DisableSelfServiceLicenses { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { Write-LogMessage "Standards API: $($Tenant, $Settings) failed to disable License Buy Self Service: $($exception.message)" -sev Error @@ -12,3 +14,4 @@ function Invoke-DisableSelfServiceLicenses-Remediate { Write-LogMessage "Standards API: $($Tenant, $Settings) failed to disable License Buy Self Service: $($exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 new file mode 100644 index 000000000000..38e1fe42163a --- /dev/null 
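Review bot: The `try` body of Invoke-DisableSelfServiceLicenses contains no remediation — its only statement is a `Write-LogMessage` reporting a failure — so enabling this standard logs an error on every run and never changes the tenant. Both log lines also reference `$($exception.message)`, which is never assigned (the caught error is `$_.Exception.Message`), interpolate `$($Tenant, $Settings)`, which stringifies a two-element array, and omit the `-API 'Standards' -tenant $tenant` parameters every other standard in this commit passes. Until the actual API call is in place, replace the try body with a single `Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disable self-service license purchase is not implemented yet.' -sev Info` so operators are not chasing a spurious failure; the lines between the two hunks are not visible here.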
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1
@@ -0,0 +1,18 @@
+function Invoke-DisableSharedMailbox {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ If ($Settings.Remediate) {
+ try {
+ $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($Tenant, $Settings)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) | ForEach-Object {
+ New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/users/$($_.ObjectKey)" -type 'PATCH' -body '{"accountEnabled":"false"}' -tenantid $tenant
+ }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'AAD Accounts for shared mailboxes disabled.' -sev Info
+
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable AAD accounts for shared mailboxes. Error: $($_.exception.message)" -sev Error
+ }
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1
similarity index 89%
rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1
rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1
index eef8d1934648..29f3fb2a2933 100644
--- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableTenantCreation-Remediate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1
@@ -1,9 +1,11 @@
-function Invoke-DisableTenantCreation-Remediate {
+function Invoke-DisableTenantCreation {
 <#
 .FUNCTIONALITY
 Internal
 #>
 param($Tenant, $Settings)
+ If ($Settings.Remediate) {
+
 try {
 $body = '{"defaultUserRolePermissions":{"allowedToCreateTenants":false}}'
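Review bot: In Invoke-DisableSharedMailbox the mailbox lookup URI interpolates `$($Tenant, $Settings)`, which expands to the tenant string joined with the stringified `$Settings` object, so the request targets a malformed path and no account is ever disabled; it should read `"https://outlook.office365.com/adminapi/beta/$($Tenant)/Mailbox"`. The success line 'AAD Accounts for shared mailboxes disabled.' is written unconditionally after the pipeline, so an empty result (or the malformed request returning nothing) still logs success — count the results and log how many were disabled instead. The PATCH body `'{"accountEnabled":"false"}'` also sends a string where the other standards in this commit send a bare boolean; use `'{"accountEnabled":false}'`. Because this standard removes sign-in from real accounts, logging each ObjectKey it disables would make the action auditable.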
@@ -13,3 +15,4 @@ function Invoke-DisableTenantCreation-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating tenants: $($_.exception.message)" -sev 'Error' } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 similarity index 88% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 index 997ae091c58d..7f396db59bed 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableUserSiteCreate-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 @@ -1,9 +1,11 @@ -function Invoke-DisableUserSiteCreate-Remediate { +function Invoke-DisableUserSiteCreate { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = '{"isSiteCreationEnabled": false}' @@ -13,3 +15,4 @@ function Invoke-DisableUserSiteCreate-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable standard users from creating sites: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 similarity index 90% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 index 8b2ab3981b30..4ed120e3696a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableViva-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 
@@ -1,9 +1,11 @@ -function Invoke-DisableViva-Remediate { +function Invoke-DisableViva { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { @@ -15,3 +17,4 @@ function Invoke-DisableViva-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Viva for all users Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 similarity index 96% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 index 4231d5bb4c81..7f1f628da02e 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableAppConsentRequests-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 @@ -1,9 +1,11 @@ -function Invoke-EnableAppConsentRequests-Remediate { +function Invoke-EnableAppConsentRequests { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { # Get current state $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant @@ -62,4 +64,5 @@ function Invoke-EnableAppConsentRequests-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable App consent admin requests. Error: $($_.exception.message)" -sev Error } -} \ No newline at end of file +} +} 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 similarity index 93% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 index 8861b3f183c1..4118f798ca03 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableFIDO2-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 @@ -1,9 +1,11 @@ -function Invoke-EnableFIDO2-Remediate { +function Invoke-EnableFIDO2 { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = '{"@odata.type":"#microsoft.graph.fido2AuthenticationMethodConfiguration","id":"Fido2","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","displayName":"All users"}],"excludeTargets":[],"isAttestationEnforced":true,"isSelfServiceRegistrationAllowed":true,"keyRestrictions":{"aaGuids":[],"enforcementType":"block","isEnforced":false},"state":"enabled"}' @@ -13,3 +15,4 @@ function Invoke-EnableFIDO2-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable FIDO2 Support: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 similarity index 90% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 index 26b2d757b49b..a11ef12264a8 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-EnableOnlineArchiving-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 
@@ -1,9 +1,11 @@ -function Invoke-EnableOnlineArchiving-Remediate { +function Invoke-EnableOnlineArchiving { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'ArchiveGuid -Eq "00000000-0000-0000-0000-000000000000" -AND RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { @@ -15,3 +17,4 @@ function Invoke-EnableOnlineArchiving-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to Enable Online Archiving for all accounts Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 similarity index 96% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 index 886304b1b497..5bcece6f1373 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExConnector-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 @@ -1,9 +1,11 @@ -function Invoke-ExConnector-Remediate { +function Invoke-ExConnector { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExConnector @@ -33,3 +35,4 @@ function Invoke-ExConnector-Remediate { } } +} 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 similarity index 90% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 index a8b1962d4473..3c025b242560 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ExcludedfileExt-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 @@ -1,9 +1,11 @@ -function Invoke-ExcludedfileExt-Remediate { +function Invoke-ExcludedfileExt { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $Exts = $Settings.ext -split ',' @@ -14,3 +16,4 @@ function Invoke-ExcludedfileExt-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to add $($Settings.ext) to excluded synced files: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 similarity index 97% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 index c1170a0a8700..f3c4bad42596 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-GroupTemplate-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 @@ -1,9 +1,11 @@ -function Invoke-GroupTemplate-Remediate { +function Invoke-GroupTemplate { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.GroupTemplate 
@@ -62,3 +64,4 @@ function Invoke-GroupTemplate-Remediate { } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 similarity index 98% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 index c08098fc654a..1b2963675788 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-IntuneTemplate-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 @@ -1,9 +1,11 @@ -function Invoke-IntuneTemplate-Remediate { +function Invoke-IntuneTemplate { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.IntuneTemplate @@ -88,3 +90,4 @@ function Invoke-IntuneTemplate-Remediate { } } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 similarity index 98% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 index b46ca66f2351..430fd5eda5c2 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFA-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 @@ -1,9 +1,11 @@ -function Invoke-LegacyMFA-Remediate { +function Invoke-LegacyMFA { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default') 
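Review bot: Invoke-LegacyMFA still acquires its token against Azure AD Graph (`Get-GraphToken -scope 'https://graph.windows.net/.default'`), an endpoint Microsoft has deprecated and is retiring; when token issuance stops this standard will fail on every tenant with only the generic "Failed to enable (legacy) per user MFA" message from the catch. Since the commit is already renaming and restructuring these files, mark the dependency so it is tracked, e.g. `# NOTE: graph.windows.net (Azure AD Graph) is being retired; per-user MFA handling needs to move to Microsoft Graph` above the token call, and consider a dedicated log line when the token request itself throws. The function body continues outside the hunk.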
@@ -27,3 +29,4 @@ function Invoke-LegacyMFA-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable (legacy) per user MFA: $($_.exception.message)" -sev 'Error' } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 similarity index 99% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 index 473b8d03ea15..38e9599f7f9b 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-LegacyMFACleanup-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 @@ -1,9 +1,11 @@ -function Invoke-LegacyMFACleanup-Remediate { +function Invoke-LegacyMFACleanup { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default') @@ -62,3 +64,4 @@ function Invoke-LegacyMFACleanup-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to clean up (legacy) per user MFA: $($_.exception.message)" -sev 'Error' } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 similarity index 95% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 index 64cd38b9de2a..ca74092ac4af 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-MailContacts-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 
@@ -1,9 +1,11 @@ -function Invoke-MailContacts-Remediate { +function Invoke-MailContacts { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $contacts = $settings @@ -23,3 +25,4 @@ function Invoke-MailContacts-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set contact emails: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 similarity index 77% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 index c3c17c205bae..62169c340363 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ModernAuth-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 @@ -1,9 +1,12 @@ -function Invoke-ModernAuth-Remediate { +function Invoke-ModernAuth { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Modern Authentication is enabled by default. This standard is no longer required.' -sev Info } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 similarity index 94% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 index 2460299998f9..6da92f6f84fd 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-NudgeMFA-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 @@ -1,9 +1,11 @@ -function Invoke-NudgeMFA-Remediate { +function Invoke-NudgeMFA { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + Write-Output $Settings 
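Review bot: `Write-Output $Settings` in Invoke-NudgeMFA places the entire settings object on the function's output stream, so whatever invokes the standard receives it as a return value and, if output is captured into logs or a queue message, the standard's configuration is emitted along with it. If this is leftover debugging, delete the line; if it is meant as a diagnostic, the new Invoke-DisableReshare in this same commit uses `Write-Host` for that purpose, which keeps it off the pipeline. The rest of the function, including what is done with `$Settings`, is outside the hunk.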
@@ -20,3 +22,4 @@ function Invoke-NudgeMFA-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to $status Authenticator App Nudge: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 similarity index 98% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 index 423380bcf3e7..f99ccba2a522 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsent-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 @@ -1,4 +1,4 @@ -function Invoke-OauthConsent-Remediate { +function Invoke-OauthConsent { <# .FUNCTIONALITY Internal @@ -34,3 +34,4 @@ function Invoke-OauthConsent-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 similarity index 93% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 index 0ccbc7d5f904..44298bed5026 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OauthConsentLowSec-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 
@@ -1,9 +1,11 @@ -function Invoke-OauthConsentLowSec-Remediate { +function Invoke-OauthConsentLowSec { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) @@ -16,3 +18,4 @@ function Invoke-OauthConsentLowSec-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 similarity index 90% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 index 28f406389862..e64248a72487 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-OutBoundSpamAlert-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 @@ -1,9 +1,11 @@ -function Invoke-OutBoundSpamAlert-Remediate { +function Invoke-OutBoundSpamAlert { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $Contacts = $settings.OutboundSpamContact try { @@ -13,3 +15,4 @@ function Invoke-OutBoundSpamAlert-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set outbound spam contact to $($Contacts.OutboundSpamContact). $($_.exception.message)" -sev Error } } +} 
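Review bot: In the error message of the OutBoundSpamAlert second hunk, `$($Contacts.OutboundSpamContact)` dereferences a property `$Contacts` does not have: the first hunk shows `$Contacts = $settings.OutboundSpamContact`, so `$Contacts` already is the address value and the interpolation renders empty in the log entry. It is a pre-existing line, but the commit touches both ends of this function. Suggest `"Could not set outbound spam contact to $Contacts. $($_.exception.message)"`.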
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 similarity index 95% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 index e2fbd44ed708..cfa4281fb6d8 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWcompanionAppAllowedState-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 @@ -1,9 +1,11 @@ -function Invoke-PWcompanionAppAllowedState-Remediate { +function Invoke-PWcompanionAppAllowedState { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $Setting = $Settings @@ -40,3 +42,4 @@ function Invoke-PWcompanionAppAllowedState-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable companionAppAllowedState. Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 similarity index 93% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 index d5abe09d8de7..9b611a7b523a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWdisplayAppInformationRequiredState-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 
@@ -1,9 +1,11 @@ -function Invoke-PWdisplayAppInformationRequiredState-Remediate { +function Invoke-PWdisplayAppInformationRequiredState { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = @' @@ -16,3 +18,4 @@ function Invoke-PWdisplayAppInformationRequiredState-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable passwordless with Information and Number Matching. Error: $($_.exception.message)" -sev 'Error' } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 similarity index 82% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 index 01de1c538da5..c189ac3041f1 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PWnumberMatchingRequiredState-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 @@ -1,9 +1,11 @@ -function Invoke-PWnumberMatchingRequiredState-Remediate { +function Invoke-PWnumberMatchingRequiredState { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with number matching is now enabled by default.' -sev Info @@ -11,3 +13,4 @@ function Invoke-PWnumberMatchingRequiredState-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable passwordless with Number Matching. Error: $($_.exception.message)" -sev 'Error' } } +} 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 similarity index 90% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 index 2c1040b0fa51..1f4558d4c72b 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-PasswordExpireDisabled-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 @@ -1,9 +1,11 @@ -function Invoke-PasswordExpireDisabled-Remediate { +function Invoke-PasswordExpireDisabled { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object { New-GraphPostRequest -type Patch -tenantid $Tenant -uri "https://graph.microsoft.com/beta/domains/$($_.id)" -body '{"passwordValidityPeriodInDays": 2147483647 }' @@ -13,3 +15,4 @@ function Invoke-PasswordExpireDisabled-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Password Expiration. Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 similarity index 90% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 index b947d5dacb01..8208628e9b4b 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-RotateDKIM-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 
@@ -1,9 +1,11 @@ -function Invoke-RotateDKIM-Remediate { +function Invoke-RotateDKIM { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -EQ 1024 -and $_.Enabled -eq $true } | ForEach-Object { @@ -15,3 +17,4 @@ function Invoke-RotateDKIM-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to rotate DKIM Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 similarity index 83% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 index 06e5d753c1c3..82a4cbaa24d0 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SSPR-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 @@ -1,12 +1,15 @@ -function Invoke-SSPR-Remediate { +function Invoke-SSPR { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { Write-LogMessage -API 'Standards' -tenant $tenant -message 'SSPR standard is no longer available' -sev Error } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable SSPR $($_.exception.message)" -sev 'Error' } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SafeSendersDisable-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 similarity index 91% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-SafeSendersDisable-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 index 64fcba5c44bc..fc28f1747202 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SafeSendersDisable-Remediate.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 @@ -1,9 +1,11 @@ -function Invoke-SafeSendersDisable-Remediate { +function Invoke-SafeSendersDisable { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' | ForEach-Object { try { @@ -17,4 +19,5 @@ function Invoke-SafeSendersDisable-Remediate { } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SafeSenders. Error: $($_.exception.message)" -sev Error } -} \ No newline at end of file +} +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 similarity index 92% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 index 3ca668a594fc..357470742f8e 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SecurityDefaults-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 @@ -1,9 +1,11 @@ -function Invoke-SecurityDefaults-Remediate { +function Invoke-SecurityDefaults { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant) @@ -18,3 +20,4 @@ function Invoke-SecurityDefaults-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Security Defaults Error: $($_.exception.message)" -sev 'Error' } } +} 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 similarity index 88% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 index 41f7962385ed..b67d9115c105 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendFromAlias-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 @@ -1,9 +1,11 @@ -function Invoke-SendFromAlias-Remediate { +function Invoke-SendFromAlias { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $AdminAuditLogParams = @{ @@ -16,3 +18,4 @@ function Invoke-SendFromAlias-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Send from Alias Standard. Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 similarity index 96% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 index 4ff7af209b4d..808c2f55adae 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SendReceiveLimitTenant-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 @@ -1,9 +1,11 @@ -function Invoke-SendReceiveLimitTenant-Remediate { +function Invoke-SendReceiveLimitTenant { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + # Get the tenant standards settings $Limits = $Settings.SendReceiveLimit 
@@ -50,4 +52,5 @@ function Invoke-SendReceiveLimitTenant-Remediate { } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set the tenant send and receive limits. Error: $($_.exception.message)" -sev Error } -} \ No newline at end of file +} +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 similarity index 91% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 index ef0cb1ad96e9..02f5cee72764 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-SpoofWarn-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 @@ -1,9 +1,11 @@ -function Invoke-SpoofWarn-Remediate { +function Invoke-SpoofWarn { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $status = if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Spoof Warnings setting' -sev Error @@ -17,3 +19,4 @@ function Invoke-SpoofWarn-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set spoofing warnings to $status. Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 similarity index 95% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 index 96a7f881c2e3..dcfa07e61191 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TAP-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 
@@ -1,9 +1,11 @@ -function Invoke-TAP-Remediate { +function Invoke-TAP { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $TAPConfig = $Settings.Config if (!$TAPConfig) { $TAPConfig = 'true' } try { @@ -30,3 +32,4 @@ function Invoke-TAP-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable TAP. Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 similarity index 96% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 index 9a2d1d50530e..8a3ed6b41d78 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-TransportRuleTemplate-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 @@ -1,9 +1,11 @@ -function Invoke-TransportRuleTemplate-Remediate { +function Invoke-TransportRuleTemplate { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $ConfigTable = Get-CippTable -tablename 'standards' @@ -37,3 +39,4 @@ function Invoke-TransportRuleTemplate-Remediate { } } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 similarity index 90% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 index 458205022395..3324d9d1b6b8 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoOauth-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 
@@ -1,9 +1,11 @@ -function Invoke-UndoOauth-Remediate { +function Invoke-UndoOauth { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}' -ContentType 'application/json' Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode has been disabled.' -sev Info @@ -11,3 +13,4 @@ function Invoke-UndoOauth-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set Application Consent Mode to disabled Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 similarity index 74% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 index e1d961597176..677e4dde261f 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UndoSSPR-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 @@ -1,8 +1,11 @@ -function Invoke-UndoSSPR-Remediate { +function Invoke-UndoSSPR { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'The standard for SSPR is no longer supported.' -sev Error } +} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 new file mode 100644 index 000000000000..4ca79f2c0488 --- /dev/null +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 
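Review bot: The PATCH body assigns `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` to the default user role, which restores unrestricted user consent to applications in the tenant, yet the success path logs 'Application Consent Mode has been disabled.' at `-sev Info`. Since this standard deliberately loosens a security control, a message that says user consent is re-enabled, at a warning severity if `Write-LogMessage` supports one, would make the change stand out in the logbook. The function body between the two hunks is outside the view.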
@@ -0,0 +1,42 @@
+function Invoke-UserSubmissions {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ If ($Settings.Remediate) {
+
+
+ if ($Settings.enable -and $Settings.disable) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the User Submission policy' -sev Error
+ Exit
+ } elseif ($Settings.enable) {
+ $status = $true
+ try {
+ $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy'
+ if ($Policy.length -eq 0) {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-ReportSubmissionPolicy'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info
+ } else {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ReportSubmissionPolicy' -cmdParams @{ EnableReportToMicrosoft = $status; Identity = $($Policy.Identity); }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info
+ }
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set User Submission policy to $status. Error: $($_.exception.message)" -sev Error
+ }
+ } else {
+ $status = $false
+ try {
+ $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy'
+ if ($Policy.length -eq 0) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info
+ } else {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ReportSubmissionPolicy' -cmdParams @{ EnableReportToMicrosoft = $status; Identity = $($Policy.Identity); EnableThirdPartyAddress = $status; ReportJunkToCustomizedAddress = $status; ReportNotJunkToCustomizedAddress = $status; ReportPhishToCustomizedAddress = $status; }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info
+ }
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set User Submission policy to $status. 
Error: $($_.exception.message)" -sev Error + } + } + } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOAuthTokens-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 similarity index 91% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOAuthTokens-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 index b11dac74d53d..76a0aef1f769 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOAuthTokens-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 @@ -1,9 +1,11 @@ -function Invoke-allowOAuthTokens-Remediate { +function Invoke-allowOAuthTokens { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -tenantid $Tenant @@ -15,4 +17,5 @@ function Invoke-allowOAuthTokens-Remediate { } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable software OTP/oAuth tokens. Error: $($_.exception.message)" -sev 'Error' } -} \ No newline at end of file +} +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOTPTokens-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 similarity index 93% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOTPTokens-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 index 72cd93d9e5f1..6df68e3c72c0 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-allowOTPTokens-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 
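Review bot: `Exit` in the enable-and-disable branch of Invoke-UserSubmissions terminates the calling session rather than leaving the function, which in a long-running host takes every other queued standard down with it; `return` is the right statement there. Separately, the final `} else {` treats any settings object without `enable` as a request to disable report submission, so a standard saved with only `Remediate` set would turn the policy off for the tenant; `} elseif ($Settings.disable) {` keeps the neither-set case a no-op. Both are two-token changes on the new side of this hunk.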
@@ -1,9 +1,11 @@ -function Invoke-allowOTPTokens-Remediate { +function Invoke-allowOTPTokens { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant @@ -16,4 +18,5 @@ function Invoke-allowOTPTokens-Remediate { } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable MS authenticator OTP/oAuth tokens. Error: $($_.exception.message)" -sev Error } -} \ No newline at end of file +} +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 similarity index 94% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 index bca61580fd71..5c4754ab5caf 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-calDefault-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 @@ -1,9 +1,11 @@ -function Invoke-calDefault-Remediate { +function Invoke-calDefault { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'get-mailbox' foreach ($Mailbox in $Mailboxes) { @@ -21,3 +23,4 @@ function Invoke-calDefault-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Done setting default calendar permissions.' -sev Info } +} 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 similarity index 88% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 index 7e9a846c00d2..8c83e2d66ec7 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-disableMacSync-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 @@ -1,9 +1,11 @@ -function Invoke-disableMacSync-Remediate { +function Invoke-disableMacSync { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = '{"isMacSyncAppEnabled": false}' @@ -13,3 +15,4 @@ function Invoke-disableMacSync-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Mac OneDrive Sync: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 similarity index 58% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 index 5642336fea0e..ce9c22563d2a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-fwdAdminAlerts-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 @@ -1,8 +1,11 @@ -function Invoke-fwdAdminAlerts-Remediate { +function Invoke-fwdAdminAlerts { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + #This isn't done yet. } +} 
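Review bot: In Invoke-fwdAdminAlerts the body under the new `If ($Settings.Remediate) {` is only the comment `#This isn't done yet.`, so selecting this standard with Remediate produces no log entry at all and an operator cannot tell it was skipped. A single `Write-LogMessage -API 'Standards' -tenant $tenant -message 'Forward admin alerts is not implemented yet.' -sev Info` inside the block, matching the pattern the ModernAuth standard uses for a no-op, would make that visible in the logbook.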
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 similarity index 91% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 index 0cf5fc424e5f..a476d17eeb2a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceReg-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 @@ -1,9 +1,11 @@ -function Invoke-intuneDeviceReg-Remediate { +function Invoke-intuneDeviceReg { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant @@ -15,3 +17,4 @@ function Invoke-intuneDeviceReg-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set user device quota to $($Settings.max) : $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 similarity index 88% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 index f8b4509a2c36..0f7e0bdd908c 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneDeviceRetirementDays-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 
@@ -1,9 +1,11 @@ -function Invoke-intuneDeviceRetirementDays-Remediate { +function Invoke-intuneDeviceRetirementDays { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = @{ DeviceInactivityBeforeRetirementInDays = $Settings.days } | ConvertTo-Json @@ -15,3 +17,4 @@ function Invoke-intuneDeviceRetirementDays-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DeviceInactivityBeforeRetirementInDays. Error: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneRequireMFA-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 similarity index 91% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneRequireMFA-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 index 1decdecc18f2..ef6cb4dcf71f 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-intuneRequireMFA-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 @@ -1,9 +1,11 @@ -function Invoke-intuneRequireMFA-Remediate { +function Invoke-intuneRequireMFA { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant $PreviousSetting.multiFactorAuthConfiguration = '1' @@ -13,4 +15,5 @@ } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set require to use MFA when joining Intune Devices: $($_.exception.message)" -sev Error } -} \ No newline at end of file +} +} 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 similarity index 92% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 index 8599f059bc26..5403f2daef6a 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-laps-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 @@ -1,9 +1,11 @@ -function Invoke-laps-Remediate { +function Invoke-laps { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant $previoussetting.localadminpassword.isEnabled = $true @@ -14,3 +16,4 @@ function Invoke-laps-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set LAPS: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 similarity index 88% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 index 98759816c914..d53dfc42023b 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-sharingCapability-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 
@@ -1,9 +1,11 @@ -function Invoke-sharingCapability-Remediate { +function Invoke-sharingCapability { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Settings.Level)`"}" -ContentType 'application/json' @@ -12,3 +14,4 @@ function Invoke-sharingCapability-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set sharing level to $($Settings.level): $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 similarity index 89% rename from Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 index 0e3ef8c21ed6..833367ba18a0 100644 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-unmanagedSync-Remediate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 @@ -1,9 +1,11 @@ -function Invoke-unmanagedSync-Remediate { +function Invoke-unmanagedSync { <# .FUNCTIONALITY Internal #> param($Tenant, $Settings) + If ($Settings.Remediate) { + try { $body = '{"isUnmanagedSyncAppForTenantRestricted": false}' @@ -13,3 +15,4 @@ function Invoke-unmanagedSync-Remediate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Sync for unmanaged devices: $($_.exception.message)" -sev Error } } +} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 deleted file mode 100644 index d2adef1a6085..000000000000 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-ActivityBasedTimeout-Remediate.ps1 +++ /dev/null 
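Review bot: The request body in the first sharingCapability hunk is built by string interpolation, `"{`"sharingCapability`":`"$($Settings.Level)`"}"`, so a `Level` value containing a quote or backslash yields malformed JSON and the request fails or sends something other than intended. The intuneDeviceRetirementDays change in this same commit already builds its body with `@{ ... } | ConvertTo-Json`; doing the same here, `$body = @{ sharingCapability = $Settings.Level } | ConvertTo-Json -Compress` and then `-Body $body`, keeps the value properly quoted. Pre-existing line, flagged because the function is being restructured anyway.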
@@ -1,23 +0,0 @@ -function Invoke-ActivityBasedTimeout-Remediate { - <# - .FUNCTIONALITY - Internal - #> - param($Tenant, $Settings) - try { - $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -tenantid $tenant).id - if (!$State) { - $body = @' -{ - "displayName": "DefaultTimeoutPolicy", - "isOrganizationDefault": true, - "definition":["{\"ActivityBasedTimeoutPolicy\":{\"Version\":1,\"ApplicationPolicies\":[{\"ApplicationId\":\"default\",\"WebSessionIdleTimeout\":\"01:00:00\"}]}}"] -} -'@ - (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -Type POST -Body $body -ContentType 'application/json') - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Activity Based Timeout of one hour' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Activity Based Timeout $($_.exception.message)" -sev Error - } -} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 deleted file mode 100644 index 8cf0f1913094..000000000000 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-AuditLog-Remediate.ps1 +++ /dev/null 
@@ -1,30 +0,0 @@ -function Invoke-AuditLog-Remediate { - <# - .FUNCTIONALITY - Internal - #> - param($Tenant, $Settings) - - $DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').IsDehydrated - if ($DehydratedTenant) { - New-ExoRequest -tenantid $Tenant -cmdlet 'Enable-OrganizationCustomization' - } - - try { - - $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled - if ($AuditLogEnabled) { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log already enabled.' -sev Info - } else { - $AdminAuditLogParams = @{ - UnifiedAuditLogIngestionEnabled = $true - } - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AdminAuditLogConfig' -cmdParams $AdminAuditLogParams - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log Enabled.' -sev Info - } - - } catch { - $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Unified Audit Log. Error: $ErrorMessage" -sev Error - } -} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 deleted file mode 100644 index a681764d9186..000000000000 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableReshare-Remediate.ps1 +++ /dev/null 
@@ -1,16 +0,0 @@ -function Invoke-DisableReshare-Remediate { - <# - .FUNCTIONALITY - Internal - #> - param($Tenant, $Settings) - - try { - $body = '{"isResharingByExternalUsersEnabled": "False"}' - $Request = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' - Write-Host ($Request | ConvertTo-Json) - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled guests from resharing files' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests from resharing files: $($_.exception.message)" -sev Error - } -} diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1 deleted file mode 100644 index b904828f6117..000000000000 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-DisableSharedMailbox-Remediate.ps1 +++ /dev/null @@ -1,17 +0,0 @@ -function Invoke-DisableSharedMailbox-Remediate { - <# - .FUNCTIONALITY - Internal - #> - param($Tenant, $Settings) - - try { - $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($Tenant, $Settings)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) | ForEach-Object { - New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/users/$($_.ObjectKey)" -type 'PATCH' -body '{"accountEnabled":"false"}' -tenantid $tenant - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'AAD Accounts for shared mailboxes disabled.' -sev Info - - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable AAD accounts for shared mailboxes. Error: $($_.exception.message)" -sev Error - } -} 
diff --git a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 b/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 deleted file mode 100644 index edc815a05c6d..000000000000 --- a/Modules/CIPPCore/Public/Standards/Remediate/Invoke-UserSubmissions-Remediate.ps1 +++ /dev/null 
@@ -1,39 +0,0 @@ -function Invoke-UserSubmissions-Remediate { - <# - .FUNCTIONALITY - Internal - #> - param($Tenant, $Settings) - - if ($Settings.enable -and $Settings.disable) { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the User Submission policy' -sev Error - Exit - } elseif ($Settings.enable) { - $status = $true - try { - $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy' - if ($Policy.length -eq 0) { - New-ExoRequest -tenantid $Tenant -cmdlet 'New-ReportSubmissionPolicy' - Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info - } else { - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ReportSubmissionPolicy' -cmdParams @{ EnableReportToMicrosoft = $status; Identity = $($Policy.Identity); } - Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info - } - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set User Submission policy to $status. Error: $($_.exception.message)" -sev Error - } - } else { - $status = $false - try { - $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy' - if ($Policy.length -eq 0) { - Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info - } else { - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ReportSubmissionPolicy' -cmdParams @{ EnableReportToMicrosoft = $status; Identity = $($Policy.Identity); EnableThirdPartyAddress = $status; ReportJunkToCustomizedAddress = $status; ReportNotJunkToCustomizedAddress = $status; ReportPhishToCustomizedAddress = $status; } - Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info - } - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set User Submission policy to $status. 
Error: $($_.exception.message)" -sev Error - } - } -} From f34aeb83262fb094ba1f29672790d10d823242c2 Mon Sep 17 00:00:00 2001 
From: KelvinTegelaar Date: Fri, 8 Dec 2023 14:50:41 +0100 Subject: [PATCH 55/78] Standards Add Alerts --- ...nvoke-CIPPStandardActivityBasedTimeout.ps1 | 12 +- .../Standards/Invoke-CIPPStandardAddDKIM.ps1 | 25 ++-- .../Invoke-CIPPStandardAnonReportDisable.ps1 | 22 ++- .../Standards/Invoke-CIPPStandardAuditLog.ps1 | 15 +- .../Invoke-CIPPStandardAutoExpandArchive.ps1 | 27 ++-- .../Invoke-CIPPStandardAzurePortal.ps1 | 8 +- .../Invoke-CIPPStandardConditionalAccess.ps1 | 36 +++-- .../Invoke-CIPPStandardDelegateSentItems.ps1 | 37 +++-- ...voke-CIPPStandardDeletedUserRentention.ps1 | 24 +-- ...PStandardDisableAddShortcutsToOneDrive.ps1 | 96 ++++++------ .../Invoke-CIPPStandardDisableBasicAuth.ps1 | 9 +- ...nvoke-CIPPStandardDisableBasicAuthSMTP.ps1 | 22 ++- ...voke-CIPPStandardDisableGuestDirectory.ps1 | 21 ++- .../Invoke-CIPPStandardDisableGuests.ps1 | 30 ++-- ...voke-CIPPStandardDisableM365GroupUsers.ps1 | 39 +++-- .../Invoke-CIPPStandardDisableReshare.ps1 | 8 + ...-CIPPStandardDisableSecurityGroupUsers.ps1 | 21 ++- ...CIPPStandardDisableSelfServiceLicenses.ps1 | 11 +- ...nvoke-CIPPStandardDisableSharedMailbox.ps1 | 11 +- ...voke-CIPPStandardDisableTenantCreation.ps1 | 22 ++- ...voke-CIPPStandardDisableUserSiteCreate.ps1 | 26 ++-- .../Invoke-CIPPStandardDisableViva.ps1 | 24 +-- ...e-CIPPStandardEnableAppConsentRequests.ps1 | 100 +++++++------ .../Invoke-CIPPStandardEnableFIDO2.ps1 | 23 ++- ...voke-CIPPStandardEnableOnlineArchiving.ps1 | 22 ++- .../Invoke-CIPPStandardExConnector.ps1 | 50 +++---- .../Invoke-CIPPStandardExcludedfileExt.ps1 | 24 ++- .../Invoke-CIPPStandardGroupTemplate.ps1 | 94 ++++++------ .../Invoke-CIPPStandardIntuneTemplate.ps1 | 138 +++++++++--------- .../Invoke-CIPPStandardLegacyMFA.ps1 | 25 +--- .../Invoke-CIPPStandardLegacyMFACleanup.ps1 | 60 +------- .../Invoke-CIPPStandardMailContacts.ps1 | 58 +++++--- .../Invoke-CIPPStandardModernAuth.ps1 | 8 +- .../Standards/Invoke-CIPPStandardNudgeMFA.ps1 | 36 +++-- .../Invoke-CIPPStandardOauthConsent.ps1 | 56 
++++--- .../Invoke-CIPPStandardOauthConsentLowSec.ps1 | 25 ++-- .../Invoke-CIPPStandardOutBoundSpamAlert.ps1 | 24 +-- ...CIPPStandardPWcompanionAppAllowedState.ps1 | 64 ++++---- ...rdPWdisplayAppInformationRequiredState.ps1 | 23 +-- ...PStandardPWnumberMatchingRequiredState.ps1 | 10 +- ...oke-CIPPStandardPasswordExpireDisabled.ps1 | 21 ++- .../Invoke-CIPPStandardRotateDKIM.ps1 | 22 +-- .../Standards/Invoke-CIPPStandardSSPR.ps1 | 11 +- .../Invoke-CIPPStandardSafeSendersDisable.ps1 | 28 ++-- .../Invoke-CIPPStandardSecurityDefaults.ps1 | 30 ++-- .../Invoke-CIPPStandardSendFromAlias.ps1 | 26 ++-- ...oke-CIPPStandardSendReceiveLimitTenant.ps1 | 75 +++++----- .../Invoke-CIPPStandardSpoofWarn.ps1 | 30 ++-- .../Standards/Invoke-CIPPStandardTAP.ps1 | 32 ++-- ...voke-CIPPStandardTransportRuleTemplate.ps1 | 52 +++---- .../Invoke-CIPPStandardUndoOauth.ps1 | 13 +- .../Invoke-CIPPStandardUserSubmissions.ps1 | 16 +- .../Invoke-CIPPStandardallowOAuthTokens.ps1 | 24 +-- .../Invoke-CIPPStandardallowOTPTokens.ps1 | 27 ++-- .../Invoke-CIPPStandardcalDefault.ps1 | 23 ++- .../Invoke-CIPPStandarddisableMacSync.ps1 | 24 ++- .../Invoke-CIPPStandardfwdAdminAlerts.ps1 | 4 +- .../Invoke-CIPPStandardintuneDeviceReg.ps1 | 28 ++-- ...CIPPStandardintuneDeviceRetirementDays.ps1 | 25 ++-- .../Invoke-CIPPStandardintuneRequireMFA.ps1 | 27 ++-- .../Standards/Invoke-CIPPStandardlaps.ps1 | 26 ++-- .../Invoke-CIPPStandardsharingCapability.ps1 | 22 ++- .../Invoke-CIPPStandardunmanagedSync.ps1 | 24 +-- 63 files changed, 1088 insertions(+), 908 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 index dd2448665e6e..4f3913213485 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 
@@ -4,9 +4,10 @@ function Invoke-ActivityBasedTimeout { Internal #> param($Tenant, $Settings) + $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -tenantid $tenant).id + If ($Settings.Remediate) { try { - $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -tenantid $tenant).id if (!$State) { $body = @' { @@ -22,5 +23,14 @@ function Invoke-ActivityBasedTimeout { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Activity Based Timeout $($_.exception.message)" -sev Error } } + + if ($Settings.Alert) { + if ($State) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Activity Based Timeout is enabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Activity Based Timeout is not enabled' -sev Alert + } + } + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 index 6402cbcf5583..f11fe54b342d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 
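Review bot: Moving `$State = (New-GraphGetRequest ...).id` above the `If ($Settings.Remediate)` block also moves it out of the `try`, so a Graph failure on the read now propagates out of the function instead of being caught and logged as before. Wrap the read in its own try/catch, e.g. `try { $State = (New-GraphGetRequest -Uri '...' -tenantid $tenant).id } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to read Activity Based Timeout policy: $($_.exception.message)" -sev Error; return }`. Note also that the Alert branch tests the `$State` captured before remediation, so a run with both Remediate and Alert set raises "not enabled" immediately after creating the policy.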
@@ -4,17 +4,24 @@ function Invoke-AddDKIM { Internal #> param($Tenant, $Settings) + $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object -Property Enabled -EQ $false If ($Settings.Remediate) { - - - try { - $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object -Property Enabled -EQ $false | ForEach-Object { + try { + $DKIM | ForEach-Object { (New-ExoRequest -tenantid $tenant -cmdlet 'New-DkimSigningConfig' -cmdparams @{ KeySize = 2048; DomainName = $_.Identity; Enabled = $true } -useSystemMailbox $true) - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled DKIM Setup' -sev Info + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled DKIM Setup' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DKIM. Error: $($_.exception.message)" -sev Error + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DKIM. Error: $($_.exception.message)" -sev Error + } + } + + if ($Settings.Alert) { + if ($DKIM) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'DKIM is enabled for all available domains' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'DKIM is not enabled for all available domains' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 index 9eb4888b3128..4e796b5c5586 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 
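Review bot: The Alert branch is inverted: `$DKIM` is the list of domains where `Enabled -EQ $false`, so a non-empty `$DKIM` means DKIM is missing somewhere, but `if ($DKIM)` logs "DKIM is enabled for all available domains" at Info. Swap the branches so that `if ($DKIM) { Write-LogMessage ... 'DKIM is not enabled for all available domains' -sev Alert } else { ... 'DKIM is enabled for all available domains' -sev Info }`. Since `$DKIM` is evaluated before remediation, a combined Remediate+Alert run will also report the pre-remediation state; re-query after the loop or note that in a comment.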
@@ -4,14 +4,20 @@ function Invoke-AnonReportDisable { Internal #> param($Tenant, $Settings) + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -tenantid $Tenant -AsApp $true If ($Settings.Remediate) { - - - try { - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -Type patch -Body '{"displayConcealedNames": false}' -ContentType 'application/json' -AsApp $true - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports Disabled.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable anonymous reports. Error: $($_.exception.message)" -sev Error + try { + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -Type patch -Body '{"displayConcealedNames": false}' -ContentType 'application/json' -AsApp $true + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports Disabled.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable anonymous reports. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($CurrentInfo.displayConcealedNames -eq $false) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports is disabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports is not disabled' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 index 3ca58bb1929d..3f045b4b1584 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 
@@ -4,15 +4,17 @@ function Invoke-AuditLog { Internal #> param($Tenant, $Settings) + + $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled + If ($Settings.Remediate) { + $DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').IsDehydrated if ($DehydratedTenant) { New-ExoRequest -tenantid $Tenant -cmdlet 'Enable-OrganizationCustomization' } - - try { - $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled + try { if ($AuditLogEnabled) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log already enabled.' -sev Info } else { @@ -28,4 +30,11 @@ function Invoke-AuditLog { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Unified Audit Log. Error: $ErrorMessage" -sev Error } } + if ($Settings.Alert) { + if ($AuditLogEnabled) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log is enabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log is not enabled' -sev Alert + } + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 index 58145a18a838..22947f9f0a4e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 
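Review bot: `$AuditLogEnabled` is read once at the top and then reused by the Alert branch, so when Remediate and Alert are both set the alert fires "Unified Audit Log is not enabled" in the same run that just enabled it. Re-read the value inside `if ($Settings.Alert)` (`$AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled`) or set it to `$true` after a successful `Set-AdminAuditLogConfig`. The read also now happens before `Enable-OrganizationCustomization` on dehydrated tenants; if `Get-AdminAuditLogConfig` can fail there, it is no longer inside the `try`. The middle of the remediation body lies between the two hunks.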
@@ -4,19 +4,22 @@ function Invoke-AutoExpandArchive {
 Internal
 #>
 param($Tenant, $Settings)
+ $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AutoExpandingArchiveEnabled
 If ($Settings.Remediate) {
-
-
- try {
-
- $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AutoExpandingArchiveEnabled
- if (!$currentstate) {
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams @{AutoExpandingArchive = $true }
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Added Auto Expanding Archive.' -sev Info
+ try {
+ if (!$currentstate) {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams @{AutoExpandingArchive = $true }
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Added Auto Expanding Archive.' -sev Info
+ }
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Auto Expanding Archives Error: $($_.exception.message)" -sev Error
+ }
+ }
+ if ($Settings.Alert) {
+ if ($AuditLogEnabled) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Auto Expanding Archives is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Auto Expanding Archives is not enabled' -sev Alert
 }
-
- } catch {
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Auto Expanding Archives Error: $($_.exception.message)" -sev Error
 }
-}
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1
index fed5f6ab010e..cb02d62bb5c7 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1
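Review bot: The Alert branch tests `$AuditLogEnabled`, a variable this function never assigns (it looks copied from the AuditLog standard), so the alert always takes the else path and reports "Auto Expanding Archives is not enabled" regardless of tenant state. The variable that holds this standard's state is `$CurrentState`, so the check should read `if ($CurrentState) {`. As with the other standards in this patch, that value is captured before remediation, so a Remediate+Alert run will still alert on the pre-change state unless it is re-read or updated after `Set-OrganizationConfig`.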
@@ -1,12 +1,10 @@ function Invoke-AzurePortal { - <# + <# .FUNCTIONALITY Internal #> - param($Tenant, $Settings) + param($Tenant, $Settings) If ($Settings.Remediate) { - - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Azure Portal disablement is no longer functional. Please remove this standard.' -sev Error -} + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 index 5869b4b910ce..8650a4451e8a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 
@@ -4,28 +4,26 @@ function Invoke-ConditionalAccess { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - - - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ConditionalAccess - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ConditionalAccess - } + If ($Settings.Remediate) { + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ConditionalAccess + if (!$Setting) { + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ConditionalAccess + } - $APINAME = 'Standards' + $APINAME = 'Standards' - foreach ($Template in $Setting.TemplateList) { - try { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'CATemplate' and RowKey eq '$($Template.value)'" - $JSONObj = (Get-AzDataTableEntity @Table -Filter $Filter).JSON - $CAPolicy = New-CIPPCAPolicy -TenantFilter $tenant -state $request.body.NewState -RawJSON $JSONObj -Overwrite $true -APIName $APIName -ExecutingUser $request.headers.'x-ms-client-principal' - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message)" -sev 'Error' + foreach ($Template in $Setting.TemplateList) { + try { + $Table = Get-CippTable -tablename 'templates' + $Filter = "PartitionKey eq 'CATemplate' and RowKey eq '$($Template.value)'" + $JSONObj = (Get-AzDataTableEntity @Table -Filter $Filter).JSON + $CAPolicy = New-CIPPCAPolicy -TenantFilter $tenant -state $request.body.NewState -RawJSON 
$JSONObj -Overwrite $true -APIName $APIName -ExecutingUser $request.headers.'x-ms-client-principal' + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($_.exception.message)" -sev 'Error' + } } - } -} + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 index a0c4c9558d8b..e0fc3e63d2da 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 
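Review bot: `New-CIPPCAPolicy` is called with `-state $request.body.NewState` and `-ExecutingUser $request.headers.'x-ms-client-principal'`, but `$request` is not a parameter of this function (only `$Tenant, $Settings`) and nothing in the hunk defines it, so unless it is a global set by the caller both arguments are null and the policy state and audit identity are lost. The state should come from the standard's own configuration, e.g. `-state $Settings.State` (or an explicit default), and the executing user should be a fixed marker such as `-ExecutingUser 'CIPP-Standards'` so the log shows who made the change. The `$Template.value` interpolated into the `RowKey eq '...'` filter comes from the standards table, so it is admin-controlled, but quoting it via a parameterised filter would be safer than string building.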
@@ -4,21 +4,28 @@ function Invoke-DelegateSentItems { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - + $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ RecipientTypeDetails = @('UserMailbox', 'SharedMailbox') } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false } - try { - $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ RecipientTypeDetails = @('UserMailbox', 'SharedMailbox') } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false } | ForEach-Object { - try { - $username = $_.UserPrincipalName - New-ExoRequest -tenantid $Tenant -cmdlet 'set-mailbox' -cmdParams @{Identity = $_.GUID ; MessageCopyForSendOnBehalfEnabled = $True; MessageCopyForSentAsEnabled = $True } -anchor $username - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not enable delegate sent item style for $($username): $($_.Exception.message)" -sev Warn - } - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Delegate Sent Items Style enabled.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Delegate Sent Items Style. Error: $($_.exception.message)" -sev Error + If ($Settings.Remediate) { + try { + $Mailboxes | ForEach-Object { + try { + $username = $_.UserPrincipalName + New-ExoRequest -tenantid $Tenant -cmdlet 'set-mailbox' -cmdParams @{Identity = $_.GUID ; MessageCopyForSendOnBehalfEnabled = $True; MessageCopyForSentAsEnabled = $True } -anchor $username + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not enable delegate sent item style for $($username): $($_.Exception.message)" -sev Warn + } + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Delegate Sent Items Style enabled.' 
-sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Delegate Sent Items Style. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($Mailboxes) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Delegate Sent Items Style is not enabled for $($mailboxes.count) users" -sev Alert + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Delegate Sent Items Style is enabled' -sev Info + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 index ae7ff8d8034c..743da5010f15 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 
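Review bot: `$Mailboxes` is the set of mailboxes that were non-compliant before remediation, and the Alert branch reuses that same list, so a run with both Remediate and Alert set logs "Delegate Sent Items Style is not enabled for N users" right after fixing those N mailboxes. Either re-run the `Get-Mailbox` query inside `if ($Settings.Alert)` or only alert on the mailboxes whose `set-mailbox` call failed (the inner `catch` already identifies them). The outer success log "Delegate Sent Items Style enabled." is also written even when every inner `set-mailbox` failed with a Warn, which makes the Info line misleading.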
@@ -5,15 +5,21 @@ function Invoke-DeletedUserRentention { #> param($Tenant, $Settings) If ($Settings.Remediate) { - + try { + $body = '{"deletedUserPersonalSiteRetentionPeriodInDays": 365}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type PATCH -Body $body -ContentType 'application/json' - try { - $body = '{"deletedUserPersonalSiteRetentionPeriodInDays": 365}' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type PATCH -Body $body -ContentType 'application/json' - - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Set deleted user rentention of OneDrive to 1 year' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set deleted user rentention of OneDrive to 1 year: $($_.exception.message)" -sev Error + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Set deleted user rentention of OneDrive to 1 year' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set deleted user rentention of OneDrive to 1 year: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true + if ($CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays -eq 365) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deleted user rentention of OneDrive is set to 1 year' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deleted user rentention of OneDrive is not set to 1 year' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 index dcb593f6d66a..413bc84ef307 100644 
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 @@ -5,10 +5,8 @@ function Invoke-DisableAddShortcutsToOneDrive { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - function GetTenantRequestXml { - return @' + function GetTenantRequestXml { + return @' @@ -25,17 +23,17 @@ function Invoke-DisableAddShortcutsToOneDrive { '@ - } + } - function GetDisableAddShortcutsToOneDriveXml { - param( - [string]$identity - ) + function GetDisableAddShortcutsToOneDriveXml { + param( + [string]$identity + ) - # the json object gives us a space and a newline :( - $identity = $identity.Replace(' ', '') - $identity = $identity.Replace("`n", ' ') - return @" + # the json object gives us a space and a newline :( + $identity = $identity.Replace(' ', '') + $identity = $identity.Replace("`n", ' ') + return @" 
@@ -49,48 +47,48 @@ function Invoke-DisableAddShortcutsToOneDrive { "@ - } - - $log = @{ - API = 'Standards' - tenant = $tenant - message = '' - sev = 'Info' - } - - try { - $OnMicrosoft = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $tenant | - Where-Object -Property isInitial -EQ $true).id.split('.') | Select-Object -First 1 - $AdminUrl = "https://$($OnMicrosoft)-admin.sharepoint.com" - $graphRequest = @{ - 'scope' = "$AdminURL/.default" - 'tenantid' = $tenant - 'uri' = "$AdminURL/_vti_bin/client.svc/ProcessQuery" - 'type' = 'POST' - 'body' = GetTenantRequestXml - 'ContentType' = 'text/xml' } - $response = New-GraphPostRequest @graphRequest - if (!$response.ErrorInfo.ErrorMessage) { - $log.message = 'Received Tenant from Sharepoint' - Write-LogMessage @log + $log = @{ + API = 'Standards' + tenant = $tenant + message = '' + sev = 'Info' } - $graphRequest.Body = GetDisableAddShortcutsToOneDriveXml -identity $response._ObjectIdentity_ - $response = New-GraphPostRequest @graphRequest + try { + $OnMicrosoft = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains?$top=999' -tenantid $tenant | + Where-Object -Property isInitial -EQ $true).id.split('.') | Select-Object -First 1 + $AdminUrl = "https://$($OnMicrosoft)-admin.sharepoint.com" + $graphRequest = @{ + 'scope' = "$AdminURL/.default" + 'tenantid' = $tenant + 'uri' = "$AdminURL/_vti_bin/client.svc/ProcessQuery" + 'type' = 'POST' + 'body' = GetTenantRequestXml + 'ContentType' = 'text/xml' + } + + $response = New-GraphPostRequest @graphRequest + if (!$response.ErrorInfo.ErrorMessage) { + $log.message = 'Received Tenant from Sharepoint' + Write-LogMessage @log + } + + $graphRequest.Body = GetDisableAddShortcutsToOneDriveXml -identity $response._ObjectIdentity_ + $response = New-GraphPostRequest @graphRequest - if (!$response.ErrorInfo.ErrorMessage) { - $log.message = "Set DisableAddShortcutsToOneDrive to True on $tenant" - } else { - $log.message = "Unable to 
set DisableAddShortcutsToOneDrive to True ` + if (!$response.ErrorInfo.ErrorMessage) { + $log.message = "Set DisableAddShortcutsToOneDrive to True on $tenant" + } else { + $log.message = "Unable to set DisableAddShortcutsToOneDrive to True ` on $($Tenant, $Settings): $($response.ErrorInfo.ErrorMessage)" + } + } catch { + $log.message = "Failed to set OneDrive shortcut: $($_.Exception.Message)" + $log.sev = 'Error' } - } catch { - $log.message = "Failed to set OneDrive shortcut: $($_.Exception.Message)" - $log.sev = 'Error' - } - Write-LogMessage @log -} + Write-LogMessage @log + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 index cbcaf3fb8e03..86e879172545 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 @@ -1,11 +1,8 @@ function Invoke-DisableBasicAuth { - <# + <# .FUNCTIONALITY Internal #> - param($Tenant, $Settings) - If ($Settings.Remediate) { - - Write-LogMessage -API 'Standards' -tenant $tenant -message "Basic Authentication is disabled by default. SMTP authentication is still allowed. Please use the standard 'Disable SMTP Basic Authentication' to disable" -sev Info -} + param($Tenant, $Settings) + Write-LogMessage -API 'Standards' -tenant $tenant -message "Basic Authentication is disabled by default. SMTP authentication is still allowed. Please use the standard 'Disable SMTP Basic Authentication' to disable" -sev Info } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 index 8caa06cc3e51..4eed13b071bd 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 
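Review bot: The failure message still interpolates `$($Tenant, $Settings)`, which renders an array of the tenant id and the whole settings object rather than the tenant name; it looks like a leftover from the mechanical parameter rename and should read `on $($Tenant): $($response.ErrorInfo.ErrorMessage)`. Unlike the other standards in this patch, no Alert branch is added here, and the first `New-GraphPostRequest` result is only checked for `ErrorInfo.ErrorMessage` while `$response._ObjectIdentity_` is used unconditionally afterwards, so a failed tenant lookup feeds an empty identity into the second CSOM request. The enclosing function starts in an earlier hunk.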
@@ -5,13 +5,19 @@ function Invoke-DisableBasicAuthSMTP { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - try { - $Request = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled SMTP Basic Authentication' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication: $($_.exception.message)" -sev Error + try { + $Request = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled SMTP Basic Authentication' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig' + if ($CurrentInfo.SmtpClientAuthenticationDisabled) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is disabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is not disabled' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 index ec4bf6be093d..00a9d5e21177 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 
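Review bot: The new `if ($Settings.Alert)` branch calls `New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig'` outside any try/catch, so a failed or throttled request aborts the function with an unhandled exception instead of the Error-level log entry the Remediate branch produces on failure. Wrapping the fetch and its two Write-LogMessage calls in `try { ... } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to check SMTP Basic Authentication: $($_.exception.message)" -sev Error }` keeps the alert path consistent with the remediation path. The same unguarded Alert-branch fetch appears in the hunks for Invoke-DisableGuestDirectory, Invoke-DisableReshare, Invoke-DisableSecurityGroupUsers, Invoke-DisableTenantCreation, Invoke-DisableUserSiteCreate and Invoke-EnableFIDO2. The `$Request = New-ExoRequest ...` value in the Remediate branch is never read and the assignment could be dropped. The opening lines of Invoke-DisableBasicAuthSMTP are outside the hunk.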
@@ -7,13 +7,22 @@ function Invoke-DisableGuestDirectory { If ($Settings.Remediate) { - try { - $body = '{guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b"}' + try { + $body = '{guestUserRoleId: "2af84b1e-32c8-42b7-82bc-daa82404023b"}' (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $body -ContentType 'application/json') - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Guest access to directory information.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Guest access to directory information.: $($_.exception.message)" -sev 'Error' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Guest access to directory information.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Guest access to directory information.: $($_.exception.message)" -sev 'Error' + } + } + + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant + if ($CurrentInfo.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest access to directory information is disabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest access to directory information is not disabled.' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 index bf434e4f1eca..31de4720c7df 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 
@@ -4,19 +4,25 @@ function Invoke-DisableGuests { Internal #> param($Tenant, $Settings) + $lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o') + $GraphRequest = New-GraphgetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastSignInDateTime le $lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant | Where-Object { $_.userType -EQ 'Guest' -and $_.AccountEnabled -EQ $true } + If ($Settings.Remediate) { - - - try { - $lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o') - $GraphRequest = New-GraphgetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastSignInDateTime le $lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant | Where-Object { $_.userType -EQ 'Guest' -and $_.AccountEnabled -EQ $true } - foreach ($guest in $GraphRequest) { - New-GraphPostRequest -type Patch -tenantid $tenant -uri "https://graph.microsoft.com/beta/users/$($guest.id)" -body '{"accountEnabled":"false"}' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabling guest $($guest.UserPrincipalName) ($($guest.id))" -sev Info + try { + foreach ($guest in $GraphRequest) { + New-GraphPostRequest -type Patch -tenantid $tenant -uri "https://graph.microsoft.com/beta/users/$($guest.id)" -body '{"accountEnabled":"false"}' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabling guest $($guest.UserPrincipalName) ($($guest.id))" -sev Info + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled guests accounts with a login longer than 90 days ago.' 
-sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests older than 90 days: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($GraphRequest) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Guests accounts with a login longer than 90 days ago: $($GraphRequest.count)" -sev Alert + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'No guests accounts with a login longer than 90 days ago.' -sev Info } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled guests accounts with a login longer than 90 days ago.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests older than 90 days: $($_.exception.message)" -sev Error } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 index 75cf98aa7565..5696ff218071 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 
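Review bot: The Graph query that builds `$GraphRequest` now runs unconditionally at the top of the function, before either `$Settings.Remediate` or `$Settings.Alert` is checked and outside the try/catch, so a tenant with neither option set still pays for the call and a failure there surfaces as an unhandled exception rather than a logged Error. Guarding it with `if ($Settings.Remediate -or $Settings.Alert) { ... }` and giving it its own try/catch keeps failure reporting consistent with the Remediate branch. The same hoisted, unguarded fetch appears in the hunks for Invoke-DisableM365GroupUsers, Invoke-DisableSharedMailbox, Invoke-DisableViva, Invoke-EnableAppConsentRequests and Invoke-EnableOnlineArchiving. The Alert text `Guests accounts with a login longer than 90 days ago` reads awkwardly; `Guest accounts whose last sign-in is more than 90 days ago: $($GraphRequest.count)` is clearer. The function's docblock and param line start outside the hunk.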
@@ -4,23 +4,34 @@ function Invoke-DisableM365GroupUsers { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - + $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' - try { - $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' - if (!$CurrentState) { - #if no current configuration is found, we set it to the default template supplied by MS. - $CurrentState = '{"id":"","displayName":"Group.Unified","templateId":"62375ab9-6b52-47ed-826b-58e47e0e304b","values":[{"name":"NewUnifiedGroupWritebackDefault","value":"true"},{"name":"EnableMIPLabels","value":"false"},{"name":"CustomBlockedWordsList","value":""},{"name":"EnableMSStandardBlockedWords","value":"false"},{"name":"ClassificationDescriptions","value":""},{"name":"DefaultClassification","value":""},{"name":"PrefixSuffixNamingRequirement","value":""},{"name":"AllowGuestsToBeGroupOwner","value":"false"},{"name":"AllowGuestsToAccessGroups","value":"true"},{"name":"GuestUsageGuidelinesUrl","value":""},{"name":"GroupCreationAllowedGroupId","value":""},{"name":"AllowToAddGuests","value":"true"},{"name":"UsageGuidelinesUrl","value":""},{"name":"ClassificationList","value":""},{"name":"EnableGroupCreation","value":"true"}]}' + If ($Settings.Remediate) { + try { + if (!$CurrentState) { + #if no current configuration is found, we set it to the default template supplied by MS. 
+ $CurrentState = '{"id":"","displayName":"Group.Unified","templateId":"62375ab9-6b52-47ed-826b-58e47e0e304b","values":[{"name":"NewUnifiedGroupWritebackDefault","value":"true"},{"name":"EnableMIPLabels","value":"false"},{"name":"CustomBlockedWordsList","value":""},{"name":"EnableMSStandardBlockedWords","value":"false"},{"name":"ClassificationDescriptions","value":""},{"name":"DefaultClassification","value":""},{"name":"PrefixSuffixNamingRequirement","value":""},{"name":"AllowGuestsToBeGroupOwner","value":"false"},{"name":"AllowGuestsToAccessGroups","value":"true"},{"name":"GuestUsageGuidelinesUrl","value":""},{"name":"GroupCreationAllowedGroupId","value":""},{"name":"AllowToAddGuests","value":"true"},{"name":"UsageGuidelinesUrl","value":""},{"name":"ClassificationList","value":""},{"name":"EnableGroupCreation","value":"true"}]}' (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/settings/$($CurrentState.id)" -Type POST -Body $CurrentState -ContentType 'application/json') - $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' - } + $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' + } ($CurrentState.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value = 'false' - $body = "{values : $($CurrentState.values | ConvertTo-Json -Compress)}" + $body = "{values : $($CurrentState.values | ConvertTo-Json -Compress)}" (New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/settings/$($CurrentState.id)" -Type patch -Body $body -ContentType 'application/json') - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Disabled users from creating M365 Groups.' 
-sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating M365 Groups: $($_.exception.message)" -sev 'Error' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Disabled users from creating M365 Groups.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating M365 Groups: $($_.exception.message)" -sev 'Error' + } } -} + if ($Settings.Alert) { + if ($CurrentState) { + if (($CurrentState.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value -eq 'false') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are disabled from creating M365 Groups.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not disabled from creating M365 Groups.' -sev Alert + } + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not disabled from creating M365 Groups.' -sev Alert + } + } + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 index 547b951e399f..2caabfcc7842 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 
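Review bot: The Alert branch evaluates the in-memory `$CurrentState`, which the Remediate branch mutates with `.value = 'false'` before the PATCH is sent, so when both options are set and the PATCH throws, the catch logs an Error and the Alert branch still reports `Users are disabled from creating M365 Groups.` — the alert reflects the local object, not the tenant. Re-reading the setting with `New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant` at the start of the Alert branch makes the alert reflect the tenant's state; the same mutate-then-alert pattern is in the Invoke-EnableAppConsentRequests hunk, where `$CurrentInfo.isEnabled = 'true'` is set before the PUT. The two nested `else` branches in the Alert block log the identical Alert message and can be collapsed into `if ($CurrentState -and ($CurrentState.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value -eq 'false') {`. The function's opening lines are outside the hunk.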
@@ -16,4 +16,12 @@ function Invoke-DisableReshare { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests from resharing files: $($_.exception.message)" -sev Error } } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true + if ($CurrentInfo.isResharingByExternalUsersEnabled -eq $false) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guests are not allowed to reshare files' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guests are allowed to reshare files' -sev Alert + } + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 index d15b41960af3..530c6972793c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 
@@ -7,13 +7,22 @@ function Invoke-DisableSecurityGroupUsers { If ($Settings.Remediate) { - try { - $body = '{"defaultUserRolePermissions":{"allowedToCreateSecurityGroups":false}}' + try { + $body = '{"defaultUserRolePermissions":{"allowedToCreateSecurityGroups":false}}' (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $body -ContentType 'application/json') - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Disabled users from creating Security Groups.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating Security Groups: $($_.exception.message)" -sev 'Error' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Disabled users from creating Security Groups.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating Security Groups: $($_.exception.message)" -sev 'Error' + } + } + + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant + if ($CurrentInfo.defaultUserRolePermissions.allowedToCreateSecurityGroups -eq $false) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not allowed to create Security Groups.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are allowed to create Security Groups.' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 index 0ec508452d48..3da962665d0d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 
@@ -3,15 +3,8 @@ function Invoke-DisableSelfServiceLicenses { .FUNCTIONALITY Internal #> - param($Tenant, $Settings) - If ($Settings.Remediate) { - + param($Tenant, $Settings) - try { - Write-LogMessage "Standards API: $($Tenant, $Settings) failed to disable License Buy Self Service: $($exception.message)" -sev Error + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Self Service Licenses cannot be disabled' -sev Error - } catch { - Write-LogMessage "Standards API: $($Tenant, $Settings) failed to disable License Buy Self Service: $($exception.message)" -sev Error - } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 index 38e1fe42163a..b8e8adbc9e4a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 
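Review bot: With the `If ($Settings.Remediate)` guard removed, `Write-LogMessage -API 'Standards' -tenant $tenant -message 'Self Service Licenses cannot be disabled' -sev Error` now runs on every invocation regardless of what `$Settings` asks for, so a tenant with only Alert (or neither option) enabled for this standard gets an Error-level log entry each run, and `$Settings` is otherwise unused. If the intent is to tell the operator the standard is a no-op, gating it as `if ($Settings.Remediate -or $Settings.Alert) { ... }` and using `-sev Info` or `-sev Alert` avoids spurious Error entries. The function's opening lines are outside the hunk.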
@@ -4,15 +4,22 @@ function Invoke-DisableSharedMailbox { Internal #> param($Tenant, $Settings) + $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($Tenant)/Mailbox?`$filter=ExchangeUserAccountControl ne 'accountdisabled'" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) If ($Settings.Remediate) { try { - $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($Tenant, $Settings)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) | ForEach-Object { + $SharedMailboxList | ForEach-Object { New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/users/$($_.ObjectKey)" -type 'PATCH' -body '{"accountEnabled":"false"}' -tenantid $tenant } Write-LogMessage -API 'Standards' -tenant $tenant -message 'AAD Accounts for shared mailboxes disabled.' -sev Info - } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable AAD accounts for shared mailboxes. Error: $($_.exception.message)" -sev Error } } + if ($Settings.Alert) { + if ($SharedMailboxList) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Shared mailboxes with enabled accounts: $($SharedMailboxList.count)" -sev Alert + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'No AAD accounts enables for shared mailboxes.' -sev Info + } + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 index 29f3fb2a2933..87f99399cda5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 
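Review bot: The Alert-branch message `'No AAD accounts enables for shared mailboxes.'` has a typo; `'No AAD accounts enabled for shared mailboxes.'` reads correctly. The count message would also be clearer as `"Shared mailboxes with enabled AAD accounts: $($SharedMailboxList.count)"`, matching the wording of the Remediate-branch messages. The function's opening lines are outside the hunk.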
@@ -5,14 +5,20 @@ function Invoke-DisableTenantCreation { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - try { - $body = '{"defaultUserRolePermissions":{"allowedToCreateTenants":false}}' + try { + $body = '{"defaultUserRolePermissions":{"allowedToCreateTenants":false}}' (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $body -ContentType 'application/json') - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Disabled users from creating tenants.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating tenants: $($_.exception.message)" -sev 'Error' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Disabled users from creating tenants.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating tenants: $($_.exception.message)" -sev 'Error' + } + } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant + if ($CurrentInfo.defaultUserRolePermissions.allowedToCreateTenants -eq $false) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not allowed to create tenants.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are allowed to create tenants.' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 index 7f396db59bed..3b2082fe8c7d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 
@@ -5,14 +5,20 @@ function Invoke-DisableUserSiteCreate { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - try { - $body = '{"isSiteCreationEnabled": false}' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled standard users from creating sites' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable standard users from creating sites: $($_.exception.message)" -sev Error + try { + $body = '{"isSiteCreationEnabled": false}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled standard users from creating sites' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable standard users from creating sites: $($_.exception.message)" -sev Error + } } -} -} + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true + if ($CurrentInfo.isSiteCreationEnabled -eq $false) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standard users are not allowed to create sites' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standard users are allowed to create sites' -sev Alert + } + } +} \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 index 4ed120e3696a..70f12cfb134e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 
@@ -4,17 +4,21 @@ function Invoke-DisableViva { Internal #> param($Tenant, $Settings) + $currentsetting = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$tenant/settings/peopleInsights" -tenantid $Tenant -AsApp $true If ($Settings.Remediate) { - - - try { - $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { - (New-ExoRequest -tenantid $tenant -cmdlet 'Set-UserBriefingConfig' -cmdparams @{ Identity = $_.UserPrincipalName; Enabled = $false }) - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disable daily Viva reports' -sev Info + try { + New-GraphPOSTRequest -Uri "https://graph.microsoft.com/beta/organization/$tenant/settings/peopleInsights" -tenantid $Tenant -AsApp $true -Type PATCH -Body '{"isEnabledInOrganization": false}' -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Viva insights' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Viva for all users Error: $($_.exception.message)" -sev Error + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Viva for all users Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($currentsetting.isEnabled -eq $false) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Viva is disabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Viva is not disabled' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 index 7f1f628da02e..871aa39cd811 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 
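Review bot: The Alert branch tests `$currentsetting.isEnabled`, but the property the Remediate branch writes on the same peopleInsights resource is `isEnabledInOrganization`; if the GET returns the property under the same name the PATCH accepts, `isEnabled` is never present, `$null -eq $false` evaluates false, and the branch logs `Viva is not disabled` even after a successful remediation. Changing the check to `if ($currentsetting.isEnabledInOrganization -eq $false) {` aligns it with the PATCH body; worth confirming against a tenant where the setting is already disabled. The log messages still say 'Viva' while the endpoint is `settings/peopleInsights`, so `'Disabled Viva people insights'` / `'Viva people insights is disabled'` would be more precise. The function's opening lines are outside the hunk.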
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 
@@ -4,65 +4,71 @@ function Invoke-EnableAppConsentRequests { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - - try { - # Get current state - $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant + $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant - # Change state to enabled with default settings - $CurrentInfo.isEnabled = 'true' - $CurrentInfo.notifyReviewers = 'true' - $CurrentInfo.remindersEnabled = 'true' - $CurrentInfo.requestDurationInDays = 30 + If ($Settings.Remediate) { + try { + # Get current state - # Roles from standards table - $RolesToAdd = $Settings.ReviewerRoles.value - $RoleNames = $Settings.ReviewerRoles.label -join ', ' + # Change state to enabled with default settings + $CurrentInfo.isEnabled = 'true' + $CurrentInfo.notifyReviewers = 'true' + $CurrentInfo.remindersEnabled = 'true' + $CurrentInfo.requestDurationInDays = 30 - # Set default if no roles are selected - if (!$RolesToAdd) { - $RolesToAdd = @('62e90394-69f5-4237-9190-012177145e10') - $RoleNames = '(Default) Global Administrator' - } + # Roles from standards table + $RolesToAdd = $Settings.ReviewerRoles.value + $RoleNames = $Settings.ReviewerRoles.label -join ', ' - $NewReviewers = foreach ($Role in $RolesToAdd) { - @{ - query = "/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$Role'" - queryType = 'MicrosoftGraph' - queryRoot = 'null' + # Set default if no roles are selected + if (!$RolesToAdd) { + $RolesToAdd = @('62e90394-69f5-4237-9190-012177145e10') + $RoleNames = '(Default) Global Administrator' } - } - # Add existing reviewers - $Reviewers = [System.Collections.Generic.List[object]]::new() - foreach ($Reviewer in $CurrentInfo.reviewers) { - $RoleFound = $false - foreach ($Role in $RolesToAdd) { - if ($Reviewer.query -match $Role -or $Reviewers.query -contains $Reviewer.query) { - 
$RoleFound = $true + $NewReviewers = foreach ($Role in $RolesToAdd) { + @{ + query = "/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '$Role'" + queryType = 'MicrosoftGraph' + queryRoot = 'null' } } - if (!$RoleFound) { - $Reviewers.add($Reviewer) + + # Add existing reviewers + $Reviewers = [System.Collections.Generic.List[object]]::new() + foreach ($Reviewer in $CurrentInfo.reviewers) { + $RoleFound = $false + foreach ($Role in $RolesToAdd) { + if ($Reviewer.query -match $Role -or $Reviewers.query -contains $Reviewer.query) { + $RoleFound = $true + } + } + if (!$RoleFound) { + $Reviewers.add($Reviewer) + } } - } - # Add new reviewer roles - foreach ($NewReviewer in $NewReviewers) { - $Reviewers.add($NewReviewer) - } + # Add new reviewer roles + foreach ($NewReviewer in $NewReviewers) { + $Reviewers.add($NewReviewer) + } - # Update reviewer list - $CurrentInfo.reviewers = @($Reviewers) - $body = (ConvertTo-Json -Compress -Depth 10 -InputObject $CurrentInfo) + # Update reviewer list + $CurrentInfo.reviewers = @($Reviewers) + $body = (ConvertTo-Json -Compress -Depth 10 -InputObject $CurrentInfo) - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -Type put -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Enabled App consent admin requests for the following roles: $RoleNames" -sev Info + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -Type put -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Enabled App consent admin requests for the following roles: $RoleNames" -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable App consent admin requests. 
Error: $($_.exception.message)" -sev Error + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable App consent admin requests. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($CurrentInfo.isEnabled -eq 'true') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'App consent admin requests are enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'App consent admin requests are disabled' -sev Alert + } } - -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 index 4118f798ca03..acbe12694677 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 
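Review bot: The `# Get current state` comment inside the `try` block now has nothing under it — the `$CurrentInfo = New-GraphGetRequest ...` line it described was hoisted above `If ($Settings.Remediate)` — so it should be deleted from the try block or moved to sit directly above the hoisted fetch. The `# Change state to enabled with default settings` comment that follows would then be the first line of the try body, which reads correctly. The function's docblock and param line start outside the hunk.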
@@ -7,12 +7,21 @@ function Invoke-EnableFIDO2 { If ($Settings.Remediate) { - try { - $body = '{"@odata.type":"#microsoft.graph.fido2AuthenticationMethodConfiguration","id":"Fido2","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","displayName":"All users"}],"excludeTargets":[],"isAttestationEnforced":true,"isSelfServiceRegistrationAllowed":true,"keyRestrictions":{"aaGuids":[],"enforcementType":"block","isEnforced":false},"state":"enabled"}' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Fido2' -Type patch -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled FIDO2 Support' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable FIDO2 Support: $($_.exception.message)" -sev Error + try { + $body = '{"@odata.type":"#microsoft.graph.fido2AuthenticationMethodConfiguration","id":"Fido2","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","displayName":"All users"}],"excludeTargets":[],"isAttestationEnforced":true,"isSelfServiceRegistrationAllowed":true,"keyRestrictions":{"aaGuids":[],"enforcementType":"block","isEnforced":false},"state":"enabled"}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Fido2' -Type patch -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled FIDO2 Support' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable FIDO2 Support: $($_.exception.message)" -sev Error + } + } + + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Fido2' -tenantid 
$Tenant + if ($CurrentInfo.state -eq 'enabled') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'FIDO2 Support is enabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'FIDO2 Support is not enabled' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 index a11ef12264a8..429bb5f226cf 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 
@@ -4,17 +4,25 @@ function Invoke-EnableOnlineArchiving { Internal #> param($Tenant, $Settings) + $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'ArchiveGuid -Eq "00000000-0000-0000-0000-000000000000" -AND RecipientTypeDetails -Eq "UserMailbox"' }) If ($Settings.Remediate) { - try { - $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'ArchiveGuid -Eq "00000000-0000-0000-0000-000000000000" -AND RecipientTypeDetails -Eq "UserMailbox"' }) | ForEach-Object { + try { + $MailboxesNoArchive | ForEach-Object { (New-ExoRequest -tenantid $tenant -cmdlet 'enable-Mailbox' -cmdparams @{ Identity = $_.UserPrincipalName; Archive = $true }) - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Online Archiving for all accounts' -sev Info + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Online Archiving for all accounts' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to Enable Online Archiving for all accounts Error: $($_.exception.message)" -sev Error + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to Enable Online Archiving for all accounts Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($MailboxesNoArchive) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Mailboxes without Online Archiving: $($MailboxesNoArchive.count)" -sev Alert + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'All mailboxes have Online Archiving enabled' -sev Info + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 index 5bcece6f1373..5907a089cd28 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 
@@ -4,35 +4,35 @@ function Invoke-ExConnector { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.Remediate) { - - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExConnector - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ExConnector - } - $APINAME = 'Standards' - foreach ($Template in $Setting.TemplateList) { - try { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'ExConnectorTemplate' and RowKey eq '$($Template.value)'" - $connectorType = (Get-AzDataTableEntity @Table -Filter $Filter).direction - $RequestParams = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenant -cmdlet "Get-$($ConnectorType)connector" | Where-Object -Property Identity -EQ $RequestParams.name - if ($Existing) { - $RequestParams | Add-Member -NotePropertyValue $Existing.Identity -NotePropertyName Identity -Force - $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "Set-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true - Write-LogMessage -API $APINAME -tenant $Tenant -message "Updated transport rule for $($Tenant, $Settings)" -sev info - } else { - $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "New-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true - Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($Tenant, $Settings)" -sev info + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExConnector + if (!$Setting) { + 
$Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ExConnector + } + $APINAME = 'Standards' + foreach ($Template in $Setting.TemplateList) { + try { + $Table = Get-CippTable -tablename 'templates' + $Filter = "PartitionKey eq 'ExConnectorTemplate' and RowKey eq '$($Template.value)'" + $connectorType = (Get-AzDataTableEntity @Table -Filter $Filter).direction + $RequestParams = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json + $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenant -cmdlet "Get-$($ConnectorType)connector" | Where-Object -Property Identity -EQ $RequestParams.name + if ($Existing) { + $RequestParams | Add-Member -NotePropertyValue $Existing.Identity -NotePropertyName Identity -Force + $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "Set-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true + Write-LogMessage -API $APINAME -tenant $Tenant -message "Updated transport rule for $($Tenant, $Settings)" -sev info + } else { + $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet "New-$($ConnectorType)connector" -cmdParams $RequestParams -useSystemMailbox $true + Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($Tenant, $Settings)" -sev info + } + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Exchange Connector Rule: $($_.exception.message)" -sev 'Error' } - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Exchange Connector Rule: $($_.exception.message)" -sev 'Error' + } } } -} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 index 3c025b242560..0cbad0d88604 100644 
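Review bot: The two `Write-LogMessage` calls on the new side interpolate `$($Tenant, $Settings)`, which expands a two-element array (the tenant name followed by the stringified settings object) into the message, and the text says "transport rule" although the code manages connectors; both should read `"Updated connector $($RequestParams.name) for $Tenant"` / `"Created connector $($RequestParams.name) for $Tenant"`. The same `$($Tenant, $Settings)` expansion recurs in the GroupTemplate hunk, where it lands in the domain part of the generated `PrimarySmtpAddress`, and in nearly every `-tenant` argument of the IntuneTemplate hunk. Separately, `Get-$($ConnectorType)connector` is called with `-ErrorAction SilentlyContinue`; if New-ExoRequest honours that, a failed lookup leaves `$Existing` empty and the code falls through to `New-$($ConnectorType)connector`, so a transient error can create a duplicate connector on each run rather than updating the existing one. Invoke-ExConnector's signature is above the hunk.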
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 @@ -4,16 +4,24 @@ function Invoke-ExcludedfileExt { Internal #> param($Tenant, $Settings) + $Exts = $Settings.ext -split ',' If ($Settings.Remediate) { - try { - $Exts = $Settings.ext -split ',' - $body = ConvertTo-Json -InputObject @{ excludedFileExtensionsForSyncApp = @($Exts) } - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Added $($Settings.ext) to excluded synced files" -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to add $($Settings.ext) to excluded synced files: $($_.exception.message)" -sev Error + try { + $body = ConvertTo-Json -InputObject @{ excludedFileExtensionsForSyncApp = @($Exts) } + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Added $($Settings.ext) to excluded synced files" -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to add $($Settings.ext) to excluded synced files: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true + if ($CurrentInfo.excludedFileExtensionsForSyncApp -contains $Exts) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Excluded synced files contains $($Settings.ext)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Excluded synced files does not contain $($Settings.ext)" -sev Alert + } } -} } 
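Review bot: The new Alert check `$CurrentInfo.excludedFileExtensionsForSyncApp -contains $Exts` compares the tenant's list against the whole `$Exts` array as one element, so with more than one configured extension it never matches and the standard alerts even when every extension is already excluded. Compare element-wise instead, e.g. `$Missing = $Exts | Where-Object { $CurrentInfo.excludedFileExtensionsForSyncApp -notcontains $_ }` and then `if (-not $Missing)`; trimming entries when splitting, `$Exts = ($Settings.ext -split ',').Trim()`, avoids the same false alert for input like `exe, bat`. Note that the Alert branch's `New-GraphGetRequest` sits outside any try/catch, so a Graph failure there surfaces as an unhandled error rather than a logbook entry. Invoke-ExcludedfileExt's signature is above the hunk.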
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 index f3c4bad42596..d0ed809a6b15 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 
@@ -4,64 +4,62 @@ function Invoke-GroupTemplate { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.Remediate) { - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.GroupTemplate - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.GroupTemplate - } - - + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.GroupTemplate + if (!$Setting) { + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.GroupTemplate + } - foreach ($Template in $Setting.TemplateList) { - try { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'GroupTemplate' and RowKey eq '$($Template.value)'" - $groupobj = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($Tenant, $Settings)" } - $CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant | Where-Object -Property displayName -EQ $groupobj.displayname - if (!$CheckExististing) { - if ($groupobj.groupType -in 'Generic', 'azurerole', 'dynamic') { + foreach ($Template in $Setting.TemplateList) { + try { + $Table = Get-CippTable -tablename 'templates' + $Filter = "PartitionKey eq 'GroupTemplate' and RowKey eq '$($Template.value)'" + $groupobj = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json + $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { 
"$($groupobj.username)@$($Tenant, $Settings)" } + $CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant | Where-Object -Property displayName -EQ $groupobj.displayname + if (!$CheckExististing) { + if ($groupobj.groupType -in 'Generic', 'azurerole', 'dynamic') { - $BodyToship = [pscustomobject] @{ - 'displayName' = $groupobj.Displayname - 'description' = $groupobj.Description - 'mailNickname' = $groupobj.username - mailEnabled = [bool]$false - securityEnabled = [bool]$true - isAssignableToRole = [bool]($groupobj | Where-Object -Property groupType -EQ 'AzureRole') + $BodyToship = [pscustomobject] @{ + 'displayName' = $groupobj.Displayname + 'description' = $groupobj.Description + 'mailNickname' = $groupobj.username + mailEnabled = [bool]$false + securityEnabled = [bool]$true + isAssignableToRole = [bool]($groupobj | Where-Object -Property groupType -EQ 'AzureRole') - } - if ($groupobj.membershipRules) { - $BodyToship | Add-Member -NotePropertyName 'membershipRule' -NotePropertyValue ($groupobj.membershipRules) - $BodyToship | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('DynamicMembership') - $BodyToship | Add-Member -NotePropertyName 'membershipRuleProcessingState' -NotePropertyValue 'On' - } - $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant -type POST -body (ConvertTo-Json -InputObject $BodyToship -Depth 10) -verbose - } else { - $Params = @{ - Name = $groupobj.Displayname - Alias = $groupobj.username - Description = $groupobj.Description - PrimarySmtpAddress = $email - Type = $groupobj.groupType - RequireSenderAuthenticationEnabled = [bool]!$groupobj.AllowExternal + } + if ($groupobj.membershipRules) { + $BodyToship | Add-Member -NotePropertyName 'membershipRule' -NotePropertyValue ($groupobj.membershipRules) + $BodyToship | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('DynamicMembership') + $BodyToship | Add-Member 
-NotePropertyName 'membershipRuleProcessingState' -NotePropertyValue 'On' + } + $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant -type POST -body (ConvertTo-Json -InputObject $BodyToship -Depth 10) -verbose + } else { + $Params = @{ + Name = $groupobj.Displayname + Alias = $groupobj.username + Description = $groupobj.Description + PrimarySmtpAddress = $email + Type = $groupobj.groupType + RequireSenderAuthenticationEnabled = [bool]!$groupobj.AllowExternal + } + $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params } - $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params - } - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id) " -Sev 'Info' + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id) " -Sev 'Info' - } else { - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -tenant $tenant -message "Group exists $($groupobj.displayname). Did not create" -Sev 'Info' + } else { + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -tenant $tenant -message "Group exists $($groupobj.displayname). Did not create" -Sev 'Info' + } + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create group: $($_.exception.message)" -sev 'Error' } - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create group: $($_.exception.message)" -sev 'Error' } - } -} + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 index 1b2963675788..3f3c2271e520 100644 
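Review bot: Both `Write-LogMessage -user $request.headers.'x-ms-client-principal'` calls on the new side reference `$request`, which this function never defines (its param block declares only `$Tenant` and `$Settings`), so unless a caller sets it in an enclosing scope the `-user` argument is `$null` and the group-creation audit entry carries no actor. If standards run outside an HTTP request context, drop the `-user` argument or pass a fixed marker such as `'CIPP-Standards'` (constructed example) so log consumers can distinguish automated group creation from operator actions. `$GraphRequest.id` is also logged for the distribution-group path, where `New-ExoRequest ... 'New-DistributionGroup'` may not return an object with an `id` property; hedged, but worth confirming. Invoke-GroupTemplate's signature is above the hunk.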
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 
@@ -4,90 +4,90 @@ function Invoke-IntuneTemplate { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.Remediate) { - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.IntuneTemplate - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.IntuneTemplate - } + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.IntuneTemplate + if (!$Setting) { + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.IntuneTemplate + } - $APINAME = 'Standards' - foreach ($Template in $Setting.TemplateList) { - try { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'IntuneTemplate'" - $Request = @{body = $null } - $Request.body = (Get-AzDataTableEntity @Table -Filter $Filter | Where-Object -Property RowKey -Like "$($template.value)*").JSON | ConvertFrom-Json - $displayname = $request.body.Displayname - $description = $request.body.Description - $AssignTo = if ($request.body.Assignto -ne 'on') { $request.body.Assignto } - $RawJSON = $Request.body.RawJSON + $APINAME = 'Standards' + foreach ($Template in $Setting.TemplateList) { + try { + $Table = Get-CippTable -tablename 'templates' + $Filter = "PartitionKey eq 'IntuneTemplate'" + $Request = @{body = $null } + $Request.body = (Get-AzDataTableEntity @Table -Filter $Filter | Where-Object -Property RowKey -Like "$($template.value)*").JSON | ConvertFrom-Json + $displayname = $request.body.Displayname + $description = $request.body.Description + $AssignTo = if ($request.body.Assignto 
-ne 'on') { $request.body.Assignto } + $RawJSON = $Request.body.RawJSON - switch ($Request.body.Type) { - 'Admin' { - $TemplateTypeURL = 'groupPolicyConfigurations' - $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}' - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - if ($displayname -in $CheckExististing.displayName) { - $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname - $ExistingData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/definitionValues" -tenantid $tenant - $DeleteJson = $RawJSON | ConvertFrom-Json -Depth 10 - $DeleteJson.deletedIds = @($ExistingData.id) - $DeleteJson.added = @() - $DeleteJson = ConvertTo-Json -Depth 10 -InputObject $DeleteJson - $DeleteRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $DeleteJson - $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Updated policy $($Displayname) to template defaults" -Sev 'info' + switch ($Request.body.Type) { + 'Admin' { + $TemplateTypeURL = 'groupPolicyConfigurations' + $CreateBody = '{"description":"' + $description + '","displayName":"' + $displayname + '","roleScopeTagIds":["0"]}' + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + if ($displayname -in $CheckExististing.displayName) { + $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ 
$displayname + $ExistingData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/definitionValues" -tenantid $tenant + $DeleteJson = $RawJSON | ConvertFrom-Json -Depth 10 + $DeleteJson.deletedIds = @($ExistingData.id) + $DeleteJson.added = @() + $DeleteJson = ConvertTo-Json -Depth 10 -InputObject $DeleteJson + $DeleteRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $DeleteJson + $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Updated policy $($Displayname) to template defaults" -Sev 'info' - } else { - $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody - $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($Displayname) to template defaults" -Sev 'info' + } else { + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody + $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant 
$($Tenant, $Settings) -message "Added policy $($Displayname) to template defaults" -Sev 'info' + } } - } - 'Device' { - $TemplateTypeURL = 'deviceConfigurations' - $PolicyName = ($RawJSON | ConvertFrom-Json).displayName - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - if ($PolicyName -in $CheckExististing.displayName) { - $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $PolicyName - $PatchRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PATCH -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Updated policy $($PolicyName) to template defaults" -Sev 'info' + 'Device' { + $TemplateTypeURL = 'deviceConfigurations' + $PolicyName = ($RawJSON | ConvertFrom-Json).displayName + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + if ($PolicyName -in $CheckExististing.displayName) { + $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $PolicyName + $PatchRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PATCH -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Updated policy $($PolicyName) to template defaults" -Sev 'info' - } else { - $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($PolicyName) via template" -Sev 'info' + } else { + $CreateRequest = 
New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($PolicyName) via template" -Sev 'info' + } } - } - 'Catalog' { - $TemplateTypeURL = 'configurationPolicies' - $PolicyName = ($RawJSON | ConvertFrom-Json).Name - $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant - if ($PolicyName -in $CheckExististing.name) { - $ExistingID = $CheckExististing | Where-Object -Property Name -EQ $PolicyName - $PUTRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PUT -body $RawJSON + 'Catalog' { + $TemplateTypeURL = 'configurationPolicies' + $PolicyName = ($RawJSON | ConvertFrom-Json).Name + $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant + if ($PolicyName -in $CheckExististing.name) { + $ExistingID = $CheckExististing | Where-Object -Property Name -EQ $PolicyName + $PUTRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PUT -body $RawJSON - } else { - $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($PolicyName) via template" -Sev 'info' + } else { + $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 
$APINAME -tenant $($Tenant, $Settings) -message "Added policy $($PolicyName) via template" -Sev 'info' + } } - } + } + if ($AssignTo) { + $AssignBody = if ($AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } + $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Assigned policy $($Displayname) to $AssignTo" -Sev 'Info' + } + Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant, $Settings)" -sev 'Info' + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Intune Template: $($_.exception.message)" -sev 'Error' } - if ($AssignTo) { - $AssignBody = if ($AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' 
+ $($AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' } - $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody - Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Assigned policy $($Displayname) to $AssignTo" -Sev 'Info' - } - Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant, $Settings)" -sev 'Info' - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Intune Template: $($_.exception.message)" -sev 'Error' } } } -} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 index 430fd5eda5c2..60134bd5d4d5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 
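Review bot: In the `if ($AssignTo)` block on the new side the assignment POSTs to `$TemplateTypeURL('$($CreateRequest.id)')/assign`, but `$CreateRequest` is only assigned on the create branches; when an existing policy was updated, `$CreateRequest` is either unset or still holds the id from a previous iteration of `foreach ($Template ...)`, so the assignment targets an empty id or the wrong policy. Track the id in one variable on both paths and use it in the assign URI, as sketched below. The `'Admin'` branch also builds `$CreateBody` by string concatenation, so a double quote or backslash in a template's description or display name produces malformed or altered JSON; `$CreateBody = ConvertTo-Json -InputObject @{ description = $description; displayName = $displayname; roleScopeTagIds = @('0') } -Compress` escapes those characters correctly. Invoke-IntuneTemplate's signature is above the hunk.
```powershell
switch ($Request.body.Type) {
    'Admin' {
        # … unchanged: $TemplateTypeURL, $CreateBody, $CheckExististing lookup …
        if ($displayname -in $CheckExististing.displayName) {
            $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $displayname
            $PolicyId = $ExistingID.id
            # … unchanged: definition-value delete/update requests and log …
        } else {
            $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody
            $PolicyId = $CreateRequest.id
            # … unchanged: updateDefinitionValues request and log …
        }
    }
    # … 'Device' and 'Catalog' branches: set $PolicyId = $ExistingID.Id on the update path and $PolicyId = $CreateRequest.id on the create path in the same way …
}
if ($AssignTo) {
    # … unchanged: $AssignBody …
    $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$PolicyId')/assign" -tenantid $tenant -type POST -body $AssignBody
    # … unchanged: assignment log …
}
```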
@@ -4,29 +4,6 @@ function Invoke-LegacyMFA { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Per user MFA APIs have been disabled.' -sev Info - try { - $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default') - $tenantid = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant).customerId - $TrackingGuid = (New-Guid).GUID - $LogonPost = @" -http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnecturn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])50afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$($TrackingGuid)https://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion4 -"@ - $DataBlob = (Invoke-RestMethod -Method POST -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -ContentType 'application/soap+xml; charset=utf-8' -Body $LogonPost).envelope.header.BecContext.DataBlob.'#text' - $Users = Get-CIPPMSolUsers -tenant $tenant | Where-Object { ($_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.state -eq $null -and $_.UserPrincipalName -notlike 'Sync_*') } - foreach ($user in $users) { - Write-Host $user.UserPrincipalName - $MSOLXML = @" -http://provisioning.microsoftonline.com/IProvisioningWebService/SetUserurn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])$($DataBlob)9450afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$TrackingGuidhttps://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion16$($tenantid)$($User.ObjectID)*0001-01-01T00:00:00Enabled -"@ - $SetMFA = (Invoke-RestMethod -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -Method post -Body $MSOLXML -ContentType 'application/soap+xml; charset=utf-8') - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled per user MFA.' 
-sev Info - - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable (legacy) per user MFA: $($_.exception.message)" -sev 'Error' - } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 index 38e9599f7f9b..ed591fffdf03 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 
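Review bot: The replacement body logs `Per user MFA APIs have been disabled.` at Info on every invocation, regardless of `$Settings.Remediate` or `$Settings.Alert`, so the gate the removed `If ($Settings.Remediate)` provided is gone and the comment-based help above the hunk still presents the function as a working standard. Consider `if ($Settings.Remediate -or $Settings.Alert) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Per user MFA APIs have been disabled.' -sev Info }` and a line in the help block stating that the standard is retired and performs no changes. The LegacyMFACleanup hunk that follows has the same shape and would take the same treatment. Invoke-LegacyMFA's function line is above the hunk.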
@@ -4,64 +4,6 @@ function Invoke-LegacyMFACleanup { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Per User MFA APIs have been disabled.' -sev Info - try { - $AADGraphtoken = (Get-GraphToken -scope 'https://graph.windows.net/.default') - $tenantid = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $tenant).customerId - - try { - $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant) - $SecDefaults = $SecureDefaultsState.IsEnabled - Write-LogMessage -API 'Standards' -tenant $tenant -message "Security default state: $SecDefaults" -sev Debug - } catch { - $SecDefaults = $false - } - - if ($SecDefaults -eq $false) { - try { - $AllUsersCAPolicy = (New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?`$filter=(grantControls/builtInControls/any(b:b eq 'mfa') or grantControls/customAuthenticationFactors/any(c:c eq 'RequireDuoMfa')) and state eq 'enabled' and conditions/users/includeUsers/any(u:u eq 'All')&`$count=true" -ComplexFilter -tenantid $tenant).displayName - Write-LogMessage -API 'Standards' -tenant $tenant -message "All users CA policy: $AllUsersCAPolicy" -sev Debug - - if ($AllUsersCAPolicy) { - $AADPremiumUsers = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/?`$select=id,userPrincipalName&`$filter=assignedPlans/any(c:c/service eq 'AADPremiumService' and c/capabilityStatus eq 'Enabled')&`$count=true" -tenantid $tenant -ComplexFilter).userPrincipalName - Write-LogMessage -API 'Standards' -tenant $tenant -message "AAD Premium Users: $($AADPremiumUsers -join ', ')" -sev Debug - } - } catch { - $AllUsersCAPolicy = $false - } - } - - if ($SecDefaults -or $AllUsersCAPolicy) { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Tenant meets requirements for Legacy MFA cleanup' -sev Info - $TrackingGuid = 
(New-Guid).GUID - $LogonPost = @" -http://provisioning.microsoftonline.com/IProvisioningWebService/MsolConnecturn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])50afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$($TrackingGuid)https://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion4 -"@ - $DataBlob = (Invoke-RestMethod -Method POST -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -ContentType 'application/soap+xml; charset=utf-8' -Body $LogonPost).envelope.header.BecContext.DataBlob.'#text' - $Users = Get-CIPPMSolUsers -tenant $tenant | Where-Object { $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.State -eq 'Enabled' -or $_.StrongAuthenticationRequirements.StrongAuthenticationRequirement.State -EQ 'Enforced' } - if (($Users | Measure-Object | Select-Object -ExpandProperty Count) -gt 0) { - foreach ($user in $users) { - if ($AllUsersCAPolicy -and $AADPremiumUsers -notcontains $user.UserPrincipalName) { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Skipping user $($user.UserPrincipalName) does not have AAD Premium" -sev Debug - continue - } - Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabling legacy MFA for $($user.UserPrincipalName)" -sev Info - $MSOLXML = @" -http://provisioning.microsoftonline.com/IProvisioningWebService/SetUserurn:uuid:$TrackingGuidhttp://www.w3.org/2005/08/addressing/anonymous$($AADGraphtoken['Authorization'])$($DataBlob)9450afce61-c917-435b-8c6d-60aa5a8b8aa71.2.183.57Version47$TrackingGuidhttps://provisioningapi.microsoftonline.com/provisioningwebservice.svcVersion16$($tenantid)$($User.ObjectID) -"@ - $SetMFA = (Invoke-RestMethod -Uri 'https://provisioningapi.microsoftonline.com/provisioningwebservice.svc' -Method post -Body $MSOLXML -ContentType 'application/soap+xml; charset=utf-8') - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Legacy MFA cleanup complete.' 
-sev Info - } else { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'No Legacy MFA to cleanup.' -sev Info - } - } else { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unable to clean up per user MFA, tenant does not have Security Defaults or an all users CA policy requiring MFA' -sev Error - } - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to clean up (legacy) per user MFA: $($_.exception.message)" -sev 'Error' - } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 index ca74092ac4af..6df9cd79f472 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 
@@ -4,25 +4,47 @@ function Invoke-MailContacts { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - - - $contacts = $settings + $TenantID = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/organization' -tenantid $tenant) - try { - $TenantID = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/organization' -tenantid $tenant) - $Body = [pscustomobject]@{} - switch ($Contacts) { - { $Contacts.MarketingContact } { $body | Add-Member -NotePropertyName marketingNotificationEmails -NotePropertyValue @($Contacts.MarketingContact) } - { $Contacts.SecurityContact } { $body | Add-Member -NotePropertyName securityComplianceNotificationMails -NotePropertyValue @($Contacts.SecurityContact) } - { $Contacts.TechContact } { $body | Add-Member -NotePropertyName technicalNotificationMails -NotePropertyValue @($Contacts.TechContact) } - { $Contacts.GeneralContact } { $body | Add-Member -NotePropertyName privacyProfile -NotePropertyValue @{contactEmail = $Contacts.GeneralContact } } + If ($Settings.Remediate) { + + $contacts = $settings + try { + $Body = [pscustomobject]@{} + switch ($Contacts) { + { $Contacts.MarketingContact } { $body | Add-Member -NotePropertyName marketingNotificationEmails -NotePropertyValue @($Contacts.MarketingContact) } + { $Contacts.SecurityContact } { $body | Add-Member -NotePropertyName securityComplianceNotificationMails -NotePropertyValue @($Contacts.SecurityContact) } + { $Contacts.TechContact } { $body | Add-Member -NotePropertyName technicalNotificationMails -NotePropertyValue @($Contacts.TechContact) } + { $Contacts.GeneralContact } { $body | Add-Member -NotePropertyName privacyProfile -NotePropertyValue @{contactEmail = $Contacts.GeneralContact } } + } + Write-Host (ConvertTo-Json -InputObject $body) + New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -Type patch -Body (ConvertTo-Json -InputObject $body) -ContentType 'application/json' + Write-LogMessage 
-API 'Standards' -tenant $tenant -message "Contact email's set." -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set contact emails: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -tenantid $Tenant + if ($CurrentInfo.marketingNotificationEmails -eq $Contacts.MarketingContact) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Marketing contact email is set to $($Contacts.MarketingContact)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Marketing contact email is not set to $($Contacts.MarketingContact)" -sev Alert + } + if ($CurrentInfo.securityComplianceNotificationMails -eq $Contacts.SecurityContact) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Security contact email is set to $($Contacts.SecurityContact)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Security contact email is not set to $($Contacts.SecurityContact)" -sev Alert + } + if ($CurrentInfo.technicalNotificationMails -eq $Contacts.TechContact) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Technical contact email is set to $($Contacts.TechContact)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Technical contact email is not set to $($Contacts.TechContact)" -sev Alert + } + if ($CurrentInfo.privacyProfile.contactEmail -eq $Contacts.GeneralContact) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "General contact email is set to $($Contacts.GeneralContact)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message "General contact email is not set to $($Contacts.GeneralContact)" -sev Alert } - Write-Host (ConvertTo-Json -InputObject $body) - New-GraphPostRequest -tenantid $tenant -Uri 
"https://graph.microsoft.com/beta/organization/$($TenantID.id)" -Type patch -Body (ConvertTo-Json -InputObject $body) -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Contact email's set." -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set contact emails: $($_.exception.message)" -sev Error } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 index 62169c340363..dff45dc2a542 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 @@ -1,12 +1,10 @@ function Invoke-ModernAuth { - <# + <# .FUNCTIONALITY Internal #> - param($Tenant, $Settings) + param($Tenant, $Settings) If ($Settings.Remediate) { - - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Modern Authentication is enabled by default. This standard is no longer required.' -sev Info -} + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 index 6da92f6f84fd..17c0355ce1a2 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 
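Review bot: `$Contacts` is only assigned inside the `If ($Settings.Remediate)` branch (`$contacts = $settings`), so when only Alert is set every comparison in the new Alert block runs against `$null` and the "is not set to" messages print an empty address; move `$contacts = $settings` above the Remediate check so both branches see it. `$TenantID` is now fetched before and outside the `try`, so a failed Graph call throws out of the function with no "Failed to set contact emails" entry unless a caller handles it; the same unguarded pre-fetch is introduced in Invoke-OauthConsentLowSec, Invoke-PWcompanionAppAllowedState, Invoke-PasswordExpireDisabled, Invoke-RotateDKIM and Invoke-SecurityDefaults. The Alert block re-requests the organization object that `$TenantID` was already read from (both come from `/beta/organization`), so `$CurrentInfo = $TenantID` would likely save a call if the collection response carries the same notification fields. `Write-Host (ConvertTo-Json -InputObject $body)` is debug output left in the remediation path.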
@@ -5,21 +5,25 @@ function Invoke-NudgeMFA { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - Write-Output $Settings - - $status = if ($Settings.enable -and $Settings.disable) { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Nudge MFA setting' -sev Error - Exit - } elseif ($Settings.enable) { 'enabled' } else { 'disabled' } - Write-Output $status - try { - $body = '{"registrationEnforcement":{"authenticationMethodsRegistrationCampaign":{"snoozeDurationInDays":0,"state":"' + $status + '","excludeTargets":[],"includeTargets":[{"id":"all_users","targetType":"group","targetedAuthenticationMethod":"microsoftAuthenticator","displayName":"All users"}]}}}' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -Type patch -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "$status Authenticator App Nudge" -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to $status Authenticator App Nudge: $($_.exception.message)" -sev Error + $status = if ($Settings.enable -and $Settings.disable) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Nudge MFA setting' -sev Error + Exit + } elseif ($Settings.enable) { 'enabled' } else { 'disabled' } + Write-Output $status + try { + $body = '{"registrationEnforcement":{"authenticationMethodsRegistrationCampaign":{"snoozeDurationInDays":0,"state":"' + $status + '","excludeTargets":[],"includeTargets":[{"id":"all_users","targetType":"group","targetedAuthenticationMethod":"microsoftAuthenticator","displayName":"All users"}]}}}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -Type patch -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message "$status 
Authenticator App Nudge" -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to $status Authenticator App Nudge: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $Tenant + if ($CurrentInfo.registrationEnforcement.authenticationMethodsRegistrationCampaign.state -eq 'enabled') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Authenticator App Nudge is enabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Authenticator App Nudge is not enabled' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 index f99ccba2a522..560be8625312 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 
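Review bot: The new Alert branch is hard-wired to `'enabled'`, so a tenant whose standard is configured with `$Settings.disable` is flagged with an Alert every run even though remediation deliberately disabled the nudge. Because `$status` is computed inside the Remediate branch, the fix is to move the `$status = if (...)` block above `If ($Settings.Remediate)` and compare against it: `if ($CurrentInfo.registrationEnforcement.authenticationMethodsRegistrationCampaign.state -eq $status) {`. The retained `Exit` in the enable-and-disable case ends the hosting runspace rather than just this standard, which in a loop over many tenants stops all remaining work; `return` after the error log is the safer choice. `Write-Output $status` looks like leftover debugging.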
@@ -3,35 +3,43 @@ function Invoke-OauthConsent { .FUNCTIONALITY Internal #> - param($tenant) - $AllowedAppIdsForTenant = $Settings.AllowedApps -split ',' - try { + param($tenant, $settings) { $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) - if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('ManagePermissionGrantsForSelf.cipp-1sent-policy')) { - Write-Host 'Going to set' - - $Existing = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/' -tenantid $tenant) | Where-Object -Property id -EQ 'cipp-consent-policy' - if (!$Existing) { - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies' -Type POST -Body '{ "id":"cipp-consent-policy", "displayName":"Application Consent Policy", "description":"This policy controls the current application consent policies."}' -ContentType 'application/json' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST -Body '{"permissionClassification":"all","permissionType":"delegated","clientApplicationIds":["d414ee2d-73e5-4e5b-bb16-03ef55fea597"]}' -ContentType 'application/json' - } + + If ($Settings.Remediate) { + $AllowedAppIdsForTenant = $Settings.AllowedApps -split ',' try { - foreach ($AllowedApp in $AllowedAppIdsForTenant) { - Write-Host "$AllowedApp" - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST -Body ('{"permissionType": "delegated","clientApplicationIds": ["' + $AllowedApp + '"]}') -ContentType 'application/json' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST -Body ('{ "permissionType": "Application", 
"clientApplicationIds": ["' + $AllowedApp + '"] }') -ContentType 'application/json' + if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('ManagePermissionGrantsForSelf.cipp-1sent-policy')) { + $Existing = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/' -tenantid $tenant) | Where-Object -Property id -EQ 'cipp-consent-policy' + if (!$Existing) { + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies' -Type POST -Body '{ "id":"cipp-consent-policy", "displayName":"Application Consent Policy", "description":"This policy controls the current application consent policies."}' -ContentType 'application/json' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST -Body '{"permissionClassification":"all","permissionType":"delegated","clientApplicationIds":["d414ee2d-73e5-4e5b-bb16-03ef55fea597"]}' -ContentType 'application/json' + } + try { + foreach ($AllowedApp in $AllowedAppIdsForTenant) { + Write-Host "$AllowedApp" + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST -Body ('{"permissionType": "delegated","clientApplicationIds": ["' + $AllowedApp + '"]}') -ContentType 'application/json' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/permissionGrantPolicies/cipp-consent-policy/includes' -Type POST -Body ('{ "permissionType": "Application", "clientApplicationIds": ["' + $AllowedApp + '"] }') -ContentType 'application/json' + } + } catch { + "Could not add exclusions, probably already exist: $($_)" + } + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body 
'{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.cipp-consent-policy"]}' -ContentType 'application/json' + } + if ($AllowedAppIdsForTenant) { } + + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode has been enabled.' -sev Info } catch { - "Could not add exclusions, probably already exist: $($_)" + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode Error: $($_.exception.message)" -sev Error } - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.cipp-consent-policy"]}' -ContentType 'application/json' } - if ($AllowedAppIdsForTenant) { + if ($Settings.Alert) { + if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.cipp-consent-policy') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode is not enabled.' -sev Alert + } } - - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode has been enabled.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode Error: $($_.exception.message)" -sev Error } -} -} +} \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 index 44298bed5026..14c4b3ded717 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 
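Review bot: The new `param($tenant, $settings) {` line carries a stray `{`, balanced only by the added final `+}`; depending on how the parser treats a brace right after the param block this is either a parse error for the whole file or a script-block literal that is built and never invoked, and in both cases the standard does not run — drop the `{` and the matching trailing `}`. `$State` is read once before remediation, so when Remediate and Alert are both set the Alert branch compares the stale pre-PATCH value and reports "Application Consent Mode is not enabled." immediately after enabling it; the same snapshot-before-remediate pattern appears in Invoke-OauthConsentLowSec, Invoke-PasswordExpireDisabled, Invoke-RotateDKIM and Invoke-SecurityDefaults, and each should re-query (or set a local flag) after a successful write. The guard `-notin @('ManagePermissionGrantsForSelf.cipp-1sent-policy')` never matches the id the PATCH writes and the Alert check reads (`managePermissionGrantsForSelf.cipp-consent-policy`), so the policy and its includes are re-posted on every run and the "probably already exist" catch fires routinely. The empty `if ($AllowedAppIdsForTenant) { }` is dead code and could go.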
@@ -4,18 +4,23 @@ function Invoke-OauthConsentLowSec { Internal #> param($Tenant, $Settings) + $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) If ($Settings.Remediate) { - - - try { - $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) + try { + if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) { + Write-Host 'Going to set' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.microsoft-user-default-low"]}' -ContentType 'application/json' + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) has been enabled.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) { - Write-Host 'Going to set' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["managePermissionGrantsForSelf.microsoft-user-default-low"]}' -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is not enabled.' -sev Alert + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is enabled.' 
-sev Info } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) has been enabled.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $($_.exception.message)" -sev Error } } -} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 index e64248a72487..7457f547722f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 
@@ -5,14 +5,20 @@ function Invoke-OutBoundSpamAlert { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - $Contacts = $settings.OutboundSpamContact - - try { - New-ExoRequest -tenantid $tenant -cmdlet 'Set-HostedOutboundSpamFilterPolicy' -cmdparams @{ Identity = 'Default'; NotifyOutboundSpam = $true; NotifyOutboundSpamRecipients = $Contacts.OutboundSpamContact } -useSystemMailbox $true - Write-LogMessage -API 'Standards' -tenant $tenant -message "Set outbound spam filter alert to $($Contacts.OutboundSpamContact)" -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set outbound spam contact to $($Contacts.OutboundSpamContact). $($_.exception.message)" -sev Error + $Contacts = $settings.OutboundSpamContact + try { + New-ExoRequest -tenantid $tenant -cmdlet 'Set-HostedOutboundSpamFilterPolicy' -cmdparams @{ Identity = 'Default'; NotifyOutboundSpam = $true; NotifyOutboundSpamRecipients = $Contacts.OutboundSpamContact } -useSystemMailbox $true + Write-LogMessage -API 'Standards' -tenant $tenant -message "Set outbound spam filter alert to $($Contacts.OutboundSpamContact)" -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set outbound spam contact to $($Contacts.OutboundSpamContact). $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-HostedOutboundSpamFilterPolicy' -useSystemMailbox $true + if ($CurrentInfo.NotifyOutboundSpam -eq $true) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Outbound spam filter alert is set to $($CurrentInfo.NotifyOutboundSpamRecipients)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Outbound spam filter alert is not set' -sev Alert + } } -} } 
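Review bot: `$Contacts = $settings.OutboundSpamContact` followed by `$Contacts.OutboundSpamContact` dereferences the setting twice, so unless OutboundSpamContact is itself an object with an OutboundSpamContact member, `NotifyOutboundSpamRecipients` receives `$null` and the success log prints an empty address; Invoke-MailContacts in this same commit reads contact fields straight off `$Settings`, which suggests `$Contacts = $settings` is the intent. The new Alert branch only checks `NotifyOutboundSpam -eq $true` and never verifies that `$CurrentInfo.NotifyOutboundSpamRecipients` contains the configured contact, so a policy notifying the wrong mailbox passes as compliant; compare the recipients against the configured value as well.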
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 index cfa4281fb6d8..f178c89bc04c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 
@@ -4,42 +4,38 @@ function Invoke-PWcompanionAppAllowedState { Internal #> param($Tenant, $Settings) + $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type GET) If ($Settings.Remediate) { - - - $Setting = $Settings - - try { - - # Get current state of microsoftAuthenticator policy - $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type GET) - - # Remove number matching from featureSettings because this is now Microsoft enforced and shipping it returns an error - $authenticatorFeaturesState.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState') - - # Define feature body - $featureBody = @{ - state = $Setting.state - includeTarget = [PSCustomObject]@{ - targetType = 'group' - id = 'all_users' - } - excludeTarget = [PSCustomObject]@{ - targetType = 'group' - id = '00000000-0000-0000-0000-000000000000' + $Setting = $Settings + try { + # Get current state of microsoftAuthenticator policy + # Remove number matching from featureSettings because this is now Microsoft enforced and shipping it returns an error + $authenticatorFeaturesState.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState') + # Define feature body + $featureBody = @{ + state = $Setting.state + includeTarget = [PSCustomObject]@{ + targetType = 'group' + id = 'all_users' + } + excludeTarget = [PSCustomObject]@{ + targetType = 'group' + id = '00000000-0000-0000-0000-000000000000' + } } + $authenticatorFeaturesState.featureSettings.companionAppAllowedState = $featureBody + $body = $authenticatorFeaturesState | ConvertTo-Json -Depth 3 + (New-GraphPostRequest -tenantid $tenant -Uri 
'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json') + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled companionAppAllowedState.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable companionAppAllowedState. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($authenticatorFeaturesState.featureSettings.companionAppAllowedState.state -eq 'enabled') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'companionAppAllowedState is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'companionAppAllowedState is not enabled.' -sev Alert } - - # Set body for companionAppAllowedState - $authenticatorFeaturesState.featureSettings.companionAppAllowedState = $featureBody - - $body = $authenticatorFeaturesState | ConvertTo-Json -Depth 3 - - (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json') - - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled companionAppAllowedState.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable companionAppAllowedState. Error: $($_.exception.message)" -sev Error } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 index 9b611a7b523a..d3aec75aeb9f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 
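Review bot: The Alert branch reads `$authenticatorFeaturesState` after the Remediate branch has already overwritten `featureSettings.companionAppAllowedState` with `$featureBody` in memory, so with both flags set it reports the requested state rather than the tenant's actual state, even when the PATCH failed. It also compares against the literal `'enabled'` while remediation writes `$Setting.state`, so a standard configured to disable the companion app is alerted on every run. Snapshot the value right after the GET, `$currentState = $authenticatorFeaturesState.featureSettings.companionAppAllowedState.state`, and check `if ($currentState -eq $Settings.state) {` in the Alert branch. The retained comment "# Get current state of microsoftAuthenticator policy" now sits above the `Remove('numberMatchingRequiredState')` call with no GET beneath it and should move up next to the new top-level request. The success message "Enabled companionAppAllowedState." is logged regardless of which state was written.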
@@ -5,17 +5,22 @@ function Invoke-PWdisplayAppInformationRequiredState { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - try { - $body = @' + try { + $body = @' {"@odata.type":"#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration","id":"MicrosoftAuthenticator","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","authenticationMode":"any"}],"excludeTargets":[],"state":"enabled","isSoftwareOathEnabled":false,"featureSettings":{"displayLocationInformationRequiredState":{"state":"enabled","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}},"displayAppInformationRequiredState":{"state":"enabled","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}},"companionAppAllowedState":{"state":"default","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}}}} '@ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json') - - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled passwordless with Information and Number Matching.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable passwordless with Information and Number Matching. Error: $($_.exception.message)" -sev 'Error' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled passwordless with Information and Number Matching.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable passwordless with Information and Number Matching. 
Error: $($_.exception.message)" -sev 'Error' + } + } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant + if ($CurrentInfo.featureSettings.displayAppInformationRequiredState.state -eq 'enabled') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is not enabled.' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 index c189ac3041f1..2aa6ed8d9913 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 @@ -4,13 +4,5 @@ function Invoke-PWnumberMatchingRequiredState { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - - - try { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with number matching is now enabled by default.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable passwordless with Number Matching. Error: $($_.exception.message)" -sev 'Error' - } -} + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with number matching is now enabled by default.' -sev Info } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 index 1f4558d4c72b..895879b29f9f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 
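Review bot: The retained PATCH body replaces the entire microsoftAuthenticator configuration, not just `displayAppInformationRequiredState`: it also writes `companionAppAllowedState` back to `"default"`, sets `isSoftwareOathEnabled` to false and clears `excludeTargets`, so running this standard together with Invoke-PWcompanionAppAllowedState makes the two undo each other. A GET-modify-PATCH of the one feature setting, as the companion standard does, avoids that; the sketch below assumes the GET returns `featureSettings.displayAppInformationRequiredState`, which the new Alert branch already relies on. The log text "passwordless with Information and Number Matching" does not match a body that sets no numberMatchingRequiredState at all.
```powershell
try {
    $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant
    # numberMatchingRequiredState is rejected on write; strip it before sending the object back
    $CurrentInfo.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')
    $CurrentInfo.featureSettings.displayAppInformationRequiredState.state = 'enabled'
    $body = $CurrentInfo | ConvertTo-Json -Depth 3
    (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json')
    # … unchanged: success log, catch block …
```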
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 @@ -4,15 +4,20 @@ function Invoke-PasswordExpireDisabled { Internal #> param($Tenant, $Settings) + $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant If ($Settings.Remediate) { - - try { - $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object { - New-GraphPostRequest -type Patch -tenantid $Tenant -uri "https://graph.microsoft.com/beta/domains/$($_.id)" -body '{"passwordValidityPeriodInDays": 2147483647 }' + try { + $GraphRequest | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object { + New-GraphPostRequest -type Patch -tenantid $Tenant -uri "https://graph.microsoft.com/beta/domains/$($_.id)" -body '{"passwordValidityPeriodInDays": 2147483647 }' + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Password Expiration' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Password Expiration. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $GraphRequest | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Password Expiration is not disabled for $($_.name)" -sev Alert } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Password Expiration' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Password Expiration. Error: $($_.exception.message)" -sev Error } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 index 8208628e9b4b..c3209ce9ca32 100644 
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 @@ -4,17 +4,21 @@ function Invoke-RotateDKIM { Internal #> param($Tenant, $Settings) + $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -EQ 1024 -and $_.Enabled -eq $true } If ($Settings.Remediate) { - - - try { - $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -EQ 1024 -and $_.Enabled -eq $true } | ForEach-Object { + try { + $DKIM | ForEach-Object { (New-ExoRequest -tenantid $tenant -cmdlet 'Rotate-DkimSigningConfig' -cmdparams @{ KeySize = 2048; Identity = $_.Identity } -useSystemMailbox $true) - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Rotated DKIM' -sev Info + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Rotated DKIM' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to rotate DKIM Error: $($_.exception.message)" -sev Error + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to rotate DKIM Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $DKIM | ForEach-Object { + Write-LogMessage -API 'Standards' -tenant $tenant -message "DKIM is not rotated for $($_.Identity)" -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 index 82a4cbaa24d0..b976431f0d19 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 
@@ -4,12 +4,7 @@ function Invoke-SSPR {
 Internal
 #>
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
-
- try {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'SSPR standard is no longer available' -sev Error
- } catch {
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable SSPR $($_.exception.message)" -sev 'Error'
- }
-}
+
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'SSPR standard is no longer available' -sev Error
+
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1
index fc28f1747202..7584aa6cad07 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1
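Review bot: The "SSPR standard is no longer available" message is now written at `-sev Error` on every invocation, with no check of `$Settings.Remediate` or `$Settings.Alert`, so each standards run adds an Error-level entry for a standard that performs no action. Either keep the call behind the Remediate flag as before or log it at Info/Warn so it does not surface alongside real failures; Invoke-PWnumberMatchingRequiredState in this commit takes the same unconditional shape, though at Info.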
@@ -5,19 +5,19 @@ function Invoke-SafeSendersDisable { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - try { - $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' | ForEach-Object { - try { - $username = $_.UserPrincipalName - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxJunkEmailConfiguration' -cmdParams @{Identity = $_.GUID ; TrustedRecipientsAndDomains = $null } -anchor $username - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not disbale SafeSenders list for $($username): $($_.Exception.message)" -sev Warn - } - } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Safe Senders disabled' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SafeSenders. Error: $($_.exception.message)" -sev Error + try { + $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' | ForEach-Object { + try { + $username = $_.UserPrincipalName + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxJunkEmailConfiguration' -cmdParams @{Identity = $_.GUID ; TrustedRecipientsAndDomains = $null } -anchor $username + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not disbale SafeSenders list for $($username): $($_.Exception.message)" -sev Warn + } + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Safe Senders disabled' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SafeSenders. Error: $($_.exception.message)" -sev Error + } } -} + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 index 357470742f8e..78869dafb67f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 
@@ -4,20 +4,24 @@ function Invoke-SecurityDefaults { Internal #> param($Tenant, $Settings) + $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant) If ($Settings.Remediate) { - - - try { - $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant) - - if ($SecureDefaultsState.IsEnabled -ne $true) { - Write-Host "Secure Defaults is disabled. Enabling for $tenant" -ForegroundColor Yellow - $body = '{ "isEnabled": true }' - (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -ContentType 'application/json') + try { + if ($SecureDefaultsState.IsEnabled -ne $true) { + Write-Host "Secure Defaults is disabled. Enabling for $tenant" -ForegroundColor Yellow + $body = '{ "isEnabled": true }' + (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -ContentType 'application/json') + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Security Defaults Enabled.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Security Defaults Error: $($_.exception.message)" -sev 'Error' + } + } + if ($Settings.Alert) { + if ($SecureDefaultsState.IsEnabled -eq $true) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Security Defaults is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Security Defaults is not enabled.' -sev Alert } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standards API: Security Defaults Enabled.' 
-sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Security Defaults Error: $($_.exception.message)" -sev 'Error' } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 index b67d9115c105..67a29fae0819 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 @@ -5,17 +5,23 @@ function Invoke-SendFromAlias { #> param($Tenant, $Settings) If ($Settings.Remediate) { - + try { + $AdminAuditLogParams = @{ + SendFromAliasEnabled = $true + } + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams $AdminAuditLogParams + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Send from alias Enabled.' -sev Info - try { - $AdminAuditLogParams = @{ - SendFromAliasEnabled = $true + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Send from Alias Standard. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig') + if ($CurrentInfo.SendFromAliasEnabled -eq $true) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Send from alias is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Send from alias is not enabled.' -sev Alert } - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams $AdminAuditLogParams - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Send from alias Enabled.' -sev Info - - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Send from Alias Standard. Error: $($_.exception.message)" -sev Error } -} } 
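Review bot: `$SecureDefaultsState` is now read before `If ($Settings.Remediate)` and outside any try/catch, so a failing Graph call throws out of Invoke-SecurityDefaults instead of being reported through `Write-LogMessage` as the Remediate path does, and the read happens even when neither Remediate nor Alert is set. When both flags are set, the Alert branch inspects the value captured before the PATCH, so a run that has just enabled Security Defaults still logs 'Security Defaults is not enabled.' at Alert severity. Wrapping the initial read in `try { ... } catch { Write-LogMessage ... -sev Error; return }` and re-reading the policy inside the Alert branch would address both. The same hoisted, unguarded read feeding a stale alert appears in Invoke-UserSubmissions (`$Policy`, whose Alert branch reports 'not set' right after `New-ReportSubmissionPolicy`) and Invoke-SendReceiveLimitTenant (`$AllMailBoxPlans`).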
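Review bot: The Alert branch's `New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig'` is not inside a try/catch, unlike the Remediate branch directly above it, so an Exchange Online error ends the function with an unhandled exception rather than a logged Error entry; the same unguarded Alert-branch read appears in Invoke-SpoofWarn, Invoke-TAP, Invoke-disableMacSync and Invoke-intuneDeviceRetirementDays. A `try { ... } catch { Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not read ... : $($_.exception.message)" -sev Error }` around each read keeps the two branches consistent. Separately, `$AdminAuditLogParams` only carries `SendFromAliasEnabled` for `Set-OrganizationConfig`; a name like `$OrgConfigParams` would stop readers looking for audit-log settings.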
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 index 808c2f55adae..25fd6aa79ab5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 
@@ -4,53 +4,48 @@ function Invoke-SendReceiveLimitTenant { Internal #> param($Tenant, $Settings) + $AllMailBoxPlans = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxPlan' | Select-Object DisplayName, MaxSendSize, MaxReceiveSize, GUID If ($Settings.Remediate) { - - # Get the tenant standards settings - $Limits = $Settings.SendReceiveLimit + $Limits = $Settings.SendReceiveLimit + if ($Limits[0] -like '*MB*') { + $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1MB + } elseif ($Limits[0] -like '*KB*') { + $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1KB + } # Default to 35MB if invalid input + else { + $MaxSendSize = 35MB + } + if ($MaxSendSize -gt 150MB) { + $MaxSendSize = 150MB + } + if ($Limits[1] -like '*MB*') { + $MaxReceiveSize = [int]($Limits[1] -Replace '[a-zA-Z]', '') * 1MB + } elseif ($Limits[1] -like '*KB*') { + $MaxReceiveSize = [int]($Limits[1] -Replace '[a-zA-Z]', '') * 1KB + } else { + $MaxReceiveSize = 36MB + } - # Parse the send limits and convert to bytes - if ($Limits[0] -like '*MB*') { - $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1MB - } elseif ($Limits[0] -like '*KB*') { - $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1KB - } # Default to 35MB if invalid input - else { - $MaxSendSize = 35MB - } - # Test if the send limit is larger allowed and correct if needed - if ($MaxSendSize -gt 150MB) { - $MaxSendSize = 150MB - } + if ($MaxReceiveSize -gt 150MB) { + $MaxReceiveSize = 150MB + } - # Parse the receive limits and convert to bytes - if ($Limits[1] -like '*MB*') { - $MaxReceiveSize = [int]($Limits[1] -Replace '[a-zA-Z]', '') * 1MB - } elseif ($Limits[1] -like '*KB*') { - $MaxReceiveSize = [int]($Limits[1] -Replace '[a-zA-Z]', '') * 1KB - } # Default to 36MB if invalid input - else { - $MaxReceiveSize = 36MB - } - # Test if the receive limit is larger allowed and correct if needed - if ($MaxReceiveSize -gt 150MB) { - $MaxReceiveSize = 150MB + try { + foreach ($MailboxPlan in 
$AllMailBoxPlans) { + if ($MailboxPlan.MaxSendSize -ne $MaxSendSize -and $MailboxPlan.MaxReceiveSize -ne $MaxReceiveSize) { + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxPlan' -cmdParams @{Identity = $MailboxPlan.GUID; MaxSendSize = $MaxSendSize; MaxReceiveSize = $MaxReceiveSize } -useSystemMailbox $true + } + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully set the tenant send and receive limits ' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set the tenant send and receive limits. Error: $($_.exception.message)" -sev Error + } } - - try { - # Get all mailbox plans - $AllMailBoxPlans = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxPlan' | Select-Object DisplayName, MaxSendSize, MaxReceiveSize, GUID - - # Loop through all mailbox plans and set the send and receive limits for each if needed + if ($Settings.Alert) { foreach ($MailboxPlan in $AllMailBoxPlans) { if ($MailboxPlan.MaxSendSize -ne $MaxSendSize -and $MailboxPlan.MaxReceiveSize -ne $MaxReceiveSize) { - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxPlan' -cmdParams @{Identity = $MailboxPlan.GUID; MaxSendSize = $MaxSendSize; MaxReceiveSize = $MaxReceiveSize } -useSystemMailbox $true + Write-LogMessage -API 'Standards' -tenant $tenant -message "The tenant send and receive limits are not set correctly for $($MailboxPlan.DisplayName)" -sev Alert } } - # Write to log on success - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully set the tenant send and receive limits ' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set the tenant send and receive limits. Error: $($_.exception.message)" -sev Error } } -} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 index 02f5cee72764..bf9442f58d87 100644 
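Review bot: In the new Alert branch `$MaxSendSize` and `$MaxReceiveSize` are only assigned inside `If ($Settings.Remediate)`, so an Alert-only run compares every plan against `$null` and logs 'not set correctly' for all of them; moving the `$Limits` parsing block (which has no side effects) above the Remediate check fixes that. Both the Set-MailboxPlan condition and the alert use `-and`, which skips plans where only one of the two limits differs; `if ($MailboxPlan.MaxSendSize -ne $MaxSendSize -or $MailboxPlan.MaxReceiveSize -ne $MaxReceiveSize) {` is what the log messages describe. If Get-MailboxPlan returns these sizes as formatted strings (e.g. "35 MB (... bytes)") rather than byte counts, `-ne` against an integer will always be true and every plan would be rewritten each run — not visible here, but worth confirming with a comment on the comparison.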
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 @@ -5,18 +5,24 @@ function Invoke-SpoofWarn { #> param($Tenant, $Settings) If ($Settings.Remediate) { - + $status = if ($Settings.enable -and $Settings.disable) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Spoof Warnings setting' -sev Error + Exit + } elseif ($Settings.state -eq 'Enabled' -or $Settings.enable) { $true } else { $false } + try { + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ExternalInOutlook' -cmdParams @{ Enabled = $status; } + Write-LogMessage -API 'Standards' -tenant $tenant -message "Spoofing warnings set to $status." -sev Info - $status = if ($Settings.enable -and $Settings.disable) { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Spoof Warnings setting' -sev Error - Exit - } elseif ($Settings.state -eq 'Enabled' -or $Settings.enable) { $true } else { $false } - try { - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-ExternalInOutlook' -cmdParams @{ Enabled = $status; } - Write-LogMessage -API 'Standards' -tenant $tenant -message "Spoofing warnings set to $status." -sev Info - - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set spoofing warnings to $status. Error: $($_.exception.message)" -sev Error + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set spoofing warnings to $status. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ExternalInOutlook') + if ($CurrentInfo.Enabled -eq $true) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Spoofing warnings are enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Spoofing warnings are not enabled.' -sev Alert + } } -} } 
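Review bot: `Exit` inside the `$status = if (...)` expression terminates the whole PowerShell process, not just Invoke-SpoofWarn; if this runs in a shared function host (inferred from the entrypoint layout), it also aborts any other tenant work in that worker. `return` after the Write-LogMessage aborts only this standard; Invoke-UserSubmissions shows the same `Exit` in its context lines. The alert only checks `$CurrentInfo.Enabled -eq $true`, so when the operator chose `$Settings.disable` the remediation sets `$false` and the next alert run logs 'Spoofing warnings are not enabled.' at Alert severity forever; comparing against `$status` (or the configured state) would align the two branches.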
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 index dcfa07e61191..624422b0d935 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 @@ -6,14 +6,14 @@ function Invoke-TAP { param($Tenant, $Settings) If ($Settings.Remediate) { - $TAPConfig = $Settings.Config - if (!$TAPConfig) { $TAPConfig = 'true' } - try { - $MinimumLifetime = '60' #Minutes - $MaximumLifetime = '480' #minutes - $DefaultLifeTime = '60' #minutes - $DefaultLength = '8' - $body = @" + $TAPConfig = $Settings.Config + if (!$TAPConfig) { $TAPConfig = 'true' } + try { + $MinimumLifetime = '60' #Minutes + $MaximumLifetime = '480' #minutes + $DefaultLifeTime = '60' #minutes + $DefaultLength = '8' + $body = @" {"@odata.type":"#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration", "id":"TemporaryAccessPass", "includeTargets":[{"id":"all_users", 
@@ -27,9 +27,17 @@ function Invoke-TAP { "state":"enabled"} "@ (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass' -Type patch -asApp $true -Body $body -ContentType 'application/json') - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Temporary Access Passwords.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable TAP. Error: $($_.exception.message)" -sev Error + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Temporary Access Passwords.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable TAP. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass' -tenantid $Tenant) + if ($CurrentInfo.state -eq 'enabled') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Temporary Access Passwords is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Temporary Access Passwords is not enabled.' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 index 8a3ed6b41d78..5b8f3f8bb549 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 
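Review bot: The Alert branch reads the TemporaryAccessPass configuration with `New-GraphGetRequest` without `-asApp $true`, while the PATCH a few lines above uses `-asApp $true`; if the application-only token is what grants access to authenticationMethodsPolicy here, the alert read will fail with a permissions error (not confirmable from the hunk). The check compares only `state -eq 'enabled'`, so a tenant with TAP enabled but different lifetimes/length from the values the Remediate branch writes is reported as compliant; a comment such as `# Alert checks only state; lifetimes/length are not compared` would make that deliberate. The `$body` here-string that this hunk's PATCH sends begins before the hunk.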
@@ -4,39 +4,39 @@ function Invoke-TransportRuleTemplate { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.Remediate) { - $ConfigTable = Get-CippTable -tablename 'standards' - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate - if (!$Setting) { - $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate - } + $ConfigTable = Get-CippTable -tablename 'standards' + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate + if (!$Setting) { + $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate + } - foreach ($Template in $Setting.TemplateList) { - $Table = Get-CippTable -tablename 'templates' - $Filter = "PartitionKey eq 'TransportTemplate' and RowKey eq '$($Template.value)'" - $RequestParams = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json - $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenant -cmdlet 'Get-TransportRule' -useSystemMailbox $true | Where-Object -Property Identity -EQ $RequestParams.name + foreach ($Template in $Setting.TemplateList) { + $Table = Get-CippTable -tablename 'templates' + $Filter = "PartitionKey eq 'TransportTemplate' and RowKey eq '$($Template.value)'" + $RequestParams = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json + $Existing = New-ExoRequest -ErrorAction SilentlyContinue -tenantid $Tenant -cmdlet 'Get-TransportRule' -useSystemMailbox $true | Where-Object -Property Identity -EQ $RequestParams.name - try { - if ($Existing) { - Write-Host 'Found existing' - $RequestParams | Add-Member 
-NotePropertyValue $RequestParams.name -NotePropertyName Identity - $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportRule' -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty UseLegacyRegex) -useSystemMailbox $true - Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully set transport rule for $tenant" -sev 'Info' - } else { - Write-Host 'Creating new' - $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'New-TransportRule' -cmdParams $RequestParams -useSystemMailbox $true - Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully created transport rule for $tenant" -sev 'Info' - } + try { + if ($Existing) { + Write-Host 'Found existing' + $RequestParams | Add-Member -NotePropertyValue $RequestParams.name -NotePropertyName Identity + $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportRule' -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty UseLegacyRegex) -useSystemMailbox $true + Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully set transport rule for $tenant" -sev 'Info' + } else { + Write-Host 'Creating new' + $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'New-TransportRule' -cmdParams $RequestParams -useSystemMailbox $true + Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully created transport rule for $tenant" -sev 'Info' + } - Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($tenantfilter)" -sev 'Debug' - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not create transport rule for $($tenantfilter): $($_.Exception.message)" -sev 'Error' + Write-LogMessage -API $APINAME -tenant $Tenant -message "Created transport rule for $($tenantfilter)" -sev 'Debug' + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not create transport rule for $($tenantfilter): $($_.Exception.message)" -sev 'Error' + } 
} } } -} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 index 3324d9d1b6b8..74bf488c2991 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 @@ -6,11 +6,12 @@ function Invoke-UndoOauth { param($Tenant, $Settings) If ($Settings.Remediate) { - try { - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}' -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode has been disabled.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set Application Consent Mode to disabled Error: $($_.exception.message)" -sev Error + try { + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}' -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode has been disabled.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set Application Consent Mode to disabled Error: $($_.exception.message)" -sev Error + } } -} + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 index 4ca79f2c0488..e3c71adf13e5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 @@ -4,16 +4,15 @@ function Invoke-UserSubmissions { Internal #> param($Tenant, $Settings) + $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy' If ($Settings.Remediate) { - - if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the User Submission policy' -sev Error Exit } elseif ($Settings.enable) { $status = $true try { - $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy' + if ($Policy.length -eq 0) { New-ExoRequest -tenantid $Tenant -cmdlet 'New-ReportSubmissionPolicy' Write-LogMessage -API 'Standards' -tenant $tenant -message "User Submission policy set to $status." -sev Info @@ -39,4 +38,15 @@ function Invoke-UserSubmissions { } } } + if ($Settings.Alert) { + if ($Policy.length -eq 0) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'User Submission policy is not set.' -sev Alert + } else { + if ($Policy.EnableReportToMicrosoft -eq $true) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'User Submission policy is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'User Submission policy is disabled.' -sev Alert + } + } + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 index 76a0aef1f769..faeda9dfcacd 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 
@@ -4,18 +4,24 @@ function Invoke-allowOAuthTokens { Internal #> param($Tenant, $Settings) + $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -tenantid $Tenant If ($Settings.Remediate) { - try { - - $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -tenantid $Tenant - $CurrentInfo.state = 'enabled' - $body = ($CurrentInfo | ConvertTo-Json -Depth 10) + try { + $CurrentInfo.state = 'enabled' + $body = ($CurrentInfo | ConvertTo-Json -Depth 10) (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -Type patch -Body $body -ContentType 'application/json') - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled software OTP/oAuth tokens' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable software OTP/oAuth tokens. Error: $($_.exception.message)" -sev 'Error' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled software OTP/oAuth tokens' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable software OTP/oAuth tokens. Error: $($_.exception.message)" -sev 'Error' + } + } + if ($Settings.Alert) { + if ($CurrentInfo.state -eq 'enabled') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'software OTP/oAuth tokens is enabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'software OTP/oAuth tokens is not enabled' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 index 6df68e3c72c0..63b107b22f3c 100644 
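Review bot: `$CurrentInfo.state = 'enabled'` inside the Remediate branch mutates the same object the Alert branch inspects, so with both flags set the alert logs 'software OTP/oAuth tokens is enabled' even when the PATCH threw and was caught. The same local mutation precedes the alert in Invoke-allowOTPTokens (`$CurrentInfo.isSoftwareOathEnabled = $true`) and Invoke-intuneDeviceReg (`$PreviousSetting.userDeviceQuota = $Settings.max`), where the equality check then always holds. Building the PATCH body from a copy, e.g. `$Desired = $CurrentInfo | ConvertTo-Json -Depth 10 | ConvertFrom-Json` before editing, or re-reading the policy in the Alert branch, keeps the alert tied to actual tenant state.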
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 
@@ -4,19 +4,26 @@ function Invoke-allowOTPTokens { Internal #> param($Tenant, $Settings) + $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant + If ($Settings.Remediate) { - try { - - $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant - $CurrentInfo.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState') - $CurrentInfo.isSoftwareOathEnabled = $true - $body = ($CurrentInfo | ConvertTo-Json -Depth 10) + try { + $CurrentInfo.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState') + $CurrentInfo.isSoftwareOathEnabled = $true + $body = ($CurrentInfo | ConvertTo-Json -Depth 10) (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json') - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled MS authenticator OTP/oAuth tokens' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable MS authenticator OTP/oAuth tokens. Error: $($_.exception.message)" -sev Error + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled MS authenticator OTP/oAuth tokens' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable MS authenticator OTP/oAuth tokens. 
Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($CurrentInfo.isSoftwareOathEnabled) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'MS authenticator OTP/oAuth tokens is enabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'MS authenticator OTP/oAuth tokens is not enabled' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 index 5c4754ab5caf..47713fe16a31 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 
@@ -5,22 +5,21 @@ function Invoke-calDefault { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'get-mailbox' - foreach ($Mailbox in $Mailboxes) { - try { - New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxFolderStatistics' -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | ForEach-Object { - New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxFolderPermission' -cmdparams @{Identity = ($_.identity).replace('\', ':\'); User = 'Default'; AccessRights = $Settings.permissionlevel } -Anchor $Mailbox.UserPrincipalName - Write-LogMessage -API 'Standards' -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName) to $($Settings.permissionlevel)" -sev Error + $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'get-mailbox' + foreach ($Mailbox in $Mailboxes) { + try { + New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxFolderStatistics' -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | ForEach-Object { + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxFolderPermission' -cmdparams @{Identity = ($_.identity).replace('\', ':\'); User = 'Default'; AccessRights = $Settings.permissionlevel } -Anchor $Mailbox.UserPrincipalName + Write-LogMessage -API 'Standards' -tenant $tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName) to $($Settings.permissionlevel)" -sev Error + } + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set default calendar permissions. Error: $($_.exception.message)" -sev Error } - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set default calendar permissions. Error: $($_.exception.message)" -sev Error + } + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Done setting default calendar permissions.' 
-sev Info } - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Done setting default calendar permissions.' -sev Info } -} diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 index 8c83e2d66ec7..ee2e0880eb6e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 @@ -7,12 +7,20 @@ function Invoke-disableMacSync { If ($Settings.Remediate) { - try { - $body = '{"isMacSyncAppEnabled": false}' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Mac OneDrive Sync' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Mac OneDrive Sync: $($_.exception.message)" -sev Error + try { + $body = '{"isMacSyncAppEnabled": false}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Mac OneDrive Sync' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Mac OneDrive Sync: $($_.exception.message)" -sev Error + } } -} -} + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true + if ($CurrentInfo.isMacSyncAppEnabled -eq $false) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Mac OneDrive Sync is disabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Mac OneDrive Sync is not disabled' -sev Alert + } + } +} \ No newline at end of file 
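Review bot: The new side of Invoke-disableMacSync ends without a trailing newline (`\ No newline at end of file` after the final `+}`), which the other standards files in this commit keep; add the final newline. The Alert check `-eq $false` means an absent or null `isMacSyncAppEnabled` is reported as 'Mac OneDrive Sync is not disabled', which is the conservative outcome but reads as accidental; a comment like `# missing property is treated as sync enabled` would make it intentional.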
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 index ce9c22563d2a..0d7b817fb5aa 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 @@ -6,6 +6,6 @@ function Invoke-fwdAdminAlerts { param($Tenant, $Settings) If ($Settings.Remediate) { - #This isn't done yet. -} + #This isn't done yet. + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 index a476d17eeb2a..214659acd9c2 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 
@@ -4,17 +4,23 @@ function Invoke-intuneDeviceReg { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { - - try { + $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant - $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant - $PreviousSetting.userDeviceQuota = $Settings.max - $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Set user device quota to $($Settings.max)" -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set user device quota to $($Settings.max) : $($_.exception.message)" -sev Error + If ($Settings.Remediate) { + try { + $PreviousSetting.userDeviceQuota = $Settings.max + $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Set user device quota to $($Settings.max)" -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set user device quota to $($Settings.max) : $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($PreviousSetting.userDeviceQuota -eq $Settings.max) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "User device quota is set to $($Settings.max)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message "User device quota is not set to $($Settings.max)" -sev Alert + } } -} } 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 index 0f7e0bdd908c..91a30fe90c29 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 
@@ -6,15 +6,20 @@ function Invoke-intuneDeviceRetirementDays { param($Tenant, $Settings) If ($Settings.Remediate) { - try { - - $body = @{ DeviceInactivityBeforeRetirementInDays = $Settings.days } | ConvertTo-Json - - (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -Type PATCH -Body $body -ContentType 'application/json') - - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled DeviceInactivityBeforeRetirementInDays.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DeviceInactivityBeforeRetirementInDays. Error: $($_.exception.message)" -sev Error + try { + $body = @{ DeviceInactivityBeforeRetirementInDays = $Settings.days } | ConvertTo-Json + (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -Type PATCH -Body $body -ContentType 'application/json') + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled DeviceInactivityBeforeRetirementInDays.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DeviceInactivityBeforeRetirementInDays. Error: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -tenantid $Tenant) + if ($CurrentInfo.DeviceInactivityBeforeRetirementInDays -eq $Settings.days) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'DeviceInactivityBeforeRetirementInDays is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'DeviceInactivityBeforeRetirementInDays is not enabled.' -sev Alert + } } -} } 
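Review bot: In the new Alert branch, `$CurrentInfo = (New-GraphGetRequest ...)` is not wrapped in try/catch, unlike the remediation call a few lines above, so a Graph error escapes the function with no Write-LogMessage entry; the Alert branches in the Invoke-sharingCapability and Invoke-unmanagedSync hunks below have the same shape. Wrapping the read in a try/catch that logs with `-sev Error` keeps the failure path consistent with the Remediate branch and avoids aborting whatever runs the standards after this one. The enclosing function starts before the hunk.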
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 index ef6cb4dcf71f..2da93b3f43a1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 
@@ -4,16 +4,23 @@ function Invoke-intuneRequireMFA { Internal #> param($Tenant, $Settings) + $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant + If ($Settings.Remediate) { - - try { - $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant - $PreviousSetting.multiFactorAuthConfiguration = '1' - $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Set required to use MFA when joining Intune Devices' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set require to use MFA when joining Intune Devices: $($_.exception.message)" -sev Error + try { + $PreviousSetting.multiFactorAuthConfiguration = '1' + $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Set required to use MFA when joining Intune Devices' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set require to use MFA when joining Intune Devices: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($PreviousSetting.multiFactorAuthConfiguration -eq 'required') { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Require to use MFA when joining Intune Devices is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Require to use MFA when joining Intune Devices is not enabled.' -sev Alert + } } -} } 
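Review bot: The Remediate branch writes `$PreviousSetting.multiFactorAuthConfiguration = '1'` while the new Alert branch checks `-eq 'required'`, and both operate on the same in-memory `$PreviousSetting` object, so a run with both flags set logs "is not enabled" immediately after a successful remediation. The two branches also disagree about what the compliant value is; if a GET really returns `'required'` (worth confirming against a live response), the assignment should use that same string, otherwise the comparison should use `'1'`. Re-reading the policy before alerting would remove the dependency on the mutated object altogether. The enclosing function starts outside the hunk.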
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 index 5403f2daef6a..79fe33e5eb07 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 
@@ -4,16 +4,24 @@ function Invoke-laps { Internal #> param($Tenant, $Settings) + $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant + If ($Settings.Remediate) { - try { - $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant - $previoussetting.localadminpassword.isEnabled = $true - $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $newBody -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message 'LAPS has been enabled.' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set LAPS: $($_.exception.message)" -sev Error + try { + $previoussetting.localadminpassword.isEnabled = $true + $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $newBody -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'LAPS has been enabled.' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set LAPS: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + if ($PreviousSetting.localadminpassword.isEnabled -eq $true) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'LAPS is enabled.' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'LAPS is not enabled.' -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 index d53dfc42023b..96ec039445f2 100644 
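Review bot: The new lines mix `$previoussetting`/`$PreviousSetting` and `$newBody`/`$Newbody` for the same variables; PowerShell resolves them case-insensitively so it runs, but the Alert comparison on `$PreviousSetting.localadminpassword.isEnabled` is harder to trace back to the assignment on `$previoussetting.localadminpassword.isEnabled`. Since the hunk rewrites these lines anyway, settling on `$PreviousSetting` and `$NewBody` throughout would match the casing used in the sibling Invoke-intuneRequireMFA file. The enclosing function starts outside the hunk.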
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 @@ -5,13 +5,19 @@ function Invoke-sharingCapability { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - try { - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Settings.Level)`"}" -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message "Set sharing level to $($Settings.level)" -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set sharing level to $($Settings.level): $($_.exception.message)" -sev Error + try { + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Settings.Level)`"}" -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message "Set sharing level to $($Settings.level)" -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set sharing level to $($Settings.level): $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true + if ($CurrentInfo.sharingCapability -eq $Settings.level) { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Sharing level is set to $($Settings.level)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Sharing level is not set to $($Settings.level)" -sev Alert + } } -} } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 index 833367ba18a0..53823cd97c81 100644 
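Review bot: The PATCH body in the Remediate branch is still built by interpolating `$Settings.Level` into a JSON string literal, `"{`"sharingCapability`":`"$($Settings.Level)`"}"`, so a value containing a quote or backslash yields malformed or altered JSON rather than an error. `-Body (@{ sharingCapability = $Settings.Level } | ConvertTo-Json -Compress)` lets the serializer handle encoding and matches the `@{ ... } | ConvertTo-Json` form used in the Invoke-intuneDeviceRetirementDays hunk of this commit. The enclosing function starts outside the hunk.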
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 @@ -5,14 +5,20 @@ function Invoke-unmanagedSync { #> param($Tenant, $Settings) If ($Settings.Remediate) { - - - try { - $body = '{"isUnmanagedSyncAppForTenantRestricted": false}' - New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' - Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Sync for unmanaged devices' -sev Info - } catch { - Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Sync for unmanaged devices: $($_.exception.message)" -sev Error + try { + $body = '{"isUnmanagedSyncAppForTenantRestricted": false}' + New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Sync for unmanaged devices' -sev Info + } catch { + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Sync for unmanaged devices: $($_.exception.message)" -sev Error + } + } + if ($Settings.Alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true + if ($CurrentInfo.isUnmanagedSyncAppForTenantRestricted -eq $false) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sync for unmanaged devices is disabled' -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sync for unmanaged devices is not disabled' -sev Alert + } } -} } From e68a002a821da89c37873892024bad1129eae720 Mon Sep 17 00:00:00 2001 
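Review bot: Both branches treat `isUnmanagedSyncAppForTenantRestricted = false` as "sync for unmanaged devices is disabled", but the property name reads the other way — `false` means the unmanaged-sync restriction is not applied — so the new Alert branch would log Info for a tenant that allows unmanaged sync and Alert for one that restricts it. This is worth confirming against the Graph sharepointSettings documentation before report fields are built on it; if the name is accurate, both the PATCH body and the `-eq $false` comparison should use `true`/`$true`. The enclosing function starts outside the hunk.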
From: Roel van der Wegen Date: Fri, 8 Dec 2023 15:48:07 +0100 Subject: [PATCH 56/78] Clean up profile file imports --- profile.ps1 | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/profile.ps1 b/profile.ps1 index 66e78cec4b1c..5b932cfda949 100644 --- a/profile.ps1 +++ b/profile.ps1 @@ -11,15 +11,16 @@ # Authenticate with Azure PowerShell using MSI. # Remove this if you are not planning on using MSI or Azure PowerShell. -Import-Module CippCore -try { - Import-Module Az.KeyVault -ErrorAction Stop -} catch { $_.Exception.Message } -try { - Import-Module Az.Accounts -} catch { $_.Exception.Message } -Import-Module CippExtensions +# Import modules +@('CippCore','CippExtensions','Az.KeyVault','Az.Accounts') | ForEach-Object { + try { + Import-Module -Name $_ -ErrorAction Stop + } catch { + Write-LogMessage -message "Failed to import module $($_): $_.Exception.Message" -Sev 'CRITICAL' + $_.Exception.Message + } +} try { Disable-AzContextAutosave -Scope Process | Out-Null @@ -37,4 +38,4 @@ try { # Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell. # Enable-AzureRmAlias -# You can also define functions or aliases that can be referenced in any of your PowerShell functions. \ No newline at end of file +# You can also define functions or aliases that can be referenced in any of your PowerShell functions. From 683b94697a8aa59ba4d4307217296563afd7e7e0 Mon Sep 17 00:00:00 2001 From: Jr7468 Date: Fri, 8 Dec 2023 14:51:04 +0000 Subject: [PATCH 57/78] Fixed browser compatibility issues --- Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1 b/Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1 index 925faa8f6c49..79b6222f5c37 100644 --- a/Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPOutOfoffice.ps1 
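Review bot: Inside the `catch` block of the new ForEach-Object loop, `$_` is the ErrorRecord rather than the module name, so `"Failed to import module $($_): $_.Exception.Message"` logs the error text as the module and then appends the literal characters `.Exception.Message`, because that member access is not inside `$()`. Capturing the name first with `$ModuleName = $_` before the `try`, and logging `"Failed to import module $($ModuleName): $($_.Exception.Message)"`, fixes both. Write-LogMessage is not defined in profile.ps1 and presumably comes from CippCore, the first module in the list; if that import is the one that fails, the catch block itself throws, so `Write-Warning` or the bare `$_.Exception.Message` is the safer fallback there. The second hunk only restores the trailing newline.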
@@ -14,7 +14,7 @@ function Set-CIPPOutOfOffice { try { if (-not $StartTime) { - $StartTime = (Get-Date).ToString("yyyy-MM-dd HH:mm") + $StartTime = (Get-Date).ToString() } if (-not $EndTime) { $EndTime = (Get-Date $StartTime).AddDays(7) @@ -27,7 +27,7 @@ function Set-CIPPOutOfOffice { else { $OutOfOffice = New-ExoRequest -tenantid $TenantFilter -cmdlet "Set-MailboxAutoReplyConfiguration" -cmdParams @{Identity = $userid; AutoReplyState = $State; InternalMessage = $InternalMessage; ExternalMessage = $ExternalMessage; StartTime = $StartTime; EndTime = $EndTime } -Anchor $userid Write-LogMessage -user $ExecutingUser -API $APIName -message "Scheduled Out-of-office for $($userid) between $StartTime and $EndTime" -Sev "Info" -tenant $TenantFilter - return "Scheduled Out-of-office for $($userid) between $($StartTime.toString("yyyy-MM-dd HH:mm")) and $($EndTime.toString("yyyy-MM-dd HH:mm"))" + return "Scheduled Out-of-office for $($userid) between $($StartTime.toString()) and $($EndTime.toString())" } } catch { From 65f16731af9fef1da28ad0dfc1d2894a0c0368c3 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 8 Dec 2023 19:46:29 +0100 Subject: [PATCH 58/78] add bpafield command --- .../Public/Add-CIPPAzDataTableEntity.ps1 | 15 +++--- Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 | 46 +++++++++++++++++++ 2 files changed, 52 insertions(+), 9 deletions(-) create mode 100644 Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 diff --git a/Modules/CIPPCore/Public/Add-CIPPAzDataTableEntity.ps1 b/Modules/CIPPCore/Public/Add-CIPPAzDataTableEntity.ps1 index ee53c68020d8..6f03e28b64e2 100644 --- a/Modules/CIPPCore/Public/Add-CIPPAzDataTableEntity.ps1 +++ b/Modules/CIPPCore/Public/Add-CIPPAzDataTableEntity.ps1 
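Review bot: `(Get-Date).ToString()` on the new line 17 produces a culture-dependent date/time string that is then parsed back by `Get-Date $StartTime` on the next line and passed to Set-MailboxAutoReplyConfiguration, so on a host whose culture is day-first the default start time can be misread or shifted. If the fixed format was dropped because the browser now sends its own string, an invariant round-trip default such as `(Get-Date).ToString('s')` keeps the server-generated value deterministic without touching caller-supplied values. In the second hunk `$StartTime.toString()` is a no-op when `$StartTime` is already a string, so the returned message now echoes whatever format the caller passed. Both hunks sit inside Set-CIPPOutOfOffice, whose body starts and ends outside them.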
@@ -10,9 +10,8 @@ function Add-CIPPAzDataTableEntity { foreach ($SingleEnt in $Entity) { try { Add-AzDataTableEntity -context $Context -force:$Force -CreateTableIfNotExists:$CreateTableIfNotExists -Entity $SingleEnt - } - catch [System.Exception] { - if ($_.Exception.ErrorCode -eq "PropertyValueTooLarge" -or $_.Exception.ErrorCode -eq "EntityTooLarge") { + } catch [System.Exception] { + if ($_.Exception.ErrorCode -eq 'PropertyValueTooLarge' -or $_.Exception.ErrorCode -eq 'EntityTooLarge') { try { $MaxSize = 30kb $largePropertyName = $null @@ -36,10 +35,10 @@ function Add-CIPPAzDataTableEntity { } $splitInfo = @{ - OriginalHeader = $largePropertyName; + OriginalHeader = $largePropertyName SplitHeaders = $splitPropertyNames } - $SingleEnt["SplitOverProps"] = ($splitInfo | ConvertTo-Json).ToString() + $SingleEnt['SplitOverProps'] = ($splitInfo | ConvertTo-Json).ToString() $SingleEnt.Remove($largePropertyName) for ($i = 0; $i -lt $splitData.Count; $i++) { @@ -49,12 +48,10 @@ function Add-CIPPAzDataTableEntity { Add-AzDataTableEntity -context $Context -force:$Force -CreateTableIfNotExists:$CreateTableIfNotExists -Entity $SingleEnt } - } - catch { + } catch { throw "Error processing entity: $($_.Exception.Message)." } - } - else { + } else { throw $_ } } diff --git a/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 b/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 new file mode 100644 index 000000000000..f4905eba8a15 --- /dev/null +++ b/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 
@@ -0,0 +1,46 @@
+function Add-CIPPBPAField {
+ param (
+ $BPAName = 'Standards Report V1.0',
+ $FieldName,
+ $FieldValue,
+ $StoreAs,
+ $Tenant
+ )
+ $Table = Get-CippTable -tablename 'cachebpav2'
+ $TenantName = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant
+
+ $CurrentContentsObject = (Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq 'Standards Report V1.0' and PartitionKey eq '$($TenantName.customerId)'")
+ Write-Host "Adding $FieldName to $BPAName for $Tenant. content is $($CurrentContents.RowKey)"
+ if ($CurrentContentsObject.RowKey) {
+ $CurrentContents = @{}
+ $CurrentContentsObject.PSObject.Properties | ForEach-Object {
+ $CurrentContents[$_.Name] = $_.Value
+ }
+ $Result = $CurrentContents
+ } else {
+ $Result = @{
+ Tenant = "$($TenantName.displayName)"
+ GUID = "$($TenantName.customerId)"
+ RowKey = 'Standards Report V1.0'
+ PartitionKey = "$($TenantName.customerId)"
+ LastRefresh = [string]$(Get-Date (Get-Date).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z')
+ }
+ }
+ switch -Wildcard ($StoreAs) {
+ '*bool' {
+ $Result["$fieldName"] = [bool]$FieldValue
+ }
+ 'JSON' {
+
+ if ($FieldValue -eq $null) { $JsonString = '{}' } else { $JsonString = (ConvertTo-Json -Depth 15 -InputObject $FieldValue -Compress) }
+ $Result[$fieldName] = [string]$JsonString
+ }
+ 'string' {
+ $Result[$fieldName], [string]$FieldValue
+ }
+ 'percentage' {
+
+ }
+ }
+ Add-CIPPAzDataTableEntity @Table -Entity $Result -Force
+}
\ No newline at end of file
From 286887fae49bd962725f4b6552c4db7a950924b1 Mon Sep 17 00:00:00 2001
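Review bot: Three lines of the new Add-CIPPBPAField do not do what they appear to: the `'string'` arm is `$Result[$fieldName], [string]$FieldValue` — a comma, which emits an array to the pipeline instead of assigning and should read `$Result[$fieldName] = [string]$FieldValue`; the Write-Host line reads `$CurrentContents.RowKey` before `$CurrentContents` is assigned (presumably `$CurrentContentsObject.RowKey` was meant); and the `'percentage'` arm is empty, so that StoreAs silently stores nothing. The `$BPAName` parameter is unused, since both the `-Filter` string and the `RowKey` entry hard-code `'Standards Report V1.0'`, so a caller passing another report name would still read and overwrite the V1.0 row. `$FieldValue -eq $null` should be `$null -eq $FieldValue`: with an array on the left, `-eq $null` filters the array and the `if` tests the (empty) result rather than null-ness, so an empty collection and `$null` take different paths.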
From: KelvinTegelaar Date: Fri, 8 Dec 2023 20:37:00 +0100 Subject: [PATCH 59/78] added reporting --- .../Invoke-CIPPStandardActivityBasedTimeout.ps1 | 4 ++++ .../Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 | 3 +++ .../Invoke-CIPPStandardAnonReportDisable.ps1 | 3 +++ .../Public/Standards/Invoke-CIPPStandardAuditLog.ps1 | 3 +++ .../Invoke-CIPPStandardAutoExpandArchive.ps1 | 3 +++ .../Invoke-CIPPStandardDelegateSentItems.ps1 | 3 +++ .../Invoke-CIPPStandardDeletedUserRentention.ps1 | 8 ++++++++ .../Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 | 3 +++ .../Invoke-CIPPStandardDisableGuestDirectory.ps1 | 8 ++++++++ .../Standards/Invoke-CIPPStandardDisableGuests.ps1 | 3 +++ .../Invoke-CIPPStandardDisableM365GroupUsers.ps1 | 12 ++++++++++++ .../Standards/Invoke-CIPPStandardDisableReshare.ps1 | 3 +++ .../Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 | 3 +++ .../Invoke-CIPPStandardDisableSharedMailbox.ps1 | 3 +++ .../Invoke-CIPPStandardDisableTenantCreation.ps1 | 3 +++ .../Invoke-CIPPStandardDisableUserSiteCreate.ps1 | 3 +++ .../Standards/Invoke-CIPPStandardDisableViva.ps1 | 4 ++++ .../Invoke-CIPPStandardEnableAppConsentRequests.ps1 | 3 +++ .../Standards/Invoke-CIPPStandardEnableFIDO2.ps1 | 3 +++ .../Invoke-CIPPStandardEnableOnlineArchiving.ps1 | 3 +++ .../Standards/Invoke-CIPPStandardExConnector.ps1 | 1 + .../Standards/Invoke-CIPPStandardExcludedfileExt.ps1 | 3 +++ .../Standards/Invoke-CIPPStandardMailContacts.ps1 | 3 +++ .../Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 | 7 ++++++- .../Standards/Invoke-CIPPStandardOauthConsent.ps1 | 4 ++++ .../Invoke-CIPPStandardOauthConsentLowSec.ps1 | 8 ++++++++ .../Invoke-CIPPStandardOutBoundSpamAlert.ps1 | 3 +++ ...Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 | 4 ++++ ...PStandardPWdisplayAppInformationRequiredState.ps1 | 7 ++++++- .../Invoke-CIPPStandardPasswordExpireDisabled.ps1 | 5 +++++ .../Standards/Invoke-CIPPStandardRotateDKIM.ps1 | 3 +++ .../Invoke-CIPPStandardSecurityDefaults.ps1 | 3 +++ 
.../Standards/Invoke-CIPPStandardSendFromAlias.ps1 | 3 +++ .../Invoke-CIPPStandardSendReceiveLimitTenant.ps1 | 3 +++ .../Standards/Invoke-CIPPStandardSpoofWarn.ps1 | 3 +++ .../Public/Standards/Invoke-CIPPStandardTAP.ps1 | 12 +++++++++++- .../Standards/Invoke-CIPPStandardUserSubmissions.ps1 | 7 +++++++ .../Invoke-CIPPStandardallowOAuthTokens.ps1 | 8 ++++++++ .../Standards/Invoke-CIPPStandardallowOTPTokens.ps1 | 3 +++ .../Standards/Invoke-CIPPStandarddisableMacSync.ps1 | 3 +++ .../Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 | 4 ++++ ...Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 | 5 +++++ .../Invoke-CIPPStandardintuneRequireMFA.ps1 | 4 ++++ .../Public/Standards/Invoke-CIPPStandardlaps.ps1 | 3 +++ .../Invoke-CIPPStandardsharingCapability.ps1 | 3 +++ .../Standards/Invoke-CIPPStandardunmanagedSync.ps1 | 8 ++++++++ 46 files changed, 198 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 index 4f3913213485..0d1074a7ba6c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 @@ -32,5 +32,9 @@ function Invoke-ActivityBasedTimeout { } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'ActivityBasedTimeout' -FieldValue [bool]$state -StoreAs bool -Tenant $tenant + } + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 index f11fe54b342d..041541c38f59 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 
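Review bot: `-FieldValue [bool]$state` is parsed in command-argument mode, where `[bool]` is literal text rather than a cast, so the parameter receives the string `[bool]True` or `[bool]False`; Add-CIPPBPAField's `'*bool'` arm then applies `[bool]` to that non-empty string, which is `$true` either way, so every boolean report field in this commit would be stored as `$true`. Parenthesise the cast, `-FieldValue ([bool]$state)`, here and in the other `-StoreAs bool` calls of this commit (the AddDKIM, AnonReportDisable, AuditLog, AutoExpandArchive, DeletedUserRentention, DisableBasicAuthSMTP, DisableGuestDirectory, DisableM365GroupUsers, DisableReshare, DisableSecurityGroupUsers, DisableTenantCreation, DisableUserSiteCreate, DisableViva, EnableAppConsentRequests and EnableFIDO2 hunks). The enclosing function starts outside the hunk.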
@@ -24,4 +24,7 @@ function Invoke-AddDKIM { Write-LogMessage -API 'Standards' -tenant $tenant -message 'DKIM is not enabled for all available domains' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DKIM' -FieldValue [bool]$DKIM -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 index 4e796b5c5586..2eaa786e5c15 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 @@ -20,4 +20,7 @@ function Invoke-AnonReportDisable { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports is not disabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'AnonReport' -FieldValue [bool]$CurrentInfo.displayConcealedNames -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 index 3f045b4b1584..5bc180712708 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 @@ -37,4 +37,7 @@ function Invoke-AuditLog { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log is not enabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'AuditLog' -FieldValue [bool]$AuditLogEnabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 index 22947f9f0a4e..fc750da3f413 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 
@@ -22,4 +22,7 @@ function Invoke-AutoExpandArchive { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Auto Expanding Archives is not enabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'AutoExpandingArchive' -FieldValue [bool]$CurrentState.AutoExpandingArchiveEnabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 index e0fc3e63d2da..bc23efb3be7f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 @@ -28,4 +28,7 @@ function Invoke-DelegateSentItems { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Delegate Sent Items Style is enabled' -sev Info } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DelegateSentItems' -FieldValue $Mailboxes -StoreAs json -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 index 743da5010f15..cb3f8de260c6 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 
@@ -22,4 +22,12 @@ function Invoke-DeletedUserRentention { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deleted user rentention of OneDrive is not set to 1 year' -sev Alert } } + if ($Settings.Report) { + if ($CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays -eq 365) { + $CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays = $true + } else { + $CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays = $false + } + Add-CIPPBPAField -FieldName 'DeletedUserRentention' -FieldValue [bool]$CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 index 4eed13b071bd..c9fed06a04a8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 @@ -20,4 +20,7 @@ function Invoke-DisableBasicAuthSMTP { Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is not disabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DisableBasicAuthSMTP' -FieldValue [bool]$CurrentInfo.SmtpClientAuthenticationDisabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 index 00a9d5e21177..2c2dd8ad0c93 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 
@@ -25,4 +25,12 @@ function Invoke-DisableGuestDirectory { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest access to directory information is not disabled.' -sev Alert } } + if ($Settings.Report) { + if ($CurrentInfo.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b') { + $CurrentInfo.guestUserRoleId = $true + } else { + $CurrentInfo.guestUserRoleId = $false + } + Add-CIPPBPAField -FieldName 'DisableGuestDirectory' -FieldValue [bool]$CurrentInfo.guestUserRoleId -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 index 31de4720c7df..47b5f6a1948e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 @@ -25,4 +25,7 @@ function Invoke-DisableGuests { Write-LogMessage -API 'Standards' -tenant $tenant -message 'No guests accounts with a login longer than 90 days ago.' -sev Info } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DisableGuests' -FieldValue $GraphRequest -StoreAs json -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 index 5696ff218071..3e2e579ab1aa 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 
@@ -33,5 +33,17 @@ function Invoke-DisableM365GroupUsers { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not disabled from creating M365 Groups.' -sev Alert } } + if ($Settings.Report) { + if ($CurrentState) { + if (($CurrentState.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value -eq 'false') { + $CurrentState = $true + } else { + $CurrentState = $false + } + } else { + $CurrentState = $false + } + Add-CIPPBPAField -FieldName 'DisableM365GroupUsers' -FieldValue [bool]$CurrentState -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 index 2caabfcc7842..efc106b20c0f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 @@ -24,4 +24,7 @@ function Invoke-DisableReshare { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guests are allowed to reshare files' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DisableReshare' -FieldValue [bool]$CurrentInfo.isResharingByExternalUsersEnabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 index 530c6972793c..198d539b3c12 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 
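Review bot: The polarity of the stored booleans is inconsistent across this commit: the DisableReshare hunk stores `isResharingByExternalUsersEnabled`, so `$true` means the standard is not met, whereas DisableBasicAuthSMTP stores `SmtpClientAuthenticationDisabled` and the DisableM365GroupUsers hunk above computes `$true` for "met". The same "true = non-compliant" shape appears in the DisableSecurityGroupUsers, DisableTenantCreation, DisableUserSiteCreate and DisableViva hunks (`allowedToCreateSecurityGroups`, `allowedToCreateTenants`, `isSiteCreationEnabled`, `isEnabled`). Unless the report consumer knows each field's meaning (not visible here), normalising to one convention — e.g. `-FieldValue (-not $CurrentInfo.isResharingByExternalUsersEnabled)` — avoids a reshare-enabled tenant being read as compliant. The enclosing functions start outside the hunks.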
@@ -25,4 +25,7 @@ function Invoke-DisableSecurityGroupUsers { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are allowed to create Security Groups.' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DisableSecurityGroupUsers' -FieldValue [bool]$CurrentInfo.defaultUserRolePermissions.allowedToCreateSecurityGroups -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 index b8e8adbc9e4a..815651c4216f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 @@ -22,4 +22,7 @@ function Invoke-DisableSharedMailbox { Write-LogMessage -API 'Standards' -tenant $tenant -message 'No AAD accounts enables for shared mailboxes.' -sev Info } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DisableSharedMailbox' -FieldValue $SharedMailboxList -StoreAs json -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 index 87f99399cda5..5a9936d40eb8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 @@ -21,4 +21,7 @@ function Invoke-DisableTenantCreation { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are allowed to create tenants.' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DisableTenantCreation' -FieldValue [bool]$CurrentInfo.defaultUserRolePermissions.allowedToCreateTenants -StoreAs bool -Tenant $tenant + } } 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 index 3b2082fe8c7d..3f11a485603a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 @@ -21,4 +21,7 @@ function Invoke-DisableUserSiteCreate { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standard users are allowed to create sites' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DisableUserSiteCreate' -FieldValue [bool]$CurrentInfo.isSiteCreationEnabled -StoreAs bool -Tenant $tenant + } } \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 index 70f12cfb134e..59d7f7c9f61d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 @@ -21,4 +21,8 @@ function Invoke-DisableViva { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Viva is not disabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DisableViva' -FieldValue [bool]$currentsetting.isEnabled -StoreAs bool -Tenant $tenant + } + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 index 871aa39cd811..7616f3789aa4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 
@@ -71,4 +71,7 @@ function Invoke-EnableAppConsentRequests { Write-LogMessage -API 'Standards' -tenant $tenant -message 'App consent admin requests are disabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'EnableAppConsentAdminRequests' -FieldValue [bool]$CurrentInfo.isEnabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 index acbe12694677..614cb0c3c063 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 @@ -24,4 +24,7 @@ function Invoke-EnableFIDO2 { Write-LogMessage -API 'Standards' -tenant $tenant -message 'FIDO2 Support is not enabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'EnableFIDO2' -FieldValue [bool]$CurrentInfo.state -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 index 429bb5f226cf..9e9b8333f585 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 @@ -25,4 +25,7 @@ function Invoke-EnableOnlineArchiving { Write-LogMessage -API 'Standards' -tenant $tenant -message 'All mailboxes have Online Archiving enabled' -sev Info } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'EnableOnlineArchiving' -FieldValue $MailboxesNoArchive -StoreAs json -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 index 5907a089cd28..bb1f17079647 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 
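Review bot: In the EnableFIDO2 hunk, `[bool]$CurrentInfo.state` would not give a meaningful value even once the cast takes effect, because the sibling TAP and allowOAuthTokens hunks compare `state` against the string `'enabled'`, and `[bool]` of any non-empty string such as `'disabled'` is `$true`. Derive the flag the way those hunks do: `$Fido2Enabled = $CurrentInfo.state -eq 'enabled'` and then `Add-CIPPBPAField -FieldName 'EnableFIDO2' -FieldValue $Fido2Enabled -StoreAs bool -Tenant $tenant`. That `state` is a string for this endpoint is inferred from the other hunks; the alert branch above this hunk, which is outside it, would confirm it. Invoke-EnableFIDO2 starts outside the hunk.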
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 @@ -34,5 +34,6 @@ function Invoke-ExConnector { } } + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 index 0cbad0d88604..dc29a1fb8bb2 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 @@ -24,4 +24,7 @@ function Invoke-ExcludedfileExt { Write-LogMessage -API 'Standards' -tenant $tenant -message "Excluded synced files does not contain $($Settings.ext)" -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'ExcludedfileExt' -FieldValue $CurrentInfo.excludedFileExtensionsForSyncApp -StoreAs json -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 index 6df9cd79f472..1511b345a177 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 @@ -47,4 +47,7 @@ function Invoke-MailContacts { Write-LogMessage -API 'Standards' -tenant $tenant -message "General contact email is not set to $($Contacts.GeneralContact)" -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'MailContacts' -FieldValue $CurrentInfo -StoreAs json -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 index 17c0355ce1a2..e83083f25a19 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 
@@ -4,6 +4,8 @@ function Invoke-NudgeMFA { Internal #> param($Tenant, $Settings) + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $Tenant + If ($Settings.Remediate) { $status = if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Nudge MFA setting' -sev Error @@ -19,11 +21,14 @@ function Invoke-NudgeMFA { } } if ($Settings.Alert) { - $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $Tenant if ($CurrentInfo.registrationEnforcement.authenticationMethodsRegistrationCampaign.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Authenticator App Nudge is enabled' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Authenticator App Nudge is not enabled' -sev Alert } } + if ($Settings.Report) { + if ($CurrentInfo.registrationEnforcement.authenticationMethodsRegistrationCampaign.state -eq 'enabled') { $actualstate = $true } else { $actualstate = $false } + Add-CIPPBPAField -FieldName 'NudgeMFA' -FieldValue [bool]$actualstate -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 index 560be8625312..5cc265831a6c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 
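Review bot: Hoisting the Graph GET above the `Remediate` block means `$CurrentInfo` is captured before any remediation runs, so when Remediate and Report are both set the BPA field records the pre-remediation state and reads as non-compliant until the next run. Either re-read the policy inside the Report block or make the ordering explicit with a comment such as `# Snapshot taken before remediation; the Report value reflects the state at the start of this run`. The PWdisplayAppInformationRequiredState and TAP hunks introduce the same ordering. The Remediate block's body continues outside this hunk.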
@@ -41,5 +41,9 @@ function Invoke-OauthConsent { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode is not enabled.' -sev Alert } } + if ($Settings.Report) { + if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.cipp-consent-policy') { $UserQuota = $true } else { $UserQuota = $false } + Add-CIPPBPAField -FieldName 'OauthConsent' -FieldValue [bool]$UserQuota -StoreAs bool -Tenant $tenant + } } } \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 index 14c4b3ded717..bb9d3c43e9e4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 @@ -23,4 +23,12 @@ function Invoke-OauthConsentLowSec { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is enabled.' -sev Info } } + if ($Settings.Report) { + if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) { + $State.permissionGrantPolicyIdsAssignedToDefaultUserRole = $false + } else { + $State.permissionGrantPolicyIdsAssignedToDefaultUserRole = $true + } + Add-CIPPBPAField -FieldName 'OauthConsentLowSec' -FieldValue [bool]$State.permissionGrantPolicyIdsAssignedToDefaultUserRole -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 index 7457f547722f..00220f6c1470 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 
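Review bot: In the OauthConsentLowSec hunk, `$State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @(...)` uses the property as the scalar left operand of `-notin`; if that property is a collection, as its plural name suggests, the test asks whether the whole array is an element of the list, which is always true, and the field would always be stored as `$false`. The OauthConsent hunk just above sidesteps this with `-eq`, which filters a collection on the left, so the LowSec check can do the same: `$LowSecEnabled = [bool]($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.microsoft-user-default-low')`. That also avoids overwriting the fetched `$State` property with a boolean. Whether the property is a collection cannot be confirmed here, and `$State` is assigned outside the hunk.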
@@ -21,4 +21,7 @@ function Invoke-OutBoundSpamAlert { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Outbound spam filter alert is not set' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'OutboundSpamAlert' -FieldValue [bool]$CurrentInfo.NotifyOutboundSpam -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 index f178c89bc04c..1f22be6567d2 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 @@ -38,4 +38,8 @@ function Invoke-PWcompanionAppAllowedState { Write-LogMessage -API 'Standards' -tenant $tenant -message 'companionAppAllowedState is not enabled.' -sev Alert } } + if ($Settings.Report) { + if ($authenticatorFeaturesState.featureSettings.companionAppAllowedState.state -eq 'enabled') { $authstate = $true } else { $authstate = $false } + Add-CIPPBPAField -FieldName 'companionAppAllowedState' -FieldValue [bool]$authstate -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 index d3aec75aeb9f..2cc20281ffb8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 @@ -4,6 +4,8 @@ function Invoke-PWdisplayAppInformationRequiredState { Internal #> param($Tenant, $Settings) + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant + If ($Settings.Remediate) { try { $body = @' 
@@ -16,11 +18,14 @@ function Invoke-PWdisplayAppInformationRequiredState { } } if ($Settings.Alert) { - $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant if ($CurrentInfo.featureSettings.displayAppInformationRequiredState.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is not enabled.' -sev Alert } } + if ($Settings.Report) { + if ($CurrentInfo.featureSettings.displayAppInformationRequiredState.state -eq 'enabled') { $authstate = $true } else { $authstate = $false } + Add-CIPPBPAField -FieldName 'PWdisplayAppInformationRequiredState' -FieldValue [bool]$authstate -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 index 895879b29f9f..2a3662b4fc9b 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 @@ -20,4 +20,9 @@ function Invoke-PasswordExpireDisabled { Write-LogMessage -API 'Standards' -tenant $tenant -message "Password Expiration is not disabled for $($_.name)" -sev Alert } } + if ($Settings.Report) { + $DomainswithoutPassExpire = $GraphRequest | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' + Add-CIPPBPAField -FieldName 'PasswordExpireDisabled' -FieldValue $DomainswithoutPassExpire -StoreAs json -Tenant $tenant + + } } 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 index c3209ce9ca32..4b97cef1b9df 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 @@ -21,4 +21,7 @@ function Invoke-RotateDKIM { Write-LogMessage -API 'Standards' -tenant $tenant -message "DKIM is not rotated for $($_.Identity)" -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIM -StoreAs json -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 index 78869dafb67f..437862d75f35 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 @@ -24,4 +24,7 @@ function Invoke-SecurityDefaults { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Security Defaults is not enabled.' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'SecurityDefaults' -FieldValue [bool]$SecureDefaultsState.IsEnabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 index 67a29fae0819..0ae1e23b188a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 @@ -24,4 +24,7 @@ function Invoke-SendFromAlias { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Send from alias is not enabled.' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'SendFromAlias' -FieldValue [bool]$CurrentInfo.SendFromAliasEnabled -StoreAs bool -Tenant $tenant + } } 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 index 25fd6aa79ab5..0f4e469f76b6 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 @@ -48,4 +48,7 @@ function Invoke-SendReceiveLimitTenant { } } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'SendReceiveLimit' -FieldValue $AllMailBoxPlans -StoreAs json -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 index bf9442f58d87..c529d2c7a78e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 @@ -25,4 +25,7 @@ function Invoke-SpoofWarn { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Spoofing warnings are not enabled.' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'SpoofingWarnings' -FieldValue [bool]$CurrentInfo.Enabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 index 624422b0d935..793d91a46094 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 @@ -4,6 +4,8 @@ function Invoke-TAP { Internal #> param($Tenant, $Settings) + $CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass' -tenantid $Tenant) + If ($Settings.Remediate) { $TAPConfig = $Settings.Config 
@@ -33,11 +35,19 @@ function Invoke-TAP { } } if ($Settings.Alert) { - $CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass' -tenantid $Tenant) if ($CurrentInfo.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Temporary Access Passwords is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Temporary Access Passwords is not enabled.' -sev Alert } } + if ($Settings.Report) { + if ($CurrentInfo.state -eq 'enabled') { + $CurrentInfo.state = $true + } else { + $CurrentInfo.state = $false + } + Add-CIPPBPAField -FieldName 'TemporaryAccessPass' -FieldValue [bool]$CurrentInfo.state -StoreAs bool -Tenant $tenant + } + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 index e3c71adf13e5..ec81dbada33e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 @@ -49,4 +49,11 @@ function Invoke-UserSubmissions { } } } + if ($Settings.Report) { + if ($Policy.length -eq 0) { + Add-CIPPBPAField -FieldName 'UserSubmissionPolicy' -FieldValue $false -StoreAs bool -Tenant $tenant + } else { + Add-CIPPBPAField -FieldName 'UserSubmissionPolicy' -FieldValue [bool]$Policy.EnableReportToMicrosoft -StoreAs bool -Tenant $tenant + } + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 index faeda9dfcacd..e5634b5ee726 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 
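Review bot: The Report block overwrites `$CurrentInfo.state` on the fetched policy object with `$true`/`$false` only to feed the cast on the following line; a local flag keeps the Graph response intact and reads more clearly: `$TapEnabled = $CurrentInfo.state -eq 'enabled'` followed by `Add-CIPPBPAField -FieldName 'TemporaryAccessPass' -FieldValue $TapEnabled -StoreAs bool -Tenant $tenant`. The allowOAuthTokens and unmanagedSync hunks mutate their `$CurrentInfo` the same way. Invoke-TAP's earlier blocks lie outside this hunk.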
@@ -24,4 +24,12 @@ function Invoke-allowOAuthTokens { Write-LogMessage -API 'Standards' -tenant $tenant -message 'software OTP/oAuth tokens is not enabled' -sev Alert } } + if ($Settings.Report) { + if ($CurrentInfo.state -eq 'enabled') { + $CurrentInfo.state = $true + } else { + $CurrentInfo.state = $false + } + Add-CIPPBPAField -FieldName 'softwareOath' -FieldValue [bool]$CurrentInfo.state -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 index 63b107b22f3c..26bf7e8b0987 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 @@ -26,4 +26,7 @@ function Invoke-allowOTPTokens { Write-LogMessage -API 'Standards' -tenant $tenant -message 'MS authenticator OTP/oAuth tokens is not enabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'MSAuthenticator' -FieldValue [bool]$CurrentInfo.isSoftwareOathEnabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 index ee2e0880eb6e..a54d150e6fd5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 @@ -23,4 +23,7 @@ function Invoke-disableMacSync { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Mac OneDrive Sync is not disabled' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'MacSync' -FieldValue [bool]$CurrentInfo.isMacSyncAppEnabled -StoreAs bool -Tenant $tenant + } } \ No newline at end of file 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 index 214659acd9c2..3c307f1d40bf 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 @@ -23,4 +23,8 @@ function Invoke-intuneDeviceReg { Write-LogMessage -API 'Standards' -tenant $tenant -message "User device quota is not set to $($Settings.max)" -sev Alert } } + if ($Settings.Report) { + if ($PreviousSetting.userDeviceQuota -eq $Settings.max) { $UserQuota = $true } else { $UserQuota = $false } + Add-CIPPBPAField -FieldName 'intuneDeviceReg' -FieldValue [bool]$UserQuota -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 index 91a30fe90c29..1d42ea0ca0ee 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 @@ -22,4 +22,9 @@ function Invoke-intuneDeviceRetirementDays { Write-LogMessage -API 'Standards' -tenant $tenant -message 'DeviceInactivityBeforeRetirementInDays is not enabled.' -sev Alert } } + if ($Settings.Report) { + if ($PreviousSetting.DeviceInactivityBeforeRetirementInDays -eq $Settings.days) { $UserQuota = $true } else { $UserQuota = $false } + + Add-CIPPBPAField -FieldName 'intuneDeviceRetirementDays' -FieldValue [bool]$UserQuota -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 index 2da93b3f43a1..23aea55b07ff 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 
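Review bot: `$UserQuota` is reused as the result flag in the intuneDeviceRetirementDays hunk, and again in the intuneRequireMFA hunk on the next line, where it holds nothing to do with a device quota; the name is only accurate in the intuneDeviceReg hunk. Naming the flag for what it holds, e.g. `$RetirementDaysMatch = $PreviousSetting.DeviceInactivityBeforeRetirementInDays -eq $Settings.days`, also removes the `if … { $true } else { $false }` ceremony. The enclosing functions start outside these hunks.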
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 @@ -23,4 +23,8 @@ function Invoke-intuneRequireMFA { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Require to use MFA when joining Intune Devices is not enabled.' -sev Alert } } + if ($Settings.Report) { + if ($PreviousSetting.multiFactorAuthConfiguration -eq 'required') { $UserQuota = $true } else { $UserQuota = $false } + Add-CIPPBPAField -FieldName 'intuneRequireMFA' -FieldValue [bool]$UserQuota -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 index 79fe33e5eb07..302345101e59 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 @@ -24,4 +24,7 @@ function Invoke-laps { Write-LogMessage -API 'Standards' -tenant $tenant -message 'LAPS is not enabled.' -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'laps' -FieldValue [bool]$PreviousSetting.localadminpassword.isEnabled -StoreAs bool -Tenant $tenant + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 index 96ec039445f2..34c9e0775d9e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 @@ -20,4 +20,7 @@ function Invoke-sharingCapability { Write-LogMessage -API 'Standards' -tenant $tenant -message "Sharing level is not set to $($Settings.level)" -sev Alert } } + if ($Settings.Report) { + Add-CIPPBPAField -FieldName 'sharingCapability' -FieldValue $CurrentInfo.sharingCapability -StoreAs string -Tenant $tenant + } } 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 index 53823cd97c81..12952980c659 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 @@ -21,4 +21,12 @@ function Invoke-unmanagedSync { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sync for unmanaged devices is not disabled' -sev Alert } } + if ($Settings.Report) { + if ($CurrentInfo.isUnmanagedSyncAppForTenantRestricted -eq $false) { + $CurrentInfo.isUnmanagedSyncAppForTenantRestricted = $true + } else { + $CurrentInfo.isUnmanagedSyncAppForTenantRestricted = $false + } + Add-CIPPBPAField -FieldName 'unmanagedSync' -FieldValue [bool]$CurrentInfo.isUnmanagedSyncAppForTenantRestricted -StoreAs bool -Tenant $tenant + } } From 3d83333079351a9d411825509268a0c0c11ee5b5 Mon Sep 17 00:00:00 2001 
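Review bot: The value stored under `unmanagedSync` is the inverse of the property it is derived from: `isUnmanagedSyncAppForTenantRestricted -eq $false` yields `$true`, so a `true` in the BPA report means unmanaged sync is not restricted. That may be intended, since the neighbouring `MacSync` field also stores `true` for the enabled case, but the inversion deserves a comment on the `if`, e.g. `# Report true when unmanaged sync is allowed, i.e. the tenant restriction is off`. Computing it directly as `$UnmanagedSyncAllowed = $CurrentInfo.isUnmanagedSyncAppForTenantRestricted -eq $false` would also avoid mutating the fetched object. Invoke-unmanagedSync's earlier branches are outside this hunk.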
From: KelvinTegelaar Date: Fri, 8 Dec 2023 20:39:04 +0100 Subject: [PATCH 60/78] corrected standards names --- .../Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 | 2 +- .../Standards/Invoke-CIPPStandardAnonReportDisable.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardAuditLog.ps1 | 2 +- .../Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 | 2 +- .../Standards/Invoke-CIPPStandardConditionalAccess.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDelegateSentItems.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 | 2 +- .../Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 | 2 +- .../Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 | 2 +- .../Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 | 2 +- .../Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardDisableViva.ps1 | 2 +- .../Invoke-CIPPStandardEnableAppConsentRequests.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 | 2 +- .../Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardExConnector.ps1 | 4 ++-- .../Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 | 2 +- 
.../Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 | 2 +- .../Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardMailContacts.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardModernAuth.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 | 2 +- .../Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 | 2 +- .../Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 | 2 +- .../Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 | 2 +- ...oke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 | 2 +- .../Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 | 2 +- .../Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 | 2 +- .../CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 | 2 +- .../Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 | 2 +- .../Standards/Invoke-CIPPStandardSecurityDefaults.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 | 2 +- .../Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 | 2 +- .../CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 | 2 +- .../Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 | 6 +++--- .../Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 | 2 +- .../Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardcalDefault.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 | 2 +- .../Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 | 2 +- 
.../Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 | 2 +- .../CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 | 2 +- .../Standards/Invoke-CIPPStandardsharingCapability.ps1 | 2 +- .../Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 | 2 +- 64 files changed, 67 insertions(+), 67 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 index 0d1074a7ba6c..2339b632cd7c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 @@ -1,4 +1,4 @@ -function Invoke-ActivityBasedTimeout { +function Invoke-CIPPStandardActivityBasedTimeout { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 index 041541c38f59..5135e0589e9f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 @@ -1,4 +1,4 @@ -function Invoke-AddDKIM { +function Invoke-CIPPStandardAddDKIM { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 index 2eaa786e5c15..6fb70aab7f00 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 @@ -1,4 +1,4 @@ -function Invoke-AnonReportDisable { +function Invoke-CIPPStandardAnonReportDisable { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 index 5bc180712708..092d28914372 100644 
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 @@ -1,4 +1,4 @@ -function Invoke-AuditLog { +function Invoke-CIPPStandardAuditLog { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 index fc750da3f413..59be5258bf5e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 @@ -1,4 +1,4 @@ -function Invoke-AutoExpandArchive { +function Invoke-CIPPStandardAutoExpandArchive { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 index cb02d62bb5c7..c53587da6dc1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 @@ -1,4 +1,4 @@ -function Invoke-AzurePortal { +function Invoke-CIPPStandardAzurePortal { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 index 8650a4451e8a..4b6ca04003a5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 @@ -1,4 +1,4 @@ -function Invoke-ConditionalAccess { +function Invoke-CIPPStandardConditionalAccess { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 index bc23efb3be7f..3eac42cf521f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 @@ -1,4 +1,4 @@ -function Invoke-DelegateSentItems { +function Invoke-CIPPStandardDelegateSentItems { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 index cb3f8de260c6..d589ea706b9d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 @@ -1,4 +1,4 @@ -function Invoke-DeletedUserRentention { +function Invoke-CIPPStandardDeletedUserRentention { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 index 413bc84ef307..54098dc07098 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 @@ -1,4 +1,4 @@ -function Invoke-DisableAddShortcutsToOneDrive { +function Invoke-CIPPStandardDisableAddShortcutsToOneDrive { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 index 86e879172545..b4bb0e779681 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuth.ps1 @@ -1,4 +1,4 @@ -function Invoke-DisableBasicAuth { +function Invoke-CIPPStandardDisableBasicAuth { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 index c9fed06a04a8..027ebf597cb6 100644 
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1
@@ -1,4 +1,4 @@
-function Invoke-DisableBasicAuthSMTP {
+function Invoke-CIPPStandardDisableBasicAuthSMTP {
 <#
 .FUNCTIONALITY
 Internal
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
index 2c2dd8ad0c93..d1cd1304933f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
@@ -1,4 +1,4 @@
-function Invoke-DisableGuestDirectory {
+function Invoke-CIPPStandardDisableGuestDirectory {
 <#
 .FUNCTIONALITY
 Internal
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
index 47b5f6a1948e..6bd48adc9d24 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
@@ -1,4 +1,4 @@
-function Invoke-DisableGuests {
+function Invoke-CIPPStandardDisableGuests {
 <#
 .FUNCTIONALITY
 Internal
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
index 3e2e579ab1aa..c8931dbdc03c 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
@@ -1,4 +1,4 @@
-function Invoke-DisableM365GroupUsers {
+function Invoke-CIPPStandardDisableM365GroupUsers {
 <#
 .FUNCTIONALITY
 Internal
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 index efc106b20c0f..35805fb90a77 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 @@ -1,4 +1,4 @@ -function Invoke-DisableReshare { +function Invoke-CIPPStandardDisableReshare { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 index 198d539b3c12..5b2869860f4e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 @@ -1,4 +1,4 @@ -function Invoke-DisableSecurityGroupUsers { +function Invoke-CIPPStandardDisableSecurityGroupUsers { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 index 3da962665d0d..c90b55962a58 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 @@ -1,4 +1,4 @@ -function Invoke-DisableSelfServiceLicenses { +function Invoke-CIPPStandardDisableSelfServiceLicenses { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 index 815651c4216f..63e7bf8d949e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 
@@ -1,4 +1,4 @@ -function Invoke-DisableSharedMailbox { +function Invoke-CIPPStandardDisableSharedMailbox { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 index 5a9936d40eb8..d53ff9bae502 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 @@ -1,4 +1,4 @@ -function Invoke-DisableTenantCreation { +function Invoke-CIPPStandardDisableTenantCreation { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 index 3f11a485603a..f62fe9e589cb 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 @@ -1,4 +1,4 @@ -function Invoke-DisableUserSiteCreate { +function Invoke-CIPPStandardDisableUserSiteCreate { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 index 59d7f7c9f61d..fafb3c26f4a9 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 @@ -1,4 +1,4 @@ -function Invoke-DisableViva { +function Invoke-CIPPStandardDisableViva { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 index 7616f3789aa4..9175281de0ef 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 @@ -1,4 +1,4 @@ -function Invoke-EnableAppConsentRequests { +function Invoke-CIPPStandardEnableAppConsentRequests { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 index 614cb0c3c063..e22b4bc475c7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 @@ -1,4 +1,4 @@ -function Invoke-EnableFIDO2 { +function Invoke-CIPPStandardEnableFIDO2 { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 index 9e9b8333f585..e044d233a0e2 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 @@ -1,4 +1,4 @@ -function Invoke-EnableOnlineArchiving { +function Invoke-CIPPStandardEnableOnlineArchiving { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 index bb1f17079647..b03b0ba33275 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 @@ -1,4 +1,4 @@ -function Invoke-ExConnector { +function Invoke-CIPPStandardExConnector { <# .FUNCTIONALITY Internal @@ -34,6 +34,6 @@ function Invoke-ExConnector { } } - + } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 index dc29a1fb8bb2..535459832a0c 100644 
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 @@ -1,4 +1,4 @@ -function Invoke-ExcludedfileExt { +function Invoke-CIPPStandardExcludedfileExt { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 index d0ed809a6b15..84ccd587db0e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 @@ -1,4 +1,4 @@ -function Invoke-GroupTemplate { +function Invoke-CIPPStandardGroupTemplate { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 index 3f3c2271e520..86665c271868 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 @@ -1,4 +1,4 @@ -function Invoke-IntuneTemplate { +function Invoke-CIPPStandardIntuneTemplate { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 index 60134bd5d4d5..32158bf5de70 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFA.ps1 @@ -1,4 +1,4 @@ -function Invoke-LegacyMFA { +function Invoke-CIPPStandardLegacyMFA { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 index ed591fffdf03..08f43267469f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 @@ -1,4 +1,4 @@ -function Invoke-LegacyMFACleanup { +function Invoke-CIPPStandardLegacyMFACleanup { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 index 1511b345a177..e37b4818038c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 @@ -1,4 +1,4 @@ -function Invoke-MailContacts { +function Invoke-CIPPStandardMailContacts { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 index dff45dc2a542..7816ac5bfddc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 @@ -1,4 +1,4 @@ -function Invoke-ModernAuth { +function Invoke-CIPPStandardModernAuth { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 index e83083f25a19..c841dbad5b89 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 @@ -1,4 +1,4 @@ -function Invoke-NudgeMFA { +function Invoke-CIPPStandardNudgeMFA { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 index 5cc265831a6c..265a334c1de3 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 
@@ -1,4 +1,4 @@ -function Invoke-OauthConsent { +function Invoke-CIPPStandardOauthConsent { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 index bb9d3c43e9e4..dbfe864a9fe4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 @@ -1,4 +1,4 @@ -function Invoke-OauthConsentLowSec { +function Invoke-CIPPStandardOauthConsentLowSec { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 index 00220f6c1470..294d5be40f17 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 @@ -1,4 +1,4 @@ -function Invoke-OutBoundSpamAlert { +function Invoke-CIPPStandardOutBoundSpamAlert { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 index 1f22be6567d2..28fcadaa1bef 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 @@ -1,4 +1,4 @@ -function Invoke-PWcompanionAppAllowedState { +function Invoke-CIPPStandardPWcompanionAppAllowedState { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 index 2cc20281ffb8..e79f6b35b9fe 100644 
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 @@ -1,4 +1,4 @@ -function Invoke-PWdisplayAppInformationRequiredState { +function Invoke-CIPPStandardPWdisplayAppInformationRequiredState { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 index 2aa6ed8d9913..48b5e602afcb 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWnumberMatchingRequiredState.ps1 @@ -1,4 +1,4 @@ -function Invoke-PWnumberMatchingRequiredState { +function Invoke-CIPPStandardPWnumberMatchingRequiredState { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 index 2a3662b4fc9b..e043c04b45bd 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 @@ -1,4 +1,4 @@ -function Invoke-PasswordExpireDisabled { +function Invoke-CIPPStandardPasswordExpireDisabled { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 index 4b97cef1b9df..bfeecddf752a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 @@ -1,4 +1,4 @@ -function Invoke-RotateDKIM { +function Invoke-CIPPStandardRotateDKIM { <# .FUNCTIONALITY Internal 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 index b976431f0d19..e6fbdd3181f6 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSSPR.ps1 @@ -1,4 +1,4 @@ -function Invoke-SSPR { +function Invoke-CIPPStandardSSPR { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 index 7584aa6cad07..c08b6b0f0200 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 @@ -1,4 +1,4 @@ -function Invoke-SafeSendersDisable { +function Invoke-CIPPStandardSafeSendersDisable { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 index 437862d75f35..fe092608e3aa 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 @@ -1,4 +1,4 @@ -function Invoke-SecurityDefaults { +function Invoke-CIPPStandardSecurityDefaults { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 index 0ae1e23b188a..15a3f40a0d78 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 @@ -1,4 +1,4 @@ -function Invoke-SendFromAlias { +function Invoke-CIPPStandardSendFromAlias { <# .FUNCTIONALITY Internal 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 index 0f4e469f76b6..15f299afeeac 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 @@ -1,4 +1,4 @@ -function Invoke-SendReceiveLimitTenant { +function Invoke-CIPPStandardSendReceiveLimitTenant { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 index c529d2c7a78e..647083276cc4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 @@ -1,4 +1,4 @@ -function Invoke-SpoofWarn { +function Invoke-CIPPStandardSpoofWarn { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 index 793d91a46094..3257cd5b7b92 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 @@ -1,4 +1,4 @@ -function Invoke-TAP { +function Invoke-CIPPStandardTAP { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 index 5b8f3f8bb549..062b64cb8f55 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 @@ -1,4 +1,4 @@ -function Invoke-TransportRuleTemplate { +function Invoke-CIPPStandardTransportRuleTemplate { <# .FUNCTIONALITY Internal 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 index 74bf488c2991..b97dd6850339 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 @@ -1,4 +1,4 @@ -function Invoke-UndoOauth { +function Invoke-CIPPStandardUndoOauth { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 index 677e4dde261f..819742a0031b 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 @@ -1,4 +1,4 @@ -function Invoke-UndoSSPR { +function Invoke-CIPPStandardUndoSSPR { <# .FUNCTIONALITY Internal @@ -6,6 +6,6 @@ function Invoke-UndoSSPR { param($Tenant, $Settings) If ($Settings.Remediate) { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'The standard for SSPR is no longer supported.' -sev Error -} + Write-LogMessage -API 'Standards' -tenant $tenant -message 'The standard for SSPR is no longer supported.' -sev Error + } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 index ec81dbada33e..80cba1b41c4b 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 @@ -1,4 +1,4 @@ -function Invoke-UserSubmissions { +function Invoke-CIPPStandardUserSubmissions { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 index e5634b5ee726..faf65b90fbf4 100644 
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 @@ -1,4 +1,4 @@ -function Invoke-allowOAuthTokens { +function Invoke-CIPPStandardallowOAuthTokens { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 index 26bf7e8b0987..780eaf6ebd80 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 @@ -1,4 +1,4 @@ -function Invoke-allowOTPTokens { +function Invoke-CIPPStandardallowOTPTokens { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 index 47713fe16a31..3609bef5b474 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 @@ -1,4 +1,4 @@ -function Invoke-calDefault { +function Invoke-CIPPStandardcalDefault { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 index a54d150e6fd5..37d459dc4028 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 @@ -1,4 +1,4 @@ -function Invoke-disableMacSync { +function Invoke-CIPPStandarddisableMacSync { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 index 0d7b817fb5aa..28506c97a53b 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 @@ -1,4 +1,4 @@ -function Invoke-fwdAdminAlerts { +function Invoke-CIPPStandardfwdAdminAlerts { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 index 3c307f1d40bf..8d773b83e9e0 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 @@ -1,4 +1,4 @@ -function Invoke-intuneDeviceReg { +function Invoke-CIPPStandardintuneDeviceReg { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 index 1d42ea0ca0ee..9f5159fc2cdb 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 @@ -1,4 +1,4 @@ -function Invoke-intuneDeviceRetirementDays { +function Invoke-CIPPStandardintuneDeviceRetirementDays { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 index 23aea55b07ff..19986a31a363 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 @@ -1,4 +1,4 @@ -function Invoke-intuneRequireMFA { +function Invoke-CIPPStandardintuneRequireMFA { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 index 302345101e59..3c2235aba183 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 @@ -1,4 +1,4 @@ -function Invoke-laps { +function Invoke-CIPPStandardlaps { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 index 34c9e0775d9e..10dd2a7c43fc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 @@ -1,4 +1,4 @@ -function Invoke-sharingCapability { +function Invoke-CIPPStandardsharingCapability { <# .FUNCTIONALITY Internal diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 index 12952980c659..eaf811fbc967 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 @@ -1,4 +1,4 @@ -function Invoke-unmanagedSync { +function Invoke-CIPPStandardunmanagedSync { <# .FUNCTIONALITY Internal From 3b98e72df2e8075fbfa79f8a4c10ec827cca6b18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Sat, 9 Dec 2023 23:15:16 +0100 Subject: [PATCH 61/78] Add id as a return value for the found users --- .../Invoke-ListSharedMailboxAccountEnabled.ps1 | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSharedMailboxAccountEnabled.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSharedMailboxAccountEnabled.ps1 index f40095596f18..4f5bffce19f1 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSharedMailboxAccountEnabled.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSharedMailboxAccountEnabled.ps1 
@@ -20,21 +20,23 @@ Function Invoke-ListSharedMailboxAccountEnabled { # Get Shared Mailbox Stuff try { $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($TenantFilter)/Mailbox?`$filter=RecipientTypeDetails eq 'SharedMailbox'" -Tenantid $TenantFilter -scope ExchangeOnline) - $AllUsersAccountState = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users?select=userPrincipalName,accountEnabled,displayName,givenName,surname' -tenantid $Tenantfilter + $AllUsersAccountState = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users?select=id,userPrincipalName,accountEnabled,displayName,givenName,surname' -tenantid $Tenantfilter $EnabledUsersWithSharedMailbox = foreach ($SharedMailbox in $SharedMailboxList) { # Match the User - $User = $AllUsersAccountState | Where-Object { $_.userPrincipalName -eq $SharedMailbox.userPrincipalName } | Select-Object -Property userPrincipalName, accountEnabled, displayName, givenName, surname -First 1 + $User = $AllUsersAccountState | Where-Object { $_.userPrincipalName -eq $SharedMailbox.userPrincipalName } | Select-Object -Property id, userPrincipalName, accountEnabled, displayName, givenName, surname -First 1 if ($User.accountEnabled) { $User | Select-Object ` @{Name = 'UserPrincipalName'; Expression = { $User.UserPrincipalName } }, ` @{Name = 'displayName'; Expression = { $User.displayName } }, @{Name = 'givenName'; Expression = { $User.givenName } }, @{Name = 'surname'; Expression = { $User.surname } }, - @{Name = 'accountEnabled'; Expression = { $User.accountEnabled } } + @{Name = 'accountEnabled'; Expression = { $User.accountEnabled } }, + @{Name = 'id'; Expression = { $User.id } } } } - } catch { + } + catch { Write-LogMessage -API 'Tenant' -tenant $tenantfilter -message "Shared Mailbox Enabled Accounts on $($tenantfilter). Error: $($_.exception.message)" -sev 'Error' } From 07981ba11f0b8d8031cbd315a0c9760c365799b6 Mon Sep 17 00:00:00 2001 
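Review bot: The new `id` field has to be maintained in two places in this hunk — the `Select-Object -Property id, userPrincipalName, …` projection on the `$User` line and the second `Select-Object` with calculated properties that re-emits each field via `$User.<name>` — so the two lists will drift the next time a property is added, exactly as this commit had to touch both. Since the first projection already restricts `$User` to these same properties, the calculated-property block appears to exist only to fix the output casing (`UserPrincipalName`) and order; if the front end depends on that, a comment such as `# Re-project so property names/order stay stable for the UI; keep in sync with the -Property list above` would save the next editor from missing one of the two spots, and otherwise `$User` could be emitted directly. Separately, the hunk splits `} catch {` into `}` / `catch {`; if the module's convention is the one-line `} catch {` form, this reverts it and adds unrelated diff noise to a one-field change. Invoke-ListSharedMailboxAccountEnabled begins before this hunk, so I cannot see how the caught error affects the returned result.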
From: KelvinTegelaar Date: Sun, 10 Dec 2023 02:06:58 +0100 Subject: [PATCH 62/78] case sensitiveity --- Config/StandardsTable.BPATemplate.json | 591 ++++++++++++++++++ Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 | 1 - ...nvoke-CIPPStandardActivityBasedTimeout.ps1 | 7 +- .../Standards/Invoke-CIPPStandardAddDKIM.ps1 | 7 +- .../Invoke-CIPPStandardAnonReportDisable.ps1 | 7 +- .../Standards/Invoke-CIPPStandardAuditLog.ps1 | 10 +- .../Invoke-CIPPStandardAutoExpandArchive.ps1 | 7 +- .../Invoke-CIPPStandardAzurePortal.ps1 | 2 +- .../Invoke-CIPPStandardConditionalAccess.ps1 | 2 +- .../Invoke-CIPPStandardDelegateSentItems.ps1 | 7 +- ...voke-CIPPStandardDeletedUserRentention.ps1 | 7 +- ...PStandardDisableAddShortcutsToOneDrive.ps1 | 2 +- ...nvoke-CIPPStandardDisableBasicAuthSMTP.ps1 | 7 +- ...voke-CIPPStandardDisableGuestDirectory.ps1 | 7 +- .../Invoke-CIPPStandardDisableGuests.ps1 | 7 +- ...voke-CIPPStandardDisableM365GroupUsers.ps1 | 7 +- .../Invoke-CIPPStandardDisableReshare.ps1 | 7 +- ...-CIPPStandardDisableSecurityGroupUsers.ps1 | 7 +- ...nvoke-CIPPStandardDisableSharedMailbox.ps1 | 7 +- ...voke-CIPPStandardDisableTenantCreation.ps1 | 7 +- ...voke-CIPPStandardDisableUserSiteCreate.ps1 | 7 +- .../Invoke-CIPPStandardDisableViva.ps1 | 7 +- ...e-CIPPStandardEnableAppConsentRequests.ps1 | 7 +- .../Invoke-CIPPStandardEnableFIDO2.ps1 | 7 +- ...voke-CIPPStandardEnableOnlineArchiving.ps1 | 7 +- .../Invoke-CIPPStandardExConnector.ps1 | 2 +- .../Invoke-CIPPStandardExcludedfileExt.ps1 | 7 +- .../Invoke-CIPPStandardGroupTemplate.ps1 | 2 +- .../Invoke-CIPPStandardIntuneTemplate.ps1 | 2 +- .../Invoke-CIPPStandardMailContacts.ps1 | 7 +- .../Invoke-CIPPStandardModernAuth.ps1 | 2 +- .../Standards/Invoke-CIPPStandardNudgeMFA.ps1 | 7 +- .../Invoke-CIPPStandardOauthConsent.ps1 | 7 +- .../Invoke-CIPPStandardOauthConsentLowSec.ps1 | 7 +- .../Invoke-CIPPStandardOutBoundSpamAlert.ps1 | 7 +- ...CIPPStandardPWcompanionAppAllowedState.ps1 | 7 +- ...rdPWdisplayAppInformationRequiredState.ps1 | 7 +- 
...oke-CIPPStandardPasswordExpireDisabled.ps1 | 7 +- .../Invoke-CIPPStandardRotateDKIM.ps1 | 7 +- .../Invoke-CIPPStandardSafeSendersDisable.ps1 | 2 +- .../Invoke-CIPPStandardSecurityDefaults.ps1 | 7 +- .../Invoke-CIPPStandardSendFromAlias.ps1 | 7 +- ...oke-CIPPStandardSendReceiveLimitTenant.ps1 | 7 +- .../Invoke-CIPPStandardSpoofWarn.ps1 | 7 +- .../Standards/Invoke-CIPPStandardTAP.ps1 | 7 +- ...voke-CIPPStandardTransportRuleTemplate.ps1 | 2 +- .../Invoke-CIPPStandardUndoOauth.ps1 | 2 +- .../Standards/Invoke-CIPPStandardUndoSSPR.ps1 | 2 +- .../Invoke-CIPPStandardUserSubmissions.ps1 | 7 +- .../Invoke-CIPPStandardallowOAuthTokens.ps1 | 7 +- .../Invoke-CIPPStandardallowOTPTokens.ps1 | 7 +- .../Invoke-CIPPStandardcalDefault.ps1 | 2 +- .../Invoke-CIPPStandarddisableMacSync.ps1 | 7 +- .../Invoke-CIPPStandardfwdAdminAlerts.ps1 | 2 +- .../Invoke-CIPPStandardintuneDeviceReg.ps1 | 7 +- ...CIPPStandardintuneDeviceRetirementDays.ps1 | 7 +- .../Invoke-CIPPStandardintuneRequireMFA.ps1 | 7 +- .../Standards/Invoke-CIPPStandardlaps.ps1 | 7 +- .../Invoke-CIPPStandardsharingCapability.ps1 | 7 +- .../Invoke-CIPPStandardunmanagedSync.ps1 | 7 +- 60 files changed, 786 insertions(+), 150 deletions(-) create mode 100644 Config/StandardsTable.BPATemplate.json diff --git a/Config/StandardsTable.BPATemplate.json b/Config/StandardsTable.BPATemplate.json new file mode 100644 index 000000000000..e55b284d84b5 --- /dev/null +++ b/Config/StandardsTable.BPATemplate.json 
@@ -0,0 +1,591 @@ +{ + "name": "CIPP Standards v1.0 - Table view", + "style": "Table", + "Fields": [ + { + "name": "ActivityBasedTimeout", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "ActivityBasedTimeout", + "desc": "YesYes", + "value": "ActivityBasedTimeout" + } + ] + }, + { + "name": "softwareOath", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "softwareOath", + "desc": "YesYes", + "value": "softwareOath" + } + ] + }, + { + "name": "MSAuthenticator", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "MSAuthenticator", + "desc": "YesYes", + "value": "MSAuthenticator" + } + ] + }, + { + "name": "AnonReport", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "AnonReport", + "desc": "YesYes", + "value": "AnonReport" + } + ] + }, + { + "name": "AuditLog", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "AuditLog", + "desc": "YesYes", + "value": "AuditLog" + } + ] + }, + { + "name": "AutoExpandingArchive", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "AutoExpandingArchive", + "desc": "YesYes", + "value": "AutoExpandingArchive" + } + ] + }, + { + "name": "DelegateSentItems", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "DelegateSentItems", + "desc": "YesYes", + "value": "DelegateSentItems" + } + ] + }, + { + "name": "DeletedUserRentention", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "DeletedUserRentention", + "desc": "YesYes", + "value": "DeletedUserRentention" + } + ] + }, + { + "name": "DisableBasicAuthSMTP", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + 
"name": "DisableBasicAuthSMTP", + "desc": "YesYes", + "value": "DisableBasicAuthSMTP" + } + ] + }, + { + "name": "DisableGuestDirectory", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "DisableGuestDirectory", + "desc": "YesYes", + "value": "DisableGuestDirectory" + } + ] + }, + { + "name": "DisableGuests", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "DisableGuests", + "desc": "YesYes", + "value": "DisableGuests" + } + ] + }, + { + "name": "DisableM365GroupUsers", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "DisableM365GroupUsers", + "desc": "YesYes", + "value": "DisableM365GroupUsers" + } + ] + }, + { + "name": "MacSync", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "MacSync", + "desc": "YesYes", + "value": "MacSync" + } + ] + }, + { + "name": "DisableReshare", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "DisableReshare", + "desc": "YesYes", + "value": "DisableReshare" + } + ] + }, + { + "name": "DisableSecurityGroupUsers", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "DisableSecurityGroupUsers", + "desc": "YesYes", + "value": "DisableSecurityGroupUsers" + } + ] + }, + { + "name": "DisableSharedMailbox", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "DisableSharedMailbox", + "desc": "YesYes", + "value": "DisableSharedMailbox" + } + ] + }, + { + "name": "DisableTenantCreation", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "DisableTenantCreation", + "desc": "YesYes", + "value": "DisableTenantCreation" + } + ] + }, + { + "name": "DisableUserSiteCreate", + "store": "bool", + "UseExistingInfo": 
true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "DisableUserSiteCreate", + "desc": "YesYes", + "value": "DisableUserSiteCreate" + } + ] + }, + { + "name": "DisableViva", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "DisableViva", + "desc": "YesYes", + "value": "DisableViva" + } + ] + }, + { + "name": "EnableAppConsentAdminRequests", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "EnableAppConsentAdminRequests", + "desc": "YesYes", + "value": "EnableAppConsentAdminRequests" + } + ] + }, + { + "name": "EnableFIDO2", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "EnableFIDO2", + "desc": "YesYes", + "value": "EnableFIDO2" + } + ] + }, + { + "name": "EnableOnlineArchiving", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "EnableOnlineArchiving", + "desc": "YesYes", + "value": "EnableOnlineArchiving" + } + ] + }, + { + "name": "ExcludedfileExt", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "ExcludedfileExt", + "desc": "YesYes", + "value": "ExcludedfileExt" + } + ] + }, + { + "name": "intuneDeviceReg", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "intuneDeviceReg", + "desc": "YesYes", + "value": "intuneDeviceReg" + } + ] + }, + { + "name": "intuneDeviceRetirementDays", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "intuneDeviceRetirementDays", + "desc": "YesYes", + "value": "intuneDeviceRetirementDays" + } + ] + }, + { + "name": "intuneRequireMFA", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "intuneRequireMFA", + "desc": "YesYes", + "value": "intuneRequireMFA" + } + ] + }, + { + "name": 
"laps", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "laps", + "desc": "YesYes", + "value": "laps" + } + ] + }, + { + "name": "MailContacts", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "MailContacts", + "desc": "YesYes", + "value": "MailContacts" + } + ] + }, + { + "name": "NudgeMFA", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "NudgeMFA", + "desc": "YesYes", + "value": "NudgeMFA" + } + ] + }, + { + "name": "OauthConsent", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "OauthConsent", + "desc": "YesYes", + "value": "OauthConsent" + } + ] + }, + { + "name": "OauthConsentLowSec", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "OauthConsentLowSec", + "desc": "YesYes", + "value": "OauthConsentLowSec" + } + ] + }, + { + "name": "OutboundSpamAlert", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "OutboundSpamAlert", + "desc": "YesYes", + "value": "OutboundSpamAlert" + } + ] + }, + { + "name": "PasswordExpireDisabled", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "PasswordExpireDisabled", + "desc": "YesYes", + "value": "PasswordExpireDisabled" + } + ] + }, + { + "name": "companionAppAllowedState", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "companionAppAllowedState", + "desc": "YesYes", + "value": "companionAppAllowedState" + } + ] + }, + { + "name": "PWdisplayAppInformationRequiredState", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "PWdisplayAppInformationRequiredState", + "desc": "YesYes", + "value": "PWdisplayAppInformationRequiredState" + 
} + ] + }, + { + "name": "DKIM", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "DKIM", + "desc": "YesYes", + "value": "DKIM" + } + ] + }, + { + "name": "SecurityDefaults", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "SecurityDefaults", + "desc": "YesYes", + "value": "SecurityDefaults" + } + ] + }, + { + "name": "SendFromAlias", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "SendFromAlias", + "desc": "YesYes", + "value": "SendFromAlias" + } + ] + }, + { + "name": "SendReceiveLimit", + "store": "json", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "json", + "name": "SendReceiveLimit", + "desc": "YesYes", + "value": "SendReceiveLimit" + } + ] + }, + { + "name": "sharingCapability", + "store": "string", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "string", + "name": "sharingCapability", + "desc": "YesYes", + "value": "sharingCapability" + } + ] + }, + { + "name": "SpoofingWarnings", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "SpoofingWarnings", + "desc": "YesYes", + "value": "SpoofingWarnings" + } + ] + }, + { + "name": "TemporaryAccessPass", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "TemporaryAccessPass", + "desc": "YesYes", + "value": "TemporaryAccessPass" + } + ] + }, + { + "name": "unmanagedSync", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "unmanagedSync", + "desc": "YesYes", + "value": "unmanagedSync" + } + ] + }, + { + "name": "UserSubmissionPolicy", + "store": "bool", + "UseExistingInfo": true, + "FrontendFields": [ + { + "formatter": "bool", + "name": "UserSubmissionPolicy", + "desc": "YesYes", + "value": "UserSubmissionPolicy" + } + ] + }, + { + "name": 
"UserSubmissionPolicy",
+ "store": "bool",
+ "UseExistingInfo": true,
+ "FrontendFields": [
+ {
+ "formatter": "bool",
+ "name": "UserSubmissionPolicy",
+ "desc": "YesYes",
+ "value": "UserSubmissionPolicy"
+ }
+ ]
+ }
+ ]
+}
diff --git a/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 b/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1
index f4905eba8a15..8a87334367ac 100644
--- a/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1
+++ b/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1
@@ -8,7 +8,6 @@ function Add-CIPPBPAField {
 )
 $Table = Get-CippTable -tablename 'cachebpav2'
 $TenantName = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant
- $CurrentContentsObject = (Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq 'Standards Report V1.0' and PartitionKey eq '$($TenantName.customerId)'")
 Write-Host "Adding $FieldName to $BPAName for $Tenant. content is $($CurrentContents.RowKey)"
 if ($CurrentContentsObject.RowKey) {
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1
index 2339b632cd7c..e61c9bd9e75e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1
@@ -6,7 +6,7 @@ function Invoke-CIPPStandardActivityBasedTimeout {
 param($Tenant, $Settings)
 $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/activityBasedTimeoutPolicies' -tenantid $tenant).id
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 if (!$State) {
 $body = @'
@@ -24,7 +24,8 @@ function Invoke-CIPPStandardActivityBasedTimeout {
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 if ($State) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Activity Based Timeout is enabled' -sev Info
 } else {
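Review bot: The last two entries of `Fields` both declare `"name": "UserSubmissionPolicy"` with identical bodies, so the table view will carry that column twice; one of them should be dropped. Every `desc` in the file is the placeholder `"YesYes"`, which is the text the frontend will show for the column, so these need real descriptions before the template is used. The `DeletedUserRentention` key carries the same misspelling as the standard's file name; if either is corrected later, this key and the `-FieldName` passed to `Add-CIPPBPAField` have to change together or the field will silently stop populating.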
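Review bot: Removing the `$CurrentContentsObject` assignment leaves `if ($CurrentContentsObject.RowKey) {` on the hunk's last line testing a variable nothing in this hunk sets, so unless it is assigned earlier in the function the "existing report" branch can no longer be taken. The `Write-Host` line expands `$CurrentContents.RowKey`, a different name, so that log entry prints an empty value either way. If the lookup was meant to move elsewhere, the replacement assignment should land in the same commit; if it was meant to go, the `if` and the log line need the same treatment. Add-CIPPBPAField continues past the end of the hunk.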
@@ -32,7 +33,7 @@ function Invoke-CIPPStandardActivityBasedTimeout {
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 Add-CIPPBPAField -FieldName 'ActivityBasedTimeout' -FieldValue [bool]$state -StoreAs bool -Tenant $tenant
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1
index 5135e0589e9f..ecf181d8497a 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1
@@ -5,7 +5,7 @@ function Invoke-CIPPStandardAddDKIM {
 #>
 param($Tenant, $Settings)
 $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object -Property Enabled -EQ $false
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 $DKIM | ForEach-Object {
 (New-ExoRequest -tenantid $tenant -cmdlet 'New-DkimSigningConfig' -cmdparams @{ KeySize = 2048; DomainName = $_.Identity; Enabled = $true } -useSystemMailbox $true)
@@ -17,14 +17,15 @@ function Invoke-CIPPStandardAddDKIM {
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 if ($DKIM) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'DKIM is enabled for all available domains' -sev Info
 } else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'DKIM is not enabled for all available domains' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 Add-CIPPBPAField -FieldName 'DKIM' -FieldValue [bool]$DKIM -StoreAs bool -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1
index 6fb70aab7f00..b17bccf7290c 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1
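Review bot: The `Add-CIPPBPAField ... -FieldValue [bool]$state` call under the renamed `if ($Settings.report)` gate does not cast: in PowerShell argument mode a token beginning with `[` is an expandable string, so the parameter receives the text `[bool]` followed by the policy id (or `[bool]` alone when `$State` is empty), and `-StoreAs bool` is handed a non-empty string rather than a boolean — a tenant without the policy can end up recorded as compliant. Write `-FieldValue ([bool]$State)`. The same unchanged pattern sits under the renamed report gate in AddDKIM, AnonReportDisable, AuditLog, AutoExpandArchive, DisableBasicAuthSMTP, DisableReshare and DisableSecurityGroupUsers. Separately, property lookup on a PSCustomObject or ordinary hashtable is case-insensitive, so `.Remediate` to `.remediate` changes nothing unless `$Settings` arrives in a case-sensitive container; worth confirming what produces it before relying on this rename as the fix.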
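Review bot: The alert branch under the new `if ($Settings.alert) {` is inverted: `$DKIM` is the set of signing configs whose `Enabled` is `$false`, so a non-empty `$DKIM` means some domains are not signed, yet that case logs 'DKIM is enabled for all available domains' at Info while the empty (compliant) case raises the Alert. Swap the two `Write-LogMessage` calls, or change the test to `if (!$DKIM) {`. The report line has the same polarity problem — `[bool]$DKIM` is true exactly when the standard is not met — so the stored field should be `-FieldValue (-not $DKIM)` once the cast is parenthesized.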
@@ -5,7 +5,7 @@ function Invoke-CIPPStandardAnonReportDisable {
 #>
 param($Tenant, $Settings)
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -tenantid $Tenant -AsApp $true
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -Type patch -Body '{"displayConcealedNames": false}' -ContentType 'application/json' -AsApp $true
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports Disabled.' -sev Info
@@ -13,14 +13,15 @@ function Invoke-CIPPStandardAnonReportDisable {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable anonymous reports. Error: $($_.exception.message)" -sev Error
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 if ($CurrentInfo.displayConcealedNames -eq $false) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports is disabled' -sev Info
 } else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Anonymous Reports is not disabled' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 Add-CIPPBPAField -FieldName 'AnonReport' -FieldValue [bool]$CurrentInfo.displayConcealedNames -StoreAs bool -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1
index 092d28914372..63bbdafe4269 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1
@@ -7,8 +7,8 @@ function Invoke-CIPPStandardAuditLog {
 $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled
- If ($Settings.Remediate) {
-
+ If ($Settings.remediate) {
+ Write-Host 'Time to remediate'
 $DehydratedTenant = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').IsDehydrated
 if ($DehydratedTenant) {
 New-ExoRequest -tenantid $Tenant -cmdlet 'Enable-OrganizationCustomization'
@@ -30,14 +30,16 @@ function Invoke-CIPPStandardAuditLog {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Unified Audit Log. Error: $ErrorMessage" -sev Error
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 if ($AuditLogEnabled) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log is enabled' -sev Info
 } else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Unified Audit Log is not enabled' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
+
 Add-CIPPBPAField -FieldName 'AuditLog' -FieldValue [bool]$AuditLogEnabled -StoreAs bool -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1
index 59be5258bf5e..429466241b5c 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1
@@ -5,7 +5,7 @@ function Invoke-CIPPStandardAutoExpandArchive {
 #>
 param($Tenant, $Settings)
 $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AutoExpandingArchiveEnabled
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 if (!$currentstate) {
 New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams @{AutoExpandingArchive = $true }
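Review bot: `+ Write-Host 'Time to remediate'` in the first hunk reads as a leftover debugging line; this function otherwise reports through `Write-LogMessage`, and `Write-Host` output does not reach the Standards log where operators look for remediation activity. Either drop it or make it `Write-LogMessage -API 'Standards' -tenant $tenant -message 'Remediating Unified Audit Log' -sev Info`. The blank lines added after `if ($Settings.alert) {` and `if ($Settings.report) {` in the second hunk, and in the sibling standards files in this commit, are formatting noise and should go. Both hunks sit inside Invoke-CIPPStandardAuditLog, which starts before the first hunk.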
@@ -15,14 +15,15 @@ function Invoke-CIPPStandardAutoExpandArchive {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Auto Expanding Archives Error: $($_.exception.message)" -sev Error
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 if ($AuditLogEnabled) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Auto Expanding Archives is enabled' -sev Info
 } else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Auto Expanding Archives is not enabled' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 Add-CIPPBPAField -FieldName 'AutoExpandingArchive' -FieldValue [bool]$CurrentState.AutoExpandingArchiveEnabled -StoreAs bool -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1
index c53587da6dc1..f0c5622b80e7 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAzurePortal.ps1
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardAzurePortal {
 Internal
 #>
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Azure Portal disablement is no longer functional. Please remove this standard.' -sev Error
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1
index 4b6ca04003a5..7b2512866db8 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1
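Review bot: The alert branch under the new `if ($Settings.alert) {` tests `$AuditLogEnabled`, which this function never assigns — the state it fetched at the top is `$CurrentState` — so the check always takes the 'not enabled' path (and errors if strict mode is on); it should read `if ($CurrentState) {`. The report line has a related slip: `$CurrentState` already holds the `.AutoExpandingArchiveEnabled` value, so `$CurrentState.AutoExpandingArchiveEnabled` is null, and the intended call is `-FieldValue ([bool]$CurrentState)`. Both lines look copied from the AuditLog standard and were not adjusted for this file.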
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardConditionalAccess {
 Internal
 #>
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 $ConfigTable = Get-CippTable -tablename 'standards'
 $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ConditionalAccess
 if (!$Setting) {
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
index 3eac42cf521f..a0ffb45c8572 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
@@ -6,7 +6,7 @@ function Invoke-CIPPStandardDelegateSentItems {
 param($Tenant, $Settings)
 $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ RecipientTypeDetails = @('UserMailbox', 'SharedMailbox') } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false }
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 $Mailboxes | ForEach-Object {
 try {
@@ -21,14 +21,15 @@ function Invoke-CIPPStandardDelegateSentItems {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Delegate Sent Items Style. Error: $($_.exception.message)" -sev Error
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 if ($Mailboxes) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Delegate Sent Items Style is not enabled for $($mailboxes.count) users" -sev Alert
 } else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Delegate Sent Items Style is enabled' -sev Info
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 Add-CIPPBPAField -FieldName 'DelegateSentItems' -FieldValue $Mailboxes -StoreAs json -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
index d589ea706b9d..0e034eec9ee3 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardDeletedUserRentention {
 Internal
 #>
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 $body = '{"deletedUserPersonalSiteRetentionPeriodInDays": 365}'
 New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type PATCH -Body $body -ContentType 'application/json'
@@ -14,7 +14,8 @@ function Invoke-CIPPStandardDeletedUserRentention {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set deleted user rentention of OneDrive to 1 year: $($_.exception.message)" -sev Error
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
 if ($CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays -eq 365) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deleted user rentention of OneDrive is set to 1 year' -sev Info
@@ -22,7 +23,7 @@ function Invoke-CIPPStandardDeletedUserRentention {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deleted user rentention of OneDrive is not set to 1 year' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 if ($CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays -eq 365) {
 $CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays = $true
 } else {
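Review bot: The report branch on the new `if ($Settings.report)` line reads `$CurrentInfo`, but in this file `$CurrentInfo` is assigned only inside the alert branch (`$CurrentInfo = New-GraphGetRequest ...` in the previous hunk), so a tenant with report enabled and alert disabled compares `$null -eq 365`, records the standard as not met, and then errors on the property assignment against `$null`. Move the GET to the top of the function next to `param($Tenant, $Settings)`, as the other standards do with their state lookups. DisableBasicAuthSMTP, DisableGuestDirectory, DisableReshare and DisableSecurityGroupUsers fetch `$CurrentInfo` under the alert gate in the same way and need the same hoist. The function continues past the end of the hunk.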
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1
index 54098dc07098..1037a1ba6a20 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardDisableAddShortcutsToOneDrive {
 Internal
 #>
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 function GetTenantRequestXml {
 return @'
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 $Request = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true }
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled SMTP Basic Authentication' -sev Info
@@ -12,7 +12,8 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication: $($_.exception.message)" -sev Error
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig'
 if ($CurrentInfo.SmtpClientAuthenticationDisabled) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is disabled' -sev Info
@@ -20,7 +21,7 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is not disabled' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 Add-CIPPBPAField -FieldName 'DisableBasicAuthSMTP' -FieldValue [bool]$CurrentInfo.SmtpClientAuthenticationDisabled -StoreAs bool -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
index d1cd1304933f..10d0db61dc70 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardDisableGuestDirectory {
 Internal
 #>
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
@@ -17,7 +17,8 @@ function Invoke-CIPPStandardDisableGuestDirectory {
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
 if ($CurrentInfo.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b') {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest access to directory information is disabled.' -sev Info
@@ -25,7 +26,7 @@ function Invoke-CIPPStandardDisableGuestDirectory {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest access to directory information is not disabled.' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 if ($CurrentInfo.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b') {
 $CurrentInfo.guestUserRoleId = $true
 } else {
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
index 6bd48adc9d24..cf2b7e82da55 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
@@ -7,7 +7,7 @@ function Invoke-CIPPStandardDisableGuests {
 $lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o')
 $GraphRequest = New-GraphgetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastSignInDateTime le $lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant | Where-Object { $_.userType -EQ 'Guest' -and $_.AccountEnabled -EQ $true }
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 foreach ($guest in $GraphRequest) {
 New-GraphPostRequest -type Patch -tenantid $tenant -uri "https://graph.microsoft.com/beta/users/$($guest.id)" -body '{"accountEnabled":"false"}'
@@ -18,14 +18,15 @@ function Invoke-CIPPStandardDisableGuests {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests older than 90 days: $($_.exception.message)" -sev Error
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 if ($GraphRequest) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Guests accounts with a login longer than 90 days ago: $($GraphRequest.count)" -sev Alert
 } else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'No guests accounts with a login longer than 90 days ago.' -sev Info
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 Add-CIPPBPAField -FieldName 'DisableGuests' -FieldValue $GraphRequest -StoreAs json -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
index c8931dbdc03c..125025a40b83 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
@@ -6,7 +6,7 @@ function Invoke-CIPPStandardDisableM365GroupUsers {
 param($Tenant, $Settings)
 $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified'
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
 if (!$CurrentState) {
 #if no current configuration is found, we set it to the default template supplied by MS.
@@ -22,7 +22,8 @@ function Invoke-CIPPStandardDisableM365GroupUsers {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating M365 Groups: $($_.exception.message)" -sev 'Error'
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 if ($CurrentState) {
 if (($CurrentState.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value -eq 'false') {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are disabled from creating M365 Groups.' -sev Info
@@ -33,7 +34,7 @@ function Invoke-CIPPStandardDisableM365GroupUsers {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not disabled from creating M365 Groups.' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 if ($CurrentState) {
 if (($CurrentState.values | Where-Object { $_.name -eq 'EnableGroupCreation' }).value -eq 'false') {
 $CurrentState = $true
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1
index 35805fb90a77..2f438e417605 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardDisableReshare {
 Internal
 #>
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
@@ -16,7 +16,8 @@ function Invoke-CIPPStandardDisableReshare {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable guests from resharing files: $($_.exception.message)" -sev Error
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
 if ($CurrentInfo.isResharingByExternalUsersEnabled -eq $false) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guests are not allowed to reshare files' -sev Info
@@ -24,7 +25,7 @@ function Invoke-CIPPStandardDisableReshare {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guests are allowed to reshare files' -sev Alert
 }
 }
- if ($Settings.Report) {
+ if ($Settings.report) {
 Add-CIPPBPAField -FieldName 'DisableReshare' -FieldValue [bool]$CurrentInfo.isResharingByExternalUsersEnabled -StoreAs bool -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
index 5b2869860f4e..75facbab7757 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardDisableSecurityGroupUsers {
 Internal
 #>
 param($Tenant, $Settings)
- If ($Settings.Remediate) {
+ If ($Settings.remediate) {
 try {
@@ -17,7 +17,8 @@ function Invoke-CIPPStandardDisableSecurityGroupUsers {
 }
 }
- if ($Settings.Alert) {
+ if ($Settings.alert) {
+
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
 if ($CurrentInfo.defaultUserRolePermissions.allowedToCreateSecurityGroups -eq $false) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not allowed to create Security Groups.' -sev Info
@@ -25,7 +26,7 @@ function Invoke-CIPPStandardDisableSecurityGroupUsers { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are allowed to create Security Groups.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'DisableSecurityGroupUsers' -FieldValue [bool]$CurrentInfo.defaultUserRolePermissions.allowedToCreateSecurityGroups -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 index 63e7bf8d949e..77e7295aaca8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardDisableSharedMailbox { #> param($Tenant, $Settings) $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($Tenant)/Mailbox?`$filter=ExchangeUserAccountControl ne 'accountdisabled'" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' }) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $SharedMailboxList | ForEach-Object { New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/users/$($_.ObjectKey)" -type 'PATCH' -body '{"accountEnabled":"false"}' -tenantid $tenant 
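Review bot: The remediation PATCH in the DisableSharedMailbox hunk sends `'{"accountEnabled":"false"}'`, a JSON string, where Graph's `accountEnabled` is a boolean; the other standards in this diff send an unquoted boolean (`'{"isSiteCreationEnabled": false}'`, `{"allowedToCreateTenants":false}`), so this should be `'{"accountEnabled":false}'` rather than relying on server-side coercion. The `ForEach-Object` block this call sits in continues past the hunk.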
@@ -15,14 +15,15 @@ function Invoke-CIPPStandardDisableSharedMailbox { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable AAD accounts for shared mailboxes. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($SharedMailboxList) { Write-LogMessage -API 'Standards' -tenant $tenant -message "Shared mailboxes with enabled accounts: $($SharedMailboxList.count)" -sev Alert } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'No AAD accounts enables for shared mailboxes.' -sev Info } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'DisableSharedMailbox' -FieldValue $SharedMailboxList -StoreAs json -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 index d53ff9bae502..55cde0260efc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardDisableTenantCreation { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $body = '{"defaultUserRolePermissions":{"allowedToCreateTenants":false}}' (New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $body -ContentType 'application/json') 
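Review bot: The DisableSharedMailbox alert and report hunks reuse `$SharedMailboxList`, which is fetched before `If ($Settings.remediate)`, so when remediation and alerting are both enabled the alert reports the accounts that were just disabled as still enabled and the BPA field records the pre-remediation state. Re-querying after remediation, or narrowing the list to the entries whose PATCH failed, would make the alert reflect the post-remediation state; EnableOnlineArchiving (`$MailboxesNoArchive`), PasswordExpireDisabled (`$GraphRequest`), RotateDKIM (`$DKIM`) and the `$CurrentInfo`/`$State` snapshots taken before the remediate block in DisableViva, NudgeMFA, OauthConsent, OauthConsentLowSec, SecurityDefaults and the two PW* standards have the same ordering. The Info message `'No AAD accounts enables for shared mailboxes.'` should read `enabled`.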
@@ -13,7 +13,8 @@ function Invoke-CIPPStandardDisableTenantCreation { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from creating tenants: $($_.exception.message)" -sev 'Error' } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant if ($CurrentInfo.defaultUserRolePermissions.allowedToCreateTenants -eq $false) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not allowed to create tenants.' -sev Info @@ -21,7 +22,7 @@ function Invoke-CIPPStandardDisableTenantCreation { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are allowed to create tenants.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'DisableTenantCreation' -FieldValue [bool]$CurrentInfo.defaultUserRolePermissions.allowedToCreateTenants -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 index f62fe9e589cb..3943cbc38d43 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardDisableUserSiteCreate { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $body = '{"isSiteCreationEnabled": false}' New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' 
@@ -13,7 +13,8 @@ function Invoke-CIPPStandardDisableUserSiteCreate { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable standard users from creating sites: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true if ($CurrentInfo.isSiteCreationEnabled -eq $false) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standard users are not allowed to create sites' -sev Info @@ -21,7 +22,7 @@ function Invoke-CIPPStandardDisableUserSiteCreate { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standard users are allowed to create sites' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'DisableUserSiteCreate' -FieldValue [bool]$CurrentInfo.isSiteCreationEnabled -StoreAs bool -Tenant $tenant } } \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 index fafb3c26f4a9..3c7332d68d7c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardDisableViva { #> param($Tenant, $Settings) $currentsetting = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$tenant/settings/peopleInsights" -tenantid $Tenant -AsApp $true - If ($Settings.Remediate) { + If ($Settings.remediate) { try { New-GraphPOSTRequest -Uri "https://graph.microsoft.com/beta/organization/$tenant/settings/peopleInsights" -tenantid $Tenant -AsApp $true -Type PATCH -Body '{"isEnabledInOrganization": false}' -ContentType 'application/json' Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled Viva insights' -sev Info 
@@ -14,14 +14,15 @@ function Invoke-CIPPStandardDisableViva { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Viva for all users Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($currentsetting.isEnabled -eq $false) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Viva is disabled' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Viva is not disabled' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'DisableViva' -FieldValue [bool]$currentsetting.isEnabled -StoreAs bool -Tenant $tenant } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 index 9175281de0ef..229db4b77171 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 @@ -6,7 +6,7 @@ function Invoke-CIPPStandardEnableAppConsentRequests { param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { try { # Get current state 
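Review bot: The DisableViva alert and report hunks read `$currentsetting.isEnabled`, while the remediation PATCH in the preceding hunk writes `isEnabledInOrganization`; unless the GET response exposes both names, `.isEnabled` is `$null`, the Alert message always fires and `[bool]$currentsetting.isEnabled` records `$false` regardless of the real state. Comparing `$currentsetting.isEnabledInOrganization -eq $false` in both branches keeps the check on the property the standard actually manages.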
@@ -64,14 +64,15 @@ function Invoke-CIPPStandardEnableAppConsentRequests { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable App consent admin requests. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($CurrentInfo.isEnabled -eq 'true') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'App consent admin requests are enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'App consent admin requests are disabled' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'EnableAppConsentAdminRequests' -FieldValue [bool]$CurrentInfo.isEnabled -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 index e22b4bc475c7..1c7ff1337f4e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardEnableFIDO2 { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { @@ -16,7 +16,8 @@ function Invoke-CIPPStandardEnableFIDO2 { } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Fido2' -tenantid $Tenant if ($CurrentInfo.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'FIDO2 Support is enabled' -sev Info @@ -24,7 +25,7 @@ function Invoke-CIPPStandardEnableFIDO2 { Write-LogMessage -API 'Standards' -tenant $tenant -message 'FIDO2 Support is not enabled' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'EnableFIDO2' -FieldValue [bool]$CurrentInfo.state -StoreAs bool -Tenant $tenant } } 
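Review bot: `if ($CurrentInfo.isEnabled -eq 'true')` in the EnableAppConsentRequests alert hunk compares a boolean property with a string and only works because PowerShell coerces the right-hand side to `$true`; `if ($CurrentInfo.isEnabled -eq $true)` states the intent directly and matches the `[bool]$CurrentInfo.isEnabled` used by the report branch below it.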
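Review bot: In the EnableFIDO2 report hunk, `-FieldValue [bool]$CurrentInfo.state` casts the string `state` (compared with `'enabled'` a few lines earlier), and any non-empty string, including `'disabled'`, casts to `$true`, so the BPA field reports FIDO2 as enabled whenever the policy object exists. `-FieldValue ($CurrentInfo.state -eq 'enabled')` records the actual state, the way the NudgeMFA and PWcompanionAppAllowedState report branches do with their `$actualstate`/`$authstate` variables. `$CurrentInfo` is also assigned only inside the alert branch here, so this line reads `$null` when only `report` is enabled.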
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 index e044d233a0e2..fef78e2521a7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardEnableOnlineArchiving { #> param($Tenant, $Settings) $MailboxesNoArchive = (New-ExoRequest -tenantid $tenant -cmdlet 'get-mailbox' -cmdparams @{ Filter = 'ArchiveGuid -Eq "00000000-0000-0000-0000-000000000000" -AND RecipientTypeDetails -Eq "UserMailbox"' }) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { @@ -18,14 +18,15 @@ function Invoke-CIPPStandardEnableOnlineArchiving { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to Enable Online Archiving for all accounts Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($MailboxesNoArchive) { Write-LogMessage -API 'Standards' -tenant $tenant -message "Mailboxes without Online Archiving: $($MailboxesNoArchive.count)" -sev Alert } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'All mailboxes have Online Archiving enabled' -sev Info } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'EnableOnlineArchiving' -FieldValue $MailboxesNoArchive -StoreAs json -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 index b03b0ba33275..066dbf59af17 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardExConnector { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { $ConfigTable = Get-CippTable -tablename 'standards' $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExConnector diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 index 535459832a0c..7d52d6c4eb74 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardExcludedfileExt { #> param($Tenant, $Settings) $Exts = $Settings.ext -split ',' - If ($Settings.Remediate) { + If ($Settings.remediate) { try { @@ -16,7 +16,8 @@ function Invoke-CIPPStandardExcludedfileExt { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to add $($Settings.ext) to excluded synced files: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true if ($CurrentInfo.excludedFileExtensionsForSyncApp -contains $Exts) { Write-LogMessage -API 'Standards' -tenant $tenant -message "Excluded synced files contains $($Settings.ext)" -sev Info @@ -24,7 +25,7 @@ function Invoke-CIPPStandardExcludedfileExt { Write-LogMessage -API 'Standards' -tenant $tenant -message "Excluded synced files does not contain $($Settings.ext)" -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'ExcludedfileExt' -FieldValue $CurrentInfo.excludedFileExtensionsForSyncApp -StoreAs json -Tenant $tenant } } 
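Review bot: The ExConnector remediate hunk interpolates `$tenant` directly into the OData filter `"PartitionKey eq 'standards' and RowKey eq '$tenant'"`; tenant identifiers come from the tenant list rather than from request input, but a value containing a single quote would break the filter, so doubling quotes first (`$SafeTenant = $tenant -replace "'", "''"`) keeps the query well-formed. GroupTemplate and IntuneTemplate start the same `Get-CippTable -tablename 'standards'` lookup in their hunks and presumably build the same filter below them.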
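Review bot: In the ExcludedfileExt alert hunk, `$CurrentInfo.excludedFileExtensionsForSyncApp -contains $Exts` tests the whole `$Exts` array (from `$Settings.ext -split ','`) as a single value, so with more than one extension configured the check fails and the Alert message fires even when every extension is already excluded. Checking each entry instead, e.g. `$Missing = $Exts | Where-Object { $CurrentInfo.excludedFileExtensionsForSyncApp -notcontains $_ }` and alerting when `$Missing` is non-empty, also lets the message name the extensions that are actually missing.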
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 index 84ccd587db0e..e7b31b2cb288 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardGroupTemplate { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { $ConfigTable = Get-CippTable -tablename 'standards' diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 index 86665c271868..40a9d962dd4a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardIntuneTemplate { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { $ConfigTable = Get-CippTable -tablename 'standards' diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 index e37b4818038c..73e59b351a78 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 @@ -6,7 +6,7 @@ function Invoke-CIPPStandardMailContacts { param($Tenant, $Settings) $TenantID = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/organization' -tenantid $tenant) - If ($Settings.Remediate) { + If ($Settings.remediate) { $contacts = $settings try { 
@@ -24,7 +24,8 @@ function Invoke-CIPPStandardMailContacts { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set contact emails: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -tenantid $Tenant if ($CurrentInfo.marketingNotificationEmails -eq $Contacts.MarketingContact) { Write-LogMessage -API 'Standards' -tenant $tenant -message "Marketing contact email is set to $($Contacts.MarketingContact)" -sev Info @@ -47,7 +48,7 @@ function Invoke-CIPPStandardMailContacts { Write-LogMessage -API 'Standards' -tenant $tenant -message "General contact email is not set to $($Contacts.GeneralContact)" -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'MailContacts' -FieldValue $CurrentInfo -StoreAs json -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 index 7816ac5bfddc..51c25c4da8b9 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardModernAuth.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardModernAuth { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Modern Authentication is enabled by default. This standard is no longer required.' -sev Info } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 index c841dbad5b89..63a60fcad31d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 
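Review bot: The MailContacts alert hunk compares against `$Contacts.MarketingContact` (and, past the hunk, `$Contacts.GeneralContact`), but `$contacts = $settings` is assigned only inside `If ($Settings.remediate)` in the previous hunk, so with only `alert` enabled every comparison is against `$null` and each contact is reported as not set. Assigning `$Contacts = $Settings` before the remediate block, next to `$TenantID`, resolves it.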
@@ -6,7 +6,7 @@ function Invoke-CIPPStandardNudgeMFA { param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { $status = if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Nudge MFA setting' -sev Error Exit @@ -20,14 +20,15 @@ function Invoke-CIPPStandardNudgeMFA { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to $status Authenticator App Nudge: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($CurrentInfo.registrationEnforcement.authenticationMethodsRegistrationCampaign.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Authenticator App Nudge is enabled' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Authenticator App Nudge is not enabled' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($CurrentInfo.registrationEnforcement.authenticationMethodsRegistrationCampaign.state -eq 'enabled') { $actualstate = $true } else { $actualstate = $false } Add-CIPPBPAField -FieldName 'NudgeMFA' -FieldValue [bool]$actualstate -StoreAs bool -Tenant $tenant } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 index 265a334c1de3..a3ecdb371327 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 
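Review bot: `Exit` in the NudgeMFA remediate hunk terminates the whole PowerShell session when both `enable` and `disable` are set, not just this standard, so in a function host it aborts every other standard processed in the same invocation; after the `Write-LogMessage` error a `return` leaves the function and lets the caller continue. The `$status = if (...)` assignment that contains the `Exit` continues past the hunk.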
@@ -6,7 +6,7 @@ function Invoke-CIPPStandardOauthConsent { param($tenant, $settings) { $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) - If ($Settings.Remediate) { + If ($Settings.remediate) { $AllowedAppIdsForTenant = $Settings.AllowedApps -split ',' try { if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('ManagePermissionGrantsForSelf.cipp-1sent-policy')) { @@ -34,14 +34,15 @@ function Invoke-CIPPStandardOauthConsent { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.cipp-consent-policy') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.cipp-consent-policy') { $UserQuota = $true } else { $UserQuota = $false } Add-CIPPBPAField -FieldName 'OauthConsent' -FieldValue [bool]$UserQuota -StoreAs bool -Tenant $tenant } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 index dbfe864a9fe4..e0f627a41ddc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 
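Review bot: The OauthConsent hunks compare `permissionGrantPolicyIdsAssignedToDefaultUserRole` against two different ids: the remediate guard uses `'ManagePermissionGrantsForSelf.cipp-1sent-policy'` while the alert and report branches use `'managePermissionGrantsForSelf.cipp-consent-policy'`, so whichever id is correct, one branch is checking the wrong policy (if the alert id is right, the remediate guard never matches and the policy is re-applied on every run). Holding the id in one variable, `$PolicyId = 'managePermissionGrantsForSelf.cipp-consent-policy'`, and using it in all three places removes the drift. The context line `param($tenant, $settings) {` also carries a stray `{` after the param block; if it pairs with a closing brace later in the file, the function body becomes an un-invoked script block, which is worth verifying outside this hunk.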
@@ -5,7 +5,7 @@ function Invoke-CIPPStandardOauthConsentLowSec { #> param($Tenant, $Settings) $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) { Write-Host 'Going to set' @@ -16,14 +16,15 @@ function Invoke-CIPPStandardOauthConsentLowSec { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Application Consent Mode (microsoft-user-default-low) Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is not enabled.' -sev Alert } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is enabled.' -sev Info } } - if ($Settings.Report) { + if ($Settings.report) { if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) { $State.permissionGrantPolicyIdsAssignedToDefaultUserRole = $false } else { diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 index 294d5be40f17..307ebdfada1c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 
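Review bot: The OauthConsentLowSec report hunk writes the derived boolean back into the Graph response (`$State.permissionGrantPolicyIdsAssignedToDefaultUserRole = $false`) instead of a local, overloading the response object with a value of a different type; OauthConsent's report branch uses a separate `$UserQuota` variable for the same purpose, and `$LowSecEnabled = $State.permissionGrantPolicyIdsAssignedToDefaultUserRole -in @('managePermissionGrantsForSelf.microsoft-user-default-low')` would do the same here in one line. The if/else performing the assignment continues past the hunk.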
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardOutBoundSpamAlert { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { $Contacts = $settings.OutboundSpamContact try { New-ExoRequest -tenantid $tenant -cmdlet 'Set-HostedOutboundSpamFilterPolicy' -cmdparams @{ Identity = 'Default'; NotifyOutboundSpam = $true; NotifyOutboundSpamRecipients = $Contacts.OutboundSpamContact } -useSystemMailbox $true @@ -13,7 +13,8 @@ function Invoke-CIPPStandardOutBoundSpamAlert { Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set outbound spam contact to $($Contacts.OutboundSpamContact). $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-HostedOutboundSpamFilterPolicy' -useSystemMailbox $true if ($CurrentInfo.NotifyOutboundSpam -eq $true) { Write-LogMessage -API 'Standards' -tenant $tenant -message "Outbound spam filter alert is set to $($CurrentInfo.NotifyOutboundSpamRecipients)" -sev Info @@ -21,7 +22,7 @@ function Invoke-CIPPStandardOutBoundSpamAlert { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Outbound spam filter alert is not set' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'OutboundSpamAlert' -FieldValue [bool]$CurrentInfo.NotifyOutboundSpam -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 index 28fcadaa1bef..2cd6cb851ba7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 
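Review bot: In the OutBoundSpamAlert remediate hunk, `$Contacts = $settings.OutboundSpamContact` followed by `NotifyOutboundSpamRecipients = $Contacts.OutboundSpamContact` dereferences the property twice, so unless the setting value is itself an object carrying an `OutboundSpamContact` member the recipients list passed to `Set-HostedOutboundSpamFilterPolicy` is `$null`, and the error message that interpolates `$($Contacts.OutboundSpamContact)` prints empty. Either `$Contacts = $Settings`, matching `$contacts = $settings` in MailContacts, or `NotifyOutboundSpamRecipients = $Contacts` resolves it.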
@@ -5,7 +5,7 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState { #> param($Tenant, $Settings) $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type GET) - If ($Settings.Remediate) { + If ($Settings.remediate) { $Setting = $Settings try { # Get current state of microsoftAuthenticator policy @@ -31,14 +31,15 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable companionAppAllowedState. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($authenticatorFeaturesState.featureSettings.companionAppAllowedState.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'companionAppAllowedState is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'companionAppAllowedState is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($authenticatorFeaturesState.featureSettings.companionAppAllowedState.state -eq 'enabled') { $authstate = $true } else { $authstate = $false } Add-CIPPBPAField -FieldName 'companionAppAllowedState' -FieldValue [bool]$authstate -StoreAs bool -Tenant $tenant } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 index e79f6b35b9fe..aecda655774b 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 
@@ -6,7 +6,7 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState { param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $body = @' {"@odata.type":"#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration","id":"MicrosoftAuthenticator","includeTargets":[{"id":"all_users","isRegistrationRequired":false,"targetType":"group","authenticationMode":"any"}],"excludeTargets":[],"state":"enabled","isSoftwareOathEnabled":false,"featureSettings":{"displayLocationInformationRequiredState":{"state":"enabled","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}},"displayAppInformationRequiredState":{"state":"enabled","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}},"companionAppAllowedState":{"state":"default","includeTarget":{"id":"all_users","targetType":"group","displayName":"All users"}}}} 
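Review bot: The PWdisplayAppInformationRequiredState remediate hunk PATCHes a complete `microsoftAuthenticator` configuration rather than only `displayAppInformationRequiredState`, so it also resets `includeTargets` to all users, clears `excludeTargets`, sets `isSoftwareOathEnabled` to false and sets `companionAppAllowedState` to `default`, which undoes what the PWcompanionAppAllowedState standard in this same diff enables when both are applied to a tenant. Sending only the `featureSettings.displayAppInformationRequiredState` object, or taking `$CurrentInfo` (fetched just above) and patching a modified copy of it, keeps the standard scoped to its own setting. The here-string body continues past the hunk.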
@@ -17,14 +17,15 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable passwordless with Information and Number Matching. Error: $($_.exception.message)" -sev 'Error' } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($CurrentInfo.featureSettings.displayAppInformationRequiredState.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($CurrentInfo.featureSettings.displayAppInformationRequiredState.state -eq 'enabled') { $authstate = $true } else { $authstate = $false } Add-CIPPBPAField -FieldName 'PWdisplayAppInformationRequiredState' -FieldValue [bool]$authstate -StoreAs bool -Tenant $tenant } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 index e043c04b45bd..3788a12d72b9 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardPasswordExpireDisabled { #> param($Tenant, $Settings) $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $GraphRequest | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object { New-GraphPostRequest -type Patch -tenantid $Tenant -uri "https://graph.microsoft.com/beta/domains/$($_.id)" -body '{"passwordValidityPeriodInDays": 2147483647 }' 
@@ -15,12 +15,13 @@ function Invoke-CIPPStandardPasswordExpireDisabled { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Password Expiration. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $GraphRequest | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' | ForEach-Object { Write-LogMessage -API 'Standards' -tenant $tenant -message "Password Expiration is not disabled for $($_.name)" -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { $DomainswithoutPassExpire = $GraphRequest | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' Add-CIPPBPAField -FieldName 'PasswordExpireDisabled' -FieldValue $DomainswithoutPassExpire -StoreAs json -Tenant $tenant diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 index bfeecddf752a..2ce2937ab173 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardRotateDKIM { #> param($Tenant, $Settings) $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -EQ 1024 -and $_.Enabled -eq $true } - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $DKIM | ForEach-Object { (New-ExoRequest -tenantid $tenant -cmdlet 'Rotate-DkimSigningConfig' -cmdparams @{ KeySize = 2048; Identity = $_.Identity } -useSystemMailbox $true) 
@@ -16,12 +16,13 @@ function Invoke-CIPPStandardRotateDKIM { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to rotate DKIM Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $DKIM | ForEach-Object { Write-LogMessage -API 'Standards' -tenant $tenant -message "DKIM is not rotated for $($_.Identity)" -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIM -StoreAs json -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 index c08b6b0f0200..a0cb61fa8e64 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardSafeSendersDisable { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' | ForEach-Object { try { diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 index fe092608e3aa..5d2c0c9c26f7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardSecurityDefaults { #> param($Tenant, $Settings) $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { if ($SecureDefaultsState.IsEnabled -ne $true) { Write-Host "Secure Defaults is disabled. Enabling for $tenant" -ForegroundColor Yellow 
@@ -17,14 +17,15 @@ function Invoke-CIPPStandardSecurityDefaults { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Security Defaults Error: $($_.exception.message)" -sev 'Error' } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($SecureDefaultsState.IsEnabled -eq $true) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Security Defaults is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Security Defaults is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'SecurityDefaults' -FieldValue [bool]$SecureDefaultsState.IsEnabled -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 index 15a3f40a0d78..cd4972866185 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardSendFromAlias { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $AdminAuditLogParams = @{ SendFromAliasEnabled = $true @@ -16,7 +16,8 @@ function Invoke-CIPPStandardSendFromAlias { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to apply Send from Alias Standard. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig') if ($CurrentInfo.SendFromAliasEnabled -eq $true) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Send from alias is enabled.' -sev Info 
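Review bot: `Add-CIPPBPAField -FieldName 'SecurityDefaults' -FieldValue [bool]$SecureDefaultsState.IsEnabled -StoreAs bool ...` in the report branch does not cast: in PowerShell's argument mode a leading `[bool]` is literal text, so the parameter receives the string `[bool]True` (or just `[bool]` when the property is empty) rather than a boolean. Wrap the expression so it is parsed in expression mode, `-FieldValue ([bool]$SecureDefaultsState.IsEnabled)`; whether `-StoreAs bool` later coerces the string back is not visible here. The same unparenthesised cast is passed in SendFromAlias, SpoofWarn, allowOTPTokens, disableMacSync, intuneDeviceReg, intuneDeviceRetirementDays, intuneRequireMFA and laps.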
@@ -24,7 +25,7 @@ function Invoke-CIPPStandardSendFromAlias { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Send from alias is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'SendFromAlias' -FieldValue [bool]$CurrentInfo.SendFromAliasEnabled -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 index 15f299afeeac..1bd675bbfc71 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardSendReceiveLimitTenant { #> param($Tenant, $Settings) $AllMailBoxPlans = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxPlan' | Select-Object DisplayName, MaxSendSize, MaxReceiveSize, GUID - If ($Settings.Remediate) { + If ($Settings.remediate) { $Limits = $Settings.SendReceiveLimit if ($Limits[0] -like '*MB*') { $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1MB @@ -41,14 +41,15 @@ function Invoke-CIPPStandardSendReceiveLimitTenant { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set the tenant send and receive limits. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + foreach ($MailboxPlan in $AllMailBoxPlans) { if ($MailboxPlan.MaxSendSize -ne $MaxSendSize -and $MailboxPlan.MaxReceiveSize -ne $MaxReceiveSize) { Write-LogMessage -API 'Standards' -tenant $tenant -message "The tenant send and receive limits are not set correctly for $($MailboxPlan.DisplayName)" -sev Alert } } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'SendReceiveLimit' -FieldValue $AllMailBoxPlans -StoreAs json -Tenant $tenant } } 
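Review bot: The report branch `Add-CIPPBPAField -FieldName 'SendFromAlias' -FieldValue [bool]$CurrentInfo.SendFromAliasEnabled ...` reads `$CurrentInfo`, but that variable is only assigned inside the `if ($Settings.alert)` block in the previous hunk, so a tenant with report enabled and alert disabled stores a field derived from an unset variable. Move `$CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig')` out of the alert block so it runs before both `if ($Settings.alert)` and `if ($Settings.report)`. The same alert-only fetch feeding the report branch appears in SpoofWarn, disableMacSync, intuneDeviceRetirementDays, sharingCapability and unmanagedSync.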
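Review bot: The alert condition `if ($MailboxPlan.MaxSendSize -ne $MaxSendSize -and $MailboxPlan.MaxReceiveSize -ne $MaxReceiveSize)` compares against `$MaxSendSize`/`$MaxReceiveSize`, which the visible hunks only assign inside the remediate branch (`$MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1MB`), so with alert enabled and remediate disabled every plan is compared against `$null` and alerts. Derive the limits from `$Settings.SendReceiveLimit` before the remediate block so all three branches share them. The `-and` also means a plan whose send limit alone is wrong never alerts; `-or` looks like the intended semantics given the message text, but that is an inference.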
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 index 647083276cc4..4b8d790f7dcf 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardSpoofWarn { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { $status = if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the Spoof Warnings setting' -sev Error Exit @@ -17,7 +17,8 @@ function Invoke-CIPPStandardSpoofWarn { Write-LogMessage -API 'Standards' -tenant $tenant -message "Could not set spoofing warnings to $status. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ExternalInOutlook') if ($CurrentInfo.Enabled -eq $true) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Spoofing warnings are enabled.' -sev Info @@ -25,7 +26,7 @@ function Invoke-CIPPStandardSpoofWarn { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Spoofing warnings are not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'SpoofingWarnings' -FieldValue [bool]$CurrentInfo.Enabled -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 index 3257cd5b7b92..b8af7edcd5a6 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 
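Review bot: The `Exit` in the conflicting-settings branch (`$status = if ($Settings.enable -and $Settings.disable) { Write-LogMessage ... ; Exit`) ends the calling PowerShell session rather than just this standard, so one tenant with contradictory settings can stop the whole standards run for the remaining tenants; `return` after the log message would confine the effect to this function. The same `Exit` appears in the remediate branch of Invoke-CIPPStandardUserSubmissions. How much the host tolerates depends on how the standards runner invokes these functions, which is outside the hunk.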
@@ -6,7 +6,7 @@ function Invoke-CIPPStandardTAP { param($Tenant, $Settings) $CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass' -tenantid $Tenant) - If ($Settings.Remediate) { + If ($Settings.remediate) { $TAPConfig = $Settings.Config if (!$TAPConfig) { $TAPConfig = 'true' } @@ -34,14 +34,15 @@ function Invoke-CIPPStandardTAP { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable TAP. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($CurrentInfo.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Temporary Access Passwords is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Temporary Access Passwords is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($CurrentInfo.state -eq 'enabled') { $CurrentInfo.state = $true } else { diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 index 062b64cb8f55..6cc02551e5f3 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardTransportRuleTemplate { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 index b97dd6850339..1098903a7c74 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardUndoOauth { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type PATCH -Body '{"permissionGrantPolicyIdsAssignedToDefaultUserRole":["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}' -ContentType 'application/json' diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 index 819742a0031b..8c89559e8c23 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoSSPR.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardUndoSSPR { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'The standard for SSPR is no longer supported.' -sev Error } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 index 80cba1b41c4b..f7a5ff7aa040 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardUserSubmissions { #> param($Tenant, $Settings) $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy' - If ($Settings.Remediate) { + If ($Settings.remediate) { if ($Settings.enable -and $Settings.disable) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'You cannot both enable and disable the User Submission policy' -sev Error Exit 
@@ -38,7 +38,8 @@ function Invoke-CIPPStandardUserSubmissions { } } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($Policy.length -eq 0) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'User Submission policy is not set.' -sev Alert } else { @@ -49,7 +50,7 @@ function Invoke-CIPPStandardUserSubmissions { } } } - if ($Settings.Report) { + if ($Settings.report) { if ($Policy.length -eq 0) { Add-CIPPBPAField -FieldName 'UserSubmissionPolicy' -FieldValue $false -StoreAs bool -Tenant $tenant } else { diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 index faf65b90fbf4..00be3942e2db 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardallowOAuthTokens { #> param($Tenant, $Settings) $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $CurrentInfo.state = 'enabled' @@ -17,14 +17,15 @@ function Invoke-CIPPStandardallowOAuthTokens { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable software OTP/oAuth tokens. Error: $($_.exception.message)" -sev 'Error' } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($CurrentInfo.state -eq 'enabled') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'software OTP/oAuth tokens is enabled' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'software OTP/oAuth tokens is not enabled' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($CurrentInfo.state -eq 'enabled') { $CurrentInfo.state = $true } else { 
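Review bot: After remediation the alert and report branches of Invoke-CIPPStandardallowOAuthTokens no longer observe tenant state: the remediate branch sets `$CurrentInfo.state = 'enabled'` on the locally held object before the request that follows (not in the hunk), and `if ($CurrentInfo.state -eq 'enabled')` then tests that same local value, so a failed request (caught and logged just above) still produces an 'enabled' alert and a `$true` BPA value. Re-read the policy after remediation, or evaluate alert/report from a copy taken before the assignment. The same mutate-then-check pattern appears in intuneDeviceReg (`$PreviousSetting.userDeviceQuota = $Settings.max`), intuneRequireMFA and laps (`$previoussetting.localadminpassword.isEnabled = $true`).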
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 index 780eaf6ebd80..c7a5958a45d8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 @@ -6,7 +6,7 @@ function Invoke-CIPPStandardallowOTPTokens { param($Tenant, $Settings) $CurrentInfo = new-graphgetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $CurrentInfo.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState') @@ -19,14 +19,15 @@ function Invoke-CIPPStandardallowOTPTokens { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable MS authenticator OTP/oAuth tokens. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($CurrentInfo.isSoftwareOathEnabled) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'MS authenticator OTP/oAuth tokens is enabled' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'MS authenticator OTP/oAuth tokens is not enabled' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'MSAuthenticator' -FieldValue [bool]$CurrentInfo.isSoftwareOathEnabled -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 index 3609bef5b474..f78abc26cb36 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 
@@ -4,7 +4,7 @@ function Invoke-CIPPStandardcalDefault { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'get-mailbox' foreach ($Mailbox in $Mailboxes) { try { diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 index 37d459dc4028..41cd85e43c53 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandarddisableMacSync { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { @@ -15,7 +15,8 @@ function Invoke-CIPPStandarddisableMacSync { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Mac OneDrive Sync: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true if ($CurrentInfo.isMacSyncAppEnabled -eq $false) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Mac OneDrive Sync is disabled' -sev Info @@ -23,7 +24,7 @@ function Invoke-CIPPStandarddisableMacSync { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Mac OneDrive Sync is not disabled' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'MacSync' -FieldValue [bool]$CurrentInfo.isMacSyncAppEnabled -StoreAs bool -Tenant $tenant } } \ No newline at end of file diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 index 28506c97a53b..3ccf767f2525 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardfwdAdminAlerts.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardfwdAdminAlerts { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { #This isn't done yet. } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 index 8d773b83e9e0..6d2ece082f77 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 @@ -6,7 +6,7 @@ function Invoke-CIPPStandardintuneDeviceReg { param($Tenant, $Settings) $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $PreviousSetting.userDeviceQuota = $Settings.max $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting @@ -16,14 +16,15 @@ function Invoke-CIPPStandardintuneDeviceReg { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set user device quota to $($Settings.max) : $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($PreviousSetting.userDeviceQuota -eq $Settings.max) { Write-LogMessage -API 'Standards' -tenant $tenant -message "User device quota is set to $($Settings.max)" -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message "User device quota is not set to $($Settings.max)" -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($PreviousSetting.userDeviceQuota -eq $Settings.max) { $UserQuota = $true } else { $UserQuota = $false } Add-CIPPBPAField -FieldName 'intuneDeviceReg' -FieldValue [bool]$UserQuota -StoreAs bool -Tenant $tenant } 
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 index 9f5159fc2cdb..502be8862b12 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardintuneDeviceRetirementDays { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $body = @{ DeviceInactivityBeforeRetirementInDays = $Settings.days } | ConvertTo-Json @@ -14,7 +14,8 @@ function Invoke-CIPPStandardintuneDeviceRetirementDays { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable DeviceInactivityBeforeRetirementInDays. Error: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -tenantid $Tenant) if ($CurrentInfo.DeviceInactivityBeforeRetirementInDays -eq $Settings.days) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'DeviceInactivityBeforeRetirementInDays is enabled.' -sev Info @@ -22,7 +23,7 @@ function Invoke-CIPPStandardintuneDeviceRetirementDays { Write-LogMessage -API 'Standards' -tenant $tenant -message 'DeviceInactivityBeforeRetirementInDays is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($PreviousSetting.DeviceInactivityBeforeRetirementInDays -eq $Settings.days) { $UserQuota = $true } else { $UserQuota = $false } Add-CIPPBPAField -FieldName 'intuneDeviceRetirementDays' -FieldValue [bool]$UserQuota -StoreAs bool -Tenant $tenant 
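Review bot: The value fetched here as `$CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -tenantid $Tenant)` is tested in the following report hunk as `if ($PreviousSetting.DeviceInactivityBeforeRetirementInDays -eq $Settings.days)`, and nothing in the visible hunks assigns `$PreviousSetting`, so the comparison is against `$null` and the 'intuneDeviceRetirementDays' BPA field is always `$false`. Change the report line to `if ($CurrentInfo.DeviceInactivityBeforeRetirementInDays -eq $Settings.days)` and move the fetch above the alert block so it is populated when only report is enabled. The `$UserQuota` local name looks copied from the device-quota standard; a name such as `$RetirementDaysOk` would read better.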
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 index 19986a31a363..b4a51c61d070 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 @@ -6,7 +6,7 @@ function Invoke-CIPPStandardintuneRequireMFA { param($Tenant, $Settings) $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $PreviousSetting.multiFactorAuthConfiguration = '1' $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting @@ -16,14 +16,15 @@ function Invoke-CIPPStandardintuneRequireMFA { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set require to use MFA when joining Intune Devices: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($PreviousSetting.multiFactorAuthConfiguration -eq 'required') { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Require to use MFA when joining Intune Devices is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Require to use MFA when joining Intune Devices is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($PreviousSetting.multiFactorAuthConfiguration -eq 'required') { $UserQuota = $true } else { $UserQuota = $false } Add-CIPPBPAField -FieldName 'intuneRequireMFA' -FieldValue [bool]$UserQuota -StoreAs bool -Tenant $tenant } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 index 3c2235aba183..7ae60c772a41 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 
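Review bot: The remediate branch writes `$PreviousSetting.multiFactorAuthConfiguration = '1'` while the alert and report branches test `-eq 'required'`, so in a run where remediation executes the alert always logs 'not enabled' and the BPA value is `$false` regardless of whether the PATCH succeeded, because both branches check the mutated local object rather than the tenant. Either compare against the same value the remediation writes or re-read the policy after the PATCH. Which of `'1'` or `'required'` Graph actually returns for this field is not visible here and should be confirmed against the API.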
@@ -6,7 +6,7 @@ function Invoke-CIPPStandardlaps { param($Tenant, $Settings) $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $previoussetting.localadminpassword.isEnabled = $true @@ -17,14 +17,15 @@ function Invoke-CIPPStandardlaps { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set LAPS: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + if ($PreviousSetting.localadminpassword.isEnabled -eq $true) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'LAPS is enabled.' -sev Info } else { Write-LogMessage -API 'Standards' -tenant $tenant -message 'LAPS is not enabled.' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'laps' -FieldValue [bool]$PreviousSetting.localadminpassword.isEnabled -StoreAs bool -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 index 10dd2a7c43fc..02be3ce67a98 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardsharingCapability { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Settings.Level)`"}" -ContentType 'application/json' Write-LogMessage -API 'Standards' -tenant $tenant -message "Set sharing level to $($Settings.level)" -sev Info 
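Review bot: The PATCH body in the remediate branch of Invoke-CIPPStandardsharingCapability is built by string interpolation, `-Body "{`"sharingCapability`":`"$($Settings.Level)`"}"`, so a setting value containing a quote or backslash yields invalid JSON or a different document than intended. Build it from a hashtable instead: `-Body (@{ sharingCapability = $Settings.Level } | ConvertTo-Json -Compress)`. The log messages use `$Settings.level` while the body uses `$Settings.Level`; property access is case-insensitive, but one spelling, matching the `$Settings.remediate` style this commit adopts, would be consistent.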
@@ -12,7 +12,8 @@ function Invoke-CIPPStandardsharingCapability { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set sharing level to $($Settings.level): $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true if ($CurrentInfo.sharingCapability -eq $Settings.level) { Write-LogMessage -API 'Standards' -tenant $tenant -message "Sharing level is set to $($Settings.level)" -sev Info @@ -20,7 +21,7 @@ function Invoke-CIPPStandardsharingCapability { Write-LogMessage -API 'Standards' -tenant $tenant -message "Sharing level is not set to $($Settings.level)" -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { Add-CIPPBPAField -FieldName 'sharingCapability' -FieldValue $CurrentInfo.sharingCapability -StoreAs string -Tenant $tenant } } diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 index eaf811fbc967..42261e2b2d86 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 @@ -4,7 +4,7 @@ function Invoke-CIPPStandardunmanagedSync { Internal #> param($Tenant, $Settings) - If ($Settings.Remediate) { + If ($Settings.remediate) { try { $body = '{"isUnmanagedSyncAppForTenantRestricted": false}' New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json' 
@@ -13,7 +13,8 @@ function Invoke-CIPPStandardunmanagedSync { Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Sync for unmanaged devices: $($_.exception.message)" -sev Error } } - if ($Settings.Alert) { + if ($Settings.alert) { + $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true if ($CurrentInfo.isUnmanagedSyncAppForTenantRestricted -eq $false) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sync for unmanaged devices is disabled' -sev Info @@ -21,7 +22,7 @@ function Invoke-CIPPStandardunmanagedSync { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sync for unmanaged devices is not disabled' -sev Alert } } - if ($Settings.Report) { + if ($Settings.report) { if ($CurrentInfo.isUnmanagedSyncAppForTenantRestricted -eq $false) { $CurrentInfo.isUnmanagedSyncAppForTenantRestricted = $true } else { From 77b81fc9dbf8fc7c8035f67c1a00a1796a20f83b Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Sun, 10 Dec 2023 02:33:33 +0100 Subject: [PATCH 63/78] Fixed rare issue with data --- Config/StandardsTable.BPATemplate.json | 90 +++++++++---------- Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 | 6 +- .../Public/Entrypoints/Invoke-ListBPA.ps1 | 2 +- 3 files changed, 49 insertions(+), 49 deletions(-) diff --git a/Config/StandardsTable.BPATemplate.json b/Config/StandardsTable.BPATemplate.json index e55b284d84b5..e565bd9fa347 100644 --- a/Config/StandardsTable.BPATemplate.json +++ b/Config/StandardsTable.BPATemplate.json @@ -4,7 +4,7 @@ "Fields": [ { "name": "ActivityBasedTimeout", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -17,7 +17,7 @@ }, { "name": "softwareOath", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -30,7 +30,7 @@ }, { "name": "MSAuthenticator", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { 
@@ -43,7 +43,7 @@ }, { "name": "AnonReport", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -56,7 +56,7 @@ }, { "name": "AuditLog", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -69,7 +69,7 @@ }, { "name": "AutoExpandingArchive", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -82,7 +82,7 @@ }, { "name": "DelegateSentItems", - "store": "json", + "StoreAs": "json", "UseExistingInfo": true, "FrontendFields": [ { @@ -95,7 +95,7 @@ }, { "name": "DeletedUserRentention", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -108,7 +108,7 @@ }, { "name": "DisableBasicAuthSMTP", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -121,7 +121,7 @@ }, { "name": "DisableGuestDirectory", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -134,7 +134,7 @@ }, { "name": "DisableGuests", - "store": "json", + "StoreAs": "json", "UseExistingInfo": true, "FrontendFields": [ { @@ -147,7 +147,7 @@ }, { "name": "DisableM365GroupUsers", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -160,7 +160,7 @@ }, { "name": "MacSync", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -173,7 +173,7 @@ }, { "name": "DisableReshare", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -186,7 +186,7 @@ }, { "name": "DisableSecurityGroupUsers", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -199,7 +199,7 @@ }, { "name": "DisableSharedMailbox", - "store": "json", + "StoreAs": "json", "UseExistingInfo": true, "FrontendFields": [ { @@ -212,7 +212,7 @@ }, { "name": "DisableTenantCreation", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { 
@@ -225,7 +225,7 @@ }, { "name": "DisableUserSiteCreate", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -238,7 +238,7 @@ }, { "name": "DisableViva", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -251,7 +251,7 @@ }, { "name": "EnableAppConsentAdminRequests", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -264,7 +264,7 @@ }, { "name": "EnableFIDO2", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -277,7 +277,7 @@ }, { "name": "EnableOnlineArchiving", - "store": "json", + "StoreAs": "json", "UseExistingInfo": true, "FrontendFields": [ { @@ -290,7 +290,7 @@ }, { "name": "ExcludedfileExt", - "store": "json", + "StoreAs": "json", "UseExistingInfo": true, "FrontendFields": [ { @@ -303,7 +303,7 @@ }, { "name": "intuneDeviceReg", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -316,7 +316,7 @@ }, { "name": "intuneDeviceRetirementDays", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -329,7 +329,7 @@ }, { "name": "intuneRequireMFA", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -342,7 +342,7 @@ }, { "name": "laps", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -355,7 +355,7 @@ }, { "name": "MailContacts", - "store": "json", + "StoreAs": "json", "UseExistingInfo": true, "FrontendFields": [ { @@ -368,7 +368,7 @@ }, { "name": "NudgeMFA", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -381,7 +381,7 @@ }, { "name": "OauthConsent", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { @@ -394,7 +394,7 @@ }, { "name": "OauthConsentLowSec", - "store": "bool", + "StoreAs": "bool", "UseExistingInfo": true, "FrontendFields": [ { 
@@ -407,7 +407,7 @@
 },
 {
 "name": "OutboundSpamAlert",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -420,7 +420,7 @@
 },
 {
 "name": "PasswordExpireDisabled",
- "store": "json",
+ "StoreAs": "json",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -433,7 +433,7 @@
 },
 {
 "name": "companionAppAllowedState",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -446,7 +446,7 @@
 },
 {
 "name": "PWdisplayAppInformationRequiredState",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -459,7 +459,7 @@
 },
 {
 "name": "DKIM",
- "store": "json",
+ "StoreAs": "json",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -472,7 +472,7 @@
 },
 {
 "name": "SecurityDefaults",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -485,7 +485,7 @@
 },
 {
 "name": "SendFromAlias",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -498,7 +498,7 @@
 },
 {
 "name": "SendReceiveLimit",
- "store": "json",
+ "StoreAs": "json",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -511,7 +511,7 @@
 },
 {
 "name": "sharingCapability",
- "store": "string",
+ "StoreAs": "string",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -524,7 +524,7 @@
 },
 {
 "name": "SpoofingWarnings",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -537,7 +537,7 @@
 },
 {
 "name": "TemporaryAccessPass",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -550,7 +550,7 @@
 },
 {
 "name": "unmanagedSync",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -563,7 +563,7 @@
 },
 {
 "name": "UserSubmissionPolicy",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
@@ -576,7 +576,7 @@
 },
 {
 "name": "UserSubmissionPolicy",
- "store": "bool",
+ "StoreAs": "bool",
 "UseExistingInfo": true,
 "FrontendFields": [
 {
diff --git a/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1 b/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1
index 8a87334367ac..1dd0b8c9d867 100644
--- a/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1
+++ b/Modules/CIPPCore/Public/Add-CIPPBPAField.ps1
@@ -1,6 +1,6 @@
 function Add-CIPPBPAField {
 param (
- $BPAName = 'Standards Report V1.0',
+ $BPAName = 'CIPP Standards v1.0 - Table view',
 $FieldName,
 $FieldValue,
 $StoreAs,
@@ -8,7 +8,7 @@ function Add-CIPPBPAField {
 )
 $Table = Get-CippTable -tablename 'cachebpav2'
 $TenantName = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant
- $CurrentContentsObject = (Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq 'Standards Report V1.0' and PartitionKey eq '$($TenantName.customerId)'")
+ $CurrentContentsObject = (Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$BPAName' and PartitionKey eq '$($TenantName.customerId)'")
 Write-Host "Adding $FieldName to $BPAName for $Tenant. content is $($CurrentContents.RowKey)"
 if ($CurrentContentsObject.RowKey) {
 $CurrentContents = @{}
@@ -20,7 +20,7 @@ function Add-CIPPBPAField {
 $Result = @{
 Tenant = "$($TenantName.displayName)"
 GUID = "$($TenantName.customerId)"
- RowKey = 'Standards Report V1.0'
+ RowKey = $BPAName
 PartitionKey = "$($TenantName.customerId)"
 LastRefresh = [string]$(Get-Date (Get-Date).ToUniversalTime() -UFormat '+%Y-%m-%dT%H:%M:%S.000Z')
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListBPA.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListBPA.ps1
index eea73a9c4b9e..e9f9f9a1fbf4 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListBPA.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListBPA.ps1
@@ -62,7 +62,7 @@ Function Invoke-ListBPA {
 }
 $Results = [PSCustomObject]@{
- Data = $Data
+ Data = @($Data)
 Columns = $Columns
 Style = $Style
 }
From 11db1d6916204ea5576b2eab80a8e019f51e7cdc Mon Sep 17 00:00:00 2001
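Review bot: The changed filter in Add-CIPPBPAField interpolates `$BPAName` straight into the OData expression `"RowKey eq '$BPAName' and PartitionKey eq '$($TenantName.customerId)'"`, and since this commit turns the name from a fixed literal into a caller-supplied parameter, a value containing a single quote now breaks the filter or changes which row is matched. Escape it before interpolation, e.g. `$SafeName = $BPAName -replace "'", "''"` and `-Filter "RowKey eq '$SafeName' and PartitionKey eq '$($TenantName.customerId)'"`. The Write-Host on the next line reads `$CurrentContents.RowKey` before `$CurrentContents` is assigned two lines further down, so it presumably meant `$CurrentContentsObject.RowKey`. The function body continues outside the hunk.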
From: KelvinTegelaar Date: Sun, 10 Dec 2023 04:06:13 +0100 Subject: [PATCH 64/78] default
---
Config/StandardsTable.BPATemplate.json | 85 +++---------------- .../Invoke-CIPPStandardDelegateSentItems.ps1 | 3 +- ...voke-CIPPStandardDeletedUserRentention.ps1 | 4 +- ...voke-CIPPStandardDisableGuestDirectory.ps1 | 3 +- .../Invoke-CIPPStandardDisableGuests.ps1 | 3 +- ...voke-CIPPStandardEnableOnlineArchiving.ps1 | 1 + .../Invoke-CIPPStandardsharingCapability.ps1 | 3 +- 7 files changed, 25 insertions(+), 77 deletions(-)
diff --git a/Config/StandardsTable.BPATemplate.json b/Config/StandardsTable.BPATemplate.json
index e565bd9fa347..858b1b462fca 100644
--- a/Config/StandardsTable.BPATemplate.json
+++ b/Config/StandardsTable.BPATemplate.json
@@ -10,7 +10,6 @@
 {
 "formatter": "bool",
 "name": "ActivityBasedTimeout",
- "desc": "YesYes",
 "value": "ActivityBasedTimeout"
 }
 ]
@@ -23,7 +22,6 @@
 {
 "formatter": "bool",
 "name": "softwareOath",
- "desc": "YesYes",
 "value": "softwareOath"
 }
 ]
@@ -36,7 +34,6 @@
 {
 "formatter": "bool",
 "name": "MSAuthenticator",
- "desc": "YesYes",
 "value": "MSAuthenticator"
 }
 ]
@@ -49,7 +46,6 @@
 {
 "formatter": "bool",
 "name": "AnonReport",
- "desc": "YesYes",
 "value": "AnonReport"
 }
 ]
@@ -62,7 +58,6 @@
 {
 "formatter": "bool",
 "name": "AuditLog",
- "desc": "YesYes",
 "value": "AuditLog"
 }
 ]
@@ -75,7 +70,6 @@
 {
 "formatter": "bool",
 "name": "AutoExpandingArchive",
- "desc": "YesYes",
 "value": "AutoExpandingArchive"
 }
 ]
@@ -86,9 +80,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "DelegateSentItems",
- "desc": "YesYes",
 "value": "DelegateSentItems"
 }
 ]
@@ -101,7 +94,6 @@
 {
 "formatter": "bool",
 "name": "DeletedUserRentention",
- "desc": "YesYes",
 "value": "DeletedUserRentention"
 }
 ]
@@ -114,7 +106,6 @@
 {
 "formatter": "bool",
 "name": "DisableBasicAuthSMTP",
- "desc": "YesYes",
 "value": "DisableBasicAuthSMTP"
 }
 ]
@@ -127,7 +118,6 @@
 {
 "formatter": "bool",
 "name": "DisableGuestDirectory",
- "desc": "YesYes",
 "value": "DisableGuestDirectory"
 }
 ]
@@ -138,9 +128,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "DisableGuests",
- "desc": "YesYes",
 "value": "DisableGuests"
 }
 ]
@@ -153,7 +142,6 @@
 {
 "formatter": "bool",
 "name": "DisableM365GroupUsers",
- "desc": "YesYes",
 "value": "DisableM365GroupUsers"
 }
 ]
@@ -166,7 +154,6 @@
 {
 "formatter": "bool",
 "name": "MacSync",
- "desc": "YesYes",
 "value": "MacSync"
 }
 ]
@@ -179,7 +166,6 @@
 {
 "formatter": "bool",
 "name": "DisableReshare",
- "desc": "YesYes",
 "value": "DisableReshare"
 }
 ]
@@ -192,7 +178,6 @@
 {
 "formatter": "bool",
 "name": "DisableSecurityGroupUsers",
- "desc": "YesYes",
 "value": "DisableSecurityGroupUsers"
 }
 ]
@@ -203,9 +188,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "DisableSharedMailbox",
- "desc": "YesYes",
 "value": "DisableSharedMailbox"
 }
 ]
@@ -218,7 +202,6 @@
 {
 "formatter": "bool",
 "name": "DisableTenantCreation",
- "desc": "YesYes",
 "value": "DisableTenantCreation"
 }
 ]
@@ -231,7 +214,6 @@
 {
 "formatter": "bool",
 "name": "DisableUserSiteCreate",
- "desc": "YesYes",
 "value": "DisableUserSiteCreate"
 }
 ]
@@ -244,7 +226,6 @@
 {
 "formatter": "bool",
 "name": "DisableViva",
- "desc": "YesYes",
 "value": "DisableViva"
 }
 ]
@@ -257,7 +238,6 @@
 {
 "formatter": "bool",
 "name": "EnableAppConsentAdminRequests",
- "desc": "YesYes",
 "value": "EnableAppConsentAdminRequests"
 }
 ]
@@ -270,7 +250,6 @@
 {
 "formatter": "bool",
 "name": "EnableFIDO2",
- "desc": "YesYes",
 "value": "EnableFIDO2"
 }
 ]
@@ -281,9 +260,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "EnableOnlineArchiving",
- "desc": "YesYes",
 "value": "EnableOnlineArchiving"
 }
 ]
@@ -294,9 +272,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "ExcludedfileExt",
- "desc": "YesYes",
 "value": "ExcludedfileExt"
 }
 ]
@@ -309,7 +286,6 @@
 {
 "formatter": "bool",
 "name": "intuneDeviceReg",
- "desc": "YesYes",
 "value": "intuneDeviceReg"
 }
 ]
@@ -322,7 +298,6 @@
 {
 "formatter": "bool",
 "name": "intuneDeviceRetirementDays",
- "desc": "YesYes",
 "value": "intuneDeviceRetirementDays"
 }
 ]
@@ -335,7 +310,6 @@
 {
 "formatter": "bool",
 "name": "intuneRequireMFA",
- "desc": "YesYes",
 "value": "intuneRequireMFA"
 }
 ]
@@ -348,7 +322,6 @@
 {
 "formatter": "bool",
 "name": "laps",
- "desc": "YesYes",
 "value": "laps"
 }
 ]
@@ -359,9 +332,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "MailContacts",
- "desc": "YesYes",
 "value": "MailContacts"
 }
 ]
@@ -374,7 +346,6 @@
 {
 "formatter": "bool",
 "name": "NudgeMFA",
- "desc": "YesYes",
 "value": "NudgeMFA"
 }
 ]
@@ -387,7 +358,6 @@
 {
 "formatter": "bool",
 "name": "OauthConsent",
- "desc": "YesYes",
 "value": "OauthConsent"
 }
 ]
@@ -400,7 +370,6 @@
 {
 "formatter": "bool",
 "name": "OauthConsentLowSec",
- "desc": "YesYes",
 "value": "OauthConsentLowSec"
 }
 ]
@@ -413,7 +382,6 @@
 {
 "formatter": "bool",
 "name": "OutboundSpamAlert",
- "desc": "YesYes",
 "value": "OutboundSpamAlert"
 }
 ]
@@ -424,9 +392,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "PasswordExpireDisabled",
- "desc": "YesYes",
 "value": "PasswordExpireDisabled"
 }
 ]
@@ -439,7 +406,6 @@
 {
 "formatter": "bool",
 "name": "companionAppAllowedState",
- "desc": "YesYes",
 "value": "companionAppAllowedState"
 }
 ]
@@ -452,7 +418,6 @@
 {
 "formatter": "bool",
 "name": "PWdisplayAppInformationRequiredState",
- "desc": "YesYes",
 "value": "PWdisplayAppInformationRequiredState"
 }
 ]
@@ -463,9 +428,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "DKIM",
- "desc": "YesYes",
 "value": "DKIM"
 }
 ]
@@ -476,9 +440,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "bool",
+ "formatter": "warnBool",
 "name": "SecurityDefaults",
- "desc": "YesYes",
 "value": "SecurityDefaults"
 }
 ]
@@ -491,7 +454,6 @@
 {
 "formatter": "bool",
 "name": "SendFromAlias",
- "desc": "YesYes",
 "value": "SendFromAlias"
 }
 ]
@@ -502,9 +464,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "json",
+ "formatter": "table",
 "name": "SendReceiveLimit",
- "desc": "YesYes",
 "value": "SendReceiveLimit"
 }
 ]
@@ -517,7 +478,6 @@
 {
 "formatter": "string",
 "name": "sharingCapability",
- "desc": "YesYes",
 "value": "sharingCapability"
 }
 ]
@@ -528,9 +488,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "bool",
+ "formatter": "warnBool",
 "name": "SpoofingWarnings",
- "desc": "YesYes",
 "value": "SpoofingWarnings"
 }
 ]
@@ -541,9 +500,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "bool",
+ "formatter": "warnBool",
 "name": "TemporaryAccessPass",
- "desc": "YesYes",
 "value": "TemporaryAccessPass"
 }
 ]
@@ -554,9 +512,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "bool",
+ "formatter": "warnBool",
 "name": "unmanagedSync",
- "desc": "YesYes",
 "value": "unmanagedSync"
 }
 ]
@@ -567,22 +524,8 @@
 "UseExistingInfo": true,
 "FrontendFields": [
 {
- "formatter": "bool",
- "name": "UserSubmissionPolicy",
- "desc": "YesYes",
- "value": "UserSubmissionPolicy"
- }
- ]
- },
- {
- "name": "UserSubmissionPolicy",
- "StoreAs": "bool",
- "UseExistingInfo": true,
- "FrontendFields": [
- {
- "formatter": "bool",
+ "formatter": "warnBool",
 "name": "UserSubmissionPolicy",
- "desc": "YesYes",
 "value": "UserSubmissionPolicy"
 }
 ]
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
index a0ffb45c8572..4c219d329ba6 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
@@ -30,6 +30,7 @@ function Invoke-CIPPStandardDelegateSentItems {
 }
 }
 if ($Settings.report) {
- Add-CIPPBPAField -FieldName 'DelegateSentItems' -FieldValue $Mailboxes -StoreAs json -Tenant $tenant
+ $Filtered = $Mailboxes | Select-Object -Property UserPrincipalName, MessageCopyForSendOnBehalfEnabled, MessageCopyForSentAsEnabled
+ Add-CIPPBPAField -FieldName 'DelegateSentItems' -FieldValue $Filtered -StoreAs json -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
index 0e034eec9ee3..975368668560 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
@@ -4,6 +4,8 @@ function Invoke-CIPPStandardDeletedUserRentention {
 Internal
 #>
 param($Tenant, $Settings)
+ $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
+
 If ($Settings.remediate) {
 try {
 $body = '{"deletedUserPersonalSiteRetentionPeriodInDays": 365}'
@@ -15,8 +17,6 @@ function Invoke-CIPPStandardDeletedUserRentention {
 }
 }
 if ($Settings.alert) {
-
- $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
 if ($CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays -eq 365) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Deleted user rentention of OneDrive is set to 1 year' -sev Info
 } else {
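Review bot: The hoisted `$CurrentInfo = New-GraphGetRequest …` in Invoke-CIPPStandardDeletedUserRentention now runs unconditionally and outside the `try` that guards remediation, so a failed GET aborts the whole standard before remediation is attempted, where previously only the alert branch depended on it; the same pattern is introduced in Invoke-CIPPStandardDisableGuestDirectory and Invoke-CIPPStandardsharingCapability in the following hunks. When both `remediate` and `alert` are set, the alert branch also evaluates the pre-remediation value, so it will log a non-compliant state right after it was fixed. Consider wrapping the GET in its own try/catch that logs and returns, and re-reading after remediation if the alert is meant to reflect the current state. The function bodies continue outside the hunks.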
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
index 10d0db61dc70..9729b4b163a7 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
@@ -4,6 +4,8 @@ function Invoke-CIPPStandardDisableGuestDirectory {
 Internal
 #>
 param($Tenant, $Settings)
+ $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
+
 If ($Settings.remediate) {
@@ -19,7 +21,6 @@ function Invoke-CIPPStandardDisableGuestDirectory {
 if ($Settings.alert) {
- $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
 if ($CurrentInfo.guestUserRoleId -eq '2af84b1e-32c8-42b7-82bc-daa82404023b') {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest access to directory information is disabled.' -sev Info
 } else {
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
index cf2b7e82da55..bcb286cc7677 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
@@ -27,6 +27,7 @@ function Invoke-CIPPStandardDisableGuests {
 }
 }
 if ($Settings.report) {
- Add-CIPPBPAField -FieldName 'DisableGuests' -FieldValue $GraphRequest -StoreAs json -Tenant $tenant
+ $filtered = $GraphRequest | Select-Object -Property UserPrincipalName, id, signInActivity, mail, userType, accountEnabled
+ Add-CIPPBPAField -FieldName 'DisableGuests' -FieldValue $filtered -StoreAs json -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1
index fef78e2521a7..92bfc8b7a6db 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1
@@ -27,6 +27,7 @@ function Invoke-CIPPStandardEnableOnlineArchiving {
 }
 }
 if ($Settings.report) {
+ $filtered = $MailboxesNoArchive | Select-Object -Property UserPrincipalName, Archive
 Add-CIPPBPAField -FieldName 'EnableOnlineArchiving' -FieldValue $MailboxesNoArchive -StoreAs json -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
index 02be3ce67a98..e7e177a3cdce 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
@@ -4,6 +4,8 @@ function Invoke-CIPPStandardsharingCapability {
 Internal
 #>
 param($Tenant, $Settings)
+ $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
+
 If ($Settings.remediate) {
 try {
 New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body "{`"sharingCapability`":`"$($Settings.Level)`"}" -ContentType 'application/json'
@@ -14,7 +16,6 @@ function Invoke-CIPPStandardsharingCapability {
 }
 if ($Settings.alert) {
- $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
 if ($CurrentInfo.sharingCapability -eq $Settings.level) {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Sharing level is set to $($Settings.level)" -sev Info
 } else {
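Review bot: `$filtered` is computed on the added line in Invoke-CIPPStandardEnableOnlineArchiving but never used: the next line still passes `$MailboxesNoArchive` to Add-CIPPBPAField, so the projection to UserPrincipalName and Archive has no effect and the full mailbox objects still land in the BPA table. The call should read `Add-CIPPBPAField -FieldName 'EnableOnlineArchiving' -FieldValue $filtered -StoreAs json -Tenant $tenant`, matching what the DelegateSentItems and DisableGuests hunks in this commit do. The function body continues outside the hunk.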
From 59402d67b5df8dff49a204cbf51353e92f6dc126 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Sun, 10 Dec 2023 04:23:27 +0100 Subject: [PATCH 65/78] fixes bug with owners at single item
---
Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1
index 358649519572..9794b0d51f3c 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddGroup.ps1
@@ -37,13 +37,14 @@ Function Invoke-AddGroup {
 }
 if ($groupobj.AddOwner -AND $groupobj.groupType -in 'generic', 'azurerole', 'security') {
 $BodyToship | Add-Member -NotePropertyName 'owners@odata.bind' -NotePropertyValue (($groupobj.AddOwner) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })
+ $bodytoship.'owners@odata.bind' = @($bodytoship.'owners@odata.bind')
 }
 if ($groupobj.AddMember -AND $groupobj.groupType -in 'generic', 'azurerole', 'security') {
 $BodyToship | Add-Member -NotePropertyName 'members@odata.bind' -NotePropertyValue (($groupobj.AddMember) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })
+ $BodyToship.'members@odata.bind' = @($BodyToship.'members@odata.bind')
 }
 $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant -type POST -body (ConvertTo-Json -InputObject $BodyToship -Depth 10) -verbose
- }
- else {
+ } else {
 $Params = @{
 Name = $groupobj.Displayname
 Alias = $groupobj.username
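Review bot: The two added re-wraps fix the single-owner case as a second statement per property, and one of them spells the variable `$bodytoship` while the surrounding lines use `$BodyToship`; PowerShell resolves both to the same variable, but the mixed casing reads like two different objects. Folding the array coercion into the Add-Member call keeps each property to one line and removes the second assignment, e.g. `-NotePropertyValue @(($groupobj.AddOwner) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })` and the same for `members@odata.bind`. Invoke-AddGroup continues outside the hunk.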
@@ -58,8 +59,7 @@ Function Invoke-AddGroup {
 "Successfully created group $($groupobj.displayname) for $($tenant)"
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id)" -Sev 'Info'
- }
- catch {
+ } catch {
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Group creation API failed. $($_.Exception.Message)" -Sev 'Error'
 "Failed to create group. $($groupobj.displayname) for $($tenant) $($_.Exception.Message)"
 }
From 2a3d8482bb7ba02219557f744fa8d21378387a93 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Sun, 10 Dec 2023 16:18:59 +0100 Subject: [PATCH 66/78] add number option
---
...oke-CIPPStandardSendReceiveLimitTenant.ps1 | 26 +++---------------- 1 file changed, 3 insertions(+), 23 deletions(-)
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1
index 1bd675bbfc71..640cea2d18f0 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1
@@ -6,29 +6,9 @@ function Invoke-CIPPStandardSendReceiveLimitTenant {
 param($Tenant, $Settings)
 $AllMailBoxPlans = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxPlan' | Select-Object DisplayName, MaxSendSize, MaxReceiveSize, GUID
 If ($Settings.remediate) {
- $Limits = $Settings.SendReceiveLimit
- if ($Limits[0] -like '*MB*') {
- $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1MB
- } elseif ($Limits[0] -like '*KB*') {
- $MaxSendSize = [int]($Limits[0] -Replace '[a-zA-Z]', '') * 1KB
- } # Default to 35MB if invalid input
- else {
- $MaxSendSize = 35MB
- }
- if ($MaxSendSize -gt 150MB) {
- $MaxSendSize = 150MB
- }
- if ($Limits[1] -like '*MB*') {
- $MaxReceiveSize = [int]($Limits[1] -Replace '[a-zA-Z]', '') * 1MB
- } elseif ($Limits[1] -like '*KB*') {
- $MaxReceiveSize = [int]($Limits[1] -Replace '[a-zA-Z]', '') * 1KB
- } else {
- $MaxReceiveSize = 36MB
- }
-
- if ($MaxReceiveSize -gt 150MB) {
- $MaxReceiveSize = 150MB
- }
+ Write-Host "Time to remediate. Our Settings are $($Settings.SendLimit)MB and $($Settings.ReceiveLimit)MB"
+ $MaxReceiveSize = [int64]"$($Settings.SendLimit)MB"
+ $MaxSendSize = [int64]"$($Settings.ReceiveLimit)MB"
 try {
 foreach ($MailboxPlan in $AllMailBoxPlans) {
From 9b435536844a550128928be79116777e081751cf Mon Sep 17 00:00:00 2001 From: John Duprey Date: Sun, 10 Dec 2023 11:47:59 -0500 Subject: [PATCH 67/78] Update Invoke-ExecGDAPInvite.ps1
---
.../Entryp oints/Invoke-ExecGDAPInvite.ps1 | 123 +++++++++--------- 1 file changed, 59 insertions(+), 64 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecGDAPInvite.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecGDAPInvite.ps1
index 050a162ebd6f..8eb97c978ce5 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecGDAPInvite.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecGDAPInvite.ps1
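Review bot: The two added assignments in Invoke-CIPPStandardSendReceiveLimitTenant are crossed: `$MaxReceiveSize` is built from `$Settings.SendLimit` and `$MaxSendSize` from `$Settings.ReceiveLimit`, so each plan gets the configured send limit applied as its receive limit and vice versa. They should read `$MaxSendSize = [int64]"$($Settings.SendLimit)MB"` and `$MaxReceiveSize = [int64]"$($Settings.ReceiveLimit)MB"`. The `[int64]` cast also sits before the `try` and throws on an empty or non-numeric setting (the string becomes `"MB"`), and the removed 150MB clamp is gone, so an out-of-range value now flows straight into the plan update whose loop body is outside the hunk; a small range check on both values before the cast would restore that guard.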
@@ -1,6 +1,5 @@
- using namespace System.Net
-
- Function Invoke-ExecGDAPInvite {
+using namespace System.Net
+Function Invoke-ExecGDAPInvite {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,78 +7,74 @@
 [CmdletBinding()]
 param($Request, $TriggerMetadata)
- $APIName = $TriggerMetadata.FunctionName
-Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+ $APIName = $TriggerMetadata.FunctionName
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
-$RoleMappings = $Request.body.gdapRoles
-$Results = [System.Collections.Generic.List[string]]::new()
-$InviteUrls = [System.Collections.Generic.List[string]]::new()
+ $RoleMappings = $Request.body.gdapRoles
+ $Results = [System.Collections.Generic.List[string]]::new()
+ if ($RoleMappings.roleDefinitionId -contains '62e90394-69f5-4237-9190-012177145e10') {
+ $AutoExtendDuration = 'PT0S'
+ } else {
+ $AutoExtendDuration = 'P180D'
+ }
-if ($RoleMappings.roleDefinitionId -contains '62e90394-69f5-4237-9190-012177145e10') {
- $AutoExtendDuration = 'PT0S'
-} else {
- $AutoExtendDuration = 'P180D'
-}
+ $Table = Get-CIPPTable -TableName 'GDAPInvites'
+ try {
+ $JSONBody = @{
+ 'displayName' = "$((New-Guid).GUID)"
+ 'accessDetails' = @{
+ 'unifiedRoles' = @($RoleMappings | Select-Object roleDefinitionId)
+ }
+ 'autoExtendDuration' = $AutoExtendDuration
+ 'duration' = 'P730D'
+ } | ConvertTo-Json -Depth 5 -Compress
-$Table = Get-CIPPTable -TableName 'GDAPInvites'
-try {
- $JSONBody = @{
- 'displayName' = "$((New-Guid).GUID)"
- 'accessDetails' = @{
- 'unifiedRoles' = @($RoleMappings | Select-Object roleDefinitionId)
- }
- 'autoExtendDuration' = $AutoExtendDuration
- 'duration' = 'P730D'
- } | ConvertTo-Json -Depth 5 -Compress
+ $NewRelationship = New-GraphPostRequest -NoAuthCheck $True -uri 'https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships' -type POST -body $JSONBody -verbose -tenantid $env:TenantID
+ Start-Sleep -Milliseconds 100
+ $Count = 0
+ do {
+ $CheckActive = New-GraphGetRequest -NoAuthCheck $True -uri 
"https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$($NewRelationship.id)" -tenantid $env:TenantID
+ Start-Sleep -Milliseconds 200
+ $Count++
+ } until ($CheckActive.status -eq 'created' -or $Count -gt 5)
- $NewRelationship = New-GraphPostRequest -NoAuthCheck $True -uri 'https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships' -type POST -body $JSONBody -verbose -tenantid $env:TenantID
- Start-Sleep -Milliseconds 100
- $Count = 0
- do {
- $CheckActive = New-GraphGetRequest -NoAuthCheck $True -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$($NewRelationship.id)" -tenantid $env:TenantID
- Start-Sleep -Milliseconds 200
- $Count++
- } until ($CheckActive.status -eq 'created' -or $Count -gt 5)
+ if ($CheckActive.status -eq 'created') {
+ # Lock for approval
+ $JSONBody = @{
+ 'action' = 'lockForApproval'
+ } | ConvertTo-Json
+ $NewRelationshipRequest = New-GraphPostRequest -NoAuthCheck $True -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$($NewRelationship.id)/requests" -type POST -body $JSONBody -verbose -tenantid $env:TenantID
- if ($CheckActive.status -eq 'created') {
- # Lock for approval
- $JSONBody = @{
- 'action' = 'lockForApproval'
- } | ConvertTo-Json
- $NewRelationshipRequest = New-GraphPostRequest -NoAuthCheck $True -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$($NewRelationship.id)/requests" -type POST -body $JSONBody -verbose -tenantid $env:TenantID
+ if ($NewRelationshipRequest.action -eq 'lockForApproval') {
+ $InviteUrl = "https://admin.microsoft.com/AdminPortal/Home#/partners/invitation/granularAdminRelationships/$($NewRelationship.id)"
- if ($NewRelationshipRequest.action -eq 'lockForApproval') {
- $InviteUrl = "https://admin.microsoft.com/AdminPortal/Home#/partners/invitation/granularAdminRelationships/$($NewRelationship.id)"
- $InviteUrls.Add($InviteUrl)
+ $InviteEntity = 
[PSCustomObject]@{
+ 'PartitionKey' = 'invite'
+ 'RowKey' = $NewRelationship.id
+ 'InviteUrl' = $InviteUrl
+ 'RoleMappings' = [string](@($RoleMappings) | ConvertTo-Json -Depth 10 -Compress)
+ }
+ Add-CIPPAzDataTableEntity @Table -Entity $InviteEntity
- $InviteEntity = [PSCustomObject]@{
- 'PartitionKey' = 'invite'
- 'RowKey' = $NewRelationship.id
- 'InviteUrl' = $InviteUrl
- 'RoleMappings' = [string](@($RoleMappings) | ConvertTo-Json -Depth 10)
+ $Results.add('GDAP relationship invite created. Copy the URL below and log in as a Global Admin for the new tenant to approve the invite.')
+ } else {
+ $Results.add('Error creating GDAP relationship request')
 }
- Add-CIPPAzDataTableEntity @Table -Entity $InviteEntity
-
- $Results.add("Relationship created - Invite URL: $InviteUrl")
- } else {
- $Results.add('Error creating GDAP relationship request')
 }
+ } catch {
+ $Results.add('Error creating GDAP relationship')
+ Write-Host "GDAP ERROR: $($_.Exception.Message)"
 }
-} catch {
- $Results.add('Error creating GDAP relationship')
- Write-Host "GDAP ERROR: $($_.Exception.Message)"
-}
-Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created GDAP Invite - $InviteUrl" -Sev 'Info'
-
-$body = @{
- Results = @($Results)
- InviteUrls = @($InviteUrls)
-}
-Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
- StatusCode = [HttpStatusCode]::OK
- Body = $body
- })
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Created GDAP Invite - $InviteUrl" -Sev 'Info'
+ $body = @{
+ Results = @($Results)
+ Invite = $InviteEntity
 }
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = [HttpStatusCode]::OK
+ Body = $body
+ })
+}
From 2303d353521651b28919a1d7b088d7fbbe977d2d Mon Sep 17 00:00:00 2001
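Review bot: `Write-LogMessage … -message "Created GDAP Invite - $InviteUrl" -Sev 'Info'` still runs after the try/catch on every path, so a failed relationship or failed lock request writes a success entry with an empty URL, while `$body.Invite` is `$null` on the same path and the response status stays `[HttpStatusCode]::OK`. Move the log call into the `if ($NewRelationshipRequest.action -eq 'lockForApproval')` branch next to `Add-CIPPAzDataTableEntity`, and consider recording a status in the `catch` so the caller can tell failure from success without parsing `Results`. The response now returns the whole table entity, including the serialized `RoleMappings`, where the old shape exposed only URLs; if the frontend needs just `InviteUrl` and `RowKey`, a `Select-Object` on `$InviteEntity` keeps the API contract narrow.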
From: John Duprey Date: Sun, 10 Dec 2023 12:14:46 -0500 Subject: [PATCH 68/78] GDAP Invite fixes Fix output binding for timer trigger Adjust output for GDAP invite Fix logging
---
ExecGDAPInviteApproved_Timer/function.json | 2 +- ExecGDAPInviteQueue/run.ps1 | 12 +++++------- Modules/CIPPCore/Public/Set-CIPPGDAPInviteGroups.ps1 | 6 ++---- 3 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/ExecGDAPInviteApproved_Timer/function.json b/ExecGDAPInviteApproved_Timer/function.json
index 6b68992375e9..32b454a2a015 100644
--- a/ExecGDAPInviteApproved_Timer/function.json
+++ b/ExecGDAPInviteApproved_Timer/function.json
@@ -9,7 +9,7 @@
 {
 "type": "queue",
 "direction": "out",
- "name": "Msg",
+ "name": "gdapinvitequeue",
 "queueName": "gdapinvitequeue"
 }
 ]
diff --git a/ExecGDAPInviteQueue/run.ps1 b/ExecGDAPInviteQueue/run.ps1
index 78e43c118449..87fd14236b3c 100644
--- a/ExecGDAPInviteQueue/run.ps1
+++ b/ExecGDAPInviteQueue/run.ps1
@@ -2,14 +2,12 @@ param(
 $QueueItem, $TriggerMetadata)
 # Write out the queue message and metadata to the information log.
-Write-Host "PowerShell queue trigger function processed work item: $QueueItem"
-#$TenantFilter = $env:TenantID
+Write-Host "PowerShell queue trigger function processed work item: $($QueueItem.customer.displayName)"
 $Table = Get-CIPPTable -TableName 'GDAPInvites'
-$Invite = Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$QueueItem'"
+$Invite = Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$($QueueItem.id)'"
 $APINAME = 'GDAPInvites'
 $RoleMappings = $Invite.RoleMappings | ConvertFrom-Json
-Write-Host ($Invite | ConvertTo-Json -Compress)
 foreach ($role in $RoleMappings) {
 try {
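Review bot: Nothing in ExecGDAPInviteQueue/run.ps1 checks that the lookup on the changed `$Invite = Get-CIPPAzDataTableEntity … -Filter "RowKey eq '$($QueueItem.id)'"` line returned a row: when the id has no match, `$Invite` is empty, `$RoleMappings` becomes `$null`, the loop does nothing, and the `Remove-AzDataTableEntity @Table -Entity $Invite` at the end of the script (in the next hunk) is reached with an empty entity. A guard right after the lookup, `if (-not $Invite) { Write-LogMessage -API $APINAME -message "No GDAP invite found for $($QueueItem.id)" -Sev Error; return }`, makes the no-match case explicit and keeps it out of the error log noise; `$APINAME` would need to be assigned before it. The script body continues outside the hunk.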
@@ -24,12 +22,12 @@ foreach ($role in $RoleMappings) {
 })
 }
 }
- New-GraphPostRequest -NoAuthCheck $True -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$($QueueItem)/accessAssignments" -tenantid $env:TenantID -type POST -body $MappingBody -verbose
+ New-GraphPostRequest -NoAuthCheck $True -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$($QueueItem.id)/accessAssignments" -tenantid $env:TenantID -type POST -body $MappingBody -verbose
 Start-Sleep -Milliseconds 100
 } catch {
- Write-LogMessage -API $APINAME -message "GDAP Group mapping failed - $($role.GroupId): $($_.Exception.Message)" -Sev Error
+ Write-LogMessage -API $APINAME -message "GDAP Group mapping failed for $($QueueItem.customer.displayName) - Group: $($role.GroupId) - Exception: $($_.Exception.Message)" -Sev Error
 exit 1
 }
- Write-LogMessage -API $APINAME -message "Groups mapped for GDAP Relationship: $($GdapInvite.RowKey)" -Sev Info
 }
+Write-LogMessage -API $APINAME -message "Groups mapped for GDAP Relationship: $($QueueItem.customer.displayName) - $($QueueItem.displayName)" -Sev Info
 Remove-AzDataTableEntity @Table -Entity $Invite
diff --git a/Modules/CIPPCore/Public/Set-CIPPGDAPInviteGroups.ps1 b/Modules/CIPPCore/Public/Set-CIPPGDAPInviteGroups.ps1
index ca159b6611d5..a868f5573d16 100644
--- a/Modules/CIPPCore/Public/Set-CIPPGDAPInviteGroups.ps1
+++ b/Modules/CIPPCore/Public/Set-CIPPGDAPInviteGroups.ps1
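Review bot: `exit 1` in the catch ends the queue function before `Remove-AzDataTableEntity @Table -Entity $Invite` runs, so one failed group mapping leaves the invite row in the table, and since Set-CIPPGDAPInviteGroups re-queues every active relationship whose RowKey is still present (next hunk), the same relationship is presumably reprocessed on every timer run, re-POSTing the access assignments that already succeeded. Consider collecting failures and deciding after the loop whether to remove the row, or using `throw` instead of `exit 1` so the host's retry and poison-queue handling applies rather than an open-ended loop. The new error message is clearer; adding `$($QueueItem.id)` to it would let the failing row be found from the log without a displayName lookup.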
@@ -4,14 +4,12 @@ function Set-CIPPGDAPInviteGroups {
 $InviteList = Get-CIPPAzDataTableEntity @Table
 if (($InviteList | Measure-Object).Count -gt 0) {
- #$LastDay = Get-Date (Get-Date).AddHours(-26) -UFormat '+%Y-%m-%dT%H:%M:%S.000Z'
- #$NewActivations = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships?`$filter=((status eq 'active') and (activatedDateTime gt $LastDay))"
 $Activations = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships?`$filter=status eq 'active'"
 foreach ($Activation in $Activations) {
 if ($InviteList.RowKey -contains $Activation.id) {
- Write-Host "Mapping groups for GDAP relationship: $($Activation.id)"
- Push-OutputBinding -Name gdapinvitequeue -Value $Activation.id
+ Write-Host "Mapping groups for GDAP relationship: $($Activation.customer.displayName) - $($Activation.id)"
+ Push-OutputBinding -Name gdapinvitequeue -Value $Activation
 }
 }
 }
From 404a806a2220dada87d370f885fe284572c17085 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 11 Dec 2023 00:27:55 +0100 Subject: [PATCH 69/78] add assign templates
---
.../Public/Set-CIPPAssignedPolicy.ps1 | 35 ++++++++---------- .../Invoke-CIPPStandardIntuneTemplate.ps1 | 37 ++++++++----------- 2 files changed, 30 insertions(+), 42 deletions(-)
diff --git a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1
index 1303cd72a9bb..19e1f7975818 100644
--- a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1
+++ b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1
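Review bot: `Push-OutputBinding -Name gdapinvitequeue -Value $Activation` now enqueues the entire delegatedAdminRelationship object returned by Graph, although the consumer in ExecGDAPInviteQueue/run.ps1 reads only `id`, `displayName` and `customer.displayName`. Projecting before enqueueing, `Push-OutputBinding -Name gdapinvitequeue -Value ($Activation | Select-Object id, displayName, customer)`, keeps the queue message small (storage queue messages have a size limit) and makes the producer/consumer contract explicit rather than whatever shape the Graph response happens to have. Set-CIPPGDAPInviteGroups continues outside the hunk.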
@@ -5,53 +5,49 @@ function Set-CIPPAssignedPolicy {
 $PolicyId,
 $Type,
 $TenantFilter,
- $APIName = "Assign Application",
+ $APIName = 'Assign Policy',
 $ExecutingUser
 )
 try {
 $assignmentsObject = switch ($GroupName) {
- "allLicensedUsers" {
+ 'allLicensedUsers' {
 @(
 @{
- id = ""
 target = @{
- "@odata.type" = "#microsoft.graph.allLicensedUsersAssignmentTarget"
+ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget'
 }
 }
 )
 break
 }
- "AllDevices" {
+ 'AllDevices' {
 @(
 @{
- id = ""
 target = @{
- "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget"
+ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget'
 }
 }
 )
 break
 }
- "AllDevicesAndUsers" {
+ 'AllDevicesAndUsers' {
 @(
 @{
- id = ""
 target = @{
- "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget"
+ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget'
 }
 },
 @{
- id = ""
 target = @{
- "@odata.type" = "#microsoft.graph.allLicensedUsersAssignmentTarget"
+ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget'
 }
 }
 )
 }
 default {
- $GroupNames = $GroupName.Split(",")
- $GroupIds = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/groups" -tenantid $TenantFilter | ForEach-Object {
+ $GroupNames = $GroupName.Split(',')
+ $GroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $TenantFilter | ForEach-Object {
 $Group = $_
 foreach ($SingleName in $GroupNames) {
 if ($_.displayname -like $SingleName) {
@@ -62,7 +58,7 @@ function Set-CIPPAssignedPolicy {
 foreach ($Group in $GroupIds) {
 @{
 target = @{
- "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
+ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
 groupId = $Group
 }
 }
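Review bot: In the `default` arm, `$GroupName.Split(',')` keeps the leading space on every name after the first (`'Group A, Group B'` yields `' Group B'`), and each part is then used as a wildcard pattern through `-like`, so a configured name containing `*` matches every group in the tenant and the policy is assigned to all of them. Trim the parts, `$GroupNames = $GroupName.Split(',').Trim()`, and unless wildcard matching is a deliberate feature compare exactly: `if ($_.displayName -eq $SingleName) {`. The switch and its `default` arm continue past the end of this hunk.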
@@ -72,12 +68,11 @@ function Set-CIPPAssignedPolicy {
 $assignmentsObject = [PSCustomObject]@{
 assignments = @($assignmentsObject)
 }
- $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$Type('$($PolicyId)')/assign" -tenantid $tenantFilter -type POST -body ($assignmentsObject | ConvertTo-Json -Depth 10)
- Write-LogMessage -user $ExecutingUser -API $APIName -message "Assigned Policy to $($GroupName)" -Sev "Info" -tenant $TenantFilter
+ $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$Type('$($PolicyId)')/assign" -tenantid $tenantFilter -type POST -body ($assignmentsObject | ConvertTo-Json -Depth 10)
+ Write-LogMessage -user $ExecutingUser -API $APIName -message "Assigned Policy to $($GroupName)" -Sev 'Info' -tenant $TenantFilter
 return "Assigned policy to $($GroupName)"
- }
- catch {
- Write-LogMessage -user $ExecutingUser -API $APIName -message "Failed to assign Policy to $GroupName" -Sev "Error" -tenant $TenantFilter
+ } catch {
+ Write-LogMessage -user $ExecutingUser -API $APIName -message "Failed to assign Policy to $GroupName" -Sev 'Error' -tenant $TenantFilter
 return "Could not assign policy to $GroupName. Error: $($_.Exception.Message)"
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
index 40a9d962dd4a..d6676fc437ec 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
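Review bot: Nothing checks that `$assignmentsObject` is non-empty before it is wrapped into `assignments = @($assignmentsObject)`; when the `default` arm of the switch matches no group (a misspelled name), the body POSTed to `/assign` is `{"assignments":[]}` and the function logs and returns success. Add a guard ahead of the PSCustomObject, `if (-not $assignmentsObject) { throw "No groups matched '$GroupName'" }`, so the existing catch returns the failure string to the caller. Whether an empty list clears the policy's current assignments on the Graph side is not visible here, but either outcome is wrong for that input.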
@@ -6,15 +6,10 @@ function Invoke-CIPPStandardIntuneTemplate {
 param($Tenant, $Settings)
 If ($Settings.remediate) {
-
- $ConfigTable = Get-CippTable -tablename 'standards'
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.IntuneTemplate
- if (!$Setting) {
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.IntuneTemplate
- }
-
+ Write-Host 'starting template deploy'
 $APINAME = 'Standards'
- foreach ($Template in $Setting.TemplateList) {
+ foreach ($Template in $Settings.TemplateList) {
+ Write-Host 'working on template deploy'
 try {
 $Table = Get-CippTable -tablename 'templates'
 $Filter = "PartitionKey eq 'IntuneTemplate'"
@@ -22,7 +17,6 @@ function Invoke-CIPPStandardIntuneTemplate {
 $Request.body = (Get-AzDataTableEntity @Table -Filter $Filter | Where-Object -Property RowKey -Like "$($template.value)*").JSON | ConvertFrom-Json
 $displayname = $request.body.Displayname
 $description = $request.body.Description
- $AssignTo = if ($request.body.Assignto -ne 'on') { $request.body.Assignto }
 $RawJSON = $Request.body.RawJSON
 switch ($Request.body.Type) {
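Review bot: `$Request.body = (...)` in the second hunk, and every `-user $request.headers.'x-ms-client-principal'` log call in this function, rely on a `$Request` variable that is not among the parameters (`param($Tenant, $Settings)`), so the principal logged is empty and the assignment depends on whatever `$Request` happens to be in scope when the standard runs; a local such as `$TemplateObj = (Get-AzDataTableEntity @Table -Filter $Filter | Where-Object -Property RowKey -Like "$($template.value)*").JSON | ConvertFrom-Json` would make the data flow explicit. The two added `Write-Host` lines ('starting template deploy', 'working on template deploy') are debug output; drop them or route them through `Write-LogMessage ... -Sev 'Debug'` so they carry the tenant. The foreach/try opened here continues past the hunk.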
@@ -39,12 +33,12 @@ function Invoke-CIPPStandardIntuneTemplate {
 $DeleteJson = ConvertTo-Json -Depth 10 -InputObject $DeleteJson
 $DeleteRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $DeleteJson
 $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($existingId.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Updated policy $($Displayname) to template defaults" -Sev 'info'
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Updated policy $($Displayname) to template defaults" -Sev 'info'
 } else {
 $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $CreateBody
 $UpdateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/updateDefinitionValues" -tenantid $tenant -type POST -body $RawJSON
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($Displayname) to template defaults" -Sev 'info'
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($Displayname) to template defaults" -Sev 'info'
 }
 }
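Review bot: In the `if` branch (existing policy updated via `updateDefinitionValues`) the responses go to `$DeleteRequest`/`$UpdateRequest` but `$CreateRequest` is never set, while the assignment step added at the end of this function (`Set-CIPPAssignedPolicy -PolicyId $CreateRequest.id`, in a later hunk) relies on `$CreateRequest`; an updated policy of this type is therefore assigned using a `$CreateRequest` left over from the previous template, or an empty id. Set it in this branch as well, e.g. `$CreateRequest = $existingId` after the two update calls, and reset `$CreateRequest = $null` at the start of each template iteration so a failed create can never reuse a stale id. `$existingId` is assigned outside the hunk, so confirm it is the object whose `.id` the URIs use.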
@@ -54,12 +48,12 @@ function Invoke-CIPPStandardIntuneTemplate {
 $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant
 if ($PolicyName -in $CheckExististing.displayName) {
 $ExistingID = $CheckExististing | Where-Object -Property displayName -EQ $PolicyName
- $PatchRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PATCH -body $RawJSON
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Updated policy $($PolicyName) to template defaults" -Sev 'info'
+ $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PATCH -body $RawJSON
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Updated policy $($PolicyName) to template defaults" -Sev 'info'
 } else {
 $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($PolicyName) via template" -Sev 'info'
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($PolicyName) via template" -Sev 'info'
 }
 }
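Review bot: `$CreateRequest` is now assigned from the PATCH response so that the later assignment step can read `$CreateRequest.id`, but a Graph PATCH on these resources normally returns 204 No Content, in which case `$CreateRequest` is empty and the id of the updated policy is lost; the PUT in the next hunk has the same problem. Fall back to the object already in hand: `if (-not $CreateRequest.id) { $CreateRequest = $ExistingID }` after the PATCH (and after the PUT). The enclosing switch arm continues outside the hunk.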
@@ -69,22 +63,21 @@ function Invoke-CIPPStandardIntuneTemplate {
 $CheckExististing = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant
 if ($PolicyName -in $CheckExististing.name) {
 $ExistingID = $CheckExististing | Where-Object -Property Name -EQ $PolicyName
- $PUTRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PUT -body $RawJSON
+ $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL/$($ExistingID.Id)" -tenantid $tenant -type PUT -body $RawJSON
 } else {
 $CreateRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL" -tenantid $tenant -type POST -body $RawJSON
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Added policy $($PolicyName) via template" -Sev 'info'
-
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Added policy $($PolicyName) via template" -Sev 'info'
 }
 }
 }
- if ($AssignTo) {
- $AssignBody = if ($AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
- $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/$TemplateTypeURL('$($CreateRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant, $Settings) -message "Assigned policy $($Displayname) to $AssignTo" -Sev 'Info'
+
+ if ($Settings.AssignTo) {
+ Write-Host "Assigning Policy to $($Settings.AssignTo) the create ID is $($CreateRequest)"
+ Set-CIPPAssignedPolicy -PolicyId $CreateRequest.id -TenantFilter $tenant -GroupName $Settings.AssignTo -Type $TemplateTypeURL
 }
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant, $Settings)" -sev 'Info'
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully added Intune Template policy for $($Tenant)" -sev 'Info'
 } catch {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Intune Template: $($_.exception.message)" -sev 'Error'
 }
From fe41e2ff01d774b091d96c0d784733d950e8436e Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Mon, 11 Dec 2023 00:42:21 +0100
Subject: [PATCH 70/78] deployment
---
 .../Invoke-CIPPStandardTransportRuleTemplate.ps1 | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1
index 6cc02551e5f3..794f74f31c8f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1
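Review bot: The return value of `Set-CIPPAssignedPolicy` is discarded; that function catches its own errors and returns a `Could not assign policy ...` string rather than throwing (see its hunk earlier in this series), so an assignment failure is invisible here and the standard still logs 'Successfully added Intune Template policy'. Capture and log it, `$AssignResult = Set-CIPPAssignedPolicy -PolicyId $CreateRequest.id -TenantFilter $tenant -GroupName $Settings.AssignTo -Type $TemplateTypeURL -ExecutingUser $request.headers.'x-ms-client-principal'`, and raise when it does not start with 'Assigned'. The `Write-Host` line prints the whole `$CreateRequest` Graph object into the function log; logging `$CreateRequest.id` is enough and keeps policy payloads out of the log stream.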
@@ -6,15 +6,8 @@ function Invoke-CIPPStandardTransportRuleTemplate {
 param($Tenant, $Settings)
 If ($Settings.remediate) {
-
-
- $ConfigTable = Get-CippTable -tablename 'standards'
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate
- if (!$Setting) {
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.TransportRuleTemplate
- }
-
- foreach ($Template in $Setting.TemplateList) {
+ foreach ($Template in $Settings.TemplateList) {
+ Write-Host "working on $($Template.value)"
 $Table = Get-CippTable -tablename 'templates'
 $Filter = "PartitionKey eq 'TransportTemplate' and RowKey eq '$($Template.value)'"
 $RequestParams = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json
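Review bot: `$Filter = "PartitionKey eq 'TransportTemplate' and RowKey eq '$($Template.value)'"` interpolates the template value straight into the table filter, and with the value now taken from the `$Settings` parameter rather than the standards table, a value containing a single quote breaks or changes the query. Escape it once, `$TemplateKey = $Template.value -replace "'", "''"`, and use `RowKey eq '$TemplateKey'`; the ConditionalAccess, ExConnector and GroupTemplate hunks below build the same filter and need the same treatment. `Write-Host "working on $($Template.value)"` is debug output that a `Write-LogMessage ... -Sev 'Debug'` would keep together with the tenant. Unlike the other standards in this series there is no try/catch visible inside this foreach, so one failing template aborts the rest unless a handler exists outside the hunk.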
@@ -25,11 +18,11 @@ function Invoke-CIPPStandardTransportRuleTemplate {
 if ($Existing) {
 Write-Host 'Found existing'
 $RequestParams | Add-Member -NotePropertyValue $RequestParams.name -NotePropertyName Identity
- $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportRule' -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty UseLegacyRegex) -useSystemMailbox $true
+ $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportRule' -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty GUID, Comments, HasSenderOverride, ExceptIfHasSenderOverride, ExceptIfMessageContainsDataClassifications, MessageContainsDataClassifications) -useSystemMailbox $true
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully set transport rule for $tenant" -sev 'Info'
 } else {
 Write-Host 'Creating new'
- $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'New-TransportRule' -cmdParams $RequestParams -useSystemMailbox $true
+ $GraphRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'New-TransportRule' -cmdParams ($RequestParams | Select-Object -Property * -ExcludeProperty GUID, Comments, HasSenderOverride, ExceptIfHasSenderOverride, ExceptIfMessageContainsDataClassifications, MessageContainsDataClassifications) -useSystemMailbox $true
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully created transport rule for $tenant" -sev 'Info'
 }
From 03c5c8f4d6e777829acd5367b67e9ffd671d86a6 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Mon, 11 Dec 2023 01:16:34 +0100
Subject: [PATCH 71/78] fixes for new standards
---
 .../Invoke-CIPPStandardConditionalAccess.ps1 | 8 ++------
 .../Standards/Invoke-CIPPStandardExConnector.ps1 | 7 +------
 .../Standards/Invoke-CIPPStandardGroupTemplate.ps1 | 11 ++--------
 3 files changed, 5 insertions(+), 21 deletions(-)
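Review bot: The six-name `-ExcludeProperty` list is duplicated verbatim in the Set-TransportRule and New-TransportRule calls and the two copies will drift the next time a property has to be excluded; hoist it once before the `if`, `$ExcludedParams = 'GUID', 'Comments', 'HasSenderOverride', 'ExceptIfHasSenderOverride', 'ExceptIfMessageContainsDataClassifications', 'MessageContainsDataClassifications'` and `$CmdParams = $RequestParams | Select-Object -Property * -ExcludeProperty $ExcludedParams`, then pass `-cmdParams $CmdParams` in both branches. A one-line comment on why these six are dropped (presumably read-only or not accepted by New/Set-TransportRule — confirm) would spare the next reader the archaeology. `$GraphRequest` is assigned in both branches but never read.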
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1
index 7b2512866db8..838a3c0efbbc 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccess.ps1
@@ -5,15 +5,11 @@ function Invoke-CIPPStandardConditionalAccess {
 #>
 param($Tenant, $Settings)
 If ($Settings.remediate) {
- $ConfigTable = Get-CippTable -tablename 'standards'
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ConditionalAccess
- if (!$Setting) {
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ConditionalAccess
- }
+ $APINAME = 'Standards'
- foreach ($Template in $Setting.TemplateList) {
+ foreach ($Template in $Settings.TemplateList) {
 try {
 $Table = Get-CippTable -tablename 'templates'
 $Filter = "PartitionKey eq 'CATemplate' and RowKey eq '$($Template.value)'"
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1
index 066dbf59af17..9182323cda87 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExConnector.ps1
@@ -6,13 +6,8 @@ function Invoke-CIPPStandardExConnector {
 param($Tenant, $Settings)
 If ($Settings.remediate) {
- $ConfigTable = Get-CippTable -tablename 'standards'
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.ExConnector
- if (!$Setting) {
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.ExConnector
- }
 $APINAME = 'Standards'
- foreach ($Template in $Setting.TemplateList) {
+ foreach ($Template in $Settings.TemplateList) {
 try {
 $Table = Get-CippTable -tablename 'templates'
 $Filter = "PartitionKey eq 'ExConnectorTemplate' and RowKey eq '$($Template.value)'"
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1
index e7b31b2cb288..f07e54320d72 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1
@@ -6,19 +6,12 @@ function Invoke-CIPPStandardGroupTemplate {
 param($Tenant, $Settings)
 If ($Settings.remediate) {
-
- $ConfigTable = Get-CippTable -tablename 'standards'
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq '$tenant'").JSON | ConvertFrom-Json).standards.GroupTemplate
- if (!$Setting) {
- $Setting = ((Get-AzDataTableEntity @ConfigTable -Filter "PartitionKey eq 'standards' and RowKey eq 'AllTenants'").JSON | ConvertFrom-Json).standards.GroupTemplate
- }
-
- foreach ($Template in $Setting.TemplateList) {
+ foreach ($Template in $Settings.TemplateList) {
 try {
 $Table = Get-CippTable -tablename 'templates'
 $Filter = "PartitionKey eq 'GroupTemplate' and RowKey eq '$($Template.value)'"
 $groupobj = (Get-AzDataTableEntity @Table -Filter $Filter).JSON | ConvertFrom-Json
- $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($Tenant, $Settings)" }
+ $email = if ($groupobj.domain) { "$($groupobj.username)@$($groupobj.domain)" } else { "$($groupobj.username)@$($Tenant)" }
 $CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant | Where-Object -Property displayName -EQ $groupobj.displayname
 if (!$CheckExististing) {
 if ($groupobj.groupType -in 'Generic', 'azurerole', 'dynamic') {
From 9853f9dba8c16d6bbd0572931c7795c083ed39d8 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Mon, 11 Dec 2023 01:58:17 +0100
Subject: [PATCH 72/78] fix assign policies
---
 .../Entrypoints/Invoke-ExecAssignPolicy.ps1 | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignPolicy.ps1
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignPolicy.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignPolicy.ps1
new file mode 100644
index 000000000000..ae866ed3f485
--- /dev/null
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignPolicy.ps1
@@ -0,0 +1,39 @@
+using namespace System.Net
+
+Function Invoke-ExecAssignPolicy {
+ <#
+ .FUNCTIONALITY
+ Entrypoint
+ #>
+ [CmdletBinding()]
+ param($Request, $TriggerMetadata)
+
+ $APIName = $TriggerMetadata.FunctionName
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+
+ $Tenant = $request.query.tenantfilter
+ $ID = $request.query.id
+ $displayname = $request.query.Displayname
+ $AssignTo = if ($request.query.Assignto -ne 'on') { $request.query.Assignto }
+
+ $results = try {
+ if ($AssignTo) {
+ $assign = Set-CIPPAssignedPolicy -PolicyId $ID -TenantFilter $tenant -GroupName $AssignTo -Type $Request.query.Type
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Assigned policy $($Displayname) to $AssignTo" -Sev 'Info'
+ }
+ "Successfully edited policy for $($Tenant)"
+ } catch {
+ "Failed to add policy for $($Tenant): $($_.Exception.Message)"
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($Tenant) -message "Failed editing policy $($Displayname). Error:$($_.Exception.Message)" -Sev 'Error'
+ continue
+ }
+
+ $body = [pscustomobject]@{'Results' = $results }
+
+ # Associate values to output bindings by calling 'Push-OutputBinding'.
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = [HttpStatusCode]::OK
+ Body = $body
+ })
+
+}
From cc4d8c8c4f4a2a7d4e8b1fb62212077b3c1a7b93 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Mon, 11 Dec 2023 12:31:18 +0100
Subject: [PATCH 73/78] try catch for sharepoint
---
 .../Invoke-ListSharepointQuota.ps1 | 68 ++++++++++---------
 1 file changed, 36 insertions(+), 32 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSharepointQuota.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSharepointQuota.ps1
index 6efbb47e7e96..b1a7dc2236ab 100644
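Review bot: `continue` inside the catch is not within any loop in this function, so on an error PowerShell unwinds to the caller's nearest loop or ends the script, and `Push-OutputBinding` is most likely never reached — the client gets no Results body precisely when it needs the failure text. Drop the `continue`; the catch already emits the failure string into `$results`. `$Request.query.Type` is forwarded unchanged to `Set-CIPPAssignedPolicy -Type`, where it becomes a segment of the Graph path (`deviceManagement/$Type(...)/assign`); validate it against the short allow-list of Intune resource types this endpoint is meant to handle before the call, e.g. `if ($Request.query.Type -notin $AllowedPolicyTypes) { throw "Unsupported policy type '$($Request.query.Type)'" }`. `$assign` captures Set-CIPPAssignedPolicy's return string but is never read, and the response is `[HttpStatusCode]::OK` even when the catch ran; return `BadRequest` on failure so callers can distinguish the two.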
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSharepointQuota.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSharepointQuota.ps1
@@ -1,6 +1,6 @@
- using namespace System.Net
+using namespace System.Net
- Function Invoke-ListSharepointQuota {
+Function Invoke-ListSharepointQuota {
 <#
 .FUNCTIONALITY
 Entrypoint
@@ -8,43 +8,47 @@
 [CmdletBinding()]
 param($Request, $TriggerMetadata)
- $APIName = $TriggerMetadata.FunctionName
-Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+ $APIName = $TriggerMetadata.FunctionName
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
-# Write to the Azure Functions log stream.
-Write-Host 'PowerShell HTTP trigger function processed a request'
+ # Write to the Azure Functions log stream.
+ Write-Host 'PowerShell HTTP trigger function processed a request'
-# Interact with query parameters or the body of the request.
-$TenantFilter = $Request.Query.TenantFilter
+ # Interact with query parameters or the body of the request.
+ $TenantFilter = $Request.Query.TenantFilter
-if ($Request.Query.TenantFilter -eq 'AllTenants') {
- $UsedStoragePercentage = 'Not Supported'
-} else {
- $tenantName = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter | Where-Object { $_.isInitial -eq $true }).id.Split('.')[0]
+ if ($Request.Query.TenantFilter -eq 'AllTenants') {
+ $UsedStoragePercentage = 'Not Supported'
+ } else {
+ try {
+ $tenantName = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter | Where-Object { $_.isInitial -eq $true }).id.Split('.')[0]
- $sharepointToken = (Get-GraphToken -scope "https://$($tenantName)-admin.sharepoint.com/.default" -tenantid $TenantFilter)
- $sharepointToken.Add('accept', 'application/json')
- # Implement a try catch later to deal with sharepoint guest user settings
- $sharepointQuota = (Invoke-RestMethod -Method 'GET' -Headers $sharepointToken -Uri "https://$($tenantName)-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2" -ErrorAction Stop).value | Sort-Object -Property GeoUsedStorageMB -Descending | Select-Object -First 1
+ $sharepointToken = (Get-GraphToken -scope "https://$($tenantName)-admin.sharepoint.com/.default" -tenantid $TenantFilter)
+ $sharepointToken.Add('accept', 'application/json')
+ # Implement a try catch later to deal with sharepoint guest user settings
+ $sharepointQuota = (Invoke-RestMethod -Method 'GET' -Headers $sharepointToken -Uri "https://$($tenantName)-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2" -ErrorAction Stop).value | Sort-Object -Property GeoUsedStorageMB -Descending | Select-Object -First 1
- if ($sharepointQuota) {
- $UsedStoragePercentage = [int](($sharepointQuota.GeoUsedStorageMB / $sharepointQuota.TenantStorageMB) * 100)
+ if ($sharepointQuota) {
+ $UsedStoragePercentage = [int](($sharepointQuota.GeoUsedStorageMB / $sharepointQuota.TenantStorageMB) * 100)
+ }
+ } catch {
+ $UsedStoragePercentage = 'Not available'
+ }
 }
-}
-$sharepointQuotaDetails = @{
- GeoUsedStorageMB = $sharepointQuota.GeoUsedStorageMB
- TenantStorageMB = $sharepointQuota.TenantStorageMB
- Percentage = $UsedStoragePercentage
- Dashboard = "$($UsedStoragePercentage) / 100"
-}
+ $sharepointQuotaDetails = @{
+ GeoUsedStorageMB = $sharepointQuota.GeoUsedStorageMB
+ TenantStorageMB =  $sharepointQuota.TenantStorageMB
+ Percentage = $UsedStoragePercentage
+ Dashboard = "$($UsedStoragePercentage) / 100"
+ }
-$StatusCode = [HttpStatusCode]::OK
+ $StatusCode = [HttpStatusCode]::OK
-# Associate values to output bindings by calling 'Push-OutputBinding'.
-Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
- StatusCode = $StatusCode
- Body = $sharepointQuotaDetails
- })
+ # Associate values to output bindings by calling 'Push-OutputBinding'.
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = $StatusCode
+ Body = $sharepointQuotaDetails
+ })
- }
+}
From a0c83e49ca27322938ddcd3511ec43add6144623 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Mon, 11 Dec 2023 12:33:52 +0100
Subject: [PATCH 74/78] add try catch to dashboard to prevent errors
---
 .../CIPPCore/Public/Entrypoints/Invoke-ListUserCounts.ps1 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserCounts.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserCounts.ps1
index f94a0a79027c..137a9c8cc902 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserCounts.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListUserCounts.ps1
@@ -23,10 +23,10 @@ Function Invoke-ListUserCounts {
 $GAs = 'Not Supported'
 $Guests = 'Not Supported'
 } else {
- $Users = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$count=true&`$top=1" -CountOnly -ComplexFilter -tenantid $TenantFilter
- $LicUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$count=true&`$top=1&`$filter=assignedLicenses/`$count ne 0" -CountOnly -ComplexFilter -tenantid $TenantFilter
- $GAs = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members?`$count=true" -CountOnly -ComplexFilter -tenantid $TenantFilter
- $guests = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$count=true&`$top=1&`$filter=userType eq 'Guest'" -CountOnly -ComplexFilter -tenantid $TenantFilter
+ try { $Users = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$count=true&`$top=1" -CountOnly -ComplexFilter -tenantid $TenantFilter } catch { $Users = 'Not available' }
+ try { $LicUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$count=true&`$top=1&`$filter=assignedLicenses/`$count ne 0" -CountOnly -ComplexFilter -tenantid $TenantFilter } catch { $Licusers = 'Not available' }
+ try { $GAs = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members?`$count=true" -CountOnly -ComplexFilter -tenantid $TenantFilter } catch { $Gas = 'Not available' }
+ try { $guests = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$count=true&`$top=1&`$filter=userType eq 'Guest'" -CountOnly -ComplexFilter -tenantid $TenantFilter } catch { $Guests = 'Not available' }
 }
 $StatusCode = [HttpStatusCode]::OK
 $Counts = @{
From 572aeaf1b993ee759e4023e849b9f380d645f361 Mon Sep 17 00:00:00 2001
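Review bot: The four one-line try/catch blocks swallow the Graph error without logging, so a tenant whose dashboard reads 'Not available' across the board leaves no trace of why (expired consent, missing permission, throttling); a `Write-LogMessage -API $APIName -tenant $TenantFilter -message "User count query failed: $($_.Exception.Message)" -Sev 'Error'` in each catch keeps the dashboard resilient and still observable (hedged: `$APIName` is assigned outside this hunk in the other entrypoints of this series). The catch branches assign `$Licusers` and `$Gas` while the try blocks assign `$LicUsers` and `$GAs`; PowerShell variable names are case-insensitive so this works, but matching the casing avoids a reader assuming two different variables are in play.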
From: KelvinTegelaar
Date: Mon, 11 Dec 2023 12:55:36 +0100
Subject: [PATCH 75/78] created new apenrollment function
---
 .../Entrypoints/Invoke-AddEnrollment.ps1 | 33 +-------
 .../Public/Set-CIPPDefaultAPEnrollment.ps1 | 45 +++++++++++++++++++
 2 files changed, 46 insertions(+), 32 deletions(-)
 create mode 100644 Modules/CIPPCore/Public/Set-CIPPDefaultAPEnrollment.ps1
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddEnrollment.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddEnrollment.ps1
index 196c0e1dca26..f74ce07857d1 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddEnrollment.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddEnrollment.ps1
@@ -19,38 +19,7 @@ Function Invoke-AddEnrollment {
 $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
 $Profbod = $Request.body
 $results = foreach ($Tenant in $tenants) {
- try {
- $ObjBody = [pscustomobject]@{
- '@odata.type' = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
- 'id' = 'DefaultWindows10EnrollmentCompletionPageConfiguration'
- 'displayName' = 'All users and all devices'
- 'description' = 'This is the default enrollment status screen configuration applied with the lowest priority to all users and all devices regardless of group membership.'
- 'showInstallationProgress' = [bool]$Profbod.ShowProgress
- 'blockDeviceSetupRetryByUser' = [bool]$Profbod.blockDevice
- 'allowDeviceResetOnInstallFailure' = [bool]$Profbod.AllowReset
- 'allowLogCollectionOnInstallFailure' = [bool]$Profbod.EnableLog
- 'customErrorMessage' = $Profbod.ErrorMessage
- 'installProgressTimeoutInMinutes' = $Profbod.TimeOutInMinutes
- 'allowDeviceUseOnInstallFailure' = [bool]$Profbod.AllowFail
- 'selectedMobileAppIds' = @()
- 'trackInstallProgressForAutopilotOnly' = [bool]$Profbod.OBEEOnly
- 'disableUserStatusTrackingAfterFirstUser' = $true
- 'roleScopeTagIds' = @()
- }
- $Body = ConvertTo-Json -InputObject $ObjBody
- Write-Host $body
- $ExistingStatusPage = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations' -tenantid $Tenant) | Where-Object { $_.id -like '*DefaultWindows10EnrollmentCompletionPageConfiguration' }
- $GraphRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($ExistingStatusPage.ID)" -body $body -Type PATCH -tenantid $tenant
- "Successfully changed default enrollment status page for $($Tenant)"
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Added Autopilot Enrollment Status Page $($Displayname)" -Sev 'Info'
-
- }
- catch {
- "Failed to change default enrollment status page for $($Tenant): $($_.Exception.Message)"
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message "Failed adding Autopilot Enrollment Status Page $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error'
- continue
- }
-
+ Set-CIPPDefaultAPEnrollment -TenantFilter $Tenant -ShowProgress $Profbod.ShowProgress -BlockDevice $Profbod.blockDevice -AllowReset $Profbod.AllowReset -EnableLog $Profbod.EnableLog -ErrorMessage $Profbod.ErrorMessage -TimeOutInMinutes $Profbod.TimeOutInMinutes -AllowFail $Profbod.AllowFail -OBEEOnly $Profbod.OBEEOnly
 }
 $body = [pscustomobject]@{'Results' = $results }
diff --git a/Modules/CIPPCore/Public/Set-CIPPDefaultAPEnrollment.ps1 b/Modules/CIPPCore/Public/Set-CIPPDefaultAPEnrollment.ps1
new file mode 100644
index 000000000000..3c3f21eeceab
--- /dev/null
+++ b/Modules/CIPPCore/Public/Set-CIPPDefaultAPEnrollment.ps1
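Review bot: The new `Set-CIPPDefaultAPEnrollment` call passes neither `-ExecutingUser` nor `-APIName`, so the audit entries that the removed inline code wrote with `$request.headers.'x-ms-client-principal'` under this entrypoint's `$APINAME` now record no principal and the helper's default API name. Append `-ExecutingUser $request.headers.'x-ms-client-principal' -APIName $APINAME` to the call. The handling of `$results` and `$body` continues outside the hunk.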
@@ -0,0 +1,45 @@
+function Set-CIPPDefaultAPEnrollment {
+ [CmdletBinding()]
+ param(
+ $TenantFilter,
+ $ShowProgress,
+ $BlockDevice,
+ $AllowReset,
+ $EnableLog,
+ $ErrorMessage,
+ $TimeOutInMinutes,
+ $AllowFail,
+ $OBEEOnly,
+ $ExecutingUser,
+ $APIName = 'Add Default Enrollment Status Page'
+ )
+ try {
+ $ObjBody = [pscustomobject]@{
+ '@odata.type' = '#microsoft.graph.windows10EnrollmentCompletionPageConfiguration'
+ 'id' = 'DefaultWindows10EnrollmentCompletionPageConfiguration'
+ 'displayName' = 'All users and all devices'
+ 'description' = 'This is the default enrollment status screen configuration applied with the lowest priority to all users and all devices regardless of group membership.'
+ 'showInstallationProgress' = [bool]$ShowProgress
+ 'blockDeviceSetupRetryByUser' = [bool]$blockDevice
+ 'allowDeviceResetOnInstallFailure' = [bool]$AllowReset
+ 'allowLogCollectionOnInstallFailure' = [bool]$EnableLog
+ 'customErrorMessage' = "$ErrorMessage"
+ 'installProgressTimeoutInMinutes' = $TimeOutInMinutes
+ 'allowDeviceUseOnInstallFailure' = [bool]$AllowFail
+ 'selectedMobileAppIds' = @()
+ 'trackInstallProgressForAutopilotOnly' = [bool]$OBEEOnly
+ 'disableUserStatusTrackingAfterFirstUser' = $true
+ 'roleScopeTagIds' = @()
+ }
+ $Body = ConvertTo-Json -InputObject $ObjBody
+ $ExistingStatusPage = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations' -tenantid $($TenantFilter)) | Where-Object { $_.id -like '*DefaultWindows10EnrollmentCompletionPageConfiguration' }
+ $GraphRequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/$($ExistingStatusPage.ID)" -body $body -Type PATCH -tenantid $($TenantFilter)
+ "Successfully changed default enrollment status page for $($($TenantFilter))"
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($TenantFilter) -message "Added Autopilot Enrollment Status Page 
$($Displayname)" -Sev 'Info' + + } catch { + "Failed to change default enrollment status page for $($($TenantFilter)): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($TenantFilter) -message "Failed adding Autopilot Enrollment Status Page $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error' + continue + } +} From 4c8972f8c57d45e11652335b204b3de761666a34 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 11 Dec 2023 13:06:59 +0100 Subject: [PATCH 76/78] add function for autopilotconfig --- .../Entrypoints/Invoke-AddAutopilotConfig.ps1 | 38 +------------ .../Set-CIPPDefaultAPDeploymentProfile.ps1 | 55 +++++++++++++++++++ 2 files changed, 56 insertions(+), 37 deletions(-) create mode 100644 Modules/CIPPCore/Public/Set-CIPPDefaultAPDeploymentProfile.ps1 diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAutopilotConfig.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAutopilotConfig.ps1 index cb50e36fc054..96208b3674f8 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAutopilotConfig.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-AddAutopilotConfig.ps1 
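Review bot: `$ExecutingUser` is declared but never used; both Write-LogMessage calls pass `-user $request.headers.'x-ms-client-principal'`, and `$request` is not a parameter of this function, so when it is called outside an HTTP entrypoint the audit record's user field is whatever that expression resolves to in the caller's scope — presumably empty. `$Displayname` in the message text is likewise not a parameter of this function. Change both log calls to `-user $ExecutingUser` and drop or replace `$($Displayname)` in the messages. The `continue` in the catch block is not inside any loop in this function; PowerShell propagates it up the call stack to the nearest enclosing loop, which is not what a helper should do, so `return` (or nothing) is the intended effect. Also, when the Where-Object lookup finds no existing page, `$ExistingStatusPage.ID` is empty and the PATCH goes to the collection URL; a guard such as `if (-not $ExistingStatusPage) { throw 'Default enrollment status page not found' }` before the PATCH gives a clearer failure.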
@@ -24,43 +24,7 @@ Function Invoke-AddAutopilotConfig {
 $usertype = if ($Profbod.NotLocalAdmin -eq 'true') { 'standard' } else { 'administrator' }
 $DeploymentMode = if ($profbod.DeploymentMode -eq 'true') { 'shared' } else { 'singleUser' }
 $results = foreach ($Tenant in $tenants) {
- try {
- $ObjBody = [pscustomobject]@{
- '@odata.type' = '#microsoft.graph.azureADWindowsAutopilotDeploymentProfile'
- 'displayName' = "$($displayname)"
- 'description' = "$($description)"
- 'deviceNameTemplate' = "$($profbod.DeviceNameTemplate)"
- 'language' = 'os-default'
- 'enableWhiteGlove' = $([bool]($profbod.allowWhiteGlove))
- 'deviceType' = 'windowsPc'
- 'extractHardwareHash' = $([bool]($profbod.CollectHash))
- 'roleScopeTagIds' = @()
- 'hybridAzureADJoinSkipConnectivityCheck' = $false
- 'outOfBoxExperienceSettings' = @{
- 'deviceUsageType' = "$DeploymentMode"
- 'hideEscapeLink' = $([bool]($Profbod.hideChangeAccount))
- 'hidePrivacySettings' = $([bool]($Profbod.hidePrivacy))
- 'hideEULA' = $([bool]($Profbod.hideTerms))
- 'userType' = "$usertype"
- 'skipKeyboardSelectionPage' = $([bool]($Profbod.Autokeyboard))
- }
- }
- $Body = ConvertTo-Json -InputObject $ObjBody
- $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles' -body $body -tenantid $Tenant
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Added Autopilot profile $($Displayname)" -Sev 'Info'
- if ($AssignTo) {
- $AssignBody = '{"target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}}'
- $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles/$($GraphRequest.id)/assignments" -tenantid $Tenant -type POST -body $AssignBody
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Assigned autopilot profile $($Displayname) to $AssignTo" -Sev 'Info'
- }
- "Successfully added profile for $($Tenant)"
- }
- catch {
- "Failed to add profile for $($Tenant): $($_.Exception.Message)"
- Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenant) -message "Failed adding Autopilot Profile $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error'
- continue
- }
-
+ Set-CIPPDefaultAPDeploymentProfile -tenantFilter $tenant -displayname $displayname -description $description -usertype $usertype -DeploymentMode $DeploymentMode -assignto $AssignTo -devicenameTemplate $Profbod.deviceNameTemplate -allowWhiteGlove $Profbod.allowWhiteGlove -CollectHash $Profbod.collectHash -hideChangeAccount $Profbod.hideChangeAccount -hidePrivacy $Profbod.hidePrivacy -hideTerms $Profbod.hideTerms -Autokeyboard $Profbod.Autokeyboard
 }
 $body = [pscustomobject]@{'Results' = $results }
diff --git a/Modules/CIPPCore/Public/Set-CIPPDefaultAPDeploymentProfile.ps1 b/Modules/CIPPCore/Public/Set-CIPPDefaultAPDeploymentProfile.ps1
new file mode 100644
index 000000000000..61c83df49175
--- /dev/null
+++ b/Modules/CIPPCore/Public/Set-CIPPDefaultAPDeploymentProfile.ps1
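Review bot: This call passes neither `-ExecutingUser` nor `-APIName` to Set-CIPPDefaultAPDeploymentProfile, although the removed lines attributed every log entry to `$request.headers.'x-ms-client-principal'` and `$APIName`; unless the caller's variables happen to be visible in the callee's scope, the audit trail for profile creation changes silently. Suggest `Set-CIPPDefaultAPDeploymentProfile -tenantFilter $tenant -ExecutingUser $request.headers.'x-ms-client-principal' -APIName $APIName -displayname $displayname ...` with the remaining arguments as they are. `$AssignTo` is computed before this hunk, so I cannot see whether it can arrive as a non-empty string such as `'false'`; the helper treats any truthy value as a request to assign the profile to all devices, so it is worth confirming at the call site. Invoke-AddAutopilotConfig starts before this hunk.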
@@ -0,0 +1,55 @@
+function Set-CIPPDefaultAPDeploymentProfile {
+ [CmdletBinding()]
+ param(
+ $tenantFilter,
+ $displayname,
+ $description,
+ $devicenameTemplate,
+ $allowWhiteGlove,
+ $CollectHash,
+ $usertype,
+ $DeploymentMode,
+ $hideChangeAccount,
+ $assignTo,
+ $hidePrivacy,
+ $hideTerms,
+ $Autokeyboard,
+ $ExecutingUser,
+ $APIName = 'Add Default Enrollment Status Page'
+ )
+ try {
+ $ObjBody = [pscustomobject]@{
+ '@odata.type' = '#microsoft.graph.azureADWindowsAutopilotDeploymentProfile'
+ 'displayName' = "$($displayname)"
+ 'description' = "$($description)"
+ 'deviceNameTemplate' = "$($DeviceNameTemplate)"
+ 'language' = 'os-default'
+ 'enableWhiteGlove' = $([bool]($allowWhiteGlove))
+ 'deviceType' = 'windowsPc'
+ 'extractHardwareHash' = $([bool]($CollectHash))
+ 'roleScopeTagIds' = @()
+ 'hybridAzureADJoinSkipConnectivityCheck' = $false
+ 'outOfBoxExperienceSettings' = @{
+ 'deviceUsageType' = "$DeploymentMode"
+ 'hideEscapeLink' = $([bool]($hideChangeAccount))
+ 'hidePrivacySettings' = $([bool]($hidePrivacy))
+ 'hideEULA' = $([bool]($hideTerms))
+ 'userType' = "$usertype"
+ 'skipKeyboardSelectionPage' = $([bool]($Autokeyboard))
+ }
+ }
+ $Body = ConvertTo-Json -InputObject $ObjBody
+ $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles' -body $body -tenantid $tenantfilter
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenantfilter) -message "Added Autopilot profile $($Displayname)" -Sev 'Info'
+ if ($AssignTo) {
+ $AssignBody = '{"target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}}'
+ $assign = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles/$($GraphRequest.id)/assignments" -tenantid $tenantfilter -type POST -body $AssignBody
+ Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenantfilter) -message "Assigned 
autopilot profile $($Displayname) to $AssignTo" -Sev 'Info' + } + "Successfully added profile for $($tenantfilter)" + } catch { + "Failed to add profile for $($tenantfilter): $($_.Exception.Message)" + Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenantfilter) -message "Failed adding Autopilot Profile $($Displayname). Error: $($_.Exception.Message)" -Sev 'Error' + continue + } +} From 9841756857dee0c8efd0ec483d00790f62027c0d Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Mon, 11 Dec 2023 13:33:44 +0100 Subject: [PATCH 77/78] add standards --- .../Set-CIPPDefaultAPDeploymentProfile.ps1 | 1 + .../Standards/Invoke-CIPPStandardAPConfig.ps1 | 21 +++++++++++++++++++ .../Standards/Invoke-CIPPStandardAPESP.ps1 | 17 +++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPConfig.ps1 create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPESP.ps1 diff --git a/Modules/CIPPCore/Public/Set-CIPPDefaultAPDeploymentProfile.ps1 b/Modules/CIPPCore/Public/Set-CIPPDefaultAPDeploymentProfile.ps1 index 61c83df49175..f3c488a4e805 100644 --- a/Modules/CIPPCore/Public/Set-CIPPDefaultAPDeploymentProfile.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPDefaultAPDeploymentProfile.ps1 @@ -39,6 +39,7 @@ function Set-CIPPDefaultAPDeploymentProfile { } } $Body = ConvertTo-Json -InputObject $ObjBody + Write-Host $Body $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles' -body $body -tenantid $tenantfilter Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APIName -tenant $($tenantfilter) -message "Added Autopilot profile $($Displayname)" -Sev 'Info' if ($AssignTo) { diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPConfig.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPConfig.ps1 new file mode 100644 index 000000000000..652c5611b5f8 --- /dev/null 
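Review bot: `if ($AssignTo)` turns any non-empty value — including the string `'false'` — into a tenant-wide `allDevicesAssignmentTarget` assignment, while the log line reports it as assigned "to $AssignTo"; assuming callers send a boolean-like value, compare explicitly, e.g. `if ("$AssignTo" -eq 'true') {`. `$ExecutingUser` is declared but unused and both log calls read `$request.headers.'x-ms-client-principal'`, which is not a parameter of this function, so callers without an HTTP request context presumably produce audit entries with no user; use `-user $ExecutingUser`. The `$APIName` default `'Add Default Enrollment Status Page'` looks copied from the ESP helper and misattributes log entries from any caller that omits `-APIName`. `continue` in the catch block is outside any loop in this function and PowerShell propagates it up to the caller's loop; `return` is the intended effect.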
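Review bot: `Write-Host $Body` writes the full deployment-profile JSON (display name, description, device name template, OOBE settings) to the function host output on every call, which reads like a leftover debugging aid rather than intentional logging. If it is meant to stay, `Write-Verbose $Body` keeps it silent unless `-Verbose` is requested; otherwise remove it before release. The enclosing function Set-CIPPDefaultAPDeploymentProfile starts and ends outside this hunk.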
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPConfig.ps1
@@ -0,0 +1,21 @@
+function Invoke-CIPPStandardAPConfig {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ If ($Settings.remediate) {
+
+
+ $APINAME = 'Standards'
+ try {
+ Write-Host $($settings | ConvertTo-Json -Depth 100)
+ if ($settings.NotLocalAdmin -eq $true) { $usertype = 'Standard' } else { $usertype = 'Administrator' }
+ $DeploymentMode = if ($settings.DeploymentMode -eq 'true') { 'shared' } else { 'singleUser' }
+ Set-CIPPDefaultAPDeploymentProfile -tenantFilter $tenant -displayname $settings.DisplayName -description $settings.Description -usertype $usertype -DeploymentMode $DeploymentMode -assignto $settings.AssignTo -devicenameTemplate $Settings.DeviceNameTemplate -allowWhiteGlove $Settings.allowWhiteGlove -CollectHash $Settings.CollectHash -hideChangeAccount $Settings.HideChangeAccount -hidePrivacy $Settings.HidePrivacy -hideTerms $Settings.HideTerms -Autokeyboard $Settings.Autokeyboard
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create Default Autopilot config: $($_.exception.message)" -sev 'Error'
+ }
+
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPESP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPESP.ps1
new file mode 100644
index 000000000000..8eba3f5ffa1d
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAPESP.ps1
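Review bot: The user-type selection fails open: `$usertype` becomes `'Administrator'` whenever `$settings.NotLocalAdmin` is not exactly true, so a missing or mistyped setting grants local admin to every Autopilot-enrolled user. If an unset value is meant to be "not configured" rather than "grant admin", invert the default (`if ($settings.NotLocalAdmin -eq $false) { $usertype = 'Administrator' } else { $usertype = 'Standard' }`); if admin is intentionally the default, a comment saying so would stop the next reader from "fixing" it. The values are capitalised here (`'Standard'`/`'Administrator'`) while Invoke-AddAutopilotConfig sends `'standard'`/`'administrator'`; Graph's enum handling may tolerate the case, but aligning them avoids depending on that. `Write-Host $($settings | ConvertTo-Json -Depth 100)` dumps the entire standards settings object to the host log on every run and reads like a leftover debugging aid. `$APINAME = 'Standards'` is assigned but never passed to the helper, whose default API name is the ESP one, so the helper's audit entries will be filed under `'Add Default Enrollment Status Page'`.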
@@ -0,0 +1,17 @@
+function Invoke-CIPPStandardAPESP {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+ If ($Settings.remediate) {
+ $APINAME = 'Standards'
+ try {
+ Set-CIPPDefaultAPEnrollment -TenantFilter $Tenant -ShowProgress $Settings.ShowProgress -BlockDevice $Settings.blockDevice -AllowReset $Settings.AllowReset -EnableLog $Settings.EnableLog -ErrorMessage $Settings.ErrorMessage -TimeOutInMinutes $Settings.TimeOutInMinutes -AllowFail $Settings.AllowFail -OBEEOnly $Settings.OBEEOnly
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create default Autopilot Enrollment: $($_.exception.message)" -sev 'Error'
+ }
+ }
+
+
+}
\ No newline at end of file
From 67f9d532d82f22a15c56d4187dbfef4f3c0f320e Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Mon, 11 Dec 2023 13:45:53 +0100
Subject: [PATCH 78/78] version up
---
version_latest.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_latest.txt b/version_latest.txt
index 5ca7df98c441..6ca6df113f09
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-4.7.4
\ No newline at end of file
+4.8.0
\ No newline at end of file
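Review bot: `$APINAME = 'Standards'` is assigned but never passed, and no `-ExecutingUser` is supplied, so the audit entries the helper writes for this standards run carry the helper's default API name and whatever `$request.headers.'x-ms-client-principal'` resolves to outside an HTTP context — presumably nothing. Pass `-APIName $APINAME` and an `-ExecutingUser` value that identifies the standards runner. The try/catch here also cannot observe a Graph failure, because the helper catches everything itself and emits a "Failed…" string instead of throwing; that string becomes this function's pipeline output and is never logged under 'Standards'. Since the helper's catch ends with `continue` and this function has no loop, a failure may additionally unwind past this function rather than returning to it.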