Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev

KelvinTegelaar · KelvinTegelaar · commit 187b2e18c3c1 · 2026-03-09T14:45:38.000+01:00
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1
@@ -18,31 +18,63 @@ function Get-CIPPAlertMFAAdmins {
             }
         }
         if (!$DuoActive) {
-            $Users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
-                Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+            $MFAReport = try { Get-CIPPMFAStateReport -TenantFilter $TenantFilter } catch { $null }
+            $IncludeDisabled = [System.Convert]::ToBoolean($InputValue)
 
-            # Filter out JIT admins if any users were found
-            if ($Users) {
+            # Check 1: Admins with no MFA registered — prefer cache, fall back to live Graph
+            $Users = if ($MFAReport) {
+                $MFAReport | Where-Object { $_.IsAdmin -eq $true -and $_.MFARegistration -eq $false -and ($IncludeDisabled -or $_.AccountEnabled -eq $true) }
+            } else {
+                New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
+                    Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' } |
+                    Select-Object @{n = 'ID'; e = { $_.id } }, @{n = 'UPN'; e = { $_.userPrincipalName } }, @{n = 'DisplayName'; e = { $_.userDisplayName } }
+            }
+
+            # Check 2: Admins with MFA registered but no enforcement.
+            # I hate how this ended up looking, but I couldn't think of a better way to do it ¯\_(ツ)_/¯
+            $UnenforcedAdmins = $MFAReport | Where-Object {
+                $_.IsAdmin -eq $true -and
+                $_.MFARegistration -eq $true -and
+                ($IncludeDisabled -or $_.AccountEnabled -eq $true) -and
+                $_.PerUser -notin @('Enforced', 'Enabled') -and
+                $null -ne $_.CoveredBySD -and
+                $_.CoveredBySD -ne $true -and
+                $_.CoveredByCA -notlike 'Enforced*'
+            }
+
+            # Filter out JIT admins
+            if ($Users -or $UnenforcedAdmins) {
                 $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
                 $JITAdmins = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,$($Schema.id)&`$filter=$($Schema.id)/jitAdminEnabled eq true" -tenantid $TenantFilter -ComplexFilter
                 $JITAdminIds = $JITAdmins.id
-                $Users = $Users | Where-Object { $_.id -notin $JITAdminIds }
+                $Users = $Users | Where-Object { $_.ID -notin $JITAdminIds }
+                $UnenforcedAdmins = $UnenforcedAdmins | Where-Object { $_.ID -notin $JITAdminIds }
+            }
+
+            $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+            foreach ($user in $Users) {
+                $AlertData.Add([PSCustomObject]@{
+                        Message           = "Admin user $($user.DisplayName) ($($user.UPN)) does not have MFA registered."
+                        UserPrincipalName = $user.UPN
+                        DisplayName       = $user.DisplayName
+                        Id                = $user.ID
+                        Tenant            = $TenantFilter
+                    })
             }
 
-            if ($Users.UserPrincipalName) {
-                $AlertData = foreach ($user in $Users) {
-                    [PSCustomObject]@{
-                        Message           = "Admin user $($user.userDisplayName) ($($user.userPrincipalName)) does not have MFA registered."
-                        UserPrincipalName = $user.userPrincipalName
-                        DisplayName       = $user.userDisplayName
-                        Id                = $user.id
-                        LastUpdated       = $user.lastUpdatedDateTime
+            foreach ($user in $UnenforcedAdmins) {
+                $AlertData.Add([PSCustomObject]@{
+                        Message           = "Admin user $($user.DisplayName) ($($user.UPN)) has MFA registered but no enforcement method (Per-User MFA, Security Defaults, or Conditional Access) is active."
+                        UserPrincipalName = $user.UPN
+                        DisplayName       = $user.DisplayName
+                        Id                = $user.ID
                         Tenant            = $TenantFilter
-                    }
-                }
+                    })
+            }
 
+            if ($AlertData.Count -gt 0) {
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
-
             }
         } else {
             Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $TenantFilter -sev Info
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1
@@ -108,15 +108,15 @@ function Invoke-CIPPStandardAddDKIM {
     }
 
     # List of domains for each way to enable DKIM
-    $NewDomains = [string[]]@($AllDomains | Where-Object { $DKIM.Domain -notcontains $_ })
-    $SetDomains = [string[]]@($DKIM | Where-Object { $AllDomains -contains $_.Domain -and $_.Enabled -eq $false })
+    $NewDomains = $AllDomains | Where-Object { $DKIM.Domain -notcontains $_ }
+    $SetDomains = $DKIM | Where-Object { $AllDomains -contains $_.Domain -and $_.Enabled -eq $false }
 
     $MissingDKIM = [System.Collections.Generic.List[string]]::new()
     if ($null -ne $NewDomains) {
-        $MissingDKIM.AddRange($NewDomains)
+        $MissingDKIM.AddRange(@($NewDomains))
     }
     if ($null -ne $SetDomains) {
-        $MissingDKIM.AddRange($SetDomains.Domain)
+        $MissingDKIM.AddRange(@($SetDomains.Domain))
     }
 
     $CurrentValue = if ($MissingDKIM.Count -eq 0) { [PSCustomObject]@{'state' = 'Configured correctly' } } else { [PSCustomObject]@{'MissingDKIM' = $MissingDKIM } }

Original file line number	Diff line number	Diff line change
`@@ -108,15 +108,15 @@ function Invoke-CIPPStandardAddDKIM {`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`# List of domains for each way to enable DKIM`
`111`		`- $NewDomains = [string[]]@($AllDomains \| Where-Object { $DKIM.Domain -notcontains $_ })`
`112`		`- $SetDomains = [string[]]@($DKIM \| Where-Object { $AllDomains -contains $_.Domain -and $_.Enabled -eq $false })`
	`111`	`+ $NewDomains = $AllDomains \| Where-Object { $DKIM.Domain -notcontains $_ }`
	`112`	`+ $SetDomains = $DKIM \| Where-Object { $AllDomains -contains $_.Domain -and $_.Enabled -eq $false }`
`113`	`113`
`114`	`114`	`$MissingDKIM = [System.Collections.Generic.List[string]]::new()`
`115`	`115`	`if ($null -ne $NewDomains) {`
`116`		`- $MissingDKIM.AddRange($NewDomains)`
	`116`	`+ $MissingDKIM.AddRange(@($NewDomains))`
`117`	`117`	`}`
`118`	`118`	`if ($null -ne $SetDomains) {`
`119`		`- $MissingDKIM.AddRange($SetDomains.Domain)`
	`119`	`+ $MissingDKIM.AddRange(@($SetDomains.Domain))`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`$CurrentValue = if ($MissingDKIM.Count -eq 0) { [PSCustomObject]@{'state' = 'Configured correctly' } } else { [PSCustomObject]@{'MissingDKIM' = $MissingDKIM } }`