Merge remote-tracking branch 'upstream/dev' into dev

Author: JohnDuprey

Cache_SAMSetup/SAMManifest.json

@@ -11,6 +11,12 @@
     ]
   },
   "requiredResourceAccess": [
+    {
+			"resourceAppId": "aeb86249-8ea3-49e2-900b-54cc8e308f85",
+			"resourceAccess": [
+				{ "id": "fc946a4f-bc4d-413b-a090-b2c86113ec4f", "type": "Scope" }
+			]
+		},
     {
       "resourceAppId": "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd",
       "resourceAccess": [

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-ListScheduledItems.ps1

@@ -19,6 +19,11 @@ Function Invoke-ListScheduledItems {
         $HiddenTasks = $true
     }
     $Tasks = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'ScheduledTask'" | Where-Object { $_.Hidden -ne $HiddenTasks }
+    if ($Request.Query.Type) {
+        $tasks.Command
+        $Tasks = $Tasks | Where-Object { $_.command -eq $Request.Query.Type }
+    }
+    
     $AllowedTenants = Test-CIPPAccess -Request $Request -TenantList
     if ($AllowedTenants -notcontains 'AllTenants') {
         $Tasks = $Tasks | Where-Object -Property TenantId -In $AllowedTenants

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-ListGroupSenderAuthentication.ps1

@@ -0,0 +1,46 @@
+using namespace System.Net
+
+Function Invoke-ListGroupSenderAuthentication {
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $TriggerMetadata.FunctionName
+    Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    # Write to the Azure Functions log stream.
+    Write-Host 'PowerShell HTTP trigger function processed a request.'
+
+    # Interact with query parameters or the body of the request.
+
+    $TenantFilter = $Request.Query.TenantFilter
+    $groupid = $Request.query.groupid
+    $GroupType = $Request.query.Type
+
+    $params = @{
+        Identity = $groupid
+    }
+
+  
+    try {
+        switch ($GroupType) {
+            'Distribution List' {
+                Write-Host 'Checking DL'
+                $State = (New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-DistributionGroup' -cmdParams $params -UseSystemMailbox $true).RequireSenderAuthenticationEnabled 
+            }
+            'Microsoft 365' {
+                Write-Host 'Checking M365 Group'
+                $State = (New-ExoRequest -tenantid $TenantFilter -cmdlet 'get-unifiedgroup' -cmdParams $params -UseSystemMailbox $true).RequireSenderAuthenticationEnabled 
+                
+            }
+            default { $state = $true }
+        }
+
+    } catch {
+        $state = $true
+    }
+
+    # We flip the value because the API is asking if the group is allowed to receive external mail
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK 
+            Body       = @{ allowedToReceiveExternal = !$state }
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

@@ -156,7 +156,7 @@ Function Invoke-ExecJITAdmin {
 
         $DisableTaskBody = @{
             TenantFilter  = $Request.Body.TenantFilter
-            Name          = "JIT Admin (disable): $Username"
+            Name          = "JIT Admin ($($Request.Body.ExpireAction)): $Username"
             Command       = @{
                 value = 'Set-CIPPUserJITAdmin'
                 label = 'Set-CIPPUserJITAdmin'
@@ -177,7 +177,7 @@ Function Invoke-ExecJITAdmin {
             ScheduledTime = $Request.Body.EndDate
         }
         Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false
-        $Results.Add("Scheduling JIT Admin disable task for $Username")
+        $Results.Add("Scheduling JIT Admin $($Request.Body.ExpireAction) task for $Username")
         $Body = @{
             Results = @($Results)
         }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-ListAlertsQueue.ps1

@@ -20,7 +20,7 @@ Function Invoke-ListAlertsQueue {
     $WebhookRules = Get-CIPPAzDataTableEntity @WebhookTable
 
     $ScheduledTasks = Get-CIPPTable -TableName 'ScheduledTasks'
-    $ScheduledTasks = Get-CIPPAzDataTableEntity @ScheduledTasks | Where-Object { $_.hidden -eq $true }
+    $ScheduledTasks = Get-CIPPAzDataTableEntity @ScheduledTasks | Where-Object { $_.hidden -eq $true -and $_.command -like 'Get-CippAlert*' }
 
     $AllowedTenants = Test-CIPPAccess -Request $Request -TenantList
     $TenantList = Get-Tenants -IncludeErrors

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Conditional/Invoke-ListConditionalAccessPolicies.ps1

@@ -19,8 +19,6 @@ Function Invoke-ListConditionalAccessPolicies {
         param (
             [Parameter()]
             $ID,
-
-            [Parameter(Mandatory = $true)]
             $Locations
         )
         if ($id -eq 'All') {
@@ -39,8 +37,6 @@ Function Invoke-ListConditionalAccessPolicies {
         param (
             [Parameter()]
             $ID,
-
-            [Parameter(Mandatory = $true)]
             $RoleDefinitions
         )
         if ($id -eq 'All') {
@@ -59,8 +55,6 @@ Function Invoke-ListConditionalAccessPolicies {
         param (
             [Parameter()]
             $ID,
-
-            [Parameter(Mandatory = $true)]
             $Users
         )
         if ($id -eq 'All') {
@@ -78,8 +72,6 @@ Function Invoke-ListConditionalAccessPolicies {
         param (
             [Parameter()]
             $ID,
-
-            [Parameter(Mandatory = $true)]
             $Groups
         )
         if ($id -eq 'All') {
@@ -98,8 +90,6 @@ Function Invoke-ListConditionalAccessPolicies {
         param (
             [Parameter()]
             $ID,
-
-            [Parameter(Mandatory = $true)]
             $Applications
         )
         if ($id -eq 'All') {

Modules/CIPPCore/Public/New-CIPPBackup.ps1

@@ -4,6 +4,7 @@ function New-CIPPBackup {
         $backupType,
         $StorageOutput = 'default',
         $TenantFilter,
+        $ScheduledBackupValues,
         $APIName = 'CIPP Backup',
         $ExecutingUser
     )
@@ -50,36 +51,28 @@ function New-CIPPBackup {
         }
 
         #If Backup type is ConditionalAccess, create Conditional Access backup.
-        'ConditionalAccess' { 
-            $ConditionalAccessPolicyOutput = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $tenantfilter
-            $AllNamedLocations = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations' -tenantid $tenantfilter
-            switch ($StorageOutput) {
-                'default' {
-                    [PSCustomObject]@{
-                        ConditionalAccessPolicies = $ConditionalAccessPolicyOutput
-                        NamedLocations            = $AllNamedLocations
-                    }
-                }
-                'table' {
-                    #Store output in tablestorage for Recovery
-                    $RowKey = $TenantFilter + '_' + (Get-Date).ToString('yyyy-MM-dd-HHmm')
-                    $entity = [PSCustomObject]@{
-                        PartitionKey   = 'ConditionalAccessBackup'
-                        RowKey         = $RowKey
-                        TenantFilter   = $TenantFilter
-                        Policies       = [string]($ConditionalAccessPolicyOutput | ConvertTo-Json -Compress -Depth 10)
-                        NamedLocations = [string]($AllNamedLocations | ConvertTo-Json -Compress -Depth 10)
-                    }
-                    $Table = Get-CippTable -tablename 'ConditionalAccessBackup'
-                    try {
-                        $Result = Add-CIPPAzDataTableEntity @Table -entity $entity -Force
-                        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Created backup for Conditional Access Policies' -Sev 'Debug'
-                        $Result
-                    } catch {
-                        Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create backup for Conditional Access Policies: $($_.Exception.Message)" -Sev 'Error'
-                        [pscustomobject]@{'Results' = "Backup Creation failed: $($_.Exception.Message)" }
-                    }
-                }
+        'Scheduled' { 
+            #Do a sub switch here based on the ScheduledBackupValues?
+            #Store output in tablestorage for Recovery
+            $RowKey = $TenantFilter + '_' + (Get-Date).ToString('yyyy-MM-dd-HHmm')
+            $entity = @{
+                PartitionKey = 'ScheduledBackup'
+                RowKey       = $RowKey
+                TenantFilter = $TenantFilter
+            }
+            Write-Host "ScheduledBackupValues: $($ScheduledBackupValues | ConvertTo-Json -Compress -Depth 100)"
+            Write-Host "Scheduled backup value psproperties: $($ScheduledBackupValues.psobject.Properties.Name)"
+            foreach ($ScheduledBackup in $ScheduledBackupValues.psobject.Properties.Name) {
+                $entity[$ScheduledBackup] = New-CIPPBackupTask -Task $ScheduledBackup -TenantFilter $TenantFilter
+            }
+            $Table = Get-CippTable -tablename 'ScheduledBackup'
+            try {
+                $Result = Add-CIPPAzDataTableEntity @Table -entity $entity -Force
+                Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Created backup for Conditional Access Policies' -Sev 'Debug'
+                $Result
+            } catch {
+                Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Failed to create backup for Conditional Access Policies: $($_.Exception.Message)" -Sev 'Error'
+                [pscustomobject]@{'Results' = "Backup Creation failed: $($_.Exception.Message)" }
             }
         }
 

Modules/CIPPCore/Public/New-CIPPBackupTask.ps1

@@ -0,0 +1,48 @@
+function New-CIPPBackupTask {
+    [CmdletBinding()]
+    param (
+        $Task,
+        $TenantFilter
+    )
+
+    $BackupData = switch ($Task) {
+        'users' {
+            $BackupData = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/users?$top=999' -tenantid $TenantFilter
+        }
+        'groups' {
+            $BackupData = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$top=999' -tenantid $TenantFilter
+        }
+        'ca' {
+            $BackupData = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/conditionalAccess/policies?$top=999' -tenantid $TenantFilter
+        }
+        'namedlocations' {
+            $BackupData = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/conditionalAccess/namedLocations?$top=999' -tenantid $TenantFilter
+        }
+        'authstrengths' {
+            $BackupData = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/conditionalAccess/authenticationStrength/policies' -tenantid $TenantFilter
+        }
+        'intuneconfig' {
+            #alert
+        }
+        'intunecompliance' {}
+
+        'intuneprotection' {}
+    
+        'CippWebhookAlerts' {
+            $WebhookTable = Get-CIPPTable -TableName 'WebhookRules'
+            $BackupData = Get-CIPPAzDataTableEntity @WebhookTable | Where-Object { $TenantFilter -in ($_.Tenants | ConvertFrom-Json).fullvalue.defaultDomainName }
+        }
+        'CippScriptedAlerts' {
+            $ScheduledTasks = Get-CIPPTable -TableName 'ScheduledTasks'
+            $BackupData = Get-CIPPAzDataTableEntity @ScheduledTasks | Where-Object { $_.hidden -eq $true -and $_.command -like 'Get-CippAlert*' -and $TenantFilter -in $_.Tenant }
+        }
+        'CippStandards' { 
+            $Table = Get-CippTable -tablename 'standards'
+            $Filter = "PartitionKey eq 'standards' and RowKey eq '$($TenantFilter)'"
+            $BackupData = (Get-CIPPAzDataTableEntity @Table -Filter $Filter)
+        }
+
+    }
+    return $BackupData
+}
+

Modules/CIPPCore/Public/SAMManifest.json

@@ -11,6 +11,12 @@
     ]
   },
   "requiredResourceAccess": [
+    {
+			"resourceAppId": "aeb86249-8ea3-49e2-900b-54cc8e308f85",
+			"resourceAccess": [
+				{ "id": "fc946a4f-bc4d-413b-a090-b2c86113ec4f", "type": "Scope" }
+			]
+		},
     {
       "resourceAppId": "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd",
       "resourceAccess": [

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1

@@ -9,28 +9,87 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses {
     .TAG
     "mediumimpact"
     .HELPTEXT
-    This standard currently does not function and can be safely disabled
+    This standard disables all self service licenses and enables all exclusions
     .ADDEDCOMPONENT
     .LABEL
     Disable Self Service Licensing
     .IMPACT
     Medium Impact
     .POWERSHELLEQUIVALENT
-    Set-MsolCompanySettings -AllowAdHocSubscriptions $false
+    Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId {productId} -Value "Disabled"
     .RECOMMENDEDBY
     .DOCSDESCRIPTION
-    This standard currently does not function and can be safely disabled
+    This standard disables all self service licenses and enables all exclusions
     .UPDATECOMMENTBLOCK
     Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     #>
 
+    param($Tenant, $Settings)
 
+    #Write-LogMessage -API 'Standards' -tenant $tenant -message 'Self Service Licenses cannot be disabled' -sev Error
+    try {
+        $selfServiceItems = (New-GraphGETRequest -scope "aeb86249-8ea3-49e2-900b-54cc8e308f85/.default" -uri "https://licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products" -tenantid $Tenant).items
+        #$selfServiceItems = (Invoke-RestMethod -Method GET -Uri "https://licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products" -Headers $header).items
+    } catch {
+        Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to retrieve self service products: $($_.Exception.Message)" -sev Error
+        throw "Failed to retrieve self service products: $($_.Exception.Message)"
+    }
 
+    if ($settings.remediate) {
+        if ($settings.exclusions -like "*;*") {
+            $exclusions = $settings.Exclusions -split(';')
+        } else {
+            $exclusions = $settings.Exclusions -split(',')
+        }
 
-    param($Tenant, $Settings)
+        $selfServiceItems | ForEach-Object {
+            $body = $null
+
+            if ($_.policyValue -eq "Enabled" -AND ($_.productId -in $exclusions)) {
+                # Self service is enabled on product and productId is in exclusions, skip
+            }
+            if ($_.policyValue -eq "Disabled" -AND ($_.productId -in $exclusions)) {
+                # Self service is disabled on product and productId is in exclusions, enable
+                $body = '{ "policyValue": "Enabled" }'
+            }
+            if ($_.policyValue -eq "Enabled" -AND ($_.productId -notin $exclusions)) {
+                # Self service is enabled on product and productId is NOT in exclusions, disable
+                $body = '{ "policyValue": "Disabled" }'
+            }
+            if ($_.policyValue -eq "Disabled" -AND ($_.productId -notin $exclusions)) {
+                # Self service is disabled on product and productId is NOT in exclusions, skip
+            }
+
+            try {
+                if ($body) {
+                    $product = $_
+                    New-GraphPOSTRequest -scope "aeb86249-8ea3-49e2-900b-54cc8e308f85/.default" -uri "https://licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products/$($product.productId)" -tenantid $Tenant -body $body -type PUT
+                }
+            } catch {
+                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set product status for $($product.productId) with body $($body) for reason: $($_.Exception.Message)" -sev Error
+                #Write-Error "Failed to disable product $($product.productName):$($_.Exception.Message)"
+            }
+        }
+
+        if (!$exclusions) {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'No exclusions set for self-service licenses, disabled all not excluded licenses for self-service.' -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Exclusions present for self-service licenses, disabled all not excluded licenses for self-service.' -sev Info
+        }
+    }
 
-    Write-LogMessage -API 'Standards' -tenant $tenant -message 'Self Service Licenses cannot be disabled' -sev Error
+    if ($Settings.alert) {
+        $selfServiceItemsToAlert = $selfServiceItems | Where-Object { $_.policyValue -eq "Enabled"}
+        if (!$selfServiceItemsToAlert) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'All self-service licenses are disabled' -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'One or more self-service licenses are enabled' -sev Alert
+        }
+    }
 
+    if ($Settings.report -eq $true) {
+        #Add-CIPPBPAField -FieldName '????' -FieldValue "????" -StoreAs bool -Tenant $tenant
+    }
 }