Merge branch 'KelvinTegelaar:master' into master

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -25,7 +25,7 @@ function Add-CIPPDelegatedPermission {
     foreach ($App in $requiredResourceAccess) {
         $svcPrincipalId = $ServicePrincipalList | Where-Object -Property AppId -EQ $App.resourceAppId
         if (!$svcPrincipalId) { continue }
-        $NewScope = ($Translator | Where-Object { $_.id -in $App.ResourceAccess.id } | Where-Object { $_.value -notin 'profile', 'openid', 'offline_access' }).value -join ' '
+        $NewScope = ($Translator | Where-Object { $_.id -in $App.ResourceAccess.id }).value -join ' '
         $OldScope = ($CurrentDelegatedScopes | Where-Object -Property Resourceid -EQ $svcPrincipalId.id)
 
         if (!$OldScope) {
@@ -40,14 +40,14 @@ function Add-CIPPDelegatedPermission {
         } else {
             $compare = Compare-Object -ReferenceObject $OldScope.scope.Split(' ') -DifferenceObject $NewScope.Split(' ')
             if (!$compare) {
-                $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)") | Out-Null
+                $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName): $($NewScope)") | Out-Null
                 continue
             }
             $Patchbody = @{
                 scope = "$NewScope"
             } | ConvertTo-Json -Compress
             $Patchrequest = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($OldScope.id)" -tenantid $Tenantfilter -body $Patchbody -type PATCH
-            $Results.add("Successfully updated permissions for $($svcPrincipalId.displayName)") | Out-Null
+            $Results.add("Successfully updated permissions for $($svcPrincipalId.displayName): $($NewScope)") | Out-Null
         }
     }
 

Modules/CIPPCore/Public/Entrypoints/Invoke-AddSharedMailbox.ps1

@@ -33,7 +33,7 @@ Function Invoke-AddSharedMailbox {
     }
     catch {
         Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($groupobj.tenantid) -message "Group creation API failed. $($_.Exception.Message)" -Sev 'Error'
-        $body = [pscustomobject]@{'Results' = "Failed to create group. $($_.Exception.Message)" }
+        $body = [pscustomobject]@{'Results' = "Failed to create Shared Mailbox. $($_.Exception.Message)" }
 
     }
 

Modules/CIPPCore/Public/Entrypoints/Invoke-ListIPWhitelist.ps1

@@ -0,0 +1,18 @@
+using namespace System.Net
+
+Function Invoke-ListIPWhitelist {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $Table = Get-CippTable -tablename 'trustedIps'
+    $body = Get-CIPPAzDataTableEntity @Table
+
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = @($body)
+        })
+}

Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailboxRules.ps1

@@ -18,8 +18,7 @@ Function Invoke-ListMailboxRules {
     # Interact with query parameters or the body of the request.
     $TenantFilter = $Request.Query.TenantFilter
 
-    $Table = Get-CIPPTable -TableName cachembxrules
-    $Rows = Get-CIPPAzDataTableEntity @Table | Where-Object -Property Timestamp -GT (Get-Date).Addhours(-1)
+
     if (!$Rows) {
         Push-OutputBinding -Name mbxrulequeue -Value $TenantFilter
         $GraphRequest = [PSCustomObject]@{
@@ -28,17 +27,16 @@ Function Invoke-ListMailboxRules {
         }
     } else {
         if ($TenantFilter -ne 'AllTenants') {
+            $Table = Get-CIPPTable -TableName cachembxrules
+            $Rows = Get-CIPPAzDataTableEntity @Table | Where-Object -Property Timestamp -GT (Get-Date).Addhours(-1)
             $GraphRequest = $Rows | Where-Object -Property Tenant -EQ $TenantFilter | ForEach-Object {
                 $NewObj = $_.Rules | ConvertFrom-Json
                 $NewObj | Add-Member -NotePropertyName 'Tenant' -NotePropertyValue $TenantFilter
                 $NewObj
             }
         } else {
-            $GraphRequest = $Rows | ForEach-Object {
-                $TenantName = $_.Tenant
-                $NewObj = $_.Rules | ConvertFrom-Json
-                $NewObj | Add-Member -NotePropertyName 'Tenant' -NotePropertyValue $TenantName
-                $NewObj
+            $GraphRequest = New-ExoRequest -tenantid $tenantFilter -cmdlet 'Get-Mailbox' -Select 'userPrincipalName,GUID' | ForEach-Object {
+                New-ExoRequest -Anchor $_.UserPrincipalName -tenantid $tenantFilter -cmdlet 'Get-InboxRule' -cmdParams @{Mailbox = $_.GUID }
             }
         }
     }

Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailboxRulesAllTenants.ps1

@@ -23,8 +23,6 @@ Function Invoke-ListMailboxRulesAllTenants {
         try {
 
             $Rules = New-ExoRequest -tenantid $domainName -cmdlet 'Get-Mailbox' | ForEach-Object -Parallel {
-                Import-Module '.\Modules\AzBobbyTables'
-                Import-Module '.\Modules\CIPPCore'
                 New-ExoRequest -Anchor $_.UserPrincipalName -tenantid $domainName -cmdlet 'Get-InboxRule' -cmdParams @{Mailbox = $_.GUID }
             }
             foreach ($Rule in $Rules) {

Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAdmins.ps1

@@ -6,46 +6,22 @@ function Push-CIPPAlertMFAAdmins {
         $TriggerMetadata
     )
     try {
-        $LastRunTable = Get-CIPPTable -Table AlertLastRun
-        $Filter = "RowKey eq 'MFAAllAdmins' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
-        $LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
-        $Yesterday = (Get-Date).AddDays(-1)
-        if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
-            $StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
-            $AdminList = (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/directoryRoles?`$expand=members" -tenantid $($QueueItem.tenant) | Where-Object -Property roleTemplateId -NE 'd29b2b05-8046-44ba-8758-1e26182fcf32').members | Where-Object { $_.userPrincipalName -ne $null -and $_.Usertype -eq 'Member' -and $_.accountEnabled -eq $true } | Sort-Object UserPrincipalName -Unique
-            $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $QueueItem.tenant -ErrorAction Stop)
-            foreach ($Policy in $CAPolicies) {
-                if ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa') {
-                    $DuoActive = $true
-                }
-            } 
+        $CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $QueueItem.tenant -ErrorAction Stop)
+        foreach ($Policy in $CAPolicies) {
+            if ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa') {
+                $DuoActive = $true
+            }
             if (!$DuoActive) {
-                $AdminList | ForEach-Object {
-                    $CARegistered = $null
-                    try {
-                        New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.ID)/authentication/Methods" -tenantid $($QueueItem.tenant) | ForEach-Object {
-                            if ($_.'@odata.type' -in $StrongMFAMethods) {
-                                $CARegistered = $true
-                            }
-                        }
-                        if ($CARegistered -ne $true) { 
-                            Write-AlertMessage -tenant $($QueueItem.tenant) -message "Admin $($_.UserPrincipalName) is enabled but does not have any form of MFA configured." 
-                        }
-                    } catch {
-                        # Error handling here if needed
-                    }
+                $users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$filter=IsAdmin eq true' -tenantid $($QueueItem.tenant) | Where-Object -Property 'isMfaRegistered' -EQ $false
+                if ($users) {
+                    Write-AlertMessage -tenant $QueueItem.tenant -message "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"
                 }
             } else {
                 Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Info
             }
-            $LastRun = @{
-                RowKey       = 'MFAAllAdmins'
-                PartitionKey = $QueueItem.tenantid
-            }
-            Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force
-        }
+        }        
     } catch {
-        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get MFA status for admins for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
+        Write-LogMessage -message "Failed to check MFA status for Admins: $($_.exception.message)" -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Error
     }
 
 }

Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAlertUsers.ps1

@@ -11,51 +11,13 @@ function Push-CIPPAlertMFAAlertUsers {
         $LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
         $Yesterday = (Get-Date).AddDays(-1)
         if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
-            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=userPrincipalName,id,accountEnabled,userType&`$filter=userType eq 'Member' and accountEnabled eq true" -tenantid $($QueueItem.tenant)
-            Write-Host "found $($users.count) users for $($QueueItem.tenant)"
-            $StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
-
-            $UserBatches = [System.Collections.Generic.List[Object]]@()
-            for ($i = 0; $i -lt $users.count; $i += 20) {
-                $UserBatches.Add($users[$i..($i + 19)])
+            $users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$filter=isMfaRegistered eq false' -tenantid $($QueueItem.tenant) 
+            if ($users) {
+                Write-AlertMessage -tenant $QueueItem.tenant -message "The following users do not have MFA registered: $($users.UserPrincipalName -join ', ')"
             }
-
-            $UserBatches | ForEach-Object -Parallel {
-                try {
-                    Write-Host "processing batch of $($_.count) users for $($using:QueueItem.tenant)"
-                    Import-Module CippCore
-                    Import-Module AzBobbyTables
-                    $UserBatch = $_
-                    Write-Host "processing batch of $($UserBatch.count) users"
-                    $BatchRequests = $UserBatch | ForEach-Object {
-                        @{
-                            id     = $_.id
-                            method = 'GET'
-                            url    = "users/$($_.ID)/authentication/Methods"
-                        }
-                    }
-                    $BatchResponses = New-GraphBulkRequest -tenantid $using:QueueItem.tenant -Requests $BatchRequests
-                    foreach ($response in $BatchResponses) {
-                        $UPN = ($UserBatch | Where-Object { $_.id -eq $response.id }).UserPrincipalName
-                        $CARegistered = $false
-
-                        foreach ($method in $response.body.value) {
-                            if ($method.'@odata.type' -in $using:StrongMFAMethods) {
-                                $CARegistered = $true
-                                break
-                            }
-                        }
-
-                        if (-not $CARegistered) {
-                            Write-AlertMessage -tenant $using:QueueItem.tenant -message "User $UPN is enabled but does not have any form of MFA configured."
-                        }
-                    }
-                } catch {
-                }
-            } -ThrottleLimit 25
         }
     } catch {
-        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get MFA status for users for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
+        Write-LogMessage -message "Failed to check MFA status for all users: $($_.exception.message)" -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Info
     }
     $LastRun = @{
         RowKey       = 'MFAAllUsers'

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1

@@ -20,17 +20,22 @@ function Invoke-CIPPStandardPhishProtection {
 
         try {
             if (!$currentBody) {
-                $AddedHeaders = @{'Accept-Language' = 0}
+                $AddedHeaders = @{'Accept-Language' = 0 }
                 $defaultBrandingBody = '{"usernameHintText":null,"signInPageText":null,"backgroundColor":null,"customPrivacyAndCookiesText":null,"customCannotAccessYourAccountText":null,"customForgotMyPasswordText":null,"customTermsOfUseText":null,"loginPageLayoutConfiguration":{"layoutTemplateType":"default","isFooterShown":true,"isHeaderShown":false},"loginPageTextVisibilitySettings":{"hideAccountResetCredentials":false,"hideTermsOfUse":true,"hidePrivacyAndCookies":true},"contentCustomization":{"conditionalAccess":[],"attributeCollection":[]}}'
-                New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/" -ContentType 'application/json' -asApp $true -Type POST -Body $defaultBrandingBody -AddedHeaders $AddedHeaders
+                try {
+                    New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/" -ContentType 'application/json' -asApp $true -Type POST -Body $defaultBrandingBody -AddedHeaders $AddedHeaders
+                } catch { 
+
+                }
             }
             if ($currentBody -like "*$CSS*") {
                 Write-Host 'Logon Screen Phishing Protection system already active'
                 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Logon Screen Phishing Protection system already active' -sev Info
             } else {
                 $currentBody = $currentBody + $CSS
-                Write-Host 'Creating Logon Screen Phishing Protection System'
-                New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/0/customCSS" -ContentType 'text/css' -asApp $true -Type PUT -Body $CSS
+                Write-Host 'Creating Logon Screen Phising Protection System'
+                New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/0/customCSS" -ContentType 'text/css' -asApp $true -Type PUT -Body $currentBody
+
                 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Logon Screen Phishing Protection system' -sev Info
             }
         } catch {

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1

@@ -8,8 +8,9 @@ function Invoke-CIPPStandardintuneRequireMFA {
 
     If ($Settings.remediate) {
         try {
-            $PreviousSetting.multiFactorAuthConfiguration = '1'
-            $Newbody = ConvertTo-Json -Compress -InputObject $PreviousSetting
+            $NewSetting = $PreviousSetting
+            $NewSetting.multiFactorAuthConfiguration = '1'
+            $Newbody = ConvertTo-Json -Compress -InputObject $NewSetting
             New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json'
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Set required to use MFA when joining Intune Devices' -sev Info
         } catch {

Scheduler_CIPPNotifications/run.ps1

@@ -60,7 +60,7 @@ try {
       $JSONBody = @"
                     {
                         "message": {
-                          "subject": "$tenant CIPP Alert: Alerts found starting at $((Get-Date).AddMinutes(-15))",
+                          "subject": "CIPP Alert: Alerts found starting at $((Get-Date).AddMinutes(-15))",
                           "body": {
                             "contentType": "HTML",
                             "content": "You've setup your alert policies to be alerted whenever specific events happen. We've found some of these events in the log:<br><br>
@@ -78,12 +78,12 @@ try {
                       }
 "@
       New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody)
-      Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev Debug
+      Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant 'All Tenants' -sev Debug
     }
   }
 } catch {
   Write-Host "Could not send alerts to email: $($_.Exception.message)"
-  Write-LogMessage -API 'Alerts' -message "Could not send alerts to: $($_.Exception.message)" -tenant $Tenant -sev error
+  Write-LogMessage -API 'Alerts' -message "Could not send alerts to: $($_.Exception.message)" -tenant 'All Tenants' -sev error
 }
 
 

version_latest.txt

@@ -1 +1 @@
-5.0.4
+5.0.5