
Commit 819c270

authored
Merge pull request KelvinTegelaar#265 from KelvinTegelaar/dev
[pull] dev from KelvinTegelaar:dev
2 parents 2bde73a + 6822e4b commit 819c270

12 files changed

+373
-255
lines changed

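--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecDeviceAction.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecDeviceAction.ps1
@@ -20,7 +20,19 @@ Function Invoke-ExecDeviceAction {
 if ($Request.Query.Action -eq 'setDeviceName') {
 $ActionBody = @{ deviceName = $Request.Body.input } | ConvertTo-Json -Compress
 }
-$ActionResult = New-CIPPDeviceAction -Action $Request.Query.Action -ActionBody $ActionBody -DeviceFilter $Request.Query.GUID -TenantFilter $Request.Query.TenantFilter -ExecutingUser $request.headers.'x-ms-client-principal' -APINAME $APINAME
+else {
+$ActionBody = $Request.Body | ConvertTo-Json -Compress
+}
+
+$cmdparams = @{
+Action = $Request.Query.Action
+ActionBody = $ActionBody
+DeviceFilter = $Request.Query.GUID
+TenantFilter = $Request.Query.TenantFilter
+ExecutingUser = $request.headers.'x-ms-client-principal'
+APINAME = $APINAME
+}
+$ActionResult = New-CIPPDeviceAction @cmdparams
 $body = [pscustomobject]@{'Results' = "$ActionResult" }
 
 } catch {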
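Review bot: The new `else` branch at new lines 23–25 serialises the entire request body into `$ActionBody` for every action other than `setDeviceName`, and `$Request.Query.Action` is passed on unchecked, so both the device action and its payload are whatever the caller sends. Unless New-CIPPDeviceAction validates them (it is not visible here), add an allow-list before building `$cmdparams`, for example `if ($Request.Query.Action -notin $AllowedActions) { throw 'Unsupported device action' }`, where `$AllowedActions` is a list this function would need to define. `ConvertTo-Json` defaults to a depth of 2, so a nested body is truncated without error; pass `-Depth` explicitly. The enclosing `try` starts above the hunk and its `catch` continues below it.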

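--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroup.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroup.ps1
@@ -68,7 +68,6 @@ Function Invoke-AddGroup {
 }
 $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params
 }
-$GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params
 # At some point add logic to use AddOwner/AddMember for New-DistributionGroup, but idk how we're going to brr that - rvdwegen
 }
 "Successfully created group $($groupobj.displayname) for $($tenant)"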
Lines changed: 50 additions & 0 deletions
@@ -0,0 +1,50 @@
1+
using namespace System.Net
2+
3+
function Invoke-ListPerUserMFA {
4+
<#
5+
.FUNCTIONALITY
6+
Entrypoint
7+
.ROLE
8+
Identity.User.Read
9+
#>
10+
[CmdletBinding()]
11+
param($Request, $TriggerMetadata)
12+
13+
$APIName = $TriggerMetadata.FunctionName
14+
$User = $request.headers.'x-ms-client-principal'
15+
Write-LogMessage -user $User -API $APINAME -message 'Accessed this API' -Sev 'Debug'
16+
17+
# Write to the Azure Functions log stream.
18+
Write-Host 'PowerShell HTTP trigger function processed a request.'
19+
20+
# Parse query parameters
21+
$Tenant = $Request.query.tenantFilter
22+
try {
23+
$AllUsers = [System.Convert]::ToBoolean($Request.query.allUsers)
24+
} catch {
25+
$AllUsers = $false
26+
}
27+
$UserId = $Request.query.userId
28+
29+
# Get the MFA state for the user/all users
30+
try {
31+
if ($AllUsers -eq $true) {
32+
$Results = Get-CIPPPerUserMFA -TenantFilter $Tenant -AllUsers $true
33+
} else {
34+
$Results = Get-CIPPPerUserMFA -TenantFilter $Tenant -userId $UserId
35+
}
36+
$StatusCode = [HttpStatusCode]::OK
37+
} catch {
38+
$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
39+
$Results = "Failed to get MFA State for $UserId : $ErrorMessage"
40+
$StatusCode = [HttpStatusCode]::Forbidden
41+
}
42+
43+
# Associate values to output bindings by calling 'Push-OutputBinding'.
44+
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
45+
StatusCode = $StatusCode
46+
Body = @($Results)
47+
})
48+
49+
50+
}
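Review bot: The catch block at new lines 37–41 answers every failure with `[HttpStatusCode]::Forbidden`, so a Graph outage, throttling or a malformed request is reported to the client, and to anything that monitors status codes, as an authorisation failure. Reserve 403 for genuine permission errors and return `[HttpStatusCode]::InternalServerError` for the rest. When `allUsers` is false the function also calls `Get-CIPPPerUserMFA -userId $UserId` without checking that `userId` was supplied. A guard before the second `try`, such as `if (-not $AllUsers -and [string]::IsNullOrWhiteSpace($UserId))` returning `[HttpStatusCode]::BadRequest`, would make that case explicit instead of leaving it to the helper.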

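--- a/Modules/CIPPCore/Public/Get-CIPPMFAState.ps1
+++ b/Modules/CIPPCore/Public/Get-CIPPMFAState.ps1
@@ -92,9 +92,9 @@ function Get-CIPPMFAState {
 }
 }
 
-$PerUser = if ($PerUserMFAState -eq $null) { $null } else { ($PerUserMFAState | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).PerUserMFAState }
+$PerUser = if ($null -eq $PerUserMFAState) { $null } else { ($PerUserMFAState | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).PerUserMFAState }
 
-$MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName).isMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName) }
+$MFARegUser = if ($null -eq ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName).isMFARegistered) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName) }
 
 [PSCustomObject]@{
 Tenant = $TenantFilter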

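--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1
@@ -51,6 +51,11 @@ function Invoke-CIPPStandardAntiPhishPolicy {
 param($Tenant, $Settings)
 ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'AntiPhishPolicy'
 
+$ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
+$ServicePlans = $ServicePlans.servicePlans.servicePlanName
+$MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
+Write-Information "MDOLicensed: $MDOLicensed"
+
 $PolicyList = @('CIPP Default Anti-Phishing Policy','Default Anti-Phishing Policy')
 $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishPolicy' | Where-Object -Property Name -In $PolicyList
 if ($null -eq $ExistingPolicy.Name) {
@@ -69,27 +74,38 @@ function Invoke-CIPPStandardAntiPhishPolicy {
 $CurrentState = $ExistingPolicy |
 Select-Object Name, Enabled, PhishThresholdLevel, EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, EnableSpoofIntelligence, EnableFirstContactSafetyTips, EnableSimilarUsersSafetyTips, EnableSimilarDomainsSafetyTips, EnableUnusualCharactersSafetyTips, EnableUnauthenticatedSender, EnableViaTag, AuthenticationFailAction, SpoofQuarantineTag, MailboxIntelligenceProtectionAction, MailboxIntelligenceQuarantineTag, TargetedUserProtectionAction, TargetedUserQuarantineTag, TargetedDomainProtectionAction, TargetedDomainQuarantineTag, EnableOrganizationDomainsProtection
 
-$StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
-($CurrentState.Enabled -eq $true) -and
-($CurrentState.PhishThresholdLevel -eq $Settings.PhishThresholdLevel) -and
-($CurrentState.EnableMailboxIntelligence -eq $true) -and
-($CurrentState.EnableMailboxIntelligenceProtection -eq $true) -and
-($CurrentState.EnableSpoofIntelligence -eq $true) -and
-($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
-($CurrentState.EnableSimilarUsersSafetyTips -eq $Settings.EnableSimilarUsersSafetyTips) -and
-($CurrentState.EnableSimilarDomainsSafetyTips -eq $Settings.EnableSimilarDomainsSafetyTips) -and
-($CurrentState.EnableUnusualCharactersSafetyTips -eq $Settings.EnableUnusualCharactersSafetyTips) -and
-($CurrentState.EnableUnauthenticatedSender -eq $true) -and
-($CurrentState.EnableViaTag -eq $true) -and
-($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
-($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag) -and
-($CurrentState.MailboxIntelligenceProtectionAction -eq $Settings.MailboxIntelligenceProtectionAction) -and
-($CurrentState.MailboxIntelligenceQuarantineTag -eq $Settings.MailboxIntelligenceQuarantineTag) -and
-($CurrentState.TargetedUserProtectionAction -eq $Settings.TargetedUserProtectionAction) -and
-($CurrentState.TargetedUserQuarantineTag -eq $Settings.TargetedUserQuarantineTag) -and
-($CurrentState.TargetedDomainProtectionAction -eq $Settings.TargetedDomainProtectionAction) -and
-($CurrentState.TargetedDomainQuarantineTag -eq $Settings.TargetedDomainQuarantineTag) -and
-($CurrentState.EnableOrganizationDomainsProtection -eq $true)
+if ($MDOLicensed) {
+$StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+($CurrentState.Enabled -eq $true) -and
+($CurrentState.PhishThresholdLevel -eq $Settings.PhishThresholdLevel) -and
+($CurrentState.EnableMailboxIntelligence -eq $true) -and
+($CurrentState.EnableMailboxIntelligenceProtection -eq $true) -and
+($CurrentState.EnableSpoofIntelligence -eq $true) -and
+($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
+($CurrentState.EnableSimilarUsersSafetyTips -eq $Settings.EnableSimilarUsersSafetyTips) -and
+($CurrentState.EnableSimilarDomainsSafetyTips -eq $Settings.EnableSimilarDomainsSafetyTips) -and
+($CurrentState.EnableUnusualCharactersSafetyTips -eq $Settings.EnableUnusualCharactersSafetyTips) -and
+($CurrentState.EnableUnauthenticatedSender -eq $true) -and
+($CurrentState.EnableViaTag -eq $true) -and
+($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
+($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag) -and
+($CurrentState.MailboxIntelligenceProtectionAction -eq $Settings.MailboxIntelligenceProtectionAction) -and
+($CurrentState.MailboxIntelligenceQuarantineTag -eq $Settings.MailboxIntelligenceQuarantineTag) -and
+($CurrentState.TargetedUserProtectionAction -eq $Settings.TargetedUserProtectionAction) -and
+($CurrentState.TargetedUserQuarantineTag -eq $Settings.TargetedUserQuarantineTag) -and
+($CurrentState.TargetedDomainProtectionAction -eq $Settings.TargetedDomainProtectionAction) -and
+($CurrentState.TargetedDomainQuarantineTag -eq $Settings.TargetedDomainQuarantineTag) -and
+($CurrentState.EnableOrganizationDomainsProtection -eq $true)
+} else {
+$StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+($CurrentState.Enabled -eq $true) -and
+($CurrentState.EnableSpoofIntelligence -eq $true) -and
+($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
+($CurrentState.EnableUnauthenticatedSender -eq $true) -and
+($CurrentState.EnableViaTag -eq $true) -and
+($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
+($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag)
+}
 
 $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
 
@@ -106,27 +122,39 @@ function Invoke-CIPPStandardAntiPhishPolicy {
 if ($StateIsCorrect -eq $true) {
 Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Anti-phishing policy already correctly configured' -sev Info
 } else {
-$cmdparams = @{
-Enabled = $true
-PhishThresholdLevel = $Settings.PhishThresholdLevel
-EnableMailboxIntelligence = $true
-EnableMailboxIntelligenceProtection = $true
-EnableSpoofIntelligence = $true
-EnableFirstContactSafetyTips = $Settings.EnableFirstContactSafetyTips
-EnableSimilarUsersSafetyTips = $Settings.EnableSimilarUsersSafetyTips
-EnableSimilarDomainsSafetyTips = $Settings.EnableSimilarDomainsSafetyTips
-EnableUnusualCharactersSafetyTips = $Settings.EnableUnusualCharactersSafetyTips
-EnableUnauthenticatedSender = $true
-EnableViaTag = $true
-AuthenticationFailAction = $Settings.AuthenticationFailAction
-SpoofQuarantineTag = $Settings.SpoofQuarantineTag
-MailboxIntelligenceProtectionAction = $Settings.MailboxIntelligenceProtectionAction
-MailboxIntelligenceQuarantineTag = $Settings.MailboxIntelligenceQuarantineTag
-TargetedUserProtectionAction = $Settings.TargetedUserProtectionAction
-TargetedUserQuarantineTag = $Settings.TargetedUserQuarantineTag
-TargetedDomainProtectionAction = $Settings.TargetedDomainProtectionAction
-TargetedDomainQuarantineTag = $Settings.TargetedDomainQuarantineTag
-EnableOrganizationDomainsProtection = $true
+if ($MDOLicensed) {
+$cmdparams = @{
+Enabled = $true
+PhishThresholdLevel = $Settings.PhishThresholdLevel
+EnableMailboxIntelligence = $true
+EnableMailboxIntelligenceProtection = $true
+EnableSpoofIntelligence = $true
+EnableFirstContactSafetyTips = $Settings.EnableFirstContactSafetyTips
+EnableSimilarUsersSafetyTips = $Settings.EnableSimilarUsersSafetyTips
+EnableSimilarDomainsSafetyTips = $Settings.EnableSimilarDomainsSafetyTips
+EnableUnusualCharactersSafetyTips = $Settings.EnableUnusualCharactersSafetyTips
+EnableUnauthenticatedSender = $true
+EnableViaTag = $true
+AuthenticationFailAction = $Settings.AuthenticationFailAction
+SpoofQuarantineTag = $Settings.SpoofQuarantineTag
+MailboxIntelligenceProtectionAction = $Settings.MailboxIntelligenceProtectionAction
+MailboxIntelligenceQuarantineTag = $Settings.MailboxIntelligenceQuarantineTag
+TargetedUserProtectionAction = $Settings.TargetedUserProtectionAction
+TargetedUserQuarantineTag = $Settings.TargetedUserQuarantineTag
+TargetedDomainProtectionAction = $Settings.TargetedDomainProtectionAction
+TargetedDomainQuarantineTag = $Settings.TargetedDomainQuarantineTag
+EnableOrganizationDomainsProtection = $true
+}
+} else {
+$cmdparams = @{
+Enabled = $true
+EnableSpoofIntelligence = $true
+EnableFirstContactSafetyTips = $Settings.EnableFirstContactSafetyTips
+EnableUnauthenticatedSender = $true
+EnableViaTag = $true
+AuthenticationFailAction = $Settings.AuthenticationFailAction
+SpoofQuarantineTag = $Settings.SpoofQuarantineTag
+}
 }
 
 if ($CurrentState.Name -eq $PolicyName) {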
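Review bot: `$MDOLicensed` at new line 56 is derived only from `servicePlanName`, and when it is false the standard checks and applies the reduced parameter set with nothing but a `Write-Information` line to record it, so an empty `subscribedSkus` result quietly lowers the anti-phishing baseline for that tenant. The name match also ignores whether the plan is provisioned; comparing the plan's `provisioningStatus` with `Success` as well would avoid treating a disabled plan as licensed. Log the fallback where operators will see it, for example `Write-LogMessage -API 'Standards' -tenant $Tenant -message 'ATP_ENTERPRISE service plan not found, applying reduced anti-phishing settings' -sev Info`. The two `$StateIsCorrect` expressions and the two `$cmdparams` tables now repeat the common settings; building the base set once and adding the MDO-only keys under `if ($MDOLicensed)` would keep them from drifting apart.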

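--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1
@@ -42,9 +42,9 @@ function Invoke-CIPPStandardDisableEmail {
 
 if ($Settings.alert -eq $true) {
 if ($StateIsCorrect -eq $true) {
-Write-LogMessage -API 'Standards' -tenant $tenant -message 'Email authentication method is enabled' -sev Alert
-} else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Email authentication method is not enabled' -sev Info
+} else {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'Email authentication method is enabled' -sev Alert
 }
 }
 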
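Review bot: After the swap, the `else` branch at new lines 46–47 logs 'Email authentication method is enabled' at Alert severity for any `$StateIsCorrect` that is not `$true`, which would include `$null` if the lookup that sets it (outside this hunk) returned nothing. If that can happen, the alert asserts a state the code has not established; `} elseif ($StateIsCorrect -eq $false) {` for the Alert, with a separate message for the undetermined case, would keep the alert accurate. The same block is changed in Invoke-CIPPStandardDisableSMS.ps1, Invoke-CIPPStandardDisableVoice.ps1 and Invoke-CIPPStandardDisablex509Certificate.ps1, and the point applies to each.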

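--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1
@@ -42,9 +42,9 @@ function Invoke-CIPPStandardDisableSMS {
 
 if ($Settings.alert -eq $true) {
 if ($StateIsCorrect -eq $true) {
-Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMS authentication method is enabled' -sev Alert
-} else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMS authentication method is not enabled' -sev Info
+} else {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMS authentication method is enabled' -sev Alert
 }
 }
 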

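--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1
@@ -42,9 +42,9 @@ function Invoke-CIPPStandardDisableVoice {
 
 if ($Settings.alert -eq $true) {
 if ($StateIsCorrect -eq $true) {
-Write-LogMessage -API 'Standards' -tenant $tenant -message 'Voice authentication method is enabled' -sev Alert
-} else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Voice authentication method is not enabled' -sev Info
+} else {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'Voice authentication method is enabled' -sev Alert
 }
 }
 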

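--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
@@ -42,9 +42,9 @@ function Invoke-CIPPStandardDisablex509Certificate {
 
 if ($Settings.alert -eq $true) {
 if ($StateIsCorrect -eq $true) {
-Write-LogMessage -API 'Standards' -tenant $tenant -message 'x509Certificate authentication method is enabled' -sev Alert
-} else {
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'x509Certificate authentication method is not enabled' -sev Info
+} else {
+Write-LogMessage -API 'Standards' -tenant $tenant -message 'x509Certificate authentication method is enabled' -sev Alert
 }
 }
 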
