more tests

KelvinTegelaar · KelvinTegelaar · commit 020776ac5432 · 2025-12-24T13:03:33.000+01:00
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21858.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21858.ps1
@@ -20,7 +20,7 @@ function Invoke-CippTestZTNA21858 {
         $InactiveGuests = @()
         foreach ($Guest in $EnabledGuests) {
             $DaysSinceLastActivity = $null
-            
+
             if ($Guest.signInActivity.lastSuccessfulSignInDateTime) {
                 $LastSignIn = [DateTime]$Guest.signInActivity.lastSuccessfulSignInDateTime
                 $DaysSinceLastActivity = ($Today - $LastSignIn).Days
@@ -36,7 +36,45 @@ function Invoke-CippTestZTNA21858 {
 
         if ($InactiveGuests.Count -gt 0) {
             $Status = 'Failed'
-            $Result = "Found $($InactiveGuests.Count) inactive guest user(s) with no sign-in activity in the last $InactivityThresholdDays days"
+
+            $ResultLines = @(
+                "Found $($InactiveGuests.Count) inactive guest user(s) with no sign-in activity in the last $InactivityThresholdDays days."
+                ''
+                "**Total enabled guests:** $($EnabledGuests.Count)"
+                "**Inactive guests:** $($InactiveGuests.Count)"
+                "**Inactivity threshold:** $InactivityThresholdDays days"
+                ''
+                '**Top 10 inactive guest users:**'
+            )
+
+            $Top10Guests = $InactiveGuests | Sort-Object {
+                if ($_.signInActivity.lastSuccessfulSignInDateTime) {
+                    [DateTime]$_.signInActivity.lastSuccessfulSignInDateTime
+                } else {
+                    [DateTime]$_.createdDateTime
+                }
+            } | Select-Object -First 10
+
+            foreach ($Guest in $Top10Guests) {
+                if ($Guest.signInActivity.lastSuccessfulSignInDateTime) {
+                    $LastActivity = [DateTime]$Guest.signInActivity.lastSuccessfulSignInDateTime
+                    $DaysInactive = [Math]::Round(($Today - $LastActivity).TotalDays, 0)
+                    $ResultLines += "- $($Guest.displayName) ($($Guest.userPrincipalName)) - Last sign-in: $DaysInactive days ago"
+                } else {
+                    $Created = [DateTime]$Guest.createdDateTime
+                    $DaysSinceCreated = [Math]::Round(($Today - $Created).TotalDays, 0)
+                    $ResultLines += "- $($Guest.displayName) ($($Guest.userPrincipalName)) - Never signed in (Created $DaysSinceCreated days ago)"
+                }
+            }
+
+            if ($InactiveGuests.Count -gt 10) {
+                $ResultLines += "- ... and $($InactiveGuests.Count - 10) more inactive guest(s)"
+            }
+
+            $ResultLines += ''
+            $ResultLines += '**Recommendation:** Review and remove or disable inactive guest accounts to reduce security risks.'
+
+            $Result = $ResultLines -join "`n"
         } else {
             $Status = 'Passed'
             $Result = "All enabled guest users have been active within the last $InactivityThresholdDays days"
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21869.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21869.ps1
@@ -21,7 +21,28 @@ function Invoke-CippTestZTNA21869 {
         }
 
         $Status = 'Investigate'
-        $Result = "Found $($AppsWithoutAssignment.Count) enterprise application(s) without assignment requirements. Full provisioning scope validation requires Graph API calls not available in cache."
+
+        $ResultLines = @(
+            "Found $($AppsWithoutAssignment.Count) enterprise application(s) without assignment requirements."
+            ''
+            '**Applications without user assignment requirements:**'
+        )
+
+        $Top10Apps = $AppsWithoutAssignment | Select-Object -First 10
+        foreach ($App in $Top10Apps) {
+            $ResultLines += "- $($App.displayName) (SSO: $($App.preferredSingleSignOnMode))"
+        }
+
+        if ($AppsWithoutAssignment.Count -gt 10) {
+            $ResultLines += "- ... and $($AppsWithoutAssignment.Count - 10) more application(s)"
+        }
+
+        $ResultLines += ''
+        $ResultLines += '**Note:** Full provisioning scope validation requires Graph API synchronization endpoint not available in cache.'
+        $ResultLines += ''
+        $ResultLines += '**Recommendation:** Enable user assignment requirements or configure scoped provisioning to limit application access.'
+
+        $Result = $ResultLines -join "`n"
 
         Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
     }
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21877.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21877.ps1
@@ -20,7 +20,30 @@ function Invoke-CippTestZTNA21877 {
             $Result = 'All guest accounts in the tenant have an assigned sponsor'
         } else {
             $Status = 'Failed'
-            $Result = "Found $($GuestsWithoutSponsors.Count) guest user(s) without sponsors out of $($Guests.Count) total guests"
+
+            $ResultLines = @(
+                "Found $($GuestsWithoutSponsors.Count) guest user(s) without sponsors out of $($Guests.Count) total guests."
+                ''
+                "**Total guests:** $($Guests.Count)"
+                "**Guests without sponsors:** $($GuestsWithoutSponsors.Count)"
+                "**Guests with sponsors:** $($Guests.Count - $GuestsWithoutSponsors.Count)"
+                ''
+                '**Top 10 guests without sponsors:**'
+            )
+
+            $Top10Guests = $GuestsWithoutSponsors | Select-Object -First 10
+            foreach ($Guest in $Top10Guests) {
+                $ResultLines += "- $($Guest.displayName) ($($Guest.userPrincipalName))"
+            }
+
+            if ($GuestsWithoutSponsors.Count -gt 10) {
+                $ResultLines += "- ... and $($GuestsWithoutSponsors.Count - 10) more guest(s)"
+            }
+
+            $ResultLines += ''
+            $ResultLines += '**Recommendation:** Assign sponsors to all guest accounts for better accountability and lifecycle management.'
+
+            $Result = $ResultLines -join "`n"
         }
 
         Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21886.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21886.ps1
@@ -20,7 +20,32 @@ function Invoke-CippTestZTNA21886 {
         }
 
         $Status = 'Investigate'
-        $Result = "Found $($AppsWithSSO.Count) application(s) configured for SSO. Provisioning template and job validation requires Graph API synchronization endpoint not available in cache."
+
+        $ResultLines = @(
+            "Found $($AppsWithSSO.Count) application(s) configured for SSO."
+            ''
+            '**Applications with SSO enabled:**'
+        )
+
+        $SSOByType = $AppsWithSSO | Group-Object -Property preferredSingleSignOnMode
+        foreach ($Group in $SSOByType) {
+            $ResultLines += ""
+            $ResultLines += "**$($Group.Name.ToUpper()) SSO** ($($Group.Count) app(s)):"
+            $Top5 = $Group.Group | Select-Object -First 5
+            foreach ($App in $Top5) {
+                $ResultLines += "- $($App.displayName)"
+            }
+            if ($Group.Count -gt 5) {
+                $ResultLines += "- ... and $($Group.Count - 5) more"
+            }
+        }
+
+        $ResultLines += ''
+        $ResultLines += '**Note:** Provisioning template and job validation requires Graph API synchronization endpoint not available in cache.'
+        $ResultLines += ''
+        $ResultLines += '**Recommendation:** Configure automatic user provisioning for applications that support it to ensure consistent access management.'
+
+        $Result = $ResultLines -join "`n"
 
         Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
     } catch {
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21896.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21896.ps1
@@ -0,0 +1,56 @@
+function Invoke-CippTestZTNA21896 {
+    param($Tenant)
+
+    try {
+        $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
+        if (-not $ServicePrincipals) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21896' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Service principal data not found in database' -Risk 'Medium' -Name 'Service principals do not have certificates or credentials associated with them' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        $MicrosoftOwnerId = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'
+        $SPsWithPassCreds = $ServicePrincipals | Where-Object {
+            $_.passwordCredentials -and $_.passwordCredentials.Count -gt 0 -and $_.appOwnerOrganizationId -ne $MicrosoftOwnerId
+        }
+        $SPsWithKeyCreds = $ServicePrincipals | Where-Object {
+            $_.keyCredentials -and $_.keyCredentials.Count -gt 0 -and $_.appOwnerOrganizationId -ne $MicrosoftOwnerId
+        }
+
+        if (-not $SPsWithPassCreds -and -not $SPsWithKeyCreds) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21896' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'Service principals do not have credentials associated with them' -Risk 'Medium' -Name 'Service principals do not have certificates or credentials associated with them' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        $TotalWithCreds = $SPsWithPassCreds.Count + $SPsWithKeyCreds.Count
+        $Status = 'Investigate'
+
+        $ResultLines = @(
+            "Found $TotalWithCreds service principal(s) with credentials configured in the tenant, which represents a security risk."
+            ''
+        )
+
+        if ($SPsWithPassCreds.Count -gt 0) {
+            $ResultLines += "**Service principals with password credentials:** $($SPsWithPassCreds.Count)"
+            $ResultLines += ''
+        }
+
+        if ($SPsWithKeyCreds.Count -gt 0) {
+            $ResultLines += "**Service principals with key credentials (certificates):** $($SPsWithKeyCreds.Count)"
+            $ResultLines += ''
+        }
+
+        $ResultLines += '**Security implications:**'
+        $ResultLines += '- Service principals with credentials can be compromised if not properly secured'
+        $ResultLines += '- Password credentials are less secure than managed identities or certificate-based authentication'
+        $ResultLines += '- Consider using managed identities where possible to eliminate credential management'
+
+        $Result = $ResultLines -join "`n"
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21896' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Service principals do not have certificates or credentials associated with them' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+    catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21896' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Service principals do not have certificates or credentials associated with them' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21992.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21992.ps1
@@ -0,0 +1,110 @@
+function Invoke-CippTestZTNA21992 {
+    param($Tenant)
+
+    try {
+        $Apps = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Apps'
+        $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
+
+        if (-not $Apps -and -not $ServicePrincipals) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21992' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Application and service principal data not found in database' -Risk 'High' -Name 'Application certificates must be rotated on a regular basis' -UserImpact 'Low' -ImplementationEffort 'High' -Category 'Application management'
+            return
+        }
+
+        $RotationThresholdDays = 180
+        $ThresholdDate = (Get-Date).AddDays(-$RotationThresholdDays)
+
+        $OldAppCerts = @()
+        if ($Apps) {
+            $OldAppCerts = $Apps | Where-Object {
+                $_.keyCredentials -and $_.keyCredentials.Count -gt 0
+            } | ForEach-Object {
+                $App = $_
+                $OldestCert = $App.keyCredentials | Where-Object { $_.startDateTime } | ForEach-Object {
+                    [DateTime]$_.startDateTime
+                } | Sort-Object | Select-Object -First 1
+
+                if ($OldestCert -and $OldestCert -lt $ThresholdDate) {
+                    [PSCustomObject]@{
+                        Type           = 'Application'
+                        DisplayName    = $App.displayName
+                        AppId          = $App.appId
+                        Id             = $App.id
+                        OldestCertDate = $OldestCert
+                    }
+                }
+            }
+        }
+
+        $OldSPCerts = @()
+        if ($ServicePrincipals) {
+            $OldSPCerts = $ServicePrincipals | Where-Object {
+                $_.keyCredentials -and $_.keyCredentials.Count -gt 0
+            } | ForEach-Object {
+                $SP = $_
+                $OldestCert = $SP.keyCredentials | Where-Object { $_.startDateTime } | ForEach-Object {
+                    [DateTime]$_.startDateTime
+                } | Sort-Object | Select-Object -First 1
+
+                if ($OldestCert -and $OldestCert -lt $ThresholdDate) {
+                    [PSCustomObject]@{
+                        Type           = 'ServicePrincipal'
+                        DisplayName    = $SP.displayName
+                        AppId          = $SP.appId
+                        Id             = $SP.id
+                        OldestCertDate = $OldestCert
+                    }
+                }
+            }
+        }
+
+        if ($OldAppCerts.Count -eq 0 -and $OldSPCerts.Count -eq 0) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21992' -TestType 'Identity' -Status 'Passed' -ResultMarkdown "Certificates for applications in your tenant have been issued within $RotationThresholdDays days" -Risk 'High' -Name 'Application certificates must be rotated on a regular basis' -UserImpact 'Low' -ImplementationEffort 'High' -Category 'Application management'
+            return
+        }
+
+        $Status = 'Failed'
+
+        $ResultLines = @(
+            "Found $($OldAppCerts.Count) application(s) and $($OldSPCerts.Count) service principal(s) with certificates not rotated within $RotationThresholdDays days."
+            ''
+            "**Certificate rotation threshold:** $RotationThresholdDays days"
+            ''
+        )
+
+        if ($OldAppCerts.Count -gt 0) {
+            $ResultLines += '**Applications with old certificates:**'
+            $Top10Apps = $OldAppCerts | Select-Object -First 10
+            foreach ($App in $Top10Apps) {
+                $DaysOld = [Math]::Round(((Get-Date) - $App.OldestCertDate).TotalDays, 0)
+                $ResultLines += "- $($App.DisplayName) (Certificate age: $DaysOld days)"
+            }
+            if ($OldAppCerts.Count -gt 10) {
+                $ResultLines += "- ... and $($OldAppCerts.Count - 10) more application(s)"
+            }
+            $ResultLines += ''
+        }
+
+        if ($OldSPCerts.Count -gt 0) {
+            $ResultLines += '**Service principals with old certificates:**'
+            $Top10SPs = $OldSPCerts | Select-Object -First 10
+            foreach ($SP in $Top10SPs) {
+                $DaysOld = [Math]::Round(((Get-Date) - $SP.OldestCertDate).TotalDays, 0)
+                $ResultLines += "- $($SP.DisplayName) (Certificate age: $DaysOld days)"
+            }
+            if ($OldSPCerts.Count -gt 10) {
+                $ResultLines += "- ... and $($OldSPCerts.Count - 10) more service principal(s)"
+            }
+            $ResultLines += ''
+        }
+
+        $ResultLines += '**Recommendation:** Rotate certificates regularly to reduce the risk of credential compromise.'
+
+        $Result = $ResultLines -join "`n"
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21992' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name 'Application certificates must be rotated on a regular basis' -UserImpact 'Low' -ImplementationEffort 'High' -Category 'Application management'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21992' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Application certificates must be rotated on a regular basis' -UserImpact 'Low' -ImplementationEffort 'High' -Category 'Application management'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA22128.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA22128.ps1
