Merge pull request KelvinTegelaar#1737 from kris6673/AutoArchive

Feat: Add auto-archiving configuration standard

Author: KelvinTegelaar

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1

@@ -23,6 +23,7 @@ function Invoke-CIPPStandardAntiPhishPolicy {
             "CIS M365 5.0 (2.1.7)"
             "NIST CSF 2.0 (DE.CM-09)"
         ADDEDCOMPONENT
+            {"type":"textField","name":"standards.AntiPhishPolicy.name","label":"Policy Name","required":true,"defaultValue":"CIPP Default Anti-Phishing Policy"}
             {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","defaultValue":1}
             {"type":"switch","label":"Show first contact safety tip","name":"standards.AntiPhishPolicy.EnableFirstContactSafetyTips","defaultValue":true}
             {"type":"switch","label":"Show user impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips","defaultValue":true}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoArchive.ps1

@@ -0,0 +1,96 @@
+function Invoke-CIPPStandardAutoArchive {
+    <#
+    .FUNCTIONALITY
+        Internal
+    .COMPONENT
+        (APIName) AutoArchive
+    .SYNOPSIS
+        (Label) Configure Auto-Archiving Threshold
+    .DESCRIPTION
+        (Helptext) Configures the auto-archiving threshold percentage for the tenant. When a mailbox exceeds this threshold, the oldest items are automatically moved to the archive mailbox. Archive must be enabled manually or via the CIPP standard 'Enable Online Archive for all users'. More information can be found in [Microsoft's documentation.](https://learn.microsoft.com/en-us/exchange/security-and-compliance/messaging-records-management/auto-archiving)
+        (DocsDescription) Configures the auto-archiving threshold at the organization level. Auto-archiving automatically moves the oldest items from a user's primary mailbox to their archive mailbox when mailbox usage exceeds the configured threshold percentage. This prevents mail flow disruptions caused by full mailboxes. Valid range is 80-100, where 100 disables auto-archiving for the tenant. More information can be found in [Microsoft's documentation.](https://learn.microsoft.com/en-us/exchange/security-and-compliance/messaging-records-management/auto-archiving)
+    .NOTES
+        CAT
+            Exchange Standards
+        TAG
+        EXECUTIVETEXT
+            Configures automatic archiving of mailbox items when storage approaches capacity, preventing email delivery failures due to full mailboxes. This proactive storage management ensures business continuity and reduces helpdesk tickets related to mailbox quota issues.
+        ADDEDCOMPONENT
+            {"type":"number","name":"standards.AutoArchive.AutoArchivingThresholdPercentage","label":"Auto-Archiving Threshold Percentage (80-100, default 96, 100 disables)","defaultValue":96}
+        IMPACT
+            Low Impact
+        ADDEDDATE
+            2025-12-11
+        POWERSHELLEQUIVALENT
+            Set-OrganizationConfig -AutoArchivingThresholdPercentage 80-100
+        RECOMMENDEDBY
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/list-standards
+    #>
+
+    param($Tenant, $Settings)
+    $TestResult = Test-CIPPStandardLicense -StandardName 'AutoArchive' -TenantFilter $Tenant -RequiredCapabilities @('EXCHANGE_S_STANDARD', 'EXCHANGE_S_ENTERPRISE', 'EXCHANGE_S_STANDARD_GOV', 'EXCHANGE_S_ENTERPRISE_GOV', 'EXCHANGE_LITE')
+
+    if ($TestResult -eq $false) {
+        Write-Host "We're exiting as the correct license is not present for this standard."
+        return $true
+    }
+
+    # Get the threshold value from settings
+    $DesiredThreshold = [int]($Settings.AutoArchivingThresholdPercentage)
+
+    # Validate the threshold is within valid range
+    if ($DesiredThreshold -lt 80 -or $DesiredThreshold -gt 100) {
+        Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Invalid AutoArchivingThresholdPercentage value: $DesiredThreshold. Must be between 80 and 100." -Sev Error
+        return
+    }
+
+    try {
+        $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig' -Select 'AutoArchivingThresholdPercentage').AutoArchivingThresholdPercentage
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the AutoArchive state for $Tenant. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+        return
+    }
+
+    $CorrectState = $CurrentState -eq $DesiredThreshold
+
+    if ($Settings.remediate -eq $true) {
+        Write-Host 'Time to remediate'
+
+        if ($CorrectState) {
+            Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Auto-archiving threshold is already set to $CurrentState%." -Sev Info
+        } else {
+            try {
+                $null = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams @{ AutoArchivingThresholdPercentage = $DesiredThreshold }
+                Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Auto-archiving threshold has been set to $DesiredThreshold%." -Sev Info
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set auto-archiving threshold. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+            }
+        }
+    }
+
+    if ($Settings.alert -eq $true) {
+
+        if ($CorrectState) {
+            Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Auto-archiving threshold is correctly set to $CurrentState%." -Sev Info
+        } else {
+            Write-StandardsAlert -message "Auto-archiving threshold is set to $CurrentState% but should be $DesiredThreshold%." -object @{ CurrentThreshold = $CurrentState; DesiredThreshold = $DesiredThreshold } -tenant $Tenant -standardName 'AutoArchive' -standardId $Settings.standardId
+            Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Auto-archiving threshold is set to $CurrentState% but should be $DesiredThreshold%." -Sev Info
+        }
+    }
+
+    if ($Settings.report -eq $true) {
+        Add-CIPPBPAField -FieldName 'AutoArchive' -FieldValue $CorrectState -StoreAs bool -Tenant $Tenant
+
+        if ($CorrectState) {
+            $FieldValue = $true
+        } else {
+            $FieldValue = @{ CurrentThreshold = $CurrentState; DesiredThreshold = $DesiredThreshold }
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.AutoArchive' -FieldValue $FieldValue -Tenant $Tenant
+    }
+}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBitLockerKeysForOwnedDevice.ps1

@@ -1,31 +1,29 @@
-function Invoke-CIPPStandardBitLockerKeysForOwnedDevice {
+function Invoke-CIPPStandardBitLockerKeysForOwnedDevice {
     <#
     .FUNCTIONALITY
         Internal
     .COMPONENT
         (APIName) BitLockerKeysForOwnedDevice
     .SYNOPSIS
-        (Label) Restrict users from recovering BitLocker keys for owned devices
+        (Label) Control BitLocker key recovery for owned devices
     .DESCRIPTION
-    (Helptext) Controls whether standard users can recover BitLocker keys for devices they own via Microsoft 365 portals.
-    (DocsDescription) Updates the default user role setting that governs access to BitLocker recovery keys for owned devices. This allows administrators to either permit self-service recovery or require helpdesk involvement through Microsoft Entra authorization policies.
+        (Helptext) Controls whether standard users can recover BitLocker keys for devices they own.
+        (DocsDescription) Updates the Microsoft Entra authorization policy that controls whether standard users can read BitLocker recovery keys for devices they own. Choose to restrict access for tighter security or allow self-service recovery when operational needs require it.
     .NOTES
         CAT
             Entra (AAD) Standards
         TAG
-            "NIST CSF 2.0 (PR.AA-05)"
         EXECUTIVETEXT
-            Ensures administrators retain control over BitLocker recovery secrets when required, while still allowing flexibility to enable self-service recovery when business needs demand it.
+            Gives administrators centralized control over BitLocker recovery secrets—restrict access to ensure IT-assisted recovery flows, or allow self-service when rapid device unlocks are a priority.
         ADDEDCOMPONENT
             {"type":"autoComplete","multiple":false,"creatable":false,"label":"Select state","name":"standards.BitLockerKeysForOwnedDevice.state","options":[{"label":"Restrict","value":"restrict"},{"label":"Allow","value":"allow"}]}
         IMPACT
-            Medium Impact
+            Low Impact
         ADDEDDATE
             2025-10-12
         POWERSHELLEQUIVALENT
             Update-MgBetaPolicyAuthorizationPolicy
         RECOMMENDEDBY
-            "CIPP"
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccessTemplate.ps1

@@ -23,9 +23,10 @@ function Invoke-CIPPStandardConditionalAccessTemplate {
         EXECUTIVETEXT
             Deploys standardized conditional access policies that automatically enforce security requirements based on user location, device compliance, and risk factors. These templates ensure consistent security controls across the organization while enabling secure access to business resources.
         ADDEDCOMPONENT
-            {"type":"autoComplete","name":"TemplateList","multiple":false,"label":"Select Conditional Access Template","api":{"url":"/api/ListCATemplates","labelField":"displayName","valueField":"GUID","queryKey":"ListCATemplates"}}
+            {"type":"autoComplete","name":"TemplateList","multiple":false,"label":"Select Conditional Access Template","api":{"url":"/api/ListCATemplates","labelField":"displayName","valueField":"GUID","queryKey":"ListCATemplates","showRefresh":true,"templateView":{"title":"Conditional Access Policy"}}}
             {"name":"state","label":"What state should we deploy this template in?","type":"radio","options":[{"value":"donotchange","label":"Do not change state"},{"value":"Enabled","label":"Set to enabled"},{"value":"Disabled","label":"Set to disabled"},{"value":"enabledForReportingButNotEnforced","label":"Set to report only"}]}
             {"type":"switch","name":"DisableSD","label":"Disable Security Defaults when deploying policy"}
+            {"type":"switch","name":"CreateGroups","label":"Create groups if they do not exist"}
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1

@@ -23,11 +23,13 @@ function Invoke-CIPPStandardIntuneTemplate {
         EXECUTIVETEXT
             Deploys standardized device management configurations across all corporate devices, ensuring consistent security policies, application settings, and compliance requirements. This template-based approach streamlines device management while maintaining uniform security standards across the organization.
         ADDEDCOMPONENT
-            {"type":"autoComplete","multiple":false,"creatable":false,"required":false,"name":"TemplateList","label":"Select Intune Template","api":{"queryKey":"ListIntuneTemplates-autcomplete","url":"/api/ListIntuneTemplates","labelField":"Displayname","valueField":"GUID"}}
+            {"type":"autoComplete","multiple":false,"creatable":false,"required":false,"name":"TemplateList","label":"Select Intune Template","api":{"queryKey":"ListIntuneTemplates-autcomplete","url":"/api/ListIntuneTemplates","labelField":"Displayname","valueField":"GUID","showRefresh":true,"templateView":{"title":"Intune Template","property":"RAWJson","type":"intune"}}}
             {"type":"autoComplete","multiple":false,"required":false,"creatable":false,"name":"TemplateList-Tags","label":"Or select a package of Intune Templates","api":{"queryKey":"ListIntuneTemplates-tag-autcomplete","url":"/api/ListIntuneTemplates?mode=Tag","labelField":"label","valueField":"value","addedField":{"templates":"templates"}}}
             {"name":"AssignTo","label":"Who should this template be assigned to?","type":"radio","options":[{"label":"Do not assign","value":"On"},{"label":"Assign to all users","value":"allLicensedUsers"},{"label":"Assign to all devices","value":"AllDevices"},{"label":"Assign to all users and devices","value":"AllDevicesAndUsers"},{"label":"Assign to Custom Group","value":"customGroup"}]}
             {"type":"textField","required":false,"name":"customGroup","label":"Enter the custom group name if you selected 'Assign to Custom Group'. Wildcards are allowed."}
             {"name":"excludeGroup","label":"Exclude Groups","type":"textField","required":false,"helpText":"Enter the group name(s) to exclude from the assignment. Wildcards are allowed. Multiple group names are comma-seperated."}
+            {"type":"textField","required":false,"name":"assignmentFilter","label":"Assignment Filter Name (Optional)","helpText":"Enter the assignment filter name to apply to this policy assignment. Wildcards are allowed."}
+            {"name":"assignmentFilterType","label":"Assignment Filter Mode (Optional)","type":"radio","required":false,"helpText":"Choose whether to include or exclude devices matching the filter. Only applies if you specified a filter name above. Defaults to Include if not specified.","options":[{"label":"Include - Assign to devices matching the filter","value":"include"},{"label":"Exclude - Assign to devices NOT matching the filter","value":"exclude"}]}
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1

@@ -20,6 +20,7 @@ function Invoke-CIPPStandardMalwareFilterPolicy {
             "mdo_zapmalware"
             "NIST CSF 2.0 (DE.CM-09)"
         ADDEDCOMPONENT
+            {"type":"textField","name":"standards.MalwareFilterPolicy.name","label":"Policy Name","required":true,"defaultValue":"CIPP Default Malware Policy"}
             {"type":"select","multiple":false,"label":"FileTypeAction","name":"standards.MalwareFilterPolicy.FileTypeAction","options":[{"label":"Reject","value":"Reject"},{"label":"Quarantine the message","value":"Quarantine"}]}
             {"type":"textField","name":"standards.MalwareFilterPolicy.OptionalFileTypes","required":false,"label":"Optional File Types, Comma separated"}
             {"type":"select","multiple":false,"creatable":true,"label":"QuarantineTag","name":"standards.MalwareFilterPolicy.QuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1

@@ -19,6 +19,7 @@ function Invoke-CIPPStandardSafeAttachmentPolicy {
             "mdo_safeattachmentpolicy"
             "NIST CSF 2.0 (DE.CM-09)"
         ADDEDCOMPONENT
+            {"type":"textField","name":"standards.SafeAttachmentPolicy.name","label":"Policy Name","required":true,"defaultValue":"CIPP Default Safe Attachment Policy"}
             {"type":"select","multiple":false,"label":"Safe Attachment Action","name":"standards.SafeAttachmentPolicy.SafeAttachmentAction","options":[{"label":"Allow","value":"Allow"},{"label":"Block","value":"Block"},{"label":"DynamicDelivery","value":"DynamicDelivery"}]}
             {"type":"select","multiple":false,"creatable":true,"label":"QuarantineTag","name":"standards.SafeAttachmentPolicy.QuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
             {"type":"switch","label":"Redirect","name":"standards.SafeAttachmentPolicy.Redirect"}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1

@@ -18,6 +18,7 @@ function Invoke-CIPPStandardSafeLinksPolicy {
             "mdo_safelinksforOfficeApps"
             "NIST CSF 2.0 (DE.CM-09)"
         ADDEDCOMPONENT
+            {"type":"textField","name":"standards.SafeLinksPolicy.name","label":"Policy Name","required":true,"defaultValue":"CIPP Default SafeLinks Policy"}
             {"type":"switch","label":"AllowClickThrough","name":"standards.SafeLinksPolicy.AllowClickThrough"}
             {"type":"switch","label":"DisableUrlRewrite","name":"standards.SafeLinksPolicy.DisableUrlRewrite"}
             {"type":"switch","label":"EnableOrganizationBranding","name":"standards.SafeLinksPolicy.EnableOrganizationBranding"}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecureScoreRemediation.ps1

@@ -8,26 +8,23 @@ function Invoke-CIPPStandardSecureScoreRemediation {
         (Label) Update Secure Score Control Profiles
     .DESCRIPTION
         (Helptext) Allows bulk updating of Secure Score control profiles across tenants. Select controls and assign them to different states: Default, Ignored, Third-Party, or Reviewed.
-        (DocsDescription) Enables automated or template-based updates to Microsoft Secure Score recommendations. This is particularly useful for MSPs managing multiple tenants, allowing you to mark controls as "Third-party" (e.g., when using Mimecast, IronScales, or other third-party security tools) or set them to other states in bulk. This ensures Secure Scores accurately reflect each tenant's true security posture without repetitive manual updates.
+        (DocsDescription) Allows bulk updating of Secure Score control profiles across tenants. Select controls and assign them to different states: Default, Ignored, Third-Party, or Reviewed.
     .NOTES
         CAT
             Global Standards
         TAG
             "lowimpact"
-        EXECUTIVETEXT
-            Automates the management of Secure Score control profiles by allowing bulk updates across tenants. This ensures accurate representation of security posture when using third-party security tools or when certain controls need to be marked as resolved or ignored, significantly reducing manual administrative overhead for MSPs managing multiple clients.
         ADDEDCOMPONENT
-            {"type":"autoComplete","multiple":true,"creatable":true,"name":"standards.SecureScoreRemediation.Default","label":"Controls to set to Default"}
-            {"type":"autoComplete","multiple":true,"creatable":true,"name":"standards.SecureScoreRemediation.Ignored","label":"Controls to set to Ignored"}
-            {"type":"autoComplete","multiple":true,"creatable":true,"name":"standards.SecureScoreRemediation.ThirdParty","label":"Controls to set to Third-Party"}
-            {"type":"autoComplete","multiple":true,"creatable":true,"name":"standards.SecureScoreRemediation.Reviewed","label":"Controls to set to Reviewed"}
+            {"type":"autoComplete","multiple":true,"creatable":true,"required":false,"name":"standards.SecureScoreRemediation.Default","label":"Controls to set to Default","api":{"url":"/secureScore.json","labelField":"title","valueField":"id"}}
+            {"type":"autoComplete","multiple":true,"creatable":true,"required":false,"name":"standards.SecureScoreRemediation.Ignored","label":"Controls to set to Ignored","api":{"url":"/secureScore.json","labelField":"title","valueField":"id"}}
+            {"type":"autoComplete","multiple":true,"creatable":true,"required":false,"name":"standards.SecureScoreRemediation.ThirdParty","label":"Controls to set to Third-Party","api":{"url":"/secureScore.json","labelField":"title","valueField":"id"}}
+            {"type":"autoComplete","multiple":true,"required":false,"creatable":true,"name":"standards.SecureScoreRemediation.Reviewed","label":"Controls to set to Reviewed","api":{"url":"/secureScore.json","labelField":"title","valueField":"id"}}
         IMPACT
             Low Impact
         ADDEDDATE
             2025-11-19
         POWERSHELLEQUIVALENT
             New-GraphPostRequest to /beta/security/secureScoreControlProfiles/{id}
-        RECOMMENDEDBY
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK