Merge pull request #645 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 1e4a2f93dfd0 · 2025-12-24T12:41:21.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Set-CIPPDBCacheGuests.ps1 b/Modules/CIPPCore/Public/Set-CIPPDBCacheGuests.ps1
@@ -15,7 +15,7 @@ function Set-CIPPDBCacheGuests {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching guest users' -sev Info
 
-        $Guests = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=userType eq 'Guest'&`$top=999" -tenantid $TenantFilter
+        $Guests = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=userType eq 'Guest'&`$expand=sponsors&`$top=999" -tenantid $TenantFilter
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Guests' -Data $Guests
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Guests' -Data $Guests -Count
         $Guests = $null
diff --git a/Modules/CIPPCore/Public/Set-CIPPDBCacheServicePrincipals.ps1 b/Modules/CIPPCore/Public/Set-CIPPDBCacheServicePrincipals.ps1
@@ -15,7 +15,7 @@ function Set-CIPPDBCacheServicePrincipals {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching service principals' -sev Info
 
-        $ServicePrincipals = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals?$top=999&$select=id,appId,displayName,servicePrincipalType,accountEnabled' -tenantid $TenantFilter
+        $ServicePrincipals = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals' -tenantid $TenantFilter
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ServicePrincipals' -Data $ServicePrincipals
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ServicePrincipals' -Data $ServicePrincipals -Count
         $ServicePrincipals = $null
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21858.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21858.ps1
@@ -0,0 +1,89 @@
+function Invoke-CippTestZTNA21858 {
+    param($Tenant)
+
+    try {
+        $Guests = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Guests'
+        if (-not $Guests) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21858' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Guest user data not found in database' -Risk 'Medium' -Name 'Inactive guest identities are disabled or removed from the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+            return
+        }
+
+        $InactivityThresholdDays = 90
+        $Today = Get-Date
+        $EnabledGuests = $Guests | Where-Object { $_.AccountEnabled -eq $true }
+
+        if (-not $EnabledGuests) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21858' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'No guest users found in the tenant' -Risk 'Medium' -Name 'Inactive guest identities are disabled or removed from the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+            return
+        }
+
+        $InactiveGuests = @()
+        foreach ($Guest in $EnabledGuests) {
+            $DaysSinceLastActivity = $null
+
+            if ($Guest.signInActivity.lastSuccessfulSignInDateTime) {
+                $LastSignIn = [DateTime]$Guest.signInActivity.lastSuccessfulSignInDateTime
+                $DaysSinceLastActivity = ($Today - $LastSignIn).Days
+            } elseif ($Guest.createdDateTime) {
+                $Created = [DateTime]$Guest.createdDateTime
+                $DaysSinceLastActivity = ($Today - $Created).Days
+            }
+
+            if ($null -ne $DaysSinceLastActivity -and $DaysSinceLastActivity -gt $InactivityThresholdDays) {
+                $InactiveGuests += $Guest
+            }
+        }
+
+        if ($InactiveGuests.Count -gt 0) {
+            $Status = 'Failed'
+
+            $ResultLines = @(
+                "Found $($InactiveGuests.Count) inactive guest user(s) with no sign-in activity in the last $InactivityThresholdDays days."
+                ''
+                "**Total enabled guests:** $($EnabledGuests.Count)"
+                "**Inactive guests:** $($InactiveGuests.Count)"
+                "**Inactivity threshold:** $InactivityThresholdDays days"
+                ''
+                '**Top 10 inactive guest users:**'
+            )
+
+            $Top10Guests = $InactiveGuests | Sort-Object {
+                if ($_.signInActivity.lastSuccessfulSignInDateTime) {
+                    [DateTime]$_.signInActivity.lastSuccessfulSignInDateTime
+                } else {
+                    [DateTime]$_.createdDateTime
+                }
+            } | Select-Object -First 10
+
+            foreach ($Guest in $Top10Guests) {
+                if ($Guest.signInActivity.lastSuccessfulSignInDateTime) {
+                    $LastActivity = [DateTime]$Guest.signInActivity.lastSuccessfulSignInDateTime
+                    $DaysInactive = [Math]::Round(($Today - $LastActivity).TotalDays, 0)
+                    $ResultLines += "- $($Guest.displayName) ($($Guest.userPrincipalName)) - Last sign-in: $DaysInactive days ago"
+                } else {
+                    $Created = [DateTime]$Guest.createdDateTime
+                    $DaysSinceCreated = [Math]::Round(($Today - $Created).TotalDays, 0)
+                    $ResultLines += "- $($Guest.displayName) ($($Guest.userPrincipalName)) - Never signed in (Created $DaysSinceCreated days ago)"
+                }
+            }
+
+            if ($InactiveGuests.Count -gt 10) {
+                $ResultLines += "- ... and $($InactiveGuests.Count - 10) more inactive guest(s)"
+            }
+
+            $ResultLines += ''
+            $ResultLines += '**Recommendation:** Review and remove or disable inactive guest accounts to reduce security risks.'
+
+            $Result = $ResultLines -join "`n"
+        } else {
+            $Status = 'Passed'
+            $Result = "All enabled guest users have been active within the last $InactivityThresholdDays days"
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21858' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Inactive guest identities are disabled or removed from the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21858' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Inactive guest identities are disabled or removed from the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21868.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21868.ps1
@@ -0,0 +1,21 @@
+function Invoke-CippTestZTNA21868 {
+    param($Tenant)
+
+    try {
+        $Guests = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Guests'
+        $Apps = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Apps'
+        $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
+
+        if (-not $Guests -or -not $Apps -or -not $ServicePrincipals) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21868' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Required data not found in database' -Risk 'Medium' -Name 'Guests do not own apps in the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+            return
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21868' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'This test requires Graph API calls to check application and service principal ownership. Owner relationships are not cached.' -Risk 'Medium' -Name 'Guests do not own apps in the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    }
+    catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21868' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Guests do not own apps in the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21869.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21869.ps1
@@ -0,0 +1,54 @@
+function Invoke-CippTestZTNA21869 {
+    param($Tenant)
+
+    try {
+        $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
+        if (-not $ServicePrincipals) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Service principal data not found in database' -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        $AppsWithoutAssignment = $ServicePrincipals | Where-Object {
+            $_.appRoleAssignmentRequired -eq $false -and
+            $null -ne $_.preferredSingleSignOnMode -and
+            $_.preferredSingleSignOnMode -in @('password', 'saml', 'oidc') -and
+            $_.accountEnabled -eq $true
+        }
+
+        if (-not $AppsWithoutAssignment) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'All enterprise applications have explicit assignment requirements' -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        $Status = 'Investigate'
+
+        $ResultLines = @(
+            "Found $($AppsWithoutAssignment.Count) enterprise application(s) without assignment requirements."
+            ''
+            '**Applications without user assignment requirements:**'
+        )
+
+        $Top10Apps = $AppsWithoutAssignment | Select-Object -First 10
+        foreach ($App in $Top10Apps) {
+            $ResultLines += "- $($App.displayName) (SSO: $($App.preferredSingleSignOnMode))"
+        }
+
+        if ($AppsWithoutAssignment.Count -gt 10) {
+            $ResultLines += "- ... and $($AppsWithoutAssignment.Count - 10) more application(s)"
+        }
+
+        $ResultLines += ''
+        $ResultLines += '**Note:** Full provisioning scope validation requires Graph API synchronization endpoint not available in cache.'
+        $ResultLines += ''
+        $ResultLines += '**Recommendation:** Enable user assignment requirements or configure scoped provisioning to limit application access.'
+
+        $Result = $ResultLines -join "`n"
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+    catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21877.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21877.ps1
@@ -0,0 +1,55 @@
+function Invoke-CippTestZTNA21877 {
+    param($Tenant)
+
+    try {
+        $Guests = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Guests'
+        if (-not $Guests) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Guest user data not found in database' -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        if ($Guests.Count -eq 0) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'No guest accounts found in the tenant' -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        $GuestsWithoutSponsors = $Guests | Where-Object { -not $_.sponsors -or $_.sponsors.Count -eq 0 }
+
+        if ($GuestsWithoutSponsors.Count -eq 0) {
+            $Status = 'Passed'
+            $Result = 'All guest accounts in the tenant have an assigned sponsor'
+        } else {
+            $Status = 'Failed'
+
+            $ResultLines = @(
+                "Found $($GuestsWithoutSponsors.Count) guest user(s) without sponsors out of $($Guests.Count) total guests."
+                ''
+                "**Total guests:** $($Guests.Count)"
+                "**Guests without sponsors:** $($GuestsWithoutSponsors.Count)"
+                "**Guests with sponsors:** $($Guests.Count - $GuestsWithoutSponsors.Count)"
+                ''
+                '**Top 10 guests without sponsors:**'
+            )
+
+            $Top10Guests = $GuestsWithoutSponsors | Select-Object -First 10
+            foreach ($Guest in $Top10Guests) {
+                $ResultLines += "- $($Guest.displayName) ($($Guest.userPrincipalName))"
+            }
+
+            if ($GuestsWithoutSponsors.Count -gt 10) {
+                $ResultLines += "- ... and $($GuestsWithoutSponsors.Count - 10) more guest(s)"
+            }
+
+            $ResultLines += ''
+            $ResultLines += '**Recommendation:** Assign sponsors to all guest accounts for better accountability and lifecycle management.'
+
+            $Result = $ResultLines -join "`n"
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21886.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21886.ps1
@@ -0,0 +1,56 @@
+function Invoke-CippTestZTNA21886 {
+    param($Tenant)
+
+    try {
+        $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
+        if (-not $ServicePrincipals) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Service principal data not found in database' -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
+            return
+        }
+
+        $AppsWithSSO = $ServicePrincipals | Where-Object {
+            $null -ne $_.preferredSingleSignOnMode -and
+            $_.preferredSingleSignOnMode -in @('password', 'saml', 'oidc') -and
+            $_.accountEnabled -eq $true
+        }
+
+        if (-not $AppsWithSSO) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'No applications configured for SSO found' -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
+            return
+        }
+
+        $Status = 'Investigate'
+
+        $ResultLines = @(
+            "Found $($AppsWithSSO.Count) application(s) configured for SSO."
+            ''
+            '**Applications with SSO enabled:**'
+        )
+
+        $SSOByType = $AppsWithSSO | Group-Object -Property preferredSingleSignOnMode
+        foreach ($Group in $SSOByType) {
+            $ResultLines += ""
+            $ResultLines += "**$($Group.Name.ToUpper()) SSO** ($($Group.Count) app(s)):"
+            $Top5 = $Group.Group | Select-Object -First 5
+            foreach ($App in $Top5) {
+                $ResultLines += "- $($App.displayName)"
+            }
+            if ($Group.Count -gt 5) {
+                $ResultLines += "- ... and $($Group.Count - 5) more"
+            }
+        }
+
+        $ResultLines += ''
+        $ResultLines += '**Note:** Provisioning template and job validation requires Graph API synchronization endpoint not available in cache.'
+        $ResultLines += ''
+        $ResultLines += '**Recommendation:** Configure automatic user provisioning for applications that support it to ensure consistent access management.'
+
+        $Result = $ResultLines -join "`n"
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21896.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21896.ps1
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21992.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21992.ps1
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA22128.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA22128.ps1
