Merge pull request #330 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/AuditLogs/New-CippAuditLogSearch.ps1

@@ -147,7 +147,7 @@ function New-CippAuditLogSearch {
     if ($IPAddressFilters) {
         $SearchParams.ipAddressFilters = @($IPAddressFilters)
     }
-    if ($ObjectIdFilterss) {
+    if ($ObjectIdFilters) {
         $SearchParams.objectIdFilters = @($ObjectIdFilters)
     }
     if ($AdministrativeUnitFilters) {

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserDomain.ps1

@@ -83,7 +83,7 @@ function Push-DomainAnalyserDomain {
     # Setup Score Explanation
     $ScoreExplanation = [System.Collections.Generic.List[string]]::new()
 
-    # Check MX Record
+    #Region MX Check
     $MXRecord = Read-MXRecord -Domain $Domain -ErrorAction Stop
 
     $Result.ExpectedSPFRecord = $MXRecord.ExpectedInclude
@@ -106,8 +106,9 @@ function Push-DomainAnalyserDomain {
     } else {
         $Result.MailProvider = $MXRecord.MailProvider.Name
     }
+    #EndRegion MX Check
 
-    # Get SPF Record
+    #Region SPF Check
     try {
         $SPFRecord = Read-SpfRecord -Domain $Domain -ErrorAction Stop
         if ($SPFRecord.RecordCount -gt 0) {
@@ -126,21 +127,21 @@ function Push-DomainAnalyserDomain {
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
     }
 
-    # Check SPF Record
-    $Result.SPFPassAll = $false
 
     # Check warning + fail counts to ensure all tests pass
     #$SPFWarnCount = $SPFRecord.ValidationWarns | Measure-Object | Select-Object -ExpandProperty Count
     $SPFFailCount = $SPFRecord.ValidationFails | Measure-Object | Select-Object -ExpandProperty Count
+    $Result.SPFPassAll = $false
 
     if ($SPFFailCount -eq 0) {
         $ScoreDomain += $Scores.SPFCorrectAll
         $Result.SPFPassAll = $true
     } else {
         $ScoreExplanation.Add('SPF record did not pass validation') | Out-Null
     }
+    #EndRegion SPF Check
 
-    # Get DMARC Record
+    #Region DMARC Check
     try {
         $DMARCPolicy = Read-DmarcPolicy -Domain $Domain -ErrorAction Stop
 
@@ -188,8 +189,9 @@ function Push-DomainAnalyserDomain {
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
         #return $Message
     }
+    #EndRegion DMARC Check
 
-    # DNS Sec Check
+    #Region DNS Sec Check
     try {
         $DNSSECResult = Test-DNSSEC -Domain $Domain -ErrorAction Stop
         $DNSSECFailCount = $DNSSECResult.ValidationFails | Measure-Object | Select-Object -ExpandProperty Count
@@ -206,8 +208,9 @@ function Push-DomainAnalyserDomain {
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
         #return $Message
     }
+    #EndRegion DNS Sec Check
 
-    # DKIM Check
+    #Region DKIM Check
     try {
         $DkimParams = @{
             Domain                       = $Domain
@@ -241,7 +244,9 @@ function Push-DomainAnalyserDomain {
         Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message $Message -LogData (Get-CippException -Exception $_) -sev Error
         #return $Message
     }
+    #EndRegion DKIM Check
 
+    #Region MSCNAME DKIM Records
     # Get Microsoft DKIM CNAME selector Records
     # Ugly, but i needed to create a scope/loop i could break out of without breaking the rest of the function
     foreach ($d in $Domain) {
@@ -250,7 +255,7 @@ function Push-DomainAnalyserDomain {
             if ($Result.DKIMEnabled -eq $true) {
                 continue
             }
-            # Test if its a onmicrosft.com domain, skip domain if it is
+            # Test if its a onmicrosoft.com domain, skip domain if it is
             if ($Domain -match 'onmicrosoft.com') {
                 continue
             }
@@ -264,28 +269,21 @@ function Push-DomainAnalyserDomain {
                 }
             }
 
+            # Get the DKIM record from EXO. This is the only way to get the correct values for the MSCNAME records since the new format was introduced in May 2025.
+            $DKIM = (New-ExoRequest -tenantid $Tenant.Tenant -cmdlet 'Get-DkimSigningConfig' -Select 'Domain,Selector1CNAME,Selector2CNAME') | Where-Object { $_.Domain -eq $Domain }
 
-            # Compute the DKIM CNAME records from $Tenant.InitialDomainName according to this logic: https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dkim-configure#syntax-for-dkim-cname-records
-            # Test if it has a - in the domain name
-            if ($Domain -like '*-*') {
-                Write-Information 'Domain has a - in it. Got to query EXO for the right values'
-                $DKIM = (New-ExoRequest -tenantid $Tenant.Tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Domain -eq $Domain } | Select-Object Domain, Selector1CNAME, Selector2CNAME
-
-                # If no DKIM signing record is found, create a new disabled one
-                if ($null -eq $DKIM) {
-                    Write-Information 'No DKIM record found in EXO - Creating new signing'
-                    $NewDKIMSigningRequest = New-ExoRequest -tenantid $Tenant.Tenant -cmdlet 'New-DkimSigningConfig' -cmdParams @{  KeySize = 2048; DomainName = $Domain; Enabled = $false }
-                    $Selector1Value = $NewDKIMSigningRequest.Selector1CNAME
-                    $Selector2Value = $NewDKIMSigningRequest.Selector2CNAME
-                } else {
-                    $Selector1Value = $DKIM.Selector1CNAME
-                    $Selector2Value = $DKIM.Selector2CNAME
-                }
+            # If no DKIM signing record is found, create a new disabled one
+            if ($null -eq $DKIM) {
+                Write-Information 'No DKIM record found in EXO - Creating new signing'
+                $NewDKIMSigningRequest = New-ExoRequest -tenantid $Tenant.Tenant -cmdlet 'New-DkimSigningConfig' -cmdParams @{  KeySize = 2048; DomainName = $Domain; Enabled = $false }
+                $Selector1Value = $NewDKIMSigningRequest.Selector1CNAME
+                $Selector2Value = $NewDKIMSigningRequest.Selector2CNAME
             } else {
-                $Selector1Value = "selector1-$($Domain -replace '\.', '-' )._domainkey.$($Tenant.InitialDomainName)"
-                $Selector2Value = "selector2-$($Domain -replace '\.', '-' )._domainkey.$($Tenant.InitialDomainName)"
+                $Selector1Value = $DKIM.Selector1CNAME
+                $Selector2Value = $DKIM.Selector2CNAME
             }
 
+
             # Create the MSCNAME object
             $MSCNAMERecords = [PSCustomObject]@{
                 Domain    = $Domain
@@ -304,7 +302,7 @@ function Push-DomainAnalyserDomain {
             Write-LogMessage -API 'DomainAnalyser' -tenant $DomainObject.TenantId -message "MS CNAME DKIM error: $($ErrorMessage.NormalizedError)" -LogData $ErrorMessage -sev Error
         }
     }
-
+    #EndRegion MSCNAME DKIM Records
     # Final Score
     $Result.Score = $ScoreDomain
     $Result.ScorePercentage = [int](($Result.Score / $Result.MaximumScore) * 100)

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-AddSharedMailbox.ps1

@@ -29,7 +29,7 @@ Function Invoke-AddSharedMailbox {
             Shared             = $true
         }
         $AddSharedRequest = New-ExoRequest -tenantid $Tenant -cmdlet 'New-Mailbox' -cmdParams $BodyToShip
-        $Body = $Results.Add("Successfully created shared mailbox: $Email.")
+        $Body = $Results.Add("Successfully created shared mailbox: $Email")
         Write-LogMessage -Headers $Headers -API $APIName -tenant $Tenant -message "Created shared mailbox $($MailboxObject.displayName) with email $Email" -Sev 'Info'
 
         # Block sign-in for the mailbox
@@ -38,7 +38,7 @@ Function Invoke-AddSharedMailbox {
             $Body = $Results.Add("Blocked sign-in for shared mailbox $Email")
         } catch {
             $ErrorMessage = Get-CippException -Exception $_
-            $Message = "Failed to block sign-in for shared mailbox $Email. Error: $($ErrorMessage.NormalizedError)"
+            $Message = "Failed to block sign-in for shared mailbox $Email Error: $($ErrorMessage.NormalizedError)"
             Write-LogMessage -Headers $Headers -API $APIName -tenant $Tenant -message $Message -Sev 'Error' -LogData $ErrorMessage
             $Body = $Results.Add($Message)
         }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecSetOoO.ps1

@@ -30,8 +30,8 @@ Function Invoke-ExecSetOoO {
         # User action uses input, edit exchange uses InternalMessage and ExternalMessage
         # User action disable OoO doesn't send any input
         if ($Request.Body.input) {
-            $InternalMessage = $Request.Body.input
-            $ExternalMessage = $Request.Body.input
+            $SplatParams.InternalMessage = $Request.Body.input
+            $SplatParams.ExternalMessage = $Request.Body.input
         } else {
             $InternalMessage = $Request.Body.InternalMessage
             $ExternalMessage = $Request.Body.ExternalMessage

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-EditGroup.ps1

@@ -55,7 +55,7 @@ function Invoke-EditGroup {
             Write-Host "body: $($PatchObj | ConvertTo-Json -Depth 10 -Compress)" -ForegroundColor Yellow
             if ($UserObj.membershipRules) { $PatchObj | Add-Member -MemberType NoteProperty -Name 'membershipRule' -Value $UserObj.membershipRules -Force }
             try {
-                $patch = New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $UserObj.tenantFilter -body ($PatchObj | ConvertTo-Json -Depth 10 -Compress)
+                $null = New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $UserObj.tenantFilter -body ($PatchObj | ConvertTo-Json -Depth 10 -Compress)
                 $Results.Add("Success - Edited group properties for $($GroupName) group. It might take some time to reflect the changes.")
                 Write-LogMessage -headers $Headers -API $APIName -tenant $UserObj.tenantFilter -message "Edited group properties for $($GroupName) group" -Sev 'Info'
             } catch {
@@ -134,7 +134,7 @@ function Invoke-EditGroup {
                         })
                 } else {
                     Write-LogMessage -API $APIName -tenant $TenantId -headers $Headers -message 'You cannot add a Contact to a Security Group or a M365 Group' -Sev 'Error'
-                    $null = $Results.Add('Error - You cannot add a contact to a Security Group or a M365 Group')
+                    $Results.Add('Error - You cannot add a contact to a Security Group or a M365 Group')
                 }
             } catch {
                 Write-Warning "Error in AddContacts: $($_.Exception.Message)"
@@ -162,7 +162,7 @@ function Invoke-EditGroup {
                         })
                 } else {
                     Write-LogMessage -API $APIName-tenant $TenantId -headers $Headers -message 'You cannot remove a contact from a Security Group' -Sev 'Error'
-                    $null = $Results.Add('You cannot remove a contact from a Security Group')
+                    $Results.Add('You cannot remove a contact from a Security Group')
                 }
             }
         }
@@ -260,7 +260,7 @@ function Invoke-EditGroup {
     if ($GroupType -in @( 'Distribution List', 'Mail-Enabled Security') -and ($AddOwners -or $RemoveOwners)) {
         $CurrentOwners = New-ExoRequest -tenantid $TenantId -cmdlet 'Get-DistributionGroup' -cmdParams @{ Identity = $GroupId } -UseSystemMailbox $true | Select-Object -ExpandProperty ManagedBy
 
-        $NewManagedBy = [system.collections.generic.list[string]]::new()
+        $NewManagedBy = [System.Collections.Generic.List[string]]::new()
         foreach ($CurrentOwner in $CurrentOwners) {
             if ($RemoveOwners -and $RemoveOwners.addedFields.id -contains $CurrentOwner) {
                 $OwnerToRemove = $RemoveOwners | Where-Object { $_.addedFields.id -eq $CurrentOwner }
@@ -330,7 +330,7 @@ function Invoke-EditGroup {
         foreach ($ExoError in $LastError.error) {
             $Sev = 'Error'
             $Results.Add("Error - $ExoError")
-            Write-LogMessage -headers $Headers -API $APIName -tenant $TenantId -message $Message -Sev $Sev
+            Write-LogMessage -headers $Headers -API $APIName -tenant $TenantId -message $ExoError -Sev $Sev
         }
 
         foreach ($ExoLog in $ExoLogs) {
@@ -344,39 +344,65 @@ function Invoke-EditGroup {
         }
     }
 
-    if ($UserObj.allowExternal -eq $true -and $GroupType -ne 'Security') {
+    # Only process allowExternal if it was explicitly sent
+    if ($null -ne $UserObj.allowExternal -and $GroupType -ne 'Security') {
         try {
-            Set-CIPPGroupAuthentication -ID $UserObj.mail -OnlyAllowInternal (!$UserObj.allowExternal) -GroupType $GroupType -tenantFilter $TenantId -APIName $APIName -Headers $Headers
-            $body = $Results.Add("Allowed external senders to send to $($UserObj.mail).")
+            $OnlyAllowInternal = $UserObj.allowExternal -eq $true ? $false : $true
+            Set-CIPPGroupAuthentication -ID $UserObj.mail -OnlyAllowInternal $OnlyAllowInternal -GroupType $GroupType -tenantFilter $TenantId -APIName $APIName -Headers $Headers
+            if ($UserObj.allowExternal -eq $true) {
+                $Results.Add("Allowed external senders to send to $($UserObj.mail).")
+            } else {
+                $Results.Add("Blocked external senders from sending to $($UserObj.mail).")
+            }
         } catch {
-            $body = $Results.Add("Failed to allow external senders to send to $($UserObj.mail).")
-            Write-LogMessage -headers $Headers -API $APIName -tenant $TenantId -message "Failed to allow external senders for $($UserObj.mail). Error:$($_.Exception.Message)" -Sev 'Error'
+            $action = if ($UserObj.allowExternal -eq $true) { 'allow' } else { 'block' }
+            $Results.Add("Failed to $action external senders for $($UserObj.mail).")
         }
-
     }
 
-    if ($UserObj.sendCopies -eq $true) {
+    # Only process sendCopies if it was explicitly sent
+    if ($null -ne $UserObj.sendCopies) {
         try {
-            $Params = @{ Identity = $GroupId; subscriptionEnabled = $true; AutoSubscribeNewMembers = $true }
-            New-ExoRequest -tenantid $TenantId -cmdlet 'Set-UnifiedGroup' -cmdParams $Params -useSystemMailbox $true
-
-            $MemberParams = @{ Identity = $GroupId; LinkType = 'members' }
-            $Members = New-ExoRequest -tenantid $TenantId -cmdlet 'Get-UnifiedGroupLinks' -cmdParams $MemberParams
+            if ($UserObj.sendCopies -eq $true) {
+                $Params = @{ Identity = $GroupId; subscriptionEnabled = $true; AutoSubscribeNewMembers = $true }
+                New-ExoRequest -tenantid $TenantId -cmdlet 'Set-UnifiedGroup' -cmdParams $Params -useSystemMailbox $true
+
+                $MemberParams = @{ Identity = $GroupId; LinkType = 'members' }
+                $Members = New-ExoRequest -tenantid $TenantId -cmdlet 'Get-UnifiedGroupLinks' -cmdParams $MemberParams
+
+                $MembershipIds = $Members | ForEach-Object { $_.ExternalDirectoryObjectId }
+                if ($MembershipIds) {
+                    $subscriberParams = @{ Identity = $GroupId; LinkType = 'subscribers'; Links = @($MembershipIds | Where-Object { $_ }) }
+
+                    try {
+                        New-ExoRequest -tenantid $TenantId -cmdlet 'Add-UnifiedGroupLinks' -cmdParams $subscriberParams -Anchor $UserObj.mail
+                    } catch {
+                        $ErrorMessage = Get-CippException -Exception $_
+                        Write-Warning "Error in SendCopies: Add-UnifiedGroupLinks $($ErrorMessage.NormalizedError) - $($_.InvocationInfo.ScriptLineNumber)"
+                        throw "Error in SendCopies: Add-UnifiedGroupLinks $($ErrorMessage.NormalizedError)"
+                    }
 
-            $MemberSmtpAddresses = $Members | ForEach-Object { $_.PrimarySmtpAddress }
+                }
 
-            if ($MemberSmtpAddresses) {
-                $subscriberParams = @{ Identity = $GroupId; LinkType = 'subscribers'; Links = @($MemberSmtpAddresses | Where-Object { $_ }) }
-                New-ExoRequest -tenantid $TenantId -cmdlet 'Add-UnifiedGroupLinks' -cmdParams $subscriberParams -Anchor $UserObj.mail
+                $Results.Add("Send Copies of team emails and events to team members inboxes for $($UserObj.mail) enabled.")
+                Write-LogMessage -headers $Headers -API $APIName -tenant $TenantId -message "Send Copies of team emails and events to team members inboxes for $($UserObj.mail) enabled." -Sev 'Info'
+            } else {
+                # Disable send copies. Has to be done in 2 calls, otherwise it fails saying AutoSubscribeNewMembers cannot be true when subscriptionEnabled is false.
+                # Why this happens and can't be done in one call, only Bill Gates and the mystical gods of Exchange knows.
+                $Params = @{ Identity = $GroupId; AutoSubscribeNewMembers = $false }
+                $null = New-ExoRequest -tenantid $TenantId -cmdlet 'Set-UnifiedGroup' -cmdParams $Params -useSystemMailbox $true
+                $Params = @{ Identity = $GroupId; subscriptionEnabled = $false }
+                $null = New-ExoRequest -tenantid $TenantId -cmdlet 'Set-UnifiedGroup' -cmdParams $Params -useSystemMailbox $true
+
+                $Results.Add("Send Copies of team emails and events to team members inboxes for $($UserObj.mail) disabled.")
+                Write-LogMessage -headers $Headers -API $APIName -tenant $TenantId -message "Send Copies of team emails and events to team members inboxes for $($UserObj.mail) disabled." -Sev 'Info'
             }
-
-            $body = $Results.Add("Send Copies of team emails and events to team members inboxes for $($UserObj.mail) enabled.")
-            Write-LogMessage -headers $Headers -API $APIName -tenant $TenantId -message "Send Copies of team emails and events to team members inboxes for $($UserObj.mail) enabled." -Sev 'Info'
         } catch {
-            Write-Warning "Error in SendCopies: $($_.Exception.Message) - $($_.InvocationInfo.ScriptLineNumber)"
-            Write-Warning ($_.InvocationInfo.PositionMessage)
-            $body = $Results.Add("Failed to Send Copies of team emails and events to team members inboxes for $($UserObj.mail).")
-            Write-LogMessage -headers $Headers -API $APIName -tenant $TenantId -message "Failed to Send Copies of team emails and events to team members inboxes for $($UserObj.mail). Error:$($_.Exception.Message)" -Sev 'Error'
+            $ErrorMessage = Get-CippException -Exception $_
+            Write-Warning "Error in SendCopies: $($ErrorMessage.NormalizedError) - $($_.InvocationInfo.ScriptLineNumber)"
+            $action = if ($UserObj.sendCopies -eq $true) { 'enable' } else { 'disable' }
+            $Results.Add("Failed to $action Send Copies of team emails and events to team members inboxes for $($UserObj.mail).")
+            Write-LogMessage -headers $Headers -API $APIName -tenant $TenantId -message "Failed to $action Send Copies of team emails and events to team members inboxes for $($UserObj.mail). Error:$($ErrorMessage.NormalizedError)" -Sev 'Error' -LogData $ErrorMessage
         }
     }