Merge pull request #475 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 4eea87abce7e · 2025-10-03T00:41:22.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Config/standards.json b/Config/standards.json
@@ -965,10 +965,18 @@
     "name": "standards.DisableGuests",
     "cat": "Entra (AAD) Standards",
     "tag": [],
-    "helpText": "Blocks login for guest users that have not logged in for 90 days",
-    "executiveText": "Automatically disables external guest accounts that haven't been used for 90 days, reducing security risks from dormant accounts while maintaining access for active external collaborators. This helps maintain a clean user directory and reduces potential attack vectors.",
-    "addedComponent": [],
-    "label": "Disable Guest accounts that have not logged on for 90 days",
+    "helpText": "Blocks login for guest users that have not logged in for a number of days",
+    "executiveText": "Automatically disables external guest accounts that haven't been used for a number of days, reducing security risks from dormant accounts while maintaining access for active external collaborators. This helps maintain a clean user directory and reduces potential attack vectors.",
+    "addedComponent": [
+      {
+        "type": "number",
+        "name": "standards.DisableGuests.days",
+        "required": true,
+        "defaultValue": 90,
+        "label": "Days of inactivity"
+      }
+    ],
+    "label": "Disable Guest accounts that have not logged on for a number of days",
     "impact": "Medium Impact",
     "impactColour": "warning",
     "addedDate": "2022-10-20",
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecAssignPolicy.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecAssignPolicy.ps1
@@ -24,13 +24,26 @@ Function Invoke-ExecAssignPolicy {
 
     $results = try {
         if ($AssignTo) {
-            $null = Set-CIPPAssignedPolicy -PolicyId $ID -TenantFilter $TenantFilter -GroupName $AssignTo -Type $Type -Headers $Headers
+            $AssignmentResult = Set-CIPPAssignedPolicy -PolicyId $ID -TenantFilter $TenantFilter -GroupName $AssignTo -Type $Type -Headers $Headers
+            if ($AssignmentResult) {
+                # Check if it's a warning message (no groups found)
+                if ($AssignmentResult -like "*No groups found*") {
+                    $StatusCode = [HttpStatusCode]::BadRequest
+                } else {
+                    $StatusCode = [HttpStatusCode]::OK
+                }
+                $AssignmentResult
+            } else {
+                $StatusCode = [HttpStatusCode]::OK
+                "Successfully edited policy for $($TenantFilter)"
+            }
+        } else {
+            $StatusCode = [HttpStatusCode]::OK
+            "Successfully edited policy for $($TenantFilter)"
         }
-        "Successfully edited policy for $($TenantFilter)"
-        $StatusCode = [HttpStatusCode]::OK
     } catch {
-        "Failed to add policy for $($TenantFilter): $($_.Exception.Message)"
         $StatusCode = [HttpStatusCode]::InternalServerError
+        "Failed to add policy for $($TenantFilter): $($_.Exception.Message)"
     }
 
 
diff --git a/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1 b/Modules/CIPPCore/Public/Set-CIPPAssignedPolicy.ps1
@@ -51,7 +51,6 @@ function Set-CIPPAssignedPolicy {
                 )
             }
             default {
-                Write-Host "We're supposed to assign a custom group. The group is $GroupName"
                 $GroupNames = $GroupName.Split(',').Trim()
                 $GroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter |
                     ForEach-Object {
@@ -61,6 +60,13 @@ function Set-CIPPAssignedPolicy {
                             }
                         }
                     }
+                
+                if (-not $GroupIds -or $GroupIds.Count -eq 0) {
+                    $ErrorMessage = "No groups found matching the specified name(s): $GroupName. Policy not assigned."
+                    Write-LogMessage -headers $Headers -API $APIName -message $ErrorMessage -Sev 'Warning' -tenant $TenantFilter
+                    return $ErrorMessage
+                }
+                
                 foreach ($gid in $GroupIds) {
                     $assignmentsList.Add(
                         @{
@@ -102,19 +108,21 @@ function Set-CIPPAssignedPolicy {
         }
 
         $AssignJSON = $assignmentsObject | ConvertTo-Json -Depth 10 -Compress
-        Write-Host "AssignJSON: $AssignJSON"
         if ($PSCmdlet.ShouldProcess($GroupName, "Assigning policy $PolicyId")) {
             $uri = "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign"
             $null = New-GraphPOSTRequest -uri $uri -tenantid $TenantFilter -type POST -body $AssignJSON
             if ($ExcludeGroup) {
                 Write-LogMessage -headers $Headers -API $APIName -message "Assigned group '$GroupName' and excluded group '$ExcludeGroup' on Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
+                return "Successfully assigned group '$GroupName' and excluded group '$ExcludeGroup' on Policy $PolicyId"
             } else {
                 Write-LogMessage -headers $Headers -API $APIName -message "Assigned group '$GroupName' on Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter
+                return "Successfully assigned group '$GroupName' on Policy $PolicyId"
             }
         }
 
     } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
         Write-LogMessage -headers $Headers -API $APIName -message "Failed to assign $GroupName to Policy $PolicyId, using Platform $PlatformType and $Type. The error is:$ErrorMessage" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage
+        return "Failed to assign $GroupName to Policy $PolicyId. Error: $ErrorMessage"
     }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
@@ -5,15 +5,18 @@ function Invoke-CIPPStandardDisableGuests {
     .COMPONENT
         (APIName) DisableGuests
     .SYNOPSIS
-        (Label) Disable Guest accounts that have not logged on for 90 days
+        (Label) Disable Guest accounts that have not logged on for a number of days
     .DESCRIPTION
-        (Helptext) Blocks login for guest users that have not logged in for 90 days
-        (DocsDescription) Blocks login for guest users that have not logged in for 90 days
+        (Helptext) Blocks login for guest users that have not logged in for a number of days
+        (DocsDescription) Blocks login for guest users that have not logged in for a number of days
     .NOTES
         CAT
             Entra (AAD) Standards
         TAG
+        EXECUTIVETEXT
+            Automatically disables external guest accounts that haven't been used for a number of days, reducing security risks from dormant accounts while maintaining access for active external collaborators. This helps maintain a clean user directory and reduces potential attack vectors.
         ADDEDCOMPONENT
+            {"type":"number","name":"standards.DisableGuests.days","required":true,"defaultValue":90,"label":"Days of inactivity"}
         IMPACT
             Medium Impact
         ADDEDDATE
@@ -31,27 +34,26 @@ function Invoke-CIPPStandardDisableGuests {
 
     param($Tenant, $Settings)
     ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'DisableGuests'
-
-    $90Days = (Get-Date).AddDays(-90).ToUniversalTime()
-    $Lookup = $90Days.ToString('o')
+    $checkDays = if ($Settings.days) { $Settings.days } else { 90 }
+    $Days = (Get-Date).AddDays(-$checkDays).ToUniversalTime()
+    $Lookup = $Days.ToString('o')
     $AuditLookup = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')
 
     try {
         $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=createdDateTime le $Lookup and userType eq 'Guest' and accountEnabled eq true &`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,createdDateTime,externalUserState" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant |
-        Where-Object { $_.signInActivity.lastSuccessfulSignInDateTime -le $90Days }
-    }
-    catch {
+        Where-Object { $_.signInActivity.lastSuccessfulSignInDateTime -le $Days }
+    } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
         Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the DisableGuests state for $Tenant. Error: $ErrorMessage" -Sev Error
         return
     }
 
     $RecentlyReactivatedUsers = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/auditLogs/directoryAudits?`$filter=activityDisplayName eq 'Enable account' and activityDateTime ge $AuditLookup" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant |
-            ForEach-Object { $_.targetResources[0].id } | Select-Object -Unique)
+        ForEach-Object { $_.targetResources[0].id } | Select-Object -Unique)
 
     $GraphRequest = $GraphRequest | Where-Object { -not ($RecentlyReactivatedUsers -contains $_.id) }
 
-    If ($Settings.remediate -eq $true) {
+    if ($Settings.remediate -eq $true) {
         if ($GraphRequest.Count -gt 0) {
             foreach ($guest in $GraphRequest) {
                 try {
@@ -63,7 +65,7 @@ function Invoke-CIPPStandardDisableGuests {
                 }
             }
         } else {
-            Write-LogMessage -API 'Standards' -tenant $tenant -message 'No guests accounts with a login longer than 90 days ago.' -sev Info
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "No guests accounts with a login longer than $($Settings.days) days ago." -sev Info
         }
 
     }
@@ -72,9 +74,9 @@ function Invoke-CIPPStandardDisableGuests {
         if ($GraphRequest.Count -gt 0) {
             $Filtered = $GraphRequest | Select-Object -Property UserPrincipalName, id, signInActivity, mail, userType, accountEnabled, externalUserState
             Write-StandardsAlert -message "Guests accounts with a login longer than 90 days ago: $($GraphRequest.count)" -object $Filtered -tenant $tenant -standardName 'DisableGuests' -standardId $Settings.standardId
-            Write-LogMessage -API 'Standards' -tenant $tenant -message "Guests accounts with a login longer than 90 days ago: $($GraphRequest.count)" -sev Info
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "Guests accounts with a login longer than $($Settings.days) days ago: $($GraphRequest.count)" -sev Info
         } else {
-            Write-LogMessage -API 'Standards' -tenant $tenant -message 'No guests accounts with a login longer than 90 days ago.' -sev Info
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "No guests accounts with a login longer than $($Settings.days) days ago." -sev Info
         }
     }
     if ($Settings.report -eq $true) {

Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,6 @@ function Set-CIPPAssignedPolicy {`
`51`	`51`	`)`
`52`	`52`	`}`
`53`	`53`	`default {`
`54`		`- Write-Host "We're supposed to assign a custom group. The group is $GroupName"`
`55`	`54`	`$GroupNames = $GroupName.Split(',').Trim()`
`56`	`55`	`$GroupIds = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter \|`
`57`	`56`	`ForEach-Object {`
`@@ -61,6 +60,13 @@ function Set-CIPPAssignedPolicy {`
`61`	`60`	`}`
`62`	`61`	`}`
`63`	`62`	`}`
	`63`	`+`
	`64`	`+ if (-not $GroupIds -or $GroupIds.Count -eq 0) {`
	`65`	`+ $ErrorMessage = "No groups found matching the specified name(s): $GroupName. Policy not assigned."`
	`66`	`+ Write-LogMessage -headers $Headers -API $APIName -message $ErrorMessage -Sev 'Warning' -tenant $TenantFilter`
	`67`	`+ return $ErrorMessage`
	`68`	`+ }`
	`69`	`+`
`64`	`70`	`foreach ($gid in $GroupIds) {`
`65`	`71`	`$assignmentsList.Add(`
`66`	`72`	`@{`
`@@ -102,19 +108,21 @@ function Set-CIPPAssignedPolicy {`
`102`	`108`	`}`
`103`	`109`
`104`	`110`	`$AssignJSON = $assignmentsObject \| ConvertTo-Json -Depth 10 -Compress`
`105`		`- Write-Host "AssignJSON: $AssignJSON"`
`106`	`111`	`if ($PSCmdlet.ShouldProcess($GroupName, "Assigning policy $PolicyId")) {`
`107`	`112`	`$uri = "https://graph.microsoft.com/beta/$($PlatformType)/$Type('$($PolicyId)')/assign"`
`108`	`113`	`$null = New-GraphPOSTRequest -uri $uri -tenantid $TenantFilter -type POST -body $AssignJSON`
`109`	`114`	`if ($ExcludeGroup) {`
`110`	`115`	`Write-LogMessage -headers $Headers -API $APIName -message "Assigned group '$GroupName' and excluded group '$ExcludeGroup' on Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter`
	`116`	`+ return "Successfully assigned group '$GroupName' and excluded group '$ExcludeGroup' on Policy $PolicyId"`
`111`	`117`	`} else {`
`112`	`118`	`Write-LogMessage -headers $Headers -API $APIName -message "Assigned group '$GroupName' on Policy $PolicyId" -Sev 'Info' -tenant $TenantFilter`
	`119`	`+ return "Successfully assigned group '$GroupName' on Policy $PolicyId"`
`113`	`120`	`}`
`114`	`121`	`}`
`115`	`122`
`116`	`123`	`} catch {`
`117`	`124`	`$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message`
`118`	`125`	`Write-LogMessage -headers $Headers -API $APIName -message "Failed to assign $GroupName to Policy $PolicyId, using Platform $PlatformType and $Type. The error is:$ErrorMessage" -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage`
	`126`	`+ return "Failed to assign $GroupName to Policy $PolicyId. Error: $ErrorMessage"`
`119`	`127`	`}`
`120`	`128`	`}`