Merge pull request #248 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 5047c3f6a831 · 2025-05-16T12:41:05.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecSetMailboxEmailSize.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecSetMailboxEmailSize.ps1
@@ -0,0 +1,49 @@
+using namespace System.Net
+
+Function Invoke-ExecSetMailboxEmailSize {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Exchange.Mailbox.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -Headers $User -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    # Interact with query parameters or the body of the request.
+    $Tenant = $Request.Body.tenantFilter
+    $UserPrincipalName = $Request.Body.UPN
+    $UserID = $Request.Body.id
+    $MaxSendSize = $Request.Body.maxSendSize
+    $MaxReceiveSize = $Request.Body.maxReceiveSize
+
+    try {
+        $Params = @{
+            TenantFilter      = $Tenant
+            APIName           = $APIName
+            Headers           = $Headers
+            UserPrincipalName = $UserPrincipalName
+            UserID            = $UserID
+            MaxSendSize       = $MaxSendSize
+            MaxReceiveSize    = $MaxReceiveSize
+        }
+        if ([string]::IsNullOrWhiteSpace($MaxSendSize)) { $Params.Remove('MaxSendSize') }
+        if ([string]::IsNullOrWhiteSpace($MaxReceiveSize)) { $Params.Remove('MaxReceiveSize') }
+        $Result = Set-CippMaxEmailSize @Params
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $Result = "$($_.Exception.Message)"
+        $StatusCode = [HttpStatusCode]::InternalServerError
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = @{ Results = $Result }
+        })
+
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecDeviceAction.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecDeviceAction.ps1
@@ -15,36 +15,45 @@ Function Invoke-ExecDeviceAction {
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
     # Interact with Body parameters or the body of the request.
-
+    $Action = $Request.Body.Action
+    $DeviceFilter = $Request.Body.GUID
+    $TenantFilter = $Request.Body.tenantFilter
 
     try {
-        if ($Request.Body.Action -eq 'setDeviceName') {
-            $ActionBody = @{ deviceName = $Request.Body.input } | ConvertTo-Json -Compress
-        }
-        else {
-            $ActionBody = $Request.Body | ConvertTo-Json -Compress
+        switch ($Action) {
+            'setDeviceName' {
+                $ActionBody = @{ deviceName = $Request.Body.input } | ConvertTo-Json -Compress
+                break
+            }
+            'users' {
+                $ActionBody = @{ '@odata.id' = "https://graph.microsoft.com/beta/users('$($Request.Body.user.value)')" } | ConvertTo-Json -Compress
+                Write-Host "ActionBody: $ActionBody"
+                break
+            }
+            Default { $ActionBody = $Request.Body | ConvertTo-Json -Compress }
         }
 
-        $cmdparams = @{
-            Action = $Request.Body.Action
-            ActionBody = $ActionBody
-            DeviceFilter = $Request.Body.GUID
-            TenantFilter = $Request.Body.TenantFilter
-            Headers = $Request.Headers
-            APINAME = $APINAME
+        $cmdParams = @{
+            Action       = $Action
+            ActionBody   = $ActionBody
+            DeviceFilter = $DeviceFilter
+            TenantFilter = $TenantFilter
+            Headers      = $Headers
+            APINAME      = $APIName
         }
-        $ActionResult = New-CIPPDeviceAction @cmdparams
+        $ActionResult = New-CIPPDeviceAction @cmdParams
 
-        $body = [pscustomobject]@{'Results' = "$ActionResult" }
+        $StatusCode = [HttpStatusCode]::OK
+        $Results = "$ActionResult"
 
     } catch {
-        $body = [pscustomobject]@{'Results' = "Failed to queue action $action on $DeviceFilter $($_.Exception.Message)" }
+        $StatusCode = [HttpStatusCode]::InternalServerError
+        $Results = "$($_.Exception.Message)"
     }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-            StatusCode = [HttpStatusCode]::OK
-            Body       = $body
+            StatusCode = $StatusCode
+            Body       = @{ 'Results' = $Results }
         })
-
 }
diff --git a/Modules/CIPPCore/Public/New-CIPPDeviceAction.ps1 b/Modules/CIPPCore/Public/New-CIPPDeviceAction.ps1
@@ -6,20 +6,27 @@ function New-CIPPDeviceAction {
         $DeviceFilter,
         $TenantFilter,
         $Headers,
-        $APINAME
+        $APIName
     )
     try {
-        if ($action -eq 'delete') {
-            $null = New-Graphpostrequest -uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$DeviceFilter" -type DELETE -tenantid $TenantFilter
-            Write-LogMessage -headers $Headers -API $APINAME -tenant $TenantFilter -message "Queued $Action on $DeviceFilter" -Sev 'Info'
-            return "Queued $Action on $DeviceFilter"
+        if ($Action -eq 'delete') {
+            $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$DeviceFilter" -type DELETE -tenantid $TenantFilter
+        } elseif ($Action -eq 'users') {
+            $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$DeviceFilter')/$($Action)/`$ref" -type POST -tenantid $TenantFilter -body $ActionBody
+            $regex = "(?<=\(')([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})(?='|\))"
+            $PrimaryUser = $ActionBody | Select-String -Pattern $regex -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value
+            $Result = "Changed primary user on device $DeviceFilter to $PrimaryUser"
+        } else {
+            $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$DeviceFilter')/$($Action)" -type POST -tenantid $TenantFilter -body $ActionBody
+            $Result = "Queued $Action on $DeviceFilter"
         }
-        $null = New-Graphpostrequest -uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices('$DeviceFilter')/$($Action)" -type POST -tenantid $TenantFilter -body $ActionBody
-        Write-LogMessage -headers $Headers -API $APINAME -tenant $TenantFilter -message "Queued $Action on $DeviceFilter" -Sev 'Info'
-        return "Queued $Action on $DeviceFilter"
+
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -Sev Info
+        return $Result
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        Write-LogMessage -headers $Headers -API $APINAME -tenant $TenantFilter -message "Failed to queue action $Action on $DeviceFilter : $($ErrorMessage.NormalizedError)" -Sev 'Error' -LogData $ErrorMessage
-        return    "Failed to queue action $Action on $DeviceFilter $($ErrorMessage.NormalizedError)"
+        $Result = "Failed to queue action $Action on $DeviceFilter : $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -Sev Error -LogData $ErrorMessage
+        throw $Result
     }
 }
diff --git a/Modules/CIPPCore/Public/Set-CippMaxEmailSize.ps1 b/Modules/CIPPCore/Public/Set-CippMaxEmailSize.ps1
@@ -0,0 +1,57 @@
+function Set-CippMaxEmailSize {
+    [CmdletBinding()]
+    param (
+        $Headers,
+        $TenantFilter,
+        $APIName = 'Mailbox Max Send/Receive Size',
+        $UserPrincipalName,
+        $UserID,
+        [ValidateRange(1, 150)]
+        [Int32]$MaxSendSize,
+        [ValidateRange(1, 150)]
+        [Int32]$MaxReceiveSize
+    )
+
+    try {
+        # Id the ID is provided, use it. Otherwise, use the UPN
+        $Identity = $UserID ?? $UserPrincipalName
+        if ([string]::IsNullOrWhiteSpace($Identity)) {
+            $Result = 'No identity provided. Cannot set mailbox email max size.'
+            Write-LogMessage -headers $Headers -API $APIName -message $Result -Sev Error -tenant $TenantFilter
+            throw $Result
+        }
+
+        if ($MaxSendSize -eq 0 -and $MaxReceiveSize -eq 0) {
+            $Result = 'No max send or receive size provided. Cannot set mailbox email max size.'
+            Write-LogMessage -headers $Headers -API $APIName -message $Result -Sev Error -tenant $TenantFilter
+            throw $Result
+        }
+
+        $cmdletParams = @{
+            Identity = $Identity
+        }
+        # Set the max send and receive size if they are provided. Convert to bytes
+        if ($MaxSendSize -gt 0) { $cmdletParams['MaxSendSize'] = $MaxSendSize * 1MB }
+        if ($MaxReceiveSize -gt 0) { $cmdletParams['MaxReceiveSize'] = $MaxReceiveSize * 1MB }
+
+        $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Set-Mailbox' -cmdParams $cmdletParams
+
+        # Use UPN for logging if provided
+        $Identity = $UserPrincipalName ?? $UserID
+        $Result = "Set mailbox email max size for $($Identity) to "
+        if ($MaxSendSize -gt 0) { $Result += "Send: $($MaxSendSize)MB " }
+        if ($MaxReceiveSize -gt 0) { $Result += "Receive: $($MaxReceiveSize)MB" }
+
+        Write-LogMessage -headers $Headers -API $APIName -message $Result -Sev Info -tenant $TenantFilter
+        return $Result
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+
+        # Use UPN for logging if provided
+        $Identity = $UserPrincipalName ?? $UserID
+        $Result = "Failed to set mailbox email max size for $($Identity). Error: $($ErrorMessage)"
+
+        Write-LogMessage -headers $Headers -API $APIName -message $Result -Sev Error -tenant $TenantFilter -LogData $ErrorMessage
+        throw $Result
+    }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1
@@ -42,25 +42,23 @@ function Invoke-CIPPStandardProfilePhotos {
     # true if wanted state is enabled, false if disabled
     $DesiredState = $StateValue -eq 'enabled'
 
-    <#
-    HACK This does not work, as the API endpoint is not available via GDAP it seems? It works in the Graph Explorer, but not here.
-    The error is: "Authorization failed because of missing requirement(s)."
-    I'm keeping the code here for now, so it's much easier to re-enable if Microsoft makes it possible someday. -Bobby
-    #>
-
     # Get current Graph policy state
-    # $Uri = 'https://graph.microsoft.com/beta/admin/people/photoUpdateSettings'
-    # $CurrentGraphState = New-GraphGetRequest -uri $Uri -tenantid $Tenant
-    # $UsersCanChangePhotos = if (($CurrentGraphState.allowedRoles -contains 'fe930be7-5e62-47db-91af-98c3a49a38b1' -and $CurrentGraphState.allowedRoles -contains '62e90394-69f5-4237-9190-012177145e10') -or
-    #     $null -ne $CurrentGraphState.allowedRoles) { $false } else { $true }
-    # $GraphStateCorrect = $UsersCanChangePhotos -eq $DesiredState
+    $Uri = 'https://graph.microsoft.com/beta/admin/people/photoUpdateSettings'
+    $CurrentGraphState = New-GraphGetRequest -uri $Uri -tenantid $Tenant
+    $UsersCanChangePhotos = if ([string]::IsNullOrWhiteSpace($CurrentGraphState.allowedRoles) ) { $true } else { $false }
+    $GraphStateCorrect = $UsersCanChangePhotos -eq $DesiredState
 
+    if ($UsersCanChangePhotos -eq $false -and $DesiredState -eq $false) {
+        # Check if the correct roles are present
+        $GraphStateCorrect = $CurrentGraphState.allowedRoles -contains '62e90394-69f5-4237-9190-012177145e10' -and $CurrentGraphState.allowedRoles -contains 'fe930be7-5e62-47db-91af-98c3a49a38b1'
+    }
 
     # Get current OWA mailbox policy state
     $CurrentOWAState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OwaMailboxPolicy' -cmdParams @{Identity = 'OwaMailboxPolicy-Default' } -Select 'Identity,SetPhotoEnabled'
     $OWAStateCorrect = $CurrentOWAState.SetPhotoEnabled -eq $DesiredState
-    # $CurrentStatesCorrect = $GraphStateCorrect -eq $true -and $OWAStateCorrect -eq $true
-    $CurrentStatesCorrect = $OWAStateCorrect -eq $true
+
+    # Check if both states are correct
+    $CurrentStatesCorrect = $GraphStateCorrect -eq $true -and $OWAStateCorrect -eq $true
 
     if ($Settings.remediate -eq $true) {
         Write-Host 'Time to remediate'
@@ -72,23 +70,23 @@ function Invoke-CIPPStandardProfilePhotos {
                     Write-Host 'Enabling'
                     # Enable photo updates
                     $null = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OwaMailboxPolicy' -cmdParams @{Identity = $CurrentOWAState.Identity; SetPhotoEnabled = $true } -useSystemMailbox $true
-                    # $null = New-GraphRequest -uri $Uri -tenant $Tenant -type DELETE
+                    $null = New-GraphPostRequest -uri $Uri -tenant $Tenant -type DELETE -AsApp $true
                     Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set Profile photo settings to $StateValue" -sev Info
 
                 } else {
                     Write-Host 'Disabling'
                     # Disable photo updates
                     $null = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OwaMailboxPolicy' -cmdParams @{Identity = $CurrentOWAState.Identity; SetPhotoEnabled = $false } -useSystemMailbox $true
 
-                    # $body = @{
-                    #     source       = 'cloud'
-                    #     allowedRoles = @(
-                    #         'fe930be7-5e62-47db-91af-98c3a49a38b1', # Global admin
-                    #         '62e90394-69f5-4237-9190-012177145e10'  # User admin
-                    #     )
-                    # }
-                    # $body = ConvertTo-Json -InputObject $body -Depth 5 -Compress
-                    # $null = New-GraphPostRequest -uri $Uri -tenant $Tenant -body $body -type PATCH -AsApp $true
+                    $body = @{
+                        source       = 'cloud'
+                        allowedRoles = @(
+                            'fe930be7-5e62-47db-91af-98c3a49a38b1', # Global admin
+                            '62e90394-69f5-4237-9190-012177145e10'  # User admin
+                        )
+                    }
+                    $body = ConvertTo-Json -InputObject $body -Depth 5 -Compress
+                    $null = New-GraphPostRequest -uri $Uri -tenant $Tenant -body $body -type PATCH -AsApp $true
                     Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set Profile photo settings to $StateValue" -sev Info
                 }
             } catch {
@@ -115,7 +113,10 @@ function Invoke-CIPPStandardProfilePhotos {
         if ($CurrentStatesCorrect) {
             $FieldValue = $true
         } else {
-            $FieldValue = $CurrentOWAState
+            $FieldValue = [PSCustomObject]@{
+                OwaStateCorrect   = $OWAStateCorrect
+                GraphStateCorrect = $GraphStateCorrect
+            }
         }
         Set-CIPPStandardsCompareField -FieldName 'standards.ProfilePhotos' -FieldValue $FieldValue -Tenant $Tenant
     }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalAccessPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalAccessPolicy.ps1
@@ -15,7 +15,6 @@ function Invoke-CIPPStandardTeamsExternalAccessPolicy {
         TAG
         ADDEDCOMPONENT
             {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnableFederationAccess","label":"Allow communication from trusted organizations"}
-            {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnablePublicCloudAccess","label":"Allow user to communicate with Skype users"}
             {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnableTeamsConsumerAccess","label":"Allow communication with unmanaged Teams accounts"}
         IMPACT
             Medium Impact
@@ -35,23 +34,20 @@ function Invoke-CIPPStandardTeamsExternalAccessPolicy {
 
     $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsExternalAccessPolicy' -CmdParams @{Identity = 'Global' } | Select-Object *
 
-    if ($null -eq $Settings.EnableFederationAccess) { $Settings.EnableFederationAccess = $false }
-    if ($null -eq $Settings.EnablePublicCloudAccess) { $Settings.EnablePublicCloudAccess = $false }
-    if ($null -eq $Settings.EnableTeamsConsumerAccess) { $Settings.EnableTeamsConsumerAccess = $false }
+    $EnableFederationAccess = $Settings.EnableFederationAccess ?? $false
+    $EnableTeamsConsumerAccess = $Settings.EnableTeamsConsumerAccess ?? $false
 
-    $StateIsCorrect = ($CurrentState.EnableFederationAccess -eq $Settings.EnableFederationAccess) -and
-    ($CurrentState.EnablePublicCloudAccess -eq $Settings.EnablePublicCloudAccess) -and
-    ($CurrentState.EnableTeamsConsumerAccess -eq $Settings.EnableTeamsConsumerAccess)
+    $StateIsCorrect = ($CurrentState.EnableFederationAccess -eq $EnableFederationAccess) -and
+    ($CurrentState.EnableTeamsConsumerAccess -eq $EnableTeamsConsumerAccess)
 
     if ($Settings.remediate -eq $true) {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $Tenant -message 'External Access Policy already set.' -sev Info
         } else {
             $cmdParams = @{
                 Identity                  = 'Global'
-                EnableFederationAccess    = $Settings.EnableFederationAccess
-                EnablePublicCloudAccess   = $Settings.EnablePublicCloudAccess
-                EnableTeamsConsumerAccess = $Settings.EnableTeamsConsumerAccess
+                EnableFederationAccess    = $EnableFederationAccess
+                EnableTeamsConsumerAccess = $EnableTeamsConsumerAccess
             }
 
             try {
@@ -76,10 +72,10 @@ function Invoke-CIPPStandardTeamsExternalAccessPolicy {
     if ($Settings.report -eq $true) {
         Add-CIPPBPAField -FieldName 'TeamsExternalAccessPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
 
-        if ($StateIsCorrect) {
+        if ($StateIsCorrect -eq $true) {
             $FieldValue = $true
         } else {
-            $FieldValue = $CurrentState | Select-Object EnableFederationAccess, EnablePublicCloudAccess, EnableTeamsConsumerAccess
+            $FieldValue = $CurrentState | Select-Object EnableFederationAccess, EnableTeamsConsumerAccess
         }
 
         Set-CIPPStandardsCompareField -FieldName 'standards.TeamsExternalAccessPolicy' -FieldValue $FieldValue -Tenant $Tenant
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsFederationConfiguration.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsFederationConfiguration.ps1
@@ -15,7 +15,6 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
         TAG
         ADDEDCOMPONENT
             {"type":"switch","name":"standards.TeamsFederationConfiguration.AllowTeamsConsumer","label":"Allow users to communicate with other organizations"}
-            {"type":"switch","name":"standards.TeamsFederationConfiguration.AllowPublicUsers","label":"Allow users to communicate with Skype Users"}
             {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsFederationConfiguration.DomainControl","label":"Communication Mode","options":[{"label":"Allow all external domains","value":"AllowAllExternal"},{"label":"Block all external domains","value":"BlockAllExternal"},{"label":"Allow specific external domains","value":"AllowSpecificExternal"},{"label":"Block specific external domains","value":"BlockSpecificExternal"}]}
             {"type":"textField","name":"standards.TeamsFederationConfiguration.DomainList","label":"Domains, Comma separated","required":false}
         IMPACT
@@ -87,7 +86,6 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
     $BlockedDomainsMatches = -not (Compare-Object -ReferenceObject $BlockedDomains -DifferenceObject $CurrentState.BlockedDomains)
 
     $StateIsCorrect = ($CurrentState.AllowTeamsConsumer -eq $Settings.AllowTeamsConsumer) -and
-    ($CurrentState.AllowPublicUsers -eq $Settings.AllowPublicUsers) -and
     ($CurrentState.AllowFederatedUsers -eq $AllowFederatedUsers) -and
     $AllowedDomainsMatches -and
     $BlockedDomainsMatches
@@ -99,7 +97,6 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
             $cmdParams = @{
                 Identity            = 'Global'
                 AllowTeamsConsumer  = $Settings.AllowTeamsConsumer
-                AllowPublicUsers    = $Settings.AllowPublicUsers
                 AllowFederatedUsers = $AllowFederatedUsers
                 BlockedDomains      = $BlockedDomains
             }
@@ -134,7 +131,7 @@ function Invoke-CIPPStandardTeamsFederationConfiguration {
         if ($StateIsCorrect -eq $true) {
             $FieldValue = $true
         } else {
-            $FieldValue = $CurrentState
+            $FieldValue = $CurrentState | Select-Object AllowTeamsConsumer, AllowFederatedUsers, AllowedDomains, BlockedDomains
         }
         Set-CIPPStandardsCompareField -FieldName 'standards.TeamsFederationConfiguration' -FieldValue $FieldValue -Tenant $Tenant
     }
