Merge pull request #315 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1

@@ -30,6 +30,8 @@ function Push-DomainAnalyserTenant {
                 '*.signature365.net'
                 '*.myteamsconnect.io'
                 '*.teams.dstny.com'
+                '*.msteams.8x8.com'
+                '*.ucconnect.co.uk'
             )
             $Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant.customerId | Where-Object { $_.isVerified -eq $true } | ForEach-Object {
                 $Domain = $_

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecAccessChecks.ps1

@@ -1,6 +1,6 @@
 using namespace System.Net
 
-Function Invoke-ExecAccessChecks {
+function Invoke-ExecAccessChecks {
     <#
     .FUNCTIONALITY
         Entrypoint
@@ -50,16 +50,17 @@ Function Invoke-ExecAccessChecks {
                     $Results = foreach ($Tenant in $Tenants) {
                         $TenantCheck = $AccessChecks | Where-Object -Property RowKey -EQ $Tenant.customerId | Select-Object -Property Data
                         $TenantResult = [PSCustomObject]@{
-                            TenantId          = $Tenant.customerId
-                            TenantName        = $Tenant.displayName
-                            DefaultDomainName = $Tenant.defaultDomainName
-                            GraphStatus       = 'Not run yet'
-                            ExchangeStatus    = 'Not run yet'
-                            GDAPRoles         = ''
-                            MissingRoles      = ''
-                            LastRun           = ''
-                            GraphTest         = ''
-                            ExchangeTest      = ''
+                            TenantId           = $Tenant.customerId
+                            TenantName         = $Tenant.displayName
+                            DefaultDomainName  = $Tenant.defaultDomainName
+                            GraphStatus        = 'Not run yet'
+                            ExchangeStatus     = 'Not run yet'
+                            GDAPRoles          = ''
+                            MissingRoles       = ''
+                            LastRun            = ''
+                            GraphTest          = ''
+                            ExchangeTest       = ''
+                            OrgManagementRoles = @()
                         }
                         if ($TenantCheck) {
                             $Data = @($TenantCheck.Data | ConvertFrom-Json -ErrorAction Stop)
@@ -70,6 +71,7 @@ Function Invoke-ExecAccessChecks {
                             $TenantResult.LastRun = $Data.LastRun
                             $TenantResult.GraphTest = $Data.GraphTest
                             $TenantResult.ExchangeTest = $Data.ExchangeTest
+                            $TenantResult.OrgManagementRoles = $Data.OrgManagementRoles
                         }
                         $TenantResult
                     }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecCreateTAP.ps1

@@ -17,9 +17,23 @@ Function Invoke-ExecCreateTAP {
     # Interact with query parameters or the body of the request.
     $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
     $UserID = $Request.Query.ID ?? $Request.Body.ID
+    $LifetimeInMinutes = $Request.Query.lifetimeInMinutes ?? $Request.Body.lifetimeInMinutes
+    $IsUsableOnce = $Request.Query.isUsableOnce ?? $Request.Body.isUsableOnce
+    $StartDateTime = $Request.Query.startDateTime ?? $Request.Body.startDateTime
 
     try {
-        $TAPResult = New-CIPPTAP -userid $UserID -TenantFilter $TenantFilter -APIName $APIName -Headers $Headers
+        # Create parameter hashtable for splatting
+        $TAPParams = @{
+            UserID            = $UserID
+            TenantFilter      = $TenantFilter
+            APIName           = $APIName
+            Headers           = $Headers
+            LifetimeInMinutes = $LifetimeInMinutes
+            IsUsableOnce      = $IsUsableOnce
+            StartDateTime     = $StartDateTime
+        }
+
+        $TAPResult = New-CIPPTAP @TAPParams
 
         # Create results array with both TAP and UserID as separate items
         $Results = @(
@@ -33,7 +47,7 @@ Function Invoke-ExecCreateTAP {
 
         $StatusCode = [HttpStatusCode]::OK
     } catch {
-        $Results = Get-NormalizedError -message $_.Exception.Message
+        $Results = $_.Exception.Message
         $StatusCode = [HttpStatusCode]::InternalServerError
     }
 

Modules/CIPPCore/Public/New-CIPPTAP.ps1

@@ -1,28 +1,75 @@
 function New-CIPPTAP {
     [CmdletBinding()]
     param (
-        $userid,
+        $UserID,
         $TenantFilter,
         $APIName = 'Create TAP',
-        $Headers
+        $Headers,
+        $LifetimeInMinutes,
+        [bool]$IsUsableOnce,
+        $StartDateTime
     )
 
     try {
-        $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($userid)/authentication/temporaryAccessPassMethods" -tenantid $TenantFilter -type POST -body '{}' -verbose
-        Write-LogMessage -headers $Headers -API $APIName -message "Created Temporary Access Password (TAP) for $userid" -Sev 'Info' -tenant $TenantFilter
+        # Build the request body based on provided parameters
+        $RequestBody = @{}
+
+        if ($LifetimeInMinutes) {
+            $RequestBody.lifetimeInMinutes = [int]$LifetimeInMinutes
+        }
+
+        if ($null -ne $IsUsableOnce) {
+            $RequestBody.isUsableOnce = $IsUsableOnce
+        }
+
+        if ($StartDateTime) {
+            # Convert Unix timestamp to DateTime if it's a number
+            if ($StartDateTime -match '^\d+$') {
+                $dateTime = [DateTimeOffset]::FromUnixTimeSeconds([int]$StartDateTime).DateTime
+                $RequestBody.startDateTime = Get-Date $dateTime -Format 'o'
+            } else {
+                # If it's already a date string, format it properly
+                $dateTime = Get-Date $StartDateTime
+                $RequestBody.startDateTime = Get-Date $dateTime -Format 'o'
+            }
+        }
+
+        # Convert request body to JSON
+        $BodyJson = if ($RequestBody) { $RequestBody | ConvertTo-Json } else { '{}' }
+        $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($UserID)/authentication/temporaryAccessPassMethods" -tenantid $TenantFilter -type POST -body $BodyJson -verbose
+
+        # Build log message parts based on actual response values
+        $logParts = [System.Collections.Generic.List[string]]::new()
+        $logParts.Add("Lifetime: $($GraphRequest.lifetimeInMinutes) minutes")
+
+        $logParts.Add($GraphRequest.isUsableOnce ? 'one-time use' : 'multi-use')
+
+        $logParts.Add($StartDateTime ? "starts at $(Get-Date $GraphRequest.startDateTime -Format 'yyyy-MM-dd HH:mm:ss') UTC" : 'starts immediately')
+
+        # Create parameter string for logging
+        $paramString = ' with ' + ($logParts -join ', ')
+
+        Write-LogMessage -headers $Headers -API $APIName -message "Created Temporary Access Password (TAP) for $UserID$paramString" -Sev 'Info' -tenant $TenantFilter
+
+        # Build result text with parameters
+        $resultText = "The TAP for $UserID is $($GraphRequest.temporaryAccessPass) - This TAP is usable for the next $($GraphRequest.LifetimeInMinutes) minutes"
+        $resultText += $GraphRequest.isUsableOnce ? ' (one-time use only)' : ''
+        $resultText += $StartDateTime ? " starting at $(Get-Date $GraphRequest.startDateTime -Format 'yyyy-MM-dd HH:mm:ss') UTC" : ''
+
         return @{
-            resultText          = "The TAP for $userid is $($GraphRequest.temporaryAccessPass) - This TAP is usable for the next $($GraphRequest.LifetimeInMinutes) minutes"
-            userid              = $userid
+            resultText          = $resultText
+            userId              = $UserID
             copyField           = $GraphRequest.temporaryAccessPass
             temporaryAccessPass = $GraphRequest.temporaryAccessPass
             lifetimeInMinutes   = $GraphRequest.LifetimeInMinutes
             startDateTime       = $GraphRequest.startDateTime
+            isUsableOnce        = $GraphRequest.isUsableOnce
             state               = 'success'
         }
 
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
-        $Result = "Failed to create Temporary Access Password (TAP) for $($userid): $($ErrorMessage.NormalizedError)"
+        $Result = "Failed to create Temporary Access Password (TAP) for $($UserID): $($ErrorMessage.NormalizedError)"
         Write-LogMessage -headers $Headers -API $APIName -message $Result -Sev 'Error' -tenant $TenantFilter -LogData $ErrorMessage
         throw $Result
     }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1

@@ -76,6 +76,8 @@ function Invoke-CIPPStandardAddDKIM {
         '*.signature365.net'
         '*.myteamsconnect.io'
         '*.teams.dstny.com'
+        '*.msteams.8x8.com'
+        '*.ucconnect.co.uk'
     )
 
     $AllDomains = ($BatchResults | Where-Object { $_.DomainName }).DomainName | ForEach-Object {

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDMARCToMOERA.ps1

@@ -0,0 +1,142 @@
+function Invoke-CIPPStandardAddDMARCToMOERA {
+    <#
+    .FUNCTIONALITY
+        Internal
+    .COMPONENT
+        (APIName) AddDMARCToMOERA
+    .SYNOPSIS
+        (Label) Enables DMARC on MOERA (onmicrosoft.com) domains
+    .DESCRIPTION
+        (Helptext) Note: requires 'Domain Name Administrator' GDAP role. This should be enabled even if the MOERA (onmicrosoft.com) domains is not used for sending. Enabling this prevents email spoofing. The default value is 'v=DMARC1; p=reject;' recommended because the domain is only used within M365 and reporting is not needed. Omitting pct tag default to 100%
+        (DocsDescription) Note: requires 'Domain Name Administrator' GDAP role. Adds a DMARC record to MOERA (onmicrosoft.com) domains. This should be enabled even if the MOERA (onmicrosoft.com) domains is not used for sending. Enabling this prevents email spoofing. The default record is 'v=DMARC1; p=reject;' recommended because the domain is only used within M365 and reporting is not needed. Omitting pct tag default to 100%
+    .NOTES
+        CAT
+            Global Standards
+        TAG
+            "CIS"
+            "Security"
+            "PhishingProtection"
+        ADDEDCOMPONENT
+            {"type":"autoComplete","multiple":false,"creatable":true,"required":false,"placeholder":"v=DMARC1; p=reject; (recommended)","label":"Value","name":"standards.AddDMARCToMOERA.RecordValue","options":[{"label":"v=DMARC1; p=reject; (recommended)","value":"v=DMARC1; p=reject;"}]}
+        IMPACT
+            Low Impact
+        ADDEDDATE
+            2025-06-16
+        POWERSHELLEQUIVALENT
+            Portal only
+        RECOMMENDEDBY
+            "CIS"
+            "Microsoft"
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/list-standards
+    #>
+
+    param($Tenant, $Settings)
+    #$Rerun -Type Standard -Tenant $Tenant -API 'AddDMARCToMOERA' -Settings $Settings
+
+    $RecordModel = [PSCustomObject]@{
+        HostName = '_dmarc'
+        TtlValue = 3600
+        Type     = 'TXT'
+        Value    = $Settings.RecordValue.Value ?? "v=DMARC1; p=reject;"
+    }
+
+    # Get all fallback domains (onmicrosoft.com domains) and check if the DMARC record is set correctly
+    try {
+        $Domains = New-GraphGetRequest -scope 'https://admin.microsoft.com/.default' -TenantID $Tenant -Uri 'https://admin.microsoft.com/admin/api/Domains/List' | Where-Object -Property Name -like "*.onmicrosoft.com"
+
+        $CurrentInfo = $Domains | ForEach-Object {
+            # Get current DNS records that matches _dmarc hostname and TXT type
+            $CurrentRecords = New-GraphGetRequest -scope 'https://admin.microsoft.com/.default' -TenantID $Tenant -Uri "https://admin.microsoft.com/admin/api/Domains/Records?domainName=$($_.Name)" | Select-Object -ExpandProperty DnsRecords | Where-Object { $_.HostName -eq $RecordModel.HostName -and $_.Type -eq $RecordModel.Type }
+
+            if ($CurrentRecords.count -eq 0) {
+                #record not found, return a model with Match set to false
+                [PSCustomObject]@{
+                    DomainName      = $_.Name
+                    Match           = $false
+                    CurrentRecord   = $null
+                }
+            } else {
+                foreach ($CurrentRecord in $CurrentRecords) {
+                    # Create variable matching the RecordModel used for comparison
+                    $CurrentRecordModel = [PSCustomObject]@{
+                        HostName = $CurrentRecord.HostName
+                        TtlValue = $CurrentRecord.TtlValue
+                        Type     = $CurrentRecord.Type
+                        Value    = $CurrentRecord.Value
+                    }
+
+                    # Compare the current record with the expected record model
+                    if (!(Compare-Object -ReferenceObject $RecordModel -DifferenceObject $CurrentRecordModel -Property HostName, TtlValue, Type, Value)) {
+                        [PSCustomObject]@{
+                            DomainName      = $_.Name
+                            Match           = $true
+                            CurrentRecord   = $CurrentRecord
+                        }
+                    } else {
+                        [PSCustomObject]@{
+                            DomainName      = $_.Name
+                            Match           = $false
+                            CurrentRecord   = $CurrentRecord
+                        }
+                    }
+                }
+            }
+        }
+        # Check if match is true and there is only one DMARC record for the domain
+        $StateIsCorrect = $false -notin $CurrentInfo.Match -and $CurrentInfo.Count -eq 1
+    } catch {
+        if ($_.Exception.Message -like '*403*') {
+            $Message = "AddDMARCToMOERA: Insufficient permissions. Please ensure the tenant GDAP relationship includes the 'Domain Name Administrator' role: $(Get-NormalizedError -message $_.Exception.message)"
+        }
+        else {
+            $Message = "Failed to get dns records for MOERA domains: $(Get-NormalizedError -message $_.Exception.message)"
+        }
+        Write-LogMessage -API 'Standards' -tenant $tenant -message $Message -sev Error
+        throw $Message
+    }
+
+    If ($Settings.remediate -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'DMARC record is already set for all MOERA (onmicrosoft.com) domains.' -sev Info
+        }
+        else {
+            # Loop through each domain and set the DMARC record, existing misconfigured records and duplicates will be deleted
+            foreach ($Domain in ($CurrentInfo | Sort-Object -Property DomainName -Unique)) {
+                try {
+                    foreach ($Record in ($CurrentInfo | Where-Object -Property DomainName -eq $Domain.DomainName)) {
+                        if ($Record.CurrentRecord) {
+                            New-GraphPOSTRequest -tenantid $tenant -scope 'https://admin.microsoft.com/.default' -Uri "https://admin.microsoft.com/admin/api/Domains/Record?domainName=$($Domain.DomainName)" -Body ($Record.CurrentRecord | ConvertTo-Json -Compress) -AddedHeaders @{'x-http-method-override' = 'Delete'}
+                            Write-LogMessage -API 'Standards' -tenant $tenant -message "Deleted incorrect DMARC record for domain $($Domain.DomainName)" -sev Info
+                        }
+                        New-GraphPOSTRequest -tenantid $tenant -scope 'https://admin.microsoft.com/.default' -type "PUT" -Uri "https://admin.microsoft.com/admin/api/Domains/Record?domainName=$($Domain.DomainName)" -Body (@{RecordModel = $RecordModel} | ConvertTo-Json -Compress)
+                        Write-LogMessage -API 'Standards' -tenant $tenant -message "Set DMARC record for domain $($Domain.DomainName)" -sev Info
+                    }
+                }
+                catch {
+                    Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set DMARC record for domain $($Domain.DomainName): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
+                }
+            }
+        }
+    }
+
+    if ($Settings.alert -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'DMARC record is already set for all MOERA (onmicrosoft.com) domains.' -sev Info
+        } else {
+            $UniqueDomains = ($CurrentInfo | Sort-Object -Property DomainName -Unique)
+            $NotSetDomains = @($UniqueDomains | ForEach-Object {if ($_.Match -eq $false -or ($CurrentInfo | Where-Object -Property DomainName -eq $_.DomainName).Count -eq 1) { $_.DomainName } })
+            $Message = "DMARC record is not set for $($NotSetDomains.count) of $($UniqueDomains.count) MOERA (onmicrosoft.com) domains."
+
+            Write-StandardsAlert -message $Message -object @{MissingDMARC = ($NotSetDomains -join ', ')} -tenant $tenant -standardName 'AddDMARCToMOERA' -standardId $Settings.standardId
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "$Message. Missing for: $($NotSetDomains -join ', ')" -sev Info
+        }
+    }
+
+    if ($Settings.report -eq $true) {
+        set-CIPPStandardsCompareField -FieldName 'standards.AddDMARCToMOERA' -FieldValue $StateIsCorrect -TenantFilter $Tenant
+        Add-CIPPBPAField -FieldName 'AddDMARCToMOERA' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+    }
+}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1

@@ -7,8 +7,8 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses {
     .SYNOPSIS
         (Label) Disable Self Service Licensing
     .DESCRIPTION
-        (Helptext) This standard disables all self service licenses and enables all exclusions
-        (DocsDescription) This standard disables all self service licenses and enables all exclusions
+        (Helptext) Note: requires 'Billing Administrator' GDAP role. This standard disables all self service licenses and enables all exclusions
+        (DocsDescription) Note: requires 'Billing Administrator' GDAP role. This standard disables all self service licenses and enables all exclusions
     .NOTES
         CAT
             Entra (AAD) Standards
@@ -31,15 +31,17 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses {
     param($Tenant, $Settings)
     ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'DisableSelfServiceLicenses'
 
-    # disable for now - MS enforced role requirement
-    Write-LogMessage -API 'Standards' -tenant $tenant -message 'Self Service Licenses cannot be disabled' -sev Error
-    return
-
     try {
         $selfServiceItems = (New-GraphGETRequest -scope 'aeb86249-8ea3-49e2-900b-54cc8e308f85/.default' -uri 'https://licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products' -tenantid $Tenant).items
     } catch {
-        Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to retrieve self service products: $($_.Exception.Message)" -sev Error
-        throw "Failed to retrieve self service products: $($_.Exception.Message)"
+        if ($_.Exception.Message -like '*403*') {
+            $Message = "Failed to retrieve self service products: Insufficient permissions. Please ensure the tenant GDAP relationship includes the 'Billing Administrator' role: $($_.Exception.Message)"
+        }
+        else {
+            $Message = "Failed to retrieve self service products: $($_.Exception.Message)"
+        }
+        Write-LogMessage -API 'Standards' -tenant $tenant -message $Message -sev Error
+        throw $Message
     }
 
     if ($settings.remediate) {