Merge pull request #649 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1

@@ -18,6 +18,14 @@ function Push-CIPPDBCacheData {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Starting database cache collection for tenant' -sev Info
 
+        # Check tenant capabilities for license-specific features
+        $IntuneCapable = Test-CIPPStandardLicense -StandardName 'IntuneLicenseCheck' -TenantFilter $TenantFilter -RequiredCapabilities @('INTUNE_A', 'MDM_Services', 'EMS', 'SCCM', 'MICROSOFTINTUNEPLAN1') -SkipLog
+        $ConditionalAccessCapable = Test-CIPPStandardLicense -StandardName 'ConditionalAccessLicenseCheck' -TenantFilter $TenantFilter -RequiredCapabilities @('AAD_PREMIUM', 'AAD_PREMIUM_P2') -SkipLog
+        $AzureADPremiumP2Capable = Test-CIPPStandardLicense -StandardName 'AzureADPremiumP2LicenseCheck' -TenantFilter $TenantFilter -RequiredCapabilities @('AAD_PREMIUM_P2') -SkipLog
+
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "License capabilities - Intune: $IntuneCapable, Conditional Access: $ConditionalAccessCapable, Azure AD Premium P2: $AzureADPremiumP2Capable" -sev Info
+
+        #region All Licenses - Basic tenant data collection
         Write-Host 'Getting cache for Users'
         try { Set-CIPPDBCacheUsers -TenantFilter $TenantFilter } catch {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Users collection failed: $($_.Exception.Message)" -sev Error
@@ -48,11 +56,6 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Devices collection failed: $($_.Exception.Message)" -sev Error
         }
 
-        Write-Host 'Getting cache for ManagedDevices'
-        try { Set-CIPPDBCacheManagedDevices -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ManagedDevices collection failed: $($_.Exception.Message)" -sev Error
-        }
-
         Write-Host 'Getting cache for Organization'
         try { Set-CIPPDBCacheOrganization -TenantFilter $TenantFilter } catch {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Organization collection failed: $($_.Exception.Message)" -sev Error
@@ -108,16 +111,6 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "SecureScore collection failed: $($_.Exception.Message)" -sev Error
         }
 
-        Write-Host 'Getting cache for IntunePolicies'
-        try { Set-CIPPDBCacheIntunePolicies -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "IntunePolicies collection failed: $($_.Exception.Message)" -sev Error
-        }
-
-        Write-Host 'Getting cache for ConditionalAccessPolicies'
-        try { Set-CIPPDBCacheConditionalAccessPolicies -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ConditionalAccessPolicies collection failed: $($_.Exception.Message)" -sev Error
-        }
-
         Write-Host 'Getting cache for PIMSettings'
         try { Set-CIPPDBCachePIMSettings -TenantFilter $TenantFilter } catch {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "PIMSettings collection failed: $($_.Exception.Message)" -sev Error
@@ -153,26 +146,6 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "AuthenticationFlowsPolicy collection failed: $($_.Exception.Message)" -sev Error
         }
 
-        Write-Host 'Getting cache for RiskyUsers'
-        try { Set-CIPPDBCacheRiskyUsers -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskyUsers collection failed: $($_.Exception.Message)" -sev Error
-        }
-
-        Write-Host 'Getting cache for RiskyServicePrincipals'
-        try { Set-CIPPDBCacheRiskyServicePrincipals -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskyServicePrincipals collection failed: $($_.Exception.Message)" -sev Error
-        }
-
-        Write-Host 'Getting cache for ServicePrincipalRiskDetections'
-        try { Set-CIPPDBCacheServicePrincipalRiskDetections -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ServicePrincipalRiskDetections collection failed: $($_.Exception.Message)" -sev Error
-        }
-
-        Write-Host 'Getting cache for RiskDetections'
-        try { Set-CIPPDBCacheRiskDetections -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskDetections collection failed: $($_.Exception.Message)" -sev Error
-        }
-
         Write-Host 'Getting cache for DeviceRegistrationPolicy'
         try { Set-CIPPDBCacheDeviceRegistrationPolicy -TenantFilter $TenantFilter } catch {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "DeviceRegistrationPolicy collection failed: $($_.Exception.Message)" -sev Error
@@ -188,11 +161,6 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "UserRegistrationDetails collection failed: $($_.Exception.Message)" -sev Error
         }
 
-        Write-Host 'Getting cache for ManagedDeviceEncryptionStates'
-        try { Set-CIPPDBCacheManagedDeviceEncryptionStates -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ManagedDeviceEncryptionStates collection failed: $($_.Exception.Message)" -sev Error
-        }
-
         Write-Host 'Getting cache for OAuth2PermissionGrants'
         try { Set-CIPPDBCacheOAuth2PermissionGrants -TenantFilter $TenantFilter } catch {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "OAuth2PermissionGrants collection failed: $($_.Exception.Message)" -sev Error
@@ -242,11 +210,70 @@ function Push-CIPPDBCacheData {
         try { Set-CIPPDBCacheExoAcceptedDomains -TenantFilter $TenantFilter } catch {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ExoAcceptedDomains collection failed: $($_.Exception.Message)" -sev Error
         }
-
-        Write-Host 'Getting cache for IntuneAppProtectionPolicies'
-        try { Set-CIPPDBCacheIntuneAppProtectionPolicies -TenantFilter $TenantFilter } catch {
-            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "IntuneAppProtectionPolicies collection failed: $($_.Exception.Message)" -sev Error
-        }
+        #endregion All Licenses
+
+        #region Conditional Access Licensed - Azure AD Premium features
+        if ($ConditionalAccessCapable) {
+            Write-Host 'Getting cache for ConditionalAccessPolicies'
+            try { Set-CIPPDBCacheConditionalAccessPolicies -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ConditionalAccessPolicies collection failed: $($_.Exception.Message)" -sev Error
+            }
+        } else {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Skipping Conditional Access data collection - tenant does not have required license' -sev Info
+        }
+        #endregion Conditional Access Licensed
+
+        #region Azure AD Premium P2 - Identity Protection features
+        if ($AzureADPremiumP2Capable) {
+            Write-Host 'Getting cache for RiskyUsers'
+            try { Set-CIPPDBCacheRiskyUsers -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskyUsers collection failed: $($_.Exception.Message)" -sev Error
+            }
+
+            Write-Host 'Getting cache for RiskyServicePrincipals'
+            try { Set-CIPPDBCacheRiskyServicePrincipals -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskyServicePrincipals collection failed: $($_.Exception.Message)" -sev Error
+            }
+
+            Write-Host 'Getting cache for ServicePrincipalRiskDetections'
+            try { Set-CIPPDBCacheServicePrincipalRiskDetections -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ServicePrincipalRiskDetections collection failed: $($_.Exception.Message)" -sev Error
+            }
+
+            Write-Host 'Getting cache for RiskDetections'
+            try { Set-CIPPDBCacheRiskDetections -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskDetections collection failed: $($_.Exception.Message)" -sev Error
+            }
+        } else {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Skipping Azure AD Premium P2 Identity Protection data collection - tenant does not have required license' -sev Info
+        }
+        #endregion Azure AD Premium P2
+
+        #region Intune Licensed - Intune management features
+        if ($IntuneCapable) {
+            Write-Host 'Getting cache for ManagedDevices'
+            try { Set-CIPPDBCacheManagedDevices -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ManagedDevices collection failed: $($_.Exception.Message)" -sev Error
+            }
+
+            Write-Host 'Getting cache for IntunePolicies'
+            try { Set-CIPPDBCacheIntunePolicies -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "IntunePolicies collection failed: $($_.Exception.Message)" -sev Error
+            }
+
+            Write-Host 'Getting cache for ManagedDeviceEncryptionStates'
+            try { Set-CIPPDBCacheManagedDeviceEncryptionStates -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ManagedDeviceEncryptionStates collection failed: $($_.Exception.Message)" -sev Error
+            }
+
+            Write-Host 'Getting cache for IntuneAppProtectionPolicies'
+            try { Set-CIPPDBCacheIntuneAppProtectionPolicies -TenantFilter $TenantFilter } catch {
+                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "IntuneAppProtectionPolicies collection failed: $($_.Exception.Message)" -sev Error
+            }
+        } else {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Skipping Intune data collection - tenant does not have required license' -sev Info
+        }
+        #endregion Intune Licensed
 
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Completed database cache collection for tenant' -sev Info
 

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21837.ps1

@@ -5,7 +5,7 @@ function Invoke-CippTestZTNA21837 {
     #Tested
     try {
         # Get device registration policy
-        $DeviceSettings = New-CIPPDbRequest -TenantFilter $Tenant -Type 'deviceRegistrationPolicy'
+        $DeviceSettings = New-CIPPDbRequest -TenantFilter $Tenant -Type 'DeviceRegistrationPolicy'
 
         if (-not $DeviceSettings) {
             Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Device settings not found in database' -Risk 'High' -Name 'Limit the maximum number of devices per user to 10' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Devices'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21896.ps1

@@ -1,6 +1,6 @@
 function Invoke-CippTestZTNA21896 {
     param($Tenant)
-
+    #tested
     try {
         $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
         if (-not $ServicePrincipals) {
@@ -47,8 +47,7 @@ function Invoke-CippTestZTNA21896 {
         $Result = $ResultLines -join "`n"
 
         Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21896' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Service principals do not have certificates or credentials associated with them' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application management'
-    }
-    catch {
+    } catch {
         $ErrorMessage = Get-CippException -Exception $_
         Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
         Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21896' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Service principals do not have certificates or credentials associated with them' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Application management'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21941.ps1

@@ -16,7 +16,7 @@ function Invoke-CippTestZTNA21941 {
         [Parameter(Mandatory = $true)]
         [string]$Tenant
     )
-
+    #Tested
     try {
         # Get CA policies from cache
         $CAPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ConditionalAccessPolicies'

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21953.ps1

@@ -15,23 +15,24 @@ function Invoke-CippTestZTNA21953 {
         [Parameter(Mandatory = $true)]
         [string]$Tenant
     )
+    #Tested
 
     try {
         # Get device registration policy from cache
         $DeviceRegPolicy = New-CIPPDbRequest -TenantFilter $Tenant -Type 'DeviceRegistrationPolicy'
 
         if (-not $DeviceRegPolicy) {
             $TestParams = @{
-                TestId = 'ZTNA21953'
-                TenantFilter = $Tenant
-                TestType = 'ZeroTrustNetworkAccess'
-                Status = 'Skipped'
-                ResultMarkdown = 'Unable to retrieve device registration policy from cache.'
-                Risk = 'High'
-                Name = 'Deploy Windows Local Administrator Password Solution (LAPS)'
-                UserImpact = 'Low'
+                TestId               = 'ZTNA21953'
+                TenantFilter         = $Tenant
+                TestType             = 'ZeroTrustNetworkAccess'
+                Status               = 'Skipped'
+                ResultMarkdown       = 'Unable to retrieve device registration policy from cache.'
+                Risk                 = 'High'
+                Name                 = 'Deploy Windows Local Administrator Password Solution (LAPS)'
+                UserImpact           = 'Low'
                 ImplementationEffort = 'Low'
-                Category = 'Device security'
+                Category             = 'Device security'
             }
             Add-CippTestResult @TestParams
             return
@@ -51,31 +52,31 @@ function Invoke-CippTestZTNA21953 {
         }
 
         $TestParams = @{
-            TestId = 'ZTNA21953'
-            TenantFilter = $Tenant
-            TestType = 'ZeroTrustNetworkAccess'
-            Status = $Status
-            ResultMarkdown = $ResultMarkdown
-            Risk = 'High'
-            Name = 'Deploy Windows Local Administrator Password Solution (LAPS)'
-            UserImpact = 'Low'
+            TestId               = 'ZTNA21953'
+            TenantFilter         = $Tenant
+            TestType             = 'ZeroTrustNetworkAccess'
+            Status               = $Status
+            ResultMarkdown       = $ResultMarkdown
+            Risk                 = 'High'
+            Name                 = 'Deploy Windows Local Administrator Password Solution (LAPS)'
+            UserImpact           = 'Low'
             ImplementationEffort = 'Low'
-            Category = 'Device security'
+            Category             = 'Device security'
         }
         Add-CippTestResult @TestParams
 
     } catch {
         $TestParams = @{
-            TestId = 'ZTNA21953'
-            TenantFilter = $Tenant
-            TestType = 'ZeroTrustNetworkAccess'
-            Status = 'Failed'
-            ResultMarkdown = "❌ **Error**: $($_.Exception.Message)"
-            Risk = 'High'
-            Name = 'Deploy Windows Local Administrator Password Solution (LAPS)'
-            UserImpact = 'Low'
+            TestId               = 'ZTNA21953'
+            TenantFilter         = $Tenant
+            TestType             = 'ZeroTrustNetworkAccess'
+            Status               = 'Failed'
+            ResultMarkdown       = "❌ **Error**: $($_.Exception.Message)"
+            Risk                 = 'High'
+            Name                 = 'Deploy Windows Local Administrator Password Solution (LAPS)'
+            UserImpact           = 'Low'
             ImplementationEffort = 'Low'
-            Category = 'Device security'
+            Category             = 'Device security'
         }
         Add-CippTestResult @TestParams
         Write-LogMessage -API 'ZeroTrustNetworkAccess' -tenant $Tenant -message "Test ZTNA21953 failed: $($_.Exception.Message)" -sev Error