more standards

Author: JohnDuprey

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1

@@ -29,14 +29,11 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState {
     #>
 
     param($Tenant, $Settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'PWcompanionAppAllowedState'
 
     $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $Tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type GET)
     $authState = if ($authenticatorFeaturesState.featureSettings.companionAppAllowedState.state -eq 'enabled') { $true } else { $false }
 
-    if ($Settings.report -eq $true) {
-        Add-CIPPBPAField -FieldName 'companionAppAllowedState' -FieldValue $authState -StoreAs bool -Tenant $Tenant
-    }
+
 
     # Get state value using null-coalescing operator
     $state = $Settings.state.value ?? $Settings.state
@@ -87,4 +84,14 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState {
             Write-LogMessage -API 'Standards' -tenant $Tenant -message 'companionAppAllowedState is not enabled.' -sev Info
         }
     }
+
+    if ($Settings.report -eq $true) {
+        Add-CIPPBPAField -FieldName 'companionAppAllowedState' -FieldValue $authState -StoreAs bool -Tenant $Tenant
+        if ($authState) {
+            $FieldValue = $true
+        } else {
+            $FieldValue = $authenticatorFeaturesState.featureSettings
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.PWcompanionAppAllowedState' -FieldValue $FieldValue -Tenant $Tenant
+    }
 }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1

@@ -30,14 +30,13 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState {
     #>
 
     param($Tenant, $Settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'PWdisplayAppInformationRequiredState'
 
     $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant
-    $StateIsCorrect =   ($CurrentState.state -eq 'enabled') -and
-                        ($CurrentState.featureSettings.numberMatchingRequiredState.state -eq 'enabled') -and
-                        ($CurrentState.featureSettings.displayAppInformationRequiredState.state -eq 'enabled')
+    $StateIsCorrect = ($CurrentState.state -eq 'enabled') -and
+    ($CurrentState.featureSettings.numberMatchingRequiredState.state -eq 'enabled') -and
+    ($CurrentState.featureSettings.displayAppInformationRequiredState.state -eq 'enabled')
 
-    If ($Settings.remediate -eq $true) {
+    if ($Settings.remediate -eq $true) {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is already enabled.' -sev Info
         } else {
@@ -52,12 +51,18 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is enabled.' -sev Info
         } else {
-            Write-StandardsAlert -message "Passwordless with Information and Number Matching is not enabled" -object $CurrentState -tenant $tenant -standardName 'PWdisplayAppInformationRequiredState' -standardId $Settings.standardId
+            Write-StandardsAlert -message 'Passwordless with Information and Number Matching is not enabled' -object $CurrentState -tenant $tenant -standardName 'PWdisplayAppInformationRequiredState' -standardId $Settings.standardId
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Passwordless with Information and Number Matching is not enabled.' -sev Info
         }
     }
 
     if ($Settings.report -eq $true) {
         Add-CIPPBPAField -FieldName 'PWdisplayAppInformationRequiredState' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+        if ($StateIsCorrect) {
+            $FieldValue = $true
+        } else {
+            $FieldValue = $CurrentState
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.PWdisplayAppInformationRequiredState' -FieldValue $FieldValue -Tenant $tenant
     }
 }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardQuarantineRequestAlert.ps1

@@ -29,13 +29,12 @@ function Invoke-CIPPStandardQuarantineRequestAlert {
     #>
 
     param ($Tenant, $Settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'QuarantineRequestAlert'
 
     $PolicyName = 'CIPP User requested to release a quarantined message'
 
     $CurrentState = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-ProtectionAlert' -Compliance |
-    Where-Object { $_.Name -eq $PolicyName } |
-    Select-Object -Property *
+        Where-Object { $_.Name -eq $PolicyName } |
+        Select-Object -Property *
 
     $StateIsCorrect = ($CurrentState.NotifyUser -contains $Settings.NotifyUser)
 
@@ -85,5 +84,12 @@ function Invoke-CIPPStandardQuarantineRequestAlert {
 
     if ($Settings.report -eq $true) {
         Add-CIPPBPAField -FieldName 'QuarantineRequestAlert' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+
+        if ($StateIsCorrect) {
+            $FieldValue = $true
+        } else {
+            $FieldValue = $CurrentState
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.QuarantineRequestAlert' -FieldValue $FieldValue -Tenant $Tenant
     }
 }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRetentionPolicyTag.ps1

@@ -29,7 +29,6 @@ function Invoke-CIPPStandardRetentionPolicyTag {
     #>
 
     param($Tenant, $Settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'RetentionPolicyTag'
 
     $PolicyName = 'CIPP Deleted Items'
     $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-RetentionPolicyTag' |
@@ -39,11 +38,11 @@ function Invoke-CIPPStandardRetentionPolicyTag {
         Where-Object -Property Identity -EQ 'Default MRM Policy'
 
     $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
-                        ($CurrentState.RetentionEnabled -eq $true) -and
-                        ($CurrentState.RetentionAction -eq 'PermanentlyDelete') -and
-                        ($CurrentState.AgeLimitForRetention -eq ([timespan]::FromDays($Settings.AgeLimitForRetention))) -and
-                        ($CurrentState.Type -eq 'DeletedItems') -and
-                        ($PolicyState.RetentionPolicyTagLinks -contains $PolicyName)
+    ($CurrentState.RetentionEnabled -eq $true) -and
+    ($CurrentState.RetentionAction -eq 'PermanentlyDelete') -and
+    ($CurrentState.AgeLimitForRetention -eq ([timespan]::FromDays($Settings.AgeLimitForRetention))) -and
+    ($CurrentState.Type -eq 'DeletedItems') -and
+    ($PolicyState.RetentionPolicyTagLinks -contains $PolicyName)
 
     if ($Settings.remediate -eq $true) {
         Write-Host 'Time to remediate'
@@ -102,13 +101,20 @@ function Invoke-CIPPStandardRetentionPolicyTag {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Retention Policy is enabled' -sev Info
         } else {
-            Write-StandardsAlert -message "Retention Policy is not enabled" -object $CurrentState -tenant $Tenant -standardName 'RetentionPolicyTag' -standardId $Settings.standardId
+            Write-StandardsAlert -message 'Retention Policy is not enabled' -object $CurrentState -tenant $Tenant -standardName 'RetentionPolicyTag' -standardId $Settings.standardId
             Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Retention Policy is not enabled' -sev Info
         }
     }
 
     if ($Settings.report -eq $true) {
         Add-CIPPBPAField -FieldName 'RetentionPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+
+        if ($StateIsCorrect) {
+            $FieldValue = $true
+        } else {
+            $FieldValue = $CurrentState
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.RetentionPolicyTag' -FieldValue $FieldValue -Tenant $Tenant
     }
 
 }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1

@@ -31,11 +31,10 @@ function Invoke-CIPPStandardRotateDKIM {
     #>
 
     param($Tenant, $Settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'RotateDKIM'
 
-    $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -Eq 1024 -and $_.Enabled -eq $true }
+    $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -eq 1024 -and $_.Enabled -eq $true }
 
-    If ($Settings.remediate -eq $true) {
+    if ($Settings.remediate -eq $true) {
 
         if ($DKIM) {
             $DKIM | ForEach-Object {
@@ -64,5 +63,10 @@ function Invoke-CIPPStandardRotateDKIM {
 
     if ($Settings.report -eq $true) {
         Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIM -StoreAs json -Tenant $tenant
+        if ($DKIM) {
+            Set-CIPPStandardsCompareField -FieldName 'standards.RotateDKIM' -FieldValue $DKIM -Tenant $tenant
+        } else {
+            Set-CIPPStandardsCompareField -FieldName 'standards.RotateDKIM' -FieldValue $true -Tenant $tenant
+        }
     }
 }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1

@@ -37,21 +37,20 @@ function Invoke-CIPPStandardSafeAttachmentPolicy {
     #>
 
     param($Tenant, $Settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SafeAttachmentPolicy'
 
     $ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
     $ServicePlans = $ServicePlans.servicePlans.servicePlanName
-    $MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
+    $MDOLicensed = $ServicePlans -contains 'ATP_ENTERPRISE'
 
     if ($MDOLicensed) {
-        $PolicyList = @('CIPP Default Safe Attachment Policy','Default Safe Attachment Policy')
+        $PolicyList = @('CIPP Default Safe Attachment Policy', 'Default Safe Attachment Policy')
         $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentPolicy' | Where-Object -Property Name -In $PolicyList
         if ($null -eq $ExistingPolicy.Name) {
             $PolicyName = $PolicyList[0]
         } else {
             $PolicyName = $ExistingPolicy.Name
         }
-        $RuleList = @( 'CIPP Default Safe Attachment Rule','CIPP Default Safe Attachment Policy')
+        $RuleList = @( 'CIPP Default Safe Attachment Rule', 'CIPP Default Safe Attachment Policy')
         $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentRule' | Where-Object -Property Name -In $RuleList
         if ($null -eq $ExistingRule.Name) {
             $RuleName = $RuleList[0]
@@ -64,11 +63,11 @@ function Invoke-CIPPStandardSafeAttachmentPolicy {
             Select-Object Name, Enable, Action, QuarantineTag, Redirect, RedirectAddress
 
         $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
-                        ($CurrentState.Enable -eq $true) -and
-                        ($CurrentState.Action -eq $Settings.SafeAttachmentAction) -and
-                        ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and
-                        ($CurrentState.Redirect -eq $Settings.Redirect) -and
-                        (($null -eq $Settings.RedirectAddress) -or ($CurrentState.RedirectAddress -eq $Settings.RedirectAddress))
+        ($CurrentState.Enable -eq $true) -and
+        ($CurrentState.Action -eq $Settings.SafeAttachmentAction) -and
+        ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and
+        ($CurrentState.Redirect -eq $Settings.Redirect) -and
+        (($null -eq $Settings.RedirectAddress) -or ($CurrentState.RedirectAddress -eq $Settings.RedirectAddress))
 
         $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
 
@@ -77,9 +76,9 @@ function Invoke-CIPPStandardSafeAttachmentPolicy {
             Select-Object Name, SafeAttachmentPolicy, Priority, RecipientDomainIs
 
         $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
-                            ($RuleState.SafeAttachmentPolicy -eq $PolicyName) -and
-                            ($RuleState.Priority -eq 0) -and
-                            (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
+        ($RuleState.SafeAttachmentPolicy -eq $PolicyName) -and
+        ($RuleState.Priority -eq 0) -and
+        (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
 
         if ($Settings.remediate -eq $true) {
 
@@ -115,8 +114,8 @@ function Invoke-CIPPStandardSafeAttachmentPolicy {
 
             if ($RuleStateIsCorrect -eq $false) {
                 $cmdparams = @{
-                    Priority             = 0
-                    RecipientDomainIs    = $AcceptedDomains.Name
+                    Priority          = 0
+                    RecipientDomainIs = $AcceptedDomains.Name
                 }
 
                 if ($RuleState.SafeAttachmentPolicy -ne $PolicyName) {
@@ -148,26 +147,33 @@ function Invoke-CIPPStandardSafeAttachmentPolicy {
             if ($StateIsCorrect -eq $true) {
                 Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is enabled' -sev Info
             } else {
-                Write-StandardsAlert -message "Safe Attachment Policy is not enabled" -object $CurrentState -tenant $Tenant -standardName 'SafeAttachmentPolicy' -standardId $Settings.standardId
+                Write-StandardsAlert -message 'Safe Attachment Policy is not enabled' -object $CurrentState -tenant $Tenant -standardName 'SafeAttachmentPolicy' -standardId $Settings.standardId
                 Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is not enabled' -sev Info
             }
         }
 
         if ($Settings.report -eq $true) {
             Add-CIPPBPAField -FieldName 'SafeAttachmentPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+            if ($StateIsCorrect) {
+                $FieldValue = $true
+            } else {
+                $FieldValue = $CurrentState
+            }
+            Set-CIPPStandardsCompareField -FieldName 'standards.SafeAttachmentPolicy' -FieldValue $FieldValue -Tenant $Tenant
         }
     } else {
         if ($Settings.remediate -eq $true) {
-            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Safe Attachment policy: Tenant does not have Microsoft Defender for Office 365 license" -sev Error
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Failed to create Safe Attachment policy: Tenant does not have Microsoft Defender for Office 365 license' -sev Error
         }
 
         if ($Settings.alert -eq $true) {
-            Write-StandardsAlert -message "Safe Attachment Policy is not enabled: Tenant does not have Microsoft Defender for Office 365 license" -object $MDOLicensed -tenant $Tenant -standardName 'SafeAttachmentPolicy' -standardId $Settings.standardId
+            Write-StandardsAlert -message 'Safe Attachment Policy is not enabled: Tenant does not have Microsoft Defender for Office 365 license' -object $MDOLicensed -tenant $Tenant -standardName 'SafeAttachmentPolicy' -standardId $Settings.standardId
             Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is not enabled: Tenant does not have Microsoft Defender for Office 365 license' -sev Info
         }
 
         if ($Settings.report -eq $true) {
             Add-CIPPBPAField -FieldName 'SafeAttachmentPolicy' -FieldValue $false -StoreAs bool -Tenant $tenant
+            Set-CIPPStandardsCompareField -FieldName 'standards.SafeAttachmentPolicy' -FieldValue $false -Tenant $Tenant
         }
     }
 }