Merge branch 'KelvinTegelaar:master' into master

Author: lacymooretx

ConversionTable.csv

@@ -10,8 +10,7 @@ try {
     $ValidResolvers = @('Google', 'CloudFlare', 'Quad9')
     if ($ValidResolvers -contains $Config.Resolver) {
         $Resolver = $Config.Resolver
-    }
-    else {
+    } else {
         $Resolver = 'Google'
         $Config = @{
             PartitionKey = 'Domains'
@@ -20,8 +19,7 @@ try {
         }
         Add-CIPPAzDataTableEntity @ConfigTable -Entity $Config -Force
     }
-}
-catch {
+} catch {
     $Resolver = 'Google'
 }
 Set-DnsResolver -Resolver $Resolver
@@ -30,8 +28,7 @@ $Domain = $DomainObject.rowKey
 
 try {
     $Tenant = $DomainObject.TenantDetails | ConvertFrom-Json -ErrorAction Stop
-}
-catch {
+} catch {
     $Tenant = @{Tenant = 'None' }
 }
 
@@ -45,6 +42,7 @@ $Result = [PSCustomObject]@{
     ExpectedSPFRecord    = ''
     ActualSPFRecord      = ''
     SPFPassAll           = ''
+    ActualMXRecords      = ''
     MXPassTest           = ''
     DMARCPresent         = ''
     DMARCFullPolicy      = ''
@@ -82,6 +80,7 @@ $MXRecord = Read-MXRecord -Domain $Domain -ErrorAction Stop
 
 $Result.ExpectedSPFRecord = $MXRecord.ExpectedInclude
 $Result.MXPassTest = $false
+$Result.ActualMXRecords = $MXRecord.Records
 
 # Check fail counts to ensure all tests pass
 #$MXWarnCount = $MXRecord.ValidationWarns | Measure-Object | Select-Object -ExpandProperty Count
@@ -90,15 +89,13 @@ $MXFailCount = $MXRecord.ValidationFails | Measure-Object | Select-Object -Expan
 if ($MXFailCount -eq 0) {
     $Result.MXPassTest = $true
     $ScoreDomain += $Scores.MXRecommended
-}
-else {
+} else {
     $ScoreExplanation.Add('MX record did not pass validation') | Out-Null
 }
 
 if ([string]::IsNullOrEmpty($MXRecord.MailProvider)) {
     $Result.MailProvider = 'Unknown'
-}
-else {
+} else {
     $Result.MailProvider = $MXRecord.MailProvider.Name
 }
 
@@ -109,22 +106,19 @@ try {
         $Result.ActualSPFRecord = $SPFRecord.Record
         if ($SPFRecord.RecordCount -eq 1) {
             $ScoreDomain += $Scores.SPFPresent
-        }
-        else {
+        } else {
             $ScoreExplanation.Add('Multiple SPF records detected') | Out-Null
         }
-    }
-    else {
+    } else {
         $Result.ActualSPFRecord = 'No SPF Record'
         $ScoreExplanation.Add('No SPF Record Found') | Out-Null
     }
-}
-catch {
+} catch {
     $Message = 'SPF Exception: {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message
     Write-LogMessage -API 'DomainAnalyser' -tenant $tenant.tenant -message $Message -sev Error
     throw $Message
 }
-    
+
 # Check SPF Record
 $Result.SPFPassAll = $false
 
@@ -135,8 +129,7 @@ $SPFFailCount = $SPFRecord.ValidationFails | Measure-Object | Select-Object -Exp
 if ($SPFFailCount -eq 0) {
     $ScoreDomain += $Scores.SPFCorrectAll
     $Result.SPFPassAll = $true
-}
-else {
+} else {
     $ScoreExplanation.Add('SPF record did not pass validation') | Out-Null
 }
 
@@ -147,19 +140,18 @@ try {
     If ([string]::IsNullOrEmpty($DMARCPolicy.Record)) {
         $Result.DMARCPresent = $false
         $ScoreExplanation.Add('No DMARC Records Found') | Out-Null
-    }
-    else {
+    } else {
         $Result.DMARCPresent = $true
         $ScoreDomain += $Scores.DMARCPresent
 
-        $Result.DMARCFullPolicy = $DMARCResults.Record
-        if ($DMARCPolicy.Policy -eq 'reject' -and $DMARCPolicy.SubdomainPolicy -eq 'reject') { 
+        $Result.DMARCFullPolicy = $DMARCPolicy.Record
+        if ($DMARCPolicy.Policy -eq 'reject' -and $DMARCPolicy.SubdomainPolicy -eq 'reject') {
             $Result.DMARCActionPolicy = 'Reject'
             $ScoreDomain += $Scores.DMARCSetReject
         }
-        if ($DMARCPolicy.Policy -eq 'none') { 
+        if ($DMARCPolicy.Policy -eq 'none') {
             $Result.DMARCActionPolicy = 'None'
-            $ScoreExplanation.Add('DMARC is not being enforced') | Out-Null 
+            $ScoreExplanation.Add('DMARC is not being enforced') | Out-Null
         }
         if ($DMARCPolicy.Policy -eq 'quarantine') {
             $Result.DMARCActionPolicy = 'Quarantine'
@@ -171,23 +163,20 @@ try {
         if ($ReportEmailCount -gt 0) {
             $Result.DMARCReportingActive = $true
             $ScoreDomain += $Scores.DMARCReportingActive
-        }
-        else {
+        } else {
             $Result.DMARCReportingActive = $False
             $ScoreExplanation.Add('DMARC Reporting not Configured') | Out-Null
         }
 
         if ($DMARCPolicy.Percent -eq 100) {
             $Result.DMARCPercentagePass = $true
             $ScoreDomain += $Scores.DMARCPercentageGood
-        }
-        else {
+        } else {
             $Result.DMARCPercentagePass = $false
-            $ScoreExplanation.Add('DMARC Not Checking All Messages') | Out-Null                
+            $ScoreExplanation.Add('DMARC Not Checking All Messages') | Out-Null
         }
     }
-}
-catch {
+} catch {
     $Message = 'DMARC Exception: {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message
     Write-LogMessage -API 'DomainAnalyser' -tenant $tenant.tenant -message $Message -sev Error
     throw $Message
@@ -201,13 +190,11 @@ try {
     if (($DNSSECFailCount + $DNSSECWarnCount) -eq 0) {
         $Result.DNSSECPresent = $true
         $ScoreDomain += $Scores.DNSSECPresent
-    }
-    else {
+    } else {
         $Result.DNSSECPresent = $false
-        $ScoreExplanation.Add('DNSSEC Not Configured or Enabled') | Out-Null 
+        $ScoreExplanation.Add('DNSSEC Not Configured or Enabled') | Out-Null
     }
-}
-catch {
+} catch {
     $Message = 'DNSSEC Exception: {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message
     Write-LogMessage -API 'DomainAnalyser' -tenant $tenant.tenant -message $Message -sev Error
     throw $Message
@@ -216,27 +203,26 @@ catch {
 # DKIM Check
 try {
     $DkimParams = @{
-        Domain = $Domain
+        Domain                       = $Domain
+        FallbackToMicrosoftSelectors = $true
     }
     if (![string]::IsNullOrEmpty($DomainObject.DkimSelectors)) {
         $DkimParams.Selectors = $DomainObject.DkimSelectors | ConvertFrom-Json
     }
 
     $DkimRecord = Read-DkimRecord @DkimParams -ErrorAction Stop
-    
+
     $DkimRecordCount = $DkimRecord.Records | Measure-Object | Select-Object -ExpandProperty Count
     $DkimFailCount = $DkimRecord.ValidationFails | Measure-Object | Select-Object -ExpandProperty Count
     #$DkimWarnCount = $DkimRecord.ValidationWarns | Measure-Object | Select-Object -ExpandProperty Count
     if ($DkimRecordCount -gt 0 -and $DkimFailCount -eq 0) {
         $Result.DKIMEnabled = $true
         $ScoreDomain += $Scores.DKIMActiveAndWorking
-    }
-    else {
+    } else {
         $Result.DKIMEnabled = $false
-        $ScoreExplanation.Add('DKIM Not Configured') | Out-Null 
+        $ScoreExplanation.Add('DKIM Not Configured') | Out-Null
     }
-}
-catch {
+} catch {
     $Message = 'DKIM Exception: {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message
     Write-LogMessage -API 'DomainAnalyser' -tenant $tenant.tenant -message $Message -sev Error
     throw $Message

DomainAnalyser_All/run.ps1

@@ -2,46 +2,45 @@ param($Context)
 #$Context does not allow itself to be cast to a pscustomobject for some reason, so we convert
 $context = $Context | ConvertTo-Json | ConvertFrom-Json
 $APIName = $TriggerMetadata.FunctionName
-Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME  -message "Accessed this API" -Sev "Debug"
+Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 $TenantFilter = $Context.input.tenantfilter
 $SuspectUser = $Context.input.userid
 $UserName = $Context.input.username
 Write-Host "Working on $UserName"
 try {
   $startDate = (Get-Date).AddDays(-7)
   $endDate = (Get-Date)
-  $auditLog = (New-ExoRequest -tenantid $Tenantfilter -cmdlet "Get-AdminAuditLogConfig").UnifiedAuditLogIngestionEnabled 
+  $auditLog = (New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled 
   $7dayslog = if ($auditLog -eq $false) {
-    $ExtractResult = "AuditLog is disabled. Cannot perform full analysis"
-  }
-  else {
+    $ExtractResult = 'AuditLog is disabled. Cannot perform full analysis'
+  } else {
     $sessionid = Get-Random -Minimum 10000 -Maximum 99999
     $operations = @(
-      "New-InboxRule",
-      "Set-InboxRule",
-      "UpdateInboxRules",
-      "Remove-MailboxPermission",
-      "Add-MailboxPermission",
-      "UpdateCalendarDelegation",
-      "AddFolderPermissions",
-      "MailboxLogin",
-      "UserLoggedIn"
+      'New-InboxRule',
+      'Set-InboxRule',
+      'UpdateInboxRules',
+      'Remove-MailboxPermission',
+      'Add-MailboxPermission',
+      'UpdateCalendarDelegation',
+      'AddFolderPermissions',
+      'MailboxLogin',
+      'UserLoggedIn'
     )
     $startDate = (Get-Date).AddDays(-7)
     $endDate = (Get-Date)
     $SearchParam = @{
-      SessionCommand = "ReturnLargeSet"
+      SessionCommand = 'ReturnLargeSet'
       Operations     = $operations
       sessionid      = $sessionid
       startDate      = $startDate
       endDate        = $endDate
     }
     do {
-      New-ExoRequest -tenantid $Tenantfilter -cmdlet "Search-unifiedAuditLog" -cmdParams $SearchParam -Anchor $Username
+      New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Search-unifiedAuditLog' -cmdParams $SearchParam -Anchor $Username
       Write-Host "Retrieved $($logsTenant.count) logs" -ForegroundColor Yellow
       $logsTenant
     } while ($LogsTenant.count % 5000 -eq 0 -and $LogsTenant.count -ne 0)
-    $ExtractResult = "Succesfully extracted logs from auditlog"
+    $ExtractResult = 'Succesfully extracted logs from auditlog'
   }
   Try {
     $URI = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=(userId eq '$SuspectUser')&`$top=1&`$orderby=createdDateTime desc" 
@@ -50,29 +49,26 @@ try {
     @{ Name = 'AppDisplayName'; Expression = { $_.resourceDisplayName } },
     @{ Name = 'Status'; Expression = { if (($_.conditionalAccessStatus -eq 'Success' -or 'Not Applied') -and $_.status.errorCode -eq 0) { 'Success' } else { 'Failed' } } },
     @{ Name = 'IPAddress'; Expression = { $_.ipAddress } }
-  }
-  catch {
+  } catch {
     $LastSignIn = [PSCustomObject]@{
-      AppDisplayName  = "Unknown - could not retrieve information. No access to sign-in logs"
-      CreatedDateTime = "Unknown"
-      Id              = "0"
-      Status          = "Could not retrieve additional details"
+      AppDisplayName  = 'Unknown - could not retrieve information. No access to sign-in logs'
+      CreatedDateTime = 'Unknown'
+      Id              = '0'
+      Status          = 'Could not retrieve additional details'
     }
   }
   #List all users devices
   $Bytes = [System.Text.Encoding]::UTF8.GetBytes($SuspectUser)
   $base64IdentityParam = [Convert]::ToBase64String($Bytes)
   Try {
     $Devices = New-GraphGetRequest -uri "https://outlook.office365.com:443/adminapi/beta/$($TenantFilter)/mailbox('$($base64IdentityParam)')/MobileDevice/Exchange.GetMobileDeviceStatistics()/?IsEncoded=True" -Tenantid $tenantfilter -scope ExchangeOnline
-  }
-  catch {
+  } catch {
     $Devices = $null
   }
-  $PermissionsLog = ($7dayslog | Where-Object -Property Operations -In "Remove-MailboxPermission", "Add-MailboxPermission", "UpdateCalendarDelegation", "AddFolderPermissions" ).AuditData | ConvertFrom-Json -Depth 100 | ForEach-Object {
+  $PermissionsLog = ($7dayslog | Where-Object -Property Operations -In 'Remove-MailboxPermission', 'Add-MailboxPermission', 'UpdateCalendarDelegation', 'AddFolderPermissions' ).AuditData | ConvertFrom-Json -Depth 100 | ForEach-Object {
     $perms = if ($_.Parameters) {
-      $_.Parameters | ForEach-Object { if ($_.Name -eq "AccessRights") { $_.Value } }
-    }
-    else
+      $_.Parameters | ForEach-Object { if ($_.Name -eq 'AccessRights') { $_.Value } }
+    } else
     { $_.item.ParentFolder.MemberRights }
     $objectID = if ($_.ObjectID) { $_.ObjectID } else { $($_.MailboxOwnerUPN) + $_.item.ParentFolder.Path }
     [pscustomobject]@{
@@ -83,43 +79,42 @@ try {
     }
   }
 
-  $RulesLog = @(($7dayslog | Where-Object -Property Operations -In "New-InboxRule", "Set-InboxRule", "UpdateInboxRules").AuditData | ConvertFrom-Json) | ForEach-Object {
+  $RulesLog = @(($7dayslog | Where-Object -Property Operations -In 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules').AuditData | ConvertFrom-Json) | ForEach-Object {
     Write-Host ($_ | ConvertTo-Json)
     [pscustomobject]@{
       ClientIP      = $_.ClientIP
       CreationTime  = $_.CreationTime
       UserId        = $_.UserId
-      RuleName      = ($_.OperationProperties | ForEach-Object { if ($_.Name -eq "RuleName") { $_.Value } })
-      RuleCondition = ($_.OperationProperties | ForEach-Object { if ($_.Name -eq "RuleCondition") { $_.Value } })
+      RuleName      = ($_.OperationProperties | ForEach-Object { if ($_.Name -eq 'RuleName') { $_.Value } })
+      RuleCondition = ($_.OperationProperties | ForEach-Object { if ($_.Name -eq 'RuleCondition') { $_.Value } })
     }
   }
   $PasswordChanges = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`select=lastPasswordChangeDateTime,displayname,UserPrincipalName" -Tenantid $tenantfilter | Where-Object { $_.lastPasswordChangeDateTime -gt $startDate }
-  $NewUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users?`$select=displayname,UserPrincipalName,CreatedDateTime"  -Tenantid $tenantfilter | Where-Object { $_.CreatedDateTime -gt $startDate }
+  $NewUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users?`$select=displayname,UserPrincipalName,CreatedDateTime" -Tenantid $tenantfilter | Where-Object { $_.CreatedDateTime -gt $startDate }
   $MFADevices = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($SuspectUser)/authentication/methods" -Tenantid $tenantfilter
   $NewSPs = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$select=displayName,createdDateTime,id,AppDisplayName&`$filter=createdDateTime ge $($startDate.ToString('yyyy-MM-ddTHH:mm:ssZ'))" -Tenantid $tenantfilter
-  $Last50Logons = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/auditLogs/signIns?`$top=50&`$orderby=createdDateTime desc"  -tenantid $TenantFilter -noPagination $true -verbose | Select-Object @{ Name = 'CreatedDateTime'; Expression = { $(($_.createdDateTime | Out-String) -replace '\r\n') } },
+  $Last50Logons = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/auditLogs/signIns?`$top=50&`$orderby=createdDateTime desc" -tenantid $TenantFilter -noPagination $true -verbose | Select-Object @{ Name = 'CreatedDateTime'; Expression = { $(($_.createdDateTime | Out-String) -replace '\r\n') } },
   id,
   @{ Name = 'AppDisplayName'; Expression = { $_.resourceDisplayName } },
   @{ Name = 'Status'; Expression = { if (($_.conditionalAccessStatus -eq 'Success' -or 'Not Applied') -and $_.status.errorCode -eq 0) { 'Success' } else { 'Failed' } } },
   @{ Name = 'IPAddress'; Expression = { $_.ipAddress } }, UserPrincipalName
   $Results = [PSCustomObject]@{
-    AddedApps                = $NewSPs
-    SuspectUserMailboxLogons = $Last50Logons
+    AddedApps                = @($NewSPs)
+    SuspectUserMailboxLogons = @($Last50Logons)
     LastSuspectUserLogon     = @($LastSignIn)
     SuspectUserDevices       = @($Devices)
     NewRules                 = @($RulesLog)
     MailboxPermissionChanges = @($PermissionsLog)
     NewUsers                 = @($NewUsers)
-    MFADevices               = $MFADevices
-    ChangedPasswords         = $PasswordChanges
+    MFADevices               = @($MFADevices)
+    ChangedPasswords         = @($PasswordChanges)
     ExtractedAt              = (Get-Date).ToString('s')
     ExtractResult            = $ExtractResult
   }
 
-}
-catch {
+} catch {
   $errMessage = Get-NormalizedError -message $_.Exception.Message
-  $results = [pscustomobject]@{"Results" = "$errMessage" }
+  $results = [pscustomobject]@{'Results' = "$errMessage" }
 }
 
 $Table = Get-CippTable -tablename 'cachebec'
@@ -128,5 +123,5 @@ Add-CIPPAzDataTableEntity @Table -Entity @{
   UserId       = $Context.input.userid
   Results      = "$($results | ConvertTo-Json -Depth 10)"
   RowKey       = $Context.input.userid
-  PartitionKey = "bec"
+  PartitionKey = 'bec'
 }