new tests

Author: KelvinTegelaar

Modules/CIPPCore/Public/Set-CIPPDBCacheGuests.ps1

@@ -15,7 +15,7 @@ function Set-CIPPDBCacheGuests {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching guest users' -sev Info
 
-        $Guests = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=userType eq 'Guest'&`$top=999" -tenantid $TenantFilter
+        $Guests = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=userType eq 'Guest'&`$expand=sponsors&`$top=999" -tenantid $TenantFilter
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Guests' -Data $Guests
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Guests' -Data $Guests -Count
         $Guests = $null

Modules/CIPPCore/Public/Set-CIPPDBCacheServicePrincipals.ps1

@@ -15,7 +15,7 @@ function Set-CIPPDBCacheServicePrincipals {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching service principals' -sev Info
 
-        $ServicePrincipals = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals?$top=999&$select=id,appId,displayName,servicePrincipalType,accountEnabled' -tenantid $TenantFilter
+        $ServicePrincipals = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/servicePrincipals' -tenantid $TenantFilter
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ServicePrincipals' -Data $ServicePrincipals
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ServicePrincipals' -Data $ServicePrincipals -Count
         $ServicePrincipals = $null

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21858.ps1

@@ -0,0 +1,51 @@
+function Invoke-CippTestZTNA21858 {
+    param($Tenant)
+
+    try {
+        $Guests = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Guests'
+        if (-not $Guests) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21858' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Guest user data not found in database' -Risk 'Medium' -Name 'Inactive guest identities are disabled or removed from the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+            return
+        }
+
+        $InactivityThresholdDays = 90
+        $Today = Get-Date
+        $EnabledGuests = $Guests | Where-Object { $_.AccountEnabled -eq $true }
+
+        if (-not $EnabledGuests) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21858' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'No guest users found in the tenant' -Risk 'Medium' -Name 'Inactive guest identities are disabled or removed from the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+            return
+        }
+
+        $InactiveGuests = @()
+        foreach ($Guest in $EnabledGuests) {
+            $DaysSinceLastActivity = $null
+            
+            if ($Guest.signInActivity.lastSuccessfulSignInDateTime) {
+                $LastSignIn = [DateTime]$Guest.signInActivity.lastSuccessfulSignInDateTime
+                $DaysSinceLastActivity = ($Today - $LastSignIn).Days
+            } elseif ($Guest.createdDateTime) {
+                $Created = [DateTime]$Guest.createdDateTime
+                $DaysSinceLastActivity = ($Today - $Created).Days
+            }
+
+            if ($null -ne $DaysSinceLastActivity -and $DaysSinceLastActivity -gt $InactivityThresholdDays) {
+                $InactiveGuests += $Guest
+            }
+        }
+
+        if ($InactiveGuests.Count -gt 0) {
+            $Status = 'Failed'
+            $Result = "Found $($InactiveGuests.Count) inactive guest user(s) with no sign-in activity in the last $InactivityThresholdDays days"
+        } else {
+            $Status = 'Passed'
+            $Result = "All enabled guest users have been active within the last $InactivityThresholdDays days"
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21858' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Inactive guest identities are disabled or removed from the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21858' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Inactive guest identities are disabled or removed from the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21868.ps1

@@ -0,0 +1,21 @@
+function Invoke-CippTestZTNA21868 {
+    param($Tenant)
+
+    try {
+        $Guests = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Guests'
+        $Apps = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Apps'
+        $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
+
+        if (-not $Guests -or -not $Apps -or -not $ServicePrincipals) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21868' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Required data not found in database' -Risk 'Medium' -Name 'Guests do not own apps in the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+            return
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21868' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'This test requires Graph API calls to check application and service principal ownership. Owner relationships are not cached.' -Risk 'Medium' -Name 'Guests do not own apps in the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    }
+    catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21868' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Guests do not own apps in the tenant' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21869.ps1

@@ -0,0 +1,33 @@
+function Invoke-CippTestZTNA21869 {
+    param($Tenant)
+
+    try {
+        $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
+        if (-not $ServicePrincipals) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Service principal data not found in database' -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        $AppsWithoutAssignment = $ServicePrincipals | Where-Object {
+            $_.appRoleAssignmentRequired -eq $false -and
+            $null -ne $_.preferredSingleSignOnMode -and
+            $_.preferredSingleSignOnMode -in @('password', 'saml', 'oidc') -and
+            $_.accountEnabled -eq $true
+        }
+
+        if (-not $AppsWithoutAssignment) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'All enterprise applications have explicit assignment requirements' -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        $Status = 'Investigate'
+        $Result = "Found $($AppsWithoutAssignment.Count) enterprise application(s) without assignment requirements. Full provisioning scope validation requires Graph API calls not available in cache."
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+    catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21869' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Enterprise applications must require explicit assignment or scoped provisioning' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21877.ps1

@@ -0,0 +1,34 @@
+function Invoke-CippTestZTNA21877 {
+    param($Tenant)
+
+    try {
+        $Guests = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Guests'
+        if (-not $Guests) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Guest user data not found in database' -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        if ($Guests.Count -eq 0) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'No guest accounts found in the tenant' -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+            return
+        }
+
+        $GuestsWithoutSponsors = $Guests | Where-Object { -not $_.sponsors -or $_.sponsors.Count -eq 0 }
+
+        if ($GuestsWithoutSponsors.Count -eq 0) {
+            $Status = 'Passed'
+            $Result = 'All guest accounts in the tenant have an assigned sponsor'
+        }
+        else {
+            $Status = 'Failed'
+            $Result = "Found $($GuestsWithoutSponsors.Count) guest user(s) without sponsors out of $($Guests.Count) total guests"
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+    catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21877' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'All guests have a sponsor' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'Application management'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21886.ps1

@@ -0,0 +1,32 @@
+function Invoke-CippTestZTNA21886 {
+    param($Tenant)
+
+    try {
+        $ServicePrincipals = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ServicePrincipals'
+        if (-not $ServicePrincipals) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Service principal data not found in database' -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
+            return
+        }
+
+        $AppsWithSSO = $ServicePrincipals | Where-Object {
+            $null -ne $_.preferredSingleSignOnMode -and
+            $_.preferredSingleSignOnMode -in @('password', 'saml', 'oidc') -and
+            $_.accountEnabled -eq $true
+        }
+
+        if (-not $AppsWithSSO) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status 'Passed' -ResultMarkdown 'No applications configured for SSO found' -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
+            return
+        }
+
+        $Status = 'Investigate'
+        $Result = "Found $($AppsWithSSO.Count) application(s) configured for SSO. Provisioning template and job validation requires Graph API synchronization endpoint not available in cache."
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
+    }
+    catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21886' -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Applications are configured for automatic user provisioning' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Applications management'
+    }
+}