Merge branch 'dev' into update-tenant-user-templates

Author: Zacgoose

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ListMailQuarantineAllTenants.ps1

@@ -12,7 +12,7 @@
 
     try {
         $quarantineMessages = New-ExoRequest -tenantid $domainName -cmdlet 'Get-QuarantineMessage' -cmdParams @{ 'PageSize' = 1000 } | Select-Object -ExcludeProperty *data.type*
-        $GraphRequest = foreach ($message in $quarantineMessages) {
+        foreach ($message in $quarantineMessages) {
             $messageData = @{
                 QuarantineMessage = [string]($message | ConvertTo-Json -Depth 10 -Compress)
                 RowKey            = [string](New-Guid).Guid

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ListMailboxRules.ps1

@@ -31,9 +31,6 @@ function Invoke-ListMailboxRules {
             QueueMessage = "Still loading data for $TenantFilter. Please check back in a few more minutes"
             QueueId      = $RunningQueue.RowKey
         }
-        [PSCustomObject]@{
-            Waiting = $true
-        }
     } elseif ((!$Rows -and !$RunningQueue) -or ($TenantFilter -eq 'AllTenants' -and ($Rows | Measure-Object).Count -eq 1)) {
         Write-Information "No cached mailbox rules found for $TenantFilter, starting new orchestration"
         if ($TenantFilter -eq 'AllTenants') {
@@ -58,7 +55,7 @@ function Invoke-ListMailboxRules {
                 SkipLog          = $true
             }
             #Write-Host ($InputObject | ConvertTo-Json)
-            $InstanceId = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
+            Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
             Write-Host "Started mailbox rules orchestration with ID = '$InstanceId'"
         }
 

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Spamfilter/Invoke-ListMailQuarantine.ps1

@@ -19,16 +19,13 @@ function Invoke-ListMailQuarantine {
             $Filter = "PartitionKey eq '$PartitionKey'"
             $Rows = Get-CIPPAzDataTableEntity @Table -filter $Filter | Where-Object -Property Timestamp -GT (Get-Date).AddMinutes(-30)
             $QueueReference = '{0}-{1}' -f $TenantFilter, $PartitionKey
-            $RunningQueue = Invoke-ListCippQueue | Where-Object { $_.Reference -eq $QueueReference -and $_.Status -notmatch 'Completed' -and $_.Status -notmatch 'Failed' }
+            $RunningQueue = Invoke-ListCippQueue -Reference $QueueReference | Where-Object { $_.Status -notmatch 'Completed' -and $_.Status -notmatch 'Failed' }
             # If a queue is running, we will not start a new one
             if ($RunningQueue) {
                 $Metadata = [PSCustomObject]@{
                     QueueMessage = 'Still loading data for all tenants. Please check back in a few more minutes'
                     QueueId      = $RunningQueue.RowKey
                 }
-                [PSCustomObject]@{
-                    Waiting = $true
-                }
             } elseif (!$Rows -and !$RunningQueue) {
                 # If no rows are found and no queue is running, we will start a new one
                 $TenantList = Get-Tenants -IncludeErrors
@@ -49,16 +46,13 @@ function Invoke-ListMailQuarantine {
                     }
                     SkipLog          = $true
                 }
-                Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
-                [PSCustomObject]@{
-                    Waiting = $true
-                }
+                $null = Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress)
             } else {
                 $Metadata = [PSCustomObject]@{
                     QueueId = $RunningQueue.RowKey ?? $null
                 }
-                $messages = $Rows
-                foreach ($message in $messages) {
+                $Messages = $Rows
+                foreach ($message in $Messages) {
                     $messageObj = $message.QuarantineMessage | ConvertFrom-Json
                     $messageObj | Add-Member -NotePropertyName 'Tenant' -NotePropertyValue $message.Tenant -Force
                     $messageObj

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1

@@ -16,13 +16,9 @@ function Invoke-ExecJITAdmin {
     $TenantFilter = $Request.Body.tenantFilter.value ? $Request.Body.tenantFilter.value : $Request.Body.tenantFilter
 
 
-    if ($Request.Body.existingUser.value -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
-        $Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.existingUser.value)" -tenantid $TenantFilter).userPrincipalName
-    }
-
     $Start = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.StartDate)).DateTime.ToLocalTime()
     $Expiration = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.EndDate)).DateTime.ToLocalTime()
-    $Results = [System.Collections.Generic.List[string]]::new()
+    $Results = [System.Collections.Generic.List[object]]::new()
 
     if ($Request.Body.userAction -eq 'create') {
         $Domain = $Request.Body.Domain.value ? $Request.Body.Domain.value : $Request.Body.Domain
@@ -39,17 +35,62 @@ function Invoke-ExecJITAdmin {
             Reason       = $Request.Body.reason
             Action       = 'Create'
             TenantFilter = $TenantFilter
+            Headers      = $Headers
+            APIName      = $APIName
+        }
+        try {
+            $CreateResult = Set-CIPPUserJITAdmin @JITAdmin
+        } catch {
+            return ([HttpResponseContext]@{
+                    StatusCode = [HttpStatusCode]::BadRequest
+                    Body       = @{'Results' = @("Failed to create JIT Admin user: $($_.Exception.Message)") }
+                })
         }
-        $CreateResult = Set-CIPPUserJITAdmin @JITAdmin
-        Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Created JIT Admin user: $Username. Reason: $($Request.Body.reason). Roles: $($Request.Body.adminRoles.label -join ', ')" -Sev 'Info' -LogData $JITAdmin
-        $Results.Add("Created User: $Username")
+        $Results.Add(@{
+                resultText = "Created User: $Username"
+                copyField  = $Username
+                state      = 'success'
+            })
         if (!$Request.Body.UseTAP) {
-            $Results.Add("Password: $($CreateResult.password)")
+            $Results.Add(@{
+                    resultText = "Password: $($CreateResult.password)"
+                    copyField  = $CreateResult.password
+                    state      = 'success'
+                })
         }
         $Results.Add("JIT Admin Expires: $($Expiration)")
         Start-Sleep -Seconds 1
+    } else {
+
+        $Username = $Request.Body.existingUser.value
+        if ($Username -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') {
+            Write-Information "Resolving UserPrincipalName from ObjectId: $($Request.Body.existingUser.value)"
+            $Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.existingUser.value)" -tenantid $TenantFilter).userPrincipalName
+
+            # If the resolved username is a guest user, we need to use the id instead of the UPN
+            if ($Username -clike '*#EXT#*') {
+                $Username = $Request.Body.existingUser.value
+            }
+        }
+
+        # Validate we have a username
+        if ([string]::IsNullOrWhiteSpace($Username)) {
+            return [HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::BadRequest
+                Body       = @{ 'Results' = @("Could not resolve username from existingUser value: $($Request.Body.existingUser.value)") }
+            }
+        }
+
+        # Add username result for existing user
+        $Results.Add(@{
+                resultText = "User: $Username"
+                copyField  = $Username
+                state      = 'success'
+            })
     }
 
+
+
     #Region TAP creation
     if ($Request.Body.UseTAP) {
         try {
@@ -82,13 +123,21 @@ function Invoke-ExecJITAdmin {
             $PasswordLink = New-PwPushLink -Payload $TempPass
             $Password = $PasswordLink ? $PasswordLink : $TempPass
 
-            $Results.Add("Temporary Access Pass: $Password")
+            $Results.Add(@{
+                    resultText = "Temporary Access Pass: $Password"
+                    copyField  = $Password
+                    state      = 'success'
+                })
             $Results.Add("This TAP is usable starting at $($TapRequest.startDateTime) UTC for the next $PasswordExpiration minutes")
         } catch {
             $Results.Add('Failed to create TAP, if this is not yet enabled, use the Standards to push the settings to the tenant.')
             Write-Information (Get-CippException -Exception $_ | ConvertTo-Json -Depth 5)
             if ($Password) {
-                $Results.Add("Password: $Password")
+                $Results.Add(@{
+                        resultText = "Password: $Password"
+                        copyField  = $Password
+                        state      = 'success'
+                    })
             }
         }
     }
@@ -103,6 +152,8 @@ function Invoke-ExecJITAdmin {
         Action       = 'AddRoles'
         Reason       = $Request.Body.Reason
         Expiration   = $Expiration
+        Headers      = $Headers
+        APIName      = $APIName
     }
     if ($Start -gt (Get-Date)) {
         $TaskBody = @{
@@ -125,11 +176,16 @@ function Invoke-ExecJITAdmin {
             Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $Request.Body.existingUser.value -Expiration $Expiration -Reason $Request.Body.Reason
         }
         $Results.Add("Scheduling JIT Admin enable task for $Username")
-        Write-LogMessage -Headers $Headers -API $APIName -message "Scheduling JIT Admin for existing user: $Username. Reason: $($Request.Body.reason). Roles: $($Request.Body.adminRoles.label -join ', ') " -tenant $TenantFilter -Sev 'Info'
     } else {
-        $Results.Add("Executing JIT Admin enable task for $Username")
-        Set-CIPPUserJITAdmin @Parameters
-        Write-LogMessage -Headers $Headers -API $APIName -message "Executing JIT Admin for existing user: $Username. Reason: $($Request.Body.reason). Roles: $($Request.Body.adminRoles.label -join ', ') " -tenant $TenantFilter -Sev 'Info'
+        try {
+            $Results.Add("Executing JIT Admin enable task for $Username")
+            Set-CIPPUserJITAdmin @Parameters
+        } catch {
+            return ([HttpResponseContext]@{
+                    StatusCode = [HttpStatusCode]::BadRequest
+                    Body       = @{'Results' = @("Failed to execute JIT Admin enable task: $($_.Exception.Message)") }
+                })
+        }
     }
 
     $DisableTaskBody = [pscustomobject]@{
@@ -158,7 +214,6 @@ function Invoke-ExecJITAdmin {
     $null = Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false
     $Results.Add("Scheduling JIT Admin $($Request.Body.ExpireAction.value) task for $Username")
 
-    # TODO - We should find a way to have this return a HTTP status code based on the success or failure of the operation. This also doesn't return the results of the operation in a Results hash table, like most of the rest of the API.
     return ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK
             Body       = @{'Results' = @($Results) }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Security/Invoke-ExecAlertsList.ps1

@@ -62,9 +62,6 @@ function Invoke-ExecAlertsList {
                     QueueMessage = 'Still loading data for all tenants. Please check back in a few more minutes'
                     QueueId      = $RunningQueue.RowKey
                 }
-                [PSCustomObject]@{
-                    Waiting = $true
-                }
             } elseif (!$Rows -and !$RunningQueue) {
                 # If no rows are found and no queue is running, we will start a new one
                 $TenantList = Get-Tenants -IncludeErrors
@@ -85,11 +82,7 @@ function Invoke-ExecAlertsList {
                     }
                     SkipLog          = $true
                 } | ConvertTo-Json -Depth 10
-                $InstanceId = Start-NewOrchestration -FunctionName CIPPOrchestrator -InputObject $InputObject
-                [PSCustomObject]@{
-                    Waiting    = $true
-                    InstanceId = $InstanceId
-                }
+                Start-NewOrchestration -FunctionName CIPPOrchestrator -InputObject $InputObject
             } else {
                 $Metadata = [PSCustomObject]@{
                     QueueId = $RunningQueue.RowKey ?? $null

Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1

@@ -24,6 +24,9 @@ function Set-CIPPUserJITAdmin {
     .PARAMETER Reason
     Reason for JIT admin assignment. Defaults to 'No reason provided' as due to backwards compatibility this is not a mandatory field.
 
+    .PARAMETER Headers
+    Headers to include in logging
+
     .EXAMPLE
     Set-CIPPUserJITAdmin -TenantFilter 'contoso.onmicrosoft.com' -Headers@{UserPrincipalName = '[email protected]'} -Roles @('62e90394-69f5-4237-9190-012177145e10') -Action 'AddRoles' -Expiration (Get-Date).AddDays(1) -Reason 'Emergency access'
 
@@ -32,19 +35,16 @@ function Set-CIPPUserJITAdmin {
     param(
         [Parameter(Mandatory = $true)]
         [string]$TenantFilter,
-
         [Parameter(Mandatory = $true)]
         [hashtable]$User,
-
         [string[]]$Roles,
-
         [Parameter(Mandatory = $true)]
         [ValidateSet('Create', 'AddRoles', 'RemoveRoles', 'DeleteUser', 'DisableUser')]
         [string]$Action,
-
         [datetime]$Expiration,
-
-        [string]$Reason = 'No reason provided'
+        [string]$Reason = 'No reason provided',
+        $Headers,
+        [string]$APIName = 'Set-CIPPUserJITAdmin'
     )
 
     if ($PSCmdlet.ShouldProcess("User: $($User.UserPrincipalName)", "Action: $Action")) {
@@ -83,6 +83,7 @@ function Set-CIPPUserJITAdmin {
                     if ($PasswordLink) {
                         $Password = $PasswordLink
                     }
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Created JIT Admin user: $($User.UserPrincipalName). Reason: $Reason" -Sev 'Info'
                     [PSCustomObject]@{
                         id                = $NewUser.id
                         userPrincipalName = $NewUser.userPrincipalName
@@ -116,6 +117,8 @@ function Set-CIPPUserJITAdmin {
                 }
 
                 Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Enabled -Expiration $Expiration -Reason $Reason | Out-Null
+                $Message = "Added admin roles to user $($UserObj.displayName) ($($UserObj.userPrincipalName)). Reason: $Reason"
+                Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
                 return "Added admin roles to user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
             }
             'RemoveRoles' {
@@ -125,15 +128,20 @@ function Set-CIPPUserJITAdmin {
                     } catch {}
                 }
                 Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $UserObj.id -Clear | Out-Null
+                $Message = "Removed admin roles from user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
+                Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
                 return "Removed admin roles from user $($UserObj.displayName)"
             }
             'DeleteUser' {
                 try {
                     $null = New-GraphPOSTRequest -type DELETE -uri "https://graph.microsoft.com/beta/users/$($UserObj.id)" -tenantid $TenantFilter
-                    return "Deleted user $($UserObj.displayName) ($($UserObj.userPrincipalName)) with id $($UserObj.id)"
+                    $Message = "Deleted user $($UserObj.displayName) ($($UserObj.userPrincipalName)) with id $($UserObj.id)"
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
+                    return $Message
                 } catch {
                     $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-                    return "Error deleting user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage"
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Error deleting user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage" -Sev 'Error'
+                    throw "Error deleting user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage"
                 }
             }
             'DisableUser' {
@@ -147,11 +155,13 @@ function Set-CIPPUserJITAdmin {
                     Write-Information "https://graph.microsoft.com/beta/users/$($User.UserPrincipalName)"
                     $null = New-GraphPOSTRequest -type PATCH -uri "https://graph.microsoft.com/beta/users/$($User.UserPrincipalName)" -tenantid $TenantFilter -body $Json
                     Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $User.UserPrincipalName -Clear | Out-Null
-                    return "Disabled user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
+                    $Message = "Disabled user $($UserObj.displayName) ($($UserObj.userPrincipalName))"
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
+                    return $Message
                 } catch {
                     $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-                    return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage"
-
+                    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage" -Sev 'Error'
+                    throw "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrorMessage"
                 }
             }
         }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1

@@ -23,6 +23,7 @@ function Invoke-CIPPStandardAntiPhishPolicy {
             "CIS M365 5.0 (2.1.7)"
             "NIST CSF 2.0 (DE.CM-09)"
         ADDEDCOMPONENT
+            {"type":"textField","name":"standards.AntiPhishPolicy.name","label":"Policy Name","required":true,"defaultValue":"CIPP Default Anti-Phishing Policy"}
             {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","defaultValue":1}
             {"type":"switch","label":"Show first contact safety tip","name":"standards.AntiPhishPolicy.EnableFirstContactSafetyTips","defaultValue":true}
             {"type":"switch","label":"Show user impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips","defaultValue":true}