better logging and fix alert being wrong

kris6673 · kris6673 · commit 97c8c01b82e9 · 2025-06-10T19:04:35.000+02:00
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1
@@ -30,32 +30,31 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState {
 
     param($Tenant, $Settings)
 
-    $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $Tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator')
-    $authState = if ($authenticatorFeaturesState.featureSettings.companionAppAllowedState.state -eq 'enabled') { $true } else { $false }
-
-
+    $AuthenticatorFeaturesState = (New-GraphGetRequest -tenantid $Tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator')
 
     # Get state value using null-coalescing operator
-    $state = $Settings.state.value ? $Settings.state.value : $settings.state
-    $authState = if ($authenticatorFeaturesState.featureSettings.companionAppAllowedState.state -eq $state) { $true } else { $false }
+    $CurrentState = $AuthenticatorFeaturesState.featureSettings.companionAppAllowedState.state
+    $WantedState = $Settings.state.value ? $Settings.state.value : $settings.state
+    $AuthStateCorrect = if ($CurrentState -eq $WantedState) { $true } else { $false }
 
     # Input validation
-    if (([string]::IsNullOrWhiteSpace($state) -or $state -eq 'Select a value') -and ($Settings.remediate -eq $true -or $Settings.alert -eq $true)) {
+    if (([string]::IsNullOrWhiteSpace($WantedState) -or $WantedState -eq 'Select a value') -and ($Settings.remediate -eq $true -or $Settings.alert -eq $true)) {
         Write-LogMessage -API 'Standards' -tenant $Tenant -message 'PWcompanionAppAllowedState: Invalid state parameter set' -sev Error
         Return
     }
 
     If ($Settings.remediate -eq $true) {
+        Write-Host "Remediating PWcompanionAppAllowedState for tenant $Tenant to $WantedState"
 
-        if ($authenticatorFeaturesState.featureSettings.companionAppAllowedState.state -eq $state) {
-            Write-LogMessage -API 'Standards' -tenant $Tenant -message "companionAppAllowedState is already set to the desired state of $state." -sev Info
+        if ($AuthStateCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "companionAppAllowedState is already set to the desired state of $WantedState." -sev Info
         } else {
             try {
                 # Remove number matching from featureSettings because this is now Microsoft enforced and shipping it returns an error
-                $authenticatorFeaturesState.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')
+                $AuthenticatorFeaturesState.featureSettings.PSObject.Properties.Remove('numberMatchingRequiredState')
                 # Define feature body
                 $featureBody = @{
-                    state         = $state
+                    state         = $WantedState
                     includeTarget = [PSCustomObject]@{
                         targetType = 'group'
                         id         = 'all_users'
@@ -65,33 +64,33 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState {
                         id         = '00000000-0000-0000-0000-000000000000'
                     }
                 }
-                $authenticatorFeaturesState.featureSettings.companionAppAllowedState = $featureBody
-                $body = ConvertTo-Json -Depth 3 -Compress -InputObject $authenticatorFeaturesState
+                $AuthenticatorFeaturesState.featureSettings.companionAppAllowedState = $featureBody
+                $body = ConvertTo-Json -Depth 3 -Compress -InputObject $AuthenticatorFeaturesState
                 $null = (New-GraphPostRequest -tenantid $Tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type patch -Body $body -ContentType 'application/json')
-                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set companionAppAllowedState to $state." -sev Info
+                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set companionAppAllowedState to $WantedState." -sev Info
             } catch {
                 $ErrorMessage = Get-CippExceptionMessage -Exception $_
-                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set companionAppAllowedState to $state. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set companionAppAllowedState to $WantedState. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
             }
         }
     }
 
     if ($Settings.alert -eq $true) {
 
-        if ($authState) {
-            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'companionAppAllowedState is enabled.' -sev Info
+        if ($AuthStateCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "companionAppAllowedState is set to $WantedState." -sev Info
         } else {
-            Write-StandardsAlert -message 'companionAppAllowedState is not enabled' -object $authenticatorFeaturesState -tenant $Tenant -standardName 'PWcompanionAppAllowedState' -standardId $Settings.standardId
-            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'companionAppAllowedState is not enabled.' -sev Info
+            Write-StandardsAlert -message "companionAppAllowedState is not set to $WantedState. Current state is $CurrentState." -object $AuthenticatorFeaturesState -tenant $Tenant -standardName 'PWcompanionAppAllowedState' -standardId $Settings.standardId
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "companionAppAllowedState is not set to $WantedState. Current state is $CurrentState." -sev Info
         }
     }
 
     if ($Settings.report -eq $true) {
-        Add-CIPPBPAField -FieldName 'companionAppAllowedState' -FieldValue $authState -StoreAs bool -Tenant $Tenant
-        if ($authState) {
+        Add-CIPPBPAField -FieldName 'companionAppAllowedState' -FieldValue $AuthStateCorrect -StoreAs bool -Tenant $Tenant
+        if ($AuthStateCorrect -eq $true) {
             $FieldValue = $true
         } else {
-            $FieldValue = $authenticatorFeaturesState.featureSettings.companionAppAllowedState
+            $FieldValue = $AuthenticatorFeaturesState.featureSettings.companionAppAllowedState
         }
         Set-CIPPStandardsCompareField -FieldName 'standards.PWcompanionAppAllowedState' -FieldValue $FieldValue -Tenant $Tenant
     }
