Merge pull request #417 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-ListGroups.ps1

@@ -19,7 +19,14 @@ function Invoke-ListGroups {
     $GroupType = $Request.Query.groupType
     $Members = $Request.Query.members
     $Owners = $Request.Query.owners
-    $SelectString = 'id,createdDateTime,displayName,description,mail,mailEnabled,mailNickname,resourceProvisioningOptions,securityEnabled,visibility,organizationId,onPremisesSamAccountName,membershipRule,groupTypes,onPremisesSyncEnabled,resourceProvisioningOptions,userPrincipalName&$expand=members($select=userPrincipalName)'
+
+    $ExpandMembers = $Request.Query.expandMembers ?? $false
+
+    $SelectString = 'id,createdDateTime,displayName,description,mail,mailEnabled,mailNickname,resourceProvisioningOptions,securityEnabled,visibility,organizationId,onPremisesSamAccountName,membershipRule,groupTypes,onPremisesSyncEnabled,resourceProvisioningOptions,userPrincipalName'
+    if ($ExpandMembers -ne $false) {
+        $SelectString = '{0}&$expand=members($select=userPrincipalName)' -f $SelectString
+    }
+
 
     $BulkRequestArrayList = [System.Collections.Generic.List[object]]::new()
 
@@ -86,7 +93,7 @@ function Invoke-ListGroups {
             $RawGraphRequest = New-GraphBulkRequest -tenantid $TenantFilter -scope 'https://graph.microsoft.com/.default' -Requests @($BulkRequestArrayList) -asapp $true
             $GraphRequest = [PSCustomObject]@{
                 groupInfo              = ($RawGraphRequest | Where-Object { $_.id -eq 1 }).body | Select-Object *, @{ Name = 'primDomain'; Expression = { $_.mail -split '@' | Select-Object -Last 1 } },
-                @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -Like '*Team*') { $true } else { $false } } },
+                @{Name = 'teamsEnabled'; Expression = { if ($_.resourceProvisioningOptions -like '*Team*') { $true } else { $false } } },
                 @{Name = 'calculatedGroupType'; Expression = {
                         if ($_.mailEnabled -and $_.securityEnabled) { 'Mail-Enabled Security' }
                         if (!$_.mailEnabled -and $_.securityEnabled) { 'Security' }
@@ -129,4 +136,4 @@ function Invoke-ListGroups {
             Body       = $GraphRequest
         })
 
-}
+}

Modules/CIPPCore/Public/GraphHelper/Write-AlertTrace.ps1

@@ -20,8 +20,8 @@ function Write-AlertTrace {
             $TableRow = @{
                 'PartitionKey' = $PartitionKey
                 'RowKey'       = "$($tenantFilter)-$($cmdletName)"
-                'CmdletName'   = $cmdletName
-                'Tenant'       = $tenantFilter
+                'CmdletName'   = "$cmdletName"
+                'Tenant'       = "$tenantFilter"
                 'LogData'      = [string]$LogData
             }
             $Table.Entity = $TableRow
@@ -33,8 +33,8 @@ function Write-AlertTrace {
         $TableRow = @{
             'PartitionKey' = $PartitionKey
             'RowKey'       = "$($tenantFilter)-$($cmdletName)"
-            'CmdletName'   = $cmdletName
-            'Tenant'       = $tenantFilter
+            'CmdletName'   = "$cmdletName"
+            'Tenant'       = "$tenantFilter"
             'LogData'      = [string]$LogData
         }
         $Table.Entity = $TableRow

Modules/CIPPCore/Public/New-CIPPCAPolicy.ps1

@@ -153,7 +153,7 @@ function New-CIPPCAPolicy {
     }
 
     foreach ($location in $JSONObj.conditions.locations.includeLocations) {
-        Write-Information "Replacing $location"
+        Write-Information "Replacing named location - $location"
         $lookup = $LocationLookupTable | Where-Object -Property name -EQ $location
         Write-Information "Found $lookup"
         if (!$lookup) { continue }
@@ -198,6 +198,11 @@ function New-CIPPCAPolicy {
                     }
                 }
 
+                if ($JSONObj.conditions.users.includeUsers.Count -eq 0) {
+                    Write-Information 'No users matched in this policy, setting to none'
+                    $JSONObj.conditions.users.includeUsers = 'none'
+                }
+
             } catch {
                 $ErrorMessage = Get-CippException -Exception $_
                 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to replace displayNames for conditional access rule $($JSONObj.displayName). Error: $($ErrorMessage.NormalizedError)" -sev 'Error' -LogData $ErrorMessage
@@ -229,14 +234,19 @@ function New-CIPPCAPolicy {
     if ($DisableSD -eq $true) {
         #Send request to disable security defaults.
         $body = '{ "isEnabled": false }'
-        $null = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -ContentType 'application/json'
-        Write-LogMessage -Headers $User -API 'Create CA Policy' -tenant $($Tenant) -message "Disabled Security Defaults for tenant $($TenantFilter)" -Sev 'Info'
-        Start-Sleep 3
+        try {
+            $null = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -Type patch -Body $body -asApp $true -ContentType 'application/json'
+            Write-LogMessage -Headers $User -API 'Create CA Policy' -tenant $($Tenant) -message "Disabled Security Defaults for tenant $($TenantFilter)" -Sev 'Info'
+            Start-Sleep 3
+        } catch {
+            $ErrorMessage = Get-CippException -Exception $_
+            Write-Information "Failed to disable security defaults for tenant $($TenantFilter): $($ErrorMessage.NormalizedError)"
+        }
     }
     $RawJSON = ConvertTo-Json -InputObject $JSONObj -Depth 10 -Compress
     Write-Information $RawJSON
     try {
-        Write-Information 'Checking'
+        Write-Information 'Checking for existing policies'
         $CheckExististing = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -tenantid $TenantFilter -asApp $true | Where-Object -Property displayName -EQ $displayname
         if ($CheckExististing) {
             if ($Overwrite -ne $true) {
@@ -249,7 +259,7 @@ function New-CIPPCAPolicy {
                 return "Updated policy $displayname for $tenantfilter"
             }
         } else {
-            Write-Information 'Creating'
+            Write-Information 'Creating new policy'
             if ($JSONobj.GrantControls.authenticationStrength.policyType -or $JSONObj.$jsonobj.LocationInfo) {
                 Start-Sleep 3
             }
@@ -260,6 +270,10 @@ function New-CIPPCAPolicy {
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
         Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update conditional access rule $($JSONObj.displayName): $($ErrorMessage.NormalizedError) " -sev 'Error' -LogData $ErrorMessage
+
+        Write-Warning "Failed to create or update conditional access rule $($JSONObj.displayName): $($ErrorMessage.NormalizedError)"
+        Write-Information $_.InvocationInfo.PositionMessage
+        Write-Information ($JSONObj | ConvertTo-Json -Depth 10)
         throw "Failed to create or update conditional access rule $($JSONObj.displayName): $($ErrorMessage.NormalizedError)"
     }
 }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccessTemplate.ps1

@@ -32,6 +32,7 @@ function Invoke-CIPPStandardConditionalAccessTemplate {
     ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'ConditionalAccess'
     $Table = Get-CippTable -tablename 'templates'
     $TestResult = Test-CIPPStandardLicense -StandardName 'ConditionalAccessTemplate_general' -TenantFilter $Tenant -RequiredCapabilities @('AAD_PREMIUM', 'AAD_PREMIUM_P2')
+    $TestP2 = Test-CIPPStandardLicense -StandardName 'ConditionalAccessTemplate_p2' -TenantFilter $Tenant -RequiredCapabilities @('AAD_PREMIUM_P2')
     if ($TestResult -eq $false) {
         #writing to each item that the license is not present.
         $settings.TemplateList | ForEach-Object {
@@ -42,9 +43,8 @@ function Invoke-CIPPStandardConditionalAccessTemplate {
     } #we're done.
 
     try {
-        $AllCAPolicies = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies?$top=999' -tenantid $Tenant
-    }
-    catch {
+        $AllCAPolicies = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies?$top=999' -tenantid $Tenant -asApp $true
+    } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
         Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the ConditionalAccessTemplate state for $Tenant. Error: $ErrorMessage" -Sev Error
         return
@@ -55,6 +55,13 @@ function Invoke-CIPPStandardConditionalAccessTemplate {
             try {
                 $Filter = "PartitionKey eq 'CATemplate' and RowKey eq '$($Setting.TemplateList.value)'"
                 $JSONObj = (Get-CippAzDataTableEntity @Table -Filter $Filter).JSON
+                $Policy = $JSONObj | ConvertFrom-Json
+                if ($Policy.conditions.userRiskLevels.count -gt 0 -or $Policy.conditions.signInRiskLevels.count -gt 0) {
+                    if (!$TestP2) {
+                        Write-Information "Skipping policy $($Policy.displayName) as it requires AAD Premium P2 license."
+                        continue
+                    }
+                }
                 $null = New-CIPPCAPolicy -replacePattern 'displayName' -TenantFilter $tenant -state $Setting.state -RawJSON $JSONObj -Overwrite $true -APIName $APIName -Headers $Request.Headers -DisableSD $Setting.DisableSD
             } catch {
                 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
@@ -70,7 +77,15 @@ function Invoke-CIPPStandardConditionalAccessTemplate {
             $policy = $Policies | Where-Object { $_.displayName -eq $Setting.label }
             $CheckExististing = $AllCAPolicies | Where-Object -Property displayName -EQ $Setting.label
             if (!$CheckExististing) {
-                Set-CIPPStandardsCompareField -FieldName "standards.ConditionalAccessTemplate.$($Setting.value)" -FieldValue "Policy $($Setting.label) is missing from this tenant." -Tenant $Tenant
+                if ($Setting.conditions.userRiskLevels.Count -gt 0 -or $Setting.conditions.signInRiskLevels.Count -gt 0) {
+                    if (!$TestP2) {
+                        Set-CIPPStandardsCompareField -FieldName "standards.ConditionalAccessTemplate.$($Setting.value)" -FieldValue "Policy $($Setting.label) requires AAD Premium P2 license." -Tenant $Tenant
+                    } else {
+                        Set-CIPPStandardsCompareField -FieldName "standards.ConditionalAccessTemplate.$($Setting.value)" -FieldValue "Policy $($Setting.label) is missing from this tenant." -Tenant $Tenant
+                    }
+                } else {
+                    Set-CIPPStandardsCompareField -FieldName "standards.ConditionalAccessTemplate.$($Setting.value)" -FieldValue "Policy $($Setting.label) is missing from this tenant." -Tenant $Tenant
+                }
             } else {
                 $CompareObj = ConvertFrom-Json -ErrorAction SilentlyContinue -InputObject (New-CIPPCATemplate -TenantFilter $tenant -JSON $CheckExististing)
                 $Compare = Compare-CIPPIntuneObject -ReferenceObject $policy -DifferenceObject $CompareObj