Merge pull request #643 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

ExampleReportTemplate.ps1

@@ -1,11 +1,17 @@
 $Table = Get-CippTable -tablename 'CippReportTemplates'
 
+# Dynamically discover all ZTNA test files
+$TestFiles = Get-ChildItem "C:\Github\CIPP-API\Modules\CIPPCore\Public\Tests\Invoke-CippTestZTNA*.ps1" | Sort-Object Name
+$AllTestIds = $TestFiles.BaseName | ForEach-Object { $_ -replace 'Invoke-CippTestZTNA', 'ZTNA' }
+
+Write-Host "Discovered $($AllTestIds.Count) ZTNA tests"
+
 $Entity = @{
-    RowKey       = (New-Guid).ToString()
-    PartitionKey = 'ReportingTemplate'
-    Tests        = [string](@('Test01', 'Test02', 'Test03', 'Test04', 'Test05') | ConvertTo-Json -Compress)
-    Description  = 'This is a test report'
-    Name         = 'Test Report'
+    RowKey        = 'd5d1e123-bce0-482d-971f-be6ed820dd92'
+    PartitionKey  = 'ReportingTemplate'
+    IdentityTests = [string]($AllTestIds | ConvertTo-Json -Compress)
+    Description   = 'Complete Zero Trust Network Assessment Report'
+    Name          = 'Full ZTNA Report'
 }
 
 Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1

@@ -62,6 +62,10 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "AuthorizationPolicy collection failed: $($_.Exception.Message)" -sev Error
         }
 
+        try { Set-CIPPDBCacheAuthenticationMethodsPolicy -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "AuthenticationMethodsPolicy collection failed: $($_.Exception.Message)" -sev Error
+        }
+
         try { Set-CIPPDBCacheDeviceSettings -TenantFilter $TenantFilter } catch {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "DeviceSettings collection failed: $($_.Exception.Message)" -sev Error
         }
@@ -98,6 +102,50 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "PIMSettings collection failed: $($_.Exception.Message)" -sev Error
         }
 
+        try { Set-CIPPDBCacheDomains -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Domains collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheRoleEligibilitySchedules -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RoleEligibilitySchedules collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheRoleManagementPolicies -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RoleManagementPolicies collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheRoleAssignmentScheduleInstances -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RoleAssignmentScheduleInstances collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheB2BManagementPolicy -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "B2BManagementPolicy collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheAuthenticationFlowsPolicy -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "AuthenticationFlowsPolicy collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheRiskyUsers -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskyUsers collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheRiskyServicePrincipals -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskyServicePrincipals collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheServicePrincipalRiskDetections -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ServicePrincipalRiskDetections collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheRiskDetections -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskDetections collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheDeviceRegistrationPolicy -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "DeviceRegistrationPolicy collection failed: $($_.Exception.Message)" -sev Error
+        }
+
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Completed database cache collection for tenant' -sev Info
 
     } catch {

Modules/CIPPCore/Public/Get-CippDbRole.ps1

@@ -0,0 +1,53 @@
+function Get-CippDbRole {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+
+        [Parameter(Mandatory = $false)]
+        [switch]$IncludePrivilegedRoles,
+
+        [Parameter(Mandatory = $false)]
+        [switch]$CisaHighlyPrivilegedRoles
+    )
+
+    $Roles = New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'Roles'
+
+    if ($IncludePrivilegedRoles) {
+        $PrivilegedRoleTemplateIds = @(
+            '62e90394-69f5-4237-9190-012177145e10',
+            '194ae4cb-b126-40b2-bd5b-6091b380977d',
+            '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3',
+            'e8611ab8-c189-46e8-94e1-60213ab1f814',
+            '29232cdf-9323-42fd-ade2-1d097af3e4de',
+            'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9',
+            'f28a1f50-f6e7-4571-818b-6a12f2af6b6c',
+            'fe930be7-5e62-47db-91af-98c3a49a38b1',
+            '729827e3-9c14-49f7-bb1b-9608f156bbb8',
+            '966707d0-3269-4727-9be2-8c3a10f19b9d',
+            'b0f54661-2d74-4c50-afa3-1ec803f12efe',
+            '7be44c8a-adaf-4e2a-84d6-ab2649e08a13',
+            '158c047a-c907-4556-b7ef-446551a6b5f7',
+            'c4e39bd9-1100-46d3-8c65-fb160da0071f',
+            '9f06204d-73c1-4d4c-880a-6edb90606fd8',
+            '17315797-102d-40b4-93e0-432062caca18',
+            '4a5d8f65-41da-4de4-8968-e035b65339cf',
+            '75941009-915a-4869-abe7-691bff18279e'
+        )
+        $Roles = $Roles | Where-Object { $PrivilegedRoleTemplateIds -contains $_.templateId }
+    }
+
+    if ($CisaHighlyPrivilegedRoles) {
+        $CisaRoleTemplateIds = @(
+            '62e90394-69f5-4237-9190-012177145e10',
+            '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3',
+            '29232cdf-9323-42fd-ade2-1d097af3e4de',
+            '729827e3-9c14-49f7-bb1b-9608f156bbb8',
+            '966707d0-3269-4727-9be2-8c3a10f19b9d',
+            'b0f54661-2d74-4c50-afa3-1ec803f12efe'
+        )
+        $Roles = $Roles | Where-Object { $CisaRoleTemplateIds -contains $_.templateId }
+    }
+
+    return $Roles
+}

Modules/CIPPCore/Public/Get-CippDbRoleMembers.ps1

@@ -0,0 +1,49 @@
+function Get-CippDbRoleMembers {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+
+        [Parameter(Mandatory = $true)]
+        [string]$RoleTemplateId
+    )
+
+    $RoleAssignments = New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'RoleAssignmentScheduleInstances'
+    $RoleEligibilities = New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'RoleEligibilitySchedules'
+
+    $ActiveMembers = $RoleAssignments | Where-Object {
+        $_.roleDefinitionId -eq $RoleTemplateId -and $_.assignmentType -eq 'Assigned'
+    }
+
+    $EligibleMembers = $RoleEligibilities | Where-Object {
+        $_.roleDefinitionId -eq $RoleTemplateId
+    }
+
+    $AllMembers = [System.Collections.Generic.List[object]]::new()
+
+    foreach ($member in $ActiveMembers) {
+        $memberObj = [PSCustomObject]@{
+            id                = $member.principalId
+            displayName       = $member.principal.displayName
+            userPrincipalName = $member.principal.userPrincipalName
+            '@odata.type'     = $member.principal.'@odata.type'
+            AssignmentType    = 'Active'
+        }
+        $AllMembers.Add($memberObj)
+    }
+
+    foreach ($member in $EligibleMembers) {
+        if ($AllMembers.id -notcontains $member.principalId) {
+            $memberObj = [PSCustomObject]@{
+                id                = $member.principalId
+                displayName       = $member.principal.displayName
+                userPrincipalName = $member.principal.userPrincipalName
+                '@odata.type'     = $member.principal.'@odata.type'
+                AssignmentType    = 'Eligible'
+            }
+            $AllMembers.Add($memberObj)
+        }
+    }
+
+    return $AllMembers
+}

Modules/CIPPCore/Public/Set-CIPPDBCacheApps.ps1

@@ -15,7 +15,7 @@ function Set-CIPPDBCacheApps {
     try {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching applications' -sev Info
 
-        $Apps = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/applications?$top=999&$select=id,appId,displayName,createdDateTime,signInAudience' -tenantid $TenantFilter
+        $Apps = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/applications?$top=999' -tenantid $TenantFilter
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Apps' -Data $Apps
         Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Apps' -Data $Apps -Count
         $Apps = $null

Modules/CIPPCore/Public/Set-CIPPDBCacheAuthenticationFlowsPolicy.ps1

@@ -0,0 +1,31 @@
+function Set-CIPPDBCacheAuthenticationFlowsPolicy {
+    <#
+    .SYNOPSIS
+        Caches authentication flows policy for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache authentication flows policy for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching authentication flows policy' -sev Info
+
+        $AuthFlowPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/policies/authenticationFlowsPolicy' -tenantid $TenantFilter
+
+        if ($AuthFlowPolicy) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthenticationFlowsPolicy' -Data @($AuthFlowPolicy)
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached authentication flows policy successfully' -sev Info
+        }
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter `
+            -message "Failed to cache authentication flows policy: $($_.Exception.Message)" `
+            -sev Warning `
+            -LogData (Get-CippException -Exception $_)
+    }
+}

Modules/CIPPCore/Public/Set-CIPPDBCacheAuthenticationMethodsPolicy.ps1

@@ -0,0 +1,26 @@
+function Set-CIPPDBCacheAuthenticationMethodsPolicy {
+    <#
+    .SYNOPSIS
+        Caches authentication methods policy for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache authentication methods policy for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching authentication methods policy' -sev Info
+        $AuthMethodsPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $TenantFilter
+        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'AuthenticationMethodsPolicy' -Data @($AuthMethodsPolicy)
+        $AuthMethodsPolicy = $null
+
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached authentication methods policy successfully' -sev Info
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache authentication methods policy: $($_.Exception.Message)" -sev Error
+    }
+}

Modules/CIPPCore/Public/Set-CIPPDBCacheB2BManagementPolicy.ps1

@@ -0,0 +1,34 @@
+function Set-CIPPDBCacheB2BManagementPolicy {
+    <#
+    .SYNOPSIS
+        Caches B2B management policy for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache B2B management policy for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching B2B management policy' -sev Info
+
+        $LegacyPolicies = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies' -tenantid $TenantFilter
+        $B2BManagementPolicy = $LegacyPolicies | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
+
+        if ($B2BManagementPolicy) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'B2BManagementPolicy' -Data @($B2BManagementPolicy)
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached B2B management policy successfully' -sev Info
+        } else {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'No B2B management policy found' -sev Info
+        }
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter `
+            -message "Failed to cache B2B management policy: $($_.Exception.Message)" `
+            -sev Warning `
+            -LogData (Get-CippException -Exception $_)
+    }
+}

Modules/CIPPCore/Public/Set-CIPPDBCacheDeviceRegistrationPolicy.ps1

@@ -0,0 +1,31 @@
+function Set-CIPPDBCacheDeviceRegistrationPolicy {
+    <#
+    .SYNOPSIS
+        Caches device registration policy for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache device registration policy for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching device registration policy' -sev Info
+
+        $DeviceRegistrationPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy' -tenantid $TenantFilter
+        
+        if ($DeviceRegistrationPolicy) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'DeviceRegistrationPolicy' -Data @($DeviceRegistrationPolicy)
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached device registration policy successfully' -sev Info
+        }
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter `
+            -message "Failed to cache device registration policy: $($_.Exception.Message)" `
+            -sev Warning `
+            -LogData (Get-CippException -Exception $_)
+    }
+}

Modules/CIPPCore/Public/Set-CIPPDBCacheDomains.ps1

@@ -0,0 +1,26 @@
+function Set-CIPPDBCacheDomains {
+    <#
+    .SYNOPSIS
+        Caches domains for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache domains for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching domains' -sev Info
+        $Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter
+        Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'Domains' -Data @($Domains)
+        $Domains = $null
+
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached domains successfully' -sev Info
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache domains: $($_.Exception.Message)" -sev Error
+    }
+}