Merge pull request #223 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewAppApproval.ps1

@@ -13,9 +13,25 @@ function Get-CIPPAlertNewAppApproval {
         $Headers
     )
     try {
-        $Approvals = New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests?`$filter=userConsentRequests/any (u:u/status eq 'InProgress')" -tenantid $TenantFilter
+        $Approvals = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests?`$filter=userConsentRequests/any (u:u/status eq 'InProgress')" -tenantid $TenantFilter
         if ($Approvals.count -gt 0) {
-            $AlertData = "There are $($Approvals.count) App Approval(s) pending."
+            $AlertData = [System.Collections.Generic.List[string]]::new()
+            foreach ($App in $Approvals) {
+                $userConsentRequests = New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests/$($App.id)/userConsentRequests" -tenantid $TenantFilter
+                $userConsentRequests | ForEach-Object {
+                    $consentUrl = if ($App.consentType -eq 'Static') {
+                        # if something is going wrong here you've probably stumbled on a fourth variation - rvdwegen
+                        "https://login.microsoftonline.com/$($TenantFilter)/adminConsent?client_id=$($App.appId)&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
+                    } elseif ($App.pendingScopes.displayName) {
+                        "https://login.microsoftonline.com/$($TenantFilter)/v2.0/adminConsent?client_id=$($App.appId)&scope=$($App.pendingScopes.displayName -Join(' '))&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
+                    } else {
+                        "https://login.microsoftonline.com/$($TenantFilter)/adminConsent?client_id=$($App.appId)&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
+                    }
+
+                    $Message = "App name: $($App.appDisplayName) - Request user: $($_.createdBy.user.userPrincipalName) - Reason: $($_.reason)`nApp Id: $($App.appId) - Scopes: $($App.pendingScopes.displayName)`nConsent URL: $consentUrl"
+                    $AlertData.Add($Message)
+                }
+            }
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
         }
     } catch {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecSetRecipientLimits.ps1

@@ -0,0 +1,50 @@
+function Invoke-ExecSetRecipientLimits {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Exchange.Mailbox.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message 'Accessed this API' -Sev 'Debug'
+
+    # Interact with the query or body of the request
+    $TenantFilter = $Request.Body.tenantFilter
+    $recipientLimit = $Request.Body.recipientLimit
+    $Identity = $Request.Body.Identity
+    $UserPrincipalName = $Request.Body.userid
+
+    # Set the parameters for the EXO request
+    $ExoRequest = @{
+        tenantid  = $TenantFilter
+        cmdlet    = 'Set-Mailbox'
+        cmdParams = @{
+            Identity              = $Identity
+            RecipientLimits       = $recipientLimit
+        }
+    }
+
+    # Execute the EXO request
+    try {
+        $null = New-ExoRequest @ExoRequest
+        $Results = "Recipient limit for $UserPrincipalName has been set to $recipientLimit"
+        
+        Write-LogMessage -API $APIName -tenant $TenantFilter -message $Results -sev Info
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        $Results = "Could not set recipient limit for $UserPrincipalName to $recipientLimit. Error: $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -API $APIName -tenant $TenantFilter -message $Results -sev Error -LogData $ErrorMessage
+        $StatusCode = [HttpStatusCode]::InternalServerError
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = @{ Results = $Results }
+        })
+}

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ListMailboxes.ps1

@@ -63,8 +63,8 @@ Function Invoke-ListMailboxes {
         @{ Name = 'recipientType'; Expression = { $_.'RecipientType' } },
         @{ Name = 'recipientTypeDetails'; Expression = { $_.'RecipientTypeDetails' } },
         @{ Name = 'AdditionalEmailAddresses'; Expression = { ($_.'EmailAddresses' | Where-Object { $_ -clike 'smtp:*' }).Replace('smtp:', '') -join ', ' } },
-        @{Name = 'ForwardingSmtpAddress'; Expression = { $_.'ForwardingSmtpAddress' -replace 'smtp:', '' } },
-        @{Name = 'InternalForwardingAddress'; Expression = { $_.'ForwardingAddress' } },
+        @{ Name = 'ForwardingSmtpAddress'; Expression = { $_.'ForwardingSmtpAddress' -replace 'smtp:', '' } },
+        @{ Name = 'InternalForwardingAddress'; Expression = { $_.'ForwardingAddress' } },
         DeliverToMailboxAndForward,
         HiddenFromAddressListsEnabled,
         ExternalDirectoryObjectId,
@@ -77,6 +77,8 @@ Function Invoke-ListMailboxes {
         ComplianceTagHoldApplied,
         RetentionHoldEnabled,
         InPlaceHolds
+        # This select also exists in ListUserMailboxDetails and should be updated if this is changed here
+
 
         $StatusCode = [HttpStatusCode]::OK
     } catch {

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/Applications/Invoke-ExecAssignApp.ps1

@@ -14,13 +14,10 @@ Function Invoke-ExecAssignApp {
     $Headers = $Request.Headers
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
-
-
-
     # Interact with query parameters or the body of the request.
-    $tenantfilter = $Request.Query.TenantFilter
-    $appFilter = $Request.Query.ID
-    $AssignTo = $Request.Query.AssignTo
+    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
+    $appFilter = $Request.Query.ID ?? $Request.Body.ID
+    $AssignTo = $Request.Query.AssignTo ?? $Request.Body.AssignTo
     $AssignBody = switch ($AssignTo) {
 
         'AllUsers' {
@@ -42,20 +39,23 @@ Function Invoke-ExecAssignApp {
         }
 
     }
-    $body = [pscustomobject]@{'Results' = "$($TenantFilter): Assigned app to $assignTo" }
     try {
-        $GraphRequest = New-Graphpostrequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$appFilter/assign" -tenantid $TenantFilter -body $Assignbody
-        Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenantfilter) -message "Assigned $($appFilter) to $assignTo" -Sev 'Info'
+        $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/$appFilter/assign" -tenantid $TenantFilter -body $AssignBody
+        $Result = "Successfully assigned app $($appFilter) to $($AssignTo)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $($TenantFilter) -message $Result -Sev Info
+        $StatusCode = [HttpStatusCode]::OK
 
     } catch {
-        Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenantfilter) -message "Failed to assign app $($appFilter): $($_.Exception.Message)" -Sev 'Error'
-        $body = [pscustomobject]@{'Results' = "Failed to assign. $($_.Exception.Message)" }
+        $ErrorMessage = Get-CippException -Exception $_
+        $Result = "Failed to assign app $($appFilter) to $($AssignTo). Error: $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -Sev 'Error' -LogData $ErrorMessage
+        $StatusCode = [HttpStatusCode]::InternalServerError
     }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-            StatusCode = [HttpStatusCode]::OK
-            Body       = $body
+            StatusCode = $StatusCode
+            Body       = @{ Results = $Result }
         })
 
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-AddUser.ps1

@@ -38,15 +38,20 @@ Function Invoke-AddUser {
     } else {
         $CreationResults = New-CIPPUserTask -userobj $UserObj -APIName $APINAME -Headers $Request.Headers
         $body = [pscustomobject] @{
-            'Results'  = $CreationResults.Results
-            'Username' = $CreationResults.username
-            'Password' = $CreationResults.password
+            'Results'  = @(
+                $CreationResults.Results[0],
+                $CreationResults.Results[1],
+                @{
+                    'resultText' = $CreationResults.Results[2]
+                    'copyField' = $CreationResults.password
+                    'state' = 'success'
+                }
+            )
             'CopyFrom' = @{
                 'Success' = $CreationResults.CopyFrom.Success
                 'Error'   = $CreationResults.CopyFrom.Error
             }
         }
-
     }
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListUserMailboxDetails.ps1

@@ -178,9 +178,9 @@ function Invoke-ListUserMailboxDetails {
     }
 
     # Parse InPlaceHolds to determine hold types if avaliable
-    $InPlaceHold             = $false
-    $EDiscoveryHold          = $false
-    $PurviewRetentionHold    = $false
+    $InPlaceHold = $false
+    $EDiscoveryHold = $false
+    $PurviewRetentionHold = $false
     $ExcludedFromOrgWideHold = $false
 
     # Check if InPlaceHolds property exists and has values
@@ -192,10 +192,10 @@ function Invoke-ListUserMailboxDetails {
             }
             # In-Place Hold - no prefix or starts with cld
             # Check if it doesn't match any of the other known prefixes
-            elseif (($hold -like 'cld*' -or 
-                    ($hold -notlike 'UniH*' -and 
-                    $hold -notlike 'mbx*' -and 
-                    $hold -notlike 'skp*' -and 
+            elseif (($hold -like 'cld*' -or
+                    ($hold -notlike 'UniH*' -and
+                    $hold -notlike 'mbx*' -and
+                    $hold -notlike 'skp*' -and
                     $hold -notlike '-mbx*'))) {
                 $InPlaceHold = $true
             }
@@ -240,20 +240,28 @@ function Invoke-ListUserMailboxDetails {
         AutoExpandingArchive     = $AutoExpandingArchiveEnabled
         RecipientTypeDetails     = $MailboxDetailedRequest.RecipientTypeDetails
         Mailbox                  = $MailboxDetailedRequest
-        MailboxActionsData       = ($MailboxDetailedRequest | Select-Object id, ExchangeGuid, ArchiveGuid, WhenSoftDeleted, @{ Name = 'UPN'; Expression = { $_.'UserPrincipalName' } },
+        MailboxActionsData       = ($MailboxDetailedRequest | Select-Object id, ExchangeGuid, ArchiveGuid, WhenSoftDeleted,
+            @{ Name = 'UPN'; Expression = { $_.'UserPrincipalName' } },
             @{ Name = 'displayName'; Expression = { $_.'DisplayName' } },
             @{ Name = 'primarySmtpAddress'; Expression = { $_.'PrimarySMTPAddress' } },
             @{ Name = 'recipientType'; Expression = { $_.'RecipientType' } },
             @{ Name = 'recipientTypeDetails'; Expression = { $_.'RecipientTypeDetails' } },
             @{ Name = 'AdditionalEmailAddresses'; Expression = { ($_.'EmailAddresses' | Where-Object { $_ -clike 'smtp:*' }).Replace('smtp:', '') -join ', ' } },
-            @{Name = 'ForwardingSmtpAddress'; Expression = { $_.'ForwardingSmtpAddress' -replace 'smtp:', '' } },
-            @{Name = 'InternalForwardingAddress'; Expression = { $_.'ForwardingAddress' } },
+            @{ Name = 'ForwardingSmtpAddress'; Expression = { $_.'ForwardingSmtpAddress' -replace 'smtp:', '' } },
+            @{ Name = 'InternalForwardingAddress'; Expression = { $_.'ForwardingAddress' } },
             DeliverToMailboxAndForward,
             HiddenFromAddressListsEnabled,
             ExternalDirectoryObjectId,
             MessageCopyForSendOnBehalfEnabled,
-            MessageCopyForSentAsEnabled)
-    } # Select statement taken from ListMailboxes to save a EXO request
+            MessageCopyForSentAsEnabled,
+            LitigationHoldEnabled,
+            LitigationHoldDate,
+            LitigationHoldDuration,
+            @{ Name = 'LicensedForLitigationHold'; Expression = { ($_.PersistedCapabilities -contains 'BPOS_S_DlpAddOn' -or $_.PersistedCapabilities -contains 'BPOS_S_Enterprise') } },
+            ComplianceTagHoldApplied,
+            RetentionHoldEnabled,
+            InPlaceHolds)
+    } # Select statement taken from ListMailboxes to save a EXO request. If updated here, update in ListMailboxes as well.
 
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK

Modules/CIPPCore/Public/New-CIPPUserTask.ps1

@@ -13,7 +13,6 @@ function New-CIPPUserTask {
         $Results.Add('Created New User.')
         $Results.Add("Username: $($CreationResults.Username)")
         $Results.Add("Password: $($CreationResults.Password)")
-        $Results.Add("$($CreationResults.Password)")
     } catch {
         $Results.Add("Failed to create user. $($_.Exception.Message)" )
         return @{'Results' = $Results }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardStaleEntraDevices.ps1

@@ -7,8 +7,8 @@ function Invoke-CIPPStandardStaleEntraDevices {
     .SYNOPSIS
         (Label) Cleanup stale Entra devices
     .DESCRIPTION
-        (Helptext) Cleans up Entra devices that have not connected/signed in for the specified number of days.
-        (DocsDescription) Cleans up Entra devices that have not connected/signed in for the specified number of days. First disables and later deletes the devices. More info can be found in the [Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity/devices/manage-stale-devices)
+        (Helptext) Remediate is currently not available. Cleans up Entra devices that have not connected/signed in for the specified number of days.
+        (DocsDescription) Remediate is currently not available. Cleans up Entra devices that have not connected/signed in for the specified number of days. First disables and later deletes the devices. More info can be found in the [Microsoft documentation](https://learn.microsoft.com/en-us/entra/identity/devices/manage-stale-devices)
     .NOTES
         CAT
             Entra (AAD) Standards

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingRecordingExpiration.ps1

@@ -0,0 +1,81 @@
+function Invoke-CIPPStandardTeamsMeetingRecordingExpiration {
+    <#
+    .FUNCTIONALITY
+        Internal
+    .COMPONENT
+        (APIName) TeamsMeetingRecordingExpiration
+    .SYNOPSIS
+        (Label) Set Teams Meeting Recording Expiration
+    .DESCRIPTION
+        (Helptext) Sets the default number of days after which Teams meeting recordings automatically expire. Valid values are -1 (Never Expire) or between 1 and 99999. The default value is 120 days.
+        (DocsDescription) Allows administrators to configure a default expiration period (in days) for Teams meeting recordings. Recordings older than this period will be automatically moved to the recycle bin. This setting helps manage storage consumption and enforce data retention policies.
+    .NOTES
+        CAT
+            Teams Standards
+        TAG
+        ADDEDCOMPONENT
+            {"type":"number","name":"standards.TeamsMeetingRecordingExpiration.ExpirationDays","label":"Recording Expiration Days (e.g., 365)","required":true}
+        IMPACT
+            Medium Impact
+        ADDEDDATE
+            2025-04-17
+        POWERSHELLEQUIVALENT
+            Set-CsTeamsMeetingPolicy -Identity Global -MeetingRecordingExpirationDays \<days\>
+        RECOMMENDEDBY
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#medium-impact
+    #>
+    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsMeetingRecordingExpiration'
+
+    param($Tenant, $Settings)
+
+    # Input validation
+    $ExpirationDays = try { [int64]$Settings.ExpirationDays } catch { Write-Warning "Invalid ExpirationDays value provided: $($Settings.ExpirationDays)"; return }
+    if (($ExpirationDays -ne -1) -and ($ExpirationDays -lt 1 -or $ExpirationDays -gt 99999)) {
+        Write-LogMessage -API 'Standards' -tenant $Tenant -message "Invalid ExpirationDays value: $ExpirationDays. Must be -1 (Never Expire) or between 1 and 99999." -sev Error
+        return
+    }
+
+    $CurrentExpirationDays = (New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsMeetingPolicy' -CmdParams @{Identity = 'Global' }).NewMeetingRecordingExpirationDays
+    $StateIsCorrect = if ($CurrentExpirationDays -eq $ExpirationDays) { $true } else { $false }
+
+    if ($Settings.remediate -eq $true) {
+        Write-Host 'Time to remediate'
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Teams Meeting Recording Expiration Policy already set to $ExpirationDays days." -sev Info
+        } else {
+            $cmdParams = @{
+                Identity                          = 'Global'
+                NewMeetingRecordingExpirationDays = $ExpirationDays
+            }
+
+            try {
+                New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsMeetingPolicy' -CmdParams $cmdParams
+                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Successfully updated Teams Meeting Recording Expiration Policy to $ExpirationDays days." -sev Info
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams Meeting Recording Expiration Policy. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+            }
+        }
+    }
+
+    if ($Settings.alert -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Teams Meeting Recording Expiration Policy is set correctly ($($CurrentExpirationDays) days)." -sev Info
+        } else {
+            Write-StandardsAlert -message "Teams Meeting Recording Expiration Policy is not set correctly. Current: $CurrentExpirationDays days, Desired: $ExpirationDays days." -object $CurrentExpirationDays -tenant $Tenant -standardName 'TeamsMeetingRecordingExpiration' -standardId $Settings.standardId
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Teams Meeting Recording Expiration Policy is not set correctly (Current: $CurrentExpirationDays, Desired: $ExpirationDays)." -sev Info
+        }
+    }
+
+    if ($Settings.report -eq $true) {
+        Add-CIPPBPAField -FieldName 'TeamsMeetingRecordingExpiration' -FieldValue $CurrentExpirationDays -StoreAs string -Tenant $Tenant
+
+        $CurrentExpirationDays = [PSCustomObject]@{
+            ExpirationDays = [string]$CurrentExpirationDays
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.TeamsMeetingRecordingExpiration' -FieldValue $CurrentExpirationDays -Tenant $Tenant
+    }
+}

Tools/Update-StandardsComments.ps1

@@ -106,12 +106,10 @@ foreach ($Standard in $StandardsInfo) {
                             $NewComment.Add("           $(ConvertTo-Json -InputObject $Value -Depth 5 -Compress)`n")
                         }
                         continue
-                    }
-                    elseif ($Property.Value -is [System.Management.Automation.PSCustomObject]) {
+                    } elseif ($Property.Value -is [System.Management.Automation.PSCustomObject]) {
                         $NewComment.Add("           $(ConvertTo-Json -InputObject $Property.Value -Depth 5 -Compress)`n")
                         continue
-                    }
-                    else {
+                    } else {
                         if ($null -ne $Property.Value) {
                             $NewComment.Add("           $(EscapeMarkdown($Property.Value.ToString()))`n")
                         }