Merge branch 'KelvinTegelaar:master' into master

Author: lacymooretx

.github/workflows/dev_cippy6oom.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippy6oom
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+    
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+      
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippy6oom'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B9C635E19DF6459F8995BA602EFA638A }}

Config/49a8069e-3b46-4680-a035-9250bc675446.CATemplate.json

@@ -37,5 +37,5 @@
       "excludeApplications": []
     }
   },
-  "displayName": "Enforce Multi factor authentication for each application"
+  "displayName": "CIPP: Enforce Multi factor authentication for each application"
 }

Config/4d9206b0-4f96-41e6-86a5-f78cdcff5069.IntuneTemplate.json

@@ -1,5 +1,5 @@
 {
-  "Displayname": "CIPP Default: Set screen lock time to 5 minutes",
+  "Displayname": "CIPP: Set screen lock time to 5 minutes",
   "Description": "Sets the screen to lock after 5 minutes of inactivity.",
   "RAWJson": "{\"name\":\"Set Screen Lockout to 5 minutes\",\"description\":\"\",\"platforms\":\"windows10\",\"technologies\":\"mdm\",\"roleScopeTagIds\":[\"0\"],\"settings\":[{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationSetting\",\"settingInstance\":{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance\",\"settingDefinitionId\":\"device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_machineinactivitylimit_v2\",\"simpleSettingValue\":{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue\",\"value\":300}}}]}",
   "Type": "Catalog",

Config/59bd753c-4204-4b3a-b84b-850d4b69f494.IntuneTemplate.json

@@ -1,5 +1,5 @@
 {
-  "Displayname": "LAPS",
+  "Displayname": "CIPP: LAPS",
   "Description": "",
   "RAWJson": "{\r\n  \"name\": \"LAPS\",\r\n  \"description\": \"\",\r\n  \"settings\": [\r\n    {\r\n      \"id\": \"0\",\r\n      \"settingInstance\": {\r\n        \"@odata.type\": \"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance\",\r\n        \"settingDefinitionId\": \"device_vendor_msft_laps_policies_backupdirectory\",\r\n        \"settingInstanceTemplateReference\": {\r\n          \"settingInstanceTemplateId\": \"a3270f64-e493-499d-8900-90290f61ed8a\"\r\n        },\r\n        \"choiceSettingValue\": {\r\n          \"value\": \"device_vendor_msft_laps_policies_backupdirectory_1\",\r\n          \"settingValueTemplateReference\": {\r\n            \"settingValueTemplateId\": \"4d90f03d-e14c-43c4-86da-681da96a2f92\",\r\n            \"useTemplateDefault\": false\r\n          },\r\n          \"children\": [\r\n            {\r\n              \"@odata.type\": \"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance\",\r\n              \"settingDefinitionId\": \"device_vendor_msft_laps_policies_passwordagedays_aad\",\r\n              \"settingInstanceTemplateReference\": null,\r\n              \"simpleSettingValue\": {\r\n                \"@odata.type\": \"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue\",\r\n                \"settingValueTemplateReference\": null,\r\n                \"value\": 30\r\n              }\r\n            }\r\n          ]\r\n        }\r\n      }\r\n    },\r\n    {\r\n      \"id\": \"1\",\r\n      \"settingInstance\": {\r\n        \"@odata.type\": \"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance\",\r\n        \"settingDefinitionId\": \"device_vendor_msft_laps_policies_passwordcomplexity\",\r\n        \"settingInstanceTemplateReference\": {\r\n          \"settingInstanceTemplateId\": \"8a7459e8-1d1c-458a-8906-7b27d216de52\"\r\n        },\r\n        \"choiceSettingValue\": {\r\n          \"value\": \"device_vendor_msft_laps_policies_passwordcomplexity_4\",\r\n          \"settingValueTemplateReference\": {\r\n            \"settingValueTemplateId\": \"aa883ab5-625e-4e3b-b830-a37a4bb8ce01\",\r\n            \"useTemplateDefault\": false\r\n          },\r\n          \"children\": []\r\n        }\r\n      }\r\n    }\r\n  ],\r\n  \"platforms\": \"windows10\",\r\n  \"technologies\": \"mdm\",\r\n  \"templateReference\": {\r\n    \"templateId\": \"adc46e5a-f4aa-4ff6-aeff-4f27bc525796_1\",\r\n    \"templateFamily\": \"endpointSecurityAccountProtection\",\r\n    \"templateDisplayName\": \"Local admin password solution (Windows LAPS)\",\r\n    \"templateDisplayVersion\": \"Version 1\"\r\n  }\r\n}",
   "Type": "Catalog",

Config/7b41924e-3051-4a23-b0d0-8cdeadc2c05a.IntuneTemplate.json

@@ -1,5 +1,5 @@
 {
-  "Displayname": "CIPP Default: Enable Onedrive Silent Logon and Known Folder Move",
+  "Displayname": "CIPP: Enable Onedrive Silent Logon and Known Folder Move",
   "Description": "This policy enables Onedrive Silent Logon and Known Folder move",
   "RAWJson": "{\n\"added\":[\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('9a4db949-29e4-4e31-a129-bf2b88d8fa1b')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[\n{\n\"@odata.type\":\"#microsoft.graph.groupPolicyPresentationValueText\",\n\"value\":\"%tenantid%\",\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')/presentations('fbefbbdf-5382-477c-8b6c-71f4a06e2805')\"\n},\n{\n\"@odata.type\":\"#microsoft.graph.groupPolicyPresentationValueText\",\n\"value\":\"0\",\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')/presentations('35c82072-a93b-4022-be14-8684c2f6fcc2')\"\n}\n],\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('39147fa2-6c5e-437b-8264-19b50b891709')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('81c07ba0-7512-402d-b1f6-00856975cfab')\"\n},\n{\n\"enabled\":true,\n\"presentationValues\":[],\n\"[email protected]\":\"https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('61b07a01-7e60-4127-b086-f6b32458a5c5')\"\n},\n],\n\"updated\":[],\n\"deletedIds\":[]\n}",
   "Type": "Admin",

Config/7e06b0de-0469-4aae-89be-d83c44b5799f.IntuneTemplate.json

@@ -1,5 +1,5 @@
 {
-  "Displayname": "CIPP Default: Enable Bitlocker Encryption for OS drives",
+  "Displayname": "CIPP: Enable Bitlocker Encryption for OS drives",
   "Description": "Enables Bitlocker and stores the key in Azure AD for system Drives",
   "RAWJson": "{\"id\":\"00000000-0000-0000-0000-000000000000\",\"displayName\":\"CIPP: Enable Bitlocker Encryption\",\"roleScopeTagIds\":[\"0\"],\"@odata.type\":\"#microsoft.graph.windows10EndpointProtectionConfiguration\",\"applicationGuardEnabledOptions\":\"notConfigured\",\"firewallCertificateRevocationListCheckMethod\":\"deviceDefault\",\"firewallPacketQueueingMethod\":\"deviceDefault\",\"deviceGuardLocalSystemAuthorityCredentialGuardSettings\":\"notConfigured\",\"defenderSecurityCenterNotificationsFromApp\":\"notConfigured\",\"windowsDefenderTamperProtection\":\"notConfigured\",\"defenderSecurityCenterITContactDisplay\":\"notConfigured\",\"xboxServicesAccessoryManagementServiceStartupMode\":\"manual\",\"xboxServicesLiveAuthManagerServiceStartupMode\":\"manual\",\"xboxServicesLiveGameSaveServiceStartupMode\":\"manual\",\"xboxServicesLiveNetworkingServiceStartupMode\":\"manual\",\"applicationGuardBlockClipboardSharing\":\"notConfigured\",\"defenderPreventCredentialStealingType\":\"notConfigured\",\"defenderAdobeReaderLaunchChildProcess\":\"notConfigured\",\"defenderOfficeCommunicationAppsLaunchChildProcess\":\"notConfigured\",\"defenderAdvancedRansomewareProtectionType\":\"notConfigured\",\"defenderNetworkProtectionType\":\"notConfigured\",\"localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser\":\"notConfigured\",\"localSecurityOptionsSmartCardRemovalBehavior\":\"lockWorkstation\",\"localSecurityOptionsInformationDisplayedOnLockScreen\":\"notConfigured\",\"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients\":\"none\",\"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers\":\"none\",\"lanManagerAuthenticationLevel\":\"lmAndNltm\",\"localSecurityOptionsAdministratorElevationPromptBehavior\":\"notConfigured\",\"localSecurityOptionsStandardUserElevationPromptBehavior\":\"notConfigured\",\"userRightsAccessCredentialManagerAsTrustedCaller\":null,\"userRightsLocalLogOn\":null,\"userRightsAllowAccessFromNetwork\":null,\"userRightsActAsPartOfTheOperatingSystem\":null,\"userRightsBackupData\":null,\"userRightsChangeSystemTime\":null,\"userRightsCreateGlobalObjects\":null,\"userRightsCreatePageFile\":null,\"userRightsCreatePermanentSharedObjects\":null,\"userRightsCreateSymbolicLinks\":null,\"userRightsCreateToken\":null,\"userRightsDebugPrograms\":null,\"userRightsBlockAccessFromNetwork\":null,\"userRightsDenyLocalLogOn\":null,\"userRightsRemoteDesktopServicesLogOn\":null,\"userRightsDelegation\":null,\"userRightsGenerateSecurityAudits\":null,\"userRightsImpersonateClient\":null,\"userRightsIncreaseSchedulingPriority\":null,\"userRightsLoadUnloadDrivers\":null,\"userRightsLockMemory\":null,\"userRightsManageAuditingAndSecurityLogs\":null,\"userRightsManageVolumes\":null,\"userRightsModifyFirmwareEnvironment\":null,\"userRightsModifyObjectLabels\":null,\"userRightsProfileSingleProcess\":null,\"userRightsRemoteShutdown\":null,\"userRightsRestoreData\":null,\"userRightsTakeOwnership\":null,\"bitLockerRecoveryPasswordRotation\":\"notConfigured\",\"bitLockerPrebootRecoveryMsgURLOption\":\"default\",\"bitLockerEncryptDevice\":true,\"bitLockerDisableWarningForOtherDiskEncryption\":true,\"bitLockerAllowStandardUserEncryption\":true,\"bitLockerSyntheticSystemDrivePolicybitLockerDriveRecovery\":true,\"applicationGuardAllowPrintToPDF\":false,\"applicationGuardAllowPrintToXPS\":false,\"applicationGuardAllowPrintToLocalPrinters\":false,\"applicationGuardAllowPrintToNetworkPrinters\":false,\"bitLockerFixedDrivePolicy\":{\"requireEncryptionForWriteAccess\":false,\"recoveryOptions\":null,\"encryptionMethod\":null},\"bitLockerRemovableDrivePolicy\":{\"requireEncryptionForWriteAccess\":false,\"encryptionMethod\":null},\"bitLockerSystemDrivePolicy\":{\"startupAuthenticationRequired\":true,\"startupAuthenticationTpmUsage\":\"allowed\",\"startupAuthenticationTpmPinUsage\":\"allowed\",\"startupAuthenticationTpmKeyUsage\":\"allowed\",\"startupAuthenticationTpmPinAndKeyUsage\":\"allowed\",\"startupAuthenticationBlockWithoutTpmChip\":false,\"minimumPinLength\":null,\"recoveryOptions\":{\"blockDataRecoveryAgent\":false,\"recoveryPasswordUsage\":\"allowed\",\"recoveryKeyUsage\":\"allowed\",\"enableRecoveryInformationSaveToStore\":true,\"recoveryInformationToStore\":\"passwordAndKey\",\"enableBitLockerAfterRecoveryInformationToStore\":true},\"prebootRecoveryEnableMessageAndUrl\":false,\"encryptionMethod\":null},\"firewallProfileDomain\":null,\"firewallProfilePrivate\":null,\"firewallProfilePublic\":null,\"deviceGuardEnableVirtualizationBasedSecurity\":false,\"deviceGuardEnableSecureBootWithDMA\":false}",
   "Type": "Device",

Config/b79d0123-3105-4c5d-9f15-62cc7a7eb7e1.IntuneTemplate.json

@@ -1,5 +1,5 @@
 {
-  "Displayname": "CIPP Default: Automatic Configuration of Outlook",
+  "Displayname": "CIPP: Automatic Configuration of Outlook",
   "Description": "Configures the first profile on a device to always use the e-mail address of the currently logged on user.",
   "RAWJson": "{\"name\":\"Automatic configuration of Outlook\",\"description\":\"\",\"platforms\":\"windows10\",\"technologies\":\"mdm\",\"roleScopeTagIds\":[\"0\"],\"settings\":[{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationSetting\",\"settingInstance\":{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance\",\"settingDefinitionId\":\"user_vendor_msft_policy_config_outlk16v2~policy~l_microsoftofficeoutlook~l_toolsaccounts~l_exchangesettings_l_automaticallyconfigureprofilebasedonactiveonce\",\"choiceSettingValue\":{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue\",\"value\":\"user_vendor_msft_policy_config_outlk16v2~policy~l_microsoftofficeoutlook~l_toolsaccounts~l_exchangesettings_l_automaticallyconfigureprofilebasedonactiveonce_1\",\"children\":[]}}}]}",
   "Type": "Catalog",

Config/cba836bb-33b7-4c50-88be-ee80f74cbeac.CATemplate.json

@@ -32,5 +32,5 @@
     "times": null,
     "clientApplications": null
   },
-  "displayName": "Enforce Multi-factor authentication for Static Web Apps"
+  "displayName": "CIPP: Enforce Multi-factor authentication for Static Web Apps"
 }

Config/f8be7e58-2419-40a8-a739-714bf5deff90.CATemplate.json

@@ -26,11 +26,11 @@
     "platforms": null,
     "clientApplications": null,
     "applications": {
-      "includeApplications": ["None"],
+      "includeApplications": ["All"],
       "includeUserActions": [],
       "includeAuthenticationContextClassReferences": [],
       "excludeApplications": []
     }
   },
-  "displayName": "Block Legacy Authentication"
+  "displayName": "CIPP: Block Legacy Authentication"
 }

Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1

@@ -18,6 +18,14 @@ Function Invoke-AddStandardsDeploy {
         $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
         $Settings = ($request.body | Select-Object -Property *, v2* -ExcludeProperty Select_*, None )
         $Settings | Add-Member -NotePropertyName 'v2.1' -NotePropertyValue $true -Force
+        if ($Settings.phishProtection.remediate) {
+            $URL = $request.headers.'x-ms-original-url'.split('/api') | Select-Object -First 1
+            write-host $URL
+            $Settings.phishProtection = [pscustomobject]@{
+                remediate = $true
+                URL       = $URL
+            }
+        }
         foreach ($Tenant in $tenants) {
 
             $object = [PSCustomObject]@{
@@ -37,8 +45,7 @@ Function Invoke-AddStandardsDeploy {
             Write-LogMessage -user $request.headers.'x-ms-client-principal' -tenant $tenant -API 'Standards' -message 'Successfully added standards deployment' -Sev 'Info'
         }
         $body = [pscustomobject]@{'Results' = 'Successfully added standards deployment' }
-    }
-    catch {
+    } catch {
         Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -message "Standards API failed. Error:$($_.Exception.Message)" -Sev 'Error'
         $body = [pscustomobject]@{'Results' = "Failed to add standard: $($_.Exception.Message)" }
     }