add mfa service policy check

JohnDuprey · JohnDuprey · commit cde0cd3fc91d · 2025-03-21T10:52:55.000-04:00
diff --git a/Modules/CIPPCore/Public/Test-CIPPAccessPermissions.ps1 b/Modules/CIPPCore/Public/Test-CIPPAccessPermissions.ps1
@@ -138,7 +138,7 @@ function Test-CIPPAccessPermissions {
         $CPVRefreshList = [System.Collections.Generic.List[object]]::new()
         $CPVSuccess = $true
         foreach ($Tenant in $TenantList) {
-            $LastRefresh = ($CpvRefresh | Where-Object { $_.RowKey -EQ $Tenant.customerId }).Timestamp.DateTime
+            $LastRefresh = ($CpvRefresh | Where-Object { $_.RowKey -eq $Tenant.customerId }).Timestamp.DateTime
             if ($LastRefresh -lt $LastUpdate) {
                 $CPVSuccess = $false
                 $CPVRefreshList.Add([PSCustomObject]@{
@@ -157,6 +157,19 @@ function Test-CIPPAccessPermissions {
         $ErrorMessage = Get-CippException -Exception $_
         Write-LogMessage -Headers $User -API $APINAME -message "Permissions check failed: $($ErrorMessage.NormalizedError) " -Sev 'Error' -LogData $ErrorMessage
         $ErrorMessages.Add("We could not connect to the API to retrieve the permissions. There might be a problem with the secure application model configuration. The returned error is: $($ErrorMessage.NormalizedError)") | Out-Null
+
+        try {
+            $MFAServicePolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/mfaServicePolicy' -tenantid $env:TenantID -AsApp $true -NoAuthCheck $true
+            if ($MFAServicePolicy.rememberMfaOnTrustedDevice.isEnabled -eq $true -and $MFAServicePolicy.rememberMfaOnTrustedDevice.allowedNumberOfDays -gt 0) {
+                $ErrorMessages.Add("MFA Service Policy has a session lifetime of $($MFAServicePolicy.rememberMfaOnTrustedDevice.allowedNumberOfDays) days. This may cause athentication issues for your service account.") | Out-Null
+                $Links.Add([PSCustomObject]@{
+                        Text = 'Troubleshooting'
+                        Href = 'https://docs.cipp.app/troubleshooting/troubleshooting#multi-factor-authentication-troubleshooting'
+                    }
+                ) | Out-Null
+            }
+        } catch {}
+
         $Success = $false
     }
 
