Merge pull request #658 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Add-CIPPDbItem.ps1

@@ -42,12 +42,7 @@ function Add-CIPPDbItem {
 
     try {
         $Table = Get-CippTable -tablename 'CippReportingDB'
-        #Get the existing type entries and nuke them. This ensures we don't have stale data.
-        $Filter = "PartitionKey eq '{0}' and RowKey ge '{1}-' and RowKey lt '{1}0'" -f $TenantFilter, $Type
-        $ExistingEntities = Get-CIPPAzDataTableEntity @Table -Filter $Filter
-        if ($ExistingEntities) {
-            Remove-AzDataTableEntity @Table -Entity $ExistingEntities -Force | Out-Null
-        }
+
 
         if ($Count) {
             $Entity = @{
@@ -59,6 +54,12 @@ function Add-CIPPDbItem {
             Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force | Out-Null
 
         } else {
+            #Get the existing type entries and nuke them. This ensures we don't have stale data.
+            $Filter = "PartitionKey eq '{0}' and RowKey ge '{1}-' and RowKey lt '{1}0'" -f $TenantFilter, $Type
+            $ExistingEntities = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+            if ($ExistingEntities) {
+                Remove-AzDataTableEntity @Table -Entity $ExistingEntities -Force | Out-Null
+            }
             $Entities = foreach ($Item in $Data) {
                 $ItemId = $Item.id ? $Item.id : $item.skuId
                 @{

Modules/CIPPCore/Public/Add-CippTestResult.ps1

@@ -47,7 +47,7 @@ function Add-CippTestResult {
         [Parameter(Mandatory = $true)]
         [string]$TestId,
 
-        [Parameter(Mandatory = $true)]
+        [Parameter(Mandatory = $false)]
         [string]$testType = 'identity',
 
         [Parameter(Mandatory = $true)]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertIntunePolicyConflicts.ps1

@@ -0,0 +1,144 @@
+function Get-CIPPAlertIntunePolicyConflicts {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    # Normalize JSON/string input to object when possible
+    if ($InputValue -is [string]) {
+        try {
+            if ($InputValue.Trim().StartsWith('{')) {
+                $InputValue = $InputValue | ConvertFrom-Json -ErrorAction Stop
+            }
+        } catch {
+            # Leave as-is if parsing fails
+        }
+    }
+
+    $Config = [ordered]@{
+        AlertEachIssue      = $false   # align with AlertEachAdmin convention (false = aggregated)
+        IncludePolicies     = $true
+        IncludeApplications = $true
+        AlertConflicts      = $true
+        AlertErrors         = $true
+    }
+
+    if ($InputValue -is [hashtable] -or $InputValue -is [pscustomobject]) {
+        # Primary key follows AlertEach* convention; legacy Aggregate supported (true == aggregated)
+        if ($null -ne $InputValue.AlertEachIssue) { $Config.AlertEachIssue = [bool]$InputValue.AlertEachIssue }
+        if ($null -ne $InputValue.Aggregate) { $Config.AlertEachIssue = -not [bool]$InputValue.Aggregate }
+
+        $Config.IncludePolicies = if ($null -ne $InputValue.IncludePolicies) { [bool]$InputValue.IncludePolicies } else { $Config.IncludePolicies }
+        $Config.IncludeApplications = if ($null -ne $InputValue.IncludeApplications) { [bool]$InputValue.IncludeApplications } else { $Config.IncludeApplications }
+        $Config.AlertConflicts = if ($null -ne $InputValue.AlertConflicts) { [bool]$InputValue.AlertConflicts } else { $Config.AlertConflicts }
+        $Config.AlertErrors = if ($null -ne $InputValue.AlertErrors) { [bool]$InputValue.AlertErrors } else { $Config.AlertErrors }
+    } elseif ($InputValue -is [bool]) {
+        # Back-compat for boolean toggle used as Aggregate previously
+        $Config.AlertEachIssue = -not [bool]$InputValue
+    }
+
+    if (-not $Config.IncludePolicies -and -not $Config.IncludeApplications) {
+        return
+    }
+
+    $AlertableStatuses = @()
+    if ($Config.AlertErrors) { $AlertableStatuses += 'error', 'failed' }
+    if ($Config.AlertConflicts) { $AlertableStatuses += 'conflict' }
+
+    if (-not $AlertableStatuses) {
+        return
+    }
+
+    $HasLicense = Test-CIPPStandardLicense -StandardName 'IntunePolicyStatus' -TenantFilter $TenantFilter -RequiredCapabilities @(
+        'INTUNE_A',
+        'MDM_Services',
+        'EMS',
+        'SCCM',
+        'MICROSOFTINTUNEPLAN1'
+    )
+
+    if (-not $HasLicense) {
+        return
+    }
+
+    $Issues = @()
+
+    if ($Config.IncludePolicies) {
+        try {
+            $ManagedDevices = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$select=id,deviceName,userPrincipalName&`$expand=deviceConfigurationStates(`$select=displayName,state,settingStates)" -tenantid $TenantFilter
+
+            foreach ($Device in $ManagedDevices) {
+                $PolicyStates = $Device.deviceConfigurationStates | Where-Object { $_.state -and ($AlertableStatuses -contains $_.state) }
+                foreach ($State in $PolicyStates) {
+                    $Issues += [PSCustomObject]@{
+                        Message           = "Policy '$($State.displayName)' is $($State.state) on device '$($Device.deviceName)' for $($Device.userPrincipalName)."
+                        Tenant            = $TenantFilter
+                        Type              = 'Policy'
+                        PolicyName        = $State.displayName
+                        IssueStatus       = $State.state
+                        DeviceName        = $Device.deviceName
+                        UserPrincipalName = $Device.userPrincipalName
+                        DeviceId          = $Device.id
+                    }
+                }
+            }
+        } catch {
+            Write-AlertMessage -tenant $TenantFilter -message "Failed to query Intune policy states: $(Get-NormalizedError -message $_.Exception.Message)"
+        }
+    }
+
+    if ($Config.IncludeApplications) {
+        try {
+            $Applications = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?`$select=id,displayName&`$expand=deviceStatuses(`$select=installState,deviceName,userPrincipalName,deviceId)" -tenantid $TenantFilter
+
+            foreach ($App in $Applications) {
+                $BadStatuses = $App.deviceStatuses | Where-Object {
+                    $_.installState -and ($AlertableStatuses -contains $_.installState.ToLowerInvariant())
+                }
+
+                foreach ($Status in $BadStatuses) {
+                    $Issues += [PSCustomObject]@{
+                        Message           = "App '$($App.displayName)' install is $($Status.installState) on device '$($Status.deviceName)' for $($Status.userPrincipalName)."
+                        Tenant            = $TenantFilter
+                        Type              = 'Application'
+                        AppName           = $App.displayName
+                        IssueStatus       = $Status.installState
+                        DeviceName        = $Status.deviceName
+                        UserPrincipalName = $Status.userPrincipalName
+                        DeviceId          = $Status.deviceId
+                    }
+                }
+            }
+        } catch {
+            Write-AlertMessage -tenant $TenantFilter -message "Failed to query Intune application states: $(Get-NormalizedError -message $_.Exception.Message)"
+        }
+    }
+
+    if (-not $Issues) {
+        return
+    }
+
+    if (-not $Config.AlertEachIssue) {
+        $PolicyCount = ($Issues | Where-Object { $_.Type -eq 'Policy' }).Count
+        $AppCount = ($Issues | Where-Object { $_.Type -eq 'Application' }).Count
+
+        $AlertData = @([PSCustomObject]@{
+                Message        = "Found $PolicyCount policy issues and $AppCount application issues in Intune."
+                Tenant         = $TenantFilter
+                PolicyIssues   = $PolicyCount
+                AppIssues      = $AppCount
+                Issues         = $Issues
+            })
+    } else {
+        $AlertData = $Issues
+    }
+
+    Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOnedriveQuota.ps1

@@ -33,15 +33,13 @@ function Get-CIPPAlertOneDriveQuota {
         if ($UsagePercent -gt $InputValue) {
             $GBLeft = [math]::Round(($_.storageAllocatedInBytes - $_.storageUsedInBytes) / 1GB)
             [PSCustomObject]@{
-                Details = @{
-                    Message                 = "$($_.ownerPrincipalName): OneDrive is $UsagePercent% full. OneDrive has $($GBLeft)GB storage left"
-                    Owner                   = $_.ownerPrincipalName
-                    UsagePercent            = $UsagePercent
-                    GBLeft                  = $GBLeft
-                    StorageUsedInBytes      = $_.storageUsedInBytes
-                    StorageAllocatedInBytes = $_.storageAllocatedInBytes
-                    Tenant                  = $TenantFilter
-                }
+                Message                 = "$($_.ownerPrincipalName): OneDrive is $UsagePercent% full. OneDrive has $($GBLeft)GB storage left"
+                Owner                   = $_.ownerPrincipalName
+                UsagePercent            = $UsagePercent
+                GBLeft                  = $GBLeft
+                StorageUsedInBytes      = $_.storageUsedInBytes
+                StorageAllocatedInBytes = $_.storageAllocatedInBytes
+                Tenant                  = $TenantFilter
             }
         }
 

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Invoke-ListTests.ps1

@@ -93,6 +93,23 @@ function Invoke-ListTests {
         $IdentityResults = $TestResultsData.TestResults | Where-Object { $_.TestType -eq 'Identity' }
         $DeviceResults = $TestResultsData.TestResults | Where-Object { $_.TestType -eq 'Devices' }
 
+        # Add descriptions from markdown files to each test result
+        foreach ($TestResult in $TestResultsData.TestResults) {
+            $MdFile = Get-ChildItem -Path 'Modules\CIPPCore\Public\Tests' -Filter "*$($TestResult.RowKey).md" -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
+            if ($MdFile) {
+                try {
+                    $MdContent = Get-Content $MdFile.FullName -Raw -ErrorAction SilentlyContinue
+                    if ($MdContent) {
+                        $Description = ($MdContent -split '<!--- Results --->')[0].Trim()
+                        $Description = ($Description -split '%TestResult%')[0].Trim()
+                        $TestResult | Add-Member -NotePropertyName 'Description' -NotePropertyValue $Description -Force
+                    }
+                } catch {
+                    #Test
+                }
+            }
+        }
+
         $TestCounts = @{
             Identity = @{
                 Passed      = @($IdentityResults | Where-Object { $_.Status -eq 'Passed' }).Count
@@ -114,11 +131,11 @@ function Invoke-ListTests {
 
         $SecureScoreData = New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'SecureScore'
         if ($SecureScoreData) {
-            $TestResultsData | Add-Member -NotePropertyName 'SecureScore' -NotePropertyValue $SecureScoreData -Force
+            $TestResultsData | Add-Member -NotePropertyName 'SecureScore' -NotePropertyValue @($SecureScoreData) -Force
         }
         $MFAStateData = New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'MFAState'
         if ($MFAStateData) {
-            $TestResultsData | Add-Member -NotePropertyName 'MFAState' -NotePropertyValue $MFAStateData -Force
+            $TestResultsData | Add-Member -NotePropertyName 'MFAState' -NotePropertyValue @($MFAStateData) -Force
         }
 
         $LicenseData = New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'LicenseOverview'

Modules/CIPPCore/Public/Functions/Get-CIPPTenantAlignment.ps1

@@ -125,13 +125,14 @@ function Get-CIPPTenantAlignment {
                         $TenantValues.Add($filterItem.value)
                     }
                 }
-
-                if ($TenantValues -contains 'AllTenants') {
+`
+                    if ($TenantValues -contains 'AllTenants') {
                     $AppliestoAllTenants = $true
                 } elseif ($TenantValues.Count -gt 0) {
                     $TemplateAssignedTenants = @($TenantValues)
                 } else {
-                    $TemplateAssignedTenants = @()
+                    # Filter was specified but resolved to no tenants (empty group) - skip this template
+                    continue
                 }
             } else {
                 $AppliestoAllTenants = $true

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24518.md

@@ -0,0 +1,9 @@
+Without owners, enterprise applications become orphaned assets that threat actors can exploit through credential harvesting and privilege escalation techniques, as these applications often retain elevated permissions and access to sensitive resources while lacking proper oversight and security governance. The elevation of privilege to owners can raise a security concern in some cases depending on the application's permissions, but more critically, applications without owner create a blind spot in security monitoring where threat actors can establish persistence by leveraging existing application permissions to access data or create backdoor accounts without triggering ownership-based detection mechanisms. When applications lack owners, security teams cannot effectively conduct application lifecycle management, leaving applications with potentially excessive permissions, outdated configurations, or compromised credentials that threat actors can discover through enumeration techniques and exploit to move laterally within the environment. The absence of ownership also prevents proper access reviews and permission audits, allowing threat actors to maintain long-term access through applications that should have been decommissioned or had their permissions reduced, ultimately providing persistent access vectors that can be leveraged for data exfiltration or further compromise of the environment.
+
+
+**Remediation action**
+
+- [Assign owners to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-app-owners?pivots=portal)
+
+<!--- Results --->
+%TestResult%

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24540.md

@@ -0,0 +1,18 @@
+If policies for Windows Firewall aren't configured and assigned, threat actors can exploit unprotected endpoints to gain unauthorized access, move laterally, and escalate privileges within the environment. Without enforced firewall rules, attackers can bypass network segmentation, exfiltrate data, or deploy malware, increasing the risk of widespread compromise.
+
+Enforcing Windows Firewall policies ensures consistent application of inbound and outbound traffic controls, reducing exposure to unauthorized access and supporting Zero Trust through network segmentation and device-level protection.
+
+**Remediation action**
+
+Configure and assign firewall policies for Windows in Intune to block unauthorized traffic and enforce consistent network protections across all managed devices:
+
+- [Configure firewall policies for Windows devices](https://learn.microsoft.com/intune/intune-service/protect/endpoint-security-firewall-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci). Intune uses two complementary profiles to manage firewall settings:
+  - **Windows Firewall** - Use this profile to configure overall firewall behavior based on network type.
+  - **Windows Firewall rules** - Use this profile to define traffic rules for apps, ports, or IPs, tailored to specific groups or workloads. This Intune profile also supports use of [reusable settings groups](https://learn.microsoft.com/intune/intune-service/protect/endpoint-security-firewall-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#add-reusable-settings-groups-to-profiles-for-firewall-rules) to help simplify management of common settings you use for different profile instances.
+- [Assign policies in Intune](https://learn.microsoft.com/intune/intune-service/configuration/device-profile-assign?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#assign-a-policy-to-users-or-groups)
+
+For more information, see:  
+- [Available Windows Firewall settings](https://learn.microsoft.com/intune/intune-service/protect/endpoint-security-firewall-profile-settings?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#windows-firewall-profile)
+<!--- Results --->
+%TestResult%
+

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24541.md

@@ -0,0 +1,11 @@
+If compliance policies for Windows devices aren't configured and assigned, threat actors can exploit unmanaged or noncompliant endpoints to gain unauthorized access to corporate resources, bypass security controls, and persist within the environment. Without enforced compliance, devices can lack critical security configurations like BitLocker encryption, password requirements, firewall settings, and OS version controls. These gaps increase the risk of data leakage, privilege escalation, and lateral movement. Inconsistent device compliance weakens the organization’s security posture and makes it harder to detect and remediate threats before significant damage occurs.
+
+Enforcing compliance policies ensures Windows devices meet core security requirements and supports Zero Trust by validating device health and reducing exposure to misconfigured endpoints.
+
+**Remediation action**
+
+Create and assign Intune compliance policies to Windows devices to enforce organizational standards for secure access and management:
+- [Create and assign Intune compliance policies](https://learn.microsoft.com/intune/intune-service/protect/create-compliance-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#create-the-policy)
+- [Review the Windows compliance settings you can manage with Intune](https://learn.microsoft.com/intune/intune-service/protect/compliance-policy-create-windows?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)<!--- Results --->
+%TestResult%
+

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24542.md

@@ -0,0 +1,12 @@
+If compliance policies for macOS devices aren't configured and assigned, threat actors can exploit unmanaged or noncompliant endpoints to gain unauthorized access to corporate resources, bypass security controls, and persist within the environment. Without enforced compliance, macOS devices can lack critical security configurations like data storage encryption, password requirements, and OS version controls. These gaps increase the risk of data leakage, privilege escalation, and lateral movement. Inconsistent device compliance weakens the organization’s security posture and makes it harder to detect and remediate threats before significant damage occurs.
+
+Enforcing compliance policies ensures macOS devices meet core security requirements and supports Zero Trust by validating device health and reducing exposure to misconfigured endpoints.
+
+**Remediation actions**
+
+Create and assign Intune compliance policies to macOS devices to enforce organizational standards for secure access and management:  
+- [Create and assign Intune compliance policies](https://learn.microsoft.com/intune/intune-service/protect/create-compliance-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#create-the-policy)
+- [Review the macOS compliance settings you can manage with Intune](https://learn.microsoft.com/intune/intune-service/protect/compliance-policy-create-mac-os?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)
+<!--- Results --->
+%TestResult%
+