Merge pull request #495 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertEntraConnectSyncStatus.ps1

@@ -20,10 +20,18 @@ function Get-CIPPAlertEntraConnectSyncStatus {
             $LastPasswordSync = $ConnectSyncStatus.onPremisesLastPasswordSyncDateTime
             $SyncDateTime = $ConnectSyncStatus.onPremisesLastSyncDateTime
             # Get the older of the two sync times
-            $LastSync = if ($SyncDateTime -lt $LastPasswordSync) { $SyncDateTime } else { $LastPasswordSync }
+            $LastSync = if ($SyncDateTime -lt $LastPasswordSync) { $SyncDateTime; $Cause = 'DirectorySync' } else { $LastPasswordSync; $Cause = 'PasswordSync' }
 
             if ($LastSync -lt (Get-Date).AddHours(-$Hours).ToUniversalTime()) {
-                $AlertData = "Entra Connect Sync for $($TenantFilter) has not run for over $Hours hours. Last sync was at $($LastSync.ToString('o'))"
+
+                $AlertData = @{
+                    Message           = "Entra Connect $Cause for $($TenantFilter) has not run for over $Hours hours. Last sync was at $($LastSync.ToString('o'))"
+                    LastSync          = $LastSync
+                    Cause             = $Cause
+                    LastPasswordSync  = $LastPasswordSync
+                    LastDirectorySync = $SyncDateTime
+                    Tenant            = $TenantFilter
+                }
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
             }
         }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListUserSettings.ps1

@@ -20,6 +20,9 @@ function Invoke-ListUserSettings {
             $UserSettings = $UserSettings.JSON | ConvertFrom-Json -Depth 10 -ErrorAction SilentlyContinue
         } catch {
             Write-Warning "Failed to convert UserSettings JSON: $($_.Exception.Message)"
+        }
+
+        if (!$UserSettings) {
             $UserSettings = [pscustomobject]@{
                 direction      = 'ltr'
                 paletteMode    = 'light'
@@ -36,8 +39,7 @@ function Invoke-ListUserSettings {
         try {
             $UserSpecificSettings = Get-CIPPAzDataTableEntity @Table -Filter "PartitionKey eq 'UserSettings' and RowKey eq '$Username'"
             $UserSpecificSettings = $UserSpecificSettings.JSON | ConvertFrom-Json -Depth 10 -ErrorAction SilentlyContinue
-        }
-        catch {
+        } catch {
             Write-Warning "Failed to convert UserSpecificSettings JSON: $($_.Exception.Message)"
         }
 

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/GDAP/Invoke-ExecGDAPInvite.ps1

@@ -94,10 +94,9 @@ function Invoke-ExecGDAPInvite {
                             'OnboardingUrl' = $OnboardingUrl
                             'RoleMappings'  = [string](@($RoleMappings) | ConvertTo-Json -Depth 10 -Compress)
                             'Technician'    = [string]$Technician
+                            'Reference'     = if ($Reference) { [string]$Reference } else { $null }
                         }
 
-                        if ($Reference) { $InviteEntity['Reference'] = [string]$Reference }
-
                         Add-CIPPAzDataTableEntity @Table -Entity $InviteEntity
 
                         $Message = 'GDAP relationship invite created. Log in as a Global Admin in the new tenant to approve the invite.'
@@ -133,10 +132,9 @@ function Invoke-ExecGDAPInvite {
                     'PartitionKey' = 'invite'
                     'RowKey'       = $InviteId
                     'Technician'   = $Technician
+                    'Reference'    = if ($Reference) { $Reference } else { $null }
                 }
 
-                if ($Reference) { $InviteEntity['Reference'] = $Reference }
-
                 Add-CIPPAzDataTableEntity @Table -Entity $InviteEntity -OperationType 'UpsertMerge'
                 $Message = 'Invite updated'
             } else {

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBitLockerKeysForOwnedDevice.ps1

@@ -0,0 +1,101 @@
+function Invoke-CIPPStandardBitLockerKeysForOwnedDevice {
+    <#
+    .FUNCTIONALITY
+        Internal
+    .COMPONENT
+        (APIName) BitLockerKeysForOwnedDevice
+    .SYNOPSIS
+        (Label) Restrict users from recovering BitLocker keys for owned devices
+    .DESCRIPTION
+    (Helptext) Controls whether standard users can recover BitLocker keys for devices they own via Microsoft 365 portals.
+    (DocsDescription) Updates the default user role setting that governs access to BitLocker recovery keys for owned devices. This allows administrators to either permit self-service recovery or require helpdesk involvement through Microsoft Entra authorization policies.
+    .NOTES
+        CAT
+            Entra (AAD) Standards
+        TAG
+            "NIST CSF 2.0 (PR.AA-05)"
+        EXECUTIVETEXT
+            Ensures administrators retain control over BitLocker recovery secrets when required, while still allowing flexibility to enable self-service recovery when business needs demand it.
+        ADDEDCOMPONENT
+            {"type":"autoComplete","multiple":false,"creatable":false,"label":"Select state","name":"standards.BitLockerKeysForOwnedDevice.state","options":[{"label":"Restrict","value":"restrict"},{"label":"Allow","value":"allow"}]}
+        IMPACT
+            Medium Impact
+        ADDEDDATE
+            2025-10-12
+        POWERSHELLEQUIVALENT
+            Update-MgBetaPolicyAuthorizationPolicy
+        RECOMMENDEDBY
+            "CIPP"
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/list-standards
+    #>
+
+    param($Tenant, $Settings)
+    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'BitLockerKeysForOwnedDevice'
+
+    $StateValue = $Settings.state.value ?? $Settings.state
+    if ([string]::IsNullOrWhiteSpace($StateValue)) {
+        Write-LogMessage -API 'Standards' -tenant $tenant -message 'BitLockerKeysForOwnedDevice: Invalid state parameter set.' -sev Error
+        return
+    }
+
+    switch ($StateValue.ToLowerInvariant()) {
+        'restrict' { $DesiredValue = $false; $DesiredLabel = 'restricted'; break }
+        'allow' { $DesiredValue = $true; $DesiredLabel = 'allowed'; break }
+        default {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "BitLockerKeysForOwnedDevice: Unsupported state value '$StateValue'." -sev Error
+            return
+        }
+    }
+
+    try {
+        $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the BitLockerKeysForOwnedDevice state for $Tenant. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+        return
+    }
+    $CurrentValue = [bool]$CurrentState.defaultUserRolePermissions.allowedToReadBitLockerKeysForOwnedDevice
+    $StateIsCorrect = ($CurrentValue -eq $DesiredValue)
+
+    if ($Settings.remediate -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "Users are already $DesiredLabel from recovering BitLocker keys for their owned devices." -sev Info
+        } else {
+            try {
+                $BodyObject = @{ defaultUserRolePermissions = @{ allowedToReadBitLockerKeysForOwnedDevice = $DesiredValue } }
+                $BodyJson = $BodyObject | ConvertTo-Json -Depth 4 -Compress
+                $null = New-GraphPOSTRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -Type patch -Body $BodyJson
+                $ActionMessage = if ($DesiredValue) { 'Allowed users to recover BitLocker keys for their owned devices.' } else { 'Restricted users from recovering BitLocker keys for their owned devices.' }
+                Write-LogMessage -API 'Standards' -tenant $tenant -message $ActionMessage -sev Info
+
+
+                # Update current state variables to reflect the change immediately if running remediate and report/alert together
+                $CurrentState.defaultUserRolePermissions.allowedToReadBitLockerKeysForOwnedDevice = $DesiredValue
+                $CurrentValue = $DesiredValue
+                $StateIsCorrect = $true
+            } catch {
+                $ErrorMessage = Get-CippException -Exception $_
+                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to $StateValue users to recover BitLocker keys for their owned devices: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+            }
+        }
+    }
+
+    if ($Settings.alert -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message "Users are $DesiredLabel to recover BitLocker keys for their owned devices as configured." -sev Info
+        } else {
+            $CurrentLabel = if ($CurrentValue) { 'allowed' } else { 'restricted' }
+            $AlertMessage = "Users are $CurrentLabel to recover BitLocker keys for their owned devices but should be $DesiredLabel."
+            Write-StandardsAlert -message $AlertMessage -object $CurrentState -tenant $tenant -standardName 'BitLockerKeysForOwnedDevice' -standardId $Settings.standardId
+            Write-LogMessage -API 'Standards' -tenant $tenant -message $AlertMessage -sev Info
+        }
+    }
+
+    if ($Settings.report -eq $true) {
+        Set-CIPPStandardsCompareField -FieldName 'standards.BitLockerKeysForOwnedDevice' -FieldValue $StateIsCorrect -Tenant $tenant
+        Add-CIPPBPAField -FieldName 'BitLockerKeysForOwnedDevice' -FieldValue $CurrentValue -StoreAs bool -Tenant $tenant
+    }
+}