extra test

Author: KelvinTegelaar

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1

@@ -142,6 +142,10 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskDetections collection failed: $($_.Exception.Message)" -sev Error
         }
 
+        try { Set-CIPPDBCacheDeviceRegistrationPolicy -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "DeviceRegistrationPolicy collection failed: $($_.Exception.Message)" -sev Error
+        }
+
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Completed database cache collection for tenant' -sev Info
 
     } catch {

Modules/CIPPCore/Public/Set-CIPPDBCacheDeviceRegistrationPolicy.ps1

@@ -0,0 +1,31 @@
+function Set-CIPPDBCacheDeviceRegistrationPolicy {
+    <#
+    .SYNOPSIS
+        Caches device registration policy for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache device registration policy for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching device registration policy' -sev Info
+
+        $DeviceRegistrationPolicy = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy' -tenantid $TenantFilter
+        
+        if ($DeviceRegistrationPolicy) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'DeviceRegistrationPolicy' -Data @($DeviceRegistrationPolicy)
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached device registration policy successfully' -sev Info
+        }
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter `
+            -message "Failed to cache device registration policy: $($_.Exception.Message)" `
+            -sev Warning `
+            -LogData (Get-CippException -Exception $_)
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21866.ps1

@@ -0,0 +1,44 @@
+function Invoke-CippTestZTNA21866 {
+    param($Tenant)
+
+    $TestId = 'ZTNA21866'
+
+    try {
+        # Get directory recommendations from cache
+        $Recommendations = New-CIPPDbRequest -TenantFilter $Tenant -Type 'DirectoryRecommendations'
+
+        if (-not $Recommendations) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Directory recommendations not found in cache' -Risk 'Medium' -Name 'All Microsoft Entra recommendations are addressed' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Monitoring'
+            return
+        }
+
+        # Filter for unaddressed recommendations (active or postponed status)
+        $UnaddressedRecommendations = $Recommendations | Where-Object { $_.status -in @('active', 'postponed') }
+
+        $Passed = if ($UnaddressedRecommendations.Count -eq 0) { 'Passed' } else { 'Failed' }
+
+        if ($Passed -eq 'Passed') {
+            $ResultMarkdown = '✅ All Entra Recommendations are addressed.'
+        } else {
+            $ResultMarkdown = "❌ Found $($UnaddressedRecommendations.Count) unaddressed Entra recommendations.`n`n"
+            $ResultMarkdown += "## Unaddressed Entra recommendations`n`n"
+            $ResultMarkdown += "| Display Name | Status | Insights | Priority |`n"
+            $ResultMarkdown += "| :--- | :--- | :--- | :--- |`n"
+
+            foreach ($Item in $UnaddressedRecommendations) {
+                $DisplayName = $Item.displayName
+                $Status = $Item.status
+                $Insights = $Item.insights
+                $Priority = $Item.priority
+                $ResultMarkdown += "| $DisplayName | $Status | $Insights | $Priority |`n"
+            }
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status $Passed -ResultMarkdown $ResultMarkdown -Risk 'Medium' -Name 'All Microsoft Entra recommendations are addressed' -UserImpact 'Low' -ImplementationEffort 'High' -Category 'Monitoring'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'All Microsoft Entra recommendations are addressed' -UserImpact 'Low' -ImplementationEffort 'High' -Category 'Monitoring'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21872.ps1

@@ -0,0 +1,102 @@
+function Invoke-CippTestZTNA21872 {
+    param($Tenant)
+
+    $TestId = 'ZTNA21872'
+
+    try {
+        # Get conditional access policies and device registration policy from cache
+        $CAPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'ConditionalAccessPolicies'
+        $DeviceRegistrationPolicy = New-CIPPDbRequest -TenantFilter $Tenant -Type 'DeviceRegistrationPolicy'
+
+        if (-not $CAPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Conditional Access policies not found in cache' -Risk 'High' -Name 'Require multifactor authentication for device join and device registration using user action' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Access control'
+            return
+        }
+
+        if (-not $DeviceRegistrationPolicy) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Device registration policy not found in cache' -Risk 'High' -Name 'Require multifactor authentication for device join and device registration using user action' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Access control'
+            return
+        }
+
+        $MfaRequiredInDeviceSettings = $DeviceRegistrationPolicy.multiFactorAuthConfiguration -eq 'required'
+
+        # Filter for enabled device registration CA policies
+        $DeviceRegistrationPolicies = $CAPolicies | Where-Object {
+            ($_.state -eq 'enabled') -and
+            ($_.conditions.applications.includeUserActions -eq 'urn:user:registerdevice')
+        }
+
+        # Check each policy to see if it properly requires MFA
+        $ValidPolicies = [System.Collections.Generic.List[object]]::new()
+        foreach ($Policy in $DeviceRegistrationPolicies) {
+            $RequiresMfa = $false
+
+            # Check if the policy directly requires MFA
+            if ($Policy.grantControls.builtInControls -contains 'mfa') {
+                $RequiresMfa = $true
+            }
+
+            # Check if the policy uses any authentication strength
+            if ($null -ne $Policy.grantControls.authenticationStrength) {
+                $RequiresMfa = $true
+            }
+
+            # If the policy requires MFA, add it to valid policies
+            if ($RequiresMfa) {
+                $ValidPolicies.Add($Policy)
+            }
+        }
+
+        # Determine pass/fail conditions
+        if ($MfaRequiredInDeviceSettings) {
+            $Passed = 'Failed'
+            $ResultMarkdown = "❌ **MFA is configured incorrectly.** Device Settings has 'Require Multi-Factor Authentication to register or join devices' set to Yes. According to best practices, this should be set to No, and MFA should be enforced through Conditional Access policies instead.`n`n"
+        } elseif ($DeviceRegistrationPolicies.Count -eq 0) {
+            $Passed = 'Failed'
+            $ResultMarkdown = "❌ **No Conditional Access policies found** for device registration or device join. Create a policy that requires MFA for these user actions.`n`n"
+        } elseif ($ValidPolicies.Count -eq 0) {
+            $Passed = 'Failed'
+            $ResultMarkdown = "❌ **Conditional Access policies found**, but they're not correctly configured. Policies should require MFA or appropriate authentication strength.`n`n"
+        } else {
+            $Passed = 'Passed'
+            $ResultMarkdown = "✅ **Properly configured Conditional Access policies found** that require MFA for device registration/join actions.`n`n"
+        }
+
+        # Add device settings information
+        $ResultMarkdown += "## Device Settings Configuration`n`n"
+        $ResultMarkdown += "| Setting | Value | Recommended Value | Status |`n"
+        $ResultMarkdown += "| :------ | :---- | :---------------- | :----- |`n"
+
+        $DeviceSettingStatus = if ($MfaRequiredInDeviceSettings) { '❌ Should be set to No' } else { '✅ Correctly configured' }
+        $DeviceSettingValue = if ($MfaRequiredInDeviceSettings) { 'Yes' } else { 'No' }
+        $ResultMarkdown += "| Require Multi-Factor Authentication to register or join devices | $DeviceSettingValue | No | $DeviceSettingStatus |`n"
+
+        # Add policies information if any found
+        if ($DeviceRegistrationPolicies.Count -gt 0) {
+            $ResultMarkdown += "`n## Device Registration/Join Conditional Access Policies`n`n"
+            $ResultMarkdown += "| Policy Name | State | Requires MFA | Status |`n"
+            $ResultMarkdown += "| :---------- | :---- | :----------- | :----- |`n"
+
+            foreach ($Policy in $DeviceRegistrationPolicies) {
+                $PolicyName = $Policy.displayName
+                $PolicyState = $Policy.state
+                $PolicyLink = "https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade/policyId/$($Policy.id)"
+                $PolicyNameLink = "[$PolicyName]($PolicyLink)"
+
+                # Check if this policy is properly configured
+                $IsValid = $Policy -in $ValidPolicies
+                $RequiresMfaText = if ($IsValid) { 'Yes' } else { 'No' }
+                $StatusText = if ($IsValid) { '✅ Properly configured' } else { '❌ Incorrectly configured' }
+
+                $ResultMarkdown += "| $PolicyNameLink | $PolicyState | $RequiresMfaText | $StatusText |`n"
+            }
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status $Passed -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Require multifactor authentication for device join and device registration using user action' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Access control'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Require multifactor authentication for device join and device registration using user action' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Access control'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21874.ps1

@@ -0,0 +1,40 @@
+function Invoke-CippTestZTNA21874 {
+    param($Tenant)
+
+    $TestId = 'ZTNA21874'
+
+    try {
+        # Get B2B Management Policy from cache
+        $B2BManagementPolicyObject = New-CIPPDbRequest -TenantFilter $Tenant -Type 'B2BManagementPolicy'
+
+        if (-not $B2BManagementPolicyObject) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'B2B Management Policy not found in cache' -Risk 'Medium' -Name 'Guest access is limited to approved tenants' -UserImpact 'Medium' -ImplementationEffort 'High' -Category 'External collaboration'
+            return
+        }
+
+        $Passed = 'Failed'
+        $AllowedDomains = $null
+
+        if ($B2BManagementPolicyObject.definition) {
+            $B2BManagementPolicy = ($B2BManagementPolicyObject.definition | ConvertFrom-Json).B2BManagementPolicy
+            $AllowedDomains = $B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains
+
+            if ($AllowedDomains -and $AllowedDomains.Count -gt 0) {
+                $Passed = 'Passed'
+            }
+        }
+
+        if ($Passed -eq 'Passed') {
+            $ResultMarkdown = '✅ Allow/Deny lists of domains to restrict external collaboration are configured.'
+        } else {
+            $ResultMarkdown = '❌ Allow/Deny lists of domains to restrict external collaboration are not configured.'
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status $Passed -ResultMarkdown $ResultMarkdown -Risk 'Medium' -Name 'Guest access is limited to approved tenants' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'External collaboration'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Guest access is limited to approved tenants' -UserImpact 'Medium' -ImplementationEffort 'Medium' -Category 'External collaboration'
+    }
+}