Next batch

KelvinTegelaar · KelvinTegelaar · commit f61e984c99cb · 2025-12-24T01:12:41.000+01:00
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1
@@ -126,6 +126,22 @@ function Push-CIPPDBCacheData {
             Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "AuthenticationFlowsPolicy collection failed: $($_.Exception.Message)" -sev Error
         }
 
+        try { Set-CIPPDBCacheRiskyUsers -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskyUsers collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheRiskyServicePrincipals -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskyServicePrincipals collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheServicePrincipalRiskDetections -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "ServicePrincipalRiskDetections collection failed: $($_.Exception.Message)" -sev Error
+        }
+
+        try { Set-CIPPDBCacheRiskDetections -TenantFilter $TenantFilter } catch {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "RiskDetections collection failed: $($_.Exception.Message)" -sev Error
+        }
+
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Completed database cache collection for tenant' -sev Info
 
     } catch {
diff --git a/Modules/CIPPCore/Public/Set-CIPPDBCacheRiskDetections.ps1 b/Modules/CIPPCore/Public/Set-CIPPDBCacheRiskDetections.ps1
@@ -0,0 +1,35 @@
+function Set-CIPPDBCacheRiskDetections {
+    <#
+    .SYNOPSIS
+        Caches risk detections from Identity Protection for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache risk detections for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching risk detections from Identity Protection' -sev Info
+
+        # Requires P2 licensing
+        $RiskDetections = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identityProtection/riskDetections' -tenantid $TenantFilter
+        
+        if ($RiskDetections) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'RiskDetections' -Data $RiskDetections
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'RiskDetections' -Data $RiskDetections -Count
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($RiskDetections.Count) risk detections successfully" -sev Info
+        } else {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'No risk detections found or Identity Protection not available' -sev Info
+        }
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter `
+            -message "Failed to cache risk detections: $($_.Exception.Message)" `
+            -sev Warning `
+            -LogData (Get-CippException -Exception $_)
+    }
+}
diff --git a/Modules/CIPPCore/Public/Set-CIPPDBCacheRiskyServicePrincipals.ps1 b/Modules/CIPPCore/Public/Set-CIPPDBCacheRiskyServicePrincipals.ps1
@@ -0,0 +1,35 @@
+function Set-CIPPDBCacheRiskyServicePrincipals {
+    <#
+    .SYNOPSIS
+        Caches risky service principals from Identity Protection for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache risky service principals for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching risky service principals from Identity Protection' -sev Info
+
+        # Requires Workload Identity Premium licensing
+        $RiskyServicePrincipals = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identityProtection/riskyServicePrincipals' -tenantid $TenantFilter
+        
+        if ($RiskyServicePrincipals) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'RiskyServicePrincipals' -Data $RiskyServicePrincipals
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'RiskyServicePrincipals' -Data $RiskyServicePrincipals -Count
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($RiskyServicePrincipals.Count) risky service principals successfully" -sev Info
+        } else {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'No risky service principals found or Workload Identity Protection not available' -sev Info
+        }
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter `
+            -message "Failed to cache risky service principals: $($_.Exception.Message)" `
+            -sev Warning `
+            -LogData (Get-CippException -Exception $_)
+    }
+}
diff --git a/Modules/CIPPCore/Public/Set-CIPPDBCacheRiskyUsers.ps1 b/Modules/CIPPCore/Public/Set-CIPPDBCacheRiskyUsers.ps1
@@ -0,0 +1,35 @@
+function Set-CIPPDBCacheRiskyUsers {
+    <#
+    .SYNOPSIS
+        Caches risky users from Identity Protection for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache risky users for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching risky users from Identity Protection' -sev Info
+
+        # Requires P2 or Governance licensing
+        $RiskyUsers = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identityProtection/riskyUsers' -tenantid $TenantFilter
+        
+        if ($RiskyUsers) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'RiskyUsers' -Data $RiskyUsers
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'RiskyUsers' -Data $RiskyUsers -Count
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($RiskyUsers.Count) risky users successfully" -sev Info
+        } else {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'No risky users found or Identity Protection not available' -sev Info
+        }
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter `
+            -message "Failed to cache risky users: $($_.Exception.Message)" `
+            -sev Warning `
+            -LogData (Get-CippException -Exception $_)
+    }
+}
diff --git a/Modules/CIPPCore/Public/Set-CIPPDBCacheServicePrincipalRiskDetections.ps1 b/Modules/CIPPCore/Public/Set-CIPPDBCacheServicePrincipalRiskDetections.ps1
@@ -0,0 +1,35 @@
+function Set-CIPPDBCacheServicePrincipalRiskDetections {
+    <#
+    .SYNOPSIS
+        Caches service principal risk detections from Identity Protection for a tenant
+
+    .PARAMETER TenantFilter
+        The tenant to cache service principal risk detections for
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching service principal risk detections from Identity Protection' -sev Info
+
+        # Requires Workload Identity Premium licensing
+        $ServicePrincipalRiskDetections = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identityProtection/servicePrincipalRiskDetections' -tenantid $TenantFilter
+        
+        if ($ServicePrincipalRiskDetections) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ServicePrincipalRiskDetections' -Data $ServicePrincipalRiskDetections
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ServicePrincipalRiskDetections' -Data $ServicePrincipalRiskDetections -Count
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($ServicePrincipalRiskDetections.Count) service principal risk detections successfully" -sev Info
+        } else {
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'No service principal risk detections found or Workload Identity Protection not available' -sev Info
+        }
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter `
+            -message "Failed to cache service principal risk detections: $($_.Exception.Message)" `
+            -sev Warning `
+            -LogData (Get-CippException -Exception $_)
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21848.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21848.ps1
@@ -0,0 +1,62 @@
+function Invoke-CippTestZTNA21848 {
+    param($Tenant)
+
+    $TestId = 'ZTNA21848'
+
+    try {
+        # Get password protection settings from Settings cache
+        $Settings = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Settings'
+        $PasswordProtectionSettings = $Settings | Where-Object { $_.templateId -eq '5cf42378-d67d-4f36-ba46-e8b86229381d' }
+
+        if (-not $PasswordProtectionSettings) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Password protection settings not found' -Risk 'Medium' -Name 'Add organizational terms to the banned password list' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Credential management'
+            return
+        }
+
+        $EnableBannedPasswordCheck = ($PasswordProtectionSettings.values | Where-Object { $_.name -eq 'EnableBannedPasswordCheck' }).value
+        $BannedPasswordList = ($PasswordProtectionSettings.values | Where-Object { $_.name -eq 'BannedPasswordList' }).value
+        
+        if ([string]::IsNullOrEmpty($BannedPasswordList)) {
+            $BannedPasswordList = $null
+        }
+
+        $Passed = if ($EnableBannedPasswordCheck -eq $true -and $null -ne $BannedPasswordList) { 'Passed' } else { 'Failed' }
+
+        $PortalLink = 'https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/PasswordProtection/fromNav/'
+
+        $Enforced = if ($EnableBannedPasswordCheck -eq $true) { 'Yes' } else { 'No' }
+
+        # Split on tab characters to handle tab-delimited banned password entries
+        if ($BannedPasswordList) {
+            $BannedPasswordArray = $BannedPasswordList -split '\t'
+        } else {
+            $BannedPasswordArray = @()
+        }
+
+        # Show up to 10 banned passwords, summarize if more exist
+        $MaxDisplay = 10
+        if ($BannedPasswordArray.Count -gt $MaxDisplay) {
+            $DisplayList = $BannedPasswordArray[0..($MaxDisplay-1)] + "...and $($BannedPasswordArray.Count - $MaxDisplay) more"
+        } else {
+            $DisplayList = $BannedPasswordArray
+        }
+
+        if ($Passed -eq 'Passed') {
+            $ResultMarkdown = "✅ Custom banned passwords are properly configured with organization-specific terms.`n`n"
+        } else {
+            $ResultMarkdown = "❌ Custom banned passwords are not enabled or lack organization-specific terms.`n`n"
+        }
+
+        $ResultMarkdown += "## [Password protection settings]($PortalLink)`n`n"
+        $ResultMarkdown += "| Enforce custom list | Custom banned password list | Number of terms |`n"
+        $ResultMarkdown += "| :------------------ | :-------------------------- | :-------------- |`n"
+        $ResultMarkdown += "| $Enforced | $($DisplayList -join ', ') | $($BannedPasswordArray.Count) |`n"
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status $Passed -ResultMarkdown $ResultMarkdown -Risk 'Medium' -Name 'Add organizational terms to the banned password list' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Credential management'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Add organizational terms to the banned password list' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Credential management'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21849.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21849.ps1
@@ -1,14 +1,61 @@
 function Invoke-CippTestZTNA21849 {
     param($Tenant)
 
+    $TestId = 'ZTNA21849'
+
     try {
-        $groupSettings = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Settings'
+        # Get password rule settings from Settings cache
+        $Settings = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Settings'
+        $PasswordRuleSettings = $Settings | Where-Object { $_.displayName -eq 'Password Rule Settings' }
+
+        $PortalLink = 'https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/PasswordProtection/fromNav/'
+
+        if ($null -eq $PasswordRuleSettings) {
+            # Default is 60 seconds
+            $Passed = 'Passed'
+            $ResultMarkdown = "✅ Smart Lockout duration is configured to 60 seconds or higher (default).`n`n"
+            $ResultMarkdown += "## [Smart Lockout Settings]($PortalLink)`n`n"
+            $ResultMarkdown += "| Setting | Value |`n"
+            $ResultMarkdown += "| :---- | :---- |`n"
+            $ResultMarkdown += "| Lockout Duration (seconds) | 60 (Default) |`n"
+        } else {
+            $LockoutDurationSetting = $PasswordRuleSettings.values | Where-Object { $_.name -eq 'LockoutDurationInSeconds' }
+
+            if ($null -eq $LockoutDurationSetting) {
+                # Default is 60 seconds
+                $Passed = 'Passed'
+                $ResultMarkdown = "✅ Smart Lockout duration is configured to 60 seconds or higher (default).`n`n"
+                $ResultMarkdown += "## [Smart Lockout Settings]($PortalLink)`n`n"
+                $ResultMarkdown += "| Setting | Value |`n"
+                $ResultMarkdown += "| :---- | :---- |`n"
+                $ResultMarkdown += "| Lockout Duration (seconds) | 60 (Default) |`n"
+            } else {
+                $LockoutDuration = [int]$LockoutDurationSetting.value
+
+                if ($LockoutDuration -ge 60) {
+                    $Passed = 'Passed'
+                    $ResultMarkdown = "✅ Smart Lockout duration is configured to 60 seconds or higher.`n`n"
+                } else {
+                    $Passed = 'Failed'
+                    $ResultMarkdown = "❌ Smart Lockout duration is configured below 60 seconds.`n`n"
+                }
 
-        if (-not $groupSettings) {
-            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA21849' -TestType 'Identity' -Status 'Investigate' -ResultMarkdown 'Settings not found in database' -Risk 'Medium' -Name 'Smart lockout duration is set to a minimum of 60' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Credential Management'
-            return
+                $ResultMarkdown += "## [Smart Lockout Settings]($PortalLink)`n`n"
+                $ResultMarkdown += "| Setting | Value |`n"
+                $ResultMarkdown += "| :---- | :---- |`n"
+                $ResultMarkdown += "| Lockout Duration (seconds) | $LockoutDuration |`n"
+            }
         }
 
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status $Passed -ResultMarkdown $ResultMarkdown -Risk 'Medium' -Name 'Smart lockout duration is set to a minimum of 60' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Credential management'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Smart lockout duration is set to a minimum of 60' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Credential management'
+    }
+}
+
         $passwordRuleSettings = $groupSettings | Where-Object { $_.displayName -eq 'Password Rule Settings' }
 
         $passed = 'Passed'
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21850.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21850.ps1
@@ -0,0 +1,47 @@
+function Invoke-CippTestZTNA21850 {
+    param($Tenant)
+
+    $TestId = 'ZTNA21850'
+
+    try {
+        # Get password rule settings from Settings cache
+        $Settings = New-CIPPDbRequest -TenantFilter $Tenant -Type 'Settings'
+        $PasswordRuleSettings = $Settings | Where-Object { $_.displayName -eq 'Password Rule Settings' }
+
+        $PortalLink = 'https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/PasswordProtection/fromNav/'
+
+        if ($null -eq $PasswordRuleSettings) {
+            $Passed = 'Failed'
+            $ResultMarkdown = "❌ Password rule settings template not found."
+        } else {
+            $LockoutThresholdSetting = $PasswordRuleSettings.values | Where-Object { $_.name -eq 'LockoutThreshold' }
+            
+            if ($null -eq $LockoutThresholdSetting) {
+                $Passed = 'Failed'
+                $ResultMarkdown = "❌ Lockout threshold setting not found in [password rule settings]($PortalLink)."
+            } else {
+                $LockoutThreshold = [int]$LockoutThresholdSetting.value
+
+                if ($LockoutThreshold -le 10) {
+                    $Passed = 'Passed'
+                    $ResultMarkdown = "✅ Smart lockout threshold is set to 10 or below.`n`n"
+                } else {
+                    $Passed = 'Failed'
+                    $ResultMarkdown = "❌ Smart lockout threshold is configured above 10.`n`n"
+                }
+
+                $ResultMarkdown += "## [Smart lockout configuration]($PortalLink)`n`n"
+                $ResultMarkdown += "| Setting | Value |`n"
+                $ResultMarkdown += "| :---- | :---- |`n"
+                $ResultMarkdown += "| Lockout threshold | $LockoutThreshold attempts |`n"
+            }
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status $Passed -ResultMarkdown $ResultMarkdown -Risk 'Medium' -Name 'Smart lockout threshold set to 10 or less' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Credential management'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Identity' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Smart lockout threshold set to 10 or less' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Credential management'
+    }
+}
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21861.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21861.ps1
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21862.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21862.ps1
diff --git a/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21863.ps1 b/Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA21863.ps1
