more standards

JohnDuprey · JohnDuprey · commit fa8aeb57c24e · 2025-03-19T15:41:27.000-04:00
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1
@@ -32,12 +32,11 @@ function Invoke-CIPPStandardOauthConsent {
     #>
 
     param($tenant, $settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'OauthConsent'
 
     $State = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant
     $StateIsCorrect = if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.cipp-consent-policy') { $true } else { $false }
 
-    If ($Settings.remediate -eq $true) {
+    if ($Settings.remediate -eq $true) {
         $AllowedAppIdsForTenant = $settings.AllowedApps -split ','
         try {
             if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.cipp-consent-policy')) {
@@ -70,11 +69,17 @@ function Invoke-CIPPStandardOauthConsent {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode is enabled.' -sev Info
         } else {
-            Write-StandardsAlert -message "Application Consent Mode is not enabled." -object $State -tenant $tenant -standardName 'OauthConsent' -standardId $Settings.standardId
+            Write-StandardsAlert -message 'Application Consent Mode is not enabled.' -object $State -tenant $tenant -standardName 'OauthConsent' -standardId $Settings.standardId
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode is not enabled.' -sev Info
         }
     }
     if ($Settings.report -eq $true) {
         Add-CIPPBPAField -FieldName 'OauthConsent' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+        if ($StateIsCorrect) {
+            $FieldValue = $true
+        } else {
+            $FieldValue = $State
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.OauthConsent' -FieldValue $FieldValue -Tenant $tenant
     }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1
@@ -28,24 +28,23 @@ function Invoke-CIPPStandardOauthConsentLowSec {
     #>
 
     param($Tenant, $Settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'OauthConsentLowSec'
 
     $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant)
     $PermissionState = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/delegatedPermissionClassifications" -tenantid $tenant) | Select-Object -Property permissionName
 
     $requiredPermissions = @('offline_access', 'openid', 'User.Read', 'profile', 'email')
     $missingPermissions = $requiredPermissions | Where-Object { $PermissionState.permissionName -notcontains $_ }
 
-    If ($Settings.remediate -eq $true) {
+    if ($Settings.remediate -eq $true) {
         if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -in @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is already enabled.' -sev Info
         } else {
             try {
                 $GraphParam = @{
-                    tenantid = $tenant
-                    Uri = 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy'
-                    Type = 'PATCH'
-                    Body = @{
+                    tenantid    = $tenant
+                    Uri         = 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy'
+                    Type        = 'PATCH'
+                    Body        = @{
                         permissionGrantPolicyIdsAssignedToDefaultUserRole = @('managePermissionGrantsForSelf.microsoft-user-default-low')
                     } | ConvertTo-Json
                     ContentType = 'application/json'
@@ -64,10 +63,10 @@ function Invoke-CIPPStandardOauthConsentLowSec {
             try {
                 $missingPermissions | ForEach-Object {
                     $GraphParam = @{
-                        tenantid = $tenant
-                        Uri = "https://graph.microsoft.com/beta/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/delegatedPermissionClassifications"
-                        Type = 'POST'
-                        Body = @{
+                        tenantid    = $tenant
+                        Uri         = "https://graph.microsoft.com/beta/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')/delegatedPermissionClassifications"
+                        Type        = 'POST'
+                        Body        = @{
                             permissionName = $_
                             classification = 'low'
                         } | ConvertTo-Json
@@ -85,7 +84,7 @@ function Invoke-CIPPStandardOauthConsentLowSec {
 
     if ($Settings.alert -eq $true) {
         if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
-            Write-StandardsAlert -message "Application Consent Mode(microsoft-user-default-low) is not enabled" -object $State -tenant $tenant -standardName 'OauthConsentLowSec' -standardId $Settings.standardId
+            Write-StandardsAlert -message 'Application Consent Mode(microsoft-user-default-low) is not enabled' -object $State -tenant $tenant -standardName 'OauthConsentLowSec' -standardId $Settings.standardId
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is not enabled.' -sev Info
         } else {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Application Consent Mode(microsoft-user-default-low) is enabled.' -sev Info
@@ -95,9 +94,15 @@ function Invoke-CIPPStandardOauthConsentLowSec {
     if ($Settings.report -eq $true) {
         if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -notin @('managePermissionGrantsForSelf.microsoft-user-default-low')) {
             $State.permissionGrantPolicyIdsAssignedToDefaultUserRole = $false
+            $ValueField = @{
+                authorizationPolicy       = $State
+                permissionClassifications = $PermissionState
+            }
         } else {
             $State.permissionGrantPolicyIdsAssignedToDefaultUserRole = $true
+            $ValueField = $true
         }
         Add-CIPPBPAField -FieldName 'OauthConsentLowSec' -FieldValue $State.permissionGrantPolicyIdsAssignedToDefaultUserRole -StoreAs bool -Tenant $tenant
+        Set-CIPPStandardsCompareField -FieldName 'standards.OauthConsentLowSec' -FieldValue $ValueField -Tenant $tenant
     }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1
@@ -31,11 +31,10 @@ function Invoke-CIPPStandardOutBoundSpamAlert {
     #>
 
     param($Tenant, $Settings)
-    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'OutBoundSpamAlert'
 
     $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-HostedOutboundSpamFilterPolicy' -useSystemMailbox $true
 
-    If ($Settings.remediate -eq $true) {
+    if ($Settings.remediate -eq $true) {
 
         if ($CurrentInfo.NotifyOutboundSpam -ne $true -or $CurrentInfo.NotifyOutboundSpamRecipients -ne $settings.OutboundSpamContact) {
             $Contacts = $settings.OutboundSpamContact
@@ -56,12 +55,18 @@ function Invoke-CIPPStandardOutBoundSpamAlert {
         if ($CurrentInfo.NotifyOutboundSpam -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message "Outbound spam filter alert is set to $($CurrentInfo.NotifyOutboundSpamRecipients)" -sev Info
         } else {
-            Write-StandardsAlert -message "Outbound spam filter alert is not set" -object $CurrentInfo -tenant $tenant -standardName 'OutBoundSpamAlert' -standardId $Settings.standardId
+            Write-StandardsAlert -message 'Outbound spam filter alert is not set' -object $CurrentInfo -tenant $tenant -standardName 'OutBoundSpamAlert' -standardId $Settings.standardId
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Outbound spam filter alert is not set' -sev Info
         }
     }
 
     if ($Settings.report -eq $true) {
         Add-CIPPBPAField -FieldName 'OutboundSpamAlert' -FieldValue $CurrentInfo.NotifyOutboundSpam -StoreAs bool -Tenant $tenant
+        if ($CurrentInfo.NotifyOutboundSpam -ne $true -or $CurrentInfo.NotifyOutboundSpamRecipients -ne $settings.OutboundSpamContact) {
+            $ValueField = $CurrentInfo | Select-Object -Property NotifyOutboundSpamRecipients, NotifyOutboundSpam
+        } else {
+            $ValueField = $true
+        }
+        Set-CIPPStandardsCompareField -FieldName 'standards.OutBoundSpamAlert' -FieldValue $ValueField -Tenant $tenant
     }
 }
