Merge pull request KelvinTegelaar#1879 from KelvinTegelaar/dev

Dev to release

Author: KelvinTegelaar

CIPPHttpTrigger/function.json

@@ -26,6 +26,12 @@
       "name": "starter",
       "type": "durableClient",
       "direction": "in"
+    },
+    {
+      "type": "queue",
+      "direction": "out",
+      "name": "QueueItem",
+      "queueName": "cippqueue"
     }
   ]
 }

CIPPQueueTrigger/function.json

@@ -0,0 +1,17 @@
+{
+  "scriptFile": "../Modules/CippEntrypoints/CippEntrypoints.psm1",
+  "entryPoint": "Receive-CippQueueTrigger",
+  "bindings": [
+    {
+      "name": "QueueItem",
+      "type": "queueTrigger",
+      "direction": "in",
+      "queueName": "cippqueue"
+    },
+    {
+      "name": "starter",
+      "type": "durableClient",
+      "direction": "in"
+    }
+  ]
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1

@@ -18,31 +18,63 @@ function Get-CIPPAlertMFAAdmins {
             }
         }
         if (!$DuoActive) {
-            $Users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
-                Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+            $MFAReport = try { Get-CIPPMFAStateReport -TenantFilter $TenantFilter } catch { $null }
+            $IncludeDisabled = [System.Convert]::ToBoolean($InputValue)
 
-            # Filter out JIT admins if any users were found
-            if ($Users) {
+            # Check 1: Admins with no MFA registered — prefer cache, fall back to live Graph
+            $Users = if ($MFAReport) {
+                $MFAReport | Where-Object { $_.IsAdmin -eq $true -and $_.MFARegistration -eq $false -and ($IncludeDisabled -or $_.AccountEnabled -eq $true) }
+            } else {
+                New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
+                    Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' } |
+                    Select-Object @{n = 'ID'; e = { $_.id } }, @{n = 'UPN'; e = { $_.userPrincipalName } }, @{n = 'DisplayName'; e = { $_.userDisplayName } }
+            }
+
+            # Check 2: Admins with MFA registered but no enforcement.
+            # I hate how this ended up looking, but I couldn't think of a better way to do it ¯\_(ツ)_/¯
+            $UnenforcedAdmins = $MFAReport | Where-Object {
+                $_.IsAdmin -eq $true -and
+                $_.MFARegistration -eq $true -and
+                ($IncludeDisabled -or $_.AccountEnabled -eq $true) -and
+                $_.PerUser -notin @('Enforced', 'Enabled') -and
+                $null -ne $_.CoveredBySD -and
+                $_.CoveredBySD -ne $true -and
+                $_.CoveredByCA -notlike 'Enforced*'
+            }
+
+            # Filter out JIT admins
+            if ($Users -or $UnenforcedAdmins) {
                 $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
                 $JITAdmins = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,$($Schema.id)&`$filter=$($Schema.id)/jitAdminEnabled eq true" -tenantid $TenantFilter -ComplexFilter
                 $JITAdminIds = $JITAdmins.id
-                $Users = $Users | Where-Object { $_.id -notin $JITAdminIds }
+                $Users = $Users | Where-Object { $_.ID -notin $JITAdminIds }
+                $UnenforcedAdmins = $UnenforcedAdmins | Where-Object { $_.ID -notin $JITAdminIds }
+            }
+
+            $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+            foreach ($user in $Users) {
+                $AlertData.Add([PSCustomObject]@{
+                        Message           = "Admin user $($user.DisplayName) ($($user.UPN)) does not have MFA registered."
+                        UserPrincipalName = $user.UPN
+                        DisplayName       = $user.DisplayName
+                        Id                = $user.ID
+                        Tenant            = $TenantFilter
+                    })
             }
 
-            if ($Users.UserPrincipalName) {
-                $AlertData = foreach ($user in $Users) {
-                    [PSCustomObject]@{
-                        Message           = "Admin user $($user.userDisplayName) ($($user.userPrincipalName)) does not have MFA registered."
-                        UserPrincipalName = $user.userPrincipalName
-                        DisplayName       = $user.userDisplayName
-                        Id                = $user.id
-                        LastUpdated       = $user.lastUpdatedDateTime
+            foreach ($user in $UnenforcedAdmins) {
+                $AlertData.Add([PSCustomObject]@{
+                        Message           = "Admin user $($user.DisplayName) ($($user.UPN)) has MFA registered but no enforcement method (Per-User MFA, Security Defaults, or Conditional Access) is active."
+                        UserPrincipalName = $user.UPN
+                        DisplayName       = $user.DisplayName
+                        Id                = $user.ID
                         Tenant            = $TenantFilter
-                    }
-                }
+                    })
+            }
 
+            if ($AlertData.Count -gt 0) {
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
-
             }
         } else {
             Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $TenantFilter -sev Info

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMXRecordChanged.ps1

@@ -16,6 +16,10 @@ function Get-CIPPAlertMXRecordChanged {
         $CacheTable = Get-CippTable -tablename 'CacheMxRecords'
         $PreviousResults = Get-CIPPAzDataTableEntity @CacheTable -Filter "PartitionKey eq '$TenantFilter'"
 
+        if (!$DomainData) {
+            return
+        }
+
         $ChangedDomains = foreach ($Domain in $DomainData) {
             try {
                 $PreviousDomain = $PreviousResults | Where-Object { $_.Domain -eq $Domain.Domain }
@@ -60,8 +64,6 @@ function Get-CIPPAlertMXRecordChanged {
         if ($ChangedDomains) {
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $ChangedDomains
         }
-        return $true
-
     } catch {
         Write-LogMessage -message "Failed to check MX record changes: $($_.Exception.Message)" -API 'MX Record Alert' -tenant $TenantFilter -sev Error
     }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewMFADevice.ps1

@@ -20,13 +20,30 @@ function Get-CIPPAlertNewMFADevice {
                 $User = $Log.targetResources[0].userPrincipalName
                 if (-not $User) { $User = $Log.initiatedBy.user.userPrincipalName }
 
+                $IPAddress = $Log.initiatedBy.user.ipAddress
+                $LocationData = $null
+                if (-not [string]::IsNullOrEmpty($IPAddress) -and $IPAddress -notmatch '[X]+') {
+                    try {
+                        $LocationData = Get-CIPPGeoIPLocation -IP $IPAddress
+                    } catch {
+                        Write-Information "Could not enrich MFA audit IP ${$IPAddress}: $($_.Exception.Message)"
+                    }
+                }
+
                 [PSCustomObject]@{
-                    Message      = "New MFA method registered: $User"
-                    User         = $User
-                    DisplayName  = $Log.targetResources[0].displayName
-                    Activity     = $Log.activityDisplayName
-                    ActivityTime = $Log.activityDateTime
-                    Tenant       = $TenantFilter
+                    Message           = "New MFA method registered: $User"
+                    User              = $User
+                    DisplayName       = $Log.targetResources[0].displayName
+                    Activity          = $Log.activityDisplayName
+                    ActivityTime      = $Log.activityDateTime
+                    Tenant            = $TenantFilter
+                    IpAddress         = $IPAddress
+                    CountryOrRegion   = if ($LocationData) { $LocationData.countryCode } else { $null }
+                    City              = if ($LocationData) { $LocationData.city } else { $null }
+                    Proxy             = if ($LocationData) { $LocationData.proxy } else { $null }
+                    Hosting           = if ($LocationData) { $LocationData.hosting } else { $null }
+                    ASN               = if ($LocationData) { $LocationData.asname } else { $null }
+                    GeoLocationInfo   = if ($LocationData) { ($LocationData | ConvertTo-Json -Depth 10 -Compress) } else { $null }
                 }
             }
         }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSmtpAuthSuccess.ps1

@@ -13,7 +13,7 @@ function Get-CIPPAlertSmtpAuthSuccess {
 
     try {
         # Graph API endpoint for sign-ins
-        $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=clientAppUsed eq 'Authenticated SMTP' and status/errorCode eq 0"
+        $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=(clientAppUsed eq 'Authenticated SMTP' or clientAppUsed eq 'SMTP') and status/errorCode eq 0"
 
         # Call Graph API for the given tenant
         $SignIns = New-GraphGetRequest -uri $uri -tenantid $TenantFilter

Modules/CIPPCore/Public/Compare-CIPPIntuneAssignments.ps1

@@ -0,0 +1,134 @@
+function Compare-CIPPIntuneAssignments {
+    <#
+    .SYNOPSIS
+        Compares existing Intune policy assignments against expected assignment settings.
+    .DESCRIPTION
+        Returns $true if the existing assignments match the expected settings, $false if they differ,
+        or $null if the comparison could not be completed (e.g. Graph error).
+    .PARAMETER ExistingAssignments
+        The current assignments on the policy, as returned by Get-CIPPIntunePolicyAssignments.
+    .PARAMETER ExpectedAssignTo
+        The expected assignment target type: allLicensedUsers, AllDevices, AllDevicesAndUsers,
+        customGroup, or On (no assignment).
+    .PARAMETER ExpectedCustomGroup
+        The expected custom group name(s), comma-separated. Used when ExpectedAssignTo is 'customGroup'.
+    .PARAMETER ExpectedExcludeGroup
+        The expected exclusion group name(s), comma-separated.
+    .PARAMETER ExpectedAssignmentFilter
+        The expected assignment filter display name. Wildcards supported.
+    .PARAMETER ExpectedAssignmentFilterType
+        'include' or 'exclude'. Defaults to 'include'.
+    .PARAMETER TenantFilter
+        The tenant to query for group/filter resolution.
+    .FUNCTIONALITY
+        Internal
+    #>
+    param(
+        [object[]]$ExistingAssignments,
+        [string]$ExpectedAssignTo,
+        [string]$ExpectedCustomGroup,
+        [string]$ExpectedExcludeGroup,
+        [string]$ExpectedAssignmentFilter,
+        [string]$ExpectedAssignmentFilterType = 'include',
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter
+    )
+
+    try {
+        # Normalize existing targets
+        $ExistingTargetTypes = @($ExistingAssignments.target.'@odata.type' | Where-Object { $_ })
+        $ExistingIncludeGroupIds = @(
+            $ExistingAssignments |
+                Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.groupAssignmentTarget' } |
+                ForEach-Object { $_.target.groupId }
+        )
+        $ExistingExcludeGroupIds = @(
+            $ExistingAssignments |
+                Where-Object { $_.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget' } |
+                ForEach-Object { $_.target.groupId }
+        )
+
+        # Determine expected include target types
+        $ExpectedIncludeTypes = switch ($ExpectedAssignTo) {
+            'allLicensedUsers'   { @('#microsoft.graph.allLicensedUsersAssignmentTarget') }
+            'AllDevices'         { @('#microsoft.graph.allDevicesAssignmentTarget') }
+            'AllDevicesAndUsers' { @('#microsoft.graph.allDevicesAssignmentTarget', '#microsoft.graph.allLicensedUsersAssignmentTarget') }
+            'customGroup'        { @('#microsoft.graph.groupAssignmentTarget') }
+            'On'                 { @() }
+            default              { @() }
+        }
+
+        # Compare include target types (ignore exclusion targets)
+        $ExistingIncludeTypes = @($ExistingTargetTypes | Where-Object { $_ -ne '#microsoft.graph.exclusionGroupAssignmentTarget' })
+        $TargetTypeMatch = $true
+        foreach ($t in $ExpectedIncludeTypes) {
+            if ($t -notin $ExistingIncludeTypes) { $TargetTypeMatch = $false; break }
+        }
+        if ($TargetTypeMatch) {
+            foreach ($t in $ExistingIncludeTypes) {
+                if ($t -notin $ExpectedIncludeTypes) { $TargetTypeMatch = $false; break }
+            }
+        }
+
+        # Lazy-load groups cache only if needed
+        $AllGroupsCache = $null
+
+        # For custom groups, resolve names to IDs and compare
+        $IncludeGroupMatch = $true
+        if ($ExpectedAssignTo -eq 'customGroup' -and $ExpectedCustomGroup) {
+            $AllGroupsCache = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter
+            $ExpectedGroupIds = @(
+                $ExpectedCustomGroup.Split(',').Trim() | ForEach-Object {
+                    $name = $_
+                    $AllGroupsCache | Where-Object { $_.displayName -like $name } | Select-Object -ExpandProperty id
+                } | Where-Object { $_ }
+            )
+            $MissingIds = @($ExpectedGroupIds | Where-Object { $_ -notin $ExistingIncludeGroupIds })
+            $ExtraIds   = @($ExistingIncludeGroupIds | Where-Object { $_ -notin $ExpectedGroupIds })
+            $IncludeGroupMatch = ($MissingIds.Count -eq 0 -and $ExtraIds.Count -eq 0)
+        }
+
+        # Compare exclusion groups
+        $ExcludeGroupMatch = $true
+        if ($ExpectedExcludeGroup) {
+            if (-not $AllGroupsCache) {
+                $AllGroupsCache = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/groups?$select=id,displayName&$top=999' -tenantid $TenantFilter
+            }
+            $ExpectedExcludeIds = @(
+                $ExpectedExcludeGroup.Split(',').Trim() | ForEach-Object {
+                    $name = $_
+                    $AllGroupsCache | Where-Object { $_.displayName -like $name } | Select-Object -ExpandProperty id
+                } | Where-Object { $_ }
+            )
+            $MissingExcludeIds = @($ExpectedExcludeIds | Where-Object { $_ -notin $ExistingExcludeGroupIds })
+            $ExtraExcludeIds   = @($ExistingExcludeGroupIds | Where-Object { $_ -notin $ExpectedExcludeIds })
+            $ExcludeGroupMatch = ($MissingExcludeIds.Count -eq 0 -and $ExtraExcludeIds.Count -eq 0)
+        } elseif ($ExistingExcludeGroupIds.Count -gt 0) {
+            # No exclusions expected but some exist
+            $ExcludeGroupMatch = $false
+        }
+
+        # Compare assignment filter
+        $FilterMatch = $true
+        if ($ExpectedAssignmentFilter) {
+            $ExistingFilterIds = @(
+                $ExistingAssignments |
+                    Where-Object { $_.target.deviceAndAppManagementAssignmentFilterId } |
+                    ForEach-Object { $_.target.deviceAndAppManagementAssignmentFilterId }
+            )
+            if ($ExistingFilterIds.Count -eq 0) {
+                $FilterMatch = $false
+            } else {
+                $AllFilters = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters' -tenantid $TenantFilter
+                $ExpectedFilter = $AllFilters | Where-Object { $_.displayName -like $ExpectedAssignmentFilter } | Select-Object -First 1
+                $FilterMatch = $ExpectedFilter -and ($ExpectedFilter.id -in $ExistingFilterIds)
+            }
+        }
+
+        return $TargetTypeMatch -and $IncludeGroupMatch -and $ExcludeGroupMatch -and $FilterMatch
+
+    } catch {
+        Write-Warning "Compare-CIPPIntuneAssignments failed for tenant $TenantFilter : $($_.Exception.Message)"
+        return $null  # null = unknown, don't treat as mismatch
+    }
+}