Merge pull request #265 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev
KelvinTegelaar · Dec 3, 2024 · 819c270 · 819c270
2 parents 2bde73a + 6822e4b
commit 819c270
Show file tree

Hide file tree

Showing 12 changed files with 373 additions and 255 deletions.
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecDeviceAction.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ExecDeviceAction.ps1
@@ -20,7 +20,19 @@ Function Invoke-ExecDeviceAction {
         if ($Request.Query.Action -eq 'setDeviceName') {
             $ActionBody = @{ deviceName = $Request.Body.input } | ConvertTo-Json -Compress
         }
-        $ActionResult = New-CIPPDeviceAction -Action $Request.Query.Action -ActionBody $ActionBody -DeviceFilter $Request.Query.GUID -TenantFilter $Request.Query.TenantFilter -ExecutingUser $request.headers.'x-ms-client-principal' -APINAME $APINAME
+        else {
+            $ActionBody = $Request.Body | ConvertTo-Json -Compress
+        }
+
+        $cmdparams = @{
+            Action = $Request.Query.Action
+            ActionBody = $ActionBody
+            DeviceFilter = $Request.Query.GUID
+            TenantFilter = $Request.Query.TenantFilter
+            ExecutingUser = $request.headers.'x-ms-client-principal'
+            APINAME = $APINAME
+        }
+        $ActionResult = New-CIPPDeviceAction @cmdparams
         $body = [pscustomobject]@{'Results' = "$ActionResult" }
 
     } catch {

diff --git a/...Core/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroup.ps1 b/...Core/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroup.ps1
@@ -68,7 +68,6 @@ Function Invoke-AddGroup {
                     }
                     $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params
                 }
-                $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params
                 # At some point add logic to use AddOwner/AddMember for New-DistributionGroup, but idk how we're going to brr that - rvdwegen
             }
             "Successfully created group $($groupobj.displayname) for $($tenant)"

diff --git a/...Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListPerUserMFA.ps1 b/...Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ListPerUserMFA.ps1
@@ -0,0 +1,50 @@
+using namespace System.Net
+
+function Invoke-ListPerUserMFA {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Identity.User.Read
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $TriggerMetadata.FunctionName
+    $User = $request.headers.'x-ms-client-principal'
+    Write-LogMessage -user $User -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+
+    # Write to the Azure Functions log stream.
+    Write-Host 'PowerShell HTTP trigger function processed a request.'
+
+    # Parse query parameters
+    $Tenant = $Request.query.tenantFilter
+    try {
+        $AllUsers = [System.Convert]::ToBoolean($Request.query.allUsers)
+    } catch {
+        $AllUsers = $false
+    }
+    $UserId = $Request.query.userId
+
+    # Get the MFA state for the user/all users
+    try {
+        if ($AllUsers -eq $true) {
+            $Results = Get-CIPPPerUserMFA -TenantFilter $Tenant -AllUsers $true
+        } else {
+            $Results = Get-CIPPPerUserMFA -TenantFilter $Tenant -userId $UserId
+        }
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+        $Results = "Failed to get MFA State for $UserId : $ErrorMessage"
+        $StatusCode = [HttpStatusCode]::Forbidden
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = @($Results)
+        })
+
+
+}
diff --git a/Modules/CIPPCore/Public/Get-CIPPMFAState.ps1 b/Modules/CIPPCore/Public/Get-CIPPMFAState.ps1
@@ -92,9 +92,9 @@ function Get-CIPPMFAState {
             }
         }
 
-        $PerUser = if ($PerUserMFAState -eq $null) { $null } else { ($PerUserMFAState | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).PerUserMFAState }
+        $PerUser = if ($null -eq $PerUserMFAState) { $null } else { ($PerUserMFAState | Where-Object -Property UserPrincipalName -EQ $_.UserPrincipalName).PerUserMFAState }
 
-        $MFARegUser = if (($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName).isMFARegistered -eq $null) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName) }
+        $MFARegUser = if ($null -eq ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName).isMFARegistered) { $false } else { ($MFARegistration | Where-Object -Property UserPrincipalName -EQ $_.userPrincipalName) }
 
         [PSCustomObject]@{
             Tenant          = $TenantFilter

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1
@@ -51,6 +51,11 @@ function Invoke-CIPPStandardAntiPhishPolicy {
     param($Tenant, $Settings)
     ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'AntiPhishPolicy'
 
+    $ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
+    $ServicePlans = $ServicePlans.servicePlans.servicePlanName
+    $MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
+    Write-Information "MDOLicensed: $MDOLicensed"
+
     $PolicyList = @('CIPP Default Anti-Phishing Policy','Default Anti-Phishing Policy')
     $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishPolicy' | Where-Object -Property Name -In $PolicyList
     if ($null -eq $ExistingPolicy.Name) {
@@ -69,27 +74,38 @@ function Invoke-CIPPStandardAntiPhishPolicy {
     $CurrentState = $ExistingPolicy |
         Select-Object Name, Enabled, PhishThresholdLevel, EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, EnableSpoofIntelligence, EnableFirstContactSafetyTips, EnableSimilarUsersSafetyTips, EnableSimilarDomainsSafetyTips, EnableUnusualCharactersSafetyTips, EnableUnauthenticatedSender, EnableViaTag, AuthenticationFailAction, SpoofQuarantineTag, MailboxIntelligenceProtectionAction, MailboxIntelligenceQuarantineTag, TargetedUserProtectionAction, TargetedUserQuarantineTag, TargetedDomainProtectionAction, TargetedDomainQuarantineTag, EnableOrganizationDomainsProtection
 
-    $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
-                      ($CurrentState.Enabled -eq $true) -and
-                      ($CurrentState.PhishThresholdLevel -eq $Settings.PhishThresholdLevel) -and
-                      ($CurrentState.EnableMailboxIntelligence -eq $true) -and
-                      ($CurrentState.EnableMailboxIntelligenceProtection -eq $true) -and
-                      ($CurrentState.EnableSpoofIntelligence -eq $true) -and
-                      ($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
-                      ($CurrentState.EnableSimilarUsersSafetyTips -eq $Settings.EnableSimilarUsersSafetyTips) -and
-                      ($CurrentState.EnableSimilarDomainsSafetyTips -eq $Settings.EnableSimilarDomainsSafetyTips) -and
-                      ($CurrentState.EnableUnusualCharactersSafetyTips -eq $Settings.EnableUnusualCharactersSafetyTips) -and
-                      ($CurrentState.EnableUnauthenticatedSender -eq $true) -and
-                      ($CurrentState.EnableViaTag -eq $true) -and
-                      ($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
-                      ($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag) -and
-                      ($CurrentState.MailboxIntelligenceProtectionAction -eq $Settings.MailboxIntelligenceProtectionAction) -and
-                      ($CurrentState.MailboxIntelligenceQuarantineTag -eq $Settings.MailboxIntelligenceQuarantineTag) -and
-                      ($CurrentState.TargetedUserProtectionAction -eq $Settings.TargetedUserProtectionAction) -and
-                      ($CurrentState.TargetedUserQuarantineTag -eq $Settings.TargetedUserQuarantineTag) -and
-                      ($CurrentState.TargetedDomainProtectionAction -eq $Settings.TargetedDomainProtectionAction) -and
-                      ($CurrentState.TargetedDomainQuarantineTag -eq $Settings.TargetedDomainQuarantineTag) -and
-                      ($CurrentState.EnableOrganizationDomainsProtection -eq $true)
+    if ($MDOLicensed) {
+        $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+                          ($CurrentState.Enabled -eq $true) -and
+                          ($CurrentState.PhishThresholdLevel -eq $Settings.PhishThresholdLevel) -and
+                          ($CurrentState.EnableMailboxIntelligence -eq $true) -and
+                          ($CurrentState.EnableMailboxIntelligenceProtection -eq $true) -and
+                          ($CurrentState.EnableSpoofIntelligence -eq $true) -and
+                          ($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
+                          ($CurrentState.EnableSimilarUsersSafetyTips -eq $Settings.EnableSimilarUsersSafetyTips) -and
+                          ($CurrentState.EnableSimilarDomainsSafetyTips -eq $Settings.EnableSimilarDomainsSafetyTips) -and
+                          ($CurrentState.EnableUnusualCharactersSafetyTips -eq $Settings.EnableUnusualCharactersSafetyTips) -and
+                          ($CurrentState.EnableUnauthenticatedSender -eq $true) -and
+                          ($CurrentState.EnableViaTag -eq $true) -and
+                          ($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
+                          ($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag) -and
+                          ($CurrentState.MailboxIntelligenceProtectionAction -eq $Settings.MailboxIntelligenceProtectionAction) -and
+                          ($CurrentState.MailboxIntelligenceQuarantineTag -eq $Settings.MailboxIntelligenceQuarantineTag) -and
+                          ($CurrentState.TargetedUserProtectionAction -eq $Settings.TargetedUserProtectionAction) -and
+                          ($CurrentState.TargetedUserQuarantineTag -eq $Settings.TargetedUserQuarantineTag) -and
+                          ($CurrentState.TargetedDomainProtectionAction -eq $Settings.TargetedDomainProtectionAction) -and
+                          ($CurrentState.TargetedDomainQuarantineTag -eq $Settings.TargetedDomainQuarantineTag) -and
+                          ($CurrentState.EnableOrganizationDomainsProtection -eq $true)
+    } else {
+        $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+                          ($CurrentState.Enabled -eq $true) -and
+                          ($CurrentState.EnableSpoofIntelligence -eq $true) -and
+                          ($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
+                          ($CurrentState.EnableUnauthenticatedSender -eq $true) -and
+                          ($CurrentState.EnableViaTag -eq $true) -and
+                          ($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
+                          ($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag)
+    }
 
     $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
 
@@ -106,27 +122,39 @@ function Invoke-CIPPStandardAntiPhishPolicy {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Anti-phishing policy already correctly configured' -sev Info
         } else {
-            $cmdparams = @{
-                Enabled                             = $true
-                PhishThresholdLevel                 = $Settings.PhishThresholdLevel
-                EnableMailboxIntelligence           = $true
-                EnableMailboxIntelligenceProtection = $true
-                EnableSpoofIntelligence             = $true
-                EnableFirstContactSafetyTips        = $Settings.EnableFirstContactSafetyTips
-                EnableSimilarUsersSafetyTips        = $Settings.EnableSimilarUsersSafetyTips
-                EnableSimilarDomainsSafetyTips      = $Settings.EnableSimilarDomainsSafetyTips
-                EnableUnusualCharactersSafetyTips   = $Settings.EnableUnusualCharactersSafetyTips
-                EnableUnauthenticatedSender         = $true
-                EnableViaTag                        = $true
-                AuthenticationFailAction            = $Settings.AuthenticationFailAction
-                SpoofQuarantineTag                  = $Settings.SpoofQuarantineTag
-                MailboxIntelligenceProtectionAction = $Settings.MailboxIntelligenceProtectionAction
-                MailboxIntelligenceQuarantineTag    = $Settings.MailboxIntelligenceQuarantineTag
-                TargetedUserProtectionAction        = $Settings.TargetedUserProtectionAction
-                TargetedUserQuarantineTag           = $Settings.TargetedUserQuarantineTag
-                TargetedDomainProtectionAction      = $Settings.TargetedDomainProtectionAction
-                TargetedDomainQuarantineTag         = $Settings.TargetedDomainQuarantineTag
-                EnableOrganizationDomainsProtection = $true
+            if ($MDOLicensed) {
+                $cmdparams = @{
+                    Enabled                             = $true
+                    PhishThresholdLevel                 = $Settings.PhishThresholdLevel
+                    EnableMailboxIntelligence           = $true
+                    EnableMailboxIntelligenceProtection = $true
+                    EnableSpoofIntelligence             = $true
+                    EnableFirstContactSafetyTips        = $Settings.EnableFirstContactSafetyTips
+                    EnableSimilarUsersSafetyTips        = $Settings.EnableSimilarUsersSafetyTips
+                    EnableSimilarDomainsSafetyTips      = $Settings.EnableSimilarDomainsSafetyTips
+                    EnableUnusualCharactersSafetyTips   = $Settings.EnableUnusualCharactersSafetyTips
+                    EnableUnauthenticatedSender         = $true
+                    EnableViaTag                        = $true
+                    AuthenticationFailAction            = $Settings.AuthenticationFailAction
+                    SpoofQuarantineTag                  = $Settings.SpoofQuarantineTag
+                    MailboxIntelligenceProtectionAction = $Settings.MailboxIntelligenceProtectionAction
+                    MailboxIntelligenceQuarantineTag    = $Settings.MailboxIntelligenceQuarantineTag
+                    TargetedUserProtectionAction        = $Settings.TargetedUserProtectionAction
+                    TargetedUserQuarantineTag           = $Settings.TargetedUserQuarantineTag
+                    TargetedDomainProtectionAction      = $Settings.TargetedDomainProtectionAction
+                    TargetedDomainQuarantineTag         = $Settings.TargetedDomainQuarantineTag
+                    EnableOrganizationDomainsProtection = $true
+                }
+            } else {
+                $cmdparams = @{
+                    Enabled                             = $true
+                    EnableSpoofIntelligence             = $true
+                    EnableFirstContactSafetyTips        = $Settings.EnableFirstContactSafetyTips
+                    EnableUnauthenticatedSender         = $true
+                    EnableViaTag                        = $true
+                    AuthenticationFailAction            = $Settings.AuthenticationFailAction
+                    SpoofQuarantineTag                  = $Settings.SpoofQuarantineTag
+                }
             }
 
             if ($CurrentState.Name -eq $PolicyName) {

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1
@@ -42,9 +42,9 @@ function Invoke-CIPPStandardDisableEmail {
 
     if ($Settings.alert -eq $true) {
         if ($StateIsCorrect -eq $true) {
-            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Email authentication method is enabled' -sev Alert
-        } else {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Email authentication method is not enabled' -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Email authentication method is enabled' -sev Alert
         }
     }
 

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1
@@ -42,9 +42,9 @@ function Invoke-CIPPStandardDisableSMS {
 
     if ($Settings.alert -eq $true) {
         if ($StateIsCorrect -eq $true) {
-            Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMS authentication method is enabled' -sev Alert
-        } else {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMS authentication method is not enabled' -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMS authentication method is enabled' -sev Alert
         }
     }
 

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1
@@ -42,9 +42,9 @@ function Invoke-CIPPStandardDisableVoice {
 
     if ($Settings.alert -eq $true) {
         if ($StateIsCorrect -eq $true) {
-            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Voice authentication method is enabled' -sev Alert
-        } else {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Voice authentication method is not enabled' -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Voice authentication method is enabled' -sev Alert
         }
     }
 

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
@@ -42,9 +42,9 @@ function Invoke-CIPPStandardDisablex509Certificate {
 
     if ($Settings.alert -eq $true) {
         if ($StateIsCorrect -eq $true) {
-            Write-LogMessage -API 'Standards' -tenant $tenant -message 'x509Certificate authentication method is enabled' -sev Alert
-        } else {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'x509Certificate authentication method is not enabled' -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'x509Certificate authentication method is enabled' -sev Alert
         }
     }