Disable site creation by standard users - Does not correctly prevent site creation #2916

Closed
BPT-CIPP opened this issue Oct 3, 2024 · 4 comments
Labels
bug Something isn't working unconfirmed-by-user

BPT-CIPP commented Oct 3, 2024

Description

Apologies in advance, as I am not truly a dev and may not follow usual GitHub etiquette.

The standard currently only changes the "isSiteCreationEnabled" flag, but does not change the "isSiteCreationUIEnabled" flag.
The isSiteCreationUIEnabled flag appears to control if the site creation is allowed through the UI (web).

I am assuming the "isSiteCreationEnabled" flag changes behavior through API/PowerShell.

I have updated the PowerShell and tested on my installation, and the changes below appear to work.

"isSiteCreationUIEnabled": true

[screenshot]

"isSiteCreationUIEnabled": false

[screenshot]

Invoke-CIPPStandardDisableUserSiteCreate.ps1
updated code:

function Invoke-CIPPStandardDisableUserSiteCreate {
    <#
    .FUNCTIONALITY
        Internal
    .COMPONENT
        (APIName) DisableUserSiteCreate
    .SYNOPSIS
        (Label) Disable site creation by standard users
    .DESCRIPTION
        (Helptext) Disables users from creating new SharePoint sites
        (DocsDescription) Disables standard users from creating SharePoint sites, also disables the ability to fully create teams
    .NOTES
        CAT
            SharePoint Standards
        TAG
            "highimpact"
        ADDEDCOMPONENT
        IMPACT
            High Impact
        POWERSHELLEQUIVALENT
            Update-MgAdminSharepointSetting
        RECOMMENDEDBY
        UPDATECOMMENTBLOCK
            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
    .LINK
        https://docs.cipp.app/user-documentation/tenant/standards/edit-standards
    #>

    param($Tenant, $Settings)
    ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'DisableUserSiteCreate'

    $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true

    If ($Settings.remediate -eq $true) {

        if ($CurrentInfo.isSiteCreationEnabled -or $CurrentInfo.isSiteCreationUIEnabled) {
            try {
                $body = '{"isSiteCreationEnabled": false, "isSiteCreationUIEnabled": false}'
                $null = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json'
                Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled standard users from creating sites and adjusted UI setting' -sev Info
            } catch {
                $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable standard users from creating sites: $ErrorMessage" -sev Error
            }
        } else {
            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standard users are already disabled from creating sites and UI setting is adjusted' -sev Info
        }

    }

    if ($Settings.alert -eq $true) {

        if ($CurrentInfo.isSiteCreationEnabled -eq $false -and $CurrentInfo.isSiteCreationUIEnabled -eq $false) {
            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standard users are not allowed to create sites and UI setting is disabled' -sev Info
        } else {
            Write-LogMessage -API 'Standards' -tenant $tenant -message 'Standard users are allowed to create sites or UI setting is enabled' -sev Alert
        }
    }

    if ($Settings.report -eq $true) {
        Add-CIPPBPAField -FieldName 'DisableUserSiteCreate' -FieldValue $CurrentInfo.isSiteCreationEnabled -StoreAs bool -Tenant $tenant
        Add-CIPPBPAField -FieldName 'DisableUserSiteCreateUI' -FieldValue $CurrentInfo.isSiteCreationUIEnabled -StoreAs bool -Tenant $tenant
    }
}

Environment data

Non-sponsored
Front End Version Number:
Back End Version Number:

Tried Tenant Cache Clear: true
Tried Token Cache Clear: true

Also tested solution and verified functionality.
@BPT-CIPP BPT-CIPP added bug Something isn't working unconfirmed-by-user labels Oct 3, 2024
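
As an added example (not part of the original issue or the CIPP code base), the following PowerShell classifies a settings object by both flags named in the report, so a tenant where only isSiteCreationEnabled was cleared shows up as partial, and a missing flag is reported as indeterminate instead of being read as disabled. Test-SiteCreationLockdown, the verdict names and the sample JSON are assumptions constructed for illustration.

```powershell
# Added example (not CIPP code). Test-SiteCreationLockdown is a hypothetical helper.
function Test-SiteCreationLockdown {
    param($SharePointSettings)

    $flags = 'isSiteCreationEnabled', 'isSiteCreationUIEnabled'
    $findings = foreach ($flag in $flags) {
        # Look the property up instead of assuming the response contains it.
        $prop = if ($null -ne $SharePointSettings) {
            $SharePointSettings.PSObject.Properties[$flag]
        }
        $state = if ($null -eq $prop -or $prop.Value -isnot [bool]) {
            'Unknown'      # missing or non-boolean: never read this as "disabled"
        } elseif ($prop.Value) {
            'Enabled'
        } else {
            'Disabled'
        }
        [pscustomobject]@{ Flag = $flag; State = $state }
    }

    $unknown = @($findings | Where-Object State -EQ 'Unknown')
    $enabled = @($findings | Where-Object State -EQ 'Enabled')
    $verdict = if ($unknown.Count -gt 0) {
        'Indeterminate'
    } elseif ($enabled.Count -eq 0) {
        'LockedDown'
    } elseif ($enabled.Count -eq $flags.Count) {
        'Open'
    } else {
        'Partial'          # one path closed, the other still open
    }

    [pscustomobject]@{
        Verdict   = $verdict
        Compliant = ($verdict -eq 'LockedDown')
        Detail    = ($findings | ForEach-Object { '{0}={1}' -f $_.Flag, $_.State }) -join '; '
    }
}

# Constructed sample responses (JSON shaped like the settings object on this page).
$samples = [ordered]@{
    'only isSiteCreationEnabled cleared' = '{"isSiteCreationEnabled": false, "isSiteCreationUIEnabled": true}'
    'both flags cleared'                 = '{"isSiteCreationEnabled": false, "isSiteCreationUIEnabled": false}'
    'UI flag absent from response'       = '{"isSiteCreationEnabled": false}'
}
foreach ($name in $samples.Keys) {
    $result = Test-SiteCreationLockdown -SharePointSettings ($samples[$name] | ConvertFrom-Json)
    '{0,-36} {1,-14} {2}' -f $name, $result.Verdict, $result.Detail
}
```

To check a live tenant, pass in the object returned by the settings GET request shown in the issue's code.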

github-actions bot commented Oct 3, 2024

Thank you for creating a bug. Please make sure your bug is indeed a unique case by checking current and past issues, and reading the complete documentation at https://docs.cipp.app/
If your bug is a known documentation issue, it will be closed without notice by a contributor. To confirm that this is not a bug found in the documentation, please copy and paste the following comment: "I confirm that I have checked the documentation thoroughly and believe this to be an actual bug."

Without confirming, your report will be closed in 24 hours. If you'd like this bug to be assigned to you, please comment "I would like to work on this please!".

@BPT-CIPP
Author

BPT-CIPP commented Oct 3, 2024

I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.

@KelvinTegelaar
Owner

That's great! Thanks. Let us know if you're on Discord and we'll give you a contributor tag!

@BPT-CIPP
Author

BPT-CIPP commented Oct 4, 2024

I am on Discord! - mhollierbpt_51429

Thanks!

franksnl pushed a commit to franksnl/CIPP-API that referenced this issue Oct 7, 2024
jchurchh pushed a commit to jchurchh/CIPP-API that referenced this issue Nov 15, 2024
* offboarding tweaks

* offboarding tweaks

* Update Package.zip

* Move group check inside if statement

* Ninja: Add try/catch around secure score

Addresses issues with $MaxSecureScore being 0

* fix keyvault refs

* Change to not show/disable the Out of office hidden rule

* Permission tweaks

* permission fixes for CPV

* New audit log search

* New audit logs

* audit logs

* try / catch

* Update Push-AuditLogTenant.ps1

* audit logs

* audit log tweaks

* Update Push-AuditLogTenant.ps1

* Update Invoke-ExecJITAdmin.ps1

Added tenant to the log entry

* Update Push-AuditLogTenant.ps1

* audit logs

* Update Push-AuditLogTenant.ps1

* audit logs fixes

* Fix api role permissions

* Update Start-AuditLogOrchestrator.ps1

* Update Push-AuditLogTenant.ps1

* Update Push-AuditLogTenant.ps1

* Fix issues with graph requests missing data

Only use -ComplexFilter when $filter is present

* Add sharepoint admin url endpoint

* Create Get-CippLastAuditLogSearch.ps1

* Update Start-AuditLogOrchestrator.ps1

* tweak timing

* audit logs

tweak timing

Update Start-AuditLogOrchestrator.ps1

Create Get-CippLastAuditLogSearch.ps1

Add sharepoint admin url endpoint

Fix issues with graph requests missing data

Only use -ComplexFilter when $filter is present

Update Push-AuditLogTenant.ps1

Update Push-AuditLogTenant.ps1

Update Start-AuditLogOrchestrator.ps1

Fix api role permissions

audit logs fixes

Update Push-AuditLogTenant.ps1

audit logs

Update Push-AuditLogTenant.ps1

Update Push-AuditLogTenant.ps1

audit log tweaks

audit logs

Update Push-AuditLogTenant.ps1

try / catch

New audit logs

* Update Start-AuditLogOrchestrator.ps1

* Update Start-AuditLogOrchestrator.ps1

* Update Start-AuditLogOrchestrator.ps1

* Update Start-AuditLogOrchestrator.ps1

* Update Start-AuditLogOrchestrator.ps1

* Update Start-AuditLogOrchestrator.ps1

* update timer

* Update Get-CIPPAlertQuotaUsed.ps1

* Update Start-AuditLogOrchestrator.ps1

* Update Get-CippAuditLogSearchResults.ps1

* Update Test-CIPPAuditLogRules.ps1

* pushing cippauditlogsearch

* Update Start-AuditLogOrchestrator.ps1

* Audit log cleanup

* Audit log tweaks

* Update Push-AuditLogBundleProcessing.ps1

* Add audit record

* Update Get-CIPPTimerFunctions.ps1

* Update Test-CIPPAuditLogRules.ps1

* Update Invoke-ListGraphRequest.ps1

* Copy group membership on add user

Improve performance
Add handling for additional group types
Add followup task for exchange groups if user hasn't replicated

* Update Set-CIPPCopyGroupMembers.ps1

* add webhookcreation task cleanup

* Adjust parameters for ListAuditLogTest

* New audit log api endpoints

* Update Push-AuditLogTenant.ps1

* Update Invoke-ListAuditLogSearches.ps1

* Cleanup triggers

* AsApp support

* Update Get-GraphRequestList.ps1

* Added Expand assignments

* JD Cleanup

Co-Authored-By: John Duprey <[email protected]>

* added logging

* Add or update the Azure App Service build and deployment workflow config

* logging

* update logging

* change to write warning to be able to read logs better in insights

* removing redundant logging

* log

* logon value logging

* test

* Fix Teams Global Meeting Policy StateIsCorrect

* add 1 hour to enddate

* changed start time to include an entire hour

* Add or update the Azure App Service build and deployment workflow config

* AntiPhish standard update

Fixes ticket 3458533280

* Audit log alerts

* update prefilter

* whoops

* Test stuff

* remove ExchangeItemAggregated

* revert

* revert

* User Offboarding - Schedule license removal

Fixes ticket 3399058699

* Update Invoke-CIPPStandardDisableUserSiteCreate.ps1

fixes KelvinTegelaar/CIPP#2916

* Delete Package.zip

* six five zero

* CPV partner tenant support

* Remove return on exo exception

* Fix listmailboxes param issue

* Fix CA vacation mode exclusion

Switch to AsApp so not impacted by CA changes

* Update domain analyser

Remove returns on exceptions for each test
Add new signature domain to domain list exclusion

* Correct issue with standard

* Optimize tenant refresh in onboarding

* Ninja webhook error handling

* Adjust logging webhooks for ninja

* Add function node to log messages

* Fix issue with ProcessorQueue functions

* Add missing timer

* app upload tweaks

* Update Start-CIPPProcessorQueue.ps1

* Update Start-CIPPProcessorQueue.ps1

* cleanup generic graph request

* Fix LAPS & error msgs

* handle json conversion issues in BPA

* NinjaOne API validation & fixes

Update standards.json file
Add hostname check to ExecExtensionsConfig
Add hostname check to NinjaOneTenantSync

* Fix complex queries

* Update Set-CIPPAssignedPolicy.ps1

* fix list intune policy urlname

* filter queries

* Intune

* Update Invoke-CIPPStandardPerUserMFA.ps1

* Audit log limit processing

* tweak audit log search query

* Remove queues from application approval

* Update Invoke-NinjaOneTenantSync.ps1

* Audit log error handling

* Update version_latest.txt

* ninja edit

* up version

* fix: InTune Compliance Policy deployment

* update delete template

* update to rerun detection

* filter final tenant result

* Clean up get-tenants

* fix: AuditLog check true or false

* Unify processorfunction injection

* add Login:reprocess to exclude

* Update Add-CIPPDelegatedPermission.ps1

* Update Start-CIPPProcessorQueue.ps1

* fix ninja url

* domain analyser fixes

* ExecBPA fix for offloading

* rerun tweaks

* Update azbobbytables to 3.3.1

* Add -Force to remove-azdatatableentity

* more error handling

* Update Push-AuditLogTenant.ps1

* Update Push-AuditLogTenant.ps1

* Small change to make it easier to add exclusions in the future

* entrypoint tweaks

* feat: New TeamsEnrollUser Standard

* fix: rename Remove-CIPPAzDataTableEntity function

* fix: improvements for Anti-phishing

* fix: small tweak to Spam Filter Policy

* fix: SafeLinks,SafeAttachment,Malware policy tweaks

* Add ExternalDirectoryObjectId to ListMailbox

* Add logging name param and change to use it for logging messages

* Add loggingName param and clean up a wrong logging message

* standards logging

* durable cleanup

* Add MFA reset back in

* bugfix

* Refactor block signin and alias addition logic in Invoke-AddSharedMailbox function

* Add SharePoint quota info to AlertData

* Update ContentType in New-ExoRequest function to include charset

* Refactor Invoke-AddRoomMailbox function to improve tenant ID handling and error logging

* Refactor Invoke-AddSharedMailbox function to enhance tenant ID handling and improve error logging

* feat: added IntuneComplianceSettings standard

* fix: check if $state -eq $true

* fix: ActivityBasedTimeout StateIsCorrect

* fix: remove try catch

* feat: new Guest Invite standard

* feat: Customize AllowAnonymousUsersToJoinMeeting

* Audit log tweaks

* feat: Customization MeetingChatEnabledType

* Fix partner webhook standards setting

* backup tweaks, fix DA issue

* the real domain analyser fix

* Durable cleanup tweak

Audit log tweak

* more timer tweaks

* Update version_latest.txt

---------

Co-authored-by: John Duprey <[email protected]>
Co-authored-by: John Duprey <[email protected]>
Co-authored-by: Kristian Kjærgård <[email protected]>
Co-authored-by: BNWEIN <[email protected]>
Co-authored-by: KelvinTegelaar <[email protected]>
Co-authored-by: KelvinTegelaar <[email protected]>
Co-authored-by: Esco <[email protected]>
Co-authored-by: John Duprey <[email protected]>
Co-authored-by: Kristian Kjærgård <[email protected]>
Co-authored-by: Craig Bradwell <[email protected]>