Merge pull request #597 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewAppApproval.ps1

@@ -12,41 +12,56 @@ function Get-CIPPAlertNewAppApproval {
         $TenantFilter,
         $Headers
     )
-    try {
-        $Approvals = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests?`$filter=userConsentRequests/any (u:u/status eq 'InProgress')" -tenantid $TenantFilter
-        if ($Approvals.count -gt 0) {
-            $TenantGUID = (Get-Tenants -TenantFilter $TenantFilter -SkipDomains).customerId
-            $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
-            foreach ($App in $Approvals) {
-                $userConsentRequests = New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests/$($App.id)/userConsentRequests" -tenantid $TenantFilter
-                $userConsentRequests | ForEach-Object {
-                    $consentUrl = if ($App.consentType -eq 'Static') {
-                        # if something is going wrong here you've probably stumbled on a fourth variation - rvdwegen
-                        "https://login.microsoftonline.com/$($TenantFilter)/adminConsent?client_id=$($App.appId)&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
-                    } elseif ($App.pendingScopes.displayName) {
-                        "https://login.microsoftonline.com/$($TenantFilter)/v2.0/adminConsent?client_id=$($App.appId)&scope=$($App.pendingScopes.displayName -Join(' '))&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
-                    } else {
-                        "https://login.microsoftonline.com/$($TenantFilter)/adminConsent?client_id=$($App.appId)&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
+
+    Measure-CippTask -TaskName 'NewAppApprovalAlert' -EventName 'CIPP.AlertProfile' -Script {
+        try {
+            $Approvals = Measure-CippTask -TaskName 'GetAppConsentRequests' -EventName 'CIPP.AlertProfile' -Script {
+                New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests?`$top=100&`$filter=userConsentRequests/any (u:u/status eq 'InProgress')" -tenantid $TenantFilter
+            }
+
+            if ($Approvals.count -gt 0) {
+                Measure-CippTask -TaskName 'ProcessApprovals' -EventName 'CIPP.AlertProfile' -Script {
+                    $TenantGUID = (Get-Tenants -TenantFilter $TenantFilter -SkipDomains).customerId
+                    $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+                    foreach ($App in $Approvals) {
+                        $userConsentRequests = Measure-CippTask -TaskName 'GetUserConsentRequests' -EventName 'CIPP.AlertProfile' -Script {
+                            New-GraphGetRequest -Uri "https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests/$($App.id)/userConsentRequests" -tenantid $TenantFilter
+                        }
+
+                        $userConsentRequests | ForEach-Object {
+                            $consentUrl = if ($App.consentType -eq 'Static') {
+                                # if something is going wrong here you've probably stumbled on a fourth variation - rvdwegen
+                                "https://login.microsoftonline.com/$($TenantFilter)/adminConsent?client_id=$($App.appId)&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
+                            } elseif ($App.pendingScopes.displayName) {
+                                "https://login.microsoftonline.com/$($TenantFilter)/v2.0/adminConsent?client_id=$($App.appId)&scope=$($App.pendingScopes.displayName -Join(' '))&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
+                            } else {
+                                "https://login.microsoftonline.com/$($TenantFilter)/adminConsent?client_id=$($App.appId)&bf_id=$($App.id)&redirect_uri=https://entra.microsoft.com/TokenAuthorize"
+                            }
+
+                            $Message = [PSCustomObject]@{
+                                RequestId   = $_.id
+                                AppName     = $App.appDisplayName
+                                RequestUser = $_.createdBy.user.userPrincipalName
+                                Reason      = $_.reason
+                                RequestDate = $_.createdDateTime
+                                Status      = $_.status # Will allways be InProgress as we filter to only get these but this will reduce confusion when an alert is generated
+                                AppId       = $App.appId
+                                Scopes      = ($App.pendingScopes.displayName -join ', ')
+                                ConsentURL  = $consentUrl
+                                Tenant      = $TenantFilter
+                                TenantId    = $TenantGUID
+                            }
+                            $AlertData.Add($Message)
+                        }
                     }
 
-                    $Message = [PSCustomObject]@{
-                        RequestId   = $_.id
-                        AppName     = $App.appDisplayName
-                        RequestUser = $_.createdBy.user.userPrincipalName
-                        Reason      = $_.reason
-                        RequestDate = $_.createdDateTime
-                        Status      = $_.status # Will allways be InProgress as we filter to only get these but this will reduce confusion when an alert is generated
-                        AppId       = $App.appId
-                        Scopes      = ($App.pendingScopes.displayName -join ', ')
-                        ConsentURL  = $consentUrl
-                        Tenant      = $TenantFilter
-                        TenantId    = $TenantGUID
+                    Measure-CippTask -TaskName 'WriteAlertTrace' -EventName 'CIPP.AlertProfile' -Script {
+                        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
                     }
-                    $AlertData.Add($Message)
                 }
             }
-            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        } catch {
         }
-    } catch {
     }
 }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuarantineReleaseRequests.ps1

@@ -0,0 +1,56 @@
+function Get-CIPPAlertQuarantineReleaseRequests {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    $HasLicense = Test-CIPPStandardLicense -StandardName 'QuarantineReleaseRequests' -TenantFilter $TenantFilter -RequiredCapabilities @(
+        'EXCHANGE_S_STANDARD',
+        'EXCHANGE_S_ENTERPRISE',
+        'EXCHANGE_S_STANDARD_GOV',
+        'EXCHANGE_S_ENTERPRISE_GOV',
+        'EXCHANGE_LITE'
+    )
+
+    if (-not $HasLicense) {
+        return
+    }
+
+    try {
+        $RequestedReleases = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ PageSize = 1000; ReleaseStatus = 'Requested' } -ErrorAction Stop | Select-Object -ExcludeProperty *data.type*
+
+        if ($RequestedReleases) {
+            # Get the CIPP URL for the Quarantine link
+            $CippConfigTable = Get-CippTable -tablename Config
+            $CippConfig = Get-CIPPAzDataTableEntity @CippConfigTable -Filter "PartitionKey eq 'InstanceProperties' and RowKey eq 'CIPPURL'"
+            $CIPPUrl = 'https://{0}' -f $CippConfig.Value
+
+            $AlertData = foreach ($Message in $RequestedReleases) {
+                [PSCustomObject]@{
+                    Identity          = $Message.Identity
+                    MessageId         = $Message.MessageId
+                    Subject           = $Message.Subject
+                    SenderAddress     = $Message.SenderAddress
+                    RecipientAddress  = $Message.RecipientAddress
+                    Type              = $Message.Type
+                    PolicyName        = $Message.PolicyName
+                    ReleaseStatus     = $Message.ReleaseStatus
+                    ReceivedTime      = $Message.ReceivedTime
+                    QuarantineViewUrl = "$CIPPUrl/email/administration/quarantine?tenantFilter=$TenantFilter"
+                    Tenant            = $TenantFilter
+                }
+            }
+
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        }
+    } catch {
+        Write-AlertMessage -tenant $TenantFilter -message "QuarantineReleaseRequests: $(Get-NormalizedError -message $_.Exception.Message)"
+    }
+}

Modules/CIPPCore/Public/GraphHelper/New-GraphGetRequest.ps1

@@ -87,13 +87,21 @@ function New-GraphGetRequest {
                     $RequestSuccessful = $true
 
                     if ($ReturnRawResponse) {
-                        if (Test-Json -Json $Data.Content) {
-                            $Content = $Data.Content | ConvertFrom-Json
-                        } else {
+                        try {
+                            if ($Data.Content -and (Test-Json -Json $Data.Content -ErrorAction Stop)) {
+                                $Content = $Data.Content | ConvertFrom-Json
+                            } else {
+                                $Content = $Data.Content
+                            }
+                        } catch {
                             $Content = $Data.Content
                         }
 
-                        $Data | Select-Object -Property StatusCode, StatusDescription, @{Name = 'Content'; Expression = { $Content } }
+                        [PSCustomObject]@{
+                            StatusCode        = $Data.StatusCode
+                            StatusDescription = $Data.StatusDescription
+                            Content           = $Content
+                        }
                         $nextURL = $null
                     } elseif ($CountOnly) {
                         $Data.'@odata.count'

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDMARCToMOERA.ps1

@@ -51,7 +51,10 @@ function Invoke-CIPPStandardAddDMARCToMOERA {
 
         $CurrentInfo = $Domains | ForEach-Object {
             # Get current DNS records that matches _dmarc hostname and TXT type
-            $CurrentRecords = New-GraphGetRequest -scope 'https://admin.microsoft.com/.default' -TenantID $Tenant -Uri "https://admin.microsoft.com/admin/api/Domains/Records?domainName=$($_.Name)" | Select-Object -ExpandProperty DnsRecords | Where-Object { $_.HostName -eq $RecordModel.HostName -and $_.Type -eq $RecordModel.Type }
+            $RecordsResponse = New-GraphGetRequest -scope 'https://admin.microsoft.com/.default' -TenantID $Tenant -Uri "https://admin.microsoft.com/admin/api/Domains/Records?domainName=$($_.Name)" -extraHeaders @{'User-Agent' = 'CIPP/1.0' }
+            $AllRecords = $RecordsResponse | Select-Object -ExpandProperty DnsRecords
+            $CurrentRecords = $AllRecords | Where-Object { $_.HostName -eq '_dmarc' -and $_.Type -eq 'TXT' }
+            Write-Information "Found $($CurrentRecords.count) DMARC records for domain $($_.Name)"
 
             if ($CurrentRecords.count -eq 0) {
                 #record not found, return a model with Match set to false
@@ -87,8 +90,8 @@ function Invoke-CIPPStandardAddDMARCToMOERA {
                 }
             }
         }
-        # Check if match is true and there is only one DMARC record for the domain
-        $StateIsCorrect = $false -notin $CurrentInfo.Match -and $CurrentInfo.Count -eq 1
+        # Check if match is true and there is only one DMARC record for each domain
+        $StateIsCorrect = $false -notin $CurrentInfo.Match -and $CurrentInfo.Count -eq $Domains.Count
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
         if ($_.Exception.Message -like '*403*') {
@@ -107,13 +110,29 @@ function Invoke-CIPPStandardAddDMARCToMOERA {
             # Loop through each domain and set the DMARC record, existing misconfigured records and duplicates will be deleted
             foreach ($Domain in ($CurrentInfo | Sort-Object -Property DomainName -Unique)) {
                 try {
-                    foreach ($Record in ($CurrentInfo | Where-Object -Property DomainName -EQ $Domain.DomainName)) {
+                    $DomainRecords = @($CurrentInfo | Where-Object -Property DomainName -EQ $Domain.DomainName)
+                    $HasMatchingRecord = $false
+
+                    # First, delete any non-matching records
+                    foreach ($Record in $DomainRecords) {
                         if ($Record.CurrentRecord) {
-                            New-GraphPOSTRequest -tenantid $tenant -scope 'https://admin.microsoft.com/.default' -Uri "https://admin.microsoft.com/admin/api/Domains/Record?domainName=$($Domain.DomainName)" -Body ($Record.CurrentRecord | ConvertTo-Json -Compress) -AddedHeaders @{'x-http-method-override' = 'Delete' }
-                            Write-LogMessage -API 'Standards' -tenant $tenant -message "Deleted incorrect DMARC record for domain $($Domain.DomainName)" -sev Info
+                            if ($Record.Match -eq $false) {
+                                # Delete incorrect record
+                                New-GraphPOSTRequest -tenantid $tenant -scope 'https://admin.microsoft.com/.default' -Uri "https://admin.microsoft.com/admin/api/Domains/Record?domainName=$($Domain.DomainName)" -Body ($Record.CurrentRecord | ConvertTo-Json -Compress) -AddedHeaders @{'x-http-method-override' = 'Delete' }
+                                Write-LogMessage -API 'Standards' -tenant $tenant -message "Deleted incorrect DMARC record for domain $($Domain.DomainName)" -sev Info
+                            } else {
+                                # Record already matches, no need to add
+                                $HasMatchingRecord = $true
+                            }
                         }
+                    }
+
+                    # Only add the record if we don't already have a matching one
+                    if (-not $HasMatchingRecord) {
                         New-GraphPOSTRequest -tenantid $tenant -scope 'https://admin.microsoft.com/.default' -type 'PUT' -Uri "https://admin.microsoft.com/admin/api/Domains/Record?domainName=$($Domain.DomainName)" -Body (@{RecordModel = $RecordModel } | ConvertTo-Json -Compress)
                         Write-LogMessage -API 'Standards' -tenant $tenant -message "Set DMARC record for domain $($Domain.DomainName)" -sev Info
+                    } else {
+                        Write-LogMessage -API 'Standards' -tenant $tenant -message "DMARC record already correctly set for domain $($Domain.DomainName)" -sev Info
                     }
                 } catch {
                     $ErrorMessage = Get-CippException -Exception $_

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1

@@ -49,8 +49,7 @@ function Invoke-CIPPStandardEnableMailboxAuditing {
 
     try {
         $AuditState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AuditDisabled
-    }
-    catch {
+    } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
         Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the EnableMailboxAuditing state for $Tenant. Error: $ErrorMessage" -Sev Error
         return
@@ -71,25 +70,30 @@ function Invoke-CIPPStandardEnableMailboxAuditing {
             $LogMessage = 'Tenant level mailbox audit already enabled. '
         }
 
-        # Check for mailbox audit on all mailboxes. Enable for all that it's not enabled for
-        $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{filter = "auditenabled -eq 'False'" } -useSystemMailbox $true -Select 'AuditEnabled,UserPrincipalName'
-        $Request = $mailboxes | ForEach-Object {
-            @{
-                CmdletInput = @{
-                    CmdletName = 'Set-Mailbox'
-                    Parameters = @{Identity = $_.UserPrincipalName; AuditEnabled = $true }
-                }
-            }
-        }
+        # Commented out because MS recommends NOT doing this anymore. From docs: https://learn.microsoft.com/en-us/purview/audit-mailboxes#verify-mailbox-auditing-on-by-default-is-turned-on
+        # When you turn on mailbox auditing on by default for the organization, the AuditEnabled property for affected mailboxes doesn't change from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes.
+        # Auditing is automatically turned on when you create a new mailbox. You don't need to manually enable mailbox auditing for new users.
+        # You don't need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each sign-in type (Admin, Delegate, and Owner).
+        # When Microsoft releases a new mailbox action, the action might be added automatically to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This result means you don't need to add new actions on mailboxes as they're released.
+        # You have a consistent mailbox auditing policy across your organization because you're auditing the same actions for all mailboxes.
+        #$Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{filter = "auditenabled -eq 'False'" } -useSystemMailbox $true -Select 'AuditEnabled,UserPrincipalName'
+        #$Request = $mailboxes | ForEach-Object {
+        #    @{
+        #       CmdletInput = @{
+        #          CmdletName = 'Set-Mailbox'
+        #         Parameters = @{Identity = $_.UserPrincipalName; AuditEnabled = $true }
+        #    }
+        #}
+        #}
 
-        $BatchResults = New-ExoBulkRequest -tenantid $tenant -cmdletArray @($Request)
-        $BatchResults | ForEach-Object {
-            if ($_.error) {
-                $ErrorMessage = Get-NormalizedError -Message $_.error
-                Write-Host "Failed to enable user level mailbox audit for $($_.target). Error: $ErrorMessage"
-                Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to enable user level mailbox audit for $($_.target). Error: $ErrorMessage" -sev Error
-            }
-        }
+        #$BatchResults = New-ExoBulkRequest -tenantid $tenant -cmdletArray @($Request)
+        #$BatchResults | ForEach-Object {
+        #    if ($_.error) {
+        #        $ErrorMessage = Get-NormalizedError -Message $_.error
+        #        Write-Host "Failed to enable user level mailbox audit for $($_.target). Error: $ErrorMessage"
+        #        Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to enable user level mailbox audit for $($_.target). Error: $ErrorMessage" -sev Error
+        # }
+        #}
 
         # Disable audit bypass for all mailboxes that have it enabled
 

cspell.json

@@ -14,6 +14,7 @@
     "CIPP-API",
     "CIPPCPV",
     "CIPPGDAP",
+    "CIPPURL",
     "Connectwise",
     "CPIM",
     "Datto",

host.json

@@ -10,8 +10,8 @@
   "functionTimeout": "00:10:00",
   "extensions": {
     "durableTask": {
-      "maxConcurrentActivityFunctions": 5,
-      "maxConcurrentOrchestratorFunctions": 2,
+      "maxConcurrentActivityFunctions": 1,
+      "maxConcurrentOrchestratorFunctions": 5,
       "tracing": {
         "distributedTracingEnabled": false,
         "version": "None"
@@ -20,13 +20,5 @@
       "versionMatchStrategy": "Strict",
       "versionFailureStrategy": "Fail"
     }
-  },
-  "logging": {
-    "logLevel": {
-      "default": "None"
-    },
-    "console": {
-      "isEnabled": false
-    }
   }
 }