From 1cad0b8cac99a4953c08d0f71f018383fcf9ba22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Tue, 6 Feb 2024 20:04:00 +0100
Subject: [PATCH 1/5] Add Mailbox audit bypass part to comply with CIS
---
 ...voke-CIPPStandardEnableMailboxAuditing.ps1 | 27 ++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
index 477298bdcf66..3bde7b01121f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
@@ -19,7 +19,7 @@ function Invoke-CIPPStandardEnableMailboxAuditing {
 $LogMessage = 'Tenant level mailbox audit already enabled. '
 }
- # check for mailbox audit on all mailboxes. Enabled for all that it's not enabled for
+ # Check for mailbox audit on all mailboxes. Enable for all that it's not enabled for
 $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ResultSize = 'Unlimited' } | Where-Object { $_.AuditEnabled -ne $true }
 $Mailboxes | ForEach-Object {
 try {
@@ -29,9 +29,30 @@ function Invoke-CIPPStandardEnableMailboxAuditing {
 Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to enable user level mailbox audit for $($_.UserPrincipalName). Error: $($_.exception.message)" -sev Error
 }
 }
- if ($Mailboxes.Count -eq 0) {
- $LogMessage += 'User level mailbox audit already enabled for all mailboxes'
+
+ # Disable audit bypass for all mailboxes that have it enabled
+ $BypassMailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxAuditBypassAssociation' -cmdParams @{ResultSize = 'Unlimited' } | Where-Object { $_.AuditBypassEnabled -eq $true }
+ $BypassMailboxes | ForEach-Object {
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxAuditBypassAssociation' -cmdParams @{Identity = $_.Guid; AuditBypassEnabled = $false } -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Mailbox audit bypass disabled for $($_.Name)" -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to disable mailbox audit bypass for $($_.Name). Error: $($_.exception.message)" -sev Error
+ }
+ }
+
+ if ($Mailboxes.Count -eq 0 -and $BypassMailboxes.Count -eq 0) {
+ # Make log message smaller if both are already in the desired state
+ $LogMessage += 'User level mailbox audit already enabled and mailbox audit bypass already disabled for all mailboxes'
+ } else {
+ if ($Mailboxes.Count -eq 0) {
+ $LogMessage += 'User level mailbox audit already enabled for all mailboxes. '
+ }
+ if ($BypassMailboxes.Count -eq 0) {
+ $LogMessage += 'Mailbox audit bypass already disabled for all mailboxes'
+ }
+ }
 }
+
 Write-LogMessage -API 'Standards' -tenant $Tenant -message $LogMessage -sev Info
 }
From 12dc11f21f27fe9a448a5712930f0556af878801 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Mon, 12 Feb 2024 20:02:39 +0100
Subject: [PATCH 2/5] Add ActualMXRecords to DA
---
 DomainAnalyser_All/run.ps1 | 2 ++
 1 file changed, 2 insertions(+)
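Review bot: Inside the new `catch` block `$_` is the ErrorRecord rather than the mailbox, so `$($_.Name)` in the "Failed to disable mailbox audit bypass for …" message expands to nothing and the failure is logged without saying which mailbox kept its bypass. Bind the pipeline item before the `try`, e.g. `$BypassMailboxes | ForEach-Object {` followed by `$Mailbox = $_`, and use `$Mailbox.Guid` and `$Mailbox.Name` in the cmdlet call and in both log lines; the pre-existing user-audit loop above has the same defect in its `$($_.UserPrincipalName)` context line. Because an enabled bypass association excludes a mailbox from audit logging altogether, it would also help a later reviewer to log how many mailboxes were found with bypass enabled before they are changed, not only the per-mailbox Info lines. Invoke-CIPPStandardEnableMailboxAuditing starts outside the hunk.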
diff --git a/DomainAnalyser_All/run.ps1 b/DomainAnalyser_All/run.ps1
index 81678cbe8c98..d0da4a3e09da 100644
--- a/DomainAnalyser_All/run.ps1
+++ b/DomainAnalyser_All/run.ps1
@@ -42,6 +42,7 @@ $Result = [PSCustomObject]@{
 ExpectedSPFRecord = ''
 ActualSPFRecord = ''
 SPFPassAll = ''
+ ActualMXRecords = ''
 MXPassTest = ''
 DMARCPresent = ''
 DMARCFullPolicy = ''
@@ -79,6 +80,7 @@ $MXRecord = Read-MXRecord -Domain $Domain -ErrorAction Stop
 $Result.ExpectedSPFRecord = $MXRecord.ExpectedInclude
 $Result.MXPassTest = $false
+$Result.ActualMXRecords = $MXRecord.Records
 # Check fail counts to ensure all tests pass
 #$MXWarnCount = $MXRecord.ValidationWarns | Measure-Object | Select-Object -ExpandProperty Count
From 994b3666b053729e0c871fe68bc6e55a4d0ebeb0 Mon Sep 17 00:00:00 2001
From: John Duprey
Date: Mon, 12 Feb 2024 14:15:55 -0500
Subject: [PATCH 3/5] fix myroles check
---
 .../CIPPCore/Public/Test-CIPPAccessTenant.ps1 | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/Modules/CIPPCore/Public/Test-CIPPAccessTenant.ps1 b/Modules/CIPPCore/Public/Test-CIPPAccessTenant.ps1
index dd82b4fe2b98..6e9d85fd7a74 100644
--- a/Modules/CIPPCore/Public/Test-CIPPAccessTenant.ps1
+++ b/Modules/CIPPCore/Public/Test-CIPPAccessTenant.ps1
@@ -2,7 +2,7 @@ function Test-CIPPAccessTenant {
 [CmdletBinding()]
 param (
 $TenantCSV,
- $APIName = "Access Check",
+ $APIName = 'Access Check',
 $ExecutingUser
 )
 $ExpectedRoles = @(
@@ -27,8 +27,7 @@ function Test-CIPPAccessTenant {
 }
 try {
 $MyRoles = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/managedTenants/myRoles?`$filter=tenantId in ('$($TenantIds -join "','")')"
- }
- catch {
+ } catch {
 $MyRoles = @()
 $AddedText = 'but could not retrieve GDAP roles from Lighthouse API'
 }
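Review bot: `$Result.ActualMXRecords` is initialised as `''` in the first hunk of this file (`@@ -42,6 +42,7`) but assigned `$MXRecord.Records` in the second, which from its name is presumably a collection rather than a string, so the field has one shape when the assignment is reached and another when `Read-MXRecord` throws and the default survives. If Records is a list, initialise the property as `ActualMXRecords = @()`; if it is meant to be a string, say so with a comment next to the field, e.g. `# ActualMXRecords: raw MX records as returned by Read-MXRecord (TODO confirm type)`. The `$Result` object and the MX validation continue outside both hunks.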
@@ -37,7 +36,7 @@ function Test-CIPPAccessTenant {
 try {
 $TenantId = ($TenantList | Where-Object { $_.defaultDomainName -eq $tenant }).customerId
 $Assignments = ($MyRoles | Where-Object { $_.tenantId -eq $TenantId }).assignments
- $SAMUserRoles = ($Assignments | Where-Object { $_.assignmentType -eq 'granularDelegatedAdminPrivileges' }).roles
+ $SAMUserRoles = $Assignments.roles
 $BulkRequests = $ExpectedRoles | ForEach-Object {
 @(
 @{
@@ -62,8 +61,7 @@ function Test-CIPPAccessTenant {
 }
 )
 $AddedText = 'but missing GDAP roles'
- }
- else {
+ } else {
 $GDAPRoles.Add([PSCustomObject]$RoleId)
 }
 if (!$SAMRole) {
@@ -88,8 +86,7 @@ function Test-CIPPAccessTenant {
 }
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $tenant -message 'Tenant access check executed successfully' -Sev 'Info'
- }
- catch {
+ } catch {
 @{
 TenantName = "$($tenant)"
 Status = "Failed to connect: $(Get-NormalizedError -message $_.Exception.Message)"
@@ -106,8 +103,7 @@ function Test-CIPPAccessTenant {
 Status = 'Successfully connected to Exchange'
 }
- }
- catch {
+ } catch {
 $ReportedError = ($_.ErrorDetails | ConvertFrom-Json -ErrorAction SilentlyContinue)
 $Message = if ($ReportedError.error.details.message) { $ReportedError.error.details.message } else { $ReportedError.error.innererror.internalException.message }
 if ($null -eq $Message) { $Message = $($_.Exception.Message) }
From 7f4f4bc79d08bb8a2ef5fb4e2d1a42e4035c5c8e Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Tue, 13 Feb 2024 20:41:13 +0100
Subject: [PATCH 4/5] edit user change.
---
 Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1 | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1
index e869d8829311..d5d7b4e1b961 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-EditUser.ps1
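Review bot: Dropping the `assignmentType -eq 'granularDelegatedAdminPrivileges'` filter means `$SAMUserRoles` now collects roles from every assignment type the myRoles endpoint returns, so the role check on this line can be satisfied by assignments that are not GDAP-granted; the commit title says "fix" but nothing records why the filter was wrong. If the filter never matched the API's actual values, say so above the new line, e.g. `# NOTE(review): roles from all assignment types now count towards the SAM role check - confirm this is intended rather than a renamed assignmentType value`; if the API still distinguishes assignment types, keep the filter and correct the compared value instead. The surrounding try block and Test-CIPPAccessTenant itself continue outside the hunk.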
@@ -12,6 +12,14 @@ Function Invoke-EditUser {
 Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
 $userobj = $Request.body
+ if ($userobj.Userid -eq '') {
+ $body = @{'Results' = @('Failed to edit user. No user ID provided') }
+ Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+ StatusCode = [HttpStatusCode]::BadRequest
+ Body = $Body
+ })
+ return
+ }
 $Results = [System.Collections.ArrayList]@()
 $licenses = ($userobj | Select-Object 'License_*').psobject.properties.value
 $Aliases = if ($userobj.AddedAliases) { ($userobj.AddedAliases).Split([Environment]::NewLine) }
From 93c4dc6d836a359f678e35cd61e887d4c1c2578a Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Tue, 13 Feb 2024 20:55:12 +0100
Subject: [PATCH 5/5] hoftix
---
 version_latest.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_latest.txt b/version_latest.txt
index 3bff059174b8..1b47e8f3efe7 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-5.1.1
\ No newline at end of file
+5.1.2
\ No newline at end of file
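Review bot: The new guard only rejects an empty string: a request body that has no `Userid` property at all yields `$null`, and `$null -eq ''` is `$false` in PowerShell, so such a request passes the check and reaches the edit logic with no target user. Use `if ([string]::IsNullOrWhiteSpace($userobj.Userid)) {` so missing, null and blank values all get the 400 response. A short comment such as `# Reject requests with no target user before any Graph calls are made` would make the intent of the early return clear. Invoke-EditUser starts and continues outside the hunk.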