Merge branch 'KelvinTegelaar:master' into master

.github/workflows/dev_cippy6oom.yml

@@ -0,0 +1,30 @@
+# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
+# More GitHub Actions for Azure: https://github.com/Azure/actions
+
+name: Build and deploy Powershell project to Azure Function App - cippy6oom
+
+on:
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+
+jobs:
+  deploy:
+    runs-on: windows-latest
+
+    steps:
+      - name: 'Checkout GitHub Action'
+        uses: actions/checkout@v4
+
+      - name: 'Run Azure Functions Action'
+        uses: Azure/functions-action@v1
+        id: fa
+        with:
+          app-name: 'cippy6oom'
+          slot-name: 'Production'
+          package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+          publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_B9C635E19DF6459F8995BA602EFA638A }}

Config/49a8069e-3b46-4680-a035-9250bc675446.CATemplate.json

@@ -37,5 +37,5 @@
       "excludeApplications": []
     }
   },
-  "displayName": "Enforce Multi factor authentication for each application"
+  "displayName": "CIPP: Enforce Multi factor authentication for each application"
 }

Config/7e06b0de-0469-4aae-89be-d83c44b5799f.IntuneTemplate.json

@@ -1,5 +1,5 @@
 {
-  "Displayname": "CIPP Default: Enable Bitlocker Encryption for OS drives",
+  "Displayname": "CIPP: Enable Bitlocker Encryption for OS drives",
   "Description": "Enables Bitlocker and stores the key in Azure AD for system Drives",
   "RAWJson": "{\"id\":\"00000000-0000-0000-0000-000000000000\",\"displayName\":\"CIPP: Enable Bitlocker Encryption\",\"roleScopeTagIds\":[\"0\"],\"@odata.type\":\"#microsoft.graph.windows10EndpointProtectionConfiguration\",\"applicationGuardEnabledOptions\":\"notConfigured\",\"firewallCertificateRevocationListCheckMethod\":\"deviceDefault\",\"firewallPacketQueueingMethod\":\"deviceDefault\",\"deviceGuardLocalSystemAuthorityCredentialGuardSettings\":\"notConfigured\",\"defenderSecurityCenterNotificationsFromApp\":\"notConfigured\",\"windowsDefenderTamperProtection\":\"notConfigured\",\"defenderSecurityCenterITContactDisplay\":\"notConfigured\",\"xboxServicesAccessoryManagementServiceStartupMode\":\"manual\",\"xboxServicesLiveAuthManagerServiceStartupMode\":\"manual\",\"xboxServicesLiveGameSaveServiceStartupMode\":\"manual\",\"xboxServicesLiveNetworkingServiceStartupMode\":\"manual\",\"applicationGuardBlockClipboardSharing\":\"notConfigured\",\"defenderPreventCredentialStealingType\":\"notConfigured\",\"defenderAdobeReaderLaunchChildProcess\":\"notConfigured\",\"defenderOfficeCommunicationAppsLaunchChildProcess\":\"notConfigured\",\"defenderAdvancedRansomewareProtectionType\":\"notConfigured\",\"defenderNetworkProtectionType\":\"notConfigured\",\"localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser\":\"notConfigured\",\"localSecurityOptionsSmartCardRemovalBehavior\":\"lockWorkstation\",\"localSecurityOptionsInformationDisplayedOnLockScreen\":\"notConfigured\",\"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients\":\"none\",\"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers\":\"none\",\"lanManagerAuthenticationLevel\":\"lmAndNltm\",\"localSecurityOptionsAdministratorElevationPromptBehavior\":\"notConfigured\",\"localSecurityOptionsStandardUserElevationPromptBehavior\":\"notConfigured\",\"userRightsAccessCredentialManagerAsTrustedCaller\":null,\"userRightsLocalLogOn\":null,\"userRightsAllowAccessFromNetwork\":null,\"userRightsActAsPartOfTheOperatingSystem\":null,\"userRightsBackupData\":null,\"userRightsChangeSystemTime\":null,\"userRightsCreateGlobalObjects\":null,\"userRightsCreatePageFile\":null,\"userRightsCreatePermanentSharedObjects\":null,\"userRightsCreateSymbolicLinks\":null,\"userRightsCreateToken\":null,\"userRightsDebugPrograms\":null,\"userRightsBlockAccessFromNetwork\":null,\"userRightsDenyLocalLogOn\":null,\"userRightsRemoteDesktopServicesLogOn\":null,\"userRightsDelegation\":null,\"userRightsGenerateSecurityAudits\":null,\"userRightsImpersonateClient\":null,\"userRightsIncreaseSchedulingPriority\":null,\"userRightsLoadUnloadDrivers\":null,\"userRightsLockMemory\":null,\"userRightsManageAuditingAndSecurityLogs\":null,\"userRightsManageVolumes\":null,\"userRightsModifyFirmwareEnvironment\":null,\"userRightsModifyObjectLabels\":null,\"userRightsProfileSingleProcess\":null,\"userRightsRemoteShutdown\":null,\"userRightsRestoreData\":null,\"userRightsTakeOwnership\":null,\"bitLockerRecoveryPasswordRotation\":\"notConfigured\",\"bitLockerPrebootRecoveryMsgURLOption\":\"default\",\"bitLockerEncryptDevice\":true,\"bitLockerDisableWarningForOtherDiskEncryption\":true,\"bitLockerAllowStandardUserEncryption\":true,\"bitLockerSyntheticSystemDrivePolicybitLockerDriveRecovery\":true,\"applicationGuardAllowPrintToPDF\":false,\"applicationGuardAllowPrintToXPS\":false,\"applicationGuardAllowPrintToLocalPrinters\":false,\"applicationGuardAllowPrintToNetworkPrinters\":false,\"bitLockerFixedDrivePolicy\":{\"requireEncryptionForWriteAccess\":false,\"recoveryOptions\":null,\"encryptionMethod\":null},\"bitLockerRemovableDrivePolicy\":{\"requireEncryptionForWriteAccess\":false,\"encryptionMethod\":null},\"bitLockerSystemDrivePolicy\":{\"startupAuthenticationRequired\":true,\"startupAuthenticationTpmUsage\":\"allowed\",\"startupAuthenticationTpmPinUsage\":\"allowed\",\"startupAuthenticationTpmKeyUsage\":\"allowed\",\"startupAuthenticationTpmPinAndKeyUsage\":\"allowed\",\"startupAuthenticationBlockWithoutTpmChip\":false,\"minimumPinLength\":null,\"recoveryOptions\":{\"blockDataRecoveryAgent\":false,\"recoveryPasswordUsage\":\"allowed\",\"recoveryKeyUsage\":\"allowed\",\"enableRecoveryInformationSaveToStore\":true,\"recoveryInformationToStore\":\"passwordAndKey\",\"enableBitLockerAfterRecoveryInformationToStore\":true},\"prebootRecoveryEnableMessageAndUrl\":false,\"encryptionMethod\":null},\"firewallProfileDomain\":null,\"firewallProfilePrivate\":null,\"firewallProfilePublic\":null,\"deviceGuardEnableVirtualizationBasedSecurity\":false,\"deviceGuardEnableSecureBootWithDMA\":false}",
   "Type": "Device",

Config/b79d0123-3105-4c5d-9f15-62cc7a7eb7e1.IntuneTemplate.json

@@ -1,5 +1,5 @@
 {
-  "Displayname": "CIPP Default: Automatic Configuration of Outlook",
+  "Displayname": "CIPP: Automatic Configuration of Outlook",
   "Description": "Configures the first profile on a device to always use the e-mail address of the currently logged on user.",
   "RAWJson": "{\"name\":\"Automatic configuration of Outlook\",\"description\":\"\",\"platforms\":\"windows10\",\"technologies\":\"mdm\",\"roleScopeTagIds\":[\"0\"],\"settings\":[{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationSetting\",\"settingInstance\":{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance\",\"settingDefinitionId\":\"user_vendor_msft_policy_config_outlk16v2~policy~l_microsoftofficeoutlook~l_toolsaccounts~l_exchangesettings_l_automaticallyconfigureprofilebasedonactiveonce\",\"choiceSettingValue\":{\"@odata.type\":\"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue\",\"value\":\"user_vendor_msft_policy_config_outlk16v2~policy~l_microsoftofficeoutlook~l_toolsaccounts~l_exchangesettings_l_automaticallyconfigureprofilebasedonactiveonce_1\",\"children\":[]}}}]}",
   "Type": "Catalog",

Config/cba836bb-33b7-4c50-88be-ee80f74cbeac.CATemplate.json

@@ -32,5 +32,5 @@
     "times": null,
     "clientApplications": null
   },
-  "displayName": "Enforce Multi-factor authentication for Static Web Apps"
+  "displayName": "CIPP: Enforce Multi-factor authentication for Static Web Apps"
 }

Config/f8be7e58-2419-40a8-a739-714bf5deff90.CATemplate.json

@@ -26,11 +26,11 @@
     "platforms": null,
     "clientApplications": null,
     "applications": {
-      "includeApplications": ["None"],
+      "includeApplications": ["All"],
       "includeUserActions": [],
       "includeAuthenticationContextClassReferences": [],
       "excludeApplications": []
     }
   },
-  "displayName": "Block Legacy Authentication"
+  "displayName": "CIPP: Block Legacy Authentication"
 }

Modules/CIPPCore/Public/Entrypoints/Invoke-AddStandardsDeploy.ps1

@@ -18,6 +18,14 @@ Function Invoke-AddStandardsDeploy {
         $Tenants = ($Request.body | Select-Object Select_*).psobject.properties.value
         $Settings = ($request.body | Select-Object -Property *, v2* -ExcludeProperty Select_*, None )
         $Settings | Add-Member -NotePropertyName 'v2.1' -NotePropertyValue $true -Force
+        if ($Settings.phishProtection.remediate) {
+            $URL = $request.headers.'x-ms-original-url'.split('/api') | Select-Object -First 1
+            write-host $URL
+            $Settings.phishProtection = [pscustomobject]@{
+                remediate = $true
+                URL       = $URL
+            }
+        }
         foreach ($Tenant in $tenants) {
 
             $object = [PSCustomObject]@{
@@ -37,8 +45,7 @@ Function Invoke-AddStandardsDeploy {
             Write-LogMessage -user $request.headers.'x-ms-client-principal' -tenant $tenant -API 'Standards' -message 'Successfully added standards deployment' -Sev 'Info'
         }
         $body = [pscustomobject]@{'Results' = 'Successfully added standards deployment' }
-    }
-    catch {
+    } catch {
         Write-LogMessage -user $request.headers.'x-ms-client-principal' -API 'Standards' -message "Standards API failed. Error:$($_.Exception.Message)" -Sev 'Error'
         $body = [pscustomobject]@{'Results' = "Failed to add standard: $($_.Exception.Message)" }
     }

Modules/CIPPCore/Public/Entrypoints/Invoke-ExecAssignAPDevice.ps1

@@ -0,0 +1,32 @@
+using namespace System.Net
+
+Function Invoke-ExecAssignAPDevice {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+    $APIName = $TriggerMetadata.FunctionName
+    Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $tenantfilter = $Request.Body.TenantFilter
+    try {
+        $body = @{
+            UserPrincipalName   = $Request.body.UserPrincipalName
+            addressableUserName = $Request.body.addressableUserName
+        } | ConvertTo-Json
+        New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities/$($request.body.Device)/UpdateDeviceProperties" -tenantid $TenantFilter -body $body -method POST 
+        $Results = "Successfully assigned device to $($Request.body.UserPrincipalName) for $($tenantfilter)"
+    } catch {
+        $Results = "Could not $($Request.body.UserPrincipalName) to $($Request.body.device) for $($tenantfilter) Error: $($_.Exception.Message)"
+    }
+
+    $Results = [pscustomobject]@{'Results' = "$results" }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+
+}

Modules/CIPPCore/Public/Entrypoints/Invoke-ExecOffboardTenant.ps1

@@ -12,6 +12,9 @@ Function Invoke-ExecOffboardTenant {
 
         $Tenantfilter = $request.body.tenantfilter
 
+        # temp fix -rvdwegen
+        $tenantId = (Invoke-RestMethod -Method GET "https://login.windows.net/$Tenantfilter/.well-known/openid-configuration").token_endpoint.Split('/')[3]
+
         $results = [System.Collections.ArrayList]@()
         $errors = [System.Collections.ArrayList]@()
 
@@ -105,7 +108,7 @@ Function Invoke-ExecOffboardTenant {
         }
 
         # All customer tenant specific actions ALWAYS have to be completed before this action!
-        if ($request.body.RemoveMultitenantApps) {
+        if ($request.body.RemoveMultitenantCSPApps) {
             # Remove multi-tenant apps with the CSP tenant as origin
             try {
                 $multitenantCSPApps = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$count=true&`$select=displayName,appId,id,appOwnerOrganizationId&`$filter=appOwnerOrganizationId eq $($env:TenantID)" -tenantid $Tenantfilter -ComplexFilter)
@@ -129,18 +132,23 @@ Function Invoke-ExecOffboardTenant {
         if ($request.body.TerminateGDAP) {
             # Terminate GDAP relationships
             try {
-                $delegatedAdminRelationships = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships?`$filter=(status eq 'active') AND (customer/tenantId eq '$TenantFilter')" -tenantid $env:TenantID)
+                $TenantFilter
+                $TenantFilter
+                $TenantFilter
+                $delegatedAdminRelationships = (New-GraphGETRequest -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships?`$filter=(status eq 'active') AND (customer/tenantId eq '$tenantid')" -tenantid $env:TenantID)
                 $delegatedAdminRelationships | ForEach-Object {
                     try {
                         $terminate = (New-GraphPostRequest -type 'POST' -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships/$($_.id)/requests" -body '{"action":"terminate"}' -ContentType 'application/json' -tenantid $env:TenantID)
                         $results.Add("Succesfully terminated GDAP relationship $($_.displayName) from tenant $TenantFilter")
                         Write-LogMessage -user $ExecutingUser -API $APIName -message "GDAP Relationship $($_.displayName) has been terminated" -Sev "Info" -tenant $TenantFilter
                     } catch {
+                        $($_.Exception.message)
                         #$results.Add("Failed to terminate GDAP relationship $($_.displayName): $($_.Exception.message)")
                         $errors.Add("Failed to terminate GDAP relationship $($_.displayName): $($_.Exception.message)")
                     }
                 }
             } catch {
+                $($_.Exception.message)
                 #$results.Add("Failed to retrieve GDAP relationships, no relationships have been terminated: $($_.Exception.message)")
                 $errors.Add("Failed to retrieve GDAP relationships, no relationships have been terminated: $($_.Exception.message)")
             }

Modules/CIPPCore/Public/Entrypoints/Invoke-ExecSyncAPDevices.ps1

@@ -0,0 +1,28 @@
+using namespace System.Net
+
+Function Invoke-ExecSyncAPDevices {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+    $APIName = $TriggerMetadata.FunctionName
+    Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $tenantfilter = $Request.Query.TenantFilter
+    try {
+        New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotSettings/sync' -tenantid $TenantFilter
+        $Results = "Successfully Started Sync for $($TenantFilter)"
+    } catch {
+        $Results = "Failed to start sync for $tenantfilter. Did you try syncing in the last 10 minutes?"
+    }
+
+    $Results = [pscustomobject]@{'Results' = "$results" }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = $Results
+        })
+
+}

Modules/CIPPCore/Public/Entrypoints/Invoke-ListAPDevices.ps1

@@ -17,7 +17,6 @@ Function Invoke-ListAPDevices {
 
     # Interact with query parameters or the body of the request.
     $TenantFilter = $Request.Query.TenantFilter
-    $userid = $Request.Query.UserID
     try {
         $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeviceIdentities?`$top=999" -tenantid $TenantFilter  
         $StatusCode = [HttpStatusCode]::OK

Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailQuarantine.ps1

@@ -13,7 +13,7 @@ Function Invoke-ListMailQuarantine {
     $Tenantfilter = $request.Query.tenantfilter
 
     try {
-        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-QuarantineMessage'
+        $GraphRequest = New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ 'PageSize' = 1000 }
         $StatusCode = [HttpStatusCode]::OK
     } catch {
         $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message

Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1

@@ -14,7 +14,6 @@ function Push-CIPPAlertExpiringLicenses {
             }
         }
     } catch {
-        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
     }
 }
 

Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSharepointQuota.ps1

@@ -18,6 +18,5 @@ function Push-CIPPAlertSharepointQuota {
             }
         }
     } catch {
-        Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get SharePoint quota for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
     }
 }

Modules/CIPPCore/Public/Entrypoints/invoke-DomainAnalyser_List.ps1

@@ -0,0 +1,39 @@
+
+using namespace System.Net
+
+Function Invoke-DomainAnalyser_List {
+    <#
+    .FUNCTIONALITY
+    Entrypoint
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+    $DomainTable = Get-CIPPTable -Table 'Domains'
+
+    # Get all the things
+
+    if ($Request.Query.tenantFilter -ne 'AllTenants') {
+        $DomainTable.Filter = "TenantId eq '{0}'" -f $Request.Query.tenantFilter
+    }
+
+    try {
+        # Extract json from table results
+        $Results = foreach ($DomainAnalyserResult in (Get-CIPPAzDataTableEntity @DomainTable).DomainAnalyser) {
+            try { 
+                if (![string]::IsNullOrEmpty($DomainAnalyserResult)) {
+                    $Object = $DomainAnalyserResult | ConvertFrom-Json -ErrorAction SilentlyContinue
+                    $Object
+                }
+            } catch {}
+        }
+    } catch {
+        $Results = @()
+    }
+
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = @($Results)
+        })
+}

Modules/CIPPCore/Public/GraphHelper/New-GraphPOSTRequest.ps1

@@ -1,5 +1,5 @@
 
-function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck, $skipTokenCache, $AddedHeaders) {
+function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $NoAuthCheck, $skipTokenCache, $AddedHeaders, $contentType) {
     <#
     .FUNCTIONALITY
     Internal
@@ -16,10 +16,14 @@ function New-GraphPOSTRequest ($uri, $tenantid, $body, $type, $scope, $AsApp, $N
             $type = 'POST'
         }
 
+        if (!$contentType) {
+            $contentType = 'application/json; charset=utf-8'
+        }
         try {
-            $ReturnedData = (Invoke-RestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType 'application/json; charset=utf-8')
+            $ReturnedData = (Invoke-RestMethod -Uri $($uri) -Method $TYPE -Body $body -Headers $headers -ContentType $contentType)
         } catch {
-            $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error.message
+            $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).error
+            if ($Message.innerError) { $Message = $Message.Innererror.Message } else { $Message = $Message.Message.Error }
             if ($Message -eq $null) { 
                 try {
                     $Message = ($_.ErrorDetails.Message | ConvertFrom-Json -ErrorAction SilentlyContinue).message