From 7f2a76876a97c37338dd99eeb5178d56c4edc252 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Mon, 8 Jan 2024 20:33:52 +0100
Subject: [PATCH 1/8] Sharepoint URL list
---
 .../Public/Entrypoints/Invoke-ListSites.ps1 | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1
index f224af6d2282b..7e125a0a1a904 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1
@@ -27,8 +27,6 @@ Function Invoke-ListSites {
 } else {
 $ParsedRequest = $Result
 }
-
-
 $GraphRequest = $ParsedRequest | Select-Object @{ Name = 'UPN'; Expression = { $_.'Owner Principal Name' } },
 @{ Name = 'displayName'; Expression = { $_.'Owner Display Name' } },
 @{ Name = 'LastActive'; Expression = { $_.'Last Activity Date' } },
@@ -36,7 +34,22 @@ Function Invoke-ListSites {
 @{ Name = 'UsedGB'; Expression = { [math]::round($_.'Storage Used (Byte)' / 1GB, 2) } },
 @{ Name = 'URL'; Expression = { $_.'Site URL' } },
 @{ Name = 'Allocated'; Expression = { [math]::round($_.'Storage Allocated (Byte)' / 1GB, 2) } },
- @{ Name = 'Template'; Expression = { $_.'Root Web Template' } }
+ @{ Name = 'Template'; Expression = { $_.'Root Web Template' } },
+ @{ Name = 'siteid'; Expression = { $_.'site Id' } }
+
+ #Temporary workaround for url as report is broken.
+ if ($Type -eq 'SharePointSiteUsage') {
+ $URLs = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/sites?search=*&`$select=sharepointIds" -asapp $true -tenantid $TenantFilter).sharepointIds
+ } else {
+ #Get all OneDrive Urls
+ $URLs = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users?`$select=displayName,userPrincipalName" -tenantid $TenantFilter)
+ }
+
+ $GraphRequest = foreach ($site in $GraphRequest) {
+ $site.URL = ($URLs | Where-Object { $_.siteId -eq $site.SiteId }).siteUrl
+ $site
+ }
+
 $StatusCode = [HttpStatusCode]::OK
 } catch {
 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
From e6475376b9d68a0293ad08b08ef08ae9551377e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Mon, 8 Jan 2024 20:34:01 +0100
Subject: [PATCH 2/8] Add CIPP standards for enabling Customer Lockbox and fix logging issue
---
 ...StandardDisableExternalCalendarSharing.ps1 | 7 +++-
 ...voke-CIPPStandardEnableCustomerLockbox.ps1 | 32 +++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1
index 92185029888a9..e5e9232ed9b49 100644
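Review bot: In the `else` branch `$URLs` holds user objects (`displayName`, `userPrincipalName`) that have no `siteId` or `siteUrl` property, so the `Where-Object` in the `foreach` below never matches for OneDrive rows and `$site.URL` is overwritten with `$null`, discarding the `'Site URL'` value already selected from the report. Assign only when a match exists, e.g. `$Match = $URLs | Where-Object { $_.siteId -eq $site.SiteId }` followed by `if ($Match) { $site.URL = $Match.siteUrl }`. Filtering `$URLs` once per site is also quadratic in the number of sites; a hashtable keyed by `siteId`, built once before the loop, avoids that. The surrounding `try` block opens before this hunk.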
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1
@@ -7,7 +7,12 @@ function Invoke-CIPPStandardDisableExternalCalendarSharing {

 if ($Settings.remediate) {
 New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SharingPolicy' | Where-Object { $_.Default -eq $true } | ForEach-Object {
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SharingPolicy' -cmdParams @{ Identity = $_.Id ; Enabled = $false } -UseSystemMailbox $true
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SharingPolicy' -cmdParams @{ Identity = $_.Id ; Enabled = $false } -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully disabled external calendar sharing for the policy $($_.Name)" -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable external calendar sharing for the policy $($_.Name). Error: $($_.exception.message)" -sev Error
+ }
 }
 }

diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1
new file mode 100644
index 0000000000000..6e259bc1bead6
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1
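Review bot: Inside the new `catch` block `$_` is the ErrorRecord, not the sharing policy coming from `ForEach-Object`, so `$($_.Name)` in the failure message expands to an empty string and the log cannot say which policy failed. Capture the pipeline object before the `try` with `$Policy = $_` and use `$Policy.Name` in both messages and `$Policy.Id` in `-cmdParams`, so the identifiers do not depend on which scope `$_` currently refers to. The function body continues outside this hunk.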
@@ -0,0 +1,32 @@
+function Invoke-CIPPStandardEnableCustomerLockbox {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+
+ if ($Settings.remediate) {
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams @{ CustomerLockboxEnabled = $true } -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully enabled Customer Lockbox' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to enable Customer Lockbox. Error: $($_.exception.message)" -sev Error
+ }
+ }
+ if ($Settings.alert -or $Settings.report) {
+ $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig'
+
+ if ($Settings.alert) {
+ if ($CurrentInfo.CustomerLockboxEnabled) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Customer Lockbox is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Customer Lockbox is not enabled' -sev Alert
+ }
+ }
+ if ($Settings.report) {
+ Add-CIPPBPAField -FieldName 'CustomerLockboxEnabled' -FieldValue [bool]$CurrentInfo.CustomerLockboxEnabled -StoreAs bool -Tenant $tenant
+ }
+ }
+
+}
+
From 2432192fdf4b882ba16e5a5e4d0aa930c1a2311e Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Mon, 8 Jan 2024 20:47:01 +0100
Subject: [PATCH 3/8] tmp fix onedrive
---
 Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1
index 7e125a0a1a904..e9d9321257448 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListSites.ps1
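Review bot: `-FieldValue [bool]$CurrentInfo.CustomerLockboxEnabled` is parsed in argument mode, where `[bool]` is most likely not applied as a cast but passed as literal text, so the field would receive a string such as `[bool]True` rather than a boolean; wrap it as `-FieldValue ([bool]$CurrentInfo.CustomerLockboxEnabled)`. The same pattern appears in the new `Invoke-CIPPStandardEnableMailboxAuditing` (`-FieldValue [bool]$AuditState`). Remediation also calls `Set-OrganizationConfig` and logs 'Successfully enabled Customer Lockbox' unconditionally; reading `Get-OrganizationConfig` first (it is currently only fetched on the alert/report path) would let the standard skip the write when Customer Lockbox is already on and keep the log honest.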
@@ -42,7 +42,7 @@ Function Invoke-ListSites {
 $URLs = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/sites?search=*&`$select=sharepointIds" -asapp $true -tenantid $TenantFilter).sharepointIds
 } else {
 #Get all OneDrive Urls
- $URLs = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users?`$select=displayName,userPrincipalName" -tenantid $TenantFilter)
+ #$URLs = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users?`$select=displayName,userPrincipalName" -tenantid $TenantFilter)
 }

 $GraphRequest = foreach ($site in $GraphRequest) {
From f8464eb907168c69fdd7f3c80096419cac5bc65a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Mon, 8 Jan 2024 22:01:12 +0100
Subject: [PATCH 4/8] Add Mailbox audit logging standard
---
 ...voke-CIPPStandardEnableMailboxAuditing.ps1 | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
new file mode 100644
index 0000000000000..477298bdcf66d
--- /dev/null
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
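Review bot: With the user query commented out, `$URLs` is never assigned on the `else` path, yet the `foreach` that starts on the hunk's last context line (its body lies outside the hunk) still evaluates `($URLs | Where-Object { ... }).siteUrl` and overwrites `$site.URL` with `$null` for every OneDrive row, so the `'Site URL'` taken from the report is lost. Run the lookup only for the SharePoint report, e.g. wrap the loop in `if ($Type -eq 'SharePointSiteUsage') { ... }`, or skip the assignment when no match is found. Deleting the dead line is preferable to leaving it commented out; the branch can carry a one-line comment such as `# OneDrive URLs come from the report; no Graph lookup needed`.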
@@ -0,0 +1,49 @@
+function Invoke-CIPPStandardEnableMailboxAuditing {
+ <#
+ .FUNCTIONALITY
+ Internal
+ #>
+ param($Tenant, $Settings)
+
+ $AuditState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AuditDisabled
+ if ( $Settings.remediate) {
+ if ($AuditState) {
+ # Enable tenant level mailbox audit
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams @{AuditDisabled = $false } -useSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Tenant level mailbox audit enabled' -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to enable tenant level mailbox audit. Error: $($_.exception.message)" -sev Error
+ }
+ } else {
+ $LogMessage = 'Tenant level mailbox audit already enabled. '
+ }
+
+ # check for mailbox audit on all mailboxes. Enabled for all that it's not enabled for
+ $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ResultSize = 'Unlimited' } | Where-Object { $_.AuditEnabled -ne $true }
+ $Mailboxes | ForEach-Object {
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-Mailbox' -cmdParams @{Identity = $_.UserPrincipalName; AuditEnabled = $true } -Anchor $_.UserPrincipalName
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "User level mailbox audit enabled for $($_.UserPrincipalName)" -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to enable user level mailbox audit for $($_.UserPrincipalName). 
Error: $($_.exception.message)" -sev Error
+ }
+ }
+ if ($Mailboxes.Count -eq 0) {
+ $LogMessage += 'User level mailbox audit already enabled for all mailboxes'
+ }
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message $LogMessage -sev Info
+ }
+
+ if ($Settings.alert) {
+ if ($AuditState) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Tenant level mailbox audit is not enabled' -sev Alert
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Tenant level mailbox audit is enabled' -sev Info
+ }
+ }
+ if ($Settings.report) {
+ Add-CIPPBPAField -FieldName 'MailboxAuditingEnabled' -FieldValue [bool]$AuditState -StoreAs bool -Tenant $Tenant
+ }
+
+}
\ No newline at end of file
From cb2db3c1bdd0cd67e3209d8878334ace5fccfb09 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Tue, 9 Jan 2024 10:09:49 +0100
Subject: [PATCH 5/8] int casting
---
 .../Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1
index e1f94df1fa8d1..16d810b82f092 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertExpiringLicenses.ps1
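Review bot: The BPA field is inverted: `$AuditState` holds `AuditDisabled` from `Get-OrganizationConfig`, so `-FieldName 'MailboxAuditingEnabled' -FieldValue [bool]$AuditState` records True exactly when tenant-level auditing is disabled; use `-FieldValue (-not $AuditState)`, which also ensures the value is evaluated as an expression rather than passed as literal `[bool]` text in argument mode. `$LogMessage` is only assigned in the `else` branch, so on the path where auditing was just enabled and some mailboxes still needed remediation, `Write-LogMessage -message $LogMessage` at the end of the remediate block is called with `$null`; initialise it to `''` before `if ($AuditState)` or log only when it is non-empty. The per-mailbox `Set-Mailbox` loop writes one Info entry per mailbox, which on large tenants floods the log; a single summary with the count would carry the same information.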
@@ -6,8 +6,12 @@ function Push-CIPPAlertExpiringLicenses {
 $TriggerMetadata
 )
 try {
- Get-CIPPLicenseOverview -TenantFilter $QueueItem.tenant | Where-Object -Property 'TimeUntilRenew' -LT 29 | ForEach-Object {
- Write-AlertMessage -tenant $($QueueItem.tenant) -message "$($_.License) will expire in $($_.TimeUntilRenew) days. The estimated term is $($_.EstTerm)"
+ Get-CIPPLicenseOverview -TenantFilter $QueueItem.tenant | ForEach-Object {
+ $timeTorenew = [int64]$_.TimeUntilRenew
+ if ($timeTorenew -lt 30 -and $_.TimeUntilRenew -gt 0) {
+ Write-Host "$($_.License) will expire in $($_.TimeUntilRenew) days. The estimated term is $($_.EstTerm)"
+ Write-AlertMessage -tenant $($QueueItem.tenant) -message "$($_.License) will expire in $($_.TimeUntilRenew) days. The estimated term is $($_.EstTerm)"
+ }
 }
 } catch {
 Write-AlertMessage -tenant $($QueueItem.tenant) -message "Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
From 3a1505623954e244c5899e7a5a137360b05eda5e Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Tue, 9 Jan 2024 13:39:02 +0100
Subject: [PATCH 6/8] switch to hourly
---
 Scheduler_Timer/function.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Scheduler_Timer/function.json b/Scheduler_Timer/function.json
index 1d19ac7d67338..56e4cf0cfda12 100644
--- a/Scheduler_Timer/function.json
+++ b/Scheduler_Timer/function.json
@@ -2,7 +2,7 @@
 "bindings": [
 {
 "name": "Timer",
- "schedule": "0 */20 * * * *",
+ "schedule": "0 0 * * * *",
 "direction": "in",
 "type": "timerTrigger"
 },
From d4835570ad0180e11aed15d476d8541a0f48ee4c Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Tue, 9 Jan 2024 14:03:35 +0100
Subject: [PATCH 7/8] deny old webhooks with 403.
---
 PublicWebhooks/run.ps1 | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/PublicWebhooks/run.ps1 b/PublicWebhooks/run.ps1
index ad13d0546ef71..124f05bd761ab 100644
--- a/PublicWebhooks/run.ps1
+++ b/PublicWebhooks/run.ps1
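Review bot: The second half of the condition compares the raw `$_.TimeUntilRenew` instead of the `[int64]` value computed on the line above, so if the property arrives as a string the `-gt 0` test is a string comparison; use `if ($timeTorenew -lt 30 -and $timeTorenew -gt 0)`. The `[int64]` cast throws on an empty or non-numeric value, and because it runs inside the outer `try` one bad row ends the loop for every remaining license — `$_.TimeUntilRenew -as [int64]` with a null check would keep the other alerts flowing. The alert text is built twice, once for `Write-Host` and once for `Write-AlertMessage`; assign it to a variable once. The enclosing `try`/`catch` closes outside this hunk.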
@@ -10,22 +10,23 @@ Write-Host 'Received request' Write-Host "CIPPID: $($request.Query.CIPPID)" $url = ($request.headers.'x-ms-original-url').split('/API') | Select-Object -First 1 Write-Host $url -if ($Request.Query.CIPPID -in $Webhooks.RowKey) { +if ($Request.Query.CIPPID -in $Webhooks.RowKey -and $Webhooks.Resource -ne 'M365AuditLogs') { Write-Host 'Found matching CIPPID' - if ($Request.query.ValidationToken -or $Request.body.validationCode) { Write-Host 'Validation token received' $body = $request.query.ValidationToken } else { Push-OutputBinding -Name QueueWebhook -Value $Request $Body = 'Webhook Recieved' + $StatusCode = [HttpStatusCode]::OK + } } else { $body = 'This webhook is not authorized.' + $StatusCode = [HttpStatusCode]::Forbidden + } # Associate values to output bindings by calling 'Push-OutputBinding'. Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ - StatusCode = [HttpStatusCode]::OK + StatusCode = $StatusCode Body = $body })
From d1905d2dbe01a2399d785c3a72235efc6155dea8 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Tue, 9 Jan 2024 14:06:06 +0100
Subject: [PATCH 8/8] version up for hotfix
---
 version_latest.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_latest.txt b/version_latest.txt
index e94f14fa9ed3d..f4cfd30c459e4 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-4.9.3
\ No newline at end of file
+4.9.4
\ No newline at end of file
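Review bot: `$Webhooks.Resource -ne 'M365AuditLogs'` is evaluated against the whole `$Webhooks` collection (the same one used for `-in $Webhooks.RowKey`), and on an array `-ne` filters rather than tests, returning every non-matching `Resource` value; the condition is therefore true whenever any webhook in the table is not an audit-log one and never inspects the row that matched `CIPPID`, so the old audit-log webhooks this commit means to reject still pass the authorization check. Resolve the matching row first, e.g. `$Webhook = $Webhooks | Where-Object { $_.RowKey -eq $Request.Query.CIPPID }` and `if ($Webhook -and $Webhook.Resource -ne 'M365AuditLogs') {`. `$StatusCode` is also left unset on the validation-token branch, so that response is built with a null status; set `$StatusCode = [HttpStatusCode]::OK` there as well, or default it before the `if`. If `$Webhooks` can only ever hold a single row the filter works by accident, but the `-in` test suggests it does not.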