From 9b423f4af358319c2c00b29d1f01cc6f59ae5c20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Tue, 2 Jan 2024 22:50:30 +0100
Subject: [PATCH 1/3] Disable SMTP Basic Authentication on the user level and fix error logging in calDefaults
---
 ...nvoke-CIPPStandardDisableBasicAuthSMTP.ps1 | 35 ++++++++++++++-----
 .../Invoke-CIPPStandardcalDefault.ps1 | 15 +++++---
 2 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1
index e16637950b76..470e5498a1dd 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1
@@ -5,23 +5,42 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP {
 #>
 param($Tenant, $Settings)
 If ($Settings.remediate) {
+
+ # Disable SMTP Basic Authentication for the tenant
 try {
 $Request = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true }
 Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled SMTP Basic Authentication' -sev Info
 } catch {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication: $($_.exception.message)" -sev Error
 }
+
+ # Disable SMTP Basic Authentication for all users
+ $SMTPusers = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-CASMailbox' -cmdParams @{ ResultSize = 'Unlimited' } | Where-Object { ($null -ne $_.SmtpClientAuthenticationDisabled) }
+ $SMTPusers | ForEach-Object {
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-CASMailbox' -cmdParams @{ Identity = $_.Identity; SmtpClientAuthenticationDisabled = $null } -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabled SMTP Basic Authentication for $($_.DisplayName), $($_.PrimarySmtpAddress)" -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication for $($_.DisplayName), $($_.PrimarySmtpAddress). 
Error: $($_.exception.message)" -sev Error
+
+ }
+ }
 }
- if ($Settings.alert) {
+
+ # This is ugly but done to avoid a second call to the Graph API
+ if ($Settings.alert -or $Settings.report) {
 $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig'
- if ($CurrentInfo.SmtpClientAuthenticationDisabled) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is disabled' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is not disabled' -sev Alert
+
+ if ($Settings.alert) {
+ if ($CurrentInfo.SmtpClientAuthenticationDisabled) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is disabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication is not disabled' -sev Alert
+ }
+ }
+ if ($Settings.report) {
+ Add-CIPPBPAField -FieldName 'DisableBasicAuthSMTP' -FieldValue [bool]$CurrentInfo.SmtpClientAuthenticationDisabled -StoreAs bool -Tenant $tenant
 }
- }
- if ($Settings.report) {
- Add-CIPPBPAField -FieldName 'DisableBasicAuthSMTP' -FieldValue [bool]$CurrentInfo.SmtpClientAuthenticationDisabled -StoreAs bool -Tenant $tenant
 }
 }
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1
index 63805abaf905..f05a9350a705 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1
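Review bot: Inside the new per-mailbox `catch` block, `$_` is the ErrorRecord rather than the Get-CASMailbox item, so `$($_.DisplayName)` and `$($_.PrimarySmtpAddress)` in the failure message expand to nothing; bind the item first (`foreach ($Mailbox in $SMTPusers)` or `$Mailbox = $_` at the top of the ForEach-Object block). The loop also clears every non-null per-mailbox `SmtpClientAuthenticationDisabled` override, including `$true`, and runs even when the preceding Set-TransportConfig call failed (that failure is only logged), so on a tenant that still allows SMTP AUTH it would re-enable SMTP AUTH for mailboxes that had it explicitly disabled — gate the loop on the tenant-level call succeeding, and log it as clearing an override rather than "Disabled", since `$null` means "inherit from tenant". I believe `-FieldValue [bool]$CurrentInfo.SmtpClientAuthenticationDisabled` on the re-added Add-CIPPBPAField line is parsed in argument mode, where a leading type literal is not applied as a cast, so `-FieldValue ([bool]$CurrentInfo.SmtpClientAuthenticationDisabled)` is safer — worth confirming. The last brace in the hunk appears to close the function, so the declaration itself is outside this view.
```powershell
If ($Settings.remediate) {
    $TenantDisabled = $false
    try {
        $Request = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true }
        $TenantDisabled = $true
        # … unchanged: Info log …
    } catch {
        # … unchanged: Error log …
    }

    # A per-mailbox value of $null means "inherit the tenant setting". Only clear
    # explicit overrides once the tenant-wide disable is in place; otherwise an
    # explicit $true would be replaced by a tenant default that still allows SMTP AUTH.
    if ($TenantDisabled) {
        $SMTPusers = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-CASMailbox' -cmdParams @{ ResultSize = 'Unlimited' } | Where-Object { $null -ne $_.SmtpClientAuthenticationDisabled }
        foreach ($Mailbox in $SMTPusers) {
            try {
                New-ExoRequest -tenantid $Tenant -cmdlet 'Set-CASMailbox' -cmdParams @{ Identity = $Mailbox.Identity; SmtpClientAuthenticationDisabled = $null } -UseSystemMailbox $true
                Write-LogMessage -API 'Standards' -tenant $tenant -message "Cleared SMTP Basic Authentication override for $($Mailbox.DisplayName), $($Mailbox.PrimarySmtpAddress); tenant setting now applies" -sev Info
            } catch {
                # $_ is the ErrorRecord here; $Mailbox still refers to the mailbox being processed.
                Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to clear SMTP Basic Authentication override for $($Mailbox.DisplayName), $($Mailbox.PrimarySmtpAddress). Error: $($_.exception.message)" -sev Error
            }
        }
    }
}
# … unchanged: alert / report branches …
```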
@@ -25,27 +25,32 @@ function Invoke-CIPPStandardcalDefault {
 do {
 # Get all calendars for the mailbox, retry if it fails
 try {
- New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxFolderStatistics' -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName |
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MailboxFolderStatistics' -cmdParams @{identity = $Mailbox.UserPrincipalName; FolderScope = 'Calendar' } -Anchor $Mailbox.UserPrincipalName | Where-Object { $_.FolderType -eq 'Calendar' } |
 # Set permissions for each calendar found
- Where-Object { $_.FolderType -eq 'Calendar' } | ForEach-Object {
+ ForEach-Object {
 $SetRetryCount = 0
 do {
 try {
 New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MailboxFolderPermission' -cmdparams @{Identity = "$($Mailbox.UserPrincipalName):$($_.FolderId)"; User = 'Default'; AccessRights = $Settings.permissionlevel } -Anchor $Mailbox.UserPrincipalName
 Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set default folder permission for $($Mailbox.UserPrincipalName):\$($_.Name) to $($Settings.permissionlevel)" -sev Debug
 $Success = $true
+ $UserSuccesses.Counter++
 } catch {
 # Retry Set-MailboxFolderStatistics
- Start-Sleep -Milliseconds 250
+ Start-Sleep -Milliseconds (Get-Random -Minimum 200 -Maximum 300)
 $SetRetryCount++
+
+ # Log error if it fails 3 times
+ if ($SetRetryCount -ge 3) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Could not set default calendar permissions for $($Mailbox.UserPrincipalName). Error: $($_.exception.message)" -sev Error
+ }
 }
 } Until ($SetRetryCount -ge 3 -or $Success -eq $true)
 }
 $Success = $true
- $UserSuccesses.Counter++
 } catch {
 # Retry Get-MailboxFolderStatistics
- Start-Sleep -Milliseconds 250
+ Start-Sleep -Milliseconds (Get-Random -Minimum 250 -Maximum 500)
 $GetRetryCount++
 }
From 2f31fc44f90ae07853d30dc43216ae4a34446c47 Mon Sep 17 00:00:00 2001
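Review bot: `$Success` is shared between the outer Get-MailboxFolderStatistics retry loop and the inner Set-MailboxFolderPermission retry loop and is never reset per calendar, so once the first calendar of a mailbox succeeds it stays `$true` and the inner `do … Until ($SetRetryCount -ge 3 -or $Success -eq $true)` exits after a single failed attempt for every later calendar — the new three-strikes error log can then never be reached. Use a dedicated flag: `$SetRetryCount = 0; $SetSuccess = $false` at the top of the ForEach-Object block, `$SetSuccess = $true` next to the existing `$Success = $true` inside the try, and `} Until ($SetRetryCount -ge 3 -or $SetSuccess)`. Moving `$UserSuccesses.Counter++` into the per-folder try also changes it from counting mailboxes to counting calendars, which the name does not suggest — confirm that is what the caller expects. The outer `do` loop's `Until`, the initialisation of `$Success`, and the rest of the function lie outside the hunk.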
From: KelvinTegelaar
Date: Wed, 3 Jan 2024 01:34:43 +0100
Subject: [PATCH 2/3] fixes table context
---
 .../Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1 | 3 ++-
 .../Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1 | 6 +++---
 .../Public/Entrypoints/Push-CIPPAlertDepTokenExpiry.ps1 | 3 ++-
 .../CIPPCore/Public/Entrypoints/Push-CIPPAlertNewRole.ps1 | 2 +-
 .../Public/Entrypoints/Push-CIPPAlertSecDefaultsUpsell.ps1 | 3 ++-
 .../Public/Entrypoints/Push-CIPPAlertVppTokenExpiry.ps1 | 3 ++-
 Scheduler_Alert/run.ps1 | 4 ----
 7 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1
index 855b61a7e12c..07571db760aa 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertApnCertExpiry.ps1
@@ -5,7 +5,8 @@ function Push-CIPPAlertApnCertExpiry {
 $QueueItem,
 $TriggerMetadata
 )
- $LastRunTable = $QueueItem.LastRunTable
+ $LastRunTable = Get-CIPPTable -Table AlertLastRun
+
 try {
 $Filter = "RowKey eq 'ApnCertExpiry' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
 $LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1
index 745f51b4ada3..e0936bb9c69c 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertAppSecretExpiry.ps1
@@ -5,7 +5,7 @@ function Push-CIPPAlertAppSecretExpiry {
 $QueueItem,
 $TriggerMetadata
 )
- $LastRunTable = $QueueItem.LastRunTable
+ $LastRunTable = Get-CIPPTable -Table AlertLastRun
 try {
@@ -18,7 +18,7 @@ function Push-CIPPAlertAppSecretExpiry {
 if ($App.passwordCredentials) {
 foreach ($Credential in $App.passwordCredentials) {
 if ($Credential.endDateTime -lt (Get-Date).AddDays(30) -and $Credential.endDateTime -gt (Get-Date).AddDays(-7)) {
- Write-AlertMessage -tenant $($QueueItem.tenant) -message ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
+ ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
 }
 }
 }
@@ -31,7 +31,7 @@ function Push-CIPPAlertAppSecretExpiry {
 Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force
 }
 } catch {
- # Error handling
+ throw $_
 }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertDepTokenExpiry.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertDepTokenExpiry.ps1
index f0079fc4e335..c41d62c1f9b5 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertDepTokenExpiry.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertDepTokenExpiry.ps1
@@ -5,7 +5,8 @@ function Push-CIPPAlertDepTokenExpiry {
 $QueueItem,
 $TriggerMetadata
 )
- $LastRunTable = $QueueItem.LastRunTable
+ $LastRunTable = Get-CIPPTable -Table AlertLastRun
+
 try {
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertNewRole.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertNewRole.ps1
index 3847a3d21cce..504bb3ea3153 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertNewRole.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertNewRole.ps1
@@ -5,7 +5,7 @@ function Push-CIPPAlertNewRole {
 $QueueItem,
 $TriggerMetadata
 )
- $Deltatable = $QueueItem.DeltaTable
+ $Deltatable = Get-CIPPTable -Table DeltaCompare
 try {
 $Filter = "PartitionKey eq 'AdminDelta' and RowKey eq '{0}'" -f $QueueItem.tenantid
 $AdminDelta = (Get-CIPPAzDataTableEntity @Deltatable -Filter $Filter).delta | ConvertFrom-Json -ErrorAction SilentlyContinue
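Review bot: The new line in the @@ -18 hunk emits the formatted alert text to the output stream instead of passing it to Write-AlertMessage, so the function's caller must now collect its pipeline output for the alert to go anywhere; the diff shows no matching change in the other Push-CIPPAlert* files, so confirm they are handled the same way or that this one is special. The surrounding condition also matches credentials whose `endDateTime` is up to seven days in the past, for which "has secrets expiring on" is misleading — consider `"Application '{0}' has secrets expiring or recently expired on {1}"`, or split the message on `$Credential.endDateTime -lt (Get-Date)`. The enclosing foreach and function continue outside the hunk.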
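Review bot: `throw $_` in the new catch block of the @@ -31 hunk wraps the caught ErrorRecord in a fresh exception raised from this line, which I believe replaces the original script stack trace; a bare `throw` re-throws the current record unchanged and is the usual idiom inside `catch`. Because the `Add-CIPPAzDataTableEntity @LastRunTable` write sits inside the try, a Graph failure now propagates to the caller and leaves the LastRun row untouched, so the check is re-attempted on the next scheduled pass — presumably intended, but a one-line comment such as `# Rethrow so the queue trigger records the failure; LastRun is deliberately not advanced` would make that explicit. The two closing braces appear to end the catch and the function, but the try and the function header are outside the hunk.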
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSecDefaultsUpsell.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSecDefaultsUpsell.ps1
index 1d702027bfe4..1380b73b4233 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSecDefaultsUpsell.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertSecDefaultsUpsell.ps1
@@ -5,7 +5,8 @@ function Push-CIPPAlertSecDefaultsUpsell {
 $QueueItem,
 $TriggerMetadata
 )
- $LastRunTable = $QueueItem.LastRunTable
+ $LastRunTable = Get-CIPPTable -Table AlertLastRun
+
 try {
 $Filter = "RowKey eq 'SecDefaultsUpsell' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
diff --git a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertVppTokenExpiry.ps1 b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertVppTokenExpiry.ps1
index 71844ad0865b..d18dd28dd11d 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertVppTokenExpiry.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertVppTokenExpiry.ps1
@@ -5,7 +5,8 @@ function Push-CIPPAlertVppTokenExpiry {
 $QueueItem,
 $TriggerMetadata
 )
- $LastRunTable = $QueueItem.LastRunTable
+ $LastRunTable = Get-CIPPTable -Table AlertLastRun
+
 try {
 $Filter = "RowKey eq 'VppTokenExpiry' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
diff --git a/Scheduler_Alert/run.ps1 b/Scheduler_Alert/run.ps1
index d179b21144ae..c35df4f9d1a1 100644
--- a/Scheduler_Alert/run.ps1
+++ b/Scheduler_Alert/run.ps1
@@ -11,16 +11,12 @@ try {
 $Alerts = Get-CIPPAzDataTableEntity @Table -Filter $Filter
- $DeltaTable = Get-CIPPTable -Table DeltaCompare
- $LastRunTable = Get-CIPPTable -Table AlertLastRun
 $IgnoreList = @('Etag', 'PartitionKey', 'Timestamp', 'RowKey', 'tenantid', 'tenant', 'type')
 $alertList = $Alerts | Select-Object * -ExcludeProperty $IgnoreList
 foreach ($task in ($AlertList.psobject.members | Where-Object { $_.MemberType -EQ 'NoteProperty' -and $_.value -eq $True }).name) {
 $QueueItem = [pscustomobject]@{
 tenant = $tenant.tenant
 tenantid = $tenant.tenantid
- DeltaTable = $DeltaTable
- LastRunTable = $LastRunTable
 FunctionName = "CIPPAlert$($Task)"
 }
 Push-OutputBinding -Name QueueItem -Value $QueueItem
From 906c4f281f55cf6b67ebce76f07adf3d5d188c72 Mon Sep 17 00:00:00 2001
From: KelvinTegelaar
Date: Wed, 3 Jan 2024 01:36:59 +0100
Subject: [PATCH 3/3] version upped
---
 version_latest.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_latest.txt b/version_latest.txt
index b617d997d770..1f1ac7c2f330 100644
--- a/version_latest.txt
+++ b/version_latest.txt
@@ -1 +1 @@
-4.9.0
\ No newline at end of file
+4.9.1
\ No newline at end of file