Merge pull request #101 from KelvinTegelaar/dev
JohnDuprey authored Jan 28, 2024
2 parents 9c0ffc2 + b0adf6a commit fcaadc3
Showing 8 changed files with 39 additions and 93 deletions.
Expand Up @@ -33,7 +33,7 @@ Function Invoke-AddSharedMailbox {
}
catch {
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -tenant $($groupobj.tenantid) -message "Group creation API failed. $($_.Exception.Message)" -Sev 'Error'
$body = [pscustomobject]@{'Results' = "Failed to create group. $($_.Exception.Message)" }
$body = [pscustomobject]@{'Results' = "Failed to create Shared Mailbox. $($_.Exception.Message)" }

}

12 changes: 5 additions & 7 deletions Modules/CIPPCore/Public/Entrypoints/Invoke-ListMailboxRules.ps1
Expand Up @@ -18,8 +18,7 @@ Function Invoke-ListMailboxRules {
# Interact with query parameters or the body of the request.
$TenantFilter = $Request.Query.TenantFilter

$Table = Get-CIPPTable -TableName cachembxrules
$Rows = Get-CIPPAzDataTableEntity @Table | Where-Object -Property Timestamp -GT (Get-Date).Addhours(-1)

if (!$Rows) {
Push-OutputBinding -Name mbxrulequeue -Value $TenantFilter
$GraphRequest = [PSCustomObject]@{
Expand All @@ -28,17 +27,16 @@ Function Invoke-ListMailboxRules {
}
} else {
if ($TenantFilter -ne 'AllTenants') {
$Table = Get-CIPPTable -TableName cachembxrules
$Rows = Get-CIPPAzDataTableEntity @Table | Where-Object -Property Timestamp -GT (Get-Date).Addhours(-1)
$GraphRequest = $Rows | Where-Object -Property Tenant -EQ $TenantFilter | ForEach-Object {
$NewObj = $_.Rules | ConvertFrom-Json
$NewObj | Add-Member -NotePropertyName 'Tenant' -NotePropertyValue $TenantFilter
$NewObj
}
} else {
$GraphRequest = $Rows | ForEach-Object {
$TenantName = $_.Tenant
$NewObj = $_.Rules | ConvertFrom-Json
$NewObj | Add-Member -NotePropertyName 'Tenant' -NotePropertyValue $TenantName
$NewObj
$GraphRequest = New-ExoRequest -tenantid $tenantFilter -cmdlet 'Get-Mailbox' -Select 'userPrincipalName,GUID' | ForEach-Object {
New-ExoRequest -Anchor $_.UserPrincipalName -tenantid $tenantFilter -cmdlet 'Get-InboxRule' -cmdParams @{Mailbox = $_.GUID }
}
}
}
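Review bot: As rendered, the new live `New-ExoRequest -tenantid $tenantFilter -cmdlet 'Get-Mailbox'` call and its inner `Get-InboxRule` call sit under the `else` of `if ($TenantFilter -ne 'AllTenants')`, where `$tenantFilter` holds the literal string 'AllTenants', which cannot be a usable `-tenantid`; if the nesting is really as shown the block belongs in the single-tenant branch, and if the page has interleaved the branches it still deserves a second look before merge. The per-mailbox `Get-InboxRule` call has no error handling, so one mailbox that cannot be queried will presumably abort the whole listing rather than be skipped; wrapping the inner call in `try { … } catch { Write-LogMessage … -Sev 'Error' }` and continuing keeps this forwarding-rule view (a common detection input) available for the remaining mailboxes. With the `$Table`/`$Rows` cache lookup moved below it, the `if (!$Rows)` condition at the top of the first hunk reads `$Rows` before anything visible assigns it, unless lines above the hunk do so; confirm the intended order. The function's header and its return lie outside the hunks.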
Expand Up @@ -23,8 +23,6 @@ Function Invoke-ListMailboxRulesAllTenants {
try {

$Rules = New-ExoRequest -tenantid $domainName -cmdlet 'Get-Mailbox' | ForEach-Object -Parallel {
Import-Module '.\Modules\AzBobbyTables'
Import-Module '.\Modules\CIPPCore'
New-ExoRequest -Anchor $_.UserPrincipalName -tenantid $domainName -cmdlet 'Get-InboxRule' -cmdParams @{Mailbox = $_.GUID }
}
foreach ($Rule in $Rules) {
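Review bot: `$domainName` on the inner `New-ExoRequest -Anchor $_.UserPrincipalName -tenantid $domainName` line is read inside the `ForEach-Object -Parallel` script block without `$using:`; parallel runspaces do not see the caller's variables, so `-tenantid` would be empty there. Change it to `-tenantid $using:domainName` (this is a context line the commit did not touch, but it sits on the new side). With the two `Import-Module` lines removed, each runspace now relies on module auto-discovery to resolve `New-ExoRequest`; that works only if the Modules folder is on `PSModulePath` in the function host, which is worth confirming rather than assuming. The enclosing `try` opens above the hunk and the `foreach ($Rule in $Rules)` body continues below it.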
16 changes: 14 additions & 2 deletions Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1

Large diffs are not rendered by default.

44 changes: 10 additions & 34 deletions Modules/CIPPCore/Public/Entrypoints/Push-CIPPAlertMFAAdmins.ps1
Expand Up @@ -6,46 +6,22 @@ function Push-CIPPAlertMFAAdmins {
$TriggerMetadata
)
try {
$LastRunTable = Get-CIPPTable -Table AlertLastRun
$Filter = "RowKey eq 'MFAAllAdmins' and PartitionKey eq '{0}'" -f $QueueItem.tenantid
$LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
$Yesterday = (Get-Date).AddDays(-1)
if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
$StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$AdminList = (New-GraphGETRequest -uri "https://graph.microsoft.com/beta/directoryRoles?`$expand=members" -tenantid $($QueueItem.tenant) | Where-Object -Property roleTemplateId -NE 'd29b2b05-8046-44ba-8758-1e26182fcf32').members | Where-Object { $_.userPrincipalName -ne $null -and $_.Usertype -eq 'Member' -and $_.accountEnabled -eq $true } | Sort-Object UserPrincipalName -Unique
$CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $QueueItem.tenant -ErrorAction Stop)
foreach ($Policy in $CAPolicies) {
if ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa') {
$DuoActive = $true
}
}
$CAPolicies = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -tenantid $QueueItem.tenant -ErrorAction Stop)
foreach ($Policy in $CAPolicies) {
if ($policy.grantControls.customAuthenticationFactors -eq 'RequireDuoMfa') {
$DuoActive = $true
}
if (!$DuoActive) {
$AdminList | ForEach-Object {
$CARegistered = $null
try {
New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.ID)/authentication/Methods" -tenantid $($QueueItem.tenant) | ForEach-Object {
if ($_.'@odata.type' -in $StrongMFAMethods) {
$CARegistered = $true
}
}
if ($CARegistered -ne $true) {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Admin $($_.UserPrincipalName) is enabled but does not have any form of MFA configured."
}
} catch {
# Error handling here if needed
}
$users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$filter=IsAdmin eq true' -tenantid $($QueueItem.tenant) | Where-Object -Property 'isMfaRegistered' -EQ $false
if ($users) {
Write-AlertMessage -tenant $QueueItem.tenant -message "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"
}
} else {
Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Info
}
$LastRun = @{
RowKey = 'MFAAllAdmins'
PartitionKey = $QueueItem.tenantid
}
Add-CIPPAzDataTableEntity @LastRunTable -Entity $LastRun -Force
}
}
} catch {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get MFA status for admins for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
Write-LogMessage -message "Failed to check MFA status for Admins: $($_.exception.message)" -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Error
}
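Review bot: The new `userRegistrationDetails?$filter=IsAdmin eq true` query at the `$users = ` line drops the conditions the removed code applied before alerting — `userType eq 'Member'`, `accountEnabled eq true` and the exclusion of the `d29b2b05-8046-44ba-8758-1e26182fcf32` role template — so disabled admins and directory-sync service accounts that never register MFA will presumably now appear in the alert, turning a high-signal alert into a noisy one. If the report exposes fields for account state or user type, add a `Where-Object` on them beside `isMfaRegistered`; otherwise cross-check the returned UPNs against a users query carrying those filters before calling `Write-AlertMessage`. The same filter loss applies to the `isMfaRegistered eq false` query in Push-CIPPAlertMFAAlertUsers, whose removed lines restricted users to `userType eq 'Member' and accountEnabled eq true`. The function's parameter block starts above the hunk.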

}
Expand Up @@ -11,51 +11,13 @@ function Push-CIPPAlertMFAAlertUsers {
$LastRun = Get-CIPPAzDataTableEntity @LastRunTable -Filter $Filter
$Yesterday = (Get-Date).AddDays(-1)
if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday)) {
$users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=userPrincipalName,id,accountEnabled,userType&`$filter=userType eq 'Member' and accountEnabled eq true" -tenantid $($QueueItem.tenant)
Write-Host "found $($users.count) users for $($QueueItem.tenant)"
$StrongMFAMethods = '#microsoft.graph.fido2AuthenticationMethod', '#microsoft.graph.phoneAuthenticationMethod', '#microsoft.graph.passwordlessmicrosoftauthenticatorauthenticationmethod', '#microsoft.graph.softwareOathAuthenticationMethod', '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'

$UserBatches = [System.Collections.Generic.List[Object]]@()
for ($i = 0; $i -lt $users.count; $i += 20) {
$UserBatches.Add($users[$i..($i + 19)])
$users = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?$filter=isMfaRegistered eq false' -tenantid $($QueueItem.tenant)
if ($users) {
Write-AlertMessage -tenant $QueueItem.tenant -message "The following users do not have MFA registered: $($users.UserPrincipalName -join ', ')"
}

$UserBatches | ForEach-Object -Parallel {
try {
Write-Host "processing batch of $($_.count) users for $($using:QueueItem.tenant)"
Import-Module CippCore
Import-Module AzBobbyTables
$UserBatch = $_
Write-Host "processing batch of $($UserBatch.count) users"
$BatchRequests = $UserBatch | ForEach-Object {
@{
id = $_.id
method = 'GET'
url = "users/$($_.ID)/authentication/Methods"
}
}
$BatchResponses = New-GraphBulkRequest -tenantid $using:QueueItem.tenant -Requests $BatchRequests
foreach ($response in $BatchResponses) {
$UPN = ($UserBatch | Where-Object { $_.id -eq $response.id }).UserPrincipalName
$CARegistered = $false

foreach ($method in $response.body.value) {
if ($method.'@odata.type' -in $using:StrongMFAMethods) {
$CARegistered = $true
break
}
}

if (-not $CARegistered) {
Write-AlertMessage -tenant $using:QueueItem.tenant -message "User $UPN is enabled but does not have any form of MFA configured."
}
}
} catch {
}
} -ThrottleLimit 25
}
} catch {
Write-AlertMessage -tenant $($QueueItem.tenant) -message "Could not get MFA status for users for $($QueueItem.tenant): $(Get-NormalizedError -message $_.Exception.message)"
Write-LogMessage -message "Failed to check MFA status for all users: $($_.exception.message)" -API 'MFA Alerts - Informational' -tenant $QueueItem.tenant -sev Info
}
$LastRun = @{
RowKey = 'MFAAllUsers'
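Review bot: The daily `$LastRun` gate kept as context at the top of this hunk (`if (-not $LastRun.Timestamp.DateTime -or ($LastRun.Timestamp.DateTime -le $Yesterday))`) was removed from Push-CIPPAlertMFAAdmins in this same commit, so the two alerts now run on different cadences — admins on every queue run, users at most once per day. If both are meant to follow the queue schedule, drop the gate here as well; if the daily limit is intended, say so with a comment such as `# alert at most once per day per tenant; tracked in the AlertLastRun table`. The single `Write-AlertMessage` also joins every unregistered UPN into one string, which for a large tenant yields a very long message where the removed per-user alert was easier to act on; including a count and chunking or truncating the list would keep it readable. The function header and the LastRun write-back after `RowKey = 'MFAAllUsers'` lie outside the hunk.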
Expand Up @@ -34,7 +34,7 @@ function Invoke-CIPPStandardPhishProtection {
} else {
$currentBody = $currentBody + $CSS
Write-Host 'Creating Logon Screen Phising Protection System'
New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/0/customCSS" -ContentType 'text/css' -asApp $true -Type PUT -Body $CSS
New-GraphPostRequest -tenantid $tenant -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/0/customCSS" -ContentType 'text/css' -asApp $true -Type PUT -Body $currentBody
Write-LogMessage -API 'Standards' -tenant $tenant -message 'Enabled Logon Screen Phishing Protection system' -sev Info
}
} catch {
Expand All @@ -53,4 +53,4 @@ function Invoke-CIPPStandardPhishProtection {
if ($currentBody -like "*$CSS*") { $authstate = $true } else { $authstate = $false }
Add-CIPPBPAField -FieldName 'PhishProtection' -FieldValue [bool]$authstate -StoreAs bool -Tenant $tenant
}
}
}
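Review bot: The idempotency check `if ($currentBody -like "*$CSS*")` in the second hunk uses `-like`, which treats `*`, `?` and `[` inside `$CSS` as wildcards; attribute selectors or bracketed text in the CSS would make the match fail, and the PUT on the changed line would then append `$CSS` to `$currentBody` again on every run. Compare literally instead, e.g. `if ($currentBody.Contains($CSS)) { … }` or `-like ('*' + [WildcardPattern]::Escape($CSS) + '*')`; the condition that selects the `else` branch in the first hunk sits above it and is likely the same pattern, so check it too. The concatenation `$currentBody + $CSS` also adds no separator, so the new block is glued to the last existing rule; `$currentBody + "`n" + $CSS` keeps the stored CSS readable. The enclosing `try` and the function header lie above the first hunk.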
6 changes: 3 additions & 3 deletions Scheduler_CIPPNotifications/run.ps1
Expand Up @@ -60,7 +60,7 @@ try {
$JSONBody = @"
{
"message": {
"subject": "$tenant CIPP Alert: Alerts found starting at $((Get-Date).AddMinutes(-15))",
"subject": "CIPP Alert: Alerts found starting at $((Get-Date).AddMinutes(-15))",
"body": {
"contentType": "HTML",
"content": "You've setup your alert policies to be alerted whenever specific events happen. We've found some of these events in the log:<br><br>
Expand All @@ -78,12 +78,12 @@ try {
}
"@
New-GraphPostRequest -uri 'https://graph.microsoft.com/v1.0/me/sendMail' -tenantid $env:TenantID -type POST -body ($JSONBody)
Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant $Tenant -sev Debug
Write-LogMessage -API 'Alerts' -message "Sent alerts to: $($Config.email)" -tenant 'All Tenants' -sev Debug
}
}
} catch {
Write-Host "Could not send alerts to email: $($_.Exception.message)"
Write-LogMessage -API 'Alerts' -message "Could not send alerts to: $($_.Exception.message)" -tenant $Tenant -sev error
Write-LogMessage -API 'Alerts' -message "Could not send alerts to: $($_.Exception.message)" -tenant 'All Tenants' -sev error
}
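Review bot: `$JSONBody` is still assembled by interpolating values into a here-string, so any alert text that reaches the `content` field (on the lines collapsed between the two hunks) containing a double quote, backslash or control character produces invalid JSON, and HTML present in a log entry is rendered unescaped in the recipient's mail client. Building the message as a hashtable and serialising it with `ConvertTo-Json -Depth 10` escapes the values, and passing log text through `[System.Net.WebUtility]::HtmlEncode()` before it is placed in the HTML body keeps it inert. Replacing `-tenant $Tenant` with `-tenant 'All Tenants'` on the two `Write-LogMessage` lines also removes the tenant attribution from the log; if this scheduler now sends one consolidated mail that is fine, but if it still loops per tenant (the loop, if any, is above the hunk) the per-tenant record is lost. The `try` block opens above the first hunk.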



0 comments on commit fcaadc3
