Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev

Author: JohnDuprey

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Groups/Invoke-AddGroup.ps1

@@ -11,80 +11,76 @@ Function Invoke-AddGroup {
     param($Request, $TriggerMetadata)
 
     $APIName = $Request.Params.CIPPEndpoint
-    Write-LogMessage -headers $Request.Headers -API $APINAME -message 'Accessed this API' -Sev 'Debug'
+    $SelectedTenants = if ('AllTenants' -in $SelectedTenants) { (Get-Tenants).defaultDomainName } else { $Request.body.tenantFilter.value ? $Request.body.tenantFilter.value : $Request.body.tenantFilter }
+    Write-LogMessage -headers $Request.Headers -API $APIName -message 'Accessed this API' -Sev Debug
 
-    $groupobj = $Request.body
-    $SelectedTenants = $request.body.tenantfilter.value ? $request.body.tenantfilter.value : $request.body.tenantfilter
-    if ('AllTenants' -in $SelectedTenants) { $SelectedTenants = (Get-Tenants).defaultDomainName }
 
-    # Write to the Azure Functions log stream.
-    Write-Host 'PowerShell HTTP trigger function processed a request.'
-    $results = foreach ($tenant in $SelectedTenants) {
+    $GroupObject = $Request.body
+
+    $Results = foreach ($tenant in $SelectedTenants) {
         try {
-            $email = if ($groupobj.primDomain.value) { "$($groupobj.username)@$($groupobj.primDomain.value)" } else { "$($groupobj.username)@$($tenant)" }
-            if ($groupobj.groupType -in 'Generic', 'azurerole', 'dynamic', 'm365') {
+            $Email = if ($GroupObject.primDomain.value) { "$($GroupObject.username)@$($GroupObject.primDomain.value)" } else { "$($GroupObject.username)@$($tenant)" }
+            if ($GroupObject.groupType -in 'Generic', 'azurerole', 'dynamic', 'm365') {
 
-                $BodyToship = [pscustomobject] @{
-                    'displayName'      = $groupobj.Displayname
-                    'description'      = $groupobj.Description
-                    'mailNickname'     = $groupobj.username
+                $BodyParams = [pscustomobject] @{
+                    'displayName'      = $GroupObject.displayName
+                    'description'      = $GroupObject.description
+                    'mailNickname'     = $GroupObject.username
                     mailEnabled        = [bool]$false
                     securityEnabled    = [bool]$true
-                    isAssignableToRole = [bool]($groupobj | Where-Object -Property groupType -EQ 'AzureRole')
+                    isAssignableToRole = [bool]($GroupObject | Where-Object -Property groupType -EQ 'AzureRole')
                 }
-                if ($groupobj.membershipRules) {
-                    $BodyToship | Add-Member -NotePropertyName 'membershipRule' -NotePropertyValue ($groupobj.membershipRules)
-                    $BodyToship | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('DynamicMembership')
-                    $BodyToship | Add-Member -NotePropertyName 'membershipRuleProcessingState' -NotePropertyValue 'On'
+                if ($GroupObject.membershipRules) {
+                    $BodyParams | Add-Member -NotePropertyName 'membershipRule' -NotePropertyValue ($GroupObject.membershipRules)
+                    $BodyParams | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('DynamicMembership')
+                    $BodyParams | Add-Member -NotePropertyName 'membershipRuleProcessingState' -NotePropertyValue 'On'
                 }
-                if ($groupobj.groupType -eq 'm365') {
-                    $BodyToship | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('Unified')
+                if ($GroupObject.groupType -eq 'm365') {
+                    $BodyParams | Add-Member -NotePropertyName 'groupTypes' -NotePropertyValue @('Unified')
                 }
-                if ($groupobj.owners -AND $groupobj.groupType -in 'generic', 'azurerole', 'security') {
-                    $BodyToship | Add-Member -NotePropertyName 'owners@odata.bind' -NotePropertyValue (($groupobj.AddOwner) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })
-                    $bodytoship.'owners@odata.bind' = @($bodytoship.'owners@odata.bind')
+                if ($GroupObject.owners -AND $GroupObject.groupType -in 'generic', 'azurerole', 'security') {
+                    $BodyParams | Add-Member -NotePropertyName 'owners@odata.bind' -NotePropertyValue (($GroupObject.AddOwner) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })
+                    $BodyParams.'owners@odata.bind' = @($BodyParams.'owners@odata.bind')
                 }
-                if ($groupobj.members -AND $groupobj.groupType -in 'generic', 'azurerole', 'security') {
-                    $BodyToship | Add-Member -NotePropertyName 'members@odata.bind' -NotePropertyValue (($groupobj.AddMember) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })
-                    $BodyToship.'members@odata.bind' = @($BodyToship.'members@odata.bind')
+                if ($GroupObject.members -AND $GroupObject.groupType -in 'generic', 'azurerole', 'security') {
+                    $BodyParams | Add-Member -NotePropertyName 'members@odata.bind' -NotePropertyValue (($GroupObject.AddMember) | ForEach-Object { "https://graph.microsoft.com/v1.0/users/$($_.value)" })
+                    $BodyParams.'members@odata.bind' = @($BodyParams.'members@odata.bind')
                 }
-                $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant -type POST -body (ConvertTo-Json -InputObject $BodyToship -Depth 10) -verbose
+                $GraphRequest = New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/groups' -tenantid $tenant -type POST -body (ConvertTo-Json -InputObject $BodyParams -Depth 10) -Verbose
             } else {
-                if ($groupobj.groupType -eq 'dynamicdistribution') {
-                    $Params = @{
-                        Name               = $groupobj.Displayname
-                        RecipientFilter    = $groupobj.membershipRules
-                        PrimarySmtpAddress = $email
+                if ($GroupObject.groupType -eq 'dynamicDistribution') {
+                    $ExoParams = @{
+                        Name               = $GroupObject.displayName
+                        RecipientFilter    = $GroupObject.membershipRules
+                        PrimarySmtpAddress = $Email
                     }
-                    $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DynamicDistributionGroup' -cmdParams $params
+                    $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DynamicDistributionGroup' -cmdParams $ExoParams
                 } else {
-                    $Params = @{
-                        Name                               = $groupobj.Displayname
-                        Alias                              = $groupobj.username
-                        Description                        = $groupobj.Description
-                        PrimarySmtpAddress                 = $email
-                        Type                               = $groupobj.groupType
-                        RequireSenderAuthenticationEnabled = [bool]!$groupobj.AllowExternal
+                    $ExoParams = @{
+                        Name                               = $GroupObject.displayName
+                        Alias                              = $GroupObject.username
+                        Description                        = $GroupObject.description
+                        PrimarySmtpAddress                 = $Email
+                        Type                               = $GroupObject.groupType
+                        RequireSenderAuthenticationEnabled = [bool]!$GroupObject.allowExternal
                     }
-                    $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params
+                    $GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $ExoParams
                 }
-                #$GraphRequest = New-ExoRequest -tenantid $tenant -cmdlet 'New-DistributionGroup' -cmdParams $params
-                # At some point add logic to use AddOwner/AddMember for New-DistributionGroup, but idk how we're going to brr that - rvdwegen
             }
-            "Successfully created group $($groupobj.displayname) for $($tenant)"
-            Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $tenant -message "Created group $($groupobj.displayname) with id $($GraphRequest.id)" -Sev 'Info'
+            "Successfully created group $($GroupObject.displayName) for $($tenant)"
+            Write-LogMessage -headers $Request.Headers -API $APIName -tenant $tenant -message "Created group $($GroupObject.displayName) with id $($GraphRequest.id)" -Sev Info
 
         } catch {
-            Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $tenant -message "Group creation API failed. $($_.Exception.Message)" -Sev 'Error'
-            "Failed to create group. $($groupobj.displayname) for $($tenant) $($_.Exception.Message)"
+            $ErrorMessage = Get-CippException -Exception $_
+            Write-LogMessage -headers $Request.Headers -API $APIName -tenant $tenant -message "Group creation API failed. $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+            "Failed to create group. $($GroupObject.displayName) for $($tenant) $($ErrorMessage.NormalizedError)"
         }
     }
-    $body = [pscustomobject]@{'Results' = @($results) }
+    $ResponseBody = [pscustomobject]@{'Results' = @($Results) }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK
-            Body       = $Body
+            Body       = $ResponseBody
         })
-
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Invoke-SetAuthMethod.ps1

@@ -5,28 +5,23 @@ function Invoke-SetAuthMethod {
     .ROLE
         Tenant.Administration.ReadWrite
     #>
-    Param(
-        $Request,
-        $TriggerMetadata
-    )
+    Param($Request, $TriggerMetadata)
 
-    $APIName = "Set Authentication Policy"
-    $state = if ($Request.Body.state -eq 'enabled') { $true } else { $false }
-    $Tenantfilter = $Request.Body.TenantFilter
+    $APIName = $Request.Params.CIPPEndpoint
+    $State = if ($Request.Body.state -eq 'enabled') { $true } else { $false }
+    $TenantFilter = $Request.Body.tenantFilter
 
     try {
-        Set-CIPPAuthenticationPolicy -Tenant $Tenantfilter -APIName $APIName -AuthenticationMethodId $($Request.Body.Id) -Enabled $state
+        $Result = Set-CIPPAuthenticationPolicy -Tenant $TenantFilter -APIName $APIName -AuthenticationMethodId $($Request.Body.Id) -Enabled $State -Headers $Request.Headers
         $StatusCode = [HttpStatusCode]::OK
-        $SuccessMessage = "Authentication Policy for $($Request.Body.Id) has been set to $state"
     } catch {
-        $ErrorMsg = Get-NormalizedError -message $($_.Exception.Message)
-        $SuccessMessage = "Function Error: $($_.InvocationInfo.ScriptLineNumber) - $ErrorMsg"
-        $StatusCode = [HttpStatusCode]::BadRequest
+        $Result = $_
+        $StatusCode = [HttpStatusCode]::Forbidden
     }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = $StatusCode
-            Body       = [pscustomobject]@{'Results' = "$SuccessMessage" }
+            Body       = [pscustomobject]@{'Results' = "$Result" }
         })
-}
+}

Modules/CIPPCore/Public/Set-CIPPAuthenticationPolicy.ps1

@@ -2,14 +2,16 @@ function Set-CIPPAuthenticationPolicy {
     [CmdletBinding(SupportsShouldProcess = $true)]
     param(
         [Parameter(Mandatory = $true)]$Tenant,
-        [Parameter(Mandatory = $true)][ValidateSet('FIDO2', 'MicrosoftAuthenticator', 'SMS', 'TemporaryAccessPass', 'HardwareOATH', 'softwareOath', 'Voice', 'Email', 'x509Certificate')]$AuthenticationMethodId,
+        [Parameter(Mandatory = $true)][ValidateSet('FIDO2', 'MicrosoftAuthenticator', 'SMS', 'TemporaryAccessPass', 'HardwareOATH', 'softwareOath', 'Voice', 'Email', 'x509Certificate', 'QRCodePin')]$AuthenticationMethodId,
         [Parameter(Mandatory = $true)][bool]$Enabled, # true = enabled or false = disabled
         $MicrosoftAuthenticatorSoftwareOathEnabled,
         $TAPMinimumLifetime = 60, #Minutes
         $TAPMaximumLifetime = 480, #minutes
         $TAPDefaultLifeTime = 60, #minutes
         $TAPDefaultLength = 8, #TAP password generated length in chars
         $TAPisUsableOnce = $true,
+        [Parameter()][ValidateRange(1, 395)]$QRCodeLifetimeInDays = 365,
+        [Parameter()][ValidateRange(8, 20)]$QRCodePinLength = 8,
         $APIName = 'Set Authentication Policy',
         $Headers
     )
@@ -56,7 +58,7 @@ function Set-CIPPAuthenticationPolicy {
         'SMS' {
             if ($State -eq 'enabled') {
                 Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Setting $AuthenticationMethodId to enabled is not allowed" -sev Error
-                return "Setting $AuthenticationMethodId to enabled is not allowed"
+                throw "Setting $AuthenticationMethodId to enabled is not allowed"
             }
         }
 
@@ -87,39 +89,47 @@ function Set-CIPPAuthenticationPolicy {
             # Disallow enabling voice
             if ($State -eq 'enabled') {
                 Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Setting $AuthenticationMethodId to enabled is not allowed" -sev Error
-                return "Setting $AuthenticationMethodId to enabled is not allowed"
+                throw "Setting $AuthenticationMethodId to enabled is not allowed"
             }
         }
 
         # Email OTP
         'Email' {
             if ($State -eq 'enabled') {
                 Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Setting $AuthenticationMethodId to enabled is not allowed" -sev Error
-                return "Setting $AuthenticationMethodId to enabled is not allowed"
+                throw "Setting $AuthenticationMethodId to enabled is not allowed"
             }
         }
 
         # Certificate-based authentication
         'x509Certificate' {
             # Nothing special to do here
         }
+
+        # QR code
+        'QRCodePin' {
+            if ($State -eq 'enabled') {
+                Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Setting $AuthenticationMethodId to enabled is not allowed" -sev Error
+                throw "Setting $AuthenticationMethodId to enabled is not allowed"
+            }
+        }
         Default {
             Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Somehow you hit the default case with an input of $AuthenticationMethodId . You probably made a typo in the input for AuthenticationMethodId. It`'s case sensitive." -sev Error
-            return "Somehow you hit the default case with an input of $AuthenticationMethodId . You probably made a typo in the input for AuthenticationMethodId. It`'s case sensitive."
+            throw "Somehow you hit the default case with an input of $AuthenticationMethodId . You probably made a typo in the input for AuthenticationMethodId. It`'s case sensitive."
         }
     }
     # Set state of the authentication method
     try {
         if ($PSCmdlet.ShouldProcess($AuthenticationMethodId, "Set state to $State $OptionalLogMessage")) {
             # Convert body to JSON and send request
-            $null = New-GraphPostRequest -tenantid $Tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/$AuthenticationMethodId" -Type patch -Body ($CurrentInfo | ConvertTo-Json -Compress -Depth 10) -ContentType 'application/json'
+            $null = New-GraphPostRequest -tenantid $Tenant -Uri "https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/$AuthenticationMethodId" -Type PATCH -Body (ConvertTo-Json -InputObject $CurrentInfo -Compress -Depth 10) -ContentType 'application/json'
             Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Set $AuthenticationMethodId state to $State $OptionalLogMessage" -sev Info
         }
         return "Set $AuthenticationMethodId state to $State $OptionalLogMessage"
 
     } catch {
         $ErrorMessage = Get-CippException -Exception $_
         Write-LogMessage -headers $Headers -API $APIName -tenant $Tenant -message "Failed to $State $AuthenticationMethodId Support: $ErrorMessage" -sev Error -LogData $ErrorMessage
-        return "Failed to $State $AuthenticationMethodId Support. Error: $($ErrorMessage.NormalizedError)"
+        throw "Failed to $State $AuthenticationMethodId Support. Error: $($ErrorMessage.NormalizedError)"
     }
 }

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1

@@ -36,7 +36,10 @@ function Invoke-CIPPStandardDisableEmail {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'Email authentication method is already disabled.' -sev Info
         } else {
-            Set-CIPPAuthenticationPolicy -Tenant $tenant -APIName 'Standards' -AuthenticationMethodId 'Email' -Enabled $false
+            try {
+                Set-CIPPAuthenticationPolicy -Tenant $tenant -APIName 'Standards' -AuthenticationMethodId 'Email' -Enabled $false
+            } catch {
+            }
         }
     }
 

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableQRCodePin.ps1

@@ -0,0 +1,56 @@
+function Invoke-CIPPStandardDisableQRCodePin {
+    <#
+    .FUNCTIONALITY
+        Internal
+    .COMPONENT
+        (APIName) DisableQRCodePin
+    .SYNOPSIS
+        (Label) Disables QR Code Pin as an MFA method
+    .DESCRIPTION
+        (Helptext) This blocks users from using QR Code Pin as an MFA method. If a user only has QR Code Pin as a MFA method, they will be unable to log in.
+        (DocsDescription) Disables QR Code Pin as an MFA method for the tenant. If a user only has QR Code Pin as a MFA method, they will be unable to sign in.
+    .NOTES
+        CAT
+            Entra (AAD) Standards
+        TAG
+            "highimpact"
+        ADDEDCOMPONENT
+        IMPACT
+            High Impact
+        POWERSHELLEQUIVALENT
+            Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
+        RECOMMENDEDBY
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/list-standards/entra-aad-standards#high-impact
+    #>
+
+    param($Tenant, $Settings)
+
+    $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/QRCodePin' -tenantid $Tenant
+    $StateIsCorrect = ($CurrentState.state -eq 'disabled')
+
+    If ($Settings.remediate -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'QR Code Pin authentication method is already disabled.' -sev Info
+        } else {
+            try {
+                Set-CIPPAuthenticationPolicy -Tenant $tenant -APIName 'Standards' -AuthenticationMethodId 'QRCodePin' -Enabled $false
+            } catch {
+            }
+        }
+    }
+
+    if ($Settings.alert -eq $true) {
+        if ($StateIsCorrect -eq $true) {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'QR Code Pin authentication method is not enabled' -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $tenant -message 'QR Code Pin authentication method is enabled' -sev Alert
+        }
+    }
+
+    if ($Settings.report -eq $true) {
+        Add-CIPPBPAField -FieldName 'DisableQRCodePin' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+    }
+}

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1

@@ -36,7 +36,10 @@ function Invoke-CIPPStandardDisableSMS {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMS authentication method is already disabled.' -sev Info
         } else {
-            Set-CIPPAuthenticationPolicy -Tenant $tenant -APIName 'Standards' -AuthenticationMethodId 'SMS' -Enabled $false
+            try {
+                Set-CIPPAuthenticationPolicy -Tenant $tenant -APIName 'Standards' -AuthenticationMethodId 'SMS' -Enabled $false
+            } catch {
+            }
         }
     }