Merge pull request #51 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: isgq-github01

CIPP-Permissions.json

@@ -80,14 +80,6 @@
     "RunOnProcessor": true,
     "PreferredProcessor": "standards"
   },
-  {
-    "Id": "5113c66d-c040-42df-9565-39dff90ddd55",
-    "Command": "Start-CIPPGraphSubscriptionCleanupTimer",
-    "Description": "Orchestrator to cleanup old Graph subscriptions",
-    "Cron": "0 0 0 * * *",
-    "Priority": 5,
-    "RunOnProcessor": true
-  },
   {
     "Id": "97145a1d-28f0-4bb2-b929-5a43517d23cc",
     "Command": "Start-SchedulerOrchestrator",

CIPPTimers.json

@@ -1722,6 +1722,35 @@
     "powershellEquivalent": "New-ProtectionAlert and Set-ProtectionAlert",
     "recommendedBy": []
   },
+  {
+    "name": "standards.SafeLinksTemplatePolicy",
+    "label": "SafeLinks Policy Template",
+    "cat": "Templates",
+    "multiple": false,
+    "disabledFeatures": {
+      "report": false,
+      "warn": false,
+      "remediate": false
+    },
+    "impact": "Medium Impact",
+    "addedDate": "2025-04-29",
+    "helpText": "Deploy and manage SafeLinks policy templates to protect against malicious URLs in emails and Office documents.",
+    "addedComponent": [
+      {
+        "type": "autoComplete",
+        "multiple": true,
+        "creatable": false,
+        "name": "standards.SafeLinksTemplatePolicy.TemplateIds",
+        "label": "Select SafeLinks Policy Templates",
+        "api": {
+          "url": "/api/ListSafeLinksPolicyTemplates",
+          "labelField": "TemplateName",
+          "valueField": "GUID",
+          "queryKey": "ListSafeLinksPolicyTemplates"
+        }
+      }
+    ]
+  },
   {
     "name": "standards.SafeLinksPolicy",
     "cat": "Defender Standards",

Config/standards.json

@@ -7,21 +7,22 @@ function Add-CIPPGroupMember(
     [string]$APIName = 'Add Group Member'
 ) {
     try {
-        if ($member -like '*#EXT#*') { $member = [System.Web.HttpUtility]::UrlEncode($member) }
-        $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($member)" -tenantid $TenantFilter).id
-        $addmemberbody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }"
+        if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) }
+        $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Member)" -tenantid $TenantFilter).id
+        $AddMemberBody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }"
         if ($GroupType -eq 'Distribution list' -or $GroupType -eq 'Mail-Enabled Security') {
-            $Params = @{ Identity = $GroupId; Member = $member; BypassSecurityGroupManagerCheck = $true }
-            $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Add-DistributionGroupMember' -cmdParams $params -UseSystemMailbox $true
+            $Params = @{ Identity = $GroupId; Member = $Member; BypassSecurityGroupManagerCheck = $true }
+            $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Add-DistributionGroupMember' -cmdParams $Params -UseSystemMailbox $true
         } else {
-            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $TenantFilter -type patch -body $addmemberbody -Verbose
+            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $TenantFilter -type patch -body $AddMemberBody -Verbose
         }
-        $Message = "Successfully added user $($Member) to $($GroupId)."
-        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
-        return $message
+        $Results = "Successfully added user $($Member) to $($GroupId)."
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'Info'
+        return $Results
     } catch {
-        $message = "Failed to add user $($Member) to $($GroupId) - $($_.Exception.Message)"
-        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $message -Sev 'error' -LogData (Get-CippException -Exception $_)
-        return $message
+        $ErrorMessage = Get-CippException -Exception $_
+        $Results = "Failed to add user $($Member) to $($GroupId) - $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'error' -LogData $ErrorMessage
+        throw $Results
     }
 }

Modules/CIPPCore/Public/Add-CIPPGroupMember.ps1

@@ -18,13 +18,22 @@ function Get-CIPPAlertAppSecretExpiry {
         return
     }
 
-    $AlertData = foreach ($App in $applist) {
+    $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+    foreach ($App in $applist) {
         Write-Host "checking $($App.displayName)"
         if ($App.passwordCredentials) {
             foreach ($Credential in $App.passwordCredentials) {
                 if ($Credential.endDateTime -lt (Get-Date).AddDays(30) -and $Credential.endDateTime -gt (Get-Date).AddDays(-7)) {
                     Write-Host ("Application '{0}' has secrets expiring on {1}" -f $App.displayName, $Credential.endDateTime)
-                    @{ DisplayName = $App.displayName; Expires = $Credential.endDateTime }
+
+                    $Message = [PSCustomObject]@{
+                        AppName    = $App.displayName
+                        AppId      = $App.appId
+                        Expires    = $Credential.endDateTime
+                        Tenant     = $TenantFilter
+                    }
+                    $AlertData.Add($Message)
                 }
             }
         }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAppSecretExpiry.ps1

@@ -0,0 +1,31 @@
+function Get-CIPPAlertGlobalAdminNoAltEmail {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+    try {
+        # Get all Global Admin accounts using the role template ID
+        $globalAdmins = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members?`$select=id,displayName,userPrincipalName,otherMails" -tenantid $($TenantFilter) -AsApp $true | Where-Object {
+            $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' -and $_.'@odata.type' -eq '#microsoft.graph.user'
+        }
+
+        # Filter for Global Admins without alternate email addresses
+        $adminsWithoutAltEmail = $globalAdmins | Where-Object {
+            $null -eq $_.otherMails -or $_.otherMails.Count -eq 0
+        }
+
+        if ($adminsWithoutAltEmail.Count -gt 0) {
+            $AlertData = "The following Global Admin accounts do not have an alternate email address set: $($adminsWithoutAltEmail.userPrincipalName -join ', ')"
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        }
+    } catch {
+        Write-LogMessage -message "Failed to check alternate email status for Global Admins: $($_.exception.message)" -API 'Global Admin Alt Email Alerts' -tenant $TenantFilter -sev Error
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminNoAltEmail.ps1

@@ -0,0 +1,25 @@
+function Get-CIPPAlertLowDomainScore {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory)]
+        $TenantFilter,
+        [Alias('input')]
+        [ValidateRange(0, 100)]
+        [int]$InputValue = 70
+    )
+
+    $DomainData = Get-CIPPDomainAnalyser -TenantFilter $TenantFilter
+    $LowScoreDomains = $DomainData | Where-Object {
+        $_.ScorePercentage -lt $InputValue -and $_.ScorePercentage -ne ''
+    } | ForEach-Object {
+        "$($_.Domain): Domain security score is $($_.ScorePercentage)%, which is below the threshold of $InputValue%. Issues: $($_.ScoreExplanation)"
+    }
+
+    if ($LowScoreDomains) {
+        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $LowScoreDomains
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowDomainScore.ps1

@@ -0,0 +1,77 @@
+function Get-CIPPAlertNewRiskyUsers {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $TenantFilter
+    )
+    $Deltatable = Get-CIPPTable -Table DeltaCompare
+    try {
+        # Check if tenant has P2 capabilities
+        $Capabilities = Get-CIPPTenantCapabilities -TenantFilter $TenantFilter
+        if (-not $Capabilities.AADPremiumService) {
+            Write-AlertMessage -tenant $($TenantFilter) -message 'Tenant does not have Azure AD Premium P2 licensing required for risky users detection'
+            return
+        }
+
+        $Filter = "PartitionKey eq 'RiskyUsersDelta' and RowKey eq '{0}'" -f $TenantFilter
+        $RiskyUsersDelta = (Get-CIPPAzDataTableEntity @Deltatable -Filter $Filter).delta | ConvertFrom-Json -ErrorAction SilentlyContinue
+        
+        # Get current risky users with more detailed information
+        $NewDelta = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identityProtection/riskyUsers' -tenantid $TenantFilter) | Select-Object userPrincipalName, riskLevel, riskState, riskDetail, riskLastUpdatedDateTime, isProcessing, history
+        
+        $NewDeltatoSave = $NewDelta | ConvertTo-Json -Depth 10 -Compress -ErrorAction SilentlyContinue | Out-String
+        $DeltaEntity = @{
+            PartitionKey = 'RiskyUsersDelta'
+            RowKey       = [string]$TenantFilter
+            delta        = "$NewDeltatoSave"
+        }
+        Add-CIPPAzDataTableEntity @DeltaTable -Entity $DeltaEntity -Force
+
+        if ($RiskyUsersDelta) {
+            $AlertData = $NewDelta | Where-Object { 
+                $_.userPrincipalName -notin $RiskyUsersDelta.userPrincipalName 
+            } | ForEach-Object {
+                $riskHistory = if ($_.history) {
+                    $latestHistory = $_.history | Sort-Object -Property riskLastUpdatedDateTime -Descending | Select-Object -First 1
+                    "Previous Risk Level: $($latestHistory.riskLevel), Last Updated: $($latestHistory.riskLastUpdatedDateTime)"
+                }
+                else {
+                    'No previous risk history'
+                }
+                
+                # Map risk level to severity
+                $severity = switch ($_.riskLevel) {
+                    'high' { 'Critical' }
+                    'medium' { 'Warning' }
+                    'low' { 'Info' }
+                    default { 'Info' }
+                }
+                
+                @{
+                    Message = "New risky user detected: $($_.userPrincipalName)"
+                    Details = @{
+                        RiskLevel    = $_.riskLevel
+                        RiskState    = $_.riskState
+                        RiskDetail   = $_.riskDetail
+                        LastUpdated  = $_.riskLastUpdatedDateTime
+                        IsProcessing = $_.isProcessing
+                        RiskHistory  = $riskHistory
+                        Severity     = $severity
+                    }
+                }
+            }
+            
+            if ($AlertData) {
+                Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+            }
+        }
+    }
+    catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Could not get risky users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1

@@ -1,4 +1,3 @@
-
 function Get-CIPPAlertSharepointQuota {
     <#
     .FUNCTIONALITY
@@ -12,10 +11,11 @@ function Get-CIPPAlertSharepointQuota {
         $TenantFilter
     )
     Try {
-            $tenantName = (New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/sites/root' -asApp $true -tenantid $TenantFilter).id.Split('.')[0]
-        $sharepointToken = (Get-GraphToken -scope "https://$($tenantName)-admin.sharepoint.com/.default" -tenantid $TenantFilter)
-        $sharepointToken.Add('accept', 'application/json')
-        $sharepointQuota = (Invoke-RestMethod -Method 'GET' -Headers $sharepointToken -Uri "https://$($tenantName)-admin.sharepoint.com/_api/StorageQuotas()?api-version=1.3.2" -ErrorAction Stop).value
+        $SharePointInfo = Get-SharePointAdminLink -Public $false -tenantFilter $TenantFilter
+        $extraHeaders = @{
+            'Accept' = 'application/json'
+        }
+        $sharepointQuota = (New-GraphGetRequest -extraHeaders $extraHeaders -scope "$($SharePointInfo.AdminUrl)/.default" -tenantid $TenantFilter -uri "$($SharePointInfo.AdminUrl)/_api/StorageQuotas()?api-version=1.3.2")
     } catch {
         return
     }
@@ -31,4 +31,4 @@ function Get-CIPPAlertSharepointQuota {
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
         }
     }
-}
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSharepointQuota.ps1

@@ -0,0 +1,65 @@
+function Get-CIPPAlertVulnerabilities {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    try {
+        $VulnerabilityRequest = New-GraphGetRequest -tenantid $TenantFilter -uri "https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesByMachine?`$top=999&`$filter=cveId ne null" -scope 'https://api.securitycenter.microsoft.com/.default'
+
+        if ($VulnerabilityRequest) {
+            $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+            # Group by CVE ID and create objects for each vulnerability
+            $VulnerabilityGroups = $VulnerabilityRequest | Where-Object { $_.cveId } | Group-Object cveId
+
+            foreach ($Group in $VulnerabilityGroups) {
+                $FirstVuln = $Group.Group | Sort-Object firstSeenTimestamp | Select-Object -First 1
+                $HoursOld = [math]::Round(((Get-Date) - [datetime]$FirstVuln.firstSeenTimestamp).TotalHours)
+
+                # Skip if vulnerability is not old enough
+                if ($HoursOld -lt [int]$InputValue) {
+                    continue
+                }
+
+                $DaysOld = [math]::Round(((Get-Date) - [datetime]$FirstVuln.firstSeenTimestamp).TotalDays)
+                $AffectedDevices = ($Group.Group | Select-Object -ExpandProperty deviceName -Unique) -join ', '
+
+                $VulnerabilityAlert = [PSCustomObject]@{
+                    CVE                  = $Group.Name
+                    Severity             = $FirstVuln.vulnerabilitySeverityLevel
+                    FirstSeenTimestamp   = $FirstVuln.firstSeenTimestamp
+                    LastSeenTimestamp    = $FirstVuln.lastSeenTimestamp
+                    DaysOld              = $DaysOld
+                    HoursOld             = $HoursOld
+                    AffectedDeviceCount  = $Group.Count
+                    AffectedDevices      = $AffectedDevices
+                    SoftwareName         = $FirstVuln.softwareName
+                    SoftwareVendor       = $FirstVuln.softwareVendor
+                    SoftwareVersion      = $FirstVuln.softwareVersion
+                    CVSSScore            = $FirstVuln.cvssScore
+                    ExploitabilityLevel  = $FirstVuln.exploitabilityLevel
+                    RecommendedUpdate    = $FirstVuln.recommendedSecurityUpdate
+                    RecommendedUpdateId  = $FirstVuln.recommendedSecurityUpdateId
+                    RecommendedUpdateUrl = $FirstVuln.recommendedSecurityUpdateUrl
+                    Tenant               = $TenantFilter
+                }
+                $AlertData.Add($VulnerabilityAlert)
+            }
+
+            # Only send alert if we have vulnerabilities that meet the criteria
+            if ($AlertData.Count -gt 0) {
+                Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+            }
+        }
+    } catch {
+        Write-LogMessage -message "Failed to check vulnerabilities: $($_.exception.message)" -API 'Vulnerability Alerts' -tenant $TenantFilter -sev Error
+    }
+}