Merge pull request #47 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: isgq-github01

ConversionTable.csv

@@ -114,6 +114,10 @@ function Add-CIPPDelegatedPermission {
         $OldScope = ($CurrentDelegatedScopes | Where-Object -Property Resourceid -EQ $svcPrincipalId.id)
 
         if (!$OldScope) {
+            if ([string]::IsNullOrEmpty($NewScope) -or $NewScope -eq ' ') {
+                $Results.add("No delegated permissions to add for $($svcPrincipalId.displayName)")
+                continue
+            }
             try {
                 $Createbody = @{
                     clientId    = $ourSVCPrincipal.id
@@ -147,6 +151,13 @@ function Add-CIPPDelegatedPermission {
                 $Results.add("All delegated permissions exist for $($svcPrincipalId.displayName)")
                 continue
             }
+
+            if ([string]::IsNullOrEmpty($NewScope) -or $NewScope -eq ' ') {
+                # No permissions to update
+                $Results.add("No delegated permissions to update for $($svcPrincipalId.displayName)")
+                continue
+            }
+
             $Patchbody = @{
                 scope = "$NewScope"
             } | ConvertTo-Json -Compress

Modules/CIPPCore/Public/Add-CIPPDelegatedPermission.ps1

@@ -13,14 +13,18 @@ function Get-CIPPAlertHuntressRogueApps {
     Param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
-        $InputValue,
+        [bool]$InputValue = $false,
         $TenantFilter
     )
 
     try {
         $RogueApps = Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/huntresslabs/rogueapps/main/public/rogueapps.json'
         $RogueAppFilter = $RogueApps.appId -join "','"
         $ServicePrincipals = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/servicePrincipals?`$filter=appId in ('$RogueAppFilter')" -tenantid $TenantFilter
+        # If IgnoreDisabledApps is true, filter out disabled service principals
+        if ($InputValue) {
+            $ServicePrincipals = $ServicePrincipals | Where-Object { $_.accountEnabled -eq $true }
+        }
 
         if (($ServicePrincipals | Measure-Object).Count -gt 0) {
             $AlertData = foreach ($ServicePrincipal in $ServicePrincipals) {

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertHuntressRogueApps.ps1

@@ -8,28 +8,60 @@ function Get-CIPPAlertInactiveLicensedUsers {
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
+        [Parameter(Mandatory = $false)]
+        [switch]$IncludeNeverSignedIn, # Include users who have never signed in (default is to skip them), future use would allow this to be set in an alert configuration
         $TenantFilter
     )
 
     try {
         try {
+            $Lookup = (Get-Date).AddDays(-90).ToUniversalTime()
+
+            # Build base filter - cannot filter assignedLicenses server-side
+            $BaseFilter = if ($InputValue -eq $true) { "accountEnabled eq true" } else { "" }
 
-            $Lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o')
-            $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastNonInteractiveSignInDateTime le $Lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses" -scope 'https://graph.microsoft.com/.default' -tenantid $TenantFilter |
-                Where-Object { $null -ne $_.assignedLicenses.skuId }
+            $Uri = if ($BaseFilter) {
+                "https://graph.microsoft.com/beta/users?`$filter=$BaseFilter&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            } else {
+                "https://graph.microsoft.com/beta/users?`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
+            }
+
+            $GraphRequest = New-GraphGetRequest -uri $Uri -scope 'https://graph.microsoft.com/.default' -tenantid $TenantFilter |
+                Where-Object { $null -ne $_.assignedLicenses -and $_.assignedLicenses.Count -gt 0 }
 
-            # true = only active users
-            if ($InputValue -eq $true) { $GraphRequest = $GraphRequest | Where-Object { $_.accountEnabled -eq $true } }
             $AlertData = foreach ($user in $GraphRequest) {
-                $Message = 'User {0} has been inactive for 90 days, but still has a license assigned.' -f $user.UserPrincipalName
-                $user | Select-Object -Property UserPrincipalName, signInActivity, @{Name = 'Message'; Expression = { $Message } }
+                $lastInteractive = $user.signInActivity.lastSignInDateTime
+                $lastNonInteractive = $user.signInActivity.lastNonInteractiveSignInDateTime
 
-            }
-            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+                # Find most recent sign-in
+                $lastSignIn = $null
+                if ($lastInteractive -and $lastNonInteractive) {
+                    $lastSignIn = if ([DateTime]$lastInteractive -gt [DateTime]$lastNonInteractive) { $lastInteractive } else { $lastNonInteractive }
+                } elseif ($lastInteractive) {
+                    $lastSignIn = $lastInteractive
+                } elseif ($lastNonInteractive) {
+                    $lastSignIn = $lastNonInteractive
+                }
 
-        } catch {}
+                # Check if inactive
+                $isInactive = (-not $lastSignIn) -or ([DateTime]$lastSignIn -le $Lookup)
+                # Skip users who have never signed in by default (unless IncludeNeverSignedIn is specified)
+                if (-not $IncludeNeverSignedIn -and -not $lastSignIn) { continue }
+                # Only process inactive users
+                if ($isInactive) {
+                    if (-not $lastSignIn) {
+                        $Message = 'User {0} has never signed in but still has a license assigned.' -f $user.UserPrincipalName
+                    } else {
+                        $daysSinceSignIn = [Math]::Round(((Get-Date) - [DateTime]$lastSignIn).TotalDays)
+                        $Message = 'User {0} has been inactive for {1} days but still has a license assigned. Last sign-in: {2}' -f $user.UserPrincipalName, $daysSinceSignIn, $lastSignIn
+                    }
 
+                    $user | Select-Object -Property UserPrincipalName, signInActivity, @{Name = 'Message'; Expression = { $Message } }
+                }
+            }
 
+            Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+        } catch {}
     } catch {
         Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive users with licenses for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
     }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveLicensedUsers.ps1

@@ -0,0 +1,46 @@
+function Get-CIPPAlertOneDriveQuota {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory)]
+        $TenantFilter,
+        [Alias('input')]
+        [ValidateRange(0,100)]
+        [int]$InputValue = 90
+    )
+
+    try {
+        $Usage = New-GraphGetRequest -tenantid $TenantFilter -uri "https://graph.microsoft.com/beta/reports/getOneDriveUsageAccountDetail(period='D7')?`$format=application/json&`$top=999" -AsApp $true
+        if (!$Usage) {
+            Write-AlertMessage -tenant $($TenantFilter) -message "OneDrive quota Alert: Unable to get OneDrive usage: Error occurred: No data returned from API."
+            return
+        }
+    }
+    catch {
+        $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+        Write-AlertMessage -tenant $($TenantFilter) -message "OneDrive quota Alert: Unable to get OneDrive usage: Error occurred: $ErrorMessage"
+        return
+    }
+
+    #Check if the OneDrive quota is over the threshold
+    $OverQuota = $Usage | ForEach-Object {
+        if ($_.StorageUsedInBytes -eq 0 -or $_.storageAllocatedInBytes -eq 0) { return }
+        try {
+            $UsagePercent  = [math]::Round(($_.storageUsedInBytes / $_.storageAllocatedInBytes) * 100)
+        } catch { $UsagePercent = 100 }
+
+        if ($UsagePercent -gt $InputValue) {
+            $GBLeft = [math]::Round(($_.storageAllocatedInBytes - $_.storageUsedInBytes) / 1GB)
+            "$($_.ownerPrincipalName): OneDrive is $UsagePercent% full. OneDrive has $($GBLeft)GB storage left"
+        }
+
+    }
+
+    #If the quota is over the threshold, send an alert
+    if ($OverQuota) {
+        Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $OverQuota
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOnedriveQuota.ps1

@@ -0,0 +1,39 @@
+function Get-CIPPAlertTERRL {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [Alias('input')]
+        $InputValue,
+        $TenantFilter
+    )
+
+    try {
+        # Set threshold with fallback to 80%
+        $Threshold = if ([string]::IsNullOrWhiteSpace($InputValue)) { 80 } else { [int]$InputValue }
+
+        # Get TERRL status
+        $TerrlStatus = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-LimitsEnforcementStatus'
+
+        if ($TerrlStatus) {
+            $UsagePercentage = [math]::Round(($TerrlStatus.ObservedValue / $TerrlStatus.Threshold) * 100, 2)
+
+            if ($UsagePercentage -gt $Threshold) {
+                $AlertData = [PSCustomObject]@{
+                    UsagePercentage    = $UsagePercentage
+                    CurrentVolume      = $TerrlStatus.ObservedValue
+                    ThresholdLimit     = $TerrlStatus.Threshold
+                    EnforcementEnabled = $TerrlStatus.EnforcementEnabled
+                    Verdict            = $TerrlStatus.Verdict
+                    Message            = 'Tenant is at {0}% of their TERRL limit (using {1} of {2} messages). Tenant Enforcement Status: {3}' -f $UsagePercentage, $TerrlStatus.ObservedValue, $TerrlStatus.Threshold, $TerrlStatus.Verdict
+                }
+                Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+            }
+        }
+    } catch {
+        Write-AlertMessage -tenant $($TenantFilter) -message "Could not get TERRL status for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+    }
+}

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertTERRL.ps1

@@ -16,24 +16,34 @@ function Get-CIPPAccessRole {
     Internal
     #>
     [CmdletBinding()]
-    param($Request)
+    param($Request, $Headers)
 
-    $CacheAccessUserRoleTable = Get-CIPPTable -tablename 'cacheAccessUserRole'
-    $CachedRoles = Get-CIPPAzDataTableEntity @CacheAccessUserRoleTable -Filter "PartitionKey eq 'AccessUser' and RowKey eq '$($Request.Headers.'x-ms-client-principal-name')'" | Select-Object -ExpandProperty Role | ConvertFrom-Json
+    $Headers = $Request.Headers ?? $Headers
 
-    $SwaCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($request.headers.'x-ms-client-principal')) | ConvertFrom-Json)
+    $CacheAccessUserRoleTable = Get-CIPPTable -tablename 'cacheAccessUserRoles'
+
+    $SwaCreds = ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Headers.'x-ms-client-principal')) | ConvertFrom-Json)
     $SwaRoles = $SwaCreds.userRoles
+    $Username = $SwaCreds.userDetails
+
+    $CachedRoles = Get-CIPPAzDataTableEntity @CacheAccessUserRoleTable -Filter "PartitionKey eq 'AccessUser' and RowKey eq '$Username'" | Select-Object -ExpandProperty Role | ConvertFrom-Json
+
+    Write-Information "SWA Roles: $($SwaRoles -join ', ')"
+    Write-Information "Cached Roles: $($CachedRoles -join ', ')"
 
     # Combine SWA roles and cached roles into a single deduplicated list
     $AllRoles = [System.Collections.Generic.List[string]]::new()
-    if ($null -ne $SwaRoles) {
-        $AllRoles.AddRange($SwaRoles)
+
+    foreach ($Role in $SwaRoles) {
+        if (-not $AllRoles.Contains($Role)) {
+            $AllRoles.Add($Role)
+        }
     }
-    if ($null -ne $CachedRoles) {
-        $AllRoles.AddRange($CachedRoles)
+    foreach ($Role in $CachedRoles) {
+        if (-not $AllRoles.Contains($Role)) {
+            $AllRoles.Add($Role)
+        }
     }
-
-    # Remove duplicates and ensure we have a clean array
     $CombinedRoles = $AllRoles | Select-Object -Unique
 
     # For debugging