From fac06a448577acb7a1d7abb092786236a0ccbce2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Tue, 9 Jul 2024 22:05:52 +0200 Subject: [PATCH 01/10] Fix wrong release number --- .../Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 index 012a8555188e..e6eccf5c9538 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 @@ -39,7 +39,7 @@ function Invoke-CIPPStandardDeletedUserRentention { Return } - # Backwards compatibility for pre v5.10.0 + # Backwards compatibility for v5.9.4 and back if ($null -eq $Settings.Days) { $WantedState = 365 } else { From c7e756cf22220c6875e4d9fd98f0889b67b9da73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Wed, 10 Jul 2024 21:25:21 +0200 Subject: [PATCH 02/10] Fix error message for clrImmID --- .../Administration/Users/Invoke-ExecClrImmId.ps1 | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecClrImmId.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecClrImmId.ps1 index 9241f5feae7d..6ebf2e66750b 100644 --- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecClrImmId.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecClrImmId.ps1 @@ -20,13 +20,13 @@ Function Invoke-ExecClrImmId { Try { $TenantFilter = $Request.Query.TenantFilter $UserID = $Request.Query.ID - $Body = [pscustomobject] @{ - onPremisesImmutableId = $null - } | ConvertTo-Json - $GraphRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body + $Body = [pscustomobject]@{ onPremisesImmutableId = $null } + $Body = ConvertTo-Json -InputObject $Body -Depth 5 -Compress + $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body $Results = [pscustomobject]@{'Results' = 'Successfully Cleared ImmutableId' } } catch { - $Results = [pscustomobject]@{'Results' = "Failed. $_.Exception.Message"; colour = 'danger' } + $ErrorMessage = Get-NormalizedError -Message $_.Exception + $Results = [pscustomobject]@{'Results' = "Failed. $ErrorMessage"; colour = 'danger' } $_.Exception } @@ -35,5 +35,4 @@ Function Invoke-ExecClrImmId { StatusCode = [HttpStatusCode]::OK Body = $Results }) - } From 4d436439574fdd1f611630afaf65bedd7aa8e3a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Wed, 10 Jul 2024 21:27:07 +0200 Subject: [PATCH 03/10] Update all comments to support get-help based auto docs --- ...nvoke-CIPPStandardActivityBasedTimeout.ps1 | 60 +++++------- .../Standards/Invoke-CIPPStandardAddDKIM.ps1 | 55 +++++------ .../Invoke-CIPPStandardAnonReportDisable.ps1 | 53 +++++----- .../Invoke-CIPPStandardAntiPhishPolicy.ps1 | 98 +++++++++---------- .../Invoke-CIPPStandardAppDeploy.ps1 | 4 +- .../Invoke-CIPPStandardAtpPolicyForO365.ps1 | 62 ++++++------ .../Standards/Invoke-CIPPStandardAuditLog.ps1 | 57 +++++------ .../Invoke-CIPPStandardAutoExpandArchive.ps1 | 53 +++++----- .../Standards/Invoke-CIPPStandardBookings.ps1 | 55 +++++------ .../Standards/Invoke-CIPPStandardBranding.ps1 | 64 ++++++------ .../Invoke-CIPPStandardCloudMessageRecall.ps1 | 55 +++++------ .../Invoke-CIPPStandardDelegateSentItems.ps1 | 53 +++++----- ...voke-CIPPStandardDeletedUserRentention.ps1 | 51 +++++----- ...PStandardDisableAddShortcutsToOneDrive.ps1 | 55 +++++------ ...ndardDisableAdditionalStorageProviders.ps1 | 59 +++++------ .../Invoke-CIPPStandardDisableAppCreation.ps1 | 57 +++++------ ...nvoke-CIPPStandardDisableBasicAuthSMTP.ps1 | 53 +++++----- .../Invoke-CIPPStandardDisableEmail.ps1 | 51 +++++----- ...StandardDisableExternalCalendarSharing.ps1 | 59 +++++------ ...voke-CIPPStandardDisableGuestDirectory.ps1 | 53 +++++----- .../Invoke-CIPPStandardDisableGuests.ps1 | 51 +++++----- ...voke-CIPPStandardDisableM365GroupUsers.ps1 | 53 +++++----- ...nvoke-CIPPStandardDisableOutlookAddins.ps1 | 59 +++++------ .../Invoke-CIPPStandardDisableReshare.ps1 | 57 +++++------ .../Invoke-CIPPStandardDisableSMS.ps1 | 53 +++++----- ...-CIPPStandardDisableSecurityGroupUsers.ps1 | 51 +++++----- ...CIPPStandardDisableSelfServiceLicenses.ps1 | 49 +++++----- ...IPPStandardDisableSharePointLegacyAuth.ps1 | 57 +++++------ ...nvoke-CIPPStandardDisableSharedMailbox.ps1 | 57 +++++------ .../Invoke-CIPPStandardDisableTNEF.ps1 | 54 +++++----- ...voke-CIPPStandardDisableTenantCreation.ps1 | 57 +++++------ ...voke-CIPPStandardDisableUserSiteCreate.ps1 | 53 +++++----- .../Invoke-CIPPStandardDisableViva.ps1 | 53 +++++----- .../Invoke-CIPPStandardDisableVoice.ps1 | 47 ++++----- ...oke-CIPPStandardDisablex509Certificate.ps1 | 53 +++++----- ...e-CIPPStandardEnableAppConsentRequests.ps1 | 59 +++++------ ...voke-CIPPStandardEnableCustomerLockbox.ps1 | 59 +++++------ .../Invoke-CIPPStandardEnableFIDO2.ps1 | 53 +++++----- ...Invoke-CIPPStandardEnableHardwareOAuth.ps1 | 54 +++++----- ...nvoke-CIPPStandardEnableLitigationHold.ps1 | 55 +++++------ .../Invoke-CIPPStandardEnableMailTips.ps1 | 60 +++++------- ...voke-CIPPStandardEnableMailboxAuditing.ps1 | 59 +++++------ ...voke-CIPPStandardEnableOnlineArchiving.ps1 | 51 +++++----- .../Invoke-CIPPStandardEnablePronouns.ps1 | 51 +++++----- .../Invoke-CIPPStandardExcludedfileExt.ps1 | 53 +++++----- .../Invoke-CIPPStandardExternalMFATrusted.ps1 | 53 +++++----- .../Invoke-CIPPStandardFocusedInbox.ps1 | 55 +++++------ ...PStandardGlobalQuarantineNotifications.ps1 | 55 +++++------ .../Invoke-CIPPStandardLegacyMFACleanup.ps1 | 51 +++++----- .../Invoke-CIPPStandardMailContacts.ps1 | 65 ++++++------ ...Invoke-CIPPStandardMalwareFilterPolicy.ps1 | 78 +++++++-------- .../Invoke-CIPPStandardMessageExpiration.ps1 | 53 +++++----- .../Standards/Invoke-CIPPStandardNudgeMFA.ps1 | 57 +++++------ .../Invoke-CIPPStandardOauthConsent.ps1 | 59 +++++------ .../Invoke-CIPPStandardOauthConsentLowSec.ps1 | 51 +++++----- .../Invoke-CIPPStandardOutBoundSpamAlert.ps1 | 59 +++++------ ...CIPPStandardPWcompanionAppAllowedState.ps1 | 55 +++++------ ...rdPWdisplayAppInformationRequiredState.ps1 | 57 +++++------ ...oke-CIPPStandardPasswordExpireDisabled.ps1 | 59 +++++------ .../Invoke-CIPPStandardPerUserMFA.ps1 | 51 +++++----- .../Invoke-CIPPStandardPhishProtection.ps1 | 57 +++++------ .../Invoke-CIPPStandardRotateDKIM.ps1 | 55 +++++------ .../Invoke-CIPPStandardSPAzureB2B.ps1 | 10 +- .../Invoke-CIPPStandardSPDirectSharing.ps1 | 10 +- ...ke-CIPPStandardSPDisallowInfectedFiles.ps1 | 10 +- .../Invoke-CIPPStandardSPEmailAttestation.ps1 | 10 +- ...e-CIPPStandardSPExternalUserExpiration.ps1 | 10 +- ...nvoke-CIPPStandardSafeAttachmentPolicy.ps1 | 74 +++++++------- .../Invoke-CIPPStandardSafeLinksPolicy.ps1 | 70 ++++++------- .../Invoke-CIPPStandardSafeSendersDisable.ps1 | 55 +++++------ .../Invoke-CIPPStandardSecurityDefaults.ps1 | 53 +++++----- .../Invoke-CIPPStandardSendFromAlias.ps1 | 53 +++++----- ...oke-CIPPStandardSendReceiveLimitTenant.ps1 | 55 +++++------ .../Invoke-CIPPStandardShortenMeetings.ps1 | 57 +++++------ .../Invoke-CIPPStandardSpoofWarn.ps1 | 59 +++++------ .../Standards/Invoke-CIPPStandardTAP.ps1 | 55 +++++------ ...oke-CIPPStandardTeamsMeetingsByDefault.ps1 | 53 +++++----- ...voke-CIPPStandardTenantDefaultTimezone.ps1 | 54 +++++----- .../Invoke-CIPPStandardUndoOauth.ps1 | 51 +++++----- ...CIPPStandardUserReportDestinationEmail.ps1 | 49 +++++----- .../Invoke-CIPPStandardUserSubmissions.ps1 | 55 +++++------ .../Invoke-CIPPStandardallowOAuthTokens.ps1 | 53 +++++----- .../Invoke-CIPPStandardallowOTPTokens.ps1 | 53 +++++----- .../Invoke-CIPPStandardcalDefault.ps1 | 59 +++++------ .../Invoke-CIPPStandarddisableMacSync.ps1 | 51 +++++----- ...voke-CIPPStandardintuneBrandingProfile.ps1 | 76 +++++++------- .../Invoke-CIPPStandardintuneDeviceReg.ps1 | 53 +++++----- ...CIPPStandardintuneDeviceRetirementDays.ps1 | 53 +++++----- .../Invoke-CIPPStandardintuneRequireMFA.ps1 | 49 +++++----- .../Standards/Invoke-CIPPStandardlaps.ps1 | 53 +++++----- .../Invoke-CIPPStandardsharingCapability.ps1 | 57 +++++------ ...e-CIPPStandardsharingDomainRestriction.ps1 | 62 ++++++------ .../Invoke-CIPPStandardunmanagedSync.ps1 | 51 +++++----- 93 files changed, 2207 insertions(+), 2741 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 index a09e427fbbf8..98b72c1a1e9e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 @@ -1,36 +1,35 @@ function Invoke-CIPPStandardActivityBasedTimeout { <# .FUNCTIONALITY - Internal - .APINAME - ActivityBasedTimeout - .CAT - Global Standards - .TAG - "mediumimpact" - "CIS" - "spo_idle_session_timeout" - .HELPTEXT - Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.ActivityBasedTimeout.timeout","values":[{"label":"1 Hour","value":"01:00:00"},{"label":"3 Hours","value":"03:00:00"},{"label":"6 Hours","value":"06:00:00"},{"label":"12 Hours","value":"12:00:00"},{"label":"24 Hours","value":"1.00:00:00"}]} - .LABEL - Enable Activity based Timeout - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Portal or Graph API - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) ActivityBasedTimeout + .SYNOPSIS + (Label) Enable Activity based Timeout + .DESCRIPTION + (Helptext) Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps + (DocsDescription) Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps + .NOTES + CAT + Global Standards + TAG + "mediumimpact" + "CIS" + "spo_idle_session_timeout" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.ActivityBasedTimeout.timeout","values":[{"label":"1 Hour","value":"01:00:00"},{"label":"3 Hours","value":"03:00:00"},{"label":"6 Hours","value":"06:00:00"},{"label":"12 Hours","value":"12:00:00"},{"label":"24 Hours","value":"1.00:00:00"}]} + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Portal or Graph API + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) # Input validation @@ -91,8 +90,3 @@ function Invoke-CIPPStandardActivityBasedTimeout { } } - - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 index 5cb6a387ad32..c4c430d99f7c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 @@ -1,34 +1,33 @@ function Invoke-CIPPStandardAddDKIM { <# .FUNCTIONALITY - Internal - .APINAME - AddDKIM - .CAT - Exchange Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - Enables DKIM for all domains that currently support it - .ADDEDCOMPONENT - .LABEL - Enables DKIM for all domains that currently support it - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - New-DkimSigningConfig and Set-DkimSigningConfig - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Enables DKIM for all domains that currently support it - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) AddDKIM + .SYNOPSIS + (Label) Enables DKIM for all domains that currently support it + .DESCRIPTION + (Helptext) Enables DKIM for all domains that currently support it + (DocsDescription) Enables DKIM for all domains that currently support it + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + New-DkimSigningConfig and Set-DkimSigningConfig + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $AllDomains = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/domains?$top=999' -tenantid $Tenant | Where-Object { $_.supportedServices -contains 'Email' -or $_.id -like '*mail.onmicrosoft.com' }).id @@ -107,7 +106,3 @@ function Invoke-CIPPStandardAddDKIM { Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIMState -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 index 9255be3c1bff..9851c82daf07 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardAnonReportDisable { <# .FUNCTIONALITY - Internal - .APINAME - AnonReportDisable - .CAT - Global Standards - .TAG - "lowimpact" - .HELPTEXT - Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly. - .DOCSDESCRIPTION - Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports. - .ADDEDCOMPONENT - .LABEL - Enable Usernames instead of pseudo anonymised names in reports - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true} - .RECOMMENDEDBY - .DOCSDESCRIPTION - Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) AnonReportDisable + .SYNOPSIS + (Label) Enable Usernames instead of pseudo anonymised names in reports + .DESCRIPTION + (Helptext) Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly. + (DocsDescription) Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports. + .NOTES + CAT + Global Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true} + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -tenantid $Tenant -AsApp $true @@ -58,7 +55,3 @@ function Invoke-CIPPStandardAnonReportDisable { Add-CIPPBPAField -FieldName 'AnonReport' -FieldValue $CurrentInfo.displayConcealedNames -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 index 3a245863f65b..f9dea367763e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 @@ -1,54 +1,52 @@ function Invoke-CIPPStandardAntiPhishPolicy { - <# - .FUNCTIONALITY - Internal - .APINAME - AntiPhishPolicy - .CAT - Defender Standards - .TAG - "lowimpact" - "CIS" - "mdo_safeattachments" - "mdo_highconfidencespamaction" - "mdo_highconfidencephishaction" - "mdo_phisspamacation" - "mdo_spam_notifications_only_for_admins" - "mdo_antiphishingpolicies" - .HELPTEXT - This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips. - .ADDEDCOMPONENT - {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","default":1} - {"type":"boolean","label":"Show first contact safety tip","name":"standards.AntiPhishPolicy.EnableFirstContactSafetyTips","default":true} - {"type":"boolean","label":"Show user impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips","default":true} - {"type":"boolean","label":"Show domain impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips","default":true} - {"type":"boolean","label":"Show user impersonation unusual characters safety tip","name":"standards.AntiPhishPolicy.EnableUnusualCharactersSafetyTips","default":true} - {"type":"Select","label":"If the message is detected as spoof by spoof intelligence","name":"standards.AntiPhishPolicy.AuthenticationFailAction","values":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move to Junk Folder","value":"MoveToJmf"}]} - {"type":"Select","label":"Quarantine policy for Spoof","name":"standards.AntiPhishPolicy.SpoofQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} - {"type":"Select","label":"If a message is detected as user impersonation","name":"standards.AntiPhishPolicy.TargetedUserProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} - {"type":"Select","label":"Quarantine policy for user impersonation","name":"standards.AntiPhishPolicy.TargetedUserQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} - {"type":"Select","label":"If a message is detected as domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} - {"type":"Select","label":"Quarantine policy for domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainQuarantineTag","values":[{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"},{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"}]} - {"type":"Select","label":"If Mailbox Intelligence detects an impersonated user","name":"standards.AntiPhishPolicy.MailboxIntelligenceProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} - {"type":"Select","label":"Apply quarantine policy","name":"standards.AntiPhishPolicy.MailboxIntelligenceQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} - .LABEL - Default Anti-Phishing Policy - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-AntiphishPolicy or New-AntiphishPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) AntiPhishPolicy + .SYNOPSIS + (Label) Default Anti-Phishing Policy + .DESCRIPTION + (Helptext) This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips. + (DocsDescription) This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips. + .NOTES + CAT + Defender Standards + TAG + "lowimpact" + "CIS" + "mdo_safeattachments" + "mdo_highconfidencespamaction" + "mdo_highconfidencephishaction" + "mdo_phisspamacation" + "mdo_spam_notifications_only_for_admins" + "mdo_antiphishingpolicies" + ADDEDCOMPONENT + {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","default":1} + {"type":"boolean","label":"Show first contact safety tip","name":"standards.AntiPhishPolicy.EnableFirstContactSafetyTips","default":true} + {"type":"boolean","label":"Show user impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips","default":true} + {"type":"boolean","label":"Show domain impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips","default":true} + {"type":"boolean","label":"Show user impersonation unusual characters safety tip","name":"standards.AntiPhishPolicy.EnableUnusualCharactersSafetyTips","default":true} + {"type":"Select","label":"If the message is detected as spoof by spoof intelligence","name":"standards.AntiPhishPolicy.AuthenticationFailAction","values":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move to Junk Folder","value":"MoveToJmf"}]} + {"type":"Select","label":"Quarantine policy for Spoof","name":"standards.AntiPhishPolicy.SpoofQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + {"type":"Select","label":"If a message is detected as user impersonation","name":"standards.AntiPhishPolicy.TargetedUserProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} + {"type":"Select","label":"Quarantine policy for user impersonation","name":"standards.AntiPhishPolicy.TargetedUserQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + {"type":"Select","label":"If a message is detected as domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} + {"type":"Select","label":"Quarantine policy for domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainQuarantineTag","values":[{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"},{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"}]} + {"type":"Select","label":"If Mailbox Intelligence detects an impersonated user","name":"standards.AntiPhishPolicy.MailboxIntelligenceProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} + {"type":"Select","label":"Apply quarantine policy","name":"standards.AntiPhishPolicy.MailboxIntelligenceQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-AntiphishPolicy or New-AntiphishPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $PolicyName = 'Default Anti-Phishing Policy' @@ -180,7 +178,3 @@ function Invoke-CIPPStandardAntiPhishPolicy { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1 index 0b5ba7f47945..e3f950550f71 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardAppDeploy { .COMPONENT (APIName) AppDeploy .SYNOPSIS - Deploy Application + (Label) Deploy Application .DESCRIPTION (Helptext) Deploys selected applications to the tenant. Use a comma separated list of application IDs to deploy multiple applications. Permissions will be copied from the source application. (DocsDescription) Uses the CIPP functionality that deploys applications across an entire tenant base as a standard. @@ -16,8 +16,6 @@ function Invoke-CIPPStandardAppDeploy { "lowimpact" ADDEDCOMPONENT {"type":"input","name":"standards.AppDeploy.appids","label":"Application IDs, comma separated"} - LABEL - Deploy Application IMPACT Low Impact POWERSHELLEQUIVALENT diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 index 3d09454aaaf1..bb1bd639fc75 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 @@ -1,36 +1,34 @@ function Invoke-CIPPStandardAtpPolicyForO365 { - <# - .FUNCTIONALITY - Internal - .APINAME - AtpPolicyForO365 - .CAT - Defender Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - This creates a Atp policy that enables Defender for Office 365 for Sharepoint, OneDrive and Microsoft Teams. - .ADDEDCOMPONENT - {"type":"boolean","label":"Allow people to click through Protected View even if Safe Documents identified the file as malicious","name":"standards.AtpPolicyForO365.AllowSafeDocsOpen","default":false} - .LABEL - Default Atp Policy For O365 - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-AtpPolicyForO365 - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - This creates a Atp policy that enables Defender for Office 365 for Sharepoint, OneDrive and Microsoft Teams. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) AtpPolicyForO365 + .SYNOPSIS + (Label) Default Atp Policy For O365 + .DESCRIPTION + (Helptext) This creates a Atp policy that enables Defender for Office 365 for Sharepoint, OneDrive and Microsoft Teams. + (DocsDescription) This creates a Atp policy that enables Defender for Office 365 for Sharepoint, OneDrive and Microsoft Teams. + .NOTES + CAT + Defender Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + {"type":"boolean","label":"Allow people to click through Protected View even if Safe Documents identified the file as malicious","name":"standards.AtpPolicyForO365.AllowSafeDocsOpen","default":false} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-AtpPolicyForO365 + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AtpPolicyForO365' | Select-Object EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen @@ -73,7 +71,3 @@ function Invoke-CIPPStandardAtpPolicyForO365 { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 index 17d7c440b840..076a9112586a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 @@ -1,35 +1,34 @@ function Invoke-CIPPStandardAuditLog { <# .FUNCTIONALITY - Internal - .APINAME - AuditLog - .CAT - Global Standards - .TAG - "lowimpact" - "CIS" - "mip_search_auditlog" - .HELPTEXT - Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary. - .ADDEDCOMPONENT - .LABEL - Enable the Unified Audit Log - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Enable-OrganizationCustomization - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) AuditLog + .SYNOPSIS + (Label) Enable the Unified Audit Log + .DESCRIPTION + (Helptext) Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary. + (DocsDescription) Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary. + .NOTES + CAT + Global Standards + TAG + "lowimpact" + "CIS" + "mip_search_auditlog" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Enable-OrganizationCustomization + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) Write-Host ($Settings | ConvertTo-Json) $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig' -Select UnifiedAuditLogIngestionEnabled).UnifiedAuditLogIngestionEnabled @@ -75,7 +74,3 @@ function Invoke-CIPPStandardAuditLog { Add-CIPPBPAField -FieldName 'AuditLog' -FieldValue $AuditLogEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 index 432923a068d1..0aaefee3441c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardAutoExpandArchive { <# .FUNCTIONALITY - Internal - .APINAME - AutoExpandArchive - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Enables auto-expanding archives for the tenant - .DOCSDESCRIPTION - Enables auto-expanding archives for the tenant. Does not enable archives for users. - .ADDEDCOMPONENT - .LABEL - Enable Auto-expanding archives - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig -AutoExpandingArchive - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables auto-expanding archives for the tenant - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) AutoExpandArchive + .SYNOPSIS + (Label) Enable Auto-expanding archives + .DESCRIPTION + (Helptext) Enables auto-expanding archives for the tenant + (DocsDescription) Enables auto-expanding archives for the tenant. Does not enable archives for users. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -AutoExpandingArchive + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AutoExpandingArchiveEnabled @@ -62,7 +59,3 @@ function Invoke-CIPPStandardAutoExpandArchive { Add-CIPPBPAField -FieldName 'AutoExpandingArchive' -FieldValue $CurrentState -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 index b42cf95556c3..593afe1a6b62 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 @@ -1,35 +1,32 @@ function Invoke-CIPPStandardBookings { <# .FUNCTIONALITY - Internal - .APINAME - Bookings - .CAT - Exchange Standards - .TAG - "mediumimpact" - .HELPTEXT - Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external. - .DOCSDESCRIPTION - Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external. - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.Bookings.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} - .LABEL - Set Bookings state - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig -BookingsEnabled - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) Bookings + .SYNOPSIS + (Label) Set Bookings state + .DESCRIPTION + (Helptext) Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external. + (DocsDescription) Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.Bookings.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -BookingsEnabled + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').BookingsEnabled @@ -74,7 +71,3 @@ function Invoke-CIPPStandardBookings { } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 index bd53e1c635e7..605256e64581 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 @@ -1,39 +1,37 @@ function Invoke-CIPPStandardBranding { <# .FUNCTIONALITY - Internal - .APINAME - Branding - .CAT - Global Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the branding for the tenant. This includes the login page, and the Office 365 portal. - .ADDEDCOMPONENT - {"type":"input","name":"standards.Branding.signInPageText","label":"Sign-in page text"} - {"type":"input","name":"standards.Branding.usernameHintText","label":"Username hint Text"} - {"type":"boolean","name":"standards.Branding.hideAccountResetCredentials","label":"Hide self-service password reset"} - {"type":"Select","label":"Visual Template","name":"standards.Branding.layoutTemplateType","values":[{"label":"Full-screen background","value":"default"},{"label":"Parial-screen background","value":"verticalSplit"}]} - {"type":"boolean","name":"standards.Branding.isHeaderShown","label":"Show header"} - {"type":"boolean","name":"standards.Branding.isFooterShown","label":"Show footer"} - .LABEL - Set branding for the tenant - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Portal only - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the branding for the tenant. This includes the login page, and the Office 365 portal. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) Branding + .SYNOPSIS + (Label) Set branding for the tenant + .DESCRIPTION + (Helptext) Sets the branding for the tenant. This includes the login page, and the Office 365 portal. + (DocsDescription) Sets the branding for the tenant. This includes the login page, and the Office 365 portal. + .NOTES + CAT + Global Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"input","name":"standards.Branding.signInPageText","label":"Sign-in page text"} + {"type":"input","name":"standards.Branding.usernameHintText","label":"Username hint Text"} + {"type":"boolean","name":"standards.Branding.hideAccountResetCredentials","label":"Hide self-service password reset"} + {"type":"Select","label":"Visual Template","name":"standards.Branding.layoutTemplateType","values":[{"label":"Full-screen background","value":"default"},{"label":"Parial-screen background","value":"verticalSplit"}]} + {"type":"boolean","name":"standards.Branding.isHeaderShown","label":"Show header"} + {"type":"boolean","name":"standards.Branding.isFooterShown","label":"Show footer"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Portal only + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $TenantId = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant @@ -98,7 +96,3 @@ function Invoke-CIPPStandardBranding { Add-CIPPBPAField -FieldName 'Branding' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $Tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 index 0c2fcedfcca8..54edbd2f3670 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 @@ -1,35 +1,32 @@ function Invoke-CIPPStandardCloudMessageRecall { <# .FUNCTIONALITY - Internal - .APINAME - CloudMessageRecall - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud. - .DOCSDESCRIPTION - Sets the default state for Cloud Message Recall for the tenant. By default this is enabled. You can read more about the feature [here.](https://techcommunity.microsoft.com/t5/exchange-team-blog/cloud-based-message-recall-in-exchange-online/ba-p/3744714) - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.CloudMessageRecall.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} - .LABEL - Set Cloud Message Recall state - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig -MessageRecallEnabled - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) CloudMessageRecall + .SYNOPSIS + (Label) Set Cloud Message Recall state + .DESCRIPTION + (Helptext) Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud. + (DocsDescription) Sets the default state for Cloud Message Recall for the tenant. By default this is enabled. You can read more about the feature [here.](https://techcommunity.microsoft.com/t5/exchange-team-blog/cloud-based-message-recall-in-exchange-online/ba-p/3744714) + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.CloudMessageRecall.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -MessageRecallEnabled + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').MessageRecallEnabled @@ -75,7 +72,3 @@ function Invoke-CIPPStandardCloudMessageRecall { } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 index 819ba429fa25..b182da26e89c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardDelegateSentItems { <# .FUNCTIONALITY - Internal - .APINAME - DelegateSentItems - .CAT - Exchange Standards - .TAG - "mediumimpact" - .HELPTEXT - Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder - .DOCSDESCRIPTION - This makes sure that e-mails sent from shared mailboxes or delegate mailboxes, end up in the mailbox of the shared/delegate mailbox instead of the sender, allowing you to keep replies in the same mailbox as the original e-mail. - .ADDEDCOMPONENT - .LABEL - Set mailbox Sent Items delegation (Sent items for shared mailboxes) - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Set-Mailbox - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DelegateSentItems + .SYNOPSIS + (Label) Set mailbox Sent Items delegation (Sent items for shared mailboxes) + .DESCRIPTION + (Helptext) Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder + (DocsDescription) This makes sure that e-mails sent from shared mailboxes or delegate mailboxes, end up in the mailbox of the shared/delegate mailbox instead of the sender, allowing you to keep replies in the same mailbox as the original e-mail. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-Mailbox + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ RecipientTypeDetails = @('UserMailbox', 'SharedMailbox') } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false } @@ -77,7 +74,3 @@ function Invoke-CIPPStandardDelegateSentItems { Add-CIPPBPAField -FieldName 'DelegateSentItems' -FieldValue $Filtered -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 index e6eccf5c9538..88d8455b08fe 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 @@ -1,29 +1,30 @@ function Invoke-CIPPStandardDeletedUserRentention { <# .FUNCTIONALITY - Internal - .APINAME - DeletedUserRentention - .CAT - SharePoint Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the retention period for deleted users OneDrive to 1 year/365 days - .DOCSDESCRIPTION - When a OneDrive user gets deleted, the personal SharePoint site is saved for 1 year and data can be retrieved from it. - .ADDEDCOMPONENT - .LABEL - Retain a deleted user OneDrive for 1 year - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaAdminSharepointSetting - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the retention period for deleted users OneDrive to 1 year/365 days - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DeletedUserRentention + .SYNOPSIS + (Label) Set deleted user retention time in OneDrive + .DESCRIPTION + (Helptext) Sets the retention period for deleted users OneDrive to the specified number of years. The default is 1 year. + (DocsDescription) When a OneDrive user gets deleted, the personal SharePoint site is saved for selected time in years and data can be retrieved from it. + .NOTES + CAT + SharePoint Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","name":"standards.DeletedUserRentention.Days","label":"Retention in years (Default 1)","values":[{"label":"1 year","value":"365"},{"label":"2 years","value":"730"},{"label":"3 years","value":"1095"},{"label":"4 years","value":"1460"},{"label":"5 years","value":"1825"},{"label":"6 years","value":"2190"},{"label":"7 years","value":"2555"},{"label":"8 years","value":"2920"},{"label":"9 years","value":"3285"},{"label":"10 years","value":"3650"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaAdminSharepointSetting + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> param($Tenant, $Settings) @@ -78,7 +79,3 @@ function Invoke-CIPPStandardDeletedUserRentention { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 index 1cfb91402bca..31d04d0cf86c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 @@ -1,34 +1,33 @@ function Invoke-CIPPStandardDisableAddShortcutsToOneDrive { <# .FUNCTIONALITY - Internal - .APINAME - DisableAddShortcutsToOneDrive - .CAT - SharePoint Standards - .TAG - "mediumimpact" - .HELPTEXT - When the feature is disabled the option Add shortcut to OneDrive will be removed. Any folders that have already been added will remain on the user's computer. - .DISABLEDFEATURES - - .ADDEDCOMPONENT - .LABEL - Disable Add Shortcuts To OneDrive - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Graph API or Portal - .RECOMMENDEDBY - .DOCSDESCRIPTION - When the feature is disabled the option Add shortcut to OneDrive will be removed. Any folders that have already been added will remain on the user's computer. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableAddShortcutsToOneDrive + .SYNOPSIS + (Label) Disable Add Shortcuts To OneDrive + .DESCRIPTION + (Helptext) When the feature is disabled the option Add shortcut to OneDrive will be removed. Any folders that have already been added will remain on the user's computer. + (DocsDescription) When the feature is disabled the option Add shortcut to OneDrive will be removed. Any folders that have already been added will remain on the user's computer. + .NOTES + CAT + SharePoint Standards + TAG + "mediumimpact" + DISABLEDFEATURES + + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Graph API or Portal + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) If ($Settings.remediate -eq $true) { @@ -121,7 +120,3 @@ function Invoke-CIPPStandardDisableAddShortcutsToOneDrive { Write-LogMessage @log } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 index 242a4fa64d3c..bc929660a0f8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardDisableAdditionalStorageProviders { <# .FUNCTIONALITY - Internal - .APINAME - DisableAdditionalStorageProviders - .CAT - Exchange Standards - .TAG - "lowimpact" - "CIS" - "exo_storageproviderrestricted" - .HELPTEXT - Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc. - .DOCSDESCRIPTION - Disables additional storage providers in OWA. This is to prevent users from using personal storage providers like Dropbox, Google Drive, etc. Usually this has little user impact. - .ADDEDCOMPONENT - .LABEL - Disable additional storage providers in OWA - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled $False - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableAdditionalStorageProviders + .SYNOPSIS + (Label) Disable additional storage providers in OWA + .DESCRIPTION + (Helptext) Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc. + (DocsDescription) Disables additional storage providers in OWA. This is to prevent users from using personal storage providers like Dropbox, Google Drive, etc. Usually this has little user impact. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + "CIS" + "exo_storageproviderrestricted" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled $False + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $AdditionalStorageProvidersState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OwaMailboxPolicy' -cmdParams @{Identity = 'OwaMailboxPolicy-Default' } @@ -64,7 +61,3 @@ function Invoke-CIPPStandardDisableAdditionalStorageProviders { Add-CIPPBPAField -FieldName 'AdditionalStorageProvidersEnabled' -FieldValue $AdditionalStorageProvidersState.AdditionalStorageProvidersEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 index 624f7d20f1f1..a807ec53817e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 @@ -1,36 +1,33 @@ function Invoke-CIPPStandardDisableAppCreation { <# .FUNCTIONALITY - Internal - .APINAME - DisableAppCreation - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - Disables the ability for users to create App registrations in the tenant. - .DOCSDESCRIPTION - Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured. - .ADDEDCOMPONENT - .LABEL - Disable App creation by users - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgPolicyAuthorizationPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Disables the ability for users to create App registrations in the tenant. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableAppCreation + .SYNOPSIS + (Label) Disable App creation by users + .DESCRIPTION + (Helptext) Disables the ability for users to create App registrations in the tenant. + (DocsDescription) Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy?$select=defaultUserRolePermissions' -tenantid $Tenant @@ -64,7 +61,3 @@ function Invoke-CIPPStandardDisableAppCreation { Add-CIPPBPAField -FieldName 'UserAppCreationDisabled' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 index ded00502d1e0..8dec7100cd9e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP { <# .FUNCTIONALITY - Internal - .APINAME - DisableBasicAuthSMTP - .CAT - Global Standards - .TAG - "mediumimpact" - .HELPTEXT - Disables SMTP AUTH for the organization and all users. This is the default for new tenants. - .DOCSDESCRIPTION - Disables SMTP basic authentication for the tenant and all users with it explicitly enabled. - .ADDEDCOMPONENT - .LABEL - Disable SMTP Basic Authentication - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Set-TransportConfig -SmtpClientAuthenticationDisabled $true - .RECOMMENDEDBY - .DOCSDESCRIPTION - Disables SMTP AUTH for the organization and all users. This is the default for new tenants. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableBasicAuthSMTP + .SYNOPSIS + (Label) Disable SMTP Basic Authentication + .DESCRIPTION + (Helptext) Disables SMTP AUTH for the organization and all users. This is the default for new tenants. + (DocsDescription) Disables SMTP basic authentication for the tenant and all users with it explicitly enabled. + .NOTES + CAT + Global Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-TransportConfig -SmtpClientAuthenticationDisabled $true + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig' $SMTPusers = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-CASMailbox' -cmdParams @{ ResultSize = 'Unlimited' } | Where-Object { ($_.SmtpClientAuthenticationDisabled -eq $false) } @@ -94,7 +91,3 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 index 09b6fa9ca8d3..1c27528f003e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardDisableEmail { <# .FUNCTIONALITY - Internal - .APINAME - DisableEmail - .CAT - Entra (AAD) Standards - .TAG - "highimpact" - .HELPTEXT - This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead promts them to create a Microsoft account. - .ADDEDCOMPONENT - .LABEL - Disables Email as an MFA method - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead promts them to create a Microsoft account. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableEmail + .SYNOPSIS + (Label) Disables Email as an MFA method + .DESCRIPTION + (Helptext) This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead promts them to create a Microsoft account. + (DocsDescription) This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead promts them to create a Microsoft account. + .NOTES + CAT + Entra (AAD) Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Email' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -51,7 +50,3 @@ function Invoke-CIPPStandardDisableEmail { Add-CIPPBPAField -FieldName 'DisableEmail' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 index 1646b7b36dc1..aa048965fbad 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardDisableExternalCalendarSharing { <# .FUNCTIONALITY - Internal - .APINAME - DisableExternalCalendarSharing - .CAT - Exchange Standards - .TAG - "lowimpact" - "CIS" - "exo_individualsharing" - .HELPTEXT - Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed. - .DOCSDESCRIPTION - Disables external calendar sharing for the entire tenant. This is not a widely used feature, and it's therefore unlikely that this will impact users. Only for the default policy, so exclusions can be made if needed by making a new policy and assigning it to users. - .ADDEDCOMPONENT - .LABEL - Disable external calendar sharing - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Get-SharingPolicy | Set-SharingPolicy -Enabled $False - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableExternalCalendarSharing + .SYNOPSIS + (Label) Disable external calendar sharing + .DESCRIPTION + (Helptext) Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed. + (DocsDescription) Disables external calendar sharing for the entire tenant. This is not a widely used feature, and it's therefore unlikely that this will impact users. Only for the default policy, so exclusions can be made if needed by making a new policy and assigning it to users. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + "CIS" + "exo_individualsharing" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Get-SharingPolicy | Set-SharingPolicy -Enabled $False + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SharingPolicy' | Where-Object { $_.Default -eq $true } @@ -66,7 +63,3 @@ function Invoke-CIPPStandardDisableExternalCalendarSharing { Add-CIPPBPAField -FieldName 'ExternalCalendarSharingDisabled' -FieldValue $CurrentInfo.Enabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 index 62b17aef5b46..8678a5d95591 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardDisableGuestDirectory { <# .FUNCTIONALITY - Internal - .APINAME - DisableGuestDirectory - .CAT - Global Standards - .TAG - "lowimpact" - .HELPTEXT - Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory. - .DOCSDESCRIPTION - Sets it so guests can view only their own user profile. Permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what get locked down in the [Microsoft documentation.](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) - .ADDEDCOMPONENT - .LABEL - Restrict guest user access to directory objects - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' - .RECOMMENDEDBY - .DOCSDESCRIPTION - Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableGuestDirectory + .SYNOPSIS + (Label) Restrict guest user access to directory objects + .DESCRIPTION + (Helptext) Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory. + (DocsDescription) Sets it so guests can view only their own user profile. Permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what get locked down in the [Microsoft documentation.](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) + .NOTES + CAT + Global Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant @@ -62,7 +59,3 @@ function Invoke-CIPPStandardDisableGuestDirectory { Add-CIPPBPAField -FieldName 'DisableGuestDirectory' -FieldValue $CurrentInfo.guestUserRoleId -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 index e654cd9b5dc7..bc5ba6148d72 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardDisableGuests { <# .FUNCTIONALITY - Internal - .APINAME - DisableGuests - .CAT - Entra (AAD) Standards - .TAG - "mediumimpact" - .HELPTEXT - Blocks login for guest users that have not logged in for 90 days - .ADDEDCOMPONENT - .LABEL - Disable Guest accounts that have not logged on for 90 days - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Graph API - .RECOMMENDEDBY - .DOCSDESCRIPTION - Blocks login for guest users that have not logged in for 90 days - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableGuests + .SYNOPSIS + (Label) Disable Guest accounts that have not logged on for 90 days + .DESCRIPTION + (Helptext) Blocks login for guest users that have not logged in for 90 days + (DocsDescription) Blocks login for guest users that have not logged in for 90 days + .NOTES + CAT + Entra (AAD) Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Graph API + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $Lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o') $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastNonInteractiveSignInDateTime le $Lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant | Where-Object { $_.userType -EQ 'Guest' -and $_.AccountEnabled -EQ $true } @@ -61,7 +60,3 @@ function Invoke-CIPPStandardDisableGuests { Add-CIPPBPAField -FieldName 'DisableGuests' -FieldValue $filtered -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 index 558ce91bf77f..299397f8ab59 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardDisableM365GroupUsers { <# .FUNCTIONALITY - Internal - .APINAME - DisableM365GroupUsers - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, Sharepoint sites, Planner, etc - .DOCSDESCRIPTION - Users by default are allowed to create M365 groups. This restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc - .ADDEDCOMPONENT - .LABEL - Disable M365 Group creation by users - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaDirectorySetting - .RECOMMENDEDBY - .DOCSDESCRIPTION - Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, Sharepoint sites, Planner, etc - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableM365GroupUsers + .SYNOPSIS + (Label) Disable M365 Group creation by users + .DESCRIPTION + (Helptext) Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, Sharepoint sites, Planner, etc + (DocsDescription) Users by default are allowed to create M365 groups. This restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaDirectorySetting + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' @@ -79,7 +76,3 @@ function Invoke-CIPPStandardDisableM365GroupUsers { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 index 39b2b91a764e..e74fe81dfa22 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardDisableOutlookAddins { <# .FUNCTIONALITY - Internal - .APINAME - DisableOutlookAddins - .CAT - Exchange Standards - .TAG - "mediumimpact" - "CIS" - "exo_outlookaddins" - .HELPTEXT - Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins. - .DOCSDESCRIPTION - Disables users from being able to install add-ins in Outlook. Only admins are able to approve add-ins for the users. This is done to reduce the threat surface for data exfiltration. - .ADDEDCOMPONENT - .LABEL - Disable users from installing add-ins in Outlook - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Get-ManagementRoleAssignment | Remove-ManagementRoleAssignment - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableOutlookAddins + .SYNOPSIS + (Label) Disable users from installing add-ins in Outlook + .DESCRIPTION + (Helptext) Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins. + (DocsDescription) Disables users from being able to install add-ins in Outlook. Only admins are able to approve add-ins for the users. This is done to reduce the threat surface for data exfiltration. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + "CIS" + "exo_outlookaddins" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Get-ManagementRoleAssignment | Remove-ManagementRoleAssignment + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-RoleAssignmentPolicy' | Where-Object { $_.IsDefault -eq $true } @@ -82,7 +79,3 @@ function Invoke-CIPPStandardDisableOutlookAddins { Add-CIPPBPAField -FieldName 'DisabledOutlookAddins' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 index 26db5c11c88a..b37877ef1ed2 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 @@ -1,36 +1,33 @@ function Invoke-CIPPStandardDisableReshare { <# .FUNCTIONALITY - Internal - .APINAME - DisableReshare - .CAT - SharePoint Standards - .TAG - "highimpact" - "CIS" - .HELPTEXT - Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access - .DOCSDESCRIPTION - Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access. This is a tenant wide setting and overrules any settings set on the site level - .ADDEDCOMPONENT - .LABEL - Disable Resharing by External Users - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgBetaAdminSharepointSetting - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableReshare + .SYNOPSIS + (Label) Disable Resharing by External Users + .DESCRIPTION + (Helptext) Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access + (DocsDescription) Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access. This is a tenant wide setting and overrules any settings set on the site level + .NOTES + CAT + SharePoint Standards + TAG + "highimpact" + "CIS" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgBetaAdminSharepointSetting + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -62,7 +59,3 @@ function Invoke-CIPPStandardDisableReshare { Add-CIPPBPAField -FieldName 'DisableReshare' -FieldValue $CurrentInfo.isResharingByExternalUsersEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 index 30454df4cba6..f6ce58e33a56 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardDisableSMS { <# .FUNCTIONALITY - Internal - .APINAME - DisableSMS - .CAT - Entra (AAD) Standards - .TAG - "highimpact" - .HELPTEXT - This blocks users from using SMS as an MFA method. If a user only has SMS as a MFA method, they will be unable to log in. - .DOCSDESCRIPTION - Disables SMS as an MFA method for the tenant. If a user only has SMS as a MFA method, they will be unable to sign in. - .ADDEDCOMPONENT - .LABEL - Disables SMS as an MFA method - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - This blocks users from using SMS as an MFA method. If a user only has SMS as a MFA method, they will be unable to log in. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableSMS + .SYNOPSIS + (Label) Disables SMS as an MFA method + .DESCRIPTION + (Helptext) This blocks users from using SMS as an MFA method. If a user only has SMS as a MFA method, they will be unable to log in. + (DocsDescription) Disables SMS as an MFA method for the tenant. If a user only has SMS as a MFA method, they will be unable to sign in. + .NOTES + CAT + Entra (AAD) Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/SMS' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -53,7 +50,3 @@ function Invoke-CIPPStandardDisableSMS { Add-CIPPBPAField -FieldName 'DisableSMS' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 index df6a6d327447..0db8db2c4cc5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardDisableSecurityGroupUsers { <# .FUNCTIONALITY - Internal - .APINAME - DisableSecurityGroupUsers - .CAT - Entra (AAD) Standards - .TAG - "mediumimpact" - .HELPTEXT - Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams - .ADDEDCOMPONENT - .LABEL - Disable Security Group creation by users - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthorizationPolicy - .RECOMMENDEDBY - .DOCSDESCRIPTION - Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableSecurityGroupUsers + .SYNOPSIS + (Label) Disable Security Group creation by users + .DESCRIPTION + (Helptext) Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams + (DocsDescription) Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams + .NOTES + CAT + Entra (AAD) Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthorizationPolicy + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant @@ -59,7 +58,3 @@ function Invoke-CIPPStandardDisableSecurityGroupUsers { Add-CIPPBPAField -FieldName 'DisableSecurityGroupUsers' -FieldValue $CurrentInfo.defaultUserRolePermissions.allowedToCreateSecurityGroups -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 index fa8b5cb537e2..39a0e78629ef 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 @@ -1,27 +1,30 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses { <# .FUNCTIONALITY - Internal - .APINAME - DisableSelfServiceLicenses - .CAT - Entra (AAD) Standards - .TAG - "mediumimpact" - .HELPTEXT - This standard disables all self service licenses and enables all exclusions - .ADDEDCOMPONENT - .LABEL - Disable Self Service Licensing - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId {productId} -Value "Disabled" - .RECOMMENDEDBY - .DOCSDESCRIPTION - This standard disables all self service licenses and enables all exclusions - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableSelfServiceLicenses + .SYNOPSIS + (Label) Disable Self Service Licensing + .DESCRIPTION + (Helptext) This standard disables all self service licenses and enables all exclusions + (DocsDescription) This standard disables all self service licenses and enables all exclusions + .NOTES + CAT + Entra (AAD) Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + {"type":"input","name":"standards.DisableSelfServiceLicenses.Exclusions","label":"License Ids to exclude from this standard"} + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-MsolCompanySettings -AllowAdHocSubscriptions $false + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> param($Tenant, $Settings) @@ -91,7 +94,3 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses { #Add-CIPPBPAField -FieldName '????' -FieldValue "????" -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 index b562d10dbd3e..7665efb69b22 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 @@ -1,36 +1,33 @@ function Invoke-CIPPStandardDisableSharePointLegacyAuth { <# .FUNCTIONALITY - Internal - .APINAME - DisableSharePointLegacyAuth - .CAT - SharePoint Standards - .TAG - "mediumimpact" - "CIS" - .HELPTEXT - Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication. - .DOCSDESCRIPTION - Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class. - .ADDEDCOMPONENT - .LABEL - Disable legacy basic authentication for SharePoint - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Set-SPOTenant -LegacyAuthProtocolsEnabled $false - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableSharePointLegacyAuth + .SYNOPSIS + (Label) Disable legacy basic authentication for SharePoint + .DESCRIPTION + (Helptext) Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication. + (DocsDescription) Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class. + .NOTES + CAT + SharePoint Standards + TAG + "mediumimpact" + "CIS" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-SPOTenant -LegacyAuthProtocolsEnabled $false + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings?$select=isLegacyAuthProtocolsEnabled' -tenantid $Tenant -AsApp $true @@ -64,7 +61,3 @@ function Invoke-CIPPStandardDisableSharePointLegacyAuth { Add-CIPPBPAField -FieldName 'SharePointLegacyAuthEnabled' -FieldValue $CurrentInfo.isLegacyAuthProtocolsEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 index c60ffd274664..cbc159e30dd8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 @@ -1,36 +1,33 @@ function Invoke-CIPPStandardDisableSharedMailbox { <# .FUNCTIONALITY - Internal - .APINAME - DisableSharedMailbox - .CAT - Exchange Standards - .TAG - "mediumimpact" - "CIS" - .HELPTEXT - Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes. - .DOCSDESCRIPTION - Shared mailboxes can be directly logged into if the password is reset, this presents a security risk as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. It would be a good idea to review the sign-in reports to establish potential impact. - .ADDEDCOMPONENT - .LABEL - Disable Shared Mailbox AAD accounts - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Get-Mailbox & Update-MgUser - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableSharedMailbox + .SYNOPSIS + (Label) Disable Shared Mailbox AAD accounts + .DESCRIPTION + (Helptext) Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes. + (DocsDescription) Shared mailboxes can be directly logged into if the password is reset, this presents a security risk as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. It would be a good idea to review the sign-in reports to establish potential impact. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + "CIS" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Get-Mailbox & Update-MgUser + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $UserList = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/users?$top=999&$filter=accountEnabled eq true' -Tenantid $tenant -scope 'https://graph.microsoft.com/.default' $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($Tenant)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' -and $_.UserPrincipalName -in $UserList.UserPrincipalName }) @@ -65,7 +62,3 @@ function Invoke-CIPPStandardDisableSharedMailbox { Add-CIPPBPAField -FieldName 'DisableSharedMailbox' -FieldValue $SharedMailboxList -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 index 1db22507ede0..256d3ba80dc1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 @@ -1,35 +1,31 @@ function Invoke-CIPPStandardDisableTNEF { <# .FUNCTIONALITY - Internal - .APINAME - DisableTNEF - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. - .DOCSDESCRIPTION - Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. Cannot be overridden by the user. For more information, see [Microsoft's documentation.](https://learn.microsoft.com/en-us/exchange/mail-flow/content-conversion/tnef-conversion?view=exchserver-2019) - .ADDEDCOMPONENT - .LABEL - Disable TNEF/winmail.dat - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-RemoteDomain -Identity 'Default' -TNEFEnabled $false - .RECOMMENDEDBY - .DOCSDESCRIPTION - Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableTNEF + .SYNOPSIS + (Label) Disable TNEF/winmail.dat + .DESCRIPTION + (Helptext) Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. + (DocsDescription) Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. Cannot be overridden by the user. For more information, see [Microsoft's documentation.](https://learn.microsoft.com/en-us/exchange/mail-flow/content-conversion/tnef-conversion?view=exchserver-2019) + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-RemoteDomain -Identity 'Default' -TNEFEnabled $false + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param ($Tenant, $Settings) $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-RemoteDomain' -cmdParams @{Identity = 'Default' } @@ -63,7 +59,3 @@ function Invoke-CIPPStandardDisableTNEF { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 index 30eef38a9254..34ce20e2c9fc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 @@ -1,36 +1,33 @@ function Invoke-CIPPStandardDisableTenantCreation { <# .FUNCTIONALITY - Internal - .APINAME - DisableTenantCreation - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles. - .DOCSDESCRIPTION - Users by default are allowed to create M365 tenants. This disables that so only admins can create new M365 tenants. - .ADDEDCOMPONENT - .LABEL - Disable M365 Tenant creation by users - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgPolicyAuthorizationPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableTenantCreation + .SYNOPSIS + (Label) Disable M365 Tenant creation by users + .DESCRIPTION + (Helptext) Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles. + (DocsDescription) Users by default are allowed to create M365 tenants. This disables that so only admins can create new M365 tenants. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant $State = $CurrentInfo.defaultUserRolePermissions.allowedToCreateTenants @@ -63,7 +60,3 @@ function Invoke-CIPPStandardDisableTenantCreation { Add-CIPPBPAField -FieldName 'DisableTenantCreation' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 index b47e17c3ccc6..3f183300bf27 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardDisableUserSiteCreate { <# .FUNCTIONALITY - Internal - .APINAME - DisableUserSiteCreate - .CAT - SharePoint Standards - .TAG - "highimpact" - .HELPTEXT - Disables users from creating new SharePoint sites - .DOCSDESCRIPTION - Disables standard users from creating SharePoint sites, also disables the ability to fully create teams - .ADDEDCOMPONENT - .LABEL - Disable site creation by standard users - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgAdminSharepointSetting - .RECOMMENDEDBY - .DOCSDESCRIPTION - Disables users from creating new SharePoint sites - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableUserSiteCreate + .SYNOPSIS + (Label) Disable site creation by standard users + .DESCRIPTION + (Helptext) Disables users from creating new SharePoint sites + (DocsDescription) Disables standard users from creating SharePoint sites, also disables the ability to fully create teams + .NOTES + CAT + SharePoint Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgAdminSharepointSetting + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -62,7 +59,3 @@ function Invoke-CIPPStandardDisableUserSiteCreate { Add-CIPPBPAField -FieldName 'DisableUserSiteCreate' -FieldValue $CurrentInfo.isSiteCreationEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 index efc8ef960fa4..1235c3564853 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardDisableViva { <# .FUNCTIONALITY - Internal - .APINAME - DisableViva - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Disables the daily viva reports for all users. - .DOCSDESCRIPTION - Disables the daily viva reports for all users. - .ADDEDCOMPONENT - .LABEL - Disable daily Insight/Viva reports - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-UserBriefingConfig - .RECOMMENDEDBY - .DOCSDESCRIPTION - Disables the daily viva reports for all users. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableViva + .SYNOPSIS + (Label) Disable daily Insight/Viva reports + .DESCRIPTION + (Helptext) Disables the daily viva reports for all users. + (DocsDescription) Disables the daily viva reports for all users. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-UserBriefingConfig + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) try { @@ -71,7 +68,3 @@ function Invoke-CIPPStandardDisableViva { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 index 7d8fc7b30d80..4d274249bae1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 @@ -1,31 +1,28 @@ function Invoke-CIPPStandardDisableVoice { <# .FUNCTIONALITY - Internal - .APINAME - DisableVoice - .CAT - Entra (AAD) Standards - .TAG - "highimpact" - .HELPTEXT - This blocks users from using Voice call as an MFA method. If a user only has Voice as a MFA method, they will be unable to log in. - .DOCSDESCRIPTION - Disables Voice call as an MFA method for the tenant. If a user only has Voice call as a MFA method, they will be unable to sign in. - .ADDEDCOMPONENT - .LABEL - Disables Voice call as an MFA method - .IMPACT - High Impact - .DOCSDESCRIPTION - This blocks users from using Voice call as an MFA method. If a user only has Voice as a MFA method, they will be unable to log in. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) DisableVoice + .SYNOPSIS + (Label) Disables Voice call as an MFA method + .DESCRIPTION + (Helptext) This blocks users from using Voice call as an MFA method. If a user only has Voice as a MFA method, they will be unable to log in. + (DocsDescription) Disables Voice call as an MFA method for the tenant. If a user only has Voice call as a MFA method, they will be unable to sign in. + .NOTES + CAT + Entra (AAD) Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Voice' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -50,7 +47,3 @@ function Invoke-CIPPStandardDisableVoice { Add-CIPPBPAField -FieldName 'DisableVoice' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1 index b79fa98643c2..0b463008f7f7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardDisablex509Certificate { <# .FUNCTIONALITY - Internal - .APINAME - Disablex509Certificate - .CAT - Entra (AAD) Standards - .TAG - "highimpact" - .HELPTEXT - This blocks users from using Certificates as an MFA method. - .DOCSDESCRIPTION - This blocks users from using Certificates as an MFA method. - .ADDEDCOMPONENT - .LABEL - Disables Certificates as an MFA method - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - This blocks users from using Certificates as an MFA method. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) Disablex509Certificate + .SYNOPSIS + (Label) Disables Certificates as an MFA method + .DESCRIPTION + (Helptext) This blocks users from using Certificates as an MFA method. + (DocsDescription) This blocks users from using Certificates as an MFA method. + .NOTES + CAT + Entra (AAD) Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/x509Certificate' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -54,7 +51,3 @@ function Invoke-CIPPStandardDisablex509Certificate { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 index 4c427bac19d1..607e69c00c3e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardEnableAppConsentRequests { <# .FUNCTIONALITY - Internal - .APINAME - EnableAppConsentRequests - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings - .DOCSDESCRIPTION - Enables the ability for users to request admin consent for applications. Should be used in conjunction with the "Require admin consent for applications" standards - .ADDEDCOMPONENT - {"type":"AdminRolesMultiSelect","label":"App Consent Reviewer Roles","name":"standards.EnableAppConsentRequests.ReviewerRoles"} - .LABEL - Enable App consent admin requests - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgPolicyAdminConsentRequestPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) EnableAppConsentRequests + .SYNOPSIS + (Label) Enable App consent admin requests + .DESCRIPTION + (Helptext) Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings + (DocsDescription) Enables the ability for users to request admin consent for applications. Should be used in conjunction with the "Require admin consent for applications" standards + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + {"type":"AdminRolesMultiSelect","label":"App Consent Reviewer Roles","name":"standards.EnableAppConsentRequests.ReviewerRoles"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgPolicyAdminConsentRequestPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant @@ -106,7 +103,3 @@ function Invoke-CIPPStandardEnableAppConsentRequests { Add-CIPPBPAField -FieldName 'EnableAppConsentAdminRequests' -FieldValue $CurrentInfo.isEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 index daabff2b8ccc..e977f041eca5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardEnableCustomerLockbox { <# .FUNCTIONALITY - Internal - .APINAME - EnableCustomerLockbox - .CAT - Global Standards - .TAG - "lowimpact" - "CIS" - "CustomerLockBoxEnabled" - .HELPTEXT - Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data - .DOCSDESCRIPTION - Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox ensures only authorized requests allow access to your organizations data. - .ADDEDCOMPONENT - .LABEL - Enable Customer Lockbox - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig -CustomerLockBoxEnabled $true - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) EnableCustomerLockbox + .SYNOPSIS + (Label) Enable Customer Lockbox + .DESCRIPTION + (Helptext) Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data + (DocsDescription) Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox ensures only authorized requests allow access to your organizations data. + .NOTES + CAT + Global Standards + TAG + "lowimpact" + "CIS" + "CustomerLockBoxEnabled" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -CustomerLockBoxEnabled $true + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CustomerLockboxStatus = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').CustomerLockboxEnabled @@ -67,7 +64,3 @@ function Invoke-CIPPStandardEnableCustomerLockbox { Add-CIPPBPAField -FieldName 'CustomerLockboxEnabled' -FieldValue $CustomerLockboxStatus -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 index f7111785c042..89314821af23 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardEnableFIDO2 { <# .FUNCTIONALITY - Internal - .APINAME - EnableFIDO2 - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Enables the FIDO2 authenticationMethod for the tenant - .DOCSDESCRIPTION - Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a Yubikey for authentication. - .ADDEDCOMPONENT - .LABEL - Enable FIDO2 capabilities - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables the FIDO2 authenticationMethod for the tenant - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) EnableFIDO2 + .SYNOPSIS + (Label) Enable FIDO2 capabilities + .DESCRIPTION + (Helptext) Enables the FIDO2 authenticationMethod for the tenant + (DocsDescription) Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a Yubikey for authentication. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Fido2' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -57,7 +54,3 @@ function Invoke-CIPPStandardEnableFIDO2 { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 index eaf297caf78e..8bef17107b58 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardEnableHardwareOAuth { <# .FUNCTIONALITY - Internal - .APINAME - EnableHardwareOAuth - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes. - .DOCSDESCRIPTION - Enables Hardware OAuth tokens for the tenant. This allows users to use hardware tokens like a Yubikey for authentication. - .ADDEDCOMPONENT - .LABEL - Enable Hardware OAuth tokens - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) EnableHardwareOAuth + .SYNOPSIS + (Label) Enable Hardware OAuth tokens + .DESCRIPTION + (Helptext) Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes. + (DocsDescription) Enables Hardware OAuth tokens for the tenant. This allows users to use hardware tokens like a Yubikey for authentication. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/HardwareOath' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -55,8 +52,3 @@ function Invoke-CIPPStandardEnableHardwareOAuth { Add-CIPPBPAField -FieldName 'EnableHardwareOAuth' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 index cecc5e565a4f..4394928eb5aa 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardEnableLitigationHold { - <# - .FUNCTIONALITY - Internal - .APINAME - EnableLitigationHold - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Enables litigation hold for all UserMailboxes with a valid license. - .ADDEDCOMPONENT - .LABEL - Enable Litigation Hold for all users - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-Mailbox -LitigationHoldEnabled $true - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables litigation hold for all UserMailboxes with a valid license. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) EnableLitigationHold + .SYNOPSIS + (Label) Enable Litigation Hold for all users + .DESCRIPTION + (Helptext) Enables litigation hold for all UserMailboxes with a valid license. + (DocsDescription) Enables litigation hold for all UserMailboxes with a valid license. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-Mailbox -LitigationHoldEnabled $true + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $MailboxesNoLitHold = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdparams @{ Filter = 'LitigationHoldEnabled -eq "False"'} | Where-Object {$_.PersistedCapabilities -contains "BPOS_S_DlpAddOn" -or $_.PersistedCapabilities -contains "BPOS_S_Enterprise"} @@ -76,7 +75,3 @@ function Invoke-CIPPStandardEnableLitigationHold { Add-CIPPBPAField -FieldName 'EnableLitHold' -FieldValue $filtered -StoreAs json -Tenant $Tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 index 1abee9433d86..1a73089b2763 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 @@ -1,37 +1,35 @@ function Invoke-CIPPStandardEnableMailTips { <# .FUNCTIONALITY - Internal - .APINAME - EnableMailTips - .CAT - Exchange Standards - .TAG - "lowimpact" - "CIS" - "exo_mailtipsenabled" - .HELPTEXT - Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements - .ADDEDCOMPONENT - {"type":"number","name":"standards.EnableMailTips.MailTipsLargeAudienceThreshold","label":"Number of recipients to trigger the large audience MailTip (Default is 25)","placeholder":"Enter a profile name","default":25} - .LABEL - Enable all MailTips - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) EnableMailTips + .SYNOPSIS + (Label) Enable all MailTips + .DESCRIPTION + (Helptext) Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements + (DocsDescription) Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + "CIS" + "exo_mailtipsenabled" + ADDEDCOMPONENT + {"type":"number","name":"standards.EnableMailTips.MailTipsLargeAudienceThreshold","label":"Number of recipients to trigger the large audience MailTip (Default is 25)","placeholder":"Enter a profile name","default":25} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $MailTipsState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig' | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold $StateIsCorrect = if ($MailTipsState.MailTipsAllTipsEnabled -and $MailTipsState.MailTipsExternalRecipientsTipsEnabled -and $MailTipsState.MailTipsGroupMetricsEnabled -and $MailTipsState.MailTipsLargeAudienceThreshold -eq $Settings.MailTipsLargeAudienceThreshold) { $true } else { $false } @@ -66,7 +64,3 @@ function Invoke-CIPPStandardEnableMailTips { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 index e085bb128d8a..45eb620a65ae 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardEnableMailboxAuditing { <# .FUNCTIONALITY - Internal - .APINAME - EnableMailboxAuditing - .CAT - Exchange Standards - .TAG - "lowimpact" - "CIS" - "exo_mailboxaudit" - .HELPTEXT - Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function. - .DOCSDESCRIPTION - Enables mailbox auditing on tenant level and for all mailboxes. Disables audit bypass on all mailboxes. By default Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. Unified Audit Log needs to be enabled for this standard to function. - .ADDEDCOMPONENT - .LABEL - Enable Mailbox auditing - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig -AuditDisabled $false - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) EnableMailboxAuditing + .SYNOPSIS + (Label) Enable Mailbox auditing + .DESCRIPTION + (Helptext) Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function. + (DocsDescription) Enables mailbox auditing on tenant level and for all mailboxes. Disables audit bypass on all mailboxes. By default Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. Unified Audit Log needs to be enabled for this standard to function. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + "CIS" + "exo_mailboxaudit" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -AuditDisabled $false + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $AuditState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AuditDisabled @@ -120,7 +117,3 @@ function Invoke-CIPPStandardEnableMailboxAuditing { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 index 90a20d59b356..15cd00b97e9c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardEnableOnlineArchiving { <# .FUNCTIONALITY - Internal - .APINAME - EnableOnlineArchiving - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Enables the In-Place Online Archive for all UserMailboxes with a valid license. - .ADDEDCOMPONENT - .LABEL - Enable Online Archive for all users - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Enable-Mailbox -Archive $true - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables the In-Place Online Archive for all UserMailboxes with a valid license. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) EnableOnlineArchiving + .SYNOPSIS + (Label) Enable Online Archive for all users + .DESCRIPTION + (Helptext) Enables the In-Place Online Archive for all UserMailboxes with a valid license. + (DocsDescription) Enables the In-Place Online Archive for all UserMailboxes with a valid license. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Enable-Mailbox -Archive $true + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $MailboxPlans = @( 'ExchangeOnline', 'ExchangeOnlineEnterprise' ) @@ -80,7 +79,3 @@ function Invoke-CIPPStandardEnableOnlineArchiving { Add-CIPPBPAField -FieldName 'EnableOnlineArchiving' -FieldValue $filtered -StoreAs json -Tenant $Tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 index 7d20bcee6666..d67a218334bb 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardEnablePronouns { <# .FUNCTIONALITY - Internal - .APINAME - EnablePronouns - .CAT - Global Standards - .TAG - "lowimpact" - .HELPTEXT - Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile. - .ADDEDCOMPONENT - .LABEL - Enable Pronouns - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaAdminPeoplePronoun -IsEnabledInOrganization:$true - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) EnablePronouns + .SYNOPSIS + (Label) Enable Pronouns + .DESCRIPTION + (Helptext) Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile. + (DocsDescription) Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile. + .NOTES + CAT + Global Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaAdminPeoplePronoun -IsEnabledInOrganization:$true + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param ($Tenant, $Settings) $Uri = 'https://graph.microsoft.com/v1.0/admin/people/pronouns' @@ -71,7 +70,3 @@ function Invoke-CIPPStandardEnablePronouns { Add-CIPPBPAField -FieldName 'PronounsEnabled' -FieldValue $CurrentState.isEnabledInOrganization -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 index 28ab4c8ca495..89c1ab4c6731 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 @@ -1,33 +1,32 @@ function Invoke-CIPPStandardExcludedfileExt { <# .FUNCTIONALITY - Internal - .APINAME - ExcludedfileExt - .CAT - SharePoint Standards - .TAG - "highimpact" - .HELPTEXT - Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted. - .ADDEDCOMPONENT - {"type":"input","name":"standards.ExcludedfileExt.ext","label":"Extensions, Comma separated"} - .LABEL - Exclude File Extensions from Syncing - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgAdminSharepointSetting - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) ExcludedfileExt + .SYNOPSIS + (Label) Exclude File Extensions from Syncing + .DESCRIPTION + (Helptext) Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted. + (DocsDescription) Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted. + .NOTES + CAT + SharePoint Standards + TAG + "highimpact" + ADDEDCOMPONENT + {"type":"input","name":"standards.ExcludedfileExt.ext","label":"Extensions, Comma separated"} + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgAdminSharepointSetting + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true $Exts = ($Settings.ext -replace ' ', '') -split ',' @@ -77,7 +76,3 @@ function Invoke-CIPPStandardExcludedfileExt { Add-CIPPBPAField -FieldName 'ExcludedfileExt' -FieldValue $CurrentInfo.excludedFileExtensionsForSyncApp -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 index 619455fdb0e7..7f3fc99018b3 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 @@ -1,33 +1,32 @@ function Invoke-CIPPStandardExternalMFATrusted { <# .FUNCTIONALITY - Internal - .APINAME - ExternalMFATrusted - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant. - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.ExternalMFATrusted.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} - .LABEL - Sets the Cross-tenant access setting to trust external MFA - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyCrossTenantAccessPolicyDefault - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) ExternalMFATrusted + .SYNOPSIS + (Label) Sets the Cross-tenant access setting to trust external MFA + .DESCRIPTION + (Helptext) Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant. + (DocsDescription) Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.ExternalMFATrusted.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyCrossTenantAccessPolicyDefault + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $ExternalMFATrusted = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default?$select=inboundTrust' -tenantid $Tenant) @@ -73,7 +72,3 @@ function Invoke-CIPPStandardExternalMFATrusted { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 index 9a9655ac22a4..c1e67448cef0 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 @@ -1,35 +1,32 @@ function Invoke-CIPPStandardFocusedInbox { <# .FUNCTIONALITY - Internal - .APINAME - FocusedInbox - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the default Focused Inbox state for the tenant. This can be overridden by the user. - .DOCSDESCRIPTION - Sets the default Focused Inbox state for the tenant. This can be overridden by the user in their Outlook settings. For more information, see [Microsoft's documentation.](https://support.microsoft.com/en-us/office/focused-inbox-for-outlook-f445ad7f-02f4-4294-a82e-71d8964e3978) - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.FocusedInbox.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} - .LABEL - Set Focused Inbox state - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig -FocusedInboxOn $true or $false - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the default Focused Inbox state for the tenant. This can be overridden by the user. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) FocusedInbox + .SYNOPSIS + (Label) Set Focused Inbox state + .DESCRIPTION + (Helptext) Sets the default Focused Inbox state for the tenant. This can be overridden by the user. + (DocsDescription) Sets the default Focused Inbox state for the tenant. This can be overridden by the user in their Outlook settings. For more information, see [Microsoft's documentation.](https://support.microsoft.com/en-us/office/focused-inbox-for-outlook-f445ad7f-02f4-4294-a82e-71d8964e3978) + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.FocusedInbox.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -FocusedInboxOn $true or $false + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) # Input validation @@ -72,7 +69,3 @@ function Invoke-CIPPStandardFocusedInbox { Add-CIPPBPAField -FieldName 'FocusedInboxCorrectState' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 index a99543882349..aa835e4e51f2 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 @@ -1,35 +1,32 @@ function Invoke-CIPPStandardGlobalQuarantineNotifications { <# .FUNCTIONALITY - Internal - .APINAME - GlobalQuarantineNotifications - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users. - .DOCSDESCRIPTION - Sets the global quarantine notification interval for the tenant. This is the time between the quarantine notification emails are sent out to users. Default is 24 hours. - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.GlobalQuarantineNotifications.NotificationInterval","values":[{"label":"4 hours","value":"04:00:00"},{"label":"1 day/Daily","value":"1.00:00:00"},{"label":"7 days/Weekly","value":"7.00:00:00"}]} - .LABEL - Set Global Quarantine Notification Interval - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-QuarantinePolicy -EndUserSpamNotificationFrequency - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) GlobalQuarantineNotifications + .SYNOPSIS + (Label) Set Global Quarantine Notification Interval + .DESCRIPTION + (Helptext) Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users. + (DocsDescription) Sets the global quarantine notification interval for the tenant. This is the time between the quarantine notification emails are sent out to users. Default is 24 hours. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.GlobalQuarantineNotifications.NotificationInterval","values":[{"label":"4 hours","value":"04:00:00"},{"label":"1 day/Daily","value":"1.00:00:00"},{"label":"7 days/Weekly","value":"7.00:00:00"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-QuarantinePolicy -EndUserSpamNotificationFrequency + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param ($Tenant, $Settings) $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-QuarantinePolicy' -cmdParams @{ QuarantinePolicyType = 'GlobalQuarantinePolicy' } @@ -82,7 +79,3 @@ function Invoke-CIPPStandardGlobalQuarantineNotifications { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 index 282d7ebc4778..ca0ba11aa346 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 @@ -1,37 +1,32 @@ function Invoke-CIPPStandardLegacyMFACleanup { <# .FUNCTIONALITY - Internal - .APINAME - LegacyMFACleanup - .CAT - Entra (AAD) Standards - .TAG - "mediumimpact" - .HELPTEXT - This standard currently does not function and can be safely disabled - .ADDEDCOMPONENT - .LABEL - Remove Legacy MFA if SD or CA is active - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Set-MsolUser -StrongAuthenticationRequirements $null - .RECOMMENDEDBY - .DOCSDESCRIPTION - This standard currently does not function and can be safely disabled - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) LegacyMFACleanup + .SYNOPSIS + (Label) Remove Legacy MFA if SD or CA is active + .DESCRIPTION + (Helptext) This standard currently does not function and can be safely disabled + (DocsDescription) This standard currently does not function and can be safely disabled + .NOTES + CAT + Entra (AAD) Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-MsolUser -StrongAuthenticationRequirements $null + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) Write-LogMessage -API 'Standards' -tenant $tenant -message 'Per User MFA APIs have been disabled.' -sev Info } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 index 724357d3ef55..001ff63dce34 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 @@ -1,40 +1,37 @@ function Invoke-CIPPStandardMailContacts { <# .FUNCTIONALITY - Internal - .APINAME - MailContacts - .CAT - Global Standards - .TAG - "lowimpact" - .HELPTEXT - Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information. - .DOCSDESCRIPTION - Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information. - .DISABLEDFEATURES - - .ADDEDCOMPONENT - {"type":"input","name":"standards.MailContacts.GeneralContact","label":"General Contact"} - {"type":"input","name":"standards.MailContacts.SecurityContact","label":"Security Contact"} - {"type":"input","name":"standards.MailContacts.MarketingContact","label":"Marketing Contact"} - {"type":"input","name":"standards.MailContacts.TechContact","label":"Technical Contact"} - .LABEL - Set contact e-mails - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-MsolCompanyContactInformation - .RECOMMENDEDBY - .DOCSDESCRIPTION - Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) MailContacts + .SYNOPSIS + (Label) Set contact e-mails + .DESCRIPTION + (Helptext) Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information. + (DocsDescription) Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information. + .NOTES + CAT + Global Standards + TAG + "lowimpact" + DISABLEDFEATURES + + ADDEDCOMPONENT + {"type":"input","name":"standards.MailContacts.GeneralContact","label":"General Contact"} + {"type":"input","name":"standards.MailContacts.SecurityContact","label":"Security Contact"} + {"type":"input","name":"standards.MailContacts.MarketingContact","label":"Marketing Contact"} + {"type":"input","name":"standards.MailContacts.TechContact","label":"Technical Contact"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-MsolCompanyContactInformation + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $TenantID = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/organization' -tenantid $tenant) $CurrentInfo = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -tenantid $Tenant @@ -95,7 +92,3 @@ function Invoke-CIPPStandardMailContacts { Add-CIPPBPAField -FieldName 'MailContacts' -FieldValue $CurrentInfo -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 index 79fa04d4c3fc..c865022210a4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 @@ -1,44 +1,42 @@ function Invoke-CIPPStandardMalwareFilterPolicy { - <# - .FUNCTIONALITY - Internal - .APINAME - MalwareFilterPolicy - .CAT - Defender Standards - .TAG - "lowimpact" - "CIS" - "mdo_zapspam" - "mdo_zapphish" - "mdo_zapmalware" - .HELPTEXT - This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware. - .ADDEDCOMPONENT - {"type":"Select","label":"FileTypeAction","name":"standards.MalwareFilterPolicy.FileTypeAction","values":[{"label":"Reject","value":"Reject"},{"label":"Quarantine the message","value":"Quarantine"}]} - {"type":"Select","label":"QuarantineTag","name":"standards.MalwareFilterPolicy.QuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} - {"type":"boolean","label":"Enable Internal Sender Admin Notifications","name":"standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications"} - {"type":"input","name":"standards.MalwareFilterPolicy.InternalSenderAdminAddress","label":"Internal Sender Admin Address"} - {"type":"boolean","label":"Enable External Sender Admin Notifications","name":"standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications"} - {"type":"input","name":"standards.MalwareFilterPolicy.ExternalSenderAdminAddress","label":"External Sender Admin Address"} - .LABEL - Default Malware Filter Policy - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-MalwareFilterPolicy or New-MalwareFilterPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) MalwareFilterPolicy + .SYNOPSIS + (Label) Default Malware Filter Policy + .DESCRIPTION + (Helptext) This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware. + (DocsDescription) This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware. + .NOTES + CAT + Defender Standards + TAG + "lowimpact" + "CIS" + "mdo_zapspam" + "mdo_zapphish" + "mdo_zapmalware" + ADDEDCOMPONENT + {"type":"Select","label":"FileTypeAction","name":"standards.MalwareFilterPolicy.FileTypeAction","values":[{"label":"Reject","value":"Reject"},{"label":"Quarantine the message","value":"Quarantine"}]} + {"type":"Select","label":"QuarantineTag","name":"standards.MalwareFilterPolicy.QuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + {"type":"boolean","label":"Enable Internal Sender Admin Notifications","name":"standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications"} + {"type":"input","name":"standards.MalwareFilterPolicy.InternalSenderAdminAddress","label":"Internal Sender Admin Address"} + {"type":"boolean","label":"Enable External Sender Admin Notifications","name":"standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications"} + {"type":"input","name":"standards.MalwareFilterPolicy.ExternalSenderAdminAddress","label":"External Sender Admin Address"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-MalwareFilterPolicy or New-MalwareFilterPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $PolicyName = 'Default Malware Policy' @@ -154,7 +152,3 @@ function Invoke-CIPPStandardMalwareFilterPolicy { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 index b5012d7aefea..686b7796e6bd 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardMessageExpiration { <# .FUNCTIONALITY - Internal - .APINAME - MessageExpiration - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the transport message configuration to timeout a message at 12 hours. - .DOCSDESCRIPTION - Expires messages in the transport queue after 12 hours. Makes the NDR for failed messages show up faster for users. Default is 24 hours. - .ADDEDCOMPONENT - .LABEL - Lower Transport Message Expiration to 12 hours - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-TransportConfig -MessageExpirationTimeout 12.00:00:00 - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the transport message configuration to timeout a message at 12 hours. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) MessageExpiration + .SYNOPSIS + (Label) Lower Transport Message Expiration to 12 hours + .DESCRIPTION + (Helptext) Sets the transport message configuration to timeout a message at 12 hours. + (DocsDescription) Expires messages in the transport queue after 12 hours. Makes the NDR for failed messages show up faster for users. Default is 24 hours. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-TransportConfig -MessageExpirationTimeout 12.00:00:00 + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $MessageExpiration = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig').messageExpiration @@ -60,7 +57,3 @@ function Invoke-CIPPStandardMessageExpiration { Add-CIPPBPAField -FieldName 'messageExpiration' -FieldValue $MessageExpiration -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 index 116b3d4ed40f..069d25550518 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 @@ -1,36 +1,33 @@ function Invoke-CIPPStandardNudgeMFA { <# .FUNCTIONALITY - Internal - .APINAME - NudgeMFA - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the state of the registration campaign for the tenant - .DOCSDESCRIPTION - Sets the state of the registration campaign for the tenant. If enabled nudges users to set up the Microsoft Authenticator during sign-in. - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.NudgeMFA.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} - {"type":"number","name":"standards.NudgeMFA.snoozeDurationInDays","label":"Number of days to allow users to skip registering Authenticator (0-14, default is 1)","default":1} - .LABEL - Sets the state for the request to setup Authenticator - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgPolicyAuthenticationMethodPolicy - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the state of the registration campaign for the tenant - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) NudgeMFA + .SYNOPSIS + (Label) Sets the state for the request to setup Authenticator + .DESCRIPTION + (Helptext) Sets the state of the registration campaign for the tenant + (DocsDescription) Sets the state of the registration campaign for the tenant. If enabled nudges users to set up the Microsoft Authenticator during sign-in. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.NudgeMFA.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + {"type":"number","name":"standards.NudgeMFA.snoozeDurationInDays","label":"Number of days to allow users to skip registering Authenticator (0-14, default is 1)","default":1} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgPolicyAuthenticationMethodPolicy + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $Tenant @@ -85,7 +82,3 @@ function Invoke-CIPPStandardNudgeMFA { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 index 036bd6f011d0..2654b914836d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardOauthConsent { <# .FUNCTIONALITY - Internal - .APINAME - OauthConsent - .CAT - Entra (AAD) Standards - .TAG - "mediumimpact" - "CIS" - .HELPTEXT - Disables users from being able to consent to applications, except for those specified in the field below - .DOCSDESCRIPTION - Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications. - .ADDEDCOMPONENT - {"type":"input","name":"standards.OauthConsent.AllowedApps","label":"Allowed application IDs, comma separated"} - .LABEL - Require admin consent for applications (Prevent OAuth phishing) - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Update-MgPolicyAuthorizationPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Disables users from being able to consent to applications, except for those specified in the field below - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) OauthConsent + .SYNOPSIS + (Label) Require admin consent for applications (Prevent OAuth phishing) + .DESCRIPTION + (Helptext) Disables users from being able to consent to applications, except for those specified in the field below + (DocsDescription) Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications. + .NOTES + CAT + Entra (AAD) Standards + TAG + "mediumimpact" + "CIS" + ADDEDCOMPONENT + {"type":"input","name":"standards.OauthConsent.AllowedApps","label":"Allowed application IDs, comma separated"} + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($tenant, $settings) $State = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant $StateIsCorrect = if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.cipp-consent-policy') { $true } else { $false } @@ -75,7 +72,3 @@ function Invoke-CIPPStandardOauthConsent { Add-CIPPBPAField -FieldName 'OauthConsent' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 index ba94c4f77843..b30070a34da5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 @@ -1,33 +1,30 @@ function Invoke-CIPPStandardOauthConsentLowSec { <# .FUNCTIONALITY - Internal - .APINAME - OauthConsentLowSec - .CAT - Entra (AAD) Standards - .TAG - "mediumimpact" - .HELPTEXT - Sets the default oauth consent level so users can consent to applications that have low risks. - .DOCSDESCRIPTION - Allows users to consent to applications with low assigned risk. - .LABEL - Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure) - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Update-MgPolicyAuthorizationPolicy - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the default oauth consent level so users can consent to applications that have low risks. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) OauthConsentLowSec + .SYNOPSIS + (Label) Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure) + .DESCRIPTION + (Helptext) Sets the default oauth consent level so users can consent to applications that have low risks. + (DocsDescription) Allows users to consent to applications with low assigned risk. + .NOTES + CAT + Entra (AAD) Standards + TAG + "mediumimpact" + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) If ($Settings.remediate -eq $true) { @@ -59,7 +56,3 @@ function Invoke-CIPPStandardOauthConsentLowSec { Add-CIPPBPAField -FieldName 'OauthConsentLowSec' -FieldValue $State.permissionGrantPolicyIdsAssignedToDefaultUserRole -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 index 8ab6cab3d30e..ea5d4d413e31 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardOutBoundSpamAlert { <# .FUNCTIONALITY - Internal - .APINAME - OutBoundSpamAlert - .CAT - Exchange Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - Set the Outbound Spam Alert e-mail address - .DOCSDESCRIPTION - Sets the e-mail address to which outbound spam alerts are sent. - .ADDEDCOMPONENT - {"type":"input","name":"standards.OutBoundSpamAlert.OutboundSpamContact","label":"Outbound spam contact"} - .LABEL - Set Outbound Spam Alert e-mail - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-HostedOutboundSpamFilterPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Set the Outbound Spam Alert e-mail address - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) OutBoundSpamAlert + .SYNOPSIS + (Label) Set Outbound Spam Alert e-mail + .DESCRIPTION + (Helptext) Set the Outbound Spam Alert e-mail address + (DocsDescription) Sets the e-mail address to which outbound spam alerts are sent. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + {"type":"input","name":"standards.OutBoundSpamAlert.OutboundSpamContact","label":"Outbound spam contact"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-HostedOutboundSpamFilterPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-HostedOutboundSpamFilterPolicy' -useSystemMailbox $true @@ -64,7 +61,3 @@ function Invoke-CIPPStandardOutBoundSpamAlert { Add-CIPPBPAField -FieldName 'OutboundSpamAlert' -FieldValue $CurrentInfo.NotifyOutboundSpam -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 index 8148322ca651..dda360cf1b01 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 @@ -1,35 +1,32 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState { <# .FUNCTIONALITY - Internal - .APINAME - PWcompanionAppAllowedState - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the state of Authenticator Lite, Authenticator lite is a companion app for passwordless authentication. - .DOCSDESCRIPTION - Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app. - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.PWcompanionAppAllowedState.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} - .LABEL - Set Authenticator Lite state - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the state of Authenticator Lite, Authenticator lite is a companion app for passwordless authentication. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) PWcompanionAppAllowedState + .SYNOPSIS + (Label) Set Authenticator Lite state + .DESCRIPTION + (Helptext) Sets the state of Authenticator Lite, Authenticator lite is a companion app for passwordless authentication. + (DocsDescription) Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.PWcompanionAppAllowedState.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type GET) @@ -85,7 +82,3 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 index 83b2b276195e..2ba267e34744 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 @@ -1,36 +1,33 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState { <# .FUNCTIONALITY - Internal - .APINAME - PWdisplayAppInformationRequiredState - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name. - .DOCSDESCRIPTION - Allows users to use Passwordless with Number Matching and adds location information from the last request - .ADDEDCOMPONENT - .LABEL - Enable Passwordless with Location information and Number Matching - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) PWdisplayAppInformationRequiredState + .SYNOPSIS + (Label) Enable Passwordless with Location information and Number Matching + .DESCRIPTION + (Helptext) Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name. + (DocsDescription) Allows users to use Passwordless with Number Matching and adds location information from the last request + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -55,7 +52,3 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState { Add-CIPPBPAField -FieldName 'PWdisplayAppInformationRequiredState' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 index c4b2bff28cd7..001ba177caff 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardPasswordExpireDisabled { <# .FUNCTIONALITY - Internal - .APINAME - PasswordExpireDisabled - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - "CIS" - "PWAgePolicyNew" - .HELPTEXT - Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user. - .DOCSDESCRIPTION - Sets passwords to never expire for tenant, recommended to use in conjunction with secure password requirements. - .ADDEDCOMPONENT - .LABEL - Do not expire passwords - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgDomain - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) PasswordExpireDisabled + .SYNOPSIS + (Label) Do not expire passwords + .DESCRIPTION + (Helptext) Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user. + (DocsDescription) Sets passwords to never expire for tenant, recommended to use in conjunction with secure password requirements. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + "CIS" + "PWAgePolicyNew" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgDomain + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/domains' -tenantid $Tenant $DomainswithoutPassExpire = $GraphRequest | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' @@ -72,7 +69,3 @@ function Invoke-CIPPStandardPasswordExpireDisabled { Add-CIPPBPAField -FieldName 'PasswordExpireDisabled' -FieldValue $DomainswithoutPassExpire -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 index 5f08753147f6..32301d96f50c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardPerUserMFA { <# .FUNCTIONALITY - Internal - .APINAME - PerUserMFA - .CAT - Entra (AAD) Standards - .TAG - "highimpact" - .HELPTEXT - Enables per user MFA for all users. - .ADDEDCOMPONENT - .LABEL - Enables per user MFA for all users. - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Graph API - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables per user MFA for all users. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) PerUserMFA + .SYNOPSIS + (Label) Enables per user MFA for all users. + .DESCRIPTION + (Helptext) Enables per user MFA for all users. + (DocsDescription) Enables per user MFA for all users. + .NOTES + CAT + Entra (AAD) Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Graph API + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$top=999&`$select=UserPrincipalName,accountEnabled" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant | Where-Object { $_.AccountEnabled -EQ $true } @@ -63,7 +62,3 @@ function Invoke-CIPPStandardPerUserMFA { Add-CIPPBPAField -FieldName 'LegacyMFAUsers' -FieldValue $UsersWithoutMFA -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 index 1ed18b3104f5..9632d3ba7129 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 @@ -1,35 +1,34 @@ function Invoke-CIPPStandardPhishProtection { <# .FUNCTIONALITY - Internal - .APINAME - PhishProtection - .CAT - Global Standards - .TAG - "lowimpact" - .HELPTEXT - Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate. - .ADDEDCOMPONENT - .LABEL - Enable Phishing Protection system via branding CSS - .IMPACT - Low Impact - .DISABLEDFEATURES - - .POWERSHELLEQUIVALENT - Portal only - .RECOMMENDEDBY - "CIPP" - .DOCSDESCRIPTION - Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) PhishProtection + .SYNOPSIS + (Label) Enable Phishing Protection system via branding CSS + .DESCRIPTION + (Helptext) Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate. + (DocsDescription) Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate. + .NOTES + CAT + Global Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + DISABLEDFEATURES + + POWERSHELLEQUIVALENT + Portal only + RECOMMENDEDBY + "CIPP" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $TenantId = Get-Tenants | Where-Object -Property defaultDomainName -EQ $tenant @@ -83,7 +82,3 @@ function Invoke-CIPPStandardPhishProtection { Add-CIPPBPAField -FieldName 'PhishProtection' -FieldValue $authstate -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 index 135d55c06641..18fbc9babace 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 @@ -1,34 +1,33 @@ function Invoke-CIPPStandardRotateDKIM { <# .FUNCTIONALITY - Internal - .APINAME - RotateDKIM - .CAT - Exchange Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - Rotate DKIM keys that are 1024 bit to 2048 bit - .ADDEDCOMPONENT - .LABEL - Rotate DKIM keys that are 1024 bit to 2048 bit - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Rotate-DkimSigningConfig - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Rotate DKIM keys that are 1024 bit to 2048 bit - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) RotateDKIM + .SYNOPSIS + (Label) Rotate DKIM keys that are 1024 bit to 2048 bit + .DESCRIPTION + (Helptext) Rotate DKIM keys that are 1024 bit to 2048 bit + (DocsDescription) Rotate DKIM keys that are 1024 bit to 2048 bit + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Rotate-DkimSigningConfig + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -Eq 1024 -and $_.Enabled -eq $true } @@ -62,7 +61,3 @@ function Invoke-CIPPStandardRotateDKIM { Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIM -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPAzureB2B.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPAzureB2B.ps1 index 940bad58b135..712772b92b1d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPAzureB2B.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPAzureB2B.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardSPAzureB2B { .COMPONENT (APIName) SPAzureB2B .SYNOPSIS - Enable SharePoint and OneDrive integration with Azure AD B2B + (Label) Enable SharePoint and OneDrive integration with Azure AD B2B .DESCRIPTION (Helptext) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled (DocsDescription) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled @@ -16,8 +16,6 @@ function Invoke-CIPPStandardSPAzureB2B { "lowimpact" "CIS" ADDEDCOMPONENT - LABEL - Enable SharePoint and OneDrive integration with Azure AD B2B IMPACT Low Impact POWERSHELLEQUIVALENT @@ -26,8 +24,10 @@ function Invoke-CIPPStandardSPAzureB2B { "CIS 3.0" UPDATECOMMENTBLOCK Run the Tools\Update-StandardsComments.ps1 script to update this comment block - #> - + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards + #> + param($Tenant, $Settings) $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant | Select-Object -Property EnableAzureADB2BIntegration diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDirectSharing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDirectSharing.ps1 index 9cfaf3c10317..9678a7cf5719 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDirectSharing.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDirectSharing.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardSPDirectSharing { .COMPONENT (APIName) SPDirectSharing .SYNOPSIS - Default sharing to Direct users + (Label) Default sharing to Direct users .DESCRIPTION (Helptext) Ensure default link sharing is set to Direct in SharePoint and OneDrive (DocsDescription) Ensure default link sharing is set to Direct in SharePoint and OneDrive @@ -16,8 +16,6 @@ function Invoke-CIPPStandardSPDirectSharing { "mediumimpact" "CIS" ADDEDCOMPONENT - LABEL - Default sharing to Direct users IMPACT Medium Impact POWERSHELLEQUIVALENT @@ -26,8 +24,10 @@ function Invoke-CIPPStandardSPDirectSharing { "CIS 3.0" UPDATECOMMENTBLOCK Run the Tools\Update-StandardsComments.ps1 script to update this comment block - #> - + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards + #> + param($Tenant, $Settings) $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant | Select-Object -Property DefaultSharingLinkType diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisallowInfectedFiles.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisallowInfectedFiles.ps1 index 42f3498e4a3e..f4103cf7268b 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisallowInfectedFiles.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisallowInfectedFiles.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardSPDisallowInfectedFiles { .COMPONENT (APIName) SPDisallowInfectedFiles .SYNOPSIS - Disallow downloading infected files from SharePoint + (Label) Disallow downloading infected files from SharePoint .DESCRIPTION (Helptext) Ensure Office 365 SharePoint infected files are disallowed for download (DocsDescription) Ensure Office 365 SharePoint infected files are disallowed for download @@ -16,8 +16,6 @@ function Invoke-CIPPStandardSPDisallowInfectedFiles { "lowimpact" "CIS" ADDEDCOMPONENT - LABEL - Disallow downloading infected files from SharePoint IMPACT Low Impact POWERSHELLEQUIVALENT @@ -26,8 +24,10 @@ function Invoke-CIPPStandardSPDisallowInfectedFiles { "CIS 3.0" UPDATECOMMENTBLOCK Run the Tools\Update-StandardsComments.ps1 script to update this comment block - #> - + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards + #> + param($Tenant, $Settings) $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant | Select-Object -Property DisallowInfectedFileDownload diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPEmailAttestation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPEmailAttestation.ps1 index 140c65607780..733168b7c98e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPEmailAttestation.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPEmailAttestation.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardSPEmailAttestation { .COMPONENT (APIName) SPEmailAttestation .SYNOPSIS - Require reauthentication with verification code + (Label) Require reauthentication with verification code .DESCRIPTION (Helptext) Ensure reauthentication with verification code is restricted (DocsDescription) Ensure reauthentication with verification code is restricted @@ -17,8 +17,6 @@ function Invoke-CIPPStandardSPEmailAttestation { "CIS" ADDEDCOMPONENT {"type":"number","name":"standards.SPEmailAttestation.Days","label":"Require reauth every X Days (Default 15)"} - LABEL - Require reauthentication with verification code IMPACT Medium Impact POWERSHELLEQUIVALENT @@ -27,8 +25,10 @@ function Invoke-CIPPStandardSPEmailAttestation { "CIS 3.0" UPDATECOMMENTBLOCK Run the Tools\Update-StandardsComments.ps1 script to update this comment block - #> - + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards + #> + param($Tenant, $Settings) $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant | Select-Object -Property EmailAttestationReAuthDays, EmailAttestationRequired diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPExternalUserExpiration.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPExternalUserExpiration.ps1 index f05818c0d120..5d7b40a65c14 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPExternalUserExpiration.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPExternalUserExpiration.ps1 @@ -5,7 +5,7 @@ function Invoke-CIPPStandardSPExternalUserExpiration { .COMPONENT (APIName) SPExternalUserExpiration .SYNOPSIS - Set guest access to expire automatically + (Label) Set guest access to expire automatically .DESCRIPTION (Helptext) Ensure guest access to a site or OneDrive will expire automatically (DocsDescription) Ensure guest access to a site or OneDrive will expire automatically @@ -17,8 +17,6 @@ function Invoke-CIPPStandardSPExternalUserExpiration { "CIS" ADDEDCOMPONENT {"type":"number","name":"standards.SPExternalUserExpiration.Days","label":"Days until expiration (Default 60)"} - LABEL - Set guest access to expire automatically IMPACT Medium Impact POWERSHELLEQUIVALENT @@ -27,8 +25,10 @@ function Invoke-CIPPStandardSPExternalUserExpiration { "CIS 3.0" UPDATECOMMENTBLOCK Run the Tools\Update-StandardsComments.ps1 script to update this comment block - #> - + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards + #> + param($Tenant, $Settings) $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant | Select-Object -Property ExternalUserExpireInDays, ExternalUserExpirationRequired diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 index dc080914f7b8..26cb8e67ad79 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 @@ -1,42 +1,40 @@ function Invoke-CIPPStandardSafeAttachmentPolicy { - <# - .FUNCTIONALITY - Internal - .APINAME - SafeAttachmentPolicy - .CAT - Defender Standards - .TAG - "lowimpact" - "CIS" - "mdo_safedocuments" - "mdo_commonattachmentsfilter" - "mdo_safeattachmentpolicy" - .HELPTEXT - This creates a Safe Attachment policy - .ADDEDCOMPONENT - {"type":"Select","label":"Action","name":"standards.SafeAttachmentPolicy.Action","values":[{"label":"Allow","value":"Allow"},{"label":"Block","value":"Block"},{"label":"DynamicDelivery","value":"DynamicDelivery"}]} - {"type":"Select","label":"QuarantineTag","name":"standards.SafeAttachmentPolicy.QuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} - {"type":"boolean","label":"Redirect","name":"standards.SafeAttachmentPolicy.Redirect"} - {"type":"input","name":"standards.SafeAttachmentPolicy.RedirectAddress","label":"Redirect Address"} - .LABEL - Default Safe Attachment Policy - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-SafeAttachmentPolicy or New-SafeAttachmentPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - This creates a Safe Attachment policy - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) SafeAttachmentPolicy + .SYNOPSIS + (Label) Default Safe Attachment Policy + .DESCRIPTION + (Helptext) This creates a Safe Attachment policy + (DocsDescription) This creates a Safe Attachment policy + .NOTES + CAT + Defender Standards + TAG + "lowimpact" + "CIS" + "mdo_safedocuments" + "mdo_commonattachmentsfilter" + "mdo_safeattachmentpolicy" + ADDEDCOMPONENT + {"type":"Select","label":"Action","name":"standards.SafeAttachmentPolicy.Action","values":[{"label":"Allow","value":"Allow"},{"label":"Block","value":"Block"},{"label":"DynamicDelivery","value":"DynamicDelivery"}]} + {"type":"Select","label":"QuarantineTag","name":"standards.SafeAttachmentPolicy.QuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + {"type":"boolean","label":"Redirect","name":"standards.SafeAttachmentPolicy.Redirect"} + {"type":"input","name":"standards.SafeAttachmentPolicy.RedirectAddress","label":"Redirect Address"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-SafeAttachmentPolicy or New-SafeAttachmentPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $PolicyName = 'Default Safe Attachment Policy' @@ -137,7 +135,3 @@ function Invoke-CIPPStandardSafeAttachmentPolicy { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 index 92220f54e19c..ea21cb1ac464 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 @@ -1,40 +1,38 @@ function Invoke-CIPPStandardSafeLinksPolicy { - <# - .FUNCTIONALITY - Internal - .APINAME - SafeLinksPolicy - .CAT - Defender Standards - .TAG - "lowimpact" - "CIS" - "mdo_safelinksforemail" - "mdo_safelinksforOfficeApps" - .HELPTEXT - This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders - .ADDEDCOMPONENT - {"type":"boolean","label":"AllowClickThrough","name":"standards.SafeLinksPolicy.AllowClickThrough"} - {"type":"boolean","label":"DisableUrlRewrite","name":"standards.SafeLinksPolicy.DisableUrlRewrite"} - {"type":"boolean","label":"EnableOrganizationBranding","name":"standards.SafeLinksPolicy.EnableOrganizationBranding"} - .LABEL - Default SafeLinks Policy - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-SafeLinksPolicy or New-SafeLinksPolicy - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) SafeLinksPolicy + .SYNOPSIS + (Label) Default SafeLinks Policy + .DESCRIPTION + (Helptext) This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders + (DocsDescription) This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders + .NOTES + CAT + Defender Standards + TAG + "lowimpact" + "CIS" + "mdo_safelinksforemail" + "mdo_safelinksforOfficeApps" + ADDEDCOMPONENT + {"type":"boolean","label":"AllowClickThrough","name":"standards.SafeLinksPolicy.AllowClickThrough"} + {"type":"boolean","label":"DisableUrlRewrite","name":"standards.SafeLinksPolicy.DisableUrlRewrite"} + {"type":"boolean","label":"EnableOrganizationBranding","name":"standards.SafeLinksPolicy.EnableOrganizationBranding"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-SafeLinksPolicy or New-SafeLinksPolicy + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $PolicyName = 'Default SafeLinks Policy' @@ -147,7 +145,3 @@ function Invoke-CIPPStandardSafeLinksPolicy { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 index de39be25829d..e13957c32d89 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 @@ -1,34 +1,33 @@ function Invoke-CIPPStandardSafeSendersDisable { <# .FUNCTIONALITY - Internal - .APINAME - SafeSendersDisable - .CAT - Exchange Standards - .TAG - "mediumimpact" - .HELPTEXT - Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF. - .ADDEDCOMPONENT - .DISABLEDFEATURES - - .LABEL - Remove Safe Senders to prevent SPF bypass - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Set-MailboxJunkEmailConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) SafeSendersDisable + .SYNOPSIS + (Label) Remove Safe Senders to prevent SPF bypass + .DESCRIPTION + (Helptext) Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF. + (DocsDescription) Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + DISABLEDFEATURES + + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-MailboxJunkEmailConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) If ($Settings.remediate -eq $true) { @@ -62,7 +61,3 @@ function Invoke-CIPPStandardSafeSendersDisable { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 index d563d8c1fd4e..b6982ad21a02 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardSecurityDefaults { <# .FUNCTIONALITY - Internal - .APINAME - SecurityDefaults - .CAT - Entra (AAD) Standards - .TAG - "highimpact" - .HELPTEXT - Enables security defaults for the tenant, for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access. - .DOCSDESCRIPTION - Enables SD for the tenant, which disables all forms of basic authentication and enforces users to configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft. - .ADDEDCOMPONENT - .LABEL - Enable Security Defaults - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - [Read more here](https://www.cyberdrain.com/automating-with-powershell-enabling-secure-defaults-and-sd-explained/) - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables security defaults for the tenant, for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) SecurityDefaults + .SYNOPSIS + (Label) Enable Security Defaults + .DESCRIPTION + (Helptext) Enables security defaults for the tenant, for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access. + (DocsDescription) Enables SD for the tenant, which disables all forms of basic authentication and enforces users to configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft. + .NOTES + CAT + Entra (AAD) Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + [Read more here](https://www.cyberdrain.com/automating-with-powershell-enabling-secure-defaults-and-sd-explained/) + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant) @@ -62,7 +59,3 @@ function Invoke-CIPPStandardSecurityDefaults { Add-CIPPBPAField -FieldName 'SecurityDefaults' -FieldValue $SecureDefaultsState.IsEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 index 14b551316e11..d50ad6c5fcfd 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardSendFromAlias { <# .FUNCTIONALITY - Internal - .APINAME - SendFromAlias - .CAT - Exchange Standards - .TAG - "mediumimpact" - .HELPTEXT - Enables the ability for users to send from their alias addresses. - .DOCSDESCRIPTION - Allows users to change the 'from' address to any set in their Azure AD Profile. - .ADDEDCOMPONENT - .LABEL - Allow users to send from their alias addresses - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Set-Mailbox - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables the ability for users to send from their alias addresses. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) SendFromAlias + .SYNOPSIS + (Label) Allow users to send from their alias addresses + .DESCRIPTION + (Helptext) Enables the ability for users to send from their alias addresses. + (DocsDescription) Allows users to change the 'from' address to any set in their Azure AD Profile. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-Mailbox + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').SendFromAliasEnabled @@ -59,7 +56,3 @@ function Invoke-CIPPStandardSendFromAlias { Add-CIPPBPAField -FieldName 'SendFromAlias' -FieldValue $CurrentInfo -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 index a9ba445828ed..60e66edace87 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 @@ -1,34 +1,33 @@ function Invoke-CIPPStandardSendReceiveLimitTenant { <# .FUNCTIONALITY - Internal - .APINAME - SendReceiveLimitTenant - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB - .ADDEDCOMPONENT - {"type":"number","name":"standards.SendReceiveLimitTenant.SendLimit","label":"Send limit in MB (Default is 35)","default":35} - {"type":"number","name":"standards.SendReceiveLimitTenant.ReceiveLimit","label":"Receive Limit in MB (Default is 36)","default":36} - .LABEL - Set send/receive size limits - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-MailboxPlan - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) SendReceiveLimitTenant + .SYNOPSIS + (Label) Set send/receive size limits + .DESCRIPTION + (Helptext) Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB + (DocsDescription) Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"number","name":"standards.SendReceiveLimitTenant.SendLimit","label":"Send limit in MB (Default is 35)","default":35} + {"type":"number","name":"standards.SendReceiveLimitTenant.ReceiveLimit","label":"Receive Limit in MB (Default is 36)","default":36} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-MailboxPlan + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) # Input validation @@ -88,7 +87,3 @@ function Invoke-CIPPStandardSendReceiveLimitTenant { Add-CIPPBPAField -FieldName 'SendReceiveLimit' -FieldValue $NotSetCorrectly -StoreAs json -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 index 3fe19fbad3c4..82b784d75fd8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 @@ -1,35 +1,34 @@ function Invoke-CIPPStandardShortenMeetings { <# .FUNCTIONALITY - Internal - .APINAME - ShortenMeetings - .CAT - Exchange Standards - .TAG - "mediumimpact" - .HELPTEXT - Sets the shorten meetings settings on a tenant level. This will shorten meetings by the selected amount of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are over 60 minutes. - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.ShortenMeetings.ShortenEventScopeDefault","values":[{"label":"Disabled/None","value":"None"},{"label":"End early","value":"EndEarly"},{"label":"Start late","value":"StartLate"}]} - {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceShortEventsBy","label":"Minutes to reduce short calendar events by (Default is 5)","default":5} - {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceLongEventsBy","label":"Minutes to reduce long calendar events by (Default is 10)","default":10} - .LABEL - Set shorten meetings state - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig -ShortenEventScopeDefault -DefaultMinutesToReduceShortEventsBy -DefaultMinutesToReduceLongEventsBy - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the shorten meetings settings on a tenant level. This will shorten meetings by the selected amount of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are over 60 minutes. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) ShortenMeetings + .SYNOPSIS + (Label) Set shorten meetings state + .DESCRIPTION + (Helptext) Sets the shorten meetings settings on a tenant level. This will shorten meetings by the selected amount of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are over 60 minutes. + (DocsDescription) Sets the shorten meetings settings on a tenant level. This will shorten meetings by the selected amount of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are over 60 minutes. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.ShortenMeetings.ShortenEventScopeDefault","values":[{"label":"Disabled/None","value":"None"},{"label":"End early","value":"EndEarly"},{"label":"Start late","value":"StartLate"}]} + {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceShortEventsBy","label":"Minutes to reduce short calendar events by (Default is 5)","default":5} + {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceLongEventsBy","label":"Minutes to reduce long calendar events by (Default is 10)","default":10} + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -ShortenEventScopeDefault -DefaultMinutesToReduceShortEventsBy -DefaultMinutesToReduceLongEventsBy + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) # Input validation @@ -82,7 +81,3 @@ function Invoke-CIPPStandardShortenMeetings { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 index 17e4762e44f8..9f780f3aa60e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardSpoofWarn { <# .FUNCTIONALITY - Internal - .APINAME - SpoofWarn - .CAT - Exchange Standards - .TAG - "lowimpact" - "CIS" - .HELPTEXT - Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA - .DOCSDESCRIPTION - Adds or removes indicators to e-mail messages received from external senders in Outlook. You can read more about this feature on [Microsoft's Exchange Team Blog.](https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098) - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.SpoofWarn.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} - .LABEL - Enable or disable 'external' warning in Outlook - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - et-ExternalInOutlook –Enabled $true or $false - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) SpoofWarn + .SYNOPSIS + (Label) Enable or disable 'external' warning in Outlook + .DESCRIPTION + (Helptext) Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA + (DocsDescription) Adds or removes indicators to e-mail messages received from external senders in Outlook. You can read more about this feature on [Microsoft's Exchange Team Blog.](https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098) + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + "CIS" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.SpoofWarn.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + et-ExternalInOutlook –Enabled $true or $false + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ExternalInOutlook') @@ -74,7 +71,3 @@ function Invoke-CIPPStandardSpoofWarn { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 index fc53152bb426..b1598efd7ad1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 @@ -1,35 +1,32 @@ function Invoke-CIPPStandardTAP { <# .FUNCTIONALITY - Internal - .APINAME - TAP - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select is a TAP is single use or multi-logon. - .DOCSDESCRIPTION - Enables Temporary Password generation for the tenant. - .ADDEDCOMPONENT - {"type":"Select","label":"Select TAP Lifetime","name":"standards.TAP.config","values":[{"label":"Only Once","value":"true"},{"label":"Multiple Logons","value":"false"}]} - .LABEL - Enable Temporary Access Passwords - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select is a TAP is single use or multi-logon. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) TAP + .SYNOPSIS + (Label) Enable Temporary Access Passwords + .DESCRIPTION + (Helptext) Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select is a TAP is single use or multi-logon. + (DocsDescription) Enables Temporary Password generation for the tenant. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select TAP Lifetime","name":"standards.TAP.config","values":[{"label":"Only Once","value":"true"},{"label":"Multiple Logons","value":"false"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass' -tenantid $Tenant @@ -61,7 +58,3 @@ function Invoke-CIPPStandardTAP { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 index 7945d9e4a2f3..aa4920153c3f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 @@ -1,33 +1,32 @@ function Invoke-CIPPStandardTeamsMeetingsByDefault { <# .FUNCTIONALITY - Internal - .APINAME - TeamsMeetingsByDefault - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook. - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.TeamsMeetingsByDefault.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} - .LABEL - Set Teams Meetings by default state - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-OrganizationConfig -OnlineMeetingsByDefaultEnabled - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) TeamsMeetingsByDefault + .SYNOPSIS + (Label) Set Teams Meetings by default state + .DESCRIPTION + (Helptext) Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook. + (DocsDescription) Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook. + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.TeamsMeetingsByDefault.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -OnlineMeetingsByDefaultEnabled + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').OnlineMeetingsByDefaultEnabled @@ -70,7 +69,3 @@ function Invoke-CIPPStandardTeamsMeetingsByDefault { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 index 180b8323ca23..a7012b7c1cc2 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 @@ -1,34 +1,32 @@ function Invoke-CIPPStandardTenantDefaultTimezone { <# .FUNCTIONALITY - Internal - .APINAME - TenantDefaultTimezone - .CAT - SharePoint Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the default timezone for the tenant. This will be used for all new users and sites. - .ADDEDCOMPONENT - {"type":"TimezoneSelect","name":"standards.TenantDefaultTimezone.Timezone","label":"Timezone"} - .LABEL - Set Default Timezone for Tenant - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaAdminSharepointSetting - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the default timezone for the tenant. This will be used for all new users and sites. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) TenantDefaultTimezone + .SYNOPSIS + (Label) Set Default Timezone for Tenant + .DESCRIPTION + (Helptext) Sets the default timezone for the tenant. This will be used for all new users and sites. + (DocsDescription) Sets the default timezone for the tenant. This will be used for all new users and sites. + .NOTES + CAT + SharePoint Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"TimezoneSelect","name":"standards.TenantDefaultTimezone.Timezone","label":"Timezone"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaAdminSharepointSetting + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -68,7 +66,3 @@ function Invoke-CIPPStandardTenantDefaultTimezone { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 index f662a8f200f3..3d546d2fc76a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardUndoOauth { <# .FUNCTIONALITY - Internal - .APINAME - UndoOauth - .CAT - Entra (AAD) Standards - .TAG - "highimpact" - .HELPTEXT - Disables App consent and set to Allow user consent for apps - .ADDEDCOMPONENT - .LABEL - Undo App Consent Standard - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgPolicyAuthorizationPolicy - .RECOMMENDEDBY - .DOCSDESCRIPTION - Disables App consent and set to Allow user consent for apps - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) UndoOauth + .SYNOPSIS + (Label) Undo App Consent Standard + .DESCRIPTION + (Helptext) Disables App consent and set to Allow user consent for apps + (DocsDescription) Disables App consent and set to Allow user consent for apps + .NOTES + CAT + Entra (AAD) Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentState = New-GraphGetRequest -tenantid $Tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy?$select=permissionGrantPolicyIdsAssignedToDefaultUserRole' $State = if ($CurrentState.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') { $true } else { $false } @@ -60,7 +59,3 @@ function Invoke-CIPPStandardUndoOauth { Add-CIPPBPAField -FieldName 'UndoOauth' -FieldValue $State -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1 index 98466f02cec4..810de7f28a52 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1 @@ -1,31 +1,32 @@ function Invoke-CIPPStandardUserReportDestinationEmail { <# .FUNCTIONALITY - Internal - .APINAME - UserReportDestinationEmail - .CAT - Exchange Standards - .TAG - "mediumimpact" - .HELPTEXT - Sets the destination for email when users report them as spam or phishing. Works well together with the 'Set the state of the built-in Report button in Outlook standard'. - .ADDEDCOMPONENT - {"type":"input","name":"standards.UserReportDestinationEmail.Email","label":"Destination email address"} - .LABEL - Set the destination email for user reported emails - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - New-ReportSubmissionRule or Set-ReportSubmissionRule - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the destination for email when users report them as spam or phishing. Works well together with the 'Set the state of the built-in Report button in Outlook standard'. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) UserReportDestinationEmail + .SYNOPSIS + (Label) Set the destination email for user reported emails + .DESCRIPTION + (Helptext) Sets the destination for email when users report them as spam or phishing. Works well together with the 'Set the state of the built-in Report button in Outlook standard'. + (DocsDescription) Sets the destination for email when users report them as spam or phishing. Works well together with the 'Set the state of the built-in Report button in Outlook standard'. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + {"type":"input","name":"standards.UserReportDestinationEmail.Email","label":"Destination email address"} + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + New-ReportSubmissionRule or Set-ReportSubmissionRule + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - param($Tenant, $Settings) # Input validation @@ -75,5 +76,3 @@ function Invoke-CIPPStandardUserReportDestinationEmail { Add-CIPPBPAField -FieldName 'UserReportDestinationEmail' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant } } - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 index 4e1c15e55651..9fec83930945 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 @@ -1,35 +1,32 @@ function Invoke-CIPPStandardUserSubmissions { <# .FUNCTIONALITY - Internal - .APINAME - UserSubmissions - .CAT - Exchange Standards - .TAG - "mediumimpact" - .HELPTEXT - Set the state of the spam submission button in Outlook - .DOCSDESCRIPTION - Set the state of the built-in Report button in Outlook. This gives the users the ability to report emails as spam or phish. - .ADDEDCOMPONENT - {"type":"Select","label":"Select value","name":"standards.UserSubmissions.state","values":[{"label":"Enabled","value":"enable"},{"label":"Disabled","value":"disable"}]} - .LABEL - Set the state of the built-in Report button in Outlook - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy - .RECOMMENDEDBY - .DOCSDESCRIPTION - Set the state of the spam submission button in Outlook - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) UserSubmissions + .SYNOPSIS + (Label) Set the state of the built-in Report button in Outlook + .DESCRIPTION + (Helptext) Set the state of the spam submission button in Outlook + (DocsDescription) Set the state of the built-in Report button in Outlook. This gives the users the ability to report emails as spam or phish. + .NOTES + CAT + Exchange Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.UserSubmissions.state","values":[{"label":"Enabled","value":"enable"},{"label":"Disabled","value":"disable"}]} + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy' @@ -100,7 +97,3 @@ function Invoke-CIPPStandardUserSubmissions { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 index 1c26284c9315..025b51f48c31 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardallowOAuthTokens { <# .FUNCTIONALITY - Internal - .APINAME - allowOAuthTokens - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Allows you to use any software OAuth token generator - .DOCSDESCRIPTION - Enables OTP Software OAuth tokens for the tenant. This allows users to use OTP codes generated via software, like a password manager to be used as an authentication method. - .ADDEDCOMPONENT - .LABEL - Enable OTP Software OAuth tokens - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - Allows you to use any software OAuth token generator - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) allowOAuthTokens + .SYNOPSIS + (Label) Enable OTP Software OAuth tokens + .DESCRIPTION + (Helptext) Allows you to use any software OAuth token generator + (DocsDescription) Enables OTP Software OAuth tokens for the tenant. This allows users to use OTP codes generated via software, like a password manager to be used as an authentication method. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -tenantid $Tenant @@ -65,7 +62,3 @@ function Invoke-CIPPStandardallowOAuthTokens { } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 index 57dd7c7adb49..50890ca483d5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardallowOTPTokens { <# .FUNCTIONALITY - Internal - .APINAME - allowOTPTokens - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Allows you to use MS authenticator OTP token generator - .DOCSDESCRIPTION - Allows you to use Microsoft Authenticator OTP token generator. Useful for using the NPS extension as MFA on VPN clients. - .ADDEDCOMPONENT - .LABEL - Enable OTP via Authenticator - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration - .RECOMMENDEDBY - .DOCSDESCRIPTION - Allows you to use MS authenticator OTP token generator - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) allowOTPTokens + .SYNOPSIS + (Label) Enable OTP via Authenticator + .DESCRIPTION + (Helptext) Allows you to use MS authenticator OTP token generator + (DocsDescription) Allows you to use Microsoft Authenticator OTP token generator. Useful for using the NPS extension as MFA on VPN clients. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant @@ -53,7 +50,3 @@ function Invoke-CIPPStandardallowOTPTokens { } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 index e716d72e8651..d3609ffc7f11 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 @@ -1,37 +1,34 @@ function Invoke-CIPPStandardcalDefault { <# .FUNCTIONALITY - Internal - .APINAME - calDefault - .CAT - Exchange Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the default sharing level for the default calendar, for all users - .DOCSDESCRIPTION - Sets the default sharing level for the default calendar for all users in the tenant. You can read about the different sharing levels [here.](https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps#-accessrights) - .DISABLEDFEATURES - - .ADDEDCOMPONENT - {"type":"Select","label":"Select Sharing Level","name":"standards.calDefault.permissionlevel","values":[{"label":"Owner - The user can create, read, edit, and delete all items in the folder, and create subfolders. The user is both folder owner and folder contact.","value":"Owner"},{"label":"Publishing Editor - The user can create, read, edit, and delete all items in the folder, and create subfolders.","value":"PublishingEditor"},{"label":"Editor - The user can create items in the folder. The contents of the folder do not appear.","value":"Editor"},{"label":"Publishing Author. The user can read, create all items/subfolders. Can modify and delete only items they create.","value":"PublishingAuthor"},{"label":"Author - The user can create and read items, and modify and delete items that they create.","value":"Author"},{"label":"Non Editing Author - The user has full read access and create items. Can can delete only own items.","value":"NonEditingAuthor"},{"label":"Reviewer - The user can read all items in the folder.","value":"Reviewer"},{"label":"Contributor - The user can create items and folders.","value":"Contributor"},{"label":"Availability Only - Indicates that the user can view only free/busy time within the calendar.","value":"AvailabilityOnly"},{"label":"Limited Details - The user can view free/busy time within the calendar and the subject and location of appointments.","value":"LimitedDetails"},{"label":"None - The user has no permissions on the folder.","value":"none"}]} - .LABEL - Set Sharing Level for Default calendar - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Set-MailboxFolderPermission - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the default sharing level for the default calendar, for all users - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) calDefault + .SYNOPSIS + (Label) Set Sharing Level for Default calendar + .DESCRIPTION + (Helptext) Sets the default sharing level for the default calendar, for all users + (DocsDescription) Sets the default sharing level for the default calendar for all users in the tenant. You can read about the different sharing levels [here.](https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps#-accessrights) + .NOTES + CAT + Exchange Standards + TAG + "lowimpact" + DISABLEDFEATURES + + ADDEDCOMPONENT + {"type":"Select","label":"Select Sharing Level","name":"standards.calDefault.permissionlevel","values":[{"label":"Owner - The user can create, read, edit, and delete all items in the folder, and create subfolders. The user is both folder owner and folder contact.","value":"Owner"},{"label":"Publishing Editor - The user can create, read, edit, and delete all items in the folder, and create subfolders.","value":"PublishingEditor"},{"label":"Editor - The user can create items in the folder. The contents of the folder do not appear.","value":"Editor"},{"label":"Publishing Author. The user can read, create all items/subfolders. Can modify and delete only items they create.","value":"PublishingAuthor"},{"label":"Author - The user can create and read items, and modify and delete items that they create.","value":"Author"},{"label":"Non Editing Author - The user has full read access and create items. Can can delete only own items.","value":"NonEditingAuthor"},{"label":"Reviewer - The user can read all items in the folder.","value":"Reviewer"},{"label":"Contributor - The user can create items and folders.","value":"Contributor"},{"label":"Availability Only - Indicates that the user can view only free/busy time within the calendar.","value":"AvailabilityOnly"},{"label":"Limited Details - The user can view free/busy time within the calendar and the subject and location of appointments.","value":"LimitedDetails"},{"label":"None - The user has no permissions on the folder.","value":"none"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-MailboxFolderPermission + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings, $QueueItem) # Input validation @@ -106,7 +103,3 @@ function Invoke-CIPPStandardcalDefault { Write-LogMessage -API 'Standards' -tenant $Tenant -message "Successfully set default calendar permissions for $SuccessCounter out of $TotalMailboxes mailboxes." -sev Info } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 index 42f8977f066e..cc887e54f176 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandarddisableMacSync { <# .FUNCTIONALITY - Internal - .APINAME - disableMacSync - .CAT - SharePoint Standards - .TAG - "highimpact" - .HELPTEXT - Disables the ability for Mac devices to sync with OneDrive. - .ADDEDCOMPONENT - .LABEL - Do not allow Mac devices to sync using OneDrive - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgAdminSharepointSetting - .RECOMMENDEDBY - .DOCSDESCRIPTION - Disables the ability for Mac devices to sync with OneDrive. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) disableMacSync + .SYNOPSIS + (Label) Do not allow Mac devices to sync using OneDrive + .DESCRIPTION + (Helptext) Disables the ability for Mac devices to sync with OneDrive. + (DocsDescription) Disables the ability for Mac devices to sync with OneDrive. + .NOTES + CAT + SharePoint Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgAdminSharepointSetting + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -60,7 +59,3 @@ function Invoke-CIPPStandarddisableMacSync { Add-CIPPBPAField -FieldName 'MacSync' -FieldValue $CurrentInfo.isMacSyncAppEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1 index 1a15822c6e38..7d3591aeb1c9 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1 @@ -1,43 +1,41 @@ function Invoke-CIPPStandardintuneBrandingProfile { - <# - .FUNCTIONALITY - Internal - .APINAME - intuneBrandingProfile - .CAT - Intune Standards - .TAG - "lowimpact" - .HELPTEXT - Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level. - .ADDEDCOMPONENT - {"type":"input","name":"standards.intuneBrandingProfile.displayName","label":"Organization name"} - {"type":"boolean","name":"standards.intuneBrandingProfile.showLogo","label":"Show logo"} - {"type":"boolean","name":"standards.intuneBrandingProfile.showDisplayNameNextToLogo","label":"Show organization name next to logo"} - {"type":"input","name":"standards.intuneBrandingProfile.contactITName","label":"Contact IT name"} - {"type":"input","name":"standards.intuneBrandingProfile.contactITPhoneNumber","label":"Contact IT phone number"} - {"type":"input","name":"standards.intuneBrandingProfile.contactITEmailAddress","label":"Contact IT email address"} - {"type":"input","name":"standards.intuneBrandingProfile.contactITNotes","label":"Contact IT notes"} - {"type":"input","name":"standards.intuneBrandingProfile.onlineSupportSiteName","label":"Online support site name"} - {"type":"input","name":"standards.intuneBrandingProfile.onlineSupportSiteUrl","label":"Online support site URL"} - {"type":"input","name":"standards.intuneBrandingProfile.privacyUrl","label":"Privacy statement URL"} - .LABEL - Set Intune Company Portal branding profile - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Graph API - .RECOMMENDEDBY - .DOCSDESCRIPTION - Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) intuneBrandingProfile + .SYNOPSIS + (Label) Set Intune Company Portal branding profile + .DESCRIPTION + (Helptext) Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level. + (DocsDescription) Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level. + .NOTES + CAT + Intune Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"input","name":"standards.intuneBrandingProfile.displayName","label":"Organization name"} + {"type":"boolean","name":"standards.intuneBrandingProfile.showLogo","label":"Show logo"} + {"type":"boolean","name":"standards.intuneBrandingProfile.showDisplayNameNextToLogo","label":"Show organization name next to logo"} + {"type":"input","name":"standards.intuneBrandingProfile.contactITName","label":"Contact IT name"} + {"type":"input","name":"standards.intuneBrandingProfile.contactITPhoneNumber","label":"Contact IT phone number"} + {"type":"input","name":"standards.intuneBrandingProfile.contactITEmailAddress","label":"Contact IT email address"} + {"type":"input","name":"standards.intuneBrandingProfile.contactITNotes","label":"Contact IT notes"} + {"type":"input","name":"standards.intuneBrandingProfile.onlineSupportSiteName","label":"Online support site name"} + {"type":"input","name":"standards.intuneBrandingProfile.onlineSupportSiteUrl","label":"Online support site URL"} + {"type":"input","name":"standards.intuneBrandingProfile.privacyUrl","label":"Privacy statement URL"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Graph API + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/intuneBrandingProfiles/c3a59481-1bf2-46ce-94b3-66eec07a8d60/' -tenantid $Tenant -AsApp $true @@ -99,7 +97,3 @@ function Invoke-CIPPStandardintuneBrandingProfile { Add-CIPPBPAField -FieldName 'intuneBrandingProfile' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 index 9dbcdbba602c..120655ef7368 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 @@ -1,33 +1,32 @@ function Invoke-CIPPStandardintuneDeviceReg { <# .FUNCTIONALITY - Internal - .APINAME - intuneDeviceReg - .CAT - Intune Standards - .TAG - "mediumimpact" - .HELPTEXT - sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users - .ADDEDCOMPONENT - {"type":"number","name":"standards.intuneDeviceReg.max","label":"Maximum devices (Enter 2147483647 for unlimited.)"} - .LABEL - Set Maximum Number of Devices per user - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyDeviceRegistrationPolicy - .RECOMMENDEDBY - .DOCSDESCRIPTION - sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) intuneDeviceReg + .SYNOPSIS + (Label) Set Maximum Number of Devices per user + .DESCRIPTION + (Helptext) sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users + (DocsDescription) sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users + .NOTES + CAT + Intune Standards + TAG + "mediumimpact" + ADDEDCOMPONENT + {"type":"number","name":"standards.intuneDeviceReg.max","label":"Maximum devices (Enter 2147483647 for unlimited.)"} + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyDeviceRegistrationPolicy + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant $StateIsCorrect = if ($PreviousSetting.userDeviceQuota -eq $Settings.max) { $true } else { $false } @@ -63,7 +62,3 @@ function Invoke-CIPPStandardintuneDeviceReg { Add-CIPPBPAField -FieldName 'intuneDeviceReg' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 index 1ea419e2639d..b745d4001823 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 @@ -1,33 +1,32 @@ function Invoke-CIPPStandardintuneDeviceRetirementDays { <# .FUNCTIONALITY - Internal - .APINAME - intuneDeviceRetirementDays - .CAT - Intune Standards - .TAG - "lowimpact" - .HELPTEXT - A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days. - .ADDEDCOMPONENT - {"type":"number","name":"standards.intuneDeviceRetirementDays.days","label":"Maximum days (0 equals disabled)"} - .LABEL - Set inactive device retirement days - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Graph API - .RECOMMENDEDBY - .DOCSDESCRIPTION - A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) intuneDeviceRetirementDays + .SYNOPSIS + (Label) Set inactive device retirement days + .DESCRIPTION + (Helptext) A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days. + (DocsDescription) A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days. + .NOTES + CAT + Intune Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"number","name":"standards.intuneDeviceRetirementDays.days","label":"Maximum days (0 equals disabled)"} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Graph API + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -tenantid $Tenant) @@ -63,7 +62,3 @@ function Invoke-CIPPStandardintuneDeviceRetirementDays { Add-CIPPBPAField -FieldName 'intuneDeviceRetirementDays' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 index 79c0d352d1c9..0d62ae33b793 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 @@ -1,31 +1,30 @@ function Invoke-CIPPStandardintuneRequireMFA { <# .FUNCTIONALITY - Internal - .APINAME - intuneRequireMFA - .CAT - Intune Standards - .TAG - "mediumimpact" - .HELPTEXT - Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access. - .LABEL - Require Multifactor Authentication to register or join devices with Microsoft Entra - .IMPACT - Medium Impact - .POWERSHELLEQUIVALENT - Update-MgBetaPolicyDeviceRegistrationPolicy - .RECOMMENDEDBY - .DOCSDESCRIPTION - Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) intuneRequireMFA + .SYNOPSIS + (Label) Require Multifactor Authentication to register or join devices with Microsoft Entra + .DESCRIPTION + (Helptext) Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access. + (DocsDescription) Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access. + .NOTES + CAT + Intune Standards + TAG + "mediumimpact" + IMPACT + Medium Impact + POWERSHELLEQUIVALENT + Update-MgBetaPolicyDeviceRegistrationPolicy + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant @@ -60,7 +59,3 @@ function Invoke-CIPPStandardintuneRequireMFA { Add-CIPPBPAField -FieldName 'intuneRequireMFA' -FieldValue $RequireMFA -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 index b159a5d5796f..2aef8abb64a6 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 @@ -1,34 +1,31 @@ function Invoke-CIPPStandardlaps { <# .FUNCTIONALITY - Internal - .APINAME - laps - .CAT - Entra (AAD) Standards - .TAG - "lowimpact" - .HELPTEXT - Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default. - .DOCSDESCRIPTION - Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD. - .ADDEDCOMPONENT - .LABEL - Enable LAPS on the tenant - .IMPACT - Low Impact - .POWERSHELLEQUIVALENT - Portal or Graph API - .RECOMMENDEDBY - .DOCSDESCRIPTION - Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) laps + .SYNOPSIS + (Label) Enable LAPS on the tenant + .DESCRIPTION + (Helptext) Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default. + (DocsDescription) Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD. + .NOTES + CAT + Entra (AAD) Standards + TAG + "lowimpact" + ADDEDCOMPONENT + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Portal or Graph API + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant @@ -62,7 +59,3 @@ function Invoke-CIPPStandardlaps { Add-CIPPBPAField -FieldName 'laps' -FieldValue $PreviousSetting.localAdminPassword.isEnabled -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 index 1f0f3f7e9f5d..9dd41b467644 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 @@ -1,35 +1,34 @@ function Invoke-CIPPStandardsharingCapability { <# .FUNCTIONALITY - Internal - .APINAME - sharingCapability - .CAT - SharePoint Standards - .TAG - "highimpact" - "CIS" - .HELPTEXT - Sets the default sharing level for OneDrive and Sharepoint. This is a tenant wide setting and overrules any settings set on the site level - .ADDEDCOMPONENT - {"type":"Select","label":"Select Sharing Level","name":"standards.sharingCapability.Level","values":[{"label":"Users can share only with people in the organization. No external sharing is allowed.","value":"disabled"},{"label":"Users can share with new and existing guests. Guests must sign in or provide a verification code.","value":"externalUserSharingOnly"},{"label":"Users can share with anyone by using links that do not require sign-in.","value":"externalUserAndGuestSharing"},{"label":"Users can share with existing guests (those already in the directory of the organization).","value":"existingExternalUserSharingOnly"}]} - .LABEL - Set Sharing Level for OneDrive and Sharepoint - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgBetaAdminSharepointSetting - .RECOMMENDEDBY - "CIS" - .DOCSDESCRIPTION - Sets the default sharing level for OneDrive and Sharepoint. This is a tenant wide setting and overrules any settings set on the site level - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) sharingCapability + .SYNOPSIS + (Label) Set Sharing Level for OneDrive and Sharepoint + .DESCRIPTION + (Helptext) Sets the default sharing level for OneDrive and Sharepoint. This is a tenant wide setting and overrules any settings set on the site level + (DocsDescription) Sets the default sharing level for OneDrive and Sharepoint. This is a tenant wide setting and overrules any settings set on the site level + .NOTES + CAT + SharePoint Standards + TAG + "highimpact" + "CIS" + ADDEDCOMPONENT + {"type":"Select","label":"Select Sharing Level","name":"standards.sharingCapability.Level","values":[{"label":"Users can share only with people in the organization. No external sharing is allowed.","value":"disabled"},{"label":"Users can share with new and existing guests. Guests must sign in or provide a verification code.","value":"externalUserSharingOnly"},{"label":"Users can share with anyone by using links that do not require sign-in.","value":"externalUserAndGuestSharing"},{"label":"Users can share with existing guests (those already in the directory of the organization).","value":"existingExternalUserSharingOnly"}]} + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgBetaAdminSharepointSetting + RECOMMENDEDBY + "CIS" + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -70,7 +69,3 @@ function Invoke-CIPPStandardsharingCapability { } } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1 index c148a249f8e0..5fe6efe90b5c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1 @@ -1,36 +1,34 @@ function Invoke-CIPPStandardsharingDomainRestriction { - <# - .FUNCTIONALITY - Internal - .APINAME - sharingDomainRestriction - .CAT - SharePoint Standards - .TAG - "highimpact" - "CIS" - .HELPTEXT - Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain. - .ADDEDCOMPONENT - {"type":"Select","name":"standards.sharingDomainRestriction.Mode","label":"Limit external sharing by domains","values":[{"label":"Off","value":"none"},{"label":"Restirct sharing to specific domains","value":"allowList"},{"label":"Block sharing to specific domains","value":"blockList"}]} - {"type":"input","name":"standards.sharingDomainRestriction.Domains","label":"Domains to allow/block, comma separated"} - .LABEL - Restrict sharing to a specific domain - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgAdminSharepointSetting - .RECOMMENDEDBY - .DOCSDESCRIPTION - Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) sharingDomainRestriction + .SYNOPSIS + (Label) Restrict sharing to a specific domain + .DESCRIPTION + (Helptext) Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain. + (DocsDescription) Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain. + .NOTES + CAT + SharePoint Standards + TAG + "highimpact" + "CIS" + ADDEDCOMPONENT + {"type":"Select","name":"standards.sharingDomainRestriction.Mode","label":"Limit external sharing by domains","values":[{"label":"Off","value":"none"},{"label":"Restirct sharing to specific domains","value":"allowList"},{"label":"Block sharing to specific domains","value":"blockList"}]} + {"type":"input","name":"standards.sharingDomainRestriction.Domains","label":"Domains to allow/block, comma separated"} + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgAdminSharepointSetting + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - - param($Tenant, $Settings) $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -88,7 +86,3 @@ function Invoke-CIPPStandardsharingDomainRestriction { Add-CIPPBPAField -FieldName 'sharingDomainRestriction' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $tenant } } - - - - diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 index cc7f13e36fa8..7ffad1a2bc47 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 @@ -1,32 +1,31 @@ function Invoke-CIPPStandardunmanagedSync { <# .FUNCTIONALITY - Internal - .APINAME - unmanagedSync - .CAT - SharePoint Standards - .TAG - "highimpact" - .HELPTEXT - The unmanaged Sync standard has been temporarily disabled and does nothing. - .ADDEDCOMPONENT - .LABEL - Only allow users to sync OneDrive from AAD joined devices - .IMPACT - High Impact - .POWERSHELLEQUIVALENT - Update-MgAdminSharepointSetting - .RECOMMENDEDBY - .DOCSDESCRIPTION - The unmanaged Sync standard has been temporarily disabled and does nothing. - .UPDATECOMMENTBLOCK - Run the Tools\Update-StandardsComments.ps1 script to update this comment block + Internal + .COMPONENT + (APIName) unmanagedSync + .SYNOPSIS + (Label) Only allow users to sync OneDrive from AAD joined devices + .DESCRIPTION + (Helptext) The unmanaged Sync standard has been temporarily disabled and does nothing. + (DocsDescription) The unmanaged Sync standard has been temporarily disabled and does nothing. + .NOTES + CAT + SharePoint Standards + TAG + "highimpact" + ADDEDCOMPONENT + IMPACT + High Impact + POWERSHELLEQUIVALENT + Update-MgAdminSharepointSetting + RECOMMENDEDBY + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + .LINK + https://docs.cipp.app/user-documentation/tenant/standards/edit-standards #> - - - param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -59,7 +58,3 @@ function Invoke-CIPPStandardunmanagedSync { Add-CIPPBPAField -FieldName 'unmanagedSync' -FieldValue $CurrentInfo.isUnmanagedSyncAppForTenantRestricted -StoreAs bool -Tenant $tenant } } - - - - From 975c26f0a8e07c7a752d2b7e3095d76299f35bba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Thu, 11 Jul 2024 17:54:52 +0200 Subject: [PATCH 04/10] Fix string to int comparison --- .../Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 index a9ba445828ed..211280ced58f 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 @@ -32,13 +32,13 @@ function Invoke-CIPPStandardSendReceiveLimitTenant { param($Tenant, $Settings) # Input validation - if ($Settings.SendLimit -lt 1 -or $Settings.SendLimit -gt 150) { + if ([Int32]$Settings.SendLimit -lt 1 -or [Int32]$Settings.SendLimit -gt 150) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'SendReceiveLimitTenant: Invalid SendLimit parameter set' -sev Error Return } # Input validation - if ($Settings.ReceiveLimit -lt 1 -or $Settings.ReceiveLimit -gt 150) { + if ([Int32]$Settings.ReceiveLimit -lt 1 -or [Int32]$Settings.ReceiveLimit -gt 150) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'SendReceiveLimitTenant: Invalid ReceiveLimit parameter set' -sev Error Return } From 1c199e744ce4a19c4f7f9bfc0f4252582b905b05 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Thu, 11 Jul 2024 17:55:15 +0200 Subject: [PATCH 05/10] This should not be here, why did i add it? --- .../Invoke-CIPPStandardallowOAuthTokens.ps1 | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 index 1c26284c9315..db4e886330a5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 @@ -34,18 +34,6 @@ function Invoke-CIPPStandardallowOAuthTokens { $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } - if ($Settings.report -eq $true) { - Add-CIPPBPAField -FieldName 'softwareOath' -FieldValue $State -StoreAs bool -Tenant $tenant - } - - # Input validation - if (([string]::IsNullOrWhiteSpace($Settings.state) -or $Settings.state -eq 'Select a value') -and ($Settings.remediate -eq $true -or $Settings.alert -eq $true)) { - Write-LogMessage -API 'Standards' -tenant $tenant -message 'allowOAuthTokens: Invalid state parameter set' -sev Error - Return - } - - - If ($Settings.remediate -eq $true) { if ($State) { Write-LogMessage -API 'Standards' -tenant $tenant -message 'Software OTP/oAuth tokens is already enabled.' -sev Info @@ -63,6 +51,9 @@ function Invoke-CIPPStandardallowOAuthTokens { } } + if ($Settings.report -eq $true) { + Add-CIPPBPAField -FieldName 'softwareOath' -FieldValue $State -StoreAs bool -Tenant $tenant + } } From 85946dba4487fb7944fa7b74509226c4f139ad19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Thu, 11 Jul 2024 21:02:48 +0200 Subject: [PATCH 06/10] Fix TAP not being generated cause of user not fully created --- .../Users/Invoke-ExecJITAdmin.ps1 | 26 +++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 index 458656041088..5a792e66ccd1 100644 --- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 @@ -11,7 +11,8 @@ Function Invoke-ExecJITAdmin { param($Request, $TriggerMetadata) $APIName = 'ExecJITAdmin' - Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug' + $User = $Request.Headers.'x-ms-client-principal' + Write-LogMessage -user $User -API $APINAME -message 'Accessed this API' -Sev 'Debug' if ($Request.Query.Action -eq 'List') { $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } @@ -61,14 +62,14 @@ Function Invoke-ExecJITAdmin { if ($Request.Body.UserId -match '^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}$') { $Username = (New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Request.Body.UserId)" -tenantid $Request.Body.TenantFilter).userPrincipalName } - Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message "Executing JIT Admin for $Username" -Sev 'Info' + Write-LogMessage -user $User -API $APINAME -message "Executing JIT Admin for $Username" -Sev 'Info' $Start = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.StartDate)).DateTime.ToLocalTime() $Expiration = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.EndDate)).DateTime.ToLocalTime() $Results = [System.Collections.Generic.List[string]]::new() if ($Request.Body.useraction -eq 'create') { - Write-LogMessage -user $Request.Headers.'x-ms-client-principal' -API $APINAME -message "Creating JIT Admin user $($Request.Body.UserPrincipalName)" -Sev 'Info' + Write-LogMessage -user $User -API $APINAME -message "Creating JIT Admin user $($Request.Body.UserPrincipalName)" -Sev 'Info' Write-Information "Creating JIT Admin user $($Request.Body.UserPrincipalName)" $JITAdmin = @{ User = @{ @@ -86,7 +87,7 @@ Function Invoke-ExecJITAdmin { if (!$Request.Body.UseTAP) { $Results.Add("Password: $($CreateResult.password)") } - $Results.Add("JIT Expires: $($Expiration)") + $Results.Add("JIT Admin Expires: $($Expiration)") Start-Sleep -Seconds 1 } @@ -97,11 +98,24 @@ Function Invoke-ExecJITAdmin { startDateTime = [System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.StartDate).DateTime } $TapBody = ConvertTo-Json -Depth 5 -InputObject $TapParams + Write-Information $Username + Write-Information $TapBody } else { $TapBody = '{}' } Write-Information "https://graph.microsoft.com/beta/users/$Username/authentication/temporaryAccessPassMethods" - $TapRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Username)/authentication/temporaryAccessPassMethods" -tenantid $Request.Body.TenantFilter -type POST -body $TapBody + # Retry creating the TAP up to 5 times, since it can fail due to the user not being fully created yet + $Retries = 0 + do { + try { + $TapRequest = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$($Username)/authentication/temporaryAccessPassMethods" -tenantid $Request.Body.TenantFilter -type POST -body $TapBody + } catch { + Start-Sleep -Seconds 2 + Write-Information 'ERROR: Failed to create TAP, retrying' + Write-Information ( ConvertTo-Json -Depth 5 -InputObject (Get-CippException -Exception $_)) + } + $Retries++ + } while ( $null -eq $TapRequest.temporaryAccessPass -and $Retries -le 5 ) $TempPass = $TapRequest.temporaryAccessPass $PasswordExpiration = $TapRequest.LifetimeInMinutes @@ -109,6 +123,8 @@ Function Invoke-ExecJITAdmin { $PasswordLink = New-PwPushLink -Payload $TempPass if ($PasswordLink) { $Password = $PasswordLink + } else { + $Password = $TempPass } $Results.Add("Temporary Access Pass: $Password") $Results.Add("This TAP is usable starting at $($TapRequest.startDateTime) UTC for the next $PasswordExpiration minutes") From d6a2adf1085f1a295ccfd0f27a2185decd716396 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Thu, 11 Jul 2024 22:13:51 +0200 Subject: [PATCH 07/10] Add schema at creation --- .../Administration/Users/Invoke-ExecJITAdmin.ps1 | 11 ++++++----- Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1 | 11 +++++++++-- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 index 5a792e66ccd1..6ec43458e29c 100644 --- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Identity/Administration/Users/Invoke-ExecJITAdmin.ps1 @@ -12,6 +12,7 @@ Function Invoke-ExecJITAdmin { $APIName = 'ExecJITAdmin' $User = $Request.Headers.'x-ms-client-principal' + Write-LogMessage -user $User -API $APINAME -message 'Accessed this API' -Sev 'Debug' if ($Request.Query.Action -eq 'List') { @@ -68,7 +69,7 @@ Function Invoke-ExecJITAdmin { $Expiration = ([System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.EndDate)).DateTime.ToLocalTime() $Results = [System.Collections.Generic.List[string]]::new() - if ($Request.Body.useraction -eq 'create') { + if ($Request.Body.useraction -eq 'Create') { Write-LogMessage -user $User -API $APINAME -message "Creating JIT Admin user $($Request.Body.UserPrincipalName)" -Sev 'Info' Write-Information "Creating JIT Admin user $($Request.Body.UserPrincipalName)" $JITAdmin = @{ @@ -98,8 +99,6 @@ Function Invoke-ExecJITAdmin { startDateTime = [System.DateTimeOffset]::FromUnixTimeSeconds($Request.Body.StartDate).DateTime } $TapBody = ConvertTo-Json -Depth 5 -InputObject $TapParams - Write-Information $Username - Write-Information $TapBody } else { $TapBody = '{}' } @@ -163,7 +162,9 @@ Function Invoke-ExecJITAdmin { } } Add-CIPPScheduledTask -Task $TaskBody -hidden $false - Set-CIPPUserJITAdminProperties -TenantFilter $Request.Body.TenantFilter -UserId $Request.Body.UserId -Expiration $Expiration + if ($Request.Body.useraction -ne 'Create') { + Set-CIPPUserJITAdminProperties -TenantFilter $Request.Body.TenantFilter -UserId $Request.Body.UserId -Expiration $Expiration + } $Results.Add("Scheduling JIT Admin enable task for $Username") } else { $Results.Add("Executing JIT Admin enable task for $Username") @@ -192,7 +193,7 @@ Function Invoke-ExecJITAdmin { } ScheduledTime = $Request.Body.EndDate } - Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false + $null = Add-CIPPScheduledTask -Task $DisableTaskBody -hidden $false $Results.Add("Scheduling JIT Admin $($Request.Body.ExpireAction) task for $Username") $Body = @{ Results = @($Results) diff --git a/Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1 b/Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1 index e25bf6443acd..dcb9e525bdc5 100644 --- a/Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1 +++ b/Modules/CIPPCore/Public/Set-CIPPUserJITAdmin.ps1 @@ -50,6 +50,8 @@ function Set-CIPPUserJITAdmin { switch ($Action) { 'Create' { $Password = New-passwordString + $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } + $Body = @{ givenName = $User.FirstName surname = $User.LastName @@ -62,6 +64,10 @@ function Set-CIPPUserJITAdmin { forceChangePasswordNextSignInWithMfa = $false password = $Password } + $Schema.id = @{ + jitAdminEnabled = $false + jitAdminExpiration = $Expiration.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ') + } } $Json = ConvertTo-Json -Depth 5 -InputObject $Body try { @@ -135,9 +141,10 @@ function Set-CIPPUserJITAdmin { Set-CIPPUserJITAdminProperties -TenantFilter $TenantFilter -UserId $User.UserPrincipalName -Clear | Out-Null return "Disabled user $($UserObj.displayName) ($($UserObj.userPrincipalName))" } catch { - return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $($_.Exception.Message)" + $ErrrorMessage = Get-NormalizedError -Message $_.Exception.Message + return "Error disabling user $($UserObj.displayName) ($($UserObj.userPrincipalName)): $ErrrorMessage" } } } } -} \ No newline at end of file +} From d8371d7c3b66518fbcbcdae82e20501caf824f7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Thu, 11 Jul 2024 22:41:10 +0200 Subject: [PATCH 08/10] Default domain at the top --- Modules/CIPPCore/Public/Entrypoints/Invoke-ListDomains.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListDomains.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListDomains.ps1 index 149eb8fa9a04..ccc23f75aad7 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListDomains.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListDomains.ps1 @@ -21,7 +21,7 @@ Function Invoke-ListDomains { $TenantFilter = $Request.Query.TenantFilter try { - $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter | Select-Object id, isdefault, isinitial | Sort-Object isdefault + $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $TenantFilter | Select-Object id, isdefault, isinitial | Sort-Object isdefault -Descending $StatusCode = [HttpStatusCode]::OK } catch { $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message From b7cba8141f8de08302dd1a79479ea0fbbcadc5c5 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 12 Jul 2024 15:19:20 +0200 Subject: [PATCH 09/10] add support for api driven tasks which come in as json. --- Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 b/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 index d1ecc6f090a8..fdad4ca88b95 100644 --- a/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 +++ b/Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1 @@ -19,12 +19,11 @@ function Add-CIPPScheduledTask { $propertiesToCheck = @('Webhook', 'Email', 'PSA') $PostExecution = ($propertiesToCheck | Where-Object { $task.PostExecution.$_ -eq $true }) -join ',' $Parameters = [System.Collections.Hashtable]@{} - foreach ($Key in $task.Parameters.Keys) { + foreach ($Key in $task.Parameters.PSObject.Properties.Name) { $Param = $task.Parameters.$Key - if ($Param.Key) { + if ($Param -is [System.Collections.IDictionary]) { $ht = @{} - foreach ($p in $Param) { - Write-Host $p.Key + foreach ($p in $Param.GetEnumerator()) { $ht[$p.Key] = $p.Value } $Parameters[$Key] = [PSCustomObject]$ht @@ -32,6 +31,7 @@ function Add-CIPPScheduledTask { $Parameters[$Key] = $Param } } + $Parameters = ($Parameters | ConvertTo-Json -Depth 10 -Compress) $AdditionalProperties = [System.Collections.Hashtable]@{} foreach ($Prop in $task.AdditionalProperties) { From 0ca56a5ea4ffde44cf242ff0f663ab82f16a4b89 Mon Sep 17 00:00:00 2001 From: KelvinTegelaar Date: Fri, 12 Jul 2024 15:21:04 +0200 Subject: [PATCH 10/10] version up --- version_latest.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version_latest.txt b/version_latest.txt index 090ea9dad19f..1aa5e414fd3a 100644 --- a/version_latest.txt +++ b/version_latest.txt @@ -1 +1 @@ -6.0.3 +6.0.4