
Commit ae92127

Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev
2 parents 2b3a7bb + a8e7aa5 commit ae92127

3 files changed

Lines changed: 208 additions & 9 deletions


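--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,81 @@
+function Invoke-ExecSetCASMailbox {
+<#
+.FUNCTIONALITY
+Entrypoint
+.ROLE
+Exchange.Mailbox.ReadWrite
+#>
+[CmdletBinding()]
+param($Request, $TriggerMetadata)
+
+$APIName = $Request.Params.CIPPEndpoint
+$Headers = $Request.Headers
+
+$TenantFilter = $Request.Body.tenantFilter
+$Identity = $Request.Body.Identity
+$DisplayName = $Request.Body.DisplayName ?? $Identity
+
+# The CAS protocols we allow toggling. Note SmtpClientAuthenticationDisabled is inverted:
+# $true means SMTP client authentication is DISABLED for the mailbox.
+$ValidProtocols = @(
+'OWAEnabled'
+'ECPEnabled'
+'IMAPEnabled'
+'POPEnabled'
+'MAPIEnabled'
+'EWSEnabled'
+'ActiveSyncEnabled'
+'SmtpClientAuthenticationDisabled'
+)
+
+# Build the cmdlet parameters from any valid protocol values supplied in the body.
+$CmdParams = @{ Identity = $Identity }
+foreach ($Protocol in $ValidProtocols) {
+if ($null -ne $Request.Body.$Protocol) {
+$CmdParams[$Protocol] = [System.Convert]::ToBoolean($Request.Body.$Protocol)
+}
+}
+
+# SMTP client authentication can only be turned off via this endpoint. Drop an enable
+# attempt (SmtpClientAuthenticationDisabled = $false) but still apply the other protocols.
+$Warnings = [System.Collections.Generic.List[string]]::new()
+if ($CmdParams.ContainsKey('SmtpClientAuthenticationDisabled') -and $CmdParams['SmtpClientAuthenticationDisabled'] -eq $false) {
+$null = $CmdParams.Remove('SmtpClientAuthenticationDisabled')
+$Warnings.Add('SMTP Client Authentication can only be disabled, not enabled, and was left unchanged.')
+}
+
+# Nothing left to apply: return the warning if we dropped one, otherwise a generic message.
+if ($CmdParams.Keys.Count -le 1) {
+$Results = $Warnings.Count -gt 0 ? ($Warnings -join ' ') : 'No CAS protocol settings were supplied.'
+Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'Info'
+return ([HttpResponseContext]@{
+StatusCode = [HttpStatusCode]::BadRequest
+Body = @{ 'Results' = $Results }
+})
+}
+
+# Human readable summary of the change(s) for logging and the API result.
+$ChangeSummary = ($CmdParams.GetEnumerator() | Where-Object { $_.Key -ne 'Identity' } | ForEach-Object {
+'{0} = {1}' -f $_.Key, $_.Value
+}) -join ', '
+
+try {
+$null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Set-CASMailbox' -cmdParams $CmdParams
+$Results = "Successfully set CAS settings for $DisplayName ($ChangeSummary)"
+if ($Warnings.Count -gt 0) {
+$Results = '{0}. {1}' -f $Results, ($Warnings -join ' ')
+}
+Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev Info
+$StatusCode = [HttpStatusCode]::OK
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+$Results = "Failed to set CAS settings for $DisplayName. Error: $($ErrorMessage.NormalizedError)"
+Write-LogMessage -Headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev Error -LogData $ErrorMessage
+$StatusCode = [HttpStatusCode]::InternalServerError
+}
+
+return ([HttpResponseContext]@{
+StatusCode = $StatusCode
+Body = @{ 'Results' = $Results }
+})
+}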
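Review bot: A non-boolean protocol value escapes as an unhandled exception rather than a 400: the `[System.Convert]::ToBoolean` loop (new lines 33–37) runs outside the try/catch that starts at line 62, so a body value such as the string `'yes'` raises a FormatException out of the function (unless something above the entrypoint catches it, which this hunk does not show), while the endpoint already returns BadRequest for the empty-input case. `Identity` is likewise never validated, so a missing value travels to `Set-CASMailbox` and comes back as an InternalServerError with an Exchange message. I would guard it with `if ([string]::IsNullOrWhiteSpace($Identity)) { return ([HttpResponseContext]@{ StatusCode = [HttpStatusCode]::BadRequest; Body = @{ 'Results' = 'Identity is required.' } }) }` before building `$CmdParams`, and move the conversion loop inside its own try/catch as below (PowerShell keeps the last `$Protocol` value after the loop, which should be the one that failed — worth confirming).
```powershell
$CmdParams = @{ Identity = $Identity }
try {
    foreach ($Protocol in $ValidProtocols) {
        if ($null -ne $Request.Body.$Protocol) {
            $CmdParams[$Protocol] = [System.Convert]::ToBoolean($Request.Body.$Protocol)
        }
    }
} catch [System.FormatException], [System.InvalidCastException] {
    # $Protocol still names the value that failed to convert.
    return ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Body       = @{ 'Results' = "Invalid value for $Protocol; expected true or false." }
    })
}
# … unchanged: SMTP client authentication guard, change summary, Set-CASMailbox call …
```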

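--- a/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/Email-Exchange/Reports/Invoke-ListMailboxCAS.ps1
+++ b/Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/Email-Exchange/Reports/Invoke-ListMailboxCAS.ps1
@@ -10,15 +10,7 @@ function Invoke-ListMailboxCAS {
 # Interact with query parameters or the body of the request.
 $TenantFilter = $Request.Query.TenantFilter
 try {
-$GraphRequest = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-CasMailbox' | Select-Object @{ Name = 'displayName'; Expression = { $_.'DisplayName' } },
-@{ Name = 'primarySmtpAddress'; Expression = { $_.'PrimarySMTPAddress' } },
-@{ Name = 'ecpenabled'; Expression = { $_.'ECPEnabled' } },
-@{ Name = 'owaenabled'; Expression = { $_.'OWAEnabled' } },
-@{ Name = 'imapenabled'; Expression = { $_.'IMAPEnabled' } },
-@{ Name = 'popenabled'; Expression = { $_.'POPEnabled' } },
-@{ Name = 'mapienabled'; Expression = { $_.'MAPIEnabled' } },
-@{ Name = 'ewsenabled'; Expression = { $_.'EWSEnabled' } },
-@{ Name = 'activesyncenabled'; Expression = { $_.'ActiveSyncEnabled' } }
+$GraphRequest = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-CasMailbox' | Select-Object DisplayName, PrimarySmtpAddress, Guid, ECPEnabled, OWAEnabled, IMAPEnabled, POPEnabled, MAPIEnabled, EWSEnabled, ActiveSyncEnabled, SmtpClientAuthenticationDisabled
 $StatusCode = [HttpStatusCode]::OK
 } catch {
 $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message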
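Review bot: The rewritten `Select-Object` on new line 13 silently changes the casing of every returned property (`displayName` → `DisplayName`, `primarySmtpAddress` → `PrimarySmtpAddress`, `owaenabled` → `OWAEnabled`, and so on) in addition to adding `Guid` and `SmtpClientAuthenticationDisabled`, so any consumer that keyed on the old lowercase names reads undefined values until it is updated — presumably the front end is changed alongside this, but nothing in the hunk records that. A one-line comment above the call would save the next reader the archaeology: `# Returns Get-CasMailbox's native (PascalCase) property names; the former lowercase aliases are gone.` The single 200-plus-character line would also read better as a property list, `$Properties = 'DisplayName', 'PrimarySmtpAddress', 'Guid', …` followed by `Select-Object $Properties`. The enclosing function starts above the hunk.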
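--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,126 @@
+function Invoke-CIPPStandardEmailAsAlternateLoginId {
+<#
+.FUNCTIONALITY
+Internal
+.COMPONENT
+(APIName) EmailAsAlternateLoginId
+.SYNOPSIS
+(Label) Configure Email as alternate login ID
+.DESCRIPTION
+(Helptext) Configures the tenant-wide Email as alternate login ID setting in Home Realm Discovery policy.
+(DocsDescription) Sets the Home Realm Discovery policy AlternateIdLogin setting to enable or disable using email as an alternate sign-in ID.
+.NOTES
+CAT
+Entra (AAD) Standards
+TAG
+EXECUTIVETEXT
+Controls whether users can sign in with email as an alternate identifier, allowing organizations to align sign-in behavior with their identity strategy and reduce authentication ambiguity.
+ADDEDCOMPONENT
+{"type":"switch","name":"standards.EmailAsAlternateLoginId.Enabled","label":"Enable Email as Alternate Login ID","defaultValue":false}
+IMPACT
+Medium Impact
+ADDEDDATE
+2026-06-03
+POWERSHELLEQUIVALENT
+Invoke-MgGraphRequest https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/
+RECOMMENDEDBY
+"CIPP"
+UPDATECOMMENTBLOCK
+Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+.LINK
+https://docs.cipp.app/user-documentation/tenant/standards/alignment/templates/available-standards
+#>
+
+param($Tenant, $Settings)
+
+$DesiredEnabledValue = $Settings.Enabled.value ?? $Settings.Enabled ?? $false
+$DesiredEnabled = if ($DesiredEnabledValue -is [bool]) {
+$DesiredEnabledValue
+} elseif ($DesiredEnabledValue -is [string]) {
+$DesiredEnabledValue -eq 'true'
+} else {
+[bool]$DesiredEnabledValue
+}
+$DesiredStatus = if ($DesiredEnabled) { 'enabled' } else { 'disabled' }
+
+try {
+$Policies = @(New-GraphGetRequest -Uri 'https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies' -tenantid $Tenant)
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the EmailAsAlternateLoginId state for $Tenant. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+return
+}
+
+$CurrentPolicy = @($Policies | Where-Object { $_.isOrganizationDefault -eq $true }) | Select-Object -First 1
+$CurrentDefinition = if ($CurrentPolicy.definition) {
+($CurrentPolicy.definition | Select-Object -First 1) | ConvertFrom-Json -ErrorAction SilentlyContinue
+} else {
+$null
+}
+$CurrentEnabledRaw = $CurrentDefinition.HomeRealmDiscoveryPolicy.AlternateIdLogin.Enabled
+$PolicyExists = $null -ne $CurrentPolicy
+$HasExplicitSetting = $null -ne $CurrentEnabledRaw
+$CurrentEnabled = if ($null -eq $CurrentEnabledRaw) { $false } else { [bool]$CurrentEnabledRaw }
+$StateIsCorrect = $PolicyExists -and $HasExplicitSetting -and ($CurrentEnabled -eq $DesiredEnabled)
+
+$CurrentValue = [PSCustomObject]@{
+AlternateIdLoginEnabled = $CurrentEnabled
+PolicyExists = $PolicyExists
+HasExplicitSetting = $HasExplicitSetting
+}
+$ExpectedValue = [PSCustomObject]@{
+AlternateIdLoginEnabled = $DesiredEnabled
+PolicyExists = $true
+HasExplicitSetting = $true
+}
+
+if ($Settings.remediate -eq $true) {
+if ($StateIsCorrect) {
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is already $DesiredStatus." -sev Info
+} else {
+try {
+$PolicyDefinition = @{
+HomeRealmDiscoveryPolicy = @{
+AlternateIdLogin = @{
+Enabled = $DesiredEnabled
+}
+}
+} | ConvertTo-Json -Depth 10 -Compress
+
+$Body = @{
+definition = @($PolicyDefinition)
+isOrganizationDefault = $true
+displayName = 'HomeRealmDiscoveryPolicy'
+} | ConvertTo-Json -Depth 10 -Compress
+
+if ($PolicyExists) {
+$RequestUri = "https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/$($CurrentPolicy.id)"
+$RequestType = 'PATCH'
+} else {
+$RequestUri = 'https://graph.microsoft.com/v1.0/policies/homeRealmDiscoveryPolicies/'
+$RequestType = 'POST'
+}
+
+New-GraphPostRequest -tenantid $Tenant -Uri $RequestUri -Type $RequestType -Body $Body | Out-Null
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set Email as alternate login ID to $DesiredStatus." -sev Info
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Email as alternate login ID to $DesiredStatus. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+}
+}
+}
+
+if ($Settings.alert -eq $true) {
+if ($StateIsCorrect) {
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is $DesiredStatus." -sev Info
+} else {
+Write-StandardsAlert -message "Email as alternate login ID is not $DesiredStatus." -object $CurrentValue -tenant $Tenant -standardName 'EmailAsAlternateLoginId' -standardId $Settings.standardId
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Email as alternate login ID is not $DesiredStatus." -sev Info
+}
+}
+
+if ($Settings.report -eq $true) {
+Set-CIPPStandardsCompareField -FieldName 'standards.EmailAsAlternateLoginId' -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -TenantFilter $Tenant
+Add-CIPPBPAField -FieldName 'EmailAsAlternateLoginId' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+}
+}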
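Review bot: Remediation overwrites the entire Home Realm Discovery definition instead of updating one key: new lines 82–94 build a definition that contains only `AlternateIdLogin` and PATCH it over the existing org-default policy, so whatever else that policy's definition held is dropped — `$CurrentDefinition`, parsed at line 56, is read for the current state but never merged back. Because line 56 uses `-ErrorAction SilentlyContinue`, a definition that fails to parse is indistinguishable from an absent one and gets replaced the same way, and the PATCH body also resets `displayName` to the literal `'HomeRealmDiscoveryPolicy'`, which probably belongs in the POST branch only. I would build the definition from the parsed current one where it exists and set only the `Enabled` flag, as below; the PSCustomObject/`Add-Member` shape assumes `ConvertFrom-Json` output, which the existing code already relies on.
```powershell
# Keep any other keys already present in the org-default HRD definition;
# this standard manages only AlternateIdLogin.Enabled.
$Definition = if ($null -ne $CurrentDefinition) { $CurrentDefinition } else { [PSCustomObject]@{} }
if ($null -eq $Definition.HomeRealmDiscoveryPolicy) {
    $Definition | Add-Member -NotePropertyName 'HomeRealmDiscoveryPolicy' -NotePropertyValue ([PSCustomObject]@{}) -Force
}
if ($null -eq $Definition.HomeRealmDiscoveryPolicy.AlternateIdLogin) {
    $Definition.HomeRealmDiscoveryPolicy | Add-Member -NotePropertyName 'AlternateIdLogin' -NotePropertyValue ([PSCustomObject]@{}) -Force
}
$Definition.HomeRealmDiscoveryPolicy.AlternateIdLogin | Add-Member -NotePropertyName 'Enabled' -NotePropertyValue $DesiredEnabled -Force
$PolicyDefinition = $Definition | ConvertTo-Json -Depth 10 -Compress
# … unchanged: $Body construction, PATCH/POST selection, New-GraphPostRequest call …
```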
