Merge pull request #46 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/GraphRequests/Get-GraphRequestList.ps1

@@ -80,7 +80,8 @@ function Get-GraphRequestList {
         [string]$ReverseTenantLookupProperty = 'tenantId',
         [boolean]$AsApp = $false,
         [string]$Caller = 'Get-GraphRequestList',
-        [switch]$UseBatchExpand
+        [switch]$UseBatchExpand,
+        [switch]$RawJsonArray
     )
 
     $SingleTenantThreshold = 8000
@@ -423,6 +424,22 @@ function Get-GraphRequestList {
             }
         }
     } else {
+        if ($RawJsonArray.IsPresent) {
+            # Fast path: concatenate raw JSON strings without deserialization. This is much faster and uses less memory when no post-processing is needed, especially for large datasets.
+            $JsonParts = [System.Collections.Generic.List[string]]::new()
+            foreach ($Row in $Rows) {
+                if ($Row.Data) {
+                    $d = $Row.Data.Trim()
+                    if ($d.Length -gt 2 -and $d[0] -eq '[' -and $d[-1] -eq ']') {
+                        $JsonParts.Add($d.Substring(1, $d.Length - 2))
+                    } elseif ($d.Length -gt 0 -and $d -ne '[]') {
+                        $JsonParts.Add($d)
+                    }
+                }
+            }
+            return '[' + ($JsonParts -join ',') + ']'
+        }
+
         foreach ($Row in $Rows) {
             if ($Row.Data) {
                 try {

Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ListGraphRequest.ps1

@@ -122,13 +122,38 @@ function Invoke-ListGraphRequest {
 
     $Metadata = $GraphRequestParams
 
+    # Use raw JSON passthrough for AllTenants cached results when no post-processing is needed.
+    $UseRawJson = $Request.Query.TenantFilter -eq 'AllTenants' -and
+                  -not $Request.Query.ListProperties -and
+                  -not $Request.Query.Sort -and
+                  -not $Request.Query.QueueId
+
     try {
+        if ($UseRawJson) {
+            $GraphRequestParams.RawJsonArray = $true
+        }
         $Results = Get-GraphRequestList @GraphRequestParams
 
         if ($script:LastGraphResponseHeaders) {
             $Metadata.GraphHeaders = $script:LastGraphResponseHeaders
         }
 
+        # RawJsonArray returns a JSON string directly — skip object-level processing
+        if ($UseRawJson -and $Results -is [string] -and $Results.StartsWith('[')) {
+            if ($Request.Headers.'x-ms-coldstart' -eq 1) {
+                $Metadata.ColdStart = $true
+            }
+            $MetadataJson = ConvertTo-Json -InputObject $Metadata -Depth 5 -Compress
+            $GraphRequestData = '{"Results":' + $Results + ',"Metadata":' + $MetadataJson + '}'
+            $StatusCode = [HttpStatusCode]::OK
+
+            return ([HttpResponseContext]@{
+                    StatusCode  = $StatusCode
+                    ContentType = 'application/json'
+                    Body        = $GraphRequestData
+                })
+        }
+
         if ($Results | Where-Object { $_.PSObject.Properties.Name -contains 'nextLink' }) {
             if (![string]::IsNullOrEmpty($Results.nextLink) -and $Request.Query.TenantFilter -ne 'AllTenants') {
                 Write-Host "NextLink: $($Results.nextLink | Where-Object { $_ } | Select-Object -Last 1)"

Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/Email-Exchange/Spamfilter/Invoke-ExecQuarantineManagement.ps1

@@ -12,17 +12,53 @@ function Invoke-ExecQuarantineManagement {
     # Interact with query parameters or the body of the request.
     try {
         $TenantFilter = $Request.Body.tenantFilter | Select-Object -First 1
-        $params = @{
-            AllowSender  = [boolean]$Request.Body.AllowSender
-            ReleaseToAll = $true
-            ActionType   = ($Request.Body.Type | Select-Object -First 1)
+        $ActionType = $Request.Body.Type | Select-Object -First 1
+        $AllowSender = $Request.Body.AllowSender -eq $true
+        $params = @{}
+
+        if ($ActionType -eq 'Release') {
+            $params['ReleaseToAll'] = $true
+        } else {
+            $params['ActionType'] = $ActionType
         }
+
         if ($Request.Body.Identity -is [string]) {
             $params['Identity'] = $Request.Body.Identity
         } else {
             $params['Identities'] = $Request.Body.Identity
+            $params['Identity'] = '000'
         }
-        New-ExoRequest -tenantid $TenantFilter -cmdlet 'Release-QuarantineMessage' -cmdParams $Params
+        New-ExoRequest -tenantid $TenantFilter -cmdlet 'Release-QuarantineMessage' -cmdParams $params
+
+        # AllowSender via HostedContentFilterPolicy since -AllowSender switch fails in REST API
+        if ($AllowSender) {
+            try {
+                $SenderAddress = $Request.Body.SenderAddress
+                $PolicyName = $Request.Body.PolicyName
+                if ([string]::IsNullOrEmpty($SenderAddress) -or [string]::IsNullOrEmpty($PolicyName)) {
+                    if ($Request.Body.Identity -is [string]) {
+                        $QuarantineMessage = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ Identity = $Request.Body.Identity }
+                        if ([string]::IsNullOrEmpty($SenderAddress)) { $SenderAddress = $QuarantineMessage.SenderAddress }
+                        if ([string]::IsNullOrEmpty($PolicyName)) { $PolicyName = $QuarantineMessage.PolicyName }
+                    }
+                }
+                if (-not [string]::IsNullOrEmpty($SenderAddress) -and -not [string]::IsNullOrEmpty($PolicyName)) {
+                    $CurrentPolicy = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-HostedContentFilterPolicy' -cmdParams @{ Identity = $PolicyName }
+                    $CurrentSenders = @($CurrentPolicy.AllowedSenders.Sender.Address | Where-Object { $_ })
+                    if ($SenderAddress -notin $CurrentSenders) {
+                        $UpdatedSenders = @($CurrentSenders + $SenderAddress)
+                        New-ExoRequest -tenantid $TenantFilter -cmdlet 'Set-HostedContentFilterPolicy' -cmdParams @{
+                            Identity       = $PolicyName
+                            AllowedSenders = $UpdatedSenders
+                        }
+                    }
+                    Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $TenantFilter -message "Added $SenderAddress to allowed senders on policy $PolicyName" -Sev 'Info'
+                }
+            } catch {
+                Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $TenantFilter -message "Failed to add sender to allow list: $($_.Exception.Message)" -Sev 'Error' -LogData $_
+            }
+        }
+
         $Results = [pscustomobject]@{'Results' = "Successfully processed $($Request.Body.Identity)" }
         Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $TenantFilter -message "Successfully processed Quarantine ID $($Request.Body.Identity)" -Sev 'Info'
     } catch {

Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1

@@ -16,6 +16,9 @@ function Invoke-CIPPStandardActivityBasedTimeout {
             "CIS M365 5.0 (1.3.2)"
             "spo_idle_session_timeout"
             "NIST CSF 2.0 (PR.AA-03)"
+            "ZTNA21813"
+            "ZTNA21814"
+            "ZTNA21815"
         EXECUTIVETEXT
             Automatically logs out inactive users from Microsoft 365 applications after a specified time period to prevent unauthorized access to company data on unattended devices. This security measure protects against data breaches when employees leave workstations unlocked.
         ADDEDCOMPONENT

Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1

@@ -14,6 +14,8 @@ function Invoke-CIPPStandardAddDKIM {
             Exchange Standards
         TAG
             "CIS M365 5.0 (2.1.9)"
+            "ORCA108"
+            "CISAMSEXO31"
         EXECUTIVETEXT
             Enables email authentication technology that digitally signs outgoing emails to verify they actually came from your organization. This prevents email spoofing, improves email deliverability, and protects the company's reputation by ensuring recipients can trust emails from your domains.
         ADDEDCOMPONENT
@@ -26,6 +28,12 @@ function Invoke-CIPPStandardAddDKIM {
         RECOMMENDEDBY
             "CIS"
             "CIPP"
+        REQUIREDCAPABILITIES
+            "EXCHANGE_S_STANDARD"
+            "EXCHANGE_S_ENTERPRISE"
+            "EXCHANGE_S_STANDARD_GOV"
+            "EXCHANGE_S_ENTERPRISE_GOV"
+            "EXCHANGE_LITE"
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK

Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAddDMARCToMOERA.ps1

@@ -7,8 +7,8 @@ function Invoke-CIPPStandardAddDMARCToMOERA {
     .SYNOPSIS
         (Label) Enables DMARC on MOERA (onmicrosoft.com) domains
     .DESCRIPTION
-        (Helptext) Note: requires 'Domain Name Administrator' GDAP role. This should be enabled even if the MOERA (onmicrosoft.com) domains is not used for sending. Enabling this prevents email spoofing. The default value is 'v=DMARC1; p=reject;' recommended because the domain is only used within M365 and reporting is not needed. Omitting pct tag default to 100%
-        (DocsDescription) Note: requires 'Domain Name Administrator' GDAP role. Adds a DMARC record to MOERA (onmicrosoft.com) domains. This should be enabled even if the MOERA (onmicrosoft.com) domains is not used for sending. Enabling this prevents email spoofing. The default record is 'v=DMARC1; p=reject;' recommended because the domain is only used within M365 and reporting is not needed. Omitting pct tag default to 100%
+        (Helptext) ** Remediation is not available ** Note: requires 'Domain Name Administrator' GDAP role. This should be enabled even if the MOERA (onmicrosoft.com) domains is not used for sending. Enabling this prevents email spoofing. The default value is 'v=DMARC1; p=reject;' recommended because the domain is only used within M365 and reporting is not needed. Omitting pct tag default to 100%
+        (DocsDescription) \*\* Remediation is not available \*\* Note: requires 'Domain Name Administrator' GDAP role. Adds a DMARC record to MOERA (onmicrosoft.com) domains. This should be enabled even if the MOERA (onmicrosoft.com) domains is not used for sending. Enabling this prevents email spoofing. The default record is 'v=DMARC1; p=reject;' recommended because the domain is only used within M365 and reporting is not needed. Omitting pct tag default to 100%
     .NOTES
         CAT
             Global Standards
@@ -29,6 +29,8 @@ function Invoke-CIPPStandardAddDMARCToMOERA {
         RECOMMENDEDBY
             "CIS"
             "Microsoft"
+        DISABLEDFEATURES
+            {"remediate":true}
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK

Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1

@@ -22,9 +22,32 @@ function Invoke-CIPPStandardAntiPhishPolicy {
             "mdo_phishthresholdlevel"
             "CIS M365 5.0 (2.1.7)"
             "NIST CSF 2.0 (DE.CM-09)"
+            "ORCA104"
+            "ORCA115"
+            "ORCA180"
+            "ORCA220"
+            "ORCA221"
+            "ORCA222"
+            "ORCA223"
+            "ORCA228"
+            "ORCA229"
+            "ORCA230"
+            "ORCA233"
+            "ORCA234"
+            "ORCA235"
+            "ORCA239"
+            "ORCA242"
+            "ORCA243"
+            "ORCA244"
+            "ZTNA21784"
+            "ZTNA21817"
+            "ZTNA21819"
+            "CISAMSEXO111"
+            "CISAMSEXO112"
+            "CISAMSEXO113"
         ADDEDCOMPONENT
             {"type":"textField","name":"standards.AntiPhishPolicy.name","label":"Policy Name","required":true,"defaultValue":"CIPP Default Anti-Phishing Policy"}
-            {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","defaultValue":1}
+            {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","defaultValue":1,"validators":{"min":{"value":1,"message":"Minimum value is 1"},"max":{"value":4,"message":"Maximum value is 4"}}}
             {"type":"switch","label":"Show first contact safety tip","name":"standards.AntiPhishPolicy.EnableFirstContactSafetyTips","defaultValue":true}
             {"type":"switch","label":"Show user impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips","defaultValue":true}
             {"type":"switch","label":"Show domain impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips","defaultValue":true}
@@ -45,6 +68,12 @@ function Invoke-CIPPStandardAntiPhishPolicy {
             Set-AntiPhishPolicy or New-AntiPhishPolicy
         RECOMMENDEDBY
             "CIS"
+        REQUIREDCAPABILITIES
+            "EXCHANGE_S_STANDARD"
+            "EXCHANGE_S_ENTERPRISE"
+            "EXCHANGE_S_STANDARD_GOV"
+            "EXCHANGE_S_ENTERPRISE_GOV"
+            "EXCHANGE_LITE"
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK

Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAntiSpamSafeList.ps1

@@ -25,6 +25,12 @@ function Invoke-CIPPStandardAntiSpamSafeList {
         POWERSHELLEQUIVALENT
             Set-HostedConnectionFilterPolicy "Default" -EnableSafeList \$true
         RECOMMENDEDBY
+        REQUIREDCAPABILITIES
+            "EXCHANGE_S_STANDARD"
+            "EXCHANGE_S_ENTERPRISE"
+            "EXCHANGE_S_STANDARD_GOV"
+            "EXCHANGE_S_ENTERPRISE_GOV"
+            "EXCHANGE_LITE"
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK

Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAppManagementPolicy.ps1

@@ -16,10 +16,10 @@ function Invoke-CIPPStandardAppManagementPolicy {
         EXECUTIVETEXT
             Enforces credential restrictions on application registrations and service principals to limit how secrets and certificates are created and how long they remain valid. This reduces the risk of long-lived or unmanaged credentials being used to access your tenant.
         ADDEDCOMPONENT
-            {"type":"autoComplete","multiple":false,"creatable":false,"label":"Password Addition","name":"standards.AppManagementPolicy.passwordCredentialsPasswordAddition","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
-            {"type":"autoComplete","multiple":false,"creatable":false,"label":"Custom Password","name":"standards.AppManagementPolicy.passwordCredentialsCustomPasswordAddition","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
-            {"type":"number","label":"Password Credentials Max Lifetime (Days)","name":"standards.AppManagementPolicy.passwordCredentialsMaxLifetime"}
-            {"type":"number","label":"Key Credentials Max Lifetime (Days)","name":"standards.AppManagementPolicy.keyCredentialsMaxLifetime"}
+            {"type":"autoComplete","multiple":false,"creatable":false,"required":false,"name":"standards.AppManagementPolicy.passwordCredentialsPasswordAddition","label":"Disable Password Addition","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
+            {"type":"autoComplete","multiple":false,"creatable":false,"required":false,"name":"standards.AppManagementPolicy.passwordCredentialsCustomPasswordAddition","label":"Disable Custom Password","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
+            {"type":"number","required":false,"name":"standards.AppManagementPolicy.passwordCredentialsMaxLifetime","label":"Password Credentials Max Lifetime (Days)"}
+            {"type":"number","required":false,"name":"standards.AppManagementPolicy.keyCredentialsMaxLifetime","label":"Key Credentials Max Lifetime (Days)"}
         IMPACT
             Medium Impact
         ADDEDDATE

Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardAssignmentFilterTemplate.ps1

@@ -24,6 +24,12 @@ function Invoke-CIPPStandardAssignmentFilterTemplate {
             Creates standardized assignment filters with predefined settings. These templates ensure consistent assignment filter configurations across the organization, streamlining assignment management.
         ADDEDCOMPONENT
             {"type":"autoComplete","name":"assignmentFilterTemplate","label":"Select Assignment Filter Template","api":{"url":"/api/ListAssignmentFilterTemplates","labelField":"Displayname","altLabelField":"displayName","valueField":"GUID","queryKey":"ListAssignmentFilterTemplates"}}
+        REQUIREDCAPABILITIES
+            "INTUNE_A"
+            "MDM_Services"
+            "EMS"
+            "SCCM"
+            "MICROSOFTINTUNEPLAN1"
         UPDATECOMMENTBLOCK
             Run the Tools\Update-StandardsComments.ps1 script to update this comment block
     .LINK