ISGQ only - enable EWS on shared mailbox

isgq-github01 · isgq-github01 · commit 8165b244b045 · 2026-04-15T16:14:00.000+10:00
diff --git a/Config/standards.json b/Config/standards.json
@@ -39,6 +39,20 @@
     "powershellEquivalent": "Set-MsolCompanyContactInformation",
     "recommendedBy": []
   },
+  {
+    "name": "standards.EnableEWSOnSharedMailbox",
+    "cat": "Exchange Standards",
+    "tag": [],
+    "helpText": "Enable EWS on shared mailboxes, required for some backup products to continue functioning.",
+    "docsDescription": "Enable EWS on shared mailboxes, required for some backup products to continue functioning.",
+    "executiveText": "Enable EWS on shared mailboxes, required for some backup products to continue functioning.",
+    "label": "Enable EWS on Shared Mailboxes",
+    "disabledFeatures": { "report": true, "warn": true, "remediate": false },
+    "impact": "Medium Impact",
+    "impactColour": "warning",
+    "addedDate": "2026-04-15",
+    "powershellEquivalent": "Set-CASMailbox -Identity 'sharedmailbox@domain.com' -EwsEnabled $true & Set-OrganizationConfig -EwsEnabled $true"
+  },
   {
     "name": "standards.DeployMailContact",
     "cat": "Exchange Standards",
@@ -4779,7 +4793,7 @@
           }
         ]
       },
-            {
+      {
         "type": "switch",
         "name": "standards.TeamsGlobalMeetingPolicy.AllowPSTNUsersToBypassLobby",
         "label": "Allow dial-in users to bypass lobby"
@@ -5106,10 +5120,7 @@
         "condition": {
           "field": "standards.TeamsFederationConfiguration.DomainControl.value",
           "compareType": "isOneOf",
-          "compareValue": [
-            "AllowSpecificExternal",
-            "BlockSpecificExternal"
-          ]
+          "compareValue": ["AllowSpecificExternal", "BlockSpecificExternal"]
         }
       }
     ],
@@ -5847,34 +5858,22 @@
     "name": "standards.DeployCheckChromeExtension",
     "cat": "Intune Standards",
     "tag": [],
-    "helpText": "Deploys the Check by CyberDrain browser extension via a Win32 script app in Intune for both Chrome and Edge browsers with configurable settings. Chrome ID: benimdeioplgkhanklclahllklceahbe, Edge ID: knepjpocdagponkonnbggpcnhnaikajg",
-    "docsDescription": "Creates an Intune Win32 script application that writes registry keys to install and configure the Check by CyberDrain browser extension on managed devices for both Google Chrome and Microsoft Edge browsers. Uses a PowerShell detection script to enforce configuration drift — when settings change in CIPP the app is automatically redeployed.",
-    "executiveText": "Automatically deploys the Check by CyberDrain browser extension across all company devices with configurable security and branding settings, ensuring consistent security monitoring and compliance capabilities. This extension provides enhanced security features and monitoring tools that help protect against threats while maintaining user productivity.",
+    "helpText": "Deploys the Check Chrome extension via Intune OMA-URI custom policies for both Chrome and Edge browsers with configurable settings. Chrome ID: benimdeioplgkhanklclahllklceahbe, Edge ID: knepjpocdagponkonnbggpcnhnaikajg",
+    "docsDescription": "Creates Intune OMA-URI custom policies that automatically install and configure the Check Chrome extension on managed devices for both Google Chrome and Microsoft Edge browsers. This ensures the extension is deployed consistently across all corporate devices with customizable settings.",
+    "executiveText": "Automatically deploys the Check browser extension across all company devices with configurable security and branding settings, ensuring consistent security monitoring and compliance capabilities. This extension provides enhanced security features and monitoring tools that help protect against threats while maintaining user productivity.",
     "addedComponent": [
-      {
-        "type": "switch",
-        "name": "standards.DeployCheckChromeExtension.showNotifications",
-        "label": "Show notifications",
-        "defaultValue": true
-      },
       {
         "type": "switch",
         "name": "standards.DeployCheckChromeExtension.enableValidPageBadge",
         "label": "Enable valid page badge",
-        "defaultValue": false
+        "defaultValue": true
       },
       {
         "type": "switch",
         "name": "standards.DeployCheckChromeExtension.enablePageBlocking",
         "label": "Enable page blocking",
         "defaultValue": true
       },
-      {
-        "type": "switch",
-        "name": "standards.DeployCheckChromeExtension.forceToolbarPin",
-        "label": "Force pin extension to toolbar",
-        "defaultValue": false
-      },
       {
         "type": "switch",
         "name": "standards.DeployCheckChromeExtension.enableCippReporting",
@@ -5886,68 +5885,27 @@
         "name": "standards.DeployCheckChromeExtension.customRulesUrl",
         "label": "Custom Rules URL",
         "placeholder": "https://YOUR-CIPP-SERVER-URL/rules.json",
-        "helperText": "Enter the URL for custom rules if you have them. This should point to a JSON file with the same structure as the rules.json used for CIPP reporting.",
         "required": false
       },
       {
         "type": "number",
         "name": "standards.DeployCheckChromeExtension.updateInterval",
         "label": "Update interval (hours)",
-        "defaultValue": 24
+        "defaultValue": 12
       },
       {
         "type": "switch",
         "name": "standards.DeployCheckChromeExtension.enableDebugLogging",
         "label": "Enable debug logging",
         "defaultValue": false
       },
-      {
-        "type": "switch",
-        "name": "standards.DeployCheckChromeExtension.enableGenericWebhook",
-        "label": "Enable generic webhook",
-        "defaultValue": false
-      },
-      {
-        "type": "textField",
-        "name": "standards.DeployCheckChromeExtension.webhookUrl",
-        "label": "Webhook URL",
-        "placeholder": "https://webhook.example.com/endpoint",
-        "required": false
-      },
-      {
-        "type": "autoComplete",
-        "multiple": true,
-        "creatable": true,
-        "required": false,
-        "name": "standards.DeployCheckChromeExtension.webhookEvents",
-        "label": "Webhook Events",
-        "placeholder": "e.g. pageBlocked, pageAllowed"
-      },
-      {
-        "type": "autoComplete",
-        "multiple": true,
-        "creatable": true,
-        "required": false,
-        "freeSolo": true,
-        "name": "standards.DeployCheckChromeExtension.urlAllowlist",
-        "label": "URL Allowlist",
-        "placeholder": "e.g. https://example.com/*",
-        "helperText": "Enter URLs to allowlist in the extension. Press enter to add each URL. Wildcards are allowed. This should be used for sites that are being blocked by the extension but are known to be safe."
-      },
       {
         "type": "textField",
         "name": "standards.DeployCheckChromeExtension.companyName",
         "label": "Company Name",
         "placeholder": "YOUR-COMPANY",
         "required": false
       },
-      {
-        "type": "textField",
-        "name": "standards.DeployCheckChromeExtension.companyURL",
-        "label": "Company URL",
-        "placeholder": "https://yourcompany.com",
-        "required": false
-      },
       {
         "type": "textField",
         "name": "standards.DeployCheckChromeExtension.productName",
@@ -5966,7 +5924,7 @@
         "type": "textField",
         "name": "standards.DeployCheckChromeExtension.primaryColor",
         "label": "Primary Color",
-        "placeholder": "#F77F00",
+        "placeholder": "#0044CC",
         "required": false
       },
       {
@@ -5978,7 +5936,7 @@
       },
       {
         "name": "AssignTo",
-        "label": "Who should this app be assigned to?",
+        "label": "Who should this policy be assigned to?",
         "type": "radio",
         "options": [
           {
@@ -6010,11 +5968,11 @@
         "label": "Enter the custom group name if you selected 'Assign to Custom Group'. Wildcards are allowed."
       }
     ],
-    "label": "Deploy Check by CyberDrain Browser Extension",
+    "label": "Deploy Check Chrome Extension",
     "impact": "Low Impact",
     "impactColour": "info",
     "addedDate": "2025-09-18",
-    "powershellEquivalent": "Add-CIPPW32ScriptApplication",
+    "powershellEquivalent": "New-GraphPostRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'",
     "recommendedBy": ["CIPP"]
   },
   {
@@ -6081,62 +6039,5 @@
     "impactColour": "info",
     "addedDate": "2025-11-19",
     "powershellEquivalent": "New-GraphPostRequest to /beta/security/secureScoreControlProfiles/{id}"
-  },
-  {
-    "name": "standards.ColleagueImpersonationAlert",
-    "cat": "Exchange Standards",
-    "tag": [
-      "Exchange",
-      "Security",
-      "Transport Rules"
-    ],
-    "helpText": "Creates/updates 5x Exchange Online transport rules (A-E, F-J, K-O, P-T, U-Z) that prepend an HTML disclaimer banner to inbound emails where the sender display name matches a mailbox in the organisation. Accepted tenant domains are always exempt automatically. Inactive users are removed and enabled users are added. Any manually configured sender or domain exemptions already present on existing rules are preserved.",
-    "docsDescription": "Creates five Exchange Online transport rules grouped by the first letter of user display names (A-E, F-J, K-O, P-T, U-Z). Each rule fires when an external sender's From header matches a display name in that group, prepends a configurable HTML warning banner, and skips emails from accepted organisational domains. Any manually configured sender or domain exemptions on existing rules are preserved when the standard runs. The disclaimer HTML is fully customisable via the standard settings.",
-    "executiveText": "Protects staff from display-name impersonation attacks by injecting a visible warning banner on emails that appear to come from a colleague but originate externally. Rules are maintained automatically across all letter groups and updated whenever the standard runs.",
-    "addedComponent": [
-      {
-        "type": "heading",
-        "label": "Alert Banner (HTML)",
-        "required": false
-      },
-      {
-        "type": "textField",
-        "name": "standards.ColleagueImpersonationAlert.disclaimerHtml",
-        "label": "Disclaimer HTML – Paste the full HTML for the warning banner",
-        "required": true
-      },
-      {
-        "type": "heading",
-        "label": "Keyword Exclusions (Exclude certain users by keywords)",
-        "required": false
-      },
-      {
-        "type": "autoComplete",
-        "name": "standards.ColleagueImpersonationAlert.excludedMailboxes",
-        "label": "Exclude mailboxes by keywords for example any Displayname starting with (Leaver)",
-        "multiple": true,
-        "creatable": true,
-        "required": false
-      },
-      {
-        "type": "heading",
-        "label": "Exempt Senders (Email Accounts)",
-        "required": false
-      },
-      {
-        "type": "autoComplete",
-        "name": "standards.ColleagueImpersonationAlert.additionalExemptSenders",
-        "label": "Additional exempt sender addresses",
-        "multiple": true,
-        "creatable": true,
-        "required": false
-      }
-    ],
-    "label": "Colleague Impersonation Alert Transport Rules",
-    "impact": "Medium Impact",
-    "impactColour": "warning",
-    "addedDate": "2026-03-22",
-    "powershellEquivalent": "New-TransportRule / Set-TransportRule",
-    "recommendedBy": []
   }
 ]
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableEWSOnSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableEWSOnSharedMailbox.ps1
@@ -0,0 +1,93 @@
+function Invoke-CIPPStandardEnableEWSOnSharedMailbox {
+  <#
+    .FUNCTIONALITY
+        Internal
+    .COMPONENT
+        (APIName) EnableEWSOnSharedMailbox
+    .SYNOPSIS
+        (Label) ISGQ only - Enable EWS on shared mailboxes accounts
+    .DESCRIPTION
+        (Helptext) Enable EWS on shared mailboxes, required for CW Backup to continue functioning. Can kill off from October 2026.
+        (DocsDescription) Enable EWS on shared mailboxes, required for some backup products to continue functioning. Can kill off from October 2026.
+    .NOTES
+        CAT
+            Exchange Standards
+        TAG
+
+        EXECUTIVETEXT
+            Enable EWS on shared mailboxes, required for some backup products to continue functioning. Can kill off from October 2026.
+        ADDEDCOMPONENT
+        IMPACT
+            Medium Impact
+        ADDEDDATE
+            2026-04-15
+        POWERSHELLEQUIVALENT
+            Set-CASMailbox -Identity "sharedmailbox@domain.com" -EwsEnabled $true & Set-OrganizationConfig -EwsEnabled $true
+        RECOMMENDEDBY
+
+        UPDATECOMMENTBLOCK
+            Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+    .LINK
+        https://docs.cipp.app/user-documentation/tenant/standards/list-standards
+    #>
+
+  param($Tenant, $Settings)
+
+  try {
+    $SharedMailboxList = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{filter = "RecipientTypeDetails -eq 'SharedMailbox'" }
+  }
+  catch {
+    $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+    Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the SharedMailbox for $Tenant. Error: $ErrorMessage" -Sev Error
+    return
+  }
+
+  if ($Settings.remediate -eq $true) {
+    if ($SharedMailboxList.Count -gt 0) {
+      $AuditState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').EwsEnabled
+      if (!($AuditState)) {
+        New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OrganizationConfig' -cmdParams @{EwsEnabled = $true }
+      }
+      $Request = $SharedMailboxList | ForEach-Object {
+        @{
+          CmdletInput = @{
+            CmdletName = 'Set-CASMailbox'
+            Parameters = @{Identity = $_.UserPrincipalName; EwsEnabled = $true }
+          }
+        }
+      }
+
+      $BatchResults = New-ExoBulkRequest -tenantid $tenant -cmdletArray @($Request)
+      $BatchResults | ForEach-Object {
+        if ($_.error) {
+          $ErrorMessage = Get-NormalizedError -Message $_.error
+          Write-Host "Failed to enable EWS for $($_.target). Error: $ErrorMessage"
+          Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to enable EWS for $($_.target). Error: $ErrorMessage" -sev Error
+        }
+      }
+
+    }
+
+    <#if ($Settings.alert -eq $true) {
+
+        if ($SharedMailboxList) {
+            Write-StandardsAlert -message "Shared mailboxes with enabled accounts: $($SharedMailboxList.Count)" -object $SharedMailboxList -tenant $Tenant -standardName 'DisableSharedMailbox' -standardId $Settings.standardId
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message "Shared mailboxes with enabled accounts: $($SharedMailboxList.Count)" -sev Info
+        } else {
+            Write-LogMessage -API 'Standards' -tenant $Tenant -message 'All Entra accounts for shared mailboxes are disabled.' -sev Info
+        }
+    }
+
+    if ($Settings.report -eq $true) {
+        $State = $SharedMailboxList ? $SharedMailboxList : @()
+
+        $CurrentValue = [PSCustomObject]@{
+            DisableSharedMailbox = @($State)
+        }
+        $ExpectedValue = [PSCustomObject]@{
+            DisableSharedMailbox = @()
+        }
+
+    Set-CIPPStandardsCompareField -FieldName 'standards.EnableEWSOnSharedMailbox' -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -Tenant $Tenant#>
+  }
+}
