
Commit 8cd8d1d

committed
Fix for ORCA107 and add Exchange Global Quarantine policy to cache
1 parent cc84a49 commit 8cd8d1d

3 files changed

Lines changed: 49 additions & 16 deletions


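--- a/Config/CIPPDBCacheTypes.json
+++ b/Config/CIPPDBCacheTypes.json
@@ -214,6 +214,11 @@
 "friendlyName": "Exchange Quarantine Policy",
 "description": "Exchange Online quarantine policy"
 },
+{
+"type": "ExoGlobalQuarantinePolicy",
+"friendlyName": "Exchange Global Quarantine Policy",
+"description": "Exchange Online tenant-wide Global Quarantine policy (end-user notification settings)"
+},
 {
 "type": "ExoRemoteDomain",
 "friendlyName": "Exchange Remote Domain",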

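--- a/Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheExoQuarantinePolicy.ps1
+++ b/Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheExoQuarantinePolicy.ps1
@@ -29,4 +29,18 @@ function Set-CIPPDBCacheExoQuarantinePolicy {
 } catch {
 Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache Quarantine policy data: $($_.Exception.Message)" -sev Error
 }
+
+try {
+Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching Exchange Global Quarantine policy' -sev Debug
+
+$GlobalQuarantinePolicy = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-QuarantinePolicy' -cmdParams @{ QuarantinePolicyType = 'GlobalQuarantinePolicy' }
+if ($GlobalQuarantinePolicy) {
+Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ExoGlobalQuarantinePolicy' -Data $GlobalQuarantinePolicy -AddCount
+Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Cached Global Quarantine policy' -sev Debug
+}
+$GlobalQuarantinePolicy = $null
+
+} catch {
+Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache Global Quarantine policy data: $($_.Exception.Message)" -sev Error
+}
 }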
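Review bot: An empty response from `New-ExoRequest` is silent here: the `if ($GlobalQuarantinePolicy)` guard at new lines 37–40 skips both `Add-CIPPDbItem` and the log call, so a run that returned nothing looks the same in the log as a run that cached the policy. If `Add-CIPPDbItem` is what replaces earlier rows (its behaviour is not visible in this hunk), a previously cached 'ExoGlobalQuarantinePolicy' item may also be left in place, and ORCA107 would then grade stale data. Consider adding `else { Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'No Global Quarantine policy returned' -sev Info }` so the empty case is visible. The function body starts above the hunk.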

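--- a/Modules/CIPPTests/Public/Tests/ORCA/Identity/Invoke-CippTestORCA107.ps1
+++ b/Modules/CIPPTests/Public/Tests/ORCA/Identity/Invoke-CippTestORCA107.ps1
@@ -6,45 +6,59 @@ function Invoke-CippTestORCA107 {
 param($Tenant)
 
 try {
-$Policies = Get-CIPPTestData -TenantFilter $Tenant -Type 'ExoQuarantinePolicy'
+$Policies = Get-CIPPTestData -TenantFilter $Tenant -Type 'ExoGlobalQuarantinePolicy'
 
 if (-not $Policies) {
 Add-CippTestResult -TenantFilter $Tenant -TestId 'ORCA107' -TestType 'Identity' -Status 'Skipped' -ResultMarkdown 'No data found in database. This may be due to missing required licenses or data collection not yet completed.' -Risk 'Low' -Name 'End-user spam notification is enabled' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Quarantine'
 return
 }
 
+# Exo returns EndUserSpamNotificationFrequency as an ISO 8601 duration string ('PT4H', 'P1D', 'P7D').
+# 'PT0S' or null means notifications are disabled. The placeholder policy name 'DefaultGlobalPolicy'
+# indicates the global policy has never been configured.
 $FailedPolicies = [System.Collections.Generic.List[object]]::new()
 $PassedPolicies = [System.Collections.Generic.List[object]]::new()
 
 foreach ($Policy in $Policies) {
-if ($Policy.EndUserSpamNotificationFrequency -gt 0) {
-$PassedPolicies.Add($Policy) | Out-Null
+$Frequency = $Policy.EndUserSpamNotificationFrequency
+$IsConfigured = $Policy.Name -ne 'DefaultGlobalPolicy'
+$IsEnabled = $false
+if ($IsConfigured -and $Frequency) {
+try {
+$TimeSpan = [System.Xml.XmlConvert]::ToTimeSpan([string]$Frequency)
+$IsEnabled = $TimeSpan.TotalSeconds -gt 0
+} catch {
+$IsEnabled = $false
+}
+}
+
+$DisplayFrequency = if ($Frequency) { [string]$Frequency } else { 'Not set' }
+$Annotated = $Policy | Select-Object *, @{ Name = 'DisplayFrequency'; Expression = { $DisplayFrequency } }
+
+if ($IsEnabled) {
+$PassedPolicies.Add($Annotated) | Out-Null
 } else {
-$FailedPolicies.Add($Policy) | Out-Null
+$FailedPolicies.Add($Annotated) | Out-Null
 }
 }
 
 if ($FailedPolicies.Count -eq 0 -and $PassedPolicies.Count -gt 0) {
 $Status = 'Passed'
-$Result = [System.Text.StringBuilder]::new("All quarantine policies have end-user spam notifications enabled.`n`n")
-$null = $Result.Append("**Compliant Policies:** $($PassedPolicies.Count)`n`n")
-$null = $Result.Append("| Policy Name | Notification Frequency (days) |`n")
-$null = $Result.Append("|------------|-------------------------------|`n")
+$Result = [System.Text.StringBuilder]::new("The Global Quarantine policy has end-user spam notifications enabled.`n`n")
+$null = $Result.Append("| Policy Name | Notification Frequency |`n")
+$null = $Result.Append("|------------|------------------------|`n")
 foreach ($Policy in $PassedPolicies) {
-$null = $Result.Append("| $($Policy.Identity) | $($Policy.EndUserSpamNotificationFrequency) |`n")
+$null = $Result.Append("| $($Policy.Identity) | $($Policy.DisplayFrequency) |`n")
 }
-} elseif ($PassedPolicies.Count -eq 0) {
-$Status = 'Failed'
-$Result = [System.Text.StringBuilder]::new("No quarantine policies have end-user spam notifications enabled.`n`n")
 } else {
 $Status = 'Failed'
-$Result = [System.Text.StringBuilder]::new("$($FailedPolicies.Count) quarantine policies do not have end-user spam notifications enabled.`n`n")
-$null = $Result.Append("**Non-Compliant Policies:** $($FailedPolicies.Count)`n`n")
+$Result = [System.Text.StringBuilder]::new("The Global Quarantine policy does not have end-user spam notifications enabled.`n`n")
 $null = $Result.Append("| Policy Name | Notification Frequency |`n")
-$null = $Result.Append("|------------|----------------------|`n")
+$null = $Result.Append("|------------|------------------------|`n")
 foreach ($Policy in $FailedPolicies) {
-$null = $Result.Append("| $($Policy.Identity) | Disabled |`n")
+$null = $Result.Append("| $($Policy.Identity) | $($Policy.DisplayFrequency) |`n")
 }
+$null = $Result.Append("`n**Remediation:** Configure the Global Quarantine policy with a notification frequency (e.g. PT4H, P1D, or P7D) via `Set-QuarantinePolicy -EndUserSpamNotificationFrequency`.")
 }
 
 Add-CippTestResult -TenantFilter $Tenant -TestId 'ORCA107' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'Low' -Name 'End-user spam notification is enabled' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Quarantine'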
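Review bot: The Failed table can list a frequency that looks valid without saying why the check failed. Both the `DefaultGlobalPolicy` placeholder case (new line 24) and a parse error swallowed by the `catch` at new lines 30–32 leave `$IsEnabled = $false`, while `$DisplayFrequency` on new line 35 still prints the raw value. If the cached value ever arrives in a form other than an ISO 8601 duration string, every tenant would fail this control with no hint in the result or the log. Set `$ParseFailed = $true` in the catch and derive the display text from the reason, e.g. `$DisplayFrequency = if (-not $IsConfigured) { 'Not configured' } elseif ($ParseFailed) { "Unrecognised value: $Frequency" } elseif ($Frequency) { [string]$Frequency } else { 'Not set' }`. The outer `try` and the function end outside the hunk.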
