Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev

Author: JohnDuprey

Config/CIPPDBCacheTypes.json

@@ -244,6 +244,16 @@
     "friendlyName": "Exchange Tenant Allow/Block List",
     "description": "Exchange Online tenant allow/block list"
   },
+  {
+    "type": "ExoInboundConnector",
+    "friendlyName": "Exchange Inbound Connectors",
+    "description": "Exchange Online inbound connectors (includes enhanced filtering settings)"
+  },
+  {
+    "type": "ExoProtectionAlert",
+    "friendlyName": "Exchange Protection Alerts",
+    "description": "Microsoft 365 protection alert policies (Security & Compliance endpoint)"
+  },
   {
     "type": "Mailboxes",
     "friendlyName": "Mailboxes",

Modules/CIPPCore/Public/Invoke-CIPPDBCacheCollection.ps1

@@ -87,6 +87,8 @@ function Invoke-CIPPDBCacheCollection {
             'ExoAdminAuditLogConfig'
             'ExoPresetSecurityPolicy'
             'ExoTenantAllowBlockList'
+            'ExoInboundConnector'
+            'ExoProtectionAlert'
             'OwaMailboxPolicy'
             'ReportSubmissionPolicy'
             'ExoTransportConfig'

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheExoInboundConnector.ps1

@@ -0,0 +1,32 @@
+function Set-CIPPDBCacheExoInboundConnector {
+    <#
+    .SYNOPSIS
+        Caches Exchange Online inbound connectors
+
+    .PARAMETER TenantFilter
+        The tenant to cache inbound connector data for
+
+    .PARAMETER QueueId
+        The queue ID to update with total tasks (optional)
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [string]$QueueId
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching Exchange inbound connectors' -sev Debug
+
+        $InboundConnectors = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-InboundConnector'
+        if ($InboundConnectors) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ExoInboundConnector' -Data $InboundConnectors -AddCount
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($InboundConnectors.Count) inbound connectors" -sev Debug
+        }
+        $InboundConnectors = $null
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache inbound connector data: $($_.Exception.Message)" -sev Error
+    }
+}

Modules/CIPPDB/Public/DBCache/Set-CIPPDBCacheExoProtectionAlert.ps1

@@ -0,0 +1,36 @@
+function Set-CIPPDBCacheExoProtectionAlert {
+    <#
+    .SYNOPSIS
+        Caches Exchange Online / Purview protection alert policies
+
+    .DESCRIPTION
+        Calls Get-ProtectionAlert via the Security & Compliance PowerShell endpoint
+        (requires the -Compliance switch on New-ExoRequest).
+
+    .PARAMETER TenantFilter
+        The tenant to cache protection alert data for
+
+    .PARAMETER QueueId
+        The queue ID to update with total tasks (optional)
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$TenantFilter,
+        [string]$QueueId
+    )
+
+    try {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching Exchange protection alerts' -sev Debug
+
+        $ProtectionAlerts = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-ProtectionAlert' -Compliance
+        if ($ProtectionAlerts) {
+            Add-CIPPDbItem -TenantFilter $TenantFilter -Type 'ExoProtectionAlert' -Data $ProtectionAlerts -AddCount
+            Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($ProtectionAlerts.Count) protection alerts" -sev Debug
+        }
+        $ProtectionAlerts = $null
+
+    } catch {
+        Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to cache protection alert data: $($_.Exception.Message)" -sev Error
+    }
+}

Modules/CIPPStandards/Public/Standards/Invoke-CIPPStandardSpamFilterPolicy.ps1

@@ -7,8 +7,8 @@ function Invoke-CIPPStandardSpamFilterPolicy {
     .SYNOPSIS
         (Label) Default Spam Filter Policy
     .DESCRIPTION
-        (Helptext) This standard creates a Spam filter policy similar to the default strict policy.
-        (DocsDescription) This standard creates a Spam filter policy similar to the default strict policy, the following settings are configured to on by default: IncreaseScoreWithNumericIps, IncreaseScoreWithRedirectToOtherPort, MarkAsSpamEmptyMessages, MarkAsSpamJavaScriptInHtml, MarkAsSpamSpfRecordHardFail, MarkAsSpamFromAddressAuthFail, MarkAsSpamNdrBackscatter, MarkAsSpamBulkMail, InlineSafetyTipsEnabled, PhishZapEnabled, SpamZapEnabled
+        (Helptext) This standard creates a Spam filter policy aligned with the Microsoft Strict preset.
+        (DocsDescription) This standard creates a Spam filter policy aligned with the Microsoft Strict preset. All Advanced Spam Filter (ASF) settings are left Off per Microsoft guidance (ASF is deprecated and prevents false-positive reporting). The following settings are configured On by default: MarkAsSpamBulkMail, InlineSafetyTipsEnabled, PhishZapEnabled, SpamZapEnabled.
     .NOTES
         CAT
             Defender Standards
@@ -127,20 +127,20 @@ function Invoke-CIPPStandardSpamFilterPolicy {
         ($CurrentState.BulkThreshold -eq [int]$Settings.BulkThreshold) -and
         ($CurrentState.QuarantineRetentionPeriod -eq 30) -and
         ($CurrentState.IncreaseScoreWithImageLinks -eq $IncreaseScoreWithImageLinks) -and
-        ($CurrentState.IncreaseScoreWithNumericIps -eq 'On') -and
-        ($CurrentState.IncreaseScoreWithRedirectToOtherPort -eq 'On') -and
+        ($CurrentState.IncreaseScoreWithNumericIps -eq 'Off') -and
+        ($CurrentState.IncreaseScoreWithRedirectToOtherPort -eq 'Off') -and
         ($CurrentState.IncreaseScoreWithBizOrInfoUrls -eq $IncreaseScoreWithBizOrInfoUrls) -and
-        ($CurrentState.MarkAsSpamEmptyMessages -eq 'On') -and
-        ($CurrentState.MarkAsSpamJavaScriptInHtml -eq 'On') -and
+        ($CurrentState.MarkAsSpamEmptyMessages -eq 'Off') -and
+        ($CurrentState.MarkAsSpamJavaScriptInHtml -eq 'Off') -and
         ($CurrentState.MarkAsSpamFramesInHtml -eq $MarkAsSpamFramesInHtml) -and
         ($CurrentState.MarkAsSpamObjectTagsInHtml -eq $MarkAsSpamObjectTagsInHtml) -and
         ($CurrentState.MarkAsSpamEmbedTagsInHtml -eq $MarkAsSpamEmbedTagsInHtml) -and
         ($CurrentState.MarkAsSpamFormTagsInHtml -eq $MarkAsSpamFormTagsInHtml) -and
         ($CurrentState.MarkAsSpamWebBugsInHtml -eq $MarkAsSpamWebBugsInHtml) -and
         ($CurrentState.MarkAsSpamSensitiveWordList -eq $MarkAsSpamSensitiveWordList) -and
-        ($CurrentState.MarkAsSpamSpfRecordHardFail -eq 'On') -and
-        ($CurrentState.MarkAsSpamFromAddressAuthFail -eq 'On') -and
-        ($CurrentState.MarkAsSpamNdrBackscatter -eq 'On') -and
+        ($CurrentState.MarkAsSpamSpfRecordHardFail -eq 'Off') -and
+        ($CurrentState.MarkAsSpamFromAddressAuthFail -eq 'Off') -and
+        ($CurrentState.MarkAsSpamNdrBackscatter -eq 'Off') -and
         ($CurrentState.MarkAsSpamBulkMail -eq 'On') -and
         ($CurrentState.InlineSafetyTipsEnabled -eq $true) -and
         ($CurrentState.PhishZapEnabled -eq $true) -and
@@ -183,20 +183,20 @@ function Invoke-CIPPStandardSpamFilterPolicy {
                 BulkThreshold                        = [int]$Settings.BulkThreshold
                 QuarantineRetentionPeriod            = 30
                 IncreaseScoreWithImageLinks          = $IncreaseScoreWithImageLinks
-                IncreaseScoreWithNumericIps          = 'On'
-                IncreaseScoreWithRedirectToOtherPort = 'On'
+                IncreaseScoreWithNumericIps          = 'Off'
+                IncreaseScoreWithRedirectToOtherPort = 'Off'
                 IncreaseScoreWithBizOrInfoUrls       = $IncreaseScoreWithBizOrInfoUrls
-                MarkAsSpamEmptyMessages              = 'On'
-                MarkAsSpamJavaScriptInHtml           = 'On'
+                MarkAsSpamEmptyMessages              = 'Off'
+                MarkAsSpamJavaScriptInHtml           = 'Off'
                 MarkAsSpamFramesInHtml               = $MarkAsSpamFramesInHtml
                 MarkAsSpamObjectTagsInHtml           = $MarkAsSpamObjectTagsInHtml
                 MarkAsSpamEmbedTagsInHtml            = $MarkAsSpamEmbedTagsInHtml
                 MarkAsSpamFormTagsInHtml             = $MarkAsSpamFormTagsInHtml
                 MarkAsSpamWebBugsInHtml              = $MarkAsSpamWebBugsInHtml
                 MarkAsSpamSensitiveWordList          = $MarkAsSpamSensitiveWordList
-                MarkAsSpamSpfRecordHardFail          = 'On'
-                MarkAsSpamFromAddressAuthFail        = 'On'
-                MarkAsSpamNdrBackscatter             = 'On'
+                MarkAsSpamSpfRecordHardFail          = 'Off'
+                MarkAsSpamFromAddressAuthFail        = 'Off'
+                MarkAsSpamNdrBackscatter             = 'Off'
                 MarkAsSpamBulkMail                   = 'On'
                 InlineSafetyTipsEnabled              = $true
                 PhishZapEnabled                      = $true

Modules/CIPPTests/Public/Tests/ORCA/Identity/Invoke-CippTestORCA102.ps1

@@ -54,12 +54,28 @@ function Invoke-CippTestORCA102 {
             $null = $Result.Append("**Non-Compliant Policies:** $($FailedPolicies.Count)`n`n")
             $null = $Result.Append("| Policy Name | Enabled ASF Options |`n")
             $null = $Result.Append("|------------|---------------------|`n")
+            $ASFSettingMap = [ordered]@{
+                IncreaseScoreWithImageLinks          = 'ImageLinks'
+                IncreaseScoreWithNumericIps          = 'NumericIPs'
+                IncreaseScoreWithRedirectToOtherPort = 'RedirectToOtherPort'
+                IncreaseScoreWithBizOrInfoUrls       = 'BizOrInfoUrls'
+                MarkAsSpamEmptyMessages              = 'EmptyMessages'
+                MarkAsSpamJavaScriptInHtml           = 'JavaScript'
+                MarkAsSpamFramesInHtml               = 'Frames'
+                MarkAsSpamObjectTagsInHtml           = 'ObjectTags'
+                MarkAsSpamEmbedTagsInHtml            = 'EmbedTags'
+                MarkAsSpamFormTagsInHtml             = 'FormTags'
+                MarkAsSpamWebBugsInHtml              = 'WebBugs'
+                MarkAsSpamSensitiveWordList          = 'SensitiveWordList'
+                MarkAsSpamSpfRecordHardFail          = 'SpfRecordHardFail'
+                MarkAsSpamFromAddressAuthFail        = 'FromAddressAuthFail'
+                MarkAsSpamNdrBackscatter             = 'NdrBackscatter'
+            }
             foreach ($Policy in $FailedPolicies) {
                 $EnabledOptions = [System.Collections.Generic.List[string]]::new()
-                if ($Policy.IncreaseScoreWithImageLinks -eq 'On') { $EnabledOptions.Add('ImageLinks') | Out-Null }
-                if ($Policy.IncreaseScoreWithNumericIps -eq 'On') { $EnabledOptions.Add('NumericIPs') | Out-Null }
-                if ($Policy.MarkAsSpamEmptyMessages -eq 'On') { $EnabledOptions.Add('EmptyMessages') | Out-Null }
-                if ($Policy.MarkAsSpamJavaScriptInHtml -eq 'On') { $EnabledOptions.Add('JavaScript') | Out-Null }
+                foreach ($Property in $ASFSettingMap.Keys) {
+                    if ($Policy.$Property -eq 'On') { $EnabledOptions.Add($ASFSettingMap[$Property]) | Out-Null }
+                }
                 $null = $Result.Append("| $($Policy.Identity) | $($EnabledOptions -join ', ') |`n")
             }
         }

Modules/CIPPTests/Public/Tests/ORCA/Identity/Invoke-CippTestORCA103.ps1

@@ -20,17 +20,17 @@ function Invoke-CippTestORCA103 {
             $IsCompliant = $true
             $Issues = [System.Collections.Generic.List[string]]::new()
 
-            if ($Policy.RecipientLimitExternalPerHour -ne 500) {
+            if ($Policy.RecipientLimitExternalPerHour -le 0 -or $Policy.RecipientLimitExternalPerHour -gt 500) {
                 $IsCompliant = $false
-                $Issues.Add("RecipientLimitExternalPerHour: $($Policy.RecipientLimitExternalPerHour) (should be 500)") | Out-Null
+                $Issues.Add("RecipientLimitExternalPerHour: $($Policy.RecipientLimitExternalPerHour) (should be between 1 and 500)") | Out-Null
             }
-            if ($Policy.RecipientLimitInternalPerHour -ne 1000) {
+            if ($Policy.RecipientLimitInternalPerHour -le 0 -or $Policy.RecipientLimitInternalPerHour -gt 1000) {
                 $IsCompliant = $false
-                $Issues.Add("RecipientLimitInternalPerHour: $($Policy.RecipientLimitInternalPerHour) (should be 1000)") | Out-Null
+                $Issues.Add("RecipientLimitInternalPerHour: $($Policy.RecipientLimitInternalPerHour) (should be between 1 and 1000)") | Out-Null
             }
-            if ($Policy.ActionWhenThresholdReached -ne 'BlockUserForToday') {
+            if ($Policy.ActionWhenThresholdReached -ne 'BlockUser') {
                 $IsCompliant = $false
-                $Issues.Add("ActionWhenThresholdReached: $($Policy.ActionWhenThresholdReached) (should be BlockUserForToday)") | Out-Null
+                $Issues.Add("ActionWhenThresholdReached: $($Policy.ActionWhenThresholdReached) (should be BlockUser)") | Out-Null
             }
 
             if ($IsCompliant) {

Modules/CIPPTests/Public/Tests/ORCA/Identity/Invoke-CippTestORCA113.ps1

@@ -13,39 +13,45 @@ function Invoke-CippTestORCA113 {
             return
         }
 
+        # Exclude the Built-In Protection preset — Microsoft owns it and intentionally allows click-through on the baseline.
+        $CustomPolicies = $SafeLinksPolicies | Where-Object {
+            $_.IsBuiltInProtection -ne $true
+        }
+
         $FailedPolicies = [System.Collections.Generic.List[object]]::new()
         $PassedPolicies = [System.Collections.Generic.List[object]]::new()
 
-        foreach ($Policy in $SafeLinksPolicies) {
-            if ($Policy.DoNotAllowClickThrough -eq $true) {
-                $PassedPolicies.Add($Policy)
+        foreach ($Policy in $CustomPolicies) {
+            if ($Policy.AllowClickThrough -eq $false) {
+                $PassedPolicies.Add($Policy) | Out-Null
             } else {
-                $FailedPolicies.Add($Policy)
+                $FailedPolicies.Add($Policy) | Out-Null
             }
         }
 
-        if ($FailedPolicies.Count -eq 0) {
+        if ($PassedPolicies.Count -gt 0 -and $FailedPolicies.Count -eq 0) {
             $Status = 'Passed'
-            $Result = [System.Text.StringBuilder]::new("All Safe Links policies have click-through disabled (DoNotAllowClickThrough = true).`n`n")
+            $Result = [System.Text.StringBuilder]::new("All custom Safe Links policies have click-through disabled (AllowClickThrough = false).`n`n")
             $null = $Result.Append("**Compliant Policies:** $($PassedPolicies.Count)`n`n")
-            if ($PassedPolicies.Count -gt 0) {
-                $null = $Result.Append("| Policy Name | DoNotAllowClickThrough |`n")
-                $null = $Result.Append("|------------|----------------------|`n")
-                foreach ($Policy in $PassedPolicies) {
-                    $null = $Result.Append("| $($Policy.Identity) | $($Policy.DoNotAllowClickThrough) |`n")
-                }
+            $null = $Result.Append("| Policy Name | AllowClickThrough |`n")
+            $null = $Result.Append("|------------|-------------------|`n")
+            foreach ($Policy in $PassedPolicies) {
+                $null = $Result.Append("| $($Policy.Identity) | $($Policy.AllowClickThrough) |`n")
             }
+        } elseif ($PassedPolicies.Count -eq 0 -and $FailedPolicies.Count -eq 0) {
+            $Status = 'Failed'
+            $Result = [System.Text.StringBuilder]::new("No custom Safe Links policies are configured. The Built-In Protection policy allows click-through by design.`n`n**Remediation:** Create a custom Safe Links policy with `AllowClickThrough = `$false`.")
         } else {
             $Status = 'Failed'
-            $Result = [System.Text.StringBuilder]::new("Some Safe Links policies allow click-through, which reduces protection.`n`n")
+            $Result = [System.Text.StringBuilder]::new("$($FailedPolicies.Count) custom Safe Links policies allow click-through, which reduces protection.`n`n")
             $null = $Result.Append("**Failed Policies:** $($FailedPolicies.Count) | **Passed Policies:** $($PassedPolicies.Count)`n`n")
             $null = $Result.Append("### Non-Compliant Policies`n`n")
-            $null = $Result.Append("| Policy Name | DoNotAllowClickThrough | Recommended |`n")
-            $null = $Result.Append("|------------|----------------------|-------------|`n")
+            $null = $Result.Append("| Policy Name | AllowClickThrough | Recommended |`n")
+            $null = $Result.Append("|------------|-------------------|-------------|`n")
             foreach ($Policy in $FailedPolicies) {
-                $null = $Result.Append("| $($Policy.Identity) | $($Policy.DoNotAllowClickThrough) | true |`n")
+                $null = $Result.Append("| $($Policy.Identity) | $($Policy.AllowClickThrough) | false |`n")
             }
-            $null = $Result.Append("`n**Remediation:** Disable click-through (set DoNotAllowClickThrough to true) to prevent users from bypassing Safe Links protection.")
+            $null = $Result.Append("`n**Remediation:** Set AllowClickThrough to false to prevent users from bypassing Safe Links protection.")
         }
 
         Add-CippTestResult -TenantFilter $Tenant -TestId 'ORCA113' -TestType 'Identity' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name 'AllowClickThrough is disabled in Safe Links policies' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Safe Links'

Modules/CIPPTests/Public/Tests/ORCA/Identity/Invoke-CippTestORCA179.ps1

@@ -13,21 +13,29 @@ function Invoke-CippTestORCA179 {
             return
         }
 
+        # Exclude the Built-In Protection preset — Microsoft scopes it to external senders by design.
+        $CustomPolicies = $Policies | Where-Object {
+            $_.IsBuiltInProtection -ne $true
+        }
+
         $FailedPolicies = [System.Collections.Generic.List[object]]::new()
         $PassedPolicies = [System.Collections.Generic.List[object]]::new()
 
-        foreach ($Policy in $Policies) {
+        foreach ($Policy in $CustomPolicies) {
             if ($Policy.EnableForInternalSenders -eq $true) {
                 $PassedPolicies.Add($Policy) | Out-Null
             } else {
                 $FailedPolicies.Add($Policy) | Out-Null
             }
         }
 
-        if ($FailedPolicies.Count -eq 0) {
+        if ($PassedPolicies.Count -gt 0 -and $FailedPolicies.Count -eq 0) {
             $Status = 'Passed'
-            $Result = [System.Text.StringBuilder]::new("All Safe Links policies are enabled for internal senders.`n`n")
+            $Result = [System.Text.StringBuilder]::new("All custom Safe Links policies are enabled for internal senders.`n`n")
             $null = $Result.Append("**Compliant Policies:** $($PassedPolicies.Count)")
+        } elseif ($PassedPolicies.Count -eq 0 -and $FailedPolicies.Count -eq 0) {
+            $Status = 'Failed'
+            $Result = [System.Text.StringBuilder]::new("No custom Safe Links policies are configured. The Built-In Protection policy does not cover internal senders.`n`n**Remediation:** Create a custom Safe Links policy with `EnableForInternalSenders = `$true`.")
         } else {
             $Status = 'Failed'
             $Result = [System.Text.StringBuilder]::new("$($FailedPolicies.Count) Safe Links policies are not enabled for internal senders.`n`n")