Commit ee5b862

Merge branch 'dev' of https://github.com/KelvinTegelaar/CIPP-API into dev
2 parents 7baeb92 + 57cab3b commit ee5b862

4 files changed

Lines changed: 159 additions & 27 deletions

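--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1
@@ -45,41 +45,54 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses {
 throw $Message
 }
 
-
 if ($settings.exclusions -like '*;*') {
 $exclusions = $settings.Exclusions -split (';')
 } else {
 $exclusions = $settings.Exclusions -split (',')
 }
 
+$CurrentValues = $selfServiceItems | Select-Object -Property productName, productId, policyValue
+
 $ExpectedValues = [System.Collections.Generic.List[PSCustomObject]]::new()
+
 foreach ($Item in $selfServiceItems) {
+
 if ($Item.productId -in $exclusions) {
-$Item.policyValue = "Enabled"
-$ExpectedValues.add(($Item | Select-Object -Property productName, productId, policyValue))
-Write-LogMessage -API 'Standards' -tenant $Tenant -message "Exclusion present for self-service license '$($Item.productName) - $($Item.productId)'"
+$desiredPolicyValue = "Enabled"
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Exclusion present for self-service license '$($Item.productName) - $($Item.productId)'"
 }
 else {
-$Item.policyValue = "Disabled"
-$ExpectedValues.add(($Item | Select-Object -Property productName, productId, policyValue))
+$desiredPolicyValue = "Disabled"
 }
-}
 
-$CurrentValues = $selfServiceItems | Select-Object -Property productName, productId, policyValue
+$ExpectedValues.Add([PSCustomObject]@{
+productName = $Item.productName
+productId = $Item.productId
+policyValue = $desiredPolicyValue
+})
+}
 
 if ($settings.remediate) {
+
 $Compare = Compare-Object -ReferenceObject $ExpectedValues -DifferenceObject $CurrentValues -Property productName, productId, policyValue
 
 if (!$Compare) {
 Write-LogMessage -API 'Standards' -tenant $Tenant -message 'self service licenses are already set correctly.' -sev Info
 }
 else {
-$NeedsUpdate = $Compare | Where-Object {$_.SideIndicator -eq "<="}
+
+$NeedsUpdate = $Compare | Where-Object { $_.SideIndicator -eq "<=" }
+
 foreach ($Item in $NeedsUpdate) {
 try {
-$body = @{policyValue=$Item.policyValue} | ConvertTo-Json -Compress
+
+$currentItem = $CurrentValues | Where-Object { $_.productId -eq $Item.productId } | Select-Object -First 1
+$currentValue = if ($currentItem) { $currentItem.policyValue } else { "<unknown>" }
+
+$body = @{ policyValue = $Item.policyValue } | ConvertTo-Json -Compress
 New-GraphPOSTRequest -scope 'aeb86249-8ea3-49e2-900b-54cc8e308f85/.default' -uri "https://licensing.m365.microsoft.com/v1.0/policies/AllowSelfServicePurchase/products/$($Item.productId)" -tenantid $Tenant -body $body -type PUT
-Write-LogMessage -API 'Standards' -tenant $tenant -message "Changed Self Service status for product '$($Item.productName) - $($Item.productId)' to '$($Item.policyValue)'"
+
+Write-LogMessage -API 'Standards' -tenant $tenant -message "Changed Self Service status for product '$($Item.productName) - $($Item.productId)' from '$currentValue' to '$($Item.policyValue)'" -sev Info
 } catch {
 Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to set product status for '$($Item.productName) - $($Item.productId)' with body $($body) for reason: $($_.Exception.Message)" -sev Error
 }
@@ -100,12 +113,13 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses {
 }
 
 if ($Settings.report -eq $true) {
+
 $StateIsCorrect = !(Compare-Object -ReferenceObject $ExpectedValues -DifferenceObject $CurrentValues -Property productName, productId, policyValue)
 
 $ExpectedValuesHash = @{}
 foreach ($Item in $ExpectedValues) {
 $ExpectedValuesHash[$Item.productName] = [PSCustomObject]@{
-Id = $Item.productId
+Id = $Item.productId
 Value = $Item.policyValue
 }
 }
@@ -114,7 +128,7 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses {
 $CurrentValuesHash = @{}
 foreach ($Item in $CurrentValues) {
 $CurrentValuesHash[$Item.productName] = [PSCustomObject]@{
-Id = $Item.productId
+Id = $Item.productId
 Value = $Item.policyValue
 }
 }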
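Review bot: After the PUT on the licensing endpoint succeeds, the matching entry in `$CurrentValues` is left at its pre-remediation value — nothing in the visible hunks updates it — so the `report` branch later in the same run still diffs `$ExpectedValues` against stale state and records the tenant as non-compliant until the next run; the new intuneDeviceRegLocalAdmins file avoids exactly this by setting `$CurrentOdataType = $DesiredOdataType` after its PUT. Since `$currentItem` is already resolved just above the PUT, one line after `New-GraphPOSTRequest` closes the gap: `if ($currentItem) { $currentItem.policyValue = $Item.policyValue }`. Separately, the exclusion list is split on `;`/`,` without trimming, so `'id1, id2'` yields `' id2'`, which never matches `productId` and that product gets disabled despite being excluded — `.ForEach({ $_.Trim() })` on the split result would fix it; those lines are unchanged context, noted for completeness. The function starts before the first hunk and continues between and after them.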

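--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1
@@ -76,7 +76,7 @@ function Invoke-CIPPStandardOutBoundSpamAlert {
 Add-CIPPBPAField -FieldName 'OutboundSpamAlert' -FieldValue $CurrentInfo.NotifyOutboundSpam -StoreAs bool -Tenant $tenant
 $CurrentValue = @{
 NotifyOutboundSpam = $CurrentInfo.NotifyOutboundSpam
-NotifyOutboundSpamRecipients = $CurrentInfo.NotifyOutboundSpamRecipients
+NotifyOutboundSpamRecipients = ($CurrentInfo.NotifyOutboundSpamRecipients -join ', ')
 }
 $ExpectedValue = @{
 NotifyOutboundSpam = $true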
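Review bot: The new `-join ', '` turns the current recipient list into a single string, so the comparison against `$ExpectedValue` only stays meaningful if the expected recipients are rendered the same way; the `$ExpectedValue` hashtable continues past the end of the hunk, so I cannot confirm that here. If the expected entry still holds an array (or the raw setting value), the compare will flag every tenant as drifted even when the recipients match. Apply the same normalisation on the expected side, e.g. `NotifyOutboundSpamRecipients = (@(<expected recipients>) -join ', ')`, or keep both sides as arrays and let the compare helper handle them — either way the two entries should share one shape. The enclosing function starts before the hunk.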

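--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1
@@ -70,8 +70,11 @@ function Invoke-CIPPStandardUserSubmissions {
 $PolicyIsCorrect = ($PolicyState.EnableReportToMicrosoft -eq $true) -and
 ($PolicyState.ReportJunkToCustomizedAddress -eq $false) -and
 ($PolicyState.ReportNotJunkToCustomizedAddress -eq $false) -and
-($PolicyState.ReportPhishToCustomizedAddress -eq $false)
-$RuleIsCorrect = $true
+($PolicyState.ReportPhishToCustomizedAddress -eq $false) -and
+($PolicyState.ReportJunkAddresses.Count -eq 0) -and
+($PolicyState.ReportNotJunkAddresses.Count -eq 0) -and
+($PolicyState.ReportPhishAddresses.Count -eq 0)
+$RuleIsCorrect = ($RuleState.length -eq 0) -or ($RuleState.State -ne 'Enabled')
 } else {
 $PolicyIsCorrect = ($PolicyState.EnableReportToMicrosoft -eq $true) -and
 ($PolicyState.ReportJunkToCustomizedAddress -eq $true) -and
@@ -91,8 +94,11 @@ function Invoke-CIPPStandardUserSubmissions {
 $PolicyIsCorrect = ($PolicyState.EnableReportToMicrosoft -eq $false) -and
 ($PolicyState.ReportJunkToCustomizedAddress -eq $false) -and
 ($PolicyState.ReportNotJunkToCustomizedAddress -eq $false) -and
-($PolicyState.ReportPhishToCustomizedAddress -eq $false)
-$RuleIsCorrect = $true
+($PolicyState.ReportPhishToCustomizedAddress -eq $false) -and
+($PolicyState.ReportJunkAddresses.Count -eq 0) -and
+($PolicyState.ReportNotJunkAddresses.Count -eq 0) -and
+($PolicyState.ReportPhishAddresses.Count -eq 0)
+$RuleIsCorrect = ($RuleState.length -eq 0) -or ($RuleState.State -ne 'Enabled')
 }
 }
 
@@ -132,8 +138,11 @@ function Invoke-CIPPStandardUserSubmissions {
 $PolicyParams = @{
 EnableReportToMicrosoft = $false
 ReportJunkToCustomizedAddress = $false
+ReportJunkAddresses = $null
 ReportNotJunkToCustomizedAddress = $false
+ReportNotJunkAddresses = $null
 ReportPhishToCustomizedAddress = $false
+ReportPhishAddresses = $null
 }
 }
 
@@ -177,6 +186,14 @@ function Invoke-CIPPStandardUserSubmissions {
 Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to enable User Submission rule. Error: $($ErrorMessage.NormalizedError)" -sev Error
 }
 }
+} elseif ($RuleState.length -gt 0 -and $RuleState.State -eq 'Enabled') {
+try {
+$null = New-ExoRequest -tenantid $Tenant -cmdlet 'Remove-ReportSubmissionRule' -cmdParams @{ Identity = 'DefaultReportSubmissionRule' } -UseSystemMailbox $true
+Write-LogMessage -API 'Standards' -tenant $Tenant -message 'User Submission rule removed.' -sev Info
+} catch {
+$ErrorMessage = Get-CippException -Exception $_
+Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to remove User Submission rule. Error: $($ErrorMessage.NormalizedError)" -sev Error
+}
 }
 }
 }
@@ -211,23 +228,23 @@ function Invoke-CIPPStandardUserSubmissions {
 ReportJunkToCustomizedAddress = $PolicyState.ReportJunkToCustomizedAddress
 ReportNotJunkToCustomizedAddress = $PolicyState.ReportNotJunkToCustomizedAddress
 ReportPhishToCustomizedAddress = $PolicyState.ReportPhishToCustomizedAddress
-ReportJunkAddresses = $PolicyState.ReportJunkAddresses
-ReportNotJunkAddresses = $PolicyState.ReportNotJunkAddresses
-ReportPhishAddresses = $PolicyState.ReportPhishAddresses
+ReportJunkAddresses = @($PolicyState.ReportJunkAddresses)
+ReportNotJunkAddresses = @($PolicyState.ReportNotJunkAddresses)
+ReportPhishAddresses = @($PolicyState.ReportPhishAddresses)
 RuleState = @{
-State = $RuleState.State
-SentTo = $RuleState.SentTo
+State = if ($RuleState.length -eq 0) { 'Disabled' } else { $RuleState.State }
+SentTo = if ($RuleState.length -eq 0) { $null } else { @($RuleState.SentTo) }
 }
 }
 $ExpectedValue = @{
 EnableReportToMicrosoft = $state -eq 'enable'
 ReportJunkToCustomizedAddress = if ([string]::IsNullOrWhiteSpace($Email)) { $false } else { $true }
 ReportNotJunkToCustomizedAddress = if ([string]::IsNullOrWhiteSpace($Email)) { $false } else { $true }
 ReportPhishToCustomizedAddress = if ([string]::IsNullOrWhiteSpace($Email)) { $false } else { $true }
-ReportJunkAddresses = if ([string]::IsNullOrWhiteSpace($Email)) { $null } else { @($Email) }
-ReportNotJunkAddresses = if ([string]::IsNullOrWhiteSpace($Email)) { $null } else { @($Email) }
-ReportPhishAddresses = if ([string]::IsNullOrWhiteSpace($Email)) { $null } else { @($Email) }
-RuleState = if ([string]::IsNullOrWhiteSpace($Email)) {
+ReportJunkAddresses = @(if (-not [string]::IsNullOrWhiteSpace($Email)) { $Email })
+ReportNotJunkAddresses = @(if (-not [string]::IsNullOrWhiteSpace($Email)) { $Email })
+ReportPhishAddresses = @(if (-not [string]::IsNullOrWhiteSpace($Email)) { $Email })
+RuleState = if ([string]::IsNullOrWhiteSpace($Email) -or $state -eq 'disable') {
 @{
 State = 'Disabled'
 SentTo = $null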
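Review bot: The new `elseif` branch in the remediation hunk fixes an enabled rule by deleting it (`Remove-ReportSubmissionRule`), which is more destructive than the check it serves — the new `$RuleIsCorrect` accepts any rule whose `State -ne 'Enabled'`, so a merely disabled rule already passes. Deletion discards the rule's existing `SentTo` configuration and cannot be undone by flipping the standard back; if the disable counterpart of the cmdlet used on the enable path is reachable through `New-ExoRequest` (it is not visible in this hunk, so confirm), `-cmdlet 'Disable-ReportSubmissionRule'` with the same `Identity` would satisfy the check while preserving the rule, and the log text should then say disabled rather than removed. If removal is deliberate, say so next to the call, e.g. `# Rule is removed, not disabled, so the custom submission mailbox stops receiving reports entirely`. The `if`/`else` chain this branch belongs to starts before the hunk.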
Lines changed: 101 additions & 0 deletions
@@ -0,0 +1,101 @@
1+
function Invoke-CIPPStandardintuneDeviceRegLocalAdmins {
2+
<#
3+
.FUNCTIONALITY
4+
Internal
5+
.COMPONENT
6+
(APIName) intuneDeviceRegLocalAdmins
7+
.SYNOPSIS
8+
(Label) Configure local administrator rights for users joining devices
9+
.DESCRIPTION
10+
(Helptext) Controls whether users who register Microsoft Entra joined devices are granted local administrator rights on those devices and if Global Administrators are added as local admins.
11+
(DocsDescription) Configures the Device Registration Policy local administrator behavior for registering users. When enabled, users who register devices are not granted local administrator rights, you can also configure if Global Administrators are added as local admins.
12+
.NOTES
13+
CAT
14+
Entra (AAD) Standards
15+
TAG
16+
EXECUTIVETEXT
17+
Controls whether employees who enroll devices automatically receive local administrator access. Disabling registering-user admin rights follows least-privilege principles and reduces security risk from over-privileged endpoints.
18+
ADDEDCOMPONENT
19+
{"type":"switch","name":"standards.intuneDeviceRegLocalAdmins.disableRegisteringUsers","label":"Disable registering users as local administrators","defaultValue":true}
20+
{"type":"switch","name":"standards.intuneDeviceRegLocalAdmins.enableGlobalAdmins","label":"Allow Global Administrators to be local administrators","defaultValue":true}
21+
IMPACT
22+
Medium Impact
23+
ADDEDDATE
24+
2026-02-23
25+
POWERSHELLEQUIVALENT
26+
Update-MgBetaPolicyDeviceRegistrationPolicy
27+
RECOMMENDEDBY
28+
UPDATECOMMENTBLOCK
29+
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
30+
.LINK
31+
https://docs.cipp.app/user-documentation/tenant/standards/list-standards
32+
#>
33+
34+
param($Tenant, $Settings)
35+
36+
try {
37+
$PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant
38+
} catch {
39+
$ErrorMessage = Get-CippException -Exception $_
40+
Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the intuneDeviceRegLocalAdmins state for $Tenant. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
41+
return
42+
}
43+
# Current M365 Config
44+
$CurrentOdataType = $PreviousSetting.azureADJoin.localAdmins.registeringUsers.'@odata.type'
45+
$CurrentEnableGlobalAdmins = [bool]$PreviousSetting.azureADJoin.localAdmins.enableGlobalAdmins
46+
47+
# Standards Config
48+
$DisableRegisteringUsers = [bool]$Settings.disableRegisteringUsers
49+
$EnableGlobalAdmins = [bool]$Settings.enableGlobalAdmins
50+
51+
# State comparison
52+
$DesiredOdataType = if ($DisableRegisteringUsers) { '#microsoft.graph.noDeviceRegistrationMembership' } else { '#microsoft.graph.allDeviceRegistrationMembership' }
53+
$StateIsCorrect = ($CurrentOdataType -eq $DesiredOdataType) -and ($CurrentEnableGlobalAdmins -eq $EnableGlobalAdmins)
54+
$DesiredStateText = if ($DisableRegisteringUsers) { 'disabled' } else { 'enabled' }
55+
$DesiredGlobalAdminsText = if ($EnableGlobalAdmins) { 'enabled' } else { 'disabled' }
56+
57+
if ($Settings.remediate -eq $true) {
58+
if ($StateIsCorrect -eq $true) {
59+
Write-LogMessage -API 'Standards' -tenant $Tenant -message "Local administrator settings are already configured (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)." -sev Info
60+
} else {
61+
try {
62+
$PreviousSetting.azureADJoin.localAdmins.registeringUsers = @{ '@odata.type' = $DesiredOdataType }
63+
$PreviousSetting.azureADJoin.localAdmins.enableGlobalAdmins = $EnableGlobalAdmins
64+
$NewBody = ConvertTo-Json -Compress -InputObject $PreviousSetting -Depth 10
65+
New-GraphPostRequest -tenantid $Tenant -Uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -Type PUT -Body $NewBody -ContentType 'application/json'
66+
$CurrentOdataType = $DesiredOdataType
67+
$CurrentEnableGlobalAdmins = $EnableGlobalAdmins
68+
Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set local administrator settings (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)." -sev Info
69+
} catch {
70+
$ErrorMessage = Get-CippException -Exception $_
71+
Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set local administrator settings (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText). Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
72+
}
73+
}
74+
}
75+
76+
if ($Settings.alert -eq $true) {
77+
if ($StateIsCorrect -eq $true) {
78+
Write-LogMessage -API 'Standards' -tenant $Tenant -message "Local administrator settings are configured as expected (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)." -sev Info
79+
} else {
80+
Write-StandardsAlert -message "Local administrator settings are not configured as expected (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)" -object @{ current = @{ registeringUsers = $CurrentOdataType; enableGlobalAdmins = $CurrentEnableGlobalAdmins }; desired = @{ registeringUsers = $DesiredOdataType; enableGlobalAdmins = $EnableGlobalAdmins } } -tenant $Tenant -standardName 'intuneDeviceRegLocalAdmins' -standardId $Settings.standardId
81+
Write-LogMessage -API 'Standards' -tenant $Tenant -message "Local administrator settings are not configured as expected (registering users: $DesiredStateText, global admins: $DesiredGlobalAdminsText)." -sev Info
82+
}
83+
}
84+
85+
if ($Settings.report -eq $true) {
86+
$CurrentValue = @{
87+
registeringUsers = @{
88+
'@odata.type' = $CurrentOdataType
89+
}
90+
enableGlobalAdmins = $CurrentEnableGlobalAdmins
91+
}
92+
$ExpectedValue = @{
93+
registeringUsers = @{
94+
'@odata.type' = $DesiredOdataType
95+
}
96+
enableGlobalAdmins = $EnableGlobalAdmins
97+
}
98+
Set-CIPPStandardsCompareField -FieldName 'standards.intuneDeviceRegLocalAdmins' -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -TenantFilter $Tenant
99+
Add-CIPPBPAField -FieldName 'intuneDeviceRegLocalAdmins' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
100+
}
101+
}
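Review bot: `$DisableRegisteringUsers = [bool]$Settings.disableRegisteringUsers` coerces an absent or `$null` switch to `$false`, so a tenant whose stored settings lack the key would be remediated to `#microsoft.graph.allDeviceRegistrationMembership`, i.e. every registering user becomes a local administrator — the opposite of the `defaultValue: true` declared in ADDEDCOMPONENT and of the least-privilege intent in EXECUTIVETEXT; `enableGlobalAdmins` has the same fail-to-false behaviour. Unless the standards framework guarantees both switches are always populated, default them explicitly: `$DisableRegisteringUsers = if ($null -eq $Settings.disableRegisteringUsers) { $true } else { [bool]$Settings.disableRegisteringUsers }`, and likewise for `$EnableGlobalAdmins`. If a switch can ever arrive as a string, note that `[bool]'false'` is `$true` in PowerShell, so a stricter parse (`-eq $true` or comparing against `'true'`) would be safer than the cast. The Helptext/DocsDescription should also state that turning the first switch off does not leave the policy untouched but actively widens it to all registering users.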
