diff --git a/.editorconfig b/.editorconfig
index b0c2c5085172..eecafcffcb70 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -8,12 +8,12 @@ insert_final_newline = true
[*.{ps1, psd1, psm1}]
indent_size = 4
-end_of_line = crlf
+end_of_line = lf
trim_trailing_whitespace = true
[*.json]
indent_size = 2
-end_of_line = crlf
+end_of_line = lf
trim_trailing_whitespace = true
[*.{md, txt}]
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000000..6b7b1bb62a3f
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,13 @@
+* text=lf
+
+*.txt text eol=crlf
+*.md text eol=crlf
+
+*.ps1 text eol=lf
+*.psd1 text eol=lf
+*.psm1 text eol=lf
+
+*.json text eol=lf
+
+*.png binary
+*.jpg binary
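Review bot: The catch-all on the first added line, `* text=lf`, does not set a line-ending policy: `lf` is not a value Git recognises for the `text` attribute (it takes set, unset or `auto`, and as far as I know any other string is treated as unspecified). Every path not matched by the later patterns therefore falls back to each contributor's `core.autocrlf`/`core.eol` settings. If the intent is LF for everything Git detects as text, write `* text=auto eol=lf`. Only `*.png` and `*.jpg` are marked `binary`; with `text=auto`, other binary types are left to Git's content detection instead of being converted.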
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1
index 335d860c6200..22ac25cb001a 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1
@@ -19,6 +19,8 @@ function Invoke-CIPPStandardActivityBasedTimeout {
{"type":"autoComplete","multiple":false,"creatable":false,"label":"Select value","name":"standards.ActivityBasedTimeout.timeout","options":[{"label":"1 Hour","value":"01:00:00"},{"label":"3 Hours","value":"03:00:00"},{"label":"6 Hours","value":"06:00:00"},{"label":"12 Hours","value":"12:00:00"},{"label":"24 Hours","value":"1.00:00:00"}]}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2022-04-13
POWERSHELLEQUIVALENT
Portal or Graph API
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1
index a57df85e9e4a..9625f199fec9 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardAddDKIM {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-03-14
POWERSHELLEQUIVALENT
New-DkimSigningConfig and Set-DkimSigningConfig
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1
index 23fbae4dc8f8..c44bafe196c3 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardAnonReportDisable {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = \$true}
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1
index 8e3eee48d96c..9f577250c442 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1
@@ -1,221 +1,223 @@
-function Invoke-CIPPStandardAntiPhishPolicy {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) AntiPhishPolicy
- .SYNOPSIS
- (Label) Default Anti-Phishing Policy
- .DESCRIPTION
- (Helptext) This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips.
- (DocsDescription) This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips.
- .NOTES
- CAT
- Defender Standards
- TAG
- "CIS"
- "mdo_safeattachments"
- "mdo_highconfidencespamaction"
- "mdo_highconfidencephishaction"
- "mdo_phisspamacation"
- "mdo_spam_notifications_only_for_admins"
- "mdo_antiphishingpolicies"
- "mdo_phishthresholdlevel"
- ADDEDCOMPONENT
- {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","default":1}
- {"type":"switch","label":"Show first contact safety tip","name":"standards.AntiPhishPolicy.EnableFirstContactSafetyTips","default":true}
- {"type":"switch","label":"Show user impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips","default":true}
- {"type":"switch","label":"Show domain impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips","default":true}
- {"type":"switch","label":"Show user impersonation unusual characters safety tip","name":"standards.AntiPhishPolicy.EnableUnusualCharactersSafetyTips","default":true}
- {"type":"select","multiple":false,"label":"If the message is detected as spoof by spoof intelligence","name":"standards.AntiPhishPolicy.AuthenticationFailAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move to Junk Folder","value":"MoveToJmf"}]}
- {"type":"select","multiple":false,"label":"Quarantine policy for Spoof","name":"standards.AntiPhishPolicy.SpoofQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- {"type":"select","multiple":false,"label":"If a message is detected as user impersonation","name":"standards.AntiPhishPolicy.TargetedUserProtectionAction","options":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]}
- {"type":"select","multiple":false,"label":"Quarantine policy for user impersonation","name":"standards.AntiPhishPolicy.TargetedUserQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- {"type":"select","multiple":false,"label":"If a message is detected as domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainProtectionAction","options":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]}
- {"type":"select","multiple":false,"label":"Quarantine policy for domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainQuarantineTag","options":[{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"},{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"}]}
- {"type":"select","multiple":false,"label":"If Mailbox Intelligence detects an impersonated user","name":"standards.AntiPhishPolicy.MailboxIntelligenceProtectionAction","options":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]}
- {"type":"select","multiple":false,"label":"Apply quarantine policy","name":"standards.AntiPhishPolicy.MailboxIntelligenceQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-AntiphishPolicy or New-AntiphishPolicy
- RECOMMENDEDBY
- "CIS"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'AntiPhishPolicy'
-
- $ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
- $ServicePlans = $ServicePlans.servicePlans.servicePlanName
- $MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
- Write-Information "MDOLicensed: $MDOLicensed"
-
- $PolicyList = @('CIPP Default Anti-Phishing Policy','Default Anti-Phishing Policy')
- $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishPolicy' | Where-Object -Property Name -In $PolicyList
- if ($null -eq $ExistingPolicy.Name) {
- $PolicyName = $PolicyList[0]
- } else {
- $PolicyName = $ExistingPolicy.Name
- }
- $RuleList = @( 'CIPP Default Anti-Phishing Rule','CIPP Default Anti-Phishing Policy')
- $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishRule' | Where-Object -Property Name -In $RuleList
- if ($null -eq $ExistingRule.Name) {
- $RuleName = $RuleList[0]
- } else {
- $RuleName = $ExistingRule.Name
- }
-
- $CurrentState = $ExistingPolicy |
- Select-Object Name, Enabled, PhishThresholdLevel, EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, EnableSpoofIntelligence, EnableFirstContactSafetyTips, EnableSimilarUsersSafetyTips, EnableSimilarDomainsSafetyTips, EnableUnusualCharactersSafetyTips, EnableUnauthenticatedSender, EnableViaTag, AuthenticationFailAction, SpoofQuarantineTag, MailboxIntelligenceProtectionAction, MailboxIntelligenceQuarantineTag, TargetedUserProtectionAction, TargetedUserQuarantineTag, TargetedDomainProtectionAction, TargetedDomainQuarantineTag, EnableOrganizationDomainsProtection
-
- if ($MDOLicensed) {
- $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
- ($CurrentState.Enabled -eq $true) -and
- ($CurrentState.PhishThresholdLevel -eq $Settings.PhishThresholdLevel) -and
- ($CurrentState.EnableMailboxIntelligence -eq $true) -and
- ($CurrentState.EnableMailboxIntelligenceProtection -eq $true) -and
- ($CurrentState.EnableSpoofIntelligence -eq $true) -and
- ($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
- ($CurrentState.EnableSimilarUsersSafetyTips -eq $Settings.EnableSimilarUsersSafetyTips) -and
- ($CurrentState.EnableSimilarDomainsSafetyTips -eq $Settings.EnableSimilarDomainsSafetyTips) -and
- ($CurrentState.EnableUnusualCharactersSafetyTips -eq $Settings.EnableUnusualCharactersSafetyTips) -and
- ($CurrentState.EnableUnauthenticatedSender -eq $true) -and
- ($CurrentState.EnableViaTag -eq $true) -and
- ($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
- ($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag) -and
- ($CurrentState.MailboxIntelligenceProtectionAction -eq $Settings.MailboxIntelligenceProtectionAction) -and
- ($CurrentState.MailboxIntelligenceQuarantineTag -eq $Settings.MailboxIntelligenceQuarantineTag) -and
- ($CurrentState.TargetedUserProtectionAction -eq $Settings.TargetedUserProtectionAction) -and
- ($CurrentState.TargetedUserQuarantineTag -eq $Settings.TargetedUserQuarantineTag) -and
- ($CurrentState.TargetedDomainProtectionAction -eq $Settings.TargetedDomainProtectionAction) -and
- ($CurrentState.TargetedDomainQuarantineTag -eq $Settings.TargetedDomainQuarantineTag) -and
- ($CurrentState.EnableOrganizationDomainsProtection -eq $true)
- } else {
- $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
- ($CurrentState.Enabled -eq $true) -and
- ($CurrentState.EnableSpoofIntelligence -eq $true) -and
- ($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
- ($CurrentState.EnableUnauthenticatedSender -eq $true) -and
- ($CurrentState.EnableViaTag -eq $true) -and
- ($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
- ($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag)
- }
-
- $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
-
- $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishRule' |
- Where-Object -Property Name -EQ $RuleName |
- Select-Object Name, AntiPhishPolicy, Priority, RecipientDomainIs
-
- $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
- ($RuleState.AntiPhishPolicy -eq $PolicyName) -and
- ($RuleState.Priority -eq 0) -and
- (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Anti-phishing policy already correctly configured' -sev Info
- } else {
- if ($MDOLicensed) {
- $cmdparams = @{
- Enabled = $true
- PhishThresholdLevel = $Settings.PhishThresholdLevel
- EnableMailboxIntelligence = $true
- EnableMailboxIntelligenceProtection = $true
- EnableSpoofIntelligence = $true
- EnableFirstContactSafetyTips = $Settings.EnableFirstContactSafetyTips
- EnableSimilarUsersSafetyTips = $Settings.EnableSimilarUsersSafetyTips
- EnableSimilarDomainsSafetyTips = $Settings.EnableSimilarDomainsSafetyTips
- EnableUnusualCharactersSafetyTips = $Settings.EnableUnusualCharactersSafetyTips
- EnableUnauthenticatedSender = $true
- EnableViaTag = $true
- AuthenticationFailAction = $Settings.AuthenticationFailAction
- SpoofQuarantineTag = $Settings.SpoofQuarantineTag
- MailboxIntelligenceProtectionAction = $Settings.MailboxIntelligenceProtectionAction
- MailboxIntelligenceQuarantineTag = $Settings.MailboxIntelligenceQuarantineTag
- TargetedUserProtectionAction = $Settings.TargetedUserProtectionAction
- TargetedUserQuarantineTag = $Settings.TargetedUserQuarantineTag
- TargetedDomainProtectionAction = $Settings.TargetedDomainProtectionAction
- TargetedDomainQuarantineTag = $Settings.TargetedDomainQuarantineTag
- EnableOrganizationDomainsProtection = $true
- }
- } else {
- $cmdparams = @{
- Enabled = $true
- EnableSpoofIntelligence = $true
- EnableFirstContactSafetyTips = $Settings.EnableFirstContactSafetyTips
- EnableUnauthenticatedSender = $true
- EnableViaTag = $true
- AuthenticationFailAction = $Settings.AuthenticationFailAction
- SpoofQuarantineTag = $Settings.SpoofQuarantineTag
- }
- }
-
- if ($CurrentState.Name -eq $PolicyName) {
- try {
- $cmdparams.Add('Identity', $PolicyName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AntiPhishPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Anti-phishing policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Anti-phishing policy $PolicyName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdparams.Add('Name', $PolicyName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'New-AntiPhishPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Anti-phishing policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Anti-phishing policy $PolicyName." -sev Error -LogData $_
- }
- }
- }
-
- if ($RuleStateIsCorrect -eq $false) {
- $cmdparams = @{
- Priority = 0
- RecipientDomainIs = $AcceptedDomains.Name
- }
-
- if ($RuleState.AntiPhishPolicy -ne $PolicyName) {
- $cmdparams.Add('AntiPhishPolicy', $PolicyName)
- }
-
- if ($RuleState.Name -eq $RuleName) {
- try {
- $cmdparams.Add('Identity', $RuleName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AntiPhishRule' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Anti-phishing rule $RuleName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Anti-phishing rule $RuleName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdparams.Add('Name', $RuleName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'New-AntiPhishRule' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Anti-phishing rule $RuleName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Anti-phishing rule $RuleName." -sev Error -LogData $_
- }
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Anti-phishing policy is enabled' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Anti-phishing policy is not enabled' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'AntiPhishPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-
-}
+function Invoke-CIPPStandardAntiPhishPolicy {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) AntiPhishPolicy
+ .SYNOPSIS
+ (Label) Default Anti-Phishing Policy
+ .DESCRIPTION
+ (Helptext) This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips.
+ (DocsDescription) This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips.
+ .NOTES
+ CAT
+ Defender Standards
+ TAG
+ "CIS"
+ "mdo_safeattachments"
+ "mdo_highconfidencespamaction"
+ "mdo_highconfidencephishaction"
+ "mdo_phisspamacation"
+ "mdo_spam_notifications_only_for_admins"
+ "mdo_antiphishingpolicies"
+ "mdo_phishthresholdlevel"
+ ADDEDCOMPONENT
+ {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","defaultValue":1}
+ {"type":"switch","label":"Show first contact safety tip","name":"standards.AntiPhishPolicy.EnableFirstContactSafetyTips","defaultValue":true}
+ {"type":"switch","label":"Show user impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips","defaultValue":true}
+ {"type":"switch","label":"Show domain impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips","defaultValue":true}
+ {"type":"switch","label":"Show user impersonation unusual characters safety tip","name":"standards.AntiPhishPolicy.EnableUnusualCharactersSafetyTips","defaultValue":true}
+ {"type":"select","multiple":false,"label":"If the message is detected as spoof by spoof intelligence","name":"standards.AntiPhishPolicy.AuthenticationFailAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move to Junk Folder","value":"MoveToJmf"}]}
+ {"type":"select","multiple":false,"label":"Quarantine policy for Spoof","name":"standards.AntiPhishPolicy.SpoofQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ {"type":"select","multiple":false,"label":"If a message is detected as user impersonation","name":"standards.AntiPhishPolicy.TargetedUserProtectionAction","options":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]}
+ {"type":"select","multiple":false,"label":"Quarantine policy for user impersonation","name":"standards.AntiPhishPolicy.TargetedUserQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ {"type":"select","multiple":false,"label":"If a message is detected as domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainProtectionAction","options":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]}
+ {"type":"select","multiple":false,"label":"Quarantine policy for domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainQuarantineTag","options":[{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"},{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"}]}
+ {"type":"select","multiple":false,"label":"If Mailbox Intelligence detects an impersonated user","name":"standards.AntiPhishPolicy.MailboxIntelligenceProtectionAction","options":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]}
+ {"type":"select","multiple":false,"label":"Apply quarantine policy","name":"standards.AntiPhishPolicy.MailboxIntelligenceQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-03-25
+ POWERSHELLEQUIVALENT
+ Set-AntiphishPolicy or New-AntiphishPolicy
+ RECOMMENDEDBY
+ "CIS"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'AntiPhishPolicy'
+
+ $ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
+ $ServicePlans = $ServicePlans.servicePlans.servicePlanName
+ $MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
+ Write-Information "MDOLicensed: $MDOLicensed"
+
+ $PolicyList = @('CIPP Default Anti-Phishing Policy','Default Anti-Phishing Policy')
+ $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishPolicy' | Where-Object -Property Name -In $PolicyList
+ if ($null -eq $ExistingPolicy.Name) {
+ $PolicyName = $PolicyList[0]
+ } else {
+ $PolicyName = $ExistingPolicy.Name
+ }
+ $RuleList = @( 'CIPP Default Anti-Phishing Rule','CIPP Default Anti-Phishing Policy')
+ $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishRule' | Where-Object -Property Name -In $RuleList
+ if ($null -eq $ExistingRule.Name) {
+ $RuleName = $RuleList[0]
+ } else {
+ $RuleName = $ExistingRule.Name
+ }
+
+ $CurrentState = $ExistingPolicy |
+ Select-Object Name, Enabled, PhishThresholdLevel, EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, EnableSpoofIntelligence, EnableFirstContactSafetyTips, EnableSimilarUsersSafetyTips, EnableSimilarDomainsSafetyTips, EnableUnusualCharactersSafetyTips, EnableUnauthenticatedSender, EnableViaTag, AuthenticationFailAction, SpoofQuarantineTag, MailboxIntelligenceProtectionAction, MailboxIntelligenceQuarantineTag, TargetedUserProtectionAction, TargetedUserQuarantineTag, TargetedDomainProtectionAction, TargetedDomainQuarantineTag, EnableOrganizationDomainsProtection
+
+ if ($MDOLicensed) {
+ $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+ ($CurrentState.Enabled -eq $true) -and
+ ($CurrentState.PhishThresholdLevel -eq $Settings.PhishThresholdLevel) -and
+ ($CurrentState.EnableMailboxIntelligence -eq $true) -and
+ ($CurrentState.EnableMailboxIntelligenceProtection -eq $true) -and
+ ($CurrentState.EnableSpoofIntelligence -eq $true) -and
+ ($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
+ ($CurrentState.EnableSimilarUsersSafetyTips -eq $Settings.EnableSimilarUsersSafetyTips) -and
+ ($CurrentState.EnableSimilarDomainsSafetyTips -eq $Settings.EnableSimilarDomainsSafetyTips) -and
+ ($CurrentState.EnableUnusualCharactersSafetyTips -eq $Settings.EnableUnusualCharactersSafetyTips) -and
+ ($CurrentState.EnableUnauthenticatedSender -eq $true) -and
+ ($CurrentState.EnableViaTag -eq $true) -and
+ ($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
+ ($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag) -and
+ ($CurrentState.MailboxIntelligenceProtectionAction -eq $Settings.MailboxIntelligenceProtectionAction) -and
+ ($CurrentState.MailboxIntelligenceQuarantineTag -eq $Settings.MailboxIntelligenceQuarantineTag) -and
+ ($CurrentState.TargetedUserProtectionAction -eq $Settings.TargetedUserProtectionAction) -and
+ ($CurrentState.TargetedUserQuarantineTag -eq $Settings.TargetedUserQuarantineTag) -and
+ ($CurrentState.TargetedDomainProtectionAction -eq $Settings.TargetedDomainProtectionAction) -and
+ ($CurrentState.TargetedDomainQuarantineTag -eq $Settings.TargetedDomainQuarantineTag) -and
+ ($CurrentState.EnableOrganizationDomainsProtection -eq $true)
+ } else {
+ $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+ ($CurrentState.Enabled -eq $true) -and
+ ($CurrentState.EnableSpoofIntelligence -eq $true) -and
+ ($CurrentState.EnableFirstContactSafetyTips -eq $Settings.EnableFirstContactSafetyTips) -and
+ ($CurrentState.EnableUnauthenticatedSender -eq $true) -and
+ ($CurrentState.EnableViaTag -eq $true) -and
+ ($CurrentState.AuthenticationFailAction -eq $Settings.AuthenticationFailAction) -and
+ ($CurrentState.SpoofQuarantineTag -eq $Settings.SpoofQuarantineTag)
+ }
+
+ $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
+
+ $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AntiPhishRule' |
+ Where-Object -Property Name -EQ $RuleName |
+ Select-Object Name, AntiPhishPolicy, Priority, RecipientDomainIs
+
+ $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
+ ($RuleState.AntiPhishPolicy -eq $PolicyName) -and
+ ($RuleState.Priority -eq 0) -and
+ (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Anti-phishing policy already correctly configured' -sev Info
+ } else {
+ if ($MDOLicensed) {
+ $cmdparams = @{
+ Enabled = $true
+ PhishThresholdLevel = $Settings.PhishThresholdLevel
+ EnableMailboxIntelligence = $true
+ EnableMailboxIntelligenceProtection = $true
+ EnableSpoofIntelligence = $true
+ EnableFirstContactSafetyTips = $Settings.EnableFirstContactSafetyTips
+ EnableSimilarUsersSafetyTips = $Settings.EnableSimilarUsersSafetyTips
+ EnableSimilarDomainsSafetyTips = $Settings.EnableSimilarDomainsSafetyTips
+ EnableUnusualCharactersSafetyTips = $Settings.EnableUnusualCharactersSafetyTips
+ EnableUnauthenticatedSender = $true
+ EnableViaTag = $true
+ AuthenticationFailAction = $Settings.AuthenticationFailAction
+ SpoofQuarantineTag = $Settings.SpoofQuarantineTag
+ MailboxIntelligenceProtectionAction = $Settings.MailboxIntelligenceProtectionAction
+ MailboxIntelligenceQuarantineTag = $Settings.MailboxIntelligenceQuarantineTag
+ TargetedUserProtectionAction = $Settings.TargetedUserProtectionAction
+ TargetedUserQuarantineTag = $Settings.TargetedUserQuarantineTag
+ TargetedDomainProtectionAction = $Settings.TargetedDomainProtectionAction
+ TargetedDomainQuarantineTag = $Settings.TargetedDomainQuarantineTag
+ EnableOrganizationDomainsProtection = $true
+ }
+ } else {
+ $cmdparams = @{
+ Enabled = $true
+ EnableSpoofIntelligence = $true
+ EnableFirstContactSafetyTips = $Settings.EnableFirstContactSafetyTips
+ EnableUnauthenticatedSender = $true
+ EnableViaTag = $true
+ AuthenticationFailAction = $Settings.AuthenticationFailAction
+ SpoofQuarantineTag = $Settings.SpoofQuarantineTag
+ }
+ }
+
+ if ($CurrentState.Name -eq $PolicyName) {
+ try {
+ $cmdparams.Add('Identity', $PolicyName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AntiPhishPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Anti-phishing policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Anti-phishing policy $PolicyName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdparams.Add('Name', $PolicyName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-AntiPhishPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Anti-phishing policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Anti-phishing policy $PolicyName." -sev Error -LogData $_
+ }
+ }
+ }
+
+ if ($RuleStateIsCorrect -eq $false) {
+ $cmdparams = @{
+ Priority = 0
+ RecipientDomainIs = $AcceptedDomains.Name
+ }
+
+ if ($RuleState.AntiPhishPolicy -ne $PolicyName) {
+ $cmdparams.Add('AntiPhishPolicy', $PolicyName)
+ }
+
+ if ($RuleState.Name -eq $RuleName) {
+ try {
+ $cmdparams.Add('Identity', $RuleName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AntiPhishRule' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Anti-phishing rule $RuleName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Anti-phishing rule $RuleName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdparams.Add('Name', $RuleName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-AntiPhishRule' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Anti-phishing rule $RuleName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Anti-phishing rule $RuleName." -sev Error -LogData $_
+ }
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Anti-phishing policy is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Anti-phishing policy is not enabled' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'AntiPhishPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+
+}
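Review bot: The `alert` and `report` branches at the end of the function test only `$StateIsCorrect`, so a tenant whose policy matches but whose anti-phish rule is missing, bound to another policy, or not covering every accepted domain is still logged as 'Anti-phishing policy is enabled' and stored as compliant. `$RuleStateIsCorrect` is computed earlier and used only to drive remediation; because a custom policy reaches recipients through its rule, consider `$Compliant = $StateIsCorrect -and $RuleStateIsCorrect` and using it in the alert check and as `-FieldValue`. Separately, if both names in `$PolicyList` exist in the tenant, `$ExistingPolicy.Name` is an array, so `$PolicyName` and the `-eq` comparisons against it are no longer scalar; picking one match (for example `| Select-Object -First 1`) would avoid that.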
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiSpamSafeList.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiSpamSafeList.ps1
index 077877e36b32..3ea9d244aedc 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiSpamSafeList.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiSpamSafeList.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardAntiSpamSafeList {
{"type":"switch","name":"standards.AntiSpamSafeList.EnableSafeList","label":"Enable Safe List"}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2025-02-15
POWERSHELLEQUIVALENT
Set-HostedConnectionFilterPolicy "Default" -EnableSafeList \$true
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1
index 4e6802efeb33..183feb83dfee 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAppDeploy.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardAppDeploy {
{"type":"textField","name":"standards.AppDeploy.appids","label":"Application IDs, comma separated"}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-07-07
POWERSHELLEQUIVALENT
Portal or Graph API
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1
index f7e369859105..45cd930a4cda 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1
@@ -1,74 +1,76 @@
-function Invoke-CIPPStandardAtpPolicyForO365 {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) AtpPolicyForO365
- .SYNOPSIS
- (Label) Default Atp Policy For O365
- .DESCRIPTION
- (Helptext) This creates a Atp policy that enables Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams.
- (DocsDescription) This creates a Atp policy that enables Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams.
- .NOTES
- CAT
- Defender Standards
- TAG
- "CIS"
- ADDEDCOMPONENT
- {"type":"switch","label":"Allow people to click through Protected View even if Safe Documents identified the file as malicious","name":"standards.AtpPolicyForO365.AllowSafeDocsOpen","default":false,"required":false}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-AtpPolicyForO365
- RECOMMENDEDBY
- "CIS"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'AtpPolicyForO365'
-
- $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AtpPolicyForO365' |
- Select-Object EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen
-
- $StateIsCorrect = ($CurrentState.EnableATPForSPOTeamsODB -eq $true) -and
- ($CurrentState.EnableSafeDocs -eq $true) -and
- ($CurrentState.AllowSafeDocsOpen -eq $Settings.AllowSafeDocsOpen)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Atp Policy For O365 already set.' -sev Info
- } else {
- $cmdparams = @{
- EnableATPForSPOTeamsODB = $true
- EnableSafeDocs = $true
- AllowSafeDocsOpen = $Settings.AllowSafeDocsOpen
- }
-
- try {
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AtpPolicyForO365' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Atp Policy For O365' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Atp Policy For O365. Error: $ErrorMessage" -sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Atp Policy For O365 is enabled' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Atp Policy For O365 is not enabled' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'AtpPolicyForO365' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-
-}
+function Invoke-CIPPStandardAtpPolicyForO365 {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) AtpPolicyForO365
+ .SYNOPSIS
+ (Label) Default Atp Policy For O365
+ .DESCRIPTION
+ (Helptext) This creates a Atp policy that enables Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams.
+ (DocsDescription) This creates a Atp policy that enables Defender for Office 365 for SharePoint, OneDrive and Microsoft Teams.
+ .NOTES
+ CAT
+ Defender Standards
+ TAG
+ "CIS"
+ ADDEDCOMPONENT
+ {"type":"switch","label":"Allow people to click through Protected View even if Safe Documents identified the file as malicious","name":"standards.AtpPolicyForO365.AllowSafeDocsOpen","defaultValue":false,"required":false}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-03-25
+ POWERSHELLEQUIVALENT
+ Set-AtpPolicyForO365
+ RECOMMENDEDBY
+ "CIS"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'AtpPolicyForO365'
+
+ $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AtpPolicyForO365' |
+ Select-Object EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen
+
+ $StateIsCorrect = ($CurrentState.EnableATPForSPOTeamsODB -eq $true) -and
+ ($CurrentState.EnableSafeDocs -eq $true) -and
+ ($CurrentState.AllowSafeDocsOpen -eq $Settings.AllowSafeDocsOpen)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Atp Policy For O365 already set.' -sev Info
+ } else {
+ $cmdparams = @{
+ EnableATPForSPOTeamsODB = $true
+ EnableSafeDocs = $true
+ AllowSafeDocsOpen = $Settings.AllowSafeDocsOpen
+ }
+
+ try {
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-AtpPolicyForO365' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Atp Policy For O365' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Atp Policy For O365. Error: $ErrorMessage" -sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Atp Policy For O365 is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Atp Policy For O365 is not enabled' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'AtpPolicyForO365' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+
+}
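Review bot: `$Settings.AllowSafeDocsOpen` is used unnormalised in both the `$StateIsCorrect` comparison and the `$cmdparams` hashtable, although the component is declared `"required":false`. If the value arrives absent (this hunk does not show whether the frontend always sends it), `$false -eq $null` evaluates to false, so a correctly configured tenant is flagged as non-compliant on every run and remediation passes `$null` to `Set-AtpPolicyForO365`. Because this switch decides whether users may click through Protected View on files Safe Documents marked as malicious, I would resolve it once to a strict boolean, `$AllowSafeDocsOpen = $Settings.AllowSafeDocsOpen -eq $true`, and use `$AllowSafeDocsOpen` in both places so that anything other than an explicit true falls back to the safer false. Separately, `$StateIsCorrect` is not refreshed after a successful remediation, so the `report` branch stores the pre-remediation value; a short comment saying whether that is intended would help.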
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1
index c2ce718ae008..33f1ef104ac3 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardAuditLog {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Enable-OrganizationCustomization
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuthMethodsSettings.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuthMethodsSettings.ps1
index 18ab2554d4a5..d09843d89e70 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuthMethodsSettings.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuthMethodsSettings.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardAuthMethodsSettings {
{"type":"autoComplete","multiple":false,"creatable":false,"required":false,"name":"standards.AuthMethodsSettings.SystemCredential","label":"System Credential Preferences","options":[{"label":"Microsoft managed","value":"default"},{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2025-02-10
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoAddProxy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoAddProxy.ps1
index 7ad0a6b2e11f..964706df5ae3 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoAddProxy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoAddProxy.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardAutoAddProxy {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2025-02-07
POWERSHELLEQUIVALENT
Set-Mailbox -EmailAddresses @{add=\$EmailAddress}
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1
index 9945f982b524..bad412af24fd 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardAutoExpandArchive {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Set-OrganizationConfig -AutoExpandingArchive
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1
index 94c7890adacf..4a6e949c4523 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardBookings {
{"type":"autoComplete","multiple":false,"label":"Select value","name":"standards.Bookings.state","options":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2024-05-31
POWERSHELLEQUIVALENT
Set-OrganizationConfig -BookingsEnabled
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1
index d4190433c941..76365a928281 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1
@@ -22,6 +22,8 @@ function Invoke-CIPPStandardBranding {
{"type":"switch","name":"standards.Branding.isFooterShown","label":"Show footer"}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-05-13
POWERSHELLEQUIVALENT
Portal only
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1
index def36fadcb5e..3345291f41d3 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardCloudMessageRecall {
{"type":"autoComplete","multiple":false,"label":"Select value","name":"standards.CloudMessageRecall.state","options":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-05-31
POWERSHELLEQUIVALENT
Set-OrganizationConfig -MessageRecallEnabled
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccessTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccessTemplate.ps1
index 4f3dcd23bad6..03105df1c8b5 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccessTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardConditionalAccessTemplate.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardConditionalAccessTemplate {
IMPACT
High Impact
+ ADDEDDATE
+ 2023-12-30
ADDEDCOMPONENT
{"type":"autoComplete","name":"TemplateList","multiple":false,"label":"Select Conditional Access Template","api":{"url":"/api/ListCATemplates","labelField":"displayName","valueField":"GUID","queryKey":"ListCATemplates"}}
{"name":"state","label":"What state should we deploy this template in?","type":"radio","options":[{"value":"donotchange","label":"Do not change state"},{"value":"Enabled","label":"Set to enabled"},{"value":"Disabled","label":"Set to disabled"},{"value":"enabledForReportingButNotEnforced","label":"Set to report only"}]}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
index a1c724a7167d..b6035cb0cd9a 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardDelegateSentItems {
{"type":"switch","label":"Include user mailboxes","name":"standards.DelegateSentItems.IncludeUserMailboxes"}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Set-Mailbox
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
index 428327b1fe99..75929ccdc116 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardDeletedUserRentention {
{"type":"autoComplete","multiple":false,"name":"standards.DeletedUserRentention.Days","label":"Retention time (Default 30 days)","options":[{"label":"30 days","value":"30"},{"label":"90 days","value":"90"},{"label":"1 year","value":"365"},{"label":"2 years","value":"730"},{"label":"3 years","value":"1095"},{"label":"4 years","value":"1460"},{"label":"5 years","value":"1825"},{"label":"6 years","value":"2190"},{"label":"7 years","value":"2555"},{"label":"8 years","value":"2920"},{"label":"9 years","value":"3285"},{"label":"10 years","value":"3650"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-06-15
POWERSHELLEQUIVALENT
Update-MgBetaAdminSharePointSetting
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1
index f488fd9e1e94..bf7928089d8f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardDisableAddShortcutsToOneDrive {
{"type":"autoComplete","multiple":false,"creatable":false,"label":"Add Shortcuts To OneDrive button state","name":"standards.DisableAddShortcutsToOneDrive.state","options":[{"label":"Disabled","value":"true"},{"label":"Enabled","value":"false"}]}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2023-07-25
POWERSHELLEQUIVALENT
Set-SPOTenant -DisableAddShortcutsToOneDrive \$true or \$false
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1
index 0335b7dcace4..e295651f6165 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardDisableAdditionalStorageProviders {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-01-17
POWERSHELLEQUIVALENT
Get-OwaMailboxPolicy \| Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled \$False
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1
index 295d5e9b87f8..d22a1f88b8fa 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardDisableAppCreation {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-03-20
POWERSHELLEQUIVALENT
Update-MgPolicyAuthorizationPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1
index eb4de11a619a..feab61d0ee06 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Set-TransportConfig -SmtpClientAuthenticationDisabled \$true
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1
index b810f67f6c82..b85b0777b6f1 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableEmail {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2023-12-18
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1
index 8270a259292b..780a8177da55 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardDisableExternalCalendarSharing {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-01-08
POWERSHELLEQUIVALENT
Get-SharingPolicy \| Set-SharingPolicy -Enabled \$False
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
index e0ecf6b19586..d0661ab6a34b 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableGuestDirectory {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-05-04
POWERSHELLEQUIVALENT
Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b'
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
index b17a84ee81f3..3271feda4b05 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableGuests {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2022-10-20
POWERSHELLEQUIVALENT
Graph API
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
index b241ae9e19ca..12614ae0090e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableM365GroupUsers {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-07-17
POWERSHELLEQUIVALENT
Update-MgBetaDirectorySetting
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1
index e011c6b46878..36dc84459f06 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardDisableOutlookAddins {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2024-02-05
POWERSHELLEQUIVALENT
Get-ManagementRoleAssignment \| Remove-ManagementRoleAssignment
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableQRCodePin.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableQRCodePin.ps1
index ae8b46922a0a..98ce2c9b1158 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableQRCodePin.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableQRCodePin.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableQRCodePin {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2024-02-10
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1
index 158c1fa7010b..8cdba0d63a8b 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardDisableReshare {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2022-06-15
POWERSHELLEQUIVALENT
Update-MgBetaAdminSharePointSetting
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1
index 5c79181d7879..b8e21c804f95 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableSMS {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2023-12-18
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
index 8f8643dacadc..0912dbce54bd 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableSecurityGroupUsers {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2022-07-17
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthorizationPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1
index 64eab6788d6a..6829d04564ab 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses {
{"type":"textField","name":"standards.DisableSelfServiceLicenses.Exclusions","label":"License Ids to exclude from this standard","required":false}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Set-MsolCompanySettings -AllowAdHocSubscriptions \$false
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1
index a9e5d0d8c51c..f38bc79e6637 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardDisableSharePointLegacyAuth {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2024-02-05
POWERSHELLEQUIVALENT
Set-SPOTenant -LegacyAuthProtocolsEnabled \$false
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1
index b3825fe36b83..071a8d12d38e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardDisableSharedMailbox {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Get-Mailbox & Update-MgUser
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1
index 293ce18f7762..450882ec1bbe 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableTNEF {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-04-26
POWERSHELLEQUIVALENT
Set-RemoteDomain -Identity 'Default' -TNEFEnabled \$false
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1
index a167603091de..34192ba11dd3 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardDisableTenantCreation {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-11-29
POWERSHELLEQUIVALENT
Update-MgPolicyAuthorizationPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1
index 442a48ad6c2f..d437a3780e50 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableUserSiteCreate {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2022-06-15
POWERSHELLEQUIVALENT
Update-MgAdminSharePointSetting
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1
index ac7b6b207575..b09e560e43c9 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableViva {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-05-25
POWERSHELLEQUIVALENT
Set-UserBriefingConfig
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1
index db80a2e91e8e..b892cf34202e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisableVoice {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2023-12-18
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
index d6fcb84c2d08..b07f36a401af 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardDisablex509Certificate {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2023-12-18
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEXODisableAutoForwarding.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEXODisableAutoForwarding.ps1
index d2ab1cf7088d..224b1e81963f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEXODisableAutoForwarding.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEXODisableAutoForwarding.ps1
@@ -19,6 +19,8 @@ function Invoke-CIPPStandardEXODisableAutoForwarding {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2024-07-26
POWERSHELLEQUIVALENT
Set-HostedOutboundSpamFilterPolicy -AutoForwardingMode 'Off'
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1
index 7db52549e3dc..e82f0032a277 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardEnableAppConsentRequests {
{"type":"AdminRolesMultiSelect","label":"App Consent Reviewer Roles","name":"standards.EnableAppConsentRequests.ReviewerRoles"}
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-11-27
POWERSHELLEQUIVALENT
Update-MgPolicyAdminConsentRequestPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1
index ef686a9cccb1..b64f8062db19 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardEnableCustomerLockbox {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-01-08
POWERSHELLEQUIVALENT
Set-OrganizationConfig -CustomerLockBoxEnabled \$true
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1
index bed8799542aa..88e68f9581c9 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardEnableFIDO2 {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-12-08
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1
index 811d20565c9f..f7a90138c7f3 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardEnableHardwareOAuth {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-12-18
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1
index 549a0d8b1590..f872be29d6ef 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1
@@ -1,77 +1,79 @@
-function Invoke-CIPPStandardEnableLitigationHold {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) EnableLitigationHold
- .SYNOPSIS
- (Label) Enable Litigation Hold for all users
- .DESCRIPTION
- (Helptext) Enables litigation hold for all UserMailboxes with a valid license.
- (DocsDescription) Enables litigation hold for all UserMailboxes with a valid license.
- .NOTES
- CAT
- Exchange Standards
- TAG
- ADDEDCOMPONENT
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-Mailbox -LitigationHoldEnabled \$true
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/exchange-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'EnableLitigationHold'
-
- $MailboxesNoLitHold = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdparams @{ Filter = 'LitigationHoldEnabled -eq "False"' } | Where-Object { $_.PersistedCapabilities -contains 'BPOS_S_DlpAddOn' -or $_.PersistedCapabilities -contains 'BPOS_S_Enterprise' }
-
- If ($Settings.remediate -eq $true) {
-
- if ($null -eq $MailboxesNoLitHold) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Litigation Hold already enabled for all accounts' -sev Info
- } else {
- try {
- $Request = $MailboxesNoLitHold | ForEach-Object {
- @{
- CmdletInput = @{
- CmdletName = 'Set-Mailbox'
- Parameters = @{ Identity = $_.UserPrincipalName; LitigationHoldEnabled = $true }
- }
- }
- }
-
- $BatchResults = New-ExoBulkRequest -tenantid $tenant -cmdletArray @($Request)
- $BatchResults | ForEach-Object {
- if ($_.error) {
- $ErrorMessage = Get-NormalizedError -Message $_.error
- Write-Host "Failed to Enable Litigation Hold for $($_.Target). Error: $ErrorMessage"
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to Enable Litigation Hold for $($_.Target). Error: $ErrorMessage" -sev Error
- }
- }
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to Enable Litigation Hold for all accounts. Error: $ErrorMessage" -sev Error
- }
- }
-
- }
-
- if ($Settings.alert -eq $true) {
-
- if ($MailboxesNoLitHold) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Mailboxes without Litigation Hold: $($MailboxesNoLitHold.Count)" -sev Alert
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'All mailboxes have Litigation Hold enabled' -sev Info
- }
- }
-
- if ($Settings.report -eq $true) {
- $filtered = $MailboxesNoLitHold | Select-Object -Property UserPrincipalName
- Add-CIPPBPAField -FieldName 'EnableLitHold' -FieldValue $filtered -StoreAs json -Tenant $Tenant
- }
-}
+function Invoke-CIPPStandardEnableLitigationHold {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) EnableLitigationHold
+ .SYNOPSIS
+ (Label) Enable Litigation Hold for all users
+ .DESCRIPTION
+ (Helptext) Enables litigation hold for all UserMailboxes with a valid license.
+ (DocsDescription) Enables litigation hold for all UserMailboxes with a valid license.
+ .NOTES
+ CAT
+ Exchange Standards
+ TAG
+ ADDEDCOMPONENT
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-06-25
+ POWERSHELLEQUIVALENT
+ Set-Mailbox -LitigationHoldEnabled \$true
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/exchange-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'EnableLitigationHold'
+
+ $MailboxesNoLitHold = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdparams @{ Filter = 'LitigationHoldEnabled -eq "False"' } | Where-Object { $_.PersistedCapabilities -contains 'BPOS_S_DlpAddOn' -or $_.PersistedCapabilities -contains 'BPOS_S_Enterprise' }
+
+ If ($Settings.remediate -eq $true) {
+
+ if ($null -eq $MailboxesNoLitHold) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Litigation Hold already enabled for all accounts' -sev Info
+ } else {
+ try {
+ $Request = $MailboxesNoLitHold | ForEach-Object {
+ @{
+ CmdletInput = @{
+ CmdletName = 'Set-Mailbox'
+ Parameters = @{ Identity = $_.UserPrincipalName; LitigationHoldEnabled = $true }
+ }
+ }
+ }
+
+ $BatchResults = New-ExoBulkRequest -tenantid $tenant -cmdletArray @($Request)
+ $BatchResults | ForEach-Object {
+ if ($_.error) {
+ $ErrorMessage = Get-NormalizedError -Message $_.error
+ Write-Host "Failed to Enable Litigation Hold for $($_.Target). Error: $ErrorMessage"
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to Enable Litigation Hold for $($_.Target). Error: $ErrorMessage" -sev Error
+ }
+ }
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to Enable Litigation Hold for all accounts. Error: $ErrorMessage" -sev Error
+ }
+ }
+
+ }
+
+ if ($Settings.alert -eq $true) {
+
+ if ($MailboxesNoLitHold) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Mailboxes without Litigation Hold: $($MailboxesNoLitHold.Count)" -sev Alert
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'All mailboxes have Litigation Hold enabled' -sev Info
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ $filtered = $MailboxesNoLitHold | Select-Object -Property UserPrincipalName
+ Add-CIPPBPAField -FieldName 'EnableLitHold' -FieldValue $filtered -StoreAs json -Tenant $Tenant
+ }
+}
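Review bot: The `Get-Mailbox` query at the top of `Invoke-CIPPStandardEnableLitigationHold` runs outside any `try`, and an empty result is then logged as 'Litigation Hold already enabled for all accounts', so a query that fails or returns nothing cannot be told apart from a compliant tenant. If `New-ExoRequest` throws, the function exits without a Standards log entry; if it returns nothing on error (its behaviour is not visible here), the remediate, alert and report branches all record a clean state. I would wrap the query and return early on failure, as sketched below. Separately, the alert and report branches read the list captured before remediation, so they still name mailboxes that were just fixed.

```powershell
try {
    $MailboxesNoLitHold = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdparams @{ Filter = 'LitigationHoldEnabled -eq "False"' } |
        Where-Object { $_.PersistedCapabilities -contains 'BPOS_S_DlpAddOn' -or $_.PersistedCapabilities -contains 'BPOS_S_Enterprise' }
} catch {
    $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
    Write-LogMessage -API 'Standards' -tenant $Tenant -message "Could not query Litigation Hold state. Error: $ErrorMessage" -sev Error
    return
}
# … unchanged: remediate, alert and report branches …
```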
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1
index 022142a0a3c0..f7fa667ef7e5 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1
@@ -16,9 +16,11 @@ function Invoke-CIPPStandardEnableMailTips {
"CIS"
"exo_mailtipsenabled"
ADDEDCOMPONENT
- {"type":"number","name":"standards.EnableMailTips.MailTipsLargeAudienceThreshold","label":"Number of recipients to trigger the large audience MailTip (Default is 25)","placeholder":"Enter a profile name","default":25}
+ {"type":"number","name":"standards.EnableMailTips.MailTipsLargeAudienceThreshold","label":"Number of recipients to trigger the large audience MailTip (Default is 25)","placeholder":"Enter a profile name","defaultValue":25}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-01-14
POWERSHELLEQUIVALENT
Set-OrganizationConfig
RECOMMENDEDBY
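Review bot: The `placeholder` on the changed ADDEDCOMPONENT line still reads "Enter a profile name", which does not describe a numeric recipient threshold and looks copied from another standard. Since the line is already being touched for `defaultValue`, I would correct it in the same change, e.g. `"placeholder":"Enter a number of recipients"`. The comment block and the function body continue outside the hunk.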
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
index ec82ce508ce8..e65bd27e986b 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardEnableMailboxAuditing {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-01-08
POWERSHELLEQUIVALENT
Set-OrganizationConfig -AuditDisabled \$false
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1
index 8c26ecb9ef1e..32d76c87d284 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardEnableOnlineArchiving {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-01-20
POWERSHELLEQUIVALENT
Enable-Mailbox -Archive \$true
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1
index 532c133fc736..1023eecb109e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardEnablePronouns {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-06-05
POWERSHELLEQUIVALENT
Update-MgBetaAdminPeoplePronoun -IsEnabledInOrganization:\$true
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1
index c2b6154f2d99..93fcf7958b3e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardExcludedfileExt {
{"type":"textField","name":"standards.ExcludedfileExt.ext","label":"Extensions, Comma separated"}
IMPACT
High Impact
+ ADDEDDATE
+ 2022-06-15
POWERSHELLEQUIVALENT
Update-MgAdminSharePointSetting
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1
index 4525d093a6e2..6aa494364001 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardExternalMFATrusted {
{"type":"autoComplete","multiple":false,"creatable":false,"label":"Select value","name":"standards.ExternalMFATrusted.state","options":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-03-26
POWERSHELLEQUIVALENT
Update-MgBetaPolicyCrossTenantAccessPolicyDefault
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1
index 652a5ab72466..34aa1a51fe1d 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardFocusedInbox {
{"type":"autoComplete","multiple":false,"label":"Select value","name":"standards.FocusedInbox.state","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-04-26
POWERSHELLEQUIVALENT
Set-OrganizationConfig -FocusedInboxOn \$true or \$false
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1
index 882ef5efd6c6..1e973ef9daeb 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardGlobalQuarantineNotifications {
{"type":"autoComplete","multiple":false,"label":"Select value","name":"standards.GlobalQuarantineNotifications.NotificationInterval","options":[{"label":"4 hours","value":"04:00:00"},{"label":"1 day/Daily","value":"1.00:00:00"},{"label":"7 days/Weekly","value":"7.00:00:00"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-05-03
POWERSHELLEQUIVALENT
Set-QuarantinePolicy -EndUserSpamNotificationFrequency
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1
index 698f42063b2f..c36603c329b4 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGroupTemplate.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardGroupTemplate {
IMPACT
Medium Impact
+ ADDEDDATE
+ 2023-12-30
ADDEDCOMPONENT
{"type":"autoComplete","name":"groupTemplate","label":"Select Group Template","api":{"url":"/api/ListGroupTemplates","labelField":"Displayname","valueField":"GUID","queryKey":"ListGroupTemplates"}}
UPDATECOMMENTBLOCK
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGuestInvite.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGuestInvite.ps1
index cb3d745d17e5..4119652649a9 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGuestInvite.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGuestInvite.ps1
@@ -1,76 +1,78 @@
-function Invoke-CIPPStandardGuestInvite {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) GuestInvite
- .SYNOPSIS
- (Label) Guest Invite setting
- .DESCRIPTION
- (Helptext) This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources.
- (DocsDescription) This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources.
- .NOTES
- CAT
- Entra (AAD) Standards
- TAG
- ADDEDCOMPONENT
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Who can send invites?","name":"standards.GuestInvite.allowInvitesFrom","options":[{"label":"Everyone","value":"everyone"},{"label":"Admins, Guest inviters and All Members","value":"adminsGuestInvitersAndAllMembers"},{"label":"Admins and Guest inviters","value":"adminsAndGuestInviters"},{"label":"None","value":"none"}]}
- IMPACT
- Medium Impact
- POWERSHELLEQUIVALENT
-
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/entra-aad-standards#medium-impact
- #>
-
- param($Tenant, $Settings)
-
- $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
-
- # Input validation and value handling
- $AllowInvitesFromValue = $Settings.allowInvitesFrom.value ?? $Settings.allowInvitesFrom
- if (([string]::IsNullOrWhiteSpace($AllowInvitesFromValue) -or $AllowInvitesFromValue -eq 'Select a value') -and ($Settings.remediate -eq $true -or $Settings.alert -eq $true)) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'GuestInvite: Invalid allowInvitesFrom parameter set' -sev Error
- Return
- }
-
- $StateIsCorrect = ($CurrentState.allowInvitesFrom -eq $AllowInvitesFromValue)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Guest Invite settings is already applied correctly.' -Sev Info
- } else {
- try {
- $GraphRequest = @{
- tenantID = $Tenant
- uri = 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy'
- AsApp = $false
- Type = 'PATCH'
- ContentType = 'application/json; charset=utf-8'
- Body = [pscustomobject]@{
- allowInvitesFrom = $AllowInvitesFromValue
- } | ConvertTo-Json -Compress
- }
- New-GraphPostRequest @GraphRequest
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Successfully updated Guest Invite setting to $AllowInvitesFromValue" -Sev Info
- } catch {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to update Guest Invite setting to $AllowInvitesFromValue" -Sev Error -LogData $_
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest Invite settings is enabled.' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest Invite settings is not enabled.' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'GuestInvite' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-}
+function Invoke-CIPPStandardGuestInvite {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) GuestInvite
+ .SYNOPSIS
+ (Label) Guest Invite setting
+ .DESCRIPTION
+ (Helptext) This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources.
+ (DocsDescription) This setting controls who can invite guests to your directory to collaborate on resources secured by your company, such as SharePoint sites or Azure resources.
+ .NOTES
+ CAT
+ Entra (AAD) Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Who can send invites?","name":"standards.GuestInvite.allowInvitesFrom","options":[{"label":"Everyone","value":"everyone"},{"label":"Admins, Guest inviters and All Members","value":"adminsGuestInvitersAndAllMembers"},{"label":"Admins and Guest inviters","value":"adminsAndGuestInviters"},{"label":"None","value":"none"}]}
+ IMPACT
+ Medium Impact
+ ADDEDDATE
+ 2024-11-12
+ POWERSHELLEQUIVALENT
+
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/entra-aad-standards#medium-impact
+ #>
+
+ param($Tenant, $Settings)
+
+ $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
+
+ # Input validation and value handling
+ $AllowInvitesFromValue = $Settings.allowInvitesFrom.value ?? $Settings.allowInvitesFrom
+ if (([string]::IsNullOrWhiteSpace($AllowInvitesFromValue) -or $AllowInvitesFromValue -eq 'Select a value') -and ($Settings.remediate -eq $true -or $Settings.alert -eq $true)) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'GuestInvite: Invalid allowInvitesFrom parameter set' -sev Error
+ Return
+ }
+
+ $StateIsCorrect = ($CurrentState.allowInvitesFrom -eq $AllowInvitesFromValue)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Guest Invite settings is already applied correctly.' -Sev Info
+ } else {
+ try {
+ $GraphRequest = @{
+ tenantID = $Tenant
+ uri = 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy'
+ AsApp = $false
+ Type = 'PATCH'
+ ContentType = 'application/json; charset=utf-8'
+ Body = [pscustomobject]@{
+ allowInvitesFrom = $AllowInvitesFromValue
+ } | ConvertTo-Json -Compress
+ }
+ New-GraphPostRequest @GraphRequest
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Successfully updated Guest Invite setting to $AllowInvitesFromValue" -Sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to update Guest Invite setting to $AllowInvitesFromValue" -Sev Error -LogData $_
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest Invite settings is enabled.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Guest Invite settings is not enabled.' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'GuestInvite' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+}
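Review bot: The alert branch logs 'Guest Invite settings is enabled.' or 'is not enabled.', but `$StateIsCorrect` only records whether the tenant's `allowInvitesFrom` matches the configured value, so the Alert entry does not say which value drifted and is misleading when the standard is set to `none`. I would have the Alert line carry both values, e.g. `-message "Guest Invite setting is '$($CurrentState.allowInvitesFrom)', expected '$AllowInvitesFromValue'."`. The validation above also rejects only blank input and 'Select a value'; checking the value against the four options listed in ADDEDCOMPONENT (`everyone`, `adminsGuestInvitersAndAllMembers`, `adminsAndGuestInviters`, `none`) before the PATCH would catch a malformed setting without a round trip to Graph.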
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneComplianceSettings.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneComplianceSettings.ps1
index 6340b7f3e0d1..9342c223041d 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneComplianceSettings.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneComplianceSettings.ps1
@@ -1,77 +1,79 @@
-function Invoke-CIPPStandardIntuneComplianceSettings {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) IntuneComplianceSettings
- .SYNOPSIS
- (Label) Set Intune Compliance Settings
- .DESCRIPTION
- (Helptext) Sets the mark devices with no compliance policy assigned as compliance/non compliant and Compliance status validity period.
- (DocsDescription) Sets the mark devices with no compliance policy assigned as compliance/non compliant and Compliance status validity period.
- .NOTES
- CAT
- Intune Standards
- TAG
- ADDEDCOMPONENT
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.IntuneComplianceSettings.secureByDefault","label":"Mark devices with no compliance policy as","options":[{"label":"Compliant","value":"false"},{"label":"Non-Compliant","value":"true"}]}
- {"type":"number","name":"standards.IntuneComplianceSettings.deviceComplianceCheckinThresholdDays","label":"Compliance status validity period (days)"}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
-
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/intune-standards#low-impact
- #>
-
- param($Tenant, $Settings)
-
- $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/settings' -tenantid $Tenant
-
- if ($null -eq $Settings.deviceComplianceCheckinThresholdDays) { $Settings.deviceComplianceCheckinThresholdDays = $CurrentState.deviceComplianceCheckinThresholdDays }
- $SecureByDefault = $Settings.secureByDefault.value ?? $Settings.secureByDefault
- $StateIsCorrect = ($CurrentState.secureByDefault -eq $SecureByDefault) -and
- ($CurrentState.deviceComplianceCheckinThresholdDays -eq $Settings.deviceComplianceCheckinThresholdDays)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'InTune Compliance settings is already applied correctly.' -Sev Info
- } else {
- try {
- $GraphRequest = @{
- tenantID = $Tenant
- uri = 'https://graph.microsoft.com/beta/deviceManagement'
- AsApp = $true
- Type = 'PATCH'
- ContentType = 'application/json; charset=utf-8'
- Body = [pscustomobject]@{
- settings = [pscustomobject]@{
- secureByDefault = $SecureByDefault
- deviceComplianceCheckinThresholdDays = $Settings.deviceComplianceCheckinThresholdDays
- }
- } | ConvertTo-Json -Compress
- }
- New-GraphPostRequest @GraphRequest
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully updated InTune Compliance settings.' -Sev Info
- } catch {
- $ErrorMessage = Get-CippException -Exception $_
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Failed to update InTune Compliance settings.' -Sev Error -LogData $ErrorMessage
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'InTune Compliance settings is enabled.' -Sev Info
- } else {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'InTune Compliance settings is not enabled.' -Sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'IntuneComplianceSettings' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+function Invoke-CIPPStandardIntuneComplianceSettings {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) IntuneComplianceSettings
+ .SYNOPSIS
+ (Label) Set Intune Compliance Settings
+ .DESCRIPTION
+ (Helptext) Sets the mark devices with no compliance policy assigned as compliance/non compliant and Compliance status validity period.
+ (DocsDescription) Sets the mark devices with no compliance policy assigned as compliance/non compliant and Compliance status validity period.
+ .NOTES
+ CAT
+ Intune Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.IntuneComplianceSettings.secureByDefault","label":"Mark devices with no compliance policy as","options":[{"label":"Compliant","value":"false"},{"label":"Non-Compliant","value":"true"}]}
+ {"type":"number","name":"standards.IntuneComplianceSettings.deviceComplianceCheckinThresholdDays","label":"Compliance status validity period (days)"}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-11-12
+ POWERSHELLEQUIVALENT
+
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/intune-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+
+ $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/settings' -tenantid $Tenant
+
+ if ($null -eq $Settings.deviceComplianceCheckinThresholdDays) { $Settings.deviceComplianceCheckinThresholdDays = $CurrentState.deviceComplianceCheckinThresholdDays }
+ $SecureByDefault = $Settings.secureByDefault.value ?? $Settings.secureByDefault
+ $StateIsCorrect = ($CurrentState.secureByDefault -eq $SecureByDefault) -and
+ ($CurrentState.deviceComplianceCheckinThresholdDays -eq $Settings.deviceComplianceCheckinThresholdDays)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'InTune Compliance settings is already applied correctly.' -Sev Info
+ } else {
+ try {
+ $GraphRequest = @{
+ tenantID = $Tenant
+ uri = 'https://graph.microsoft.com/beta/deviceManagement'
+ AsApp = $true
+ Type = 'PATCH'
+ ContentType = 'application/json; charset=utf-8'
+ Body = [pscustomobject]@{
+ settings = [pscustomobject]@{
+ secureByDefault = $SecureByDefault
+ deviceComplianceCheckinThresholdDays = $Settings.deviceComplianceCheckinThresholdDays
+ }
+ } | ConvertTo-Json -Compress
+ }
+ New-GraphPostRequest @GraphRequest
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully updated InTune Compliance settings.' -Sev Info
+ } catch {
+ $ErrorMessage = Get-CippException -Exception $_
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Failed to update InTune Compliance settings.' -Sev Error -LogData $ErrorMessage
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'InTune Compliance settings is enabled.' -Sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'InTune Compliance settings is not enabled.' -Sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'IntuneComplianceSettings' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
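Review bot: `$SecureByDefault` comes from the form options, whose values are the strings "true" and "false", and is then used on the right-hand side of `$CurrentState.secureByDefault -eq $SecureByDefault`. If Graph returns that property as a boolean (likely, but not visible here), PowerShell converts the string to `[bool]`, and any non-empty string, including 'false', becomes `$true`. With 'Compliant' selected the state check would then be inverted, and the PATCH body would carry a string rather than a boolean, so the standard could report a correct state while devices without a compliance policy are handled the opposite way. Normalising once avoids both: `$SecureByDefault = [System.Convert]::ToBoolean($Settings.secureByDefault.value ?? $Settings.secureByDefault)`, which raises an error on a non-boolean string instead of treating it as true.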
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
index 0fd4635ec0cc..361073a2f21f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1
@@ -18,10 +18,13 @@ function Invoke-CIPPStandardIntuneTemplate {
IMPACT
High Impact
+ ADDEDDATE
+ 2023-12-30
ADDEDCOMPONENT
{"type":"autoComplete","multiple":false,"creatable":false,"name":"TemplateList","label":"Select Intune Template","api":{"url":"/api/ListIntuneTemplates","labelField":"Displayname","valueField":"GUID","queryKey":"languages"}}
{"name":"AssignTo","label":"Who should this template be assigned to?","type":"radio","options":[{"label":"Do not assign","value":"On"},{"label":"Assign to all users","value":"allLicensedUsers"},{"label":"Assign to all devices","value":"AllDevices"},{"label":"Assign to all users and devices","value":"AllDevicesAndUsers"},{"label":"Assign to Custom Group","value":"customGroup"}]}
{"type":"textField","required":false,"name":"customGroup","label":"Enter the custom group name if you selected 'Assign to Custom Group'. Wildcards are allowed."}
+ {"name":"excludeGroup","label":"Exclude Groups","type":"textField","required":false,"helpText":"Enter the group name to exclude from the assignment. Wildcards are allowed."}
UPDATECOMMENTBLOCK
Run the Tools\Update-StandardsComments.ps1 script to update this comment block
.LINK
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1
index 5715f6f16b9d..94409b104bbb 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardLegacyMFACleanup {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Set-MsolUser -StrongAuthenticationRequirements \$null
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMDMScope.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMDMScope.ps1
index 81e588624756..c778a17d4d7b 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMDMScope.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMDMScope.ps1
@@ -1,124 +1,126 @@
-function Invoke-CIPPStandardMDMScope {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) MDMScope
- .SYNOPSIS
- (Label) Configure MDM user scope
- .DESCRIPTION
- (Helptext) Configures the MDM user scope. This also sets the terms of use, discovery and compliance URL to default URLs.
- (DocsDescription) Configures the MDM user scope. This also sets the terms of use URL, discovery URL and compliance URL to default values.
- .NOTES
- CAT
- Intune Standards
- TAG
- ADDEDCOMPONENT
- {"name":"appliesTo","label":"MDM User Scope?","type":"radio","options":[{"label":"All","value":"all"},{"label":"None","value":"none"},{"label":"Custom Group","value":"selected"}]}
- {"type":"textField","name":"standards.MDMScope.customGroup","label":"Custom Group Name","required":false}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Graph API
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/intune-standards#low-impact
- #>
-
- param($Tenant, $Settings)
-
- $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000?$expand=includedGroups' -tenantid $Tenant
-
- $StateIsCorrect = ($CurrentInfo.termsOfUseUrl -eq 'https://portal.manage.microsoft.com/TermsofUse.aspx') -and
- ($CurrentInfo.discoveryUrl -eq 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc') -and
- ($CurrentInfo.complianceUrl -eq 'https://portal.manage.microsoft.com/?portalAction=Compliance') -and
- ($CurrentInfo.appliesTo -eq $Settings.appliesTo) -and
- ($Settings.appliesTo -ne 'selected' -or ($CurrentInfo.includedGroups.displayName -contains $Settings.customGroup))
-
- If ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope already correctly configured' -sev Info
- } else {
- $GraphParam = @{
- tenantid = $tenant
- Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000'
- ContentType = 'application/json; charset=utf-8'
- asApp = $false
- type = 'PATCH'
- AddedHeaders = @{'Accept-Language' = 0 }
- Body = @{
- 'termsOfUseUrl' = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
- 'discoveryUrl' = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
- 'complianceUrl' = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
- } | ConvertTo-Json
- }
-
- try {
- New-GraphPostRequest @GraphParam
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully configured MDM Scope' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to configure MDM Scope." -sev Error -LogData $ErrorMessage
- }
-
- # Workaround for MDM Scope Assignment error: "Could not set MDM Scope for [TENANT]: Simultaneous patch requests on both the appliesTo and URL properties are currently not supported."
- if ($Settings.appliesTo -ne 'selected') {
- $GraphParam = @{
- tenantid = $tenant
- Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000'
- ContentType = 'application/json; charset=utf-8'
- asApp = $false
- type = 'PATCH'
- AddedHeaders = @{'Accept-Language' = 0 }
- Body = @{
- 'appliesTo' = $Settings.appliesTo
- } | ConvertTo-Json
- }
-
- try {
- New-GraphPostRequest @GraphParam
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully assigned $($Settings.appliesTo) to MDM Scope" -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to assign $($Settings.appliesTo) to MDM Scope." -sev Error -LogData $ErrorMessage
- }
- } else {
- $GroupID = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/groups?`$top=999&`$select=id,displayName&`$filter=displayName eq '$($Settings.customGroup)'" -tenantid $tenant -asApp $true).id
- $GraphParam = @{
- tenantid = $tenant
- Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000/includedGroups/$ref'
- ContentType = 'application/json; charset=utf-8'
- asApp = $false
- type = 'POST'
- AddedHeaders = @{'Accept-Language' = 0 }
- Body = @{
- '@odata.id' = "https://graph.microsoft.com/odata/groups('$GroupID')"
- } | ConvertTo-Json
- }
-
- try {
- New-GraphPostRequest @GraphParam
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully assigned $($Settings.customGroup) to MDM Scope" -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to assign $($Settings.customGroup) to MDM Scope" -sev Error -LogData $ErrorMessage
- }
- }
- }
- }
-
- if ($Settings.alert -eq $true -eq $true) {
- if ($StateIsCorrect) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope is correctly configured' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope is not correctly configured' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'MDMScope' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-
-}
+function Invoke-CIPPStandardMDMScope {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) MDMScope
+ .SYNOPSIS
+ (Label) Configure MDM user scope
+ .DESCRIPTION
+ (Helptext) Configures the MDM user scope. This also sets the terms of use, discovery and compliance URL to default URLs.
+ (DocsDescription) Configures the MDM user scope. This also sets the terms of use URL, discovery URL and compliance URL to default values.
+ .NOTES
+ CAT
+ Intune Standards
+ TAG
+ ADDEDCOMPONENT
+ {"name":"appliesTo","label":"MDM User Scope?","type":"radio","options":[{"label":"All","value":"all"},{"label":"None","value":"none"},{"label":"Custom Group","value":"selected"}]}
+ {"type":"textField","name":"standards.MDMScope.customGroup","label":"Custom Group Name","required":false}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2025-02-18
+ POWERSHELLEQUIVALENT
+ Graph API
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/intune-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+
+ $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000?$expand=includedGroups' -tenantid $Tenant
+
+ $StateIsCorrect = ($CurrentInfo.termsOfUseUrl -eq 'https://portal.manage.microsoft.com/TermsofUse.aspx') -and
+ ($CurrentInfo.discoveryUrl -eq 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc') -and
+ ($CurrentInfo.complianceUrl -eq 'https://portal.manage.microsoft.com/?portalAction=Compliance') -and
+ ($CurrentInfo.appliesTo -eq $Settings.appliesTo) -and
+ ($Settings.appliesTo -ne 'selected' -or ($CurrentInfo.includedGroups.displayName -contains $Settings.customGroup))
+
+ If ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope already correctly configured' -sev Info
+ } else {
+ $GraphParam = @{
+ tenantid = $tenant
+ Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000'
+ ContentType = 'application/json; charset=utf-8'
+ asApp = $false
+ type = 'PATCH'
+ AddedHeaders = @{'Accept-Language' = 0 }
+ Body = @{
+ 'termsOfUseUrl' = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
+ 'discoveryUrl' = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
+ 'complianceUrl' = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
+ } | ConvertTo-Json
+ }
+
+ try {
+ New-GraphPostRequest @GraphParam
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully configured MDM Scope' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to configure MDM Scope." -sev Error -LogData $ErrorMessage
+ }
+
+ # Workaround for MDM Scope Assignment error: "Could not set MDM Scope for [TENANT]: Simultaneous patch requests on both the appliesTo and URL properties are currently not supported."
+ if ($Settings.appliesTo -ne 'selected') {
+ $GraphParam = @{
+ tenantid = $tenant
+ Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000'
+ ContentType = 'application/json; charset=utf-8'
+ asApp = $false
+ type = 'PATCH'
+ AddedHeaders = @{'Accept-Language' = 0 }
+ Body = @{
+ 'appliesTo' = $Settings.appliesTo
+ } | ConvertTo-Json
+ }
+
+ try {
+ New-GraphPostRequest @GraphParam
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully assigned $($Settings.appliesTo) to MDM Scope" -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to assign $($Settings.appliesTo) to MDM Scope." -sev Error -LogData $ErrorMessage
+ }
+ } else {
+ $GroupID = (New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/groups?`$top=999&`$select=id,displayName&`$filter=displayName eq '$($Settings.customGroup)'" -tenantid $tenant -asApp $true).id
+ $GraphParam = @{
+ tenantid = $tenant
+ Uri = 'https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000/includedGroups/$ref'
+ ContentType = 'application/json; charset=utf-8'
+ asApp = $false
+ type = 'POST'
+ AddedHeaders = @{'Accept-Language' = 0 }
+ Body = @{
+ '@odata.id' = "https://graph.microsoft.com/odata/groups('$GroupID')"
+ } | ConvertTo-Json
+ }
+
+ try {
+ New-GraphPostRequest @GraphParam
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Successfully assigned $($Settings.customGroup) to MDM Scope" -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to assign $($Settings.customGroup) to MDM Scope" -sev Error -LogData $ErrorMessage
+ }
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true -eq $true) {
+ if ($StateIsCorrect) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope is correctly configured' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'MDM Scope is not correctly configured' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'MDMScope' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+
+}
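Review bot: In the `selected` branch of the remediate block, `$Settings.customGroup` is interpolated directly into the OData `$filter` string and the returned `.id` is used without checking how many groups matched. A group name containing a single quote alters or breaks the filter expression. A display name that matches several groups, or none, produces an `@odata.id` built from several ids or an empty one, so the MDM scope could end up bound to a group the operator did not intend. The lookup also sits before the `try`, so a failed request there is not logged the way the other Graph calls are. I would double any single quote in the name and continue only when exactly one group is returned, as sketched below.

```powershell
            } else {
                # OData string literals escape a single quote by doubling it
                $EscapedGroupName = $Settings.customGroup -replace "'", "''"
                $GroupID = @((New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/groups?`$top=999&`$select=id,displayName&`$filter=displayName eq '$EscapedGroupName'" -tenantid $tenant -asApp $true).id | Where-Object { $_ })
                if ($GroupID.Count -ne 1) {
                    Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to assign $($Settings.customGroup) to MDM Scope: expected exactly one matching group, found $($GroupID.Count)" -sev Error
                } else {
                    # … unchanged: $GraphParam for includedGroups/$ref and the try/catch around New-GraphPostRequest …
                }
```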
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1
index e62f75091cdc..bdff96e5f284 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1
@@ -20,6 +20,8 @@ function Invoke-CIPPStandardMailContacts {
{"type":"textField","name":"standards.MailContacts.TechContact","label":"Technical Contact","required":false}
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-03-13
POWERSHELLEQUIVALENT
Set-MsolCompanyContactInformation
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1
index 16deab23d1b5..0ef4dda2994a 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1
@@ -1,171 +1,173 @@
-function Invoke-CIPPStandardMalwareFilterPolicy {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) MalwareFilterPolicy
- .SYNOPSIS
- (Label) Default Malware Filter Policy
- .DESCRIPTION
- (Helptext) This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.
- (DocsDescription) This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.
- .NOTES
- CAT
- Defender Standards
- TAG
- "CIS"
- "mdo_zapspam"
- "mdo_zapphish"
- "mdo_zapmalware"
- ADDEDCOMPONENT
- {"type":"select","multiple":false,"label":"FileTypeAction","name":"standards.MalwareFilterPolicy.FileTypeAction","options":[{"label":"Reject","value":"Reject"},{"label":"Quarantine the message","value":"Quarantine"}]}
- {"type":"textField","name":"standards.MalwareFilterPolicy.OptionalFileTypes","required":false,"label":"Optional File Types, Comma separated"}
- {"type":"select","multiple":false,"label":"QuarantineTag","name":"standards.MalwareFilterPolicy.QuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- {"type":"switch","label":"Enable Internal Sender Admin Notifications","required":false,"name":"standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications"}
- {"type":"textField","name":"standards.MalwareFilterPolicy.InternalSenderAdminAddress","required":false,"label":"Internal Sender Admin Address"}
- {"type":"switch","label":"Enable External Sender Admin Notifications","required":false,"name":"standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications"}
- {"type":"textField","name":"standards.MalwareFilterPolicy.ExternalSenderAdminAddress","required":false,"label":"External Sender Admin Address"}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-MalwareFilterPolicy or New-MalwareFilterPolicy
- RECOMMENDEDBY
- "CIS"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'MalwareFilterPolicy'
-
- $PolicyList = @('CIPP Default Malware Policy','Default Malware Policy')
- $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterPolicy' | Where-Object -Property Name -In $PolicyList
- if ($null -eq $ExistingPolicy.Name) {
- $PolicyName = $PolicyList[0]
- } else {
- $PolicyName = $ExistingPolicy.Name
- }
- $RuleList = @( 'CIPP Default Malware Rule','CIPP Default Malware Policy')
- $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterRule' | Where-Object -Property Name -In $RuleList
- if ($null -eq $ExistingRule.Name) {
- $RuleName = $RuleList[0]
- } else {
- $RuleName = $ExistingRule.Name
- }
-
- $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterPolicy' |
- Where-Object -Property Name -EQ $PolicyName |
- Select-Object Name, EnableFileFilter, FileTypeAction, FileTypes, ZapEnabled, QuarantineTag, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress, EnableExternalSenderAdminNotifications, ExternalSenderAdminAddress
-
- $DefaultFileTypes = @('ace', 'ani', 'apk', 'app', 'appx', 'arj', 'bat', 'cab', 'cmd', 'com', 'deb', 'dex', 'dll', 'docm', 'elf', 'exe', 'hta', 'img', 'iso', 'jar', 'jnlp', 'kext', 'lha', 'lib', 'library', 'lnk', 'lzh', 'macho', 'msc', 'msi', 'msix', 'msp', 'mst', 'pif', 'ppa', 'ppam', 'reg', 'rev', 'scf', 'scr', 'sct', 'sys', 'uif', 'vb', 'vbe', 'vbs', 'vxd', 'wsc', 'wsf', 'wsh', 'xll', 'xz', 'z')
-
- if ($null -eq $Settings.OptionalFileTypes) {
- $ExpectedFileTypes = $DefaultFileTypes
- } else {
- $ExpectedFileTypes = $DefaultFileTypes + @($Settings.OptionalFileTypes.Split(',').Trim())
- }
-
- $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
- ($CurrentState.EnableFileFilter -eq $true) -and
- ($CurrentState.FileTypeAction -eq $Settings.FileTypeAction) -and
- (!(Compare-Object -ReferenceObject $CurrentState.FileTypes -DifferenceObject $ExpectedFileTypes)) -and
- ($CurrentState.ZapEnabled -eq $true) -and
- ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and
- ($CurrentState.EnableInternalSenderAdminNotifications -eq $Settings.EnableInternalSenderAdminNotifications) -and
- (($null -eq $Settings.InternalSenderAdminAddress) -or ($CurrentState.InternalSenderAdminAddress -eq $Settings.InternalSenderAdminAddress)) -and
- ($CurrentState.EnableExternalSenderAdminNotifications -eq $Settings.EnableExternalSenderAdminNotifications) -and
- (($null -eq $Settings.ExternalSenderAdminAddress) -or ($CurrentState.ExternalSenderAdminAddress -eq $Settings.ExternalSenderAdminAddress))
-
- $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
-
- $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterRule' |
- Where-Object -Property Name -EQ $RuleName |
- Select-Object Name, MalwareFilterPolicy, Priority, RecipientDomainIs
-
- $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
- ($RuleState.MalwareFilterPolicy -eq $PolicyName) -and
- ($RuleState.Priority -eq 0) -and
- (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
-
- if ($Settings.remediate -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Malware Filter Policy already correctly configured' -sev Info
- } else {
- $cmdparams = @{
- EnableFileFilter = $true
- FileTypes = $ExpectedFileTypes
- FileTypeAction = $Settings.FileTypeAction
- ZapEnabled = $true
- QuarantineTag = $Settings.QuarantineTag
- EnableInternalSenderAdminNotifications = $Settings.EnableInternalSenderAdminNotifications
- InternalSenderAdminAddress = $Settings.InternalSenderAdminAddress
- EnableExternalSenderAdminNotifications = $Settings.EnableExternalSenderAdminNotifications
- ExternalSenderAdminAddress = $Settings.ExternalSenderAdminAddress
- }
-
- if ($CurrentState.Name -eq $PolicyName) {
- try {
- $cmdparams.Add('Identity', $PolicyName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MalwareFilterPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Malware Filter policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Malware Filter policy $PolicyName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdparams.Add('Name', $PolicyName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'New-MalwareFilterPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Malware Filter policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Malware Filter policy $PolicyName." -sev Error -LogData $_
- }
- }
- }
-
- if ($RuleStateIsCorrect -eq $false) {
- $cmdparams = @{
- Priority = 0
- RecipientDomainIs = $AcceptedDomains.Name
- }
-
- if ($RuleState.MalwareFilterPolicy -ne $PolicyName) {
- $cmdparams.Add('MalwareFilterPolicy', $PolicyName)
- }
-
- if ($RuleState.Name -eq $RuleName) {
- try {
- $cmdparams.Add('Identity', $RuleName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MalwareFilterRule' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Malware Filter rule $RuleName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Malware Filter Rule $RuleName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdparams.Add('Name', $RuleName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'New-MalwareFilterRule' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Malware Filter rule $RuleName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Malware Filter rule $RuleName." -sev Error -LogData $_
- }
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Malware Filter Policy is enabled' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Malware Filter Policy is not enabled' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'MalwareFilterPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-
-}
+function Invoke-CIPPStandardMalwareFilterPolicy {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) MalwareFilterPolicy
+ .SYNOPSIS
+ (Label) Default Malware Filter Policy
+ .DESCRIPTION
+ (Helptext) This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.
+ (DocsDescription) This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware.
+ .NOTES
+ CAT
+ Defender Standards
+ TAG
+ "CIS"
+ "mdo_zapspam"
+ "mdo_zapphish"
+ "mdo_zapmalware"
+ ADDEDCOMPONENT
+ {"type":"select","multiple":false,"label":"FileTypeAction","name":"standards.MalwareFilterPolicy.FileTypeAction","options":[{"label":"Reject","value":"Reject"},{"label":"Quarantine the message","value":"Quarantine"}]}
+ {"type":"textField","name":"standards.MalwareFilterPolicy.OptionalFileTypes","required":false,"label":"Optional File Types, Comma separated"}
+ {"type":"select","multiple":false,"label":"QuarantineTag","name":"standards.MalwareFilterPolicy.QuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ {"type":"switch","label":"Enable Internal Sender Admin Notifications","required":false,"name":"standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications"}
+ {"type":"textField","name":"standards.MalwareFilterPolicy.InternalSenderAdminAddress","required":false,"label":"Internal Sender Admin Address"}
+ {"type":"switch","label":"Enable External Sender Admin Notifications","required":false,"name":"standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications"}
+ {"type":"textField","name":"standards.MalwareFilterPolicy.ExternalSenderAdminAddress","required":false,"label":"External Sender Admin Address"}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-03-25
+ POWERSHELLEQUIVALENT
+ Set-MalwareFilterPolicy or New-MalwareFilterPolicy
+ RECOMMENDEDBY
+ "CIS"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'MalwareFilterPolicy'
+
+ $PolicyList = @('CIPP Default Malware Policy','Default Malware Policy')
+ $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterPolicy' | Where-Object -Property Name -In $PolicyList
+ if ($null -eq $ExistingPolicy.Name) {
+ $PolicyName = $PolicyList[0]
+ } else {
+ $PolicyName = $ExistingPolicy.Name
+ }
+ $RuleList = @( 'CIPP Default Malware Rule','CIPP Default Malware Policy')
+ $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterRule' | Where-Object -Property Name -In $RuleList
+ if ($null -eq $ExistingRule.Name) {
+ $RuleName = $RuleList[0]
+ } else {
+ $RuleName = $ExistingRule.Name
+ }
+
+ $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterPolicy' |
+ Where-Object -Property Name -EQ $PolicyName |
+ Select-Object Name, EnableFileFilter, FileTypeAction, FileTypes, ZapEnabled, QuarantineTag, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress, EnableExternalSenderAdminNotifications, ExternalSenderAdminAddress
+
+ $DefaultFileTypes = @('ace', 'ani', 'apk', 'app', 'appx', 'arj', 'bat', 'cab', 'cmd', 'com', 'deb', 'dex', 'dll', 'docm', 'elf', 'exe', 'hta', 'img', 'iso', 'jar', 'jnlp', 'kext', 'lha', 'lib', 'library', 'lnk', 'lzh', 'macho', 'msc', 'msi', 'msix', 'msp', 'mst', 'pif', 'ppa', 'ppam', 'reg', 'rev', 'scf', 'scr', 'sct', 'sys', 'uif', 'vb', 'vbe', 'vbs', 'vxd', 'wsc', 'wsf', 'wsh', 'xll', 'xz', 'z')
+
+ if ($null -eq $Settings.OptionalFileTypes) {
+ $ExpectedFileTypes = $DefaultFileTypes
+ } else {
+ $ExpectedFileTypes = $DefaultFileTypes + @($Settings.OptionalFileTypes.Split(',').Trim())
+ }
+
+ $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+ ($CurrentState.EnableFileFilter -eq $true) -and
+ ($CurrentState.FileTypeAction -eq $Settings.FileTypeAction) -and
+ (!(Compare-Object -ReferenceObject $CurrentState.FileTypes -DifferenceObject $ExpectedFileTypes)) -and
+ ($CurrentState.ZapEnabled -eq $true) -and
+ ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and
+ ($CurrentState.EnableInternalSenderAdminNotifications -eq $Settings.EnableInternalSenderAdminNotifications) -and
+ (($null -eq $Settings.InternalSenderAdminAddress) -or ($CurrentState.InternalSenderAdminAddress -eq $Settings.InternalSenderAdminAddress)) -and
+ ($CurrentState.EnableExternalSenderAdminNotifications -eq $Settings.EnableExternalSenderAdminNotifications) -and
+ (($null -eq $Settings.ExternalSenderAdminAddress) -or ($CurrentState.ExternalSenderAdminAddress -eq $Settings.ExternalSenderAdminAddress))
+
+ $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
+
+ $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterRule' |
+ Where-Object -Property Name -EQ $RuleName |
+ Select-Object Name, MalwareFilterPolicy, Priority, RecipientDomainIs
+
+ $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
+ ($RuleState.MalwareFilterPolicy -eq $PolicyName) -and
+ ($RuleState.Priority -eq 0) -and
+ (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
+
+ if ($Settings.remediate -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Malware Filter Policy already correctly configured' -sev Info
+ } else {
+ $cmdparams = @{
+ EnableFileFilter = $true
+ FileTypes = $ExpectedFileTypes
+ FileTypeAction = $Settings.FileTypeAction
+ ZapEnabled = $true
+ QuarantineTag = $Settings.QuarantineTag
+ EnableInternalSenderAdminNotifications = $Settings.EnableInternalSenderAdminNotifications
+ InternalSenderAdminAddress = $Settings.InternalSenderAdminAddress
+ EnableExternalSenderAdminNotifications = $Settings.EnableExternalSenderAdminNotifications
+ ExternalSenderAdminAddress = $Settings.ExternalSenderAdminAddress
+ }
+
+ if ($CurrentState.Name -eq $PolicyName) {
+ try {
+ $cmdparams.Add('Identity', $PolicyName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MalwareFilterPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Malware Filter policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Malware Filter policy $PolicyName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdparams.Add('Name', $PolicyName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-MalwareFilterPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Malware Filter policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Malware Filter policy $PolicyName." -sev Error -LogData $_
+ }
+ }
+ }
+
+ if ($RuleStateIsCorrect -eq $false) {
+ $cmdparams = @{
+ Priority = 0
+ RecipientDomainIs = $AcceptedDomains.Name
+ }
+
+ if ($RuleState.MalwareFilterPolicy -ne $PolicyName) {
+ $cmdparams.Add('MalwareFilterPolicy', $PolicyName)
+ }
+
+ if ($RuleState.Name -eq $RuleName) {
+ try {
+ $cmdparams.Add('Identity', $RuleName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-MalwareFilterRule' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Malware Filter rule $RuleName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Malware Filter Rule $RuleName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdparams.Add('Name', $RuleName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-MalwareFilterRule' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Malware Filter rule $RuleName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Malware Filter rule $RuleName." -sev Error -LogData $_
+ }
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Malware Filter Policy is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Malware Filter Policy is not enabled' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'MalwareFilterPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+
+}
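Review bot: The alert and report branches at the end of the function test only `$StateIsCorrect`, although `$RuleStateIsCorrect` is computed earlier and drives remediation. A tenant whose policy settings match but whose rule is missing, has a non-zero priority, or does not list every accepted domain would still log "Malware Filter Policy is enabled" and store `true` in the BPA field. If the rule is meant to be part of the compliant state, the alert condition could become `if ($StateIsCorrect -eq $true -and $RuleStateIsCorrect -eq $true) {` and the report could use `-FieldValue ($StateIsCorrect -and $RuleStateIsCorrect)`. A short comment beside `$RuleStateIsCorrect` saying whether it is deliberately excluded from reporting would help if the current behaviour is intended.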
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1
index b79ae37cebe4..22da3819e8f9 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardMessageExpiration {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-02-23
POWERSHELLEQUIVALENT
Set-TransportConfig -MessageExpirationTimeout 12.00:00:00
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1
index 1def2f369951..b97689a2f960 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1
@@ -15,9 +15,11 @@ function Invoke-CIPPStandardNudgeMFA {
TAG
ADDEDCOMPONENT
{"type":"autoComplete","multiple":false,"creatable":false,"label":"Select value","name":"standards.NudgeMFA.state","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
- {"type":"number","name":"standards.NudgeMFA.snoozeDurationInDays","label":"Number of days to allow users to skip registering Authenticator (0-14, default is 1)","default":1}
+ {"type":"number","name":"standards.NudgeMFA.snoozeDurationInDays","label":"Number of days to allow users to skip registering Authenticator (0-14, default is 1)","defaultValue":1}
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-12-08
POWERSHELLEQUIVALENT
Update-MgPolicyAuthenticationMethodPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1
index 275f4b6dcf03..c1bdb39fa96b 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardOauthConsent {
{"type":"textField","name":"standards.OauthConsent.AllowedApps","label":"Allowed application IDs, comma separated","required":false}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Update-MgPolicyAuthorizationPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1
index 4573a7875eeb..9ab97150d1e3 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardOauthConsentLowSec {
"IntegratedApps"
IMPACT
Medium Impact
+ ADDEDDATE
+ 2022-08-16
POWERSHELLEQUIVALENT
Update-MgPolicyAuthorizationPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1
index 695f9f5e7759..098a85d27f3e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardOutBoundSpamAlert {
{"type":"textField","name":"standards.OutBoundSpamAlert.OutboundSpamContact","label":"Outbound spam contact"}
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-05-03
POWERSHELLEQUIVALENT
Set-HostedOutboundSpamFilterPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1
index e21c27e1fe7c..f7efdc7d203c 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState {
{"type":"autoComplete","multiple":false,"creatable":false,"label":"Select value","name":"standards.PWcompanionAppAllowedState.state","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-05-18
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1
index 87e717b10887..142732c5b0cf 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1
index c629902a52b0..f21def0d2784 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardPasswordExpireDisabled {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Update-MgDomain
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1
index 8df7ac45f4e5..8e028d5a4eaa 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardPerUserMFA {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2024-06-14
POWERSHELLEQUIVALENT
Graph API
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1
index 33670894bd76..d250edcd3b66 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardPhishProtection {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-01-22
DISABLEDFEATURES
POWERSHELLEQUIVALENT
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1
index 0453733541e6..9b8db4155929 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardProfilePhotos {
{"type":"autoComplete","multiple":false,"creatable":false,"label":"Select value","name":"standards.ProfilePhotos.state","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2025-01-19
POWERSHELLEQUIVALENT
Set-OrganizationConfig -ProfilePhotoOptions EnablePhotos and Update-MgBetaAdminPeople
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardQuarantineRequestAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardQuarantineRequestAlert.ps1
index 8eafb2c45768..84a5376bb816 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardQuarantineRequestAlert.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardQuarantineRequestAlert.ps1
@@ -1,87 +1,89 @@
-function Invoke-CIPPStandardQuarantineRequestAlert {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) QuarantineRequestAlert
- .SYNOPSIS
- (Label) Quarantine Release Request Alert
- .DESCRIPTION
- (Helptext) Sets a e-mail address to alert when a User requests to release a quarantined message.
- (DocsDescription) Sets a e-mail address to alert when a User requests to release a quarantined message. This is useful for monitoring and ensuring that the correct messages are released.
- .NOTES
- CAT
- Defender Standards
- TAG
- ADDEDCOMPONENT
- {"type":"textField","name":"standards.QuarantineRequestAlert.NotifyUser","label":"E-mail to receive the alert"}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- New-ProtectionAlert and Set-ProtectionAlert
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
- #>
-
- param ($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'QuarantineRequestAlert'
-
- $PolicyName = 'CIPP User requested to release a quarantined message'
-
- $CurrentState = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-ProtectionAlert' -Compliance |
- Where-Object { $_.Name -eq $PolicyName } |
- Select-Object -Property *
-
- $StateIsCorrect = ($CurrentState.NotifyUser -contains $Settings.NotifyUser)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Quarantine Request Alert is configured correctly' -sev Info
- } else {
- $cmdparams = @{
- 'NotifyUser' = $Settings.NotifyUser
- 'Category' = 'ThreatManagement'
- 'Operation' = 'QuarantineRequestReleaseMessage'
- 'Severity' = 'Informational'
- 'AggregationType' = 'None'
- }
-
- if ($CurrentState.Name -eq $PolicyName) {
- try {
- $cmdparams['Identity'] = $PolicyName
- New-ExoRequest -TenantId $Tenant -cmdlet 'Set-ProtectionAlert' -Compliance -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully configured Quarantine Request Alert' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to configure Quarantine Request Alert. Error: $ErrorMessage" -sev Error
- }
- } else {
- try {
- $cmdparams['name'] = $PolicyName
- $cmdparams['ThreatType'] = 'Activity'
-
- New-ExoRequest -TenantId $Tenant -cmdlet 'New-ProtectionAlert' -Compliance -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully created Quarantine Request Alert' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to create Quarantine Request Alert. Error: $ErrorMessage" -sev Error
- }
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Quarantine Request Alert is enabled' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Quarantine Request Alert is disabled' -sev Info
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'QuarantineRequestAlert' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+function Invoke-CIPPStandardQuarantineRequestAlert {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) QuarantineRequestAlert
+ .SYNOPSIS
+ (Label) Quarantine Release Request Alert
+ .DESCRIPTION
+ (Helptext) Sets a e-mail address to alert when a User requests to release a quarantined message.
+ (DocsDescription) Sets a e-mail address to alert when a User requests to release a quarantined message. This is useful for monitoring and ensuring that the correct messages are released.
+ .NOTES
+ CAT
+ Defender Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"textField","name":"standards.QuarantineRequestAlert.NotifyUser","label":"E-mail to receive the alert"}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-07-15
+ POWERSHELLEQUIVALENT
+ New-ProtectionAlert and Set-ProtectionAlert
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
+ #>
+
+ param ($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'QuarantineRequestAlert'
+
+ $PolicyName = 'CIPP User requested to release a quarantined message'
+
+ $CurrentState = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-ProtectionAlert' -Compliance |
+ Where-Object { $_.Name -eq $PolicyName } |
+ Select-Object -Property *
+
+ $StateIsCorrect = ($CurrentState.NotifyUser -contains $Settings.NotifyUser)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Quarantine Request Alert is configured correctly' -sev Info
+ } else {
+ $cmdparams = @{
+ 'NotifyUser' = $Settings.NotifyUser
+ 'Category' = 'ThreatManagement'
+ 'Operation' = 'QuarantineRequestReleaseMessage'
+ 'Severity' = 'Informational'
+ 'AggregationType' = 'None'
+ }
+
+ if ($CurrentState.Name -eq $PolicyName) {
+ try {
+ $cmdparams['Identity'] = $PolicyName
+ New-ExoRequest -TenantId $Tenant -cmdlet 'Set-ProtectionAlert' -Compliance -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully configured Quarantine Request Alert' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to configure Quarantine Request Alert. Error: $ErrorMessage" -sev Error
+ }
+ } else {
+ try {
+ $cmdparams['name'] = $PolicyName
+ $cmdparams['ThreatType'] = 'Activity'
+
+ New-ExoRequest -TenantId $Tenant -cmdlet 'New-ProtectionAlert' -Compliance -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully created Quarantine Request Alert' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to create Quarantine Request Alert. Error: $ErrorMessage" -sev Error
+ }
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Quarantine Request Alert is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Quarantine Request Alert is disabled' -sev Info
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'QuarantineRequestAlert' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
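Review bot: In the `$Settings.alert` branch the non-compliant case logs `'Quarantine Request Alert is disabled'` with `-sev Info`, so a tenant missing this protection alert is recorded at the same severity as a compliant one. The SPAzureB2B and SPDisallowInfectedFiles standards in this commit use `-Sev Alert` for that case, so I would change the line to `Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Quarantine Request Alert is disabled' -sev Alert`. The same applies to `'Legacy Workflows are enabled'` in Invoke-CIPPStandardSPDisableLegacyWorkflows.ps1. Separately, `$StateIsCorrect` only tests whether `NotifyUser` contains the configured address, so "disabled" can also mean "exists but notifies someone else"; a message such as `'Quarantine Request Alert is missing or does not notify the configured address'` would describe it better.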
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRetentionPolicyTag.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRetentionPolicyTag.ps1
index 2e749da720f2..346b100e04c6 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRetentionPolicyTag.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRetentionPolicyTag.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardRetentionPolicyTag {
{"type":"number","name":"standards.RetentionPolicyTag.AgeLimitForRetention","label":"Retention Days","required":true}
IMPACT
High Impact
+ ADDEDDATE
+ 2025-02-02
POWERSHELLEQUIVALENT
Set-RetentionPolicyTag
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1
index 71dd3abde10f..1421b89997b0 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardRotateDKIM {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-03-14
POWERSHELLEQUIVALENT
Rotate-DkimSigningConfig
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPAzureB2B.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPAzureB2B.ps1
index 63a6e0d431cb..e447a74ab4af 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPAzureB2B.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPAzureB2B.ps1
@@ -1,67 +1,69 @@
-function Invoke-CIPPStandardSPAzureB2B {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SPAzureB2B
- .SYNOPSIS
- (Label) Enable SharePoint and OneDrive integration with Azure AD B2B
- .DESCRIPTION
- (Helptext) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
- (DocsDescription) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
- .NOTES
- CAT
- SharePoint Standards
- TAG
- "CIS"
- ADDEDCOMPONENT
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-SPOTenant -EnableAzureADB2BIntegration \$true
- RECOMMENDEDBY
- "CIS 3.0"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPAzureB2B'
-
- $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
- Select-Object -Property EnableAzureADB2BIntegration
-
- $StateIsCorrect = ($CurrentState.EnableAzureADB2BIntegration -eq $true)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Azure B2B is already enabled' -Sev Info
- } else {
- $Properties = @{
- EnableAzureADB2BIntegration = $true
- }
-
- try {
- Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully set the SharePoint Azure B2B to enabled' -Sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set the SharePoint Azure B2B to enabled. Error: $ErrorMessage" -Sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Azure B2B is enabled' -Sev Info
- } else {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Azure B2B is not enabled' -Sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'AzureB2B' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-}
+function Invoke-CIPPStandardSPAzureB2B {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SPAzureB2B
+ .SYNOPSIS
+ (Label) Enable SharePoint and OneDrive integration with Azure AD B2B
+ .DESCRIPTION
+ (Helptext) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
+ (DocsDescription) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
+ .NOTES
+ CAT
+ SharePoint Standards
+ TAG
+ "CIS"
+ ADDEDCOMPONENT
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-07-09
+ POWERSHELLEQUIVALENT
+ Set-SPOTenant -EnableAzureADB2BIntegration \$true
+ RECOMMENDEDBY
+ "CIS 3.0"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPAzureB2B'
+
+ $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
+ Select-Object -Property EnableAzureADB2BIntegration
+
+ $StateIsCorrect = ($CurrentState.EnableAzureADB2BIntegration -eq $true)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Azure B2B is already enabled' -Sev Info
+ } else {
+ $Properties = @{
+ EnableAzureADB2BIntegration = $true
+ }
+
+ try {
+ Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully set the SharePoint Azure B2B to enabled' -Sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set the SharePoint Azure B2B to enabled. Error: $ErrorMessage" -Sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Azure B2B is enabled' -Sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Azure B2B is not enabled' -Sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'AzureB2B' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+}
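Review bot: The initial `Get-CIPPSPOTenant` read that feeds `$StateIsCorrect` sits outside any `try`/`catch`, unlike the remediation write further down. If the read fails, either the function aborts with no Standards log entry, or (if the helper returns nothing instead of throwing; its behaviour is not visible here) `$StateIsCorrect` becomes `$false`. In the second case the report branch stores a false value that cannot be told apart from a genuinely non-compliant tenant. I would wrap the read, log at Error and return before the alert and report branches run. The same pattern appears in the SPDirectSharing, SPDisableLegacyWorkflows and SPDisallowInfectedFiles files in this commit.

```powershell
param($Tenant, $Settings)

try {
    $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
        Select-Object -Property EnableAzureADB2BIntegration
} catch {
    $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
    Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to read the SharePoint Azure B2B state. Error: $ErrorMessage" -Sev Error
    return
}
# ... unchanged: $StateIsCorrect and the remediate / alert / report branches ...
```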
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDirectSharing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDirectSharing.ps1
index ba1d39eef96e..9852c5536afb 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDirectSharing.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDirectSharing.ps1
@@ -1,68 +1,70 @@
-function Invoke-CIPPStandardSPDirectSharing {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SPDirectSharing
- .SYNOPSIS
- (Label) Default sharing to Direct users
- .DESCRIPTION
- (Helptext) Ensure default link sharing is set to Direct in SharePoint and OneDrive
- (DocsDescription) Ensure default link sharing is set to Direct in SharePoint and OneDrive
- .NOTES
- CAT
- SharePoint Standards
- TAG
- "CIS"
- ADDEDCOMPONENT
- IMPACT
- Medium Impact
- POWERSHELLEQUIVALENT
- Set-SPOTenant -DefaultSharingLinkType Direct
- RECOMMENDEDBY
- "CIS 3.0"
- "CIPP"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#medium-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPDirectSharing'
-
- $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
- Select-Object -Property DefaultSharingLinkType
-
- $StateIsCorrect = ($CurrentState.DefaultSharingLinkType -eq 'Direct' -or $CurrentState.DefaultSharingLinkType -eq 1)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Sharing Restriction is already enabled' -Sev Info
- } else {
- $Properties = @{
- DefaultSharingLinkType = 1
- }
-
- try {
- Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully set the SharePoint Sharing Restriction to Direct' -Sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set the SharePoint Sharing Restriction to Direct. Error: $ErrorMessage" -Sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Sharing Restriction is enabled' -Sev Info
- } else {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Sharing Restriction is not enabled' -Sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'DirectSharing' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-}
+function Invoke-CIPPStandardSPDirectSharing {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SPDirectSharing
+ .SYNOPSIS
+ (Label) Default sharing to Direct users
+ .DESCRIPTION
+ (Helptext) Ensure default link sharing is set to Direct in SharePoint and OneDrive
+ (DocsDescription) Ensure default link sharing is set to Direct in SharePoint and OneDrive
+ .NOTES
+ CAT
+ SharePoint Standards
+ TAG
+ "CIS"
+ ADDEDCOMPONENT
+ IMPACT
+ Medium Impact
+ ADDEDDATE
+ 2024-07-09
+ POWERSHELLEQUIVALENT
+ Set-SPOTenant -DefaultSharingLinkType Direct
+ RECOMMENDEDBY
+ "CIS"
+ "CIPP"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#medium-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPDirectSharing'
+
+ $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
+ Select-Object -Property DefaultSharingLinkType
+
+ $StateIsCorrect = ($CurrentState.DefaultSharingLinkType -eq 'Direct' -or $CurrentState.DefaultSharingLinkType -eq 1)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Sharing Restriction is already enabled' -Sev Info
+ } else {
+ $Properties = @{
+ DefaultSharingLinkType = 1
+ }
+
+ try {
+ Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully set the SharePoint Sharing Restriction to Direct' -Sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set the SharePoint Sharing Restriction to Direct. Error: $ErrorMessage" -Sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Sharing Restriction is enabled' -Sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint Sharing Restriction is not enabled' -Sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'DirectSharing' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+}
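Review bot: The RECOMMENDEDBY entry in the help block changes from `"CIS 3.0"` to `"CIS"` here and in Invoke-CIPPStandardSPDisallowInfectedFiles.ps1, while Invoke-CIPPStandardSPAzureB2B.ps1 in the same commit keeps `"CIS 3.0"`. Dropping the version removes the record of which benchmark revision the control was mapped to, and the mixed values will filter inconsistently if the UI groups by this field. Either keep `"CIS 3.0"` in all three or move all of them to `"CIS"`. Since the block says it is generated by Tools\Update-StandardsComments.ps1, the fix belongs in that script's source data rather than in these files.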
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisableLegacyWorkflows.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisableLegacyWorkflows.ps1
index 7dd4ab37ffa1..a4034f2c66aa 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisableLegacyWorkflows.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisableLegacyWorkflows.ps1
@@ -1,68 +1,70 @@
-function Invoke-CIPPStandardSPDisableLegacyWorkflows {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SPDisableLegacyWorkflows
- .SYNOPSIS
- (Label) Disable Legacy Workflows
- .DESCRIPTION
- (Helptext) Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages.
- (DocsDescription) Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages.
- .NOTES
- CAT
- SharePoint Standards
- TAG
- ADDEDCOMPONENT
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-SPOTenant -DisableWorkflow2010 \$true -DisableWorkflow2013 \$true -DisableBackToClassic \$true
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#low-impact
- #>
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPDisableLegacyWorkflows'
-
- $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
- Select-Object -Property *
-
- $StateIsCorrect = ($CurrentState.StopNew2010Workflows -eq $true) -and
- ($CurrentState.StopNew2013Workflows -eq $true) -and
- ($CurrentState.DisableBackToClassic -eq $true)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Legacy Workflows are already disabled.' -Sev Info
- } else {
- $Properties = @{
- StopNew2010Workflows = $true
- StopNew2013Workflows = $true
- DisableBackToClassic = $true
- }
-
- try {
- Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully disabled Legacy Workflows' -Sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to disable Legacy Workflows. Error: $ErrorMessage" -Sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Legacy Workflows are disabled' -Sev Info
- } else {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Legacy Workflows are enabled' -Sev Info
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'SPDisableLegacyWorkflows' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+function Invoke-CIPPStandardSPDisableLegacyWorkflows {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SPDisableLegacyWorkflows
+ .SYNOPSIS
+ (Label) Disable Legacy Workflows
+ .DESCRIPTION
+ (Helptext) Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages.
+ (DocsDescription) Disables the creation of new SharePoint 2010 and 2013 classic workflows and removes the 'Return to classic SharePoint' link on modern SharePoint list and library pages.
+ .NOTES
+ CAT
+ SharePoint Standards
+ TAG
+ ADDEDCOMPONENT
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-07-15
+ POWERSHELLEQUIVALENT
+ Set-SPOTenant -DisableWorkflow2010 \$true -DisableWorkflow2013 \$true -DisableBackToClassic \$true
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#low-impact
+ #>
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPDisableLegacyWorkflows'
+
+ $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
+ Select-Object -Property *
+
+ $StateIsCorrect = ($CurrentState.StopNew2010Workflows -eq $true) -and
+ ($CurrentState.StopNew2013Workflows -eq $true) -and
+ ($CurrentState.DisableBackToClassic -eq $true)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Legacy Workflows are already disabled.' -Sev Info
+ } else {
+ $Properties = @{
+ StopNew2010Workflows = $true
+ StopNew2013Workflows = $true
+ DisableBackToClassic = $true
+ }
+
+ try {
+ Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully disabled Legacy Workflows' -Sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to disable Legacy Workflows. Error: $ErrorMessage" -Sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Legacy Workflows are disabled' -Sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Legacy Workflows are enabled' -Sev Info
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'SPDisableLegacyWorkflows' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
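Review bot: The POWERSHELLEQUIVALENT line names `-DisableWorkflow2010` and `-DisableWorkflow2013`, but the function checks and sets `StopNew2010Workflows` and `StopNew2013Workflows`. Someone auditing the tenant by hand from the help text would therefore look at different settings than the ones this standard enforces. If the properties in the code are the intended ones, the line should read `Set-SPOTenant -StopNew2010Workflows \$true -StopNew2013Workflows \$true -DisableBackToClassic \$true`; confirm this against the cmdlet before changing it. As the block is generated, the correction belongs in the source that Tools\Update-StandardsComments.ps1 reads.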
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisallowInfectedFiles.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisallowInfectedFiles.ps1
index 0f2c2ecead49..03c34ec3b768 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisallowInfectedFiles.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPDisallowInfectedFiles.ps1
@@ -1,68 +1,70 @@
-function Invoke-CIPPStandardSPDisallowInfectedFiles {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SPDisallowInfectedFiles
- .SYNOPSIS
- (Label) Disallow downloading infected files from SharePoint
- .DESCRIPTION
- (Helptext) Ensure Office 365 SharePoint infected files are disallowed for download
- (DocsDescription) Ensure Office 365 SharePoint infected files are disallowed for download
- .NOTES
- CAT
- SharePoint Standards
- TAG
- "CIS"
- ADDEDCOMPONENT
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-SPOTenant -DisallowInfectedFileDownload \$true
- RECOMMENDEDBY
- "CIS 3.0"
- "CIPP"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPDisallowInfectedFiles'
-
- $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
- Select-Object -Property DisallowInfectedFileDownload
-
- $StateIsCorrect = ($CurrentState.DisallowInfectedFileDownload -eq $true)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $tenant -Message 'Downloading Sharepoint infected files are already disallowed.' -Sev Info
- } else {
- $Properties = @{
- DisallowInfectedFileDownload = $true
- }
-
- try {
- Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
- Write-LogMessage -API 'Standards' -tenant $tenant -Message 'Successfully disallowed downloading SharePoint infected files.' -Sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $tenant -Message "Failed to disallow downloading Sharepoint infected files. Error: $ErrorMessage" -Sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $tenant -Message 'Downloading Sharepoint infected files are disallowed.' -Sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $tenant -Message 'Downloading Sharepoint infected files are allowed.' -Sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'SPDisallowInfectedFiles' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+function Invoke-CIPPStandardSPDisallowInfectedFiles {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SPDisallowInfectedFiles
+ .SYNOPSIS
+ (Label) Disallow downloading infected files from SharePoint
+ .DESCRIPTION
+ (Helptext) Ensure Office 365 SharePoint infected files are disallowed for download
+ (DocsDescription) Ensure Office 365 SharePoint infected files are disallowed for download
+ .NOTES
+ CAT
+ SharePoint Standards
+ TAG
+ "CIS"
+ ADDEDCOMPONENT
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-07-09
+ POWERSHELLEQUIVALENT
+ Set-SPOTenant -DisallowInfectedFileDownload \$true
+ RECOMMENDEDBY
+ "CIS"
+ "CIPP"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPDisallowInfectedFiles'
+
+ $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
+ Select-Object -Property DisallowInfectedFileDownload
+
+ $StateIsCorrect = ($CurrentState.DisallowInfectedFileDownload -eq $true)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -Message 'Downloading Sharepoint infected files are already disallowed.' -Sev Info
+ } else {
+ $Properties = @{
+ DisallowInfectedFileDownload = $true
+ }
+
+ try {
+ Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
+ Write-LogMessage -API 'Standards' -tenant $tenant -Message 'Successfully disallowed downloading SharePoint infected files.' -Sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $tenant -Message "Failed to disallow downloading Sharepoint infected files. Error: $ErrorMessage" -Sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -Message 'Downloading Sharepoint infected files are disallowed.' -Sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -Message 'Downloading Sharepoint infected files are allowed.' -Sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'SPDisallowInfectedFiles' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPEmailAttestation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPEmailAttestation.ps1
index 0170bd7286cc..a3b808415c65 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPEmailAttestation.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPEmailAttestation.ps1
@@ -1,71 +1,73 @@
-function Invoke-CIPPStandardSPEmailAttestation {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SPEmailAttestation
- .SYNOPSIS
- (Label) Require re-authentication with verification code
- .DESCRIPTION
- (Helptext) Ensure re-authentication with verification code is restricted
- (DocsDescription) Ensure re-authentication with verification code is restricted
- .NOTES
- CAT
- SharePoint Standards
- TAG
- "CIS"
- ADDEDCOMPONENT
- {"type":"number","name":"standards.SPEmailAttestation.Days","label":"Require re-authentication every X Days (Default 15)"}
- IMPACT
- Medium Impact
- POWERSHELLEQUIVALENT
- Set-SPOTenant -EmailAttestationRequired \$true -EmailAttestationReAuthDays 15
- RECOMMENDEDBY
- "CIS 3.0"
- "CIPP"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#medium-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPEmailAttestation'
-
- $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
- Select-Object -Property EmailAttestationReAuthDays, EmailAttestationRequired
-
- $StateIsCorrect = ($CurrentState.EmailAttestationReAuthDays -eq $Settings.Days) -and
- ($CurrentState.EmailAttestationRequired -eq $true)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Sharepoint reauthentication with verification code is already restricted.' -Sev Info
- } else {
- $Properties = @{
- EmailAttestationReAuthDays = $Settings.Days
- EmailAttestationRequired = $true
- }
-
- try {
- Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully set reauthentication with verification code restriction.' -Sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set reauthentication with verification code restriction. Error: $ErrorMessage" -Sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Reauthentication with verification code is restricted.' -Sev Info
- } else {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Reauthentication with verification code is not restricted.' -Sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'SPEmailAttestation' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+function Invoke-CIPPStandardSPEmailAttestation {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SPEmailAttestation
+ .SYNOPSIS
+ (Label) Require re-authentication with verification code
+ .DESCRIPTION
+ (Helptext) Ensure re-authentication with verification code is restricted
+ (DocsDescription) Ensure re-authentication with verification code is restricted
+ .NOTES
+ CAT
+ SharePoint Standards
+ TAG
+ "CIS"
+ ADDEDCOMPONENT
+ {"type":"number","name":"standards.SPEmailAttestation.Days","label":"Require re-authentication every X Days (Default 15)"}
+ IMPACT
+ Medium Impact
+ ADDEDDATE
+ 2024-07-09
+ POWERSHELLEQUIVALENT
+ Set-SPOTenant -EmailAttestationRequired \$true -EmailAttestationReAuthDays 15
+ RECOMMENDEDBY
+ "CIS"
+ "CIPP"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#medium-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPEmailAttestation'
+
+ $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
+ Select-Object -Property EmailAttestationReAuthDays, EmailAttestationRequired
+
+ $StateIsCorrect = ($CurrentState.EmailAttestationReAuthDays -eq $Settings.Days) -and
+ ($CurrentState.EmailAttestationRequired -eq $true)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Sharepoint reauthentication with verification code is already restricted.' -Sev Info
+ } else {
+ $Properties = @{
+ EmailAttestationReAuthDays = $Settings.Days
+ EmailAttestationRequired = $true
+ }
+
+ try {
+ Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully set reauthentication with verification code restriction.' -Sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set reauthentication with verification code restriction. Error: $ErrorMessage" -Sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Reauthentication with verification code is restricted.' -Sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Reauthentication with verification code is not restricted.' -Sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'SPEmailAttestation' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
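Review bot: `$Settings.Days` is used without a fallback in both the `$StateIsCorrect` comparison and the `$Properties` hashtable, although the ADDEDCOMPONENT label promises "Default 15". If the field is left empty, the comparison presumably never matches a configured tenant and an empty value is handed to `Set-CIPPSPOTenant`, so the standard would alert or fail on every run. A line such as `$Days = if ($Settings.Days) { [int]$Settings.Days } else { 15 }` ahead of the comparison, used in both places, would make the documented default real. The same pattern appears in Invoke-CIPPStandardSPExternalUserExpiration later in this diff, where the label says "Default 60". Separately, the catch block here uses `Get-NormalizedError`, while that sibling uses `Get-CippException` with `-LogData`; aligning the two would keep the full exception in the log.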
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPExternalUserExpiration.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPExternalUserExpiration.ps1
index 28276672d6c3..b2f7db4c3f68 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPExternalUserExpiration.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPExternalUserExpiration.ps1
@@ -1,70 +1,72 @@
-function Invoke-CIPPStandardSPExternalUserExpiration {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SPExternalUserExpiration
- .SYNOPSIS
- (Label) Set guest access to expire automatically
- .DESCRIPTION
- (Helptext) Ensure guest access to a site or OneDrive will expire automatically
- (DocsDescription) Ensure guest access to a site or OneDrive will expire automatically
- .NOTES
- CAT
- SharePoint Standards
- TAG
- "CIS"
- ADDEDCOMPONENT
- {"type":"number","name":"standards.SPExternalUserExpiration.Days","label":"Days until expiration (Default 60)"}
- IMPACT
- Medium Impact
- POWERSHELLEQUIVALENT
- Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired \$True
- RECOMMENDEDBY
- "CIS 3.0"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#medium-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPExternalUserExpiration'
-
- $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
- Select-Object -Property ExternalUserExpireInDays, ExternalUserExpirationRequired
-
- $StateIsCorrect = ($CurrentState.ExternalUserExpireInDays -eq $Settings.Days) -and
- ($CurrentState.ExternalUserExpirationRequired -eq $true)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint External User Expiration is already enabled.' -Sev Info
- } else {
- $Properties = @{
- ExternalUserExpireInDays = $Settings.Days
- ExternalUserExpirationRequired = $true
- }
-
- try {
- Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully set External User Expiration' -Sev Info
- } catch {
- $ErrorMessage = Get-CippException -Exception $_
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set External User Expiration. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'External User Expiration is enabled' -Sev Info
- } else {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'External User Expiration is not enabled' -Sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'ExternalUserExpiration' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+function Invoke-CIPPStandardSPExternalUserExpiration {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SPExternalUserExpiration
+ .SYNOPSIS
+ (Label) Set guest access to expire automatically
+ .DESCRIPTION
+ (Helptext) Ensure guest access to a site or OneDrive will expire automatically
+ (DocsDescription) Ensure guest access to a site or OneDrive will expire automatically
+ .NOTES
+ CAT
+ SharePoint Standards
+ TAG
+ "CIS"
+ ADDEDCOMPONENT
+ {"type":"number","name":"standards.SPExternalUserExpiration.Days","label":"Days until expiration (Default 60)"}
+ IMPACT
+ Medium Impact
+ ADDEDDATE
+ 2024-07-09
+ POWERSHELLEQUIVALENT
+ Set-SPOTenant -ExternalUserExpireInDays 30 -ExternalUserExpirationRequired \$True
+ RECOMMENDEDBY
+ "CIS 3.0"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#medium-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SPExternalUserExpiration'
+
+ $CurrentState = Get-CIPPSPOTenant -TenantFilter $Tenant |
+ Select-Object -Property ExternalUserExpireInDays, ExternalUserExpirationRequired
+
+ $StateIsCorrect = ($CurrentState.ExternalUserExpireInDays -eq $Settings.Days) -and
+ ($CurrentState.ExternalUserExpirationRequired -eq $true)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'SharePoint External User Expiration is already enabled.' -Sev Info
+ } else {
+ $Properties = @{
+ ExternalUserExpireInDays = $Settings.Days
+ ExternalUserExpirationRequired = $true
+ }
+
+ try {
+ Get-CIPPSPOTenant -TenantFilter $Tenant | Set-CIPPSPOTenant -Properties $Properties
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully set External User Expiration' -Sev Info
+ } catch {
+ $ErrorMessage = Get-CippException -Exception $_
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to set External User Expiration. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'External User Expiration is enabled' -Sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'External User Expiration is not enabled' -Sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'ExternalUserExpiration' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
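Review bot: The compliance test `($CurrentState.ExternalUserExpireInDays -eq $Settings.Days)` demands exact equality, so a tenant with a shorter (stricter) guest expiry is treated as non-compliant and the remediate branch would raise it to the configured value. If the setting is meant as a maximum, compare with `-le` and keep the `ExternalUserExpirationRequired -eq $true` check; if exact enforcement is intended, a comment saying so would help. The comment block also disagrees with itself: the label says "Default 60" while POWERSHELLEQUIVALENT shows `-ExternalUserExpireInDays 30`. The BPA field is stored as `'ExternalUserExpiration'` without the `SP` prefix that the APIName and the neighbouring standards use, which deserves a note if it is kept for compatibility with stored reports.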
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPSyncButtonState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPSyncButtonState.ps1
index 03b66cfe0c3e..bd4b5a81e7b2 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPSyncButtonState.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSPSyncButtonState.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardSPSyncButtonState {
{"type":"autoComplete","multiple":false,"creatable":false,"label":"SharePoint Sync Button state","name":"standards.SPSyncButtonState.state","options":[{"label":"Disabled","value":"true"},{"label":"Enabled","value":"false"}]}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2024-07-26
POWERSHELLEQUIVALENT
Set-SPOTenant -HideSyncButtonOnTeamSite \$true or \$false
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1
index 32799e32d5b0..3ad9eb6b025b 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1
@@ -1,169 +1,171 @@
-function Invoke-CIPPStandardSafeAttachmentPolicy {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SafeAttachmentPolicy
- .SYNOPSIS
- (Label) Default Safe Attachment Policy
- .DESCRIPTION
- (Helptext) This creates a Safe Attachment policy
- (DocsDescription) This creates a Safe Attachment policy
- .NOTES
- CAT
- Defender Standards
- TAG
- "CIS"
- "mdo_safedocuments"
- "mdo_commonattachmentsfilter"
- "mdo_safeattachmentpolicy"
- ADDEDCOMPONENT
- {"type":"select","multiple":false,"label":"Safe Attachment Action","name":"standards.SafeAttachmentPolicy.SafeAttachmentAction","options":[{"label":"Allow","value":"Allow"},{"label":"Block","value":"Block"},{"label":"DynamicDelivery","value":"DynamicDelivery"}]}
- {"type":"select","multiple":false,"label":"QuarantineTag","name":"standards.SafeAttachmentPolicy.QuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- {"type":"switch","label":"Redirect","name":"standards.SafeAttachmentPolicy.Redirect"}
- {"type":"textField","name":"standards.SafeAttachmentPolicy.RedirectAddress","label":"Redirect Address","required":false}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-SafeAttachmentPolicy or New-SafeAttachmentPolicy
- RECOMMENDEDBY
- "CIS"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SafeAttachmentPolicy'
-
- $ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
- $ServicePlans = $ServicePlans.servicePlans.servicePlanName
- $MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
-
- if ($MDOLicensed) {
- $PolicyList = @('CIPP Default Safe Attachment Policy','Default Safe Attachment Policy')
- $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentPolicy' | Where-Object -Property Name -In $PolicyList
- if ($null -eq $ExistingPolicy.Name) {
- $PolicyName = $PolicyList[0]
- } else {
- $PolicyName = $ExistingPolicy.Name
- }
- $RuleList = @( 'CIPP Default Safe Attachment Rule','CIPP Default Safe Attachment Policy')
- $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentRule' | Where-Object -Property Name -In $RuleList
- if ($null -eq $ExistingRule.Name) {
- $RuleName = $RuleList[0]
- } else {
- $RuleName = $ExistingRule.Name
- }
-
- $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentPolicy' |
- Where-Object -Property Name -EQ $PolicyName |
- Select-Object Name, Enable, Action, QuarantineTag, Redirect, RedirectAddress
-
- $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
- ($CurrentState.Enable -eq $true) -and
- ($CurrentState.Action -eq $Settings.SafeAttachmentAction) -and
- ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and
- ($CurrentState.Redirect -eq $Settings.Redirect) -and
- (($null -eq $Settings.RedirectAddress) -or ($CurrentState.RedirectAddress -eq $Settings.RedirectAddress))
-
- $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
-
- $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentRule' |
- Where-Object -Property Name -EQ $RuleName |
- Select-Object Name, SafeAttachmentPolicy, Priority, RecipientDomainIs
-
- $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
- ($RuleState.SafeAttachmentPolicy -eq $PolicyName) -and
- ($RuleState.Priority -eq 0) -and
- (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
-
- if ($Settings.remediate -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy already correctly configured' -sev Info
- } else {
- $cmdparams = @{
- Enable = $true
- Action = $Settings.SafeAttachmentAction
- QuarantineTag = $Settings.QuarantineTag
- Redirect = $Settings.Redirect
- RedirectAddress = $Settings.RedirectAddress
- }
-
- if ($CurrentState.Name -eq $PolicyName) {
- try {
- $cmdparams.Add('Identity', $PolicyName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SafeAttachmentPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Safe Attachment policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Safe Attachment policy $PolicyName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdparams.Add('Name', $PolicyName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'New-SafeAttachmentPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Safe Attachment policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Safe Attachment policy $PolicyName." -sev Error -LogData $_
- }
- }
- }
-
- if ($RuleStateIsCorrect -eq $false) {
- $cmdparams = @{
- Priority = 0
- RecipientDomainIs = $AcceptedDomains.Name
- }
-
- if ($RuleState.SafeAttachmentPolicy -ne $PolicyName) {
- $cmdparams.Add('SafeAttachmentPolicy', $PolicyName)
- }
-
- if ($RuleState.Name -eq $RuleName) {
- try {
- $cmdparams.Add('Identity', $RuleName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SafeAttachmentRule' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Safe Attachment rule $RuleName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Safe Attachment rule $RuleName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdparams.Add('Name', $RuleName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'New-SafeAttachmentRule' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Safe Attachment rule $RuleName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Safe Attachment rule $RuleName." -sev Error -LogData $_
- }
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is enabled' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is not enabled' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'SafeAttachmentPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
- } else {
- if ($Settings.remediate -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Safe Attachment policy: Tenant does not have Microsoft Defender for Office 365 license" -sev Error
- }
-
- if ($Settings.alert -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is not enabled: Tenant does not have Microsoft Defender for Office 365 license' -sev Alert
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'SafeAttachmentPolicy' -FieldValue $false -StoreAs bool -Tenant $tenant
- }
- }
-}
+function Invoke-CIPPStandardSafeAttachmentPolicy {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SafeAttachmentPolicy
+ .SYNOPSIS
+ (Label) Default Safe Attachment Policy
+ .DESCRIPTION
+ (Helptext) This creates a Safe Attachment policy
+ (DocsDescription) This creates a Safe Attachment policy
+ .NOTES
+ CAT
+ Defender Standards
+ TAG
+ "CIS"
+ "mdo_safedocuments"
+ "mdo_commonattachmentsfilter"
+ "mdo_safeattachmentpolicy"
+ ADDEDCOMPONENT
+ {"type":"select","multiple":false,"label":"Safe Attachment Action","name":"standards.SafeAttachmentPolicy.SafeAttachmentAction","options":[{"label":"Allow","value":"Allow"},{"label":"Block","value":"Block"},{"label":"DynamicDelivery","value":"DynamicDelivery"}]}
+ {"type":"select","multiple":false,"label":"QuarantineTag","name":"standards.SafeAttachmentPolicy.QuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ {"type":"switch","label":"Redirect","name":"standards.SafeAttachmentPolicy.Redirect"}
+ {"type":"textField","name":"standards.SafeAttachmentPolicy.RedirectAddress","label":"Redirect Address","required":false}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-03-25
+ POWERSHELLEQUIVALENT
+ Set-SafeAttachmentPolicy or New-SafeAttachmentPolicy
+ RECOMMENDEDBY
+ "CIS"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SafeAttachmentPolicy'
+
+ $ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
+ $ServicePlans = $ServicePlans.servicePlans.servicePlanName
+ $MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
+
+ if ($MDOLicensed) {
+ $PolicyList = @('CIPP Default Safe Attachment Policy','Default Safe Attachment Policy')
+ $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentPolicy' | Where-Object -Property Name -In $PolicyList
+ if ($null -eq $ExistingPolicy.Name) {
+ $PolicyName = $PolicyList[0]
+ } else {
+ $PolicyName = $ExistingPolicy.Name
+ }
+ $RuleList = @( 'CIPP Default Safe Attachment Rule','CIPP Default Safe Attachment Policy')
+ $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentRule' | Where-Object -Property Name -In $RuleList
+ if ($null -eq $ExistingRule.Name) {
+ $RuleName = $RuleList[0]
+ } else {
+ $RuleName = $ExistingRule.Name
+ }
+
+ $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentPolicy' |
+ Where-Object -Property Name -EQ $PolicyName |
+ Select-Object Name, Enable, Action, QuarantineTag, Redirect, RedirectAddress
+
+ $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+ ($CurrentState.Enable -eq $true) -and
+ ($CurrentState.Action -eq $Settings.SafeAttachmentAction) -and
+ ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and
+ ($CurrentState.Redirect -eq $Settings.Redirect) -and
+ (($null -eq $Settings.RedirectAddress) -or ($CurrentState.RedirectAddress -eq $Settings.RedirectAddress))
+
+ $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
+
+ $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeAttachmentRule' |
+ Where-Object -Property Name -EQ $RuleName |
+ Select-Object Name, SafeAttachmentPolicy, Priority, RecipientDomainIs
+
+ $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
+ ($RuleState.SafeAttachmentPolicy -eq $PolicyName) -and
+ ($RuleState.Priority -eq 0) -and
+ (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
+
+ if ($Settings.remediate -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy already correctly configured' -sev Info
+ } else {
+ $cmdparams = @{
+ Enable = $true
+ Action = $Settings.SafeAttachmentAction
+ QuarantineTag = $Settings.QuarantineTag
+ Redirect = $Settings.Redirect
+ RedirectAddress = $Settings.RedirectAddress
+ }
+
+ if ($CurrentState.Name -eq $PolicyName) {
+ try {
+ $cmdparams.Add('Identity', $PolicyName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SafeAttachmentPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Safe Attachment policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Safe Attachment policy $PolicyName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdparams.Add('Name', $PolicyName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-SafeAttachmentPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Safe Attachment policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Safe Attachment policy $PolicyName." -sev Error -LogData $_
+ }
+ }
+ }
+
+ if ($RuleStateIsCorrect -eq $false) {
+ $cmdparams = @{
+ Priority = 0
+ RecipientDomainIs = $AcceptedDomains.Name
+ }
+
+ if ($RuleState.SafeAttachmentPolicy -ne $PolicyName) {
+ $cmdparams.Add('SafeAttachmentPolicy', $PolicyName)
+ }
+
+ if ($RuleState.Name -eq $RuleName) {
+ try {
+ $cmdparams.Add('Identity', $RuleName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SafeAttachmentRule' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Safe Attachment rule $RuleName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update Safe Attachment rule $RuleName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdparams.Add('Name', $RuleName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-SafeAttachmentRule' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created Safe Attachment rule $RuleName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Safe Attachment rule $RuleName." -sev Error -LogData $_
+ }
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is not enabled' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'SafeAttachmentPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+ } else {
+ if ($Settings.remediate -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create Safe Attachment policy: Tenant does not have Microsoft Defender for Office 365 license" -sev Error
+ }
+
+ if ($Settings.alert -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Safe Attachment Policy is not enabled: Tenant does not have Microsoft Defender for Office 365 license' -sev Alert
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'SafeAttachmentPolicy' -FieldValue $false -StoreAs bool -Tenant $tenant
+ }
+ }
+}
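Review bot: The alert and report branches near the end of the licensed path look only at `$StateIsCorrect`, so a tenant whose policy matches but whose Safe Attachment rule is missing, points at another policy, or does not cover all accepted domains is still logged as "Safe Attachment Policy is enabled" and stored as true. `$RuleStateIsCorrect` is already computed above and drives remediation, so the check could be `if ($StateIsCorrect -eq $true -and $RuleStateIsCorrect -eq $true)` and the report could use `-FieldValue ($StateIsCorrect -and $RuleStateIsCorrect)`. Separately, if both names in `$PolicyList` (or `$RuleList`) exist in the tenant, `$ExistingPolicy.Name` is presumably an array and the later `-EQ $PolicyName` filters would not behave as intended; selecting the first match with `| Select-Object -First 1` would avoid that.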
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1
index 830fc109a688..a9ad0f3cbd8d 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1
@@ -1,177 +1,179 @@
-function Invoke-CIPPStandardSafeLinksPolicy {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SafeLinksPolicy
- .SYNOPSIS
- (Label) Default SafeLinks Policy
- .DESCRIPTION
- (Helptext) This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders
- (DocsDescription) This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders
- .NOTES
- CAT
- Defender Standards
- TAG
- "CIS"
- "mdo_safelinksforemail"
- "mdo_safelinksforOfficeApps"
- ADDEDCOMPONENT
- {"type":"switch","label":"AllowClickThrough","name":"standards.SafeLinksPolicy.AllowClickThrough"}
- {"type":"switch","label":"DisableUrlRewrite","name":"standards.SafeLinksPolicy.DisableUrlRewrite"}
- {"type":"switch","label":"EnableOrganizationBranding","name":"standards.SafeLinksPolicy.EnableOrganizationBranding"}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-SafeLinksPolicy or New-SafeLinksPolicy
- RECOMMENDEDBY
- "CIS"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SafeLinksPolicy'
-
- $ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
- $ServicePlans = $ServicePlans.servicePlans.servicePlanName
- $MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
-
- if ($MDOLicensed) {
- $PolicyList = @('CIPP Default SafeLinks Policy','Default SafeLinks Policy')
- $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeLinksPolicy' | Where-Object -Property Name -In $PolicyList
- if ($null -eq $ExistingPolicy.Name) {
- $PolicyName = $PolicyList[0]
- } else {
- $PolicyName = $ExistingPolicy.Name
- }
- $RuleList = @( 'CIPP Default SafeLinks Rule','CIPP Default SafeLinks Policy')
- $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeLinksRule' | Where-Object -Property Name -In $RuleList
- if ($null -eq $ExistingRule.Name) {
- $RuleName = $RuleList[0]
- } else {
- $RuleName = $ExistingRule.Name
- }
-
- $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeLinksPolicy' |
- Where-Object -Property Name -EQ $PolicyName |
- Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice, TrackClicks, AllowClickThrough, ScanUrls, EnableForInternalSenders, DeliverMessageAfterScan, DisableUrlRewrite, EnableOrganizationBranding
-
- $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
- ($CurrentState.EnableSafeLinksForEmail -eq $true) -and
- ($CurrentState.EnableSafeLinksForTeams -eq $true) -and
- ($CurrentState.EnableSafeLinksForOffice -eq $true) -and
- ($CurrentState.TrackClicks -eq $true) -and
- ($CurrentState.ScanUrls -eq $true) -and
- ($CurrentState.EnableForInternalSenders -eq $true) -and
- ($CurrentState.DeliverMessageAfterScan -eq $true) -and
- ($CurrentState.AllowClickThrough -eq $Settings.AllowClickThrough) -and
- ($CurrentState.DisableUrlRewrite -eq $Settings.DisableUrlRewrite) -and
- ($CurrentState.EnableOrganizationBranding -eq $Settings.EnableOrganizationBranding)
-
- $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
-
- $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeLinksRule' |
- Where-Object -Property Name -EQ $RuleName |
- Select-Object Name, SafeLinksPolicy, Priority, RecipientDomainIs
-
- $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
- ($RuleState.SafeLinksPolicy -eq $PolicyName) -and
- ($RuleState.Priority -eq 0) -and
- (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
-
- if ($Settings.remediate -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'SafeLink Policy already correctly configured' -sev Info
- } else {
- $cmdparams = @{
- EnableSafeLinksForEmail = $true
- EnableSafeLinksForTeams = $true
- EnableSafeLinksForOffice = $true
- TrackClicks = $true
- ScanUrls = $true
- EnableForInternalSenders = $true
- DeliverMessageAfterScan = $true
- AllowClickThrough = $Settings.AllowClickThrough
- DisableUrlRewrite = $Settings.DisableUrlRewrite
- EnableOrganizationBranding = $Settings.EnableOrganizationBranding
- }
-
- if ($CurrentState.Name -eq $Policyname) {
- try {
- $cmdparams.Add('Identity', $PolicyName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SafeLinksPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated SafeLink policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update SafeLink policy $PolicyName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdparams.Add('Name', $PolicyName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'New-SafeLinksPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created SafeLink policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create SafeLink policy $PolicyName." -sev Error -LogData $_
- }
- }
- }
-
- if ($RuleStateIsCorrect -eq $false) {
- $cmdparams = @{
- Priority = 0
- RecipientDomainIs = $AcceptedDomains.Name
- }
-
- if ($RuleState.SafeLinksPolicy -ne $PolicyName) {
- $cmdparams.Add('SafeLinksPolicy', $PolicyName)
- }
-
- if ($RuleState.Name -eq $RuleName) {
- try {
- $cmdparams.Add('Identity', $RuleName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SafeLinksRule' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated SafeLink rule $RuleName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update SafeLink rule $RuleName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdparams.Add('Name', $RuleName)
- New-ExoRequest -tenantid $Tenant -cmdlet 'New-SafeLinksRule' -cmdparams $cmdparams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created SafeLink rule $RuleName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create SafeLink rule $RuleName." -sev Error -LogData $_
- }
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'SafeLink Policy is enabled' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'SafeLink Policy is not enabled' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'SafeLinksPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
- }
- } else {
- if ($Settings.remediate -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create SafeLink policy: Tenant does not have Microsoft Defender for Office 365 license" -sev Error
- }
-
- if ($Settings.alert -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'SafeLink Policy is not enabled: Tenant does not have Microsoft Defender for Office 365 license' -sev Alert
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'SafeLinksPolicy' -FieldValue $false -StoreAs bool -Tenant $tenant
- }
- }
-}
+function Invoke-CIPPStandardSafeLinksPolicy {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SafeLinksPolicy
+ .SYNOPSIS
+ (Label) Default SafeLinks Policy
+ .DESCRIPTION
+ (Helptext) This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders
+ (DocsDescription) This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders
+ .NOTES
+ CAT
+ Defender Standards
+ TAG
+ "CIS"
+ "mdo_safelinksforemail"
+ "mdo_safelinksforOfficeApps"
+ ADDEDCOMPONENT
+ {"type":"switch","label":"AllowClickThrough","name":"standards.SafeLinksPolicy.AllowClickThrough"}
+ {"type":"switch","label":"DisableUrlRewrite","name":"standards.SafeLinksPolicy.DisableUrlRewrite"}
+ {"type":"switch","label":"EnableOrganizationBranding","name":"standards.SafeLinksPolicy.EnableOrganizationBranding"}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-03-25
+ POWERSHELLEQUIVALENT
+ Set-SafeLinksPolicy or New-SafeLinksPolicy
+ RECOMMENDEDBY
+ "CIS"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SafeLinksPolicy'
+
+ $ServicePlans = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/subscribedSkus?$select=servicePlans' -tenantid $Tenant
+ $ServicePlans = $ServicePlans.servicePlans.servicePlanName
+ $MDOLicensed = $ServicePlans -contains "ATP_ENTERPRISE"
+
+ if ($MDOLicensed) {
+ $PolicyList = @('CIPP Default SafeLinks Policy','Default SafeLinks Policy')
+ $ExistingPolicy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeLinksPolicy' | Where-Object -Property Name -In $PolicyList
+ if ($null -eq $ExistingPolicy.Name) {
+ $PolicyName = $PolicyList[0]
+ } else {
+ $PolicyName = $ExistingPolicy.Name
+ }
+ $RuleList = @( 'CIPP Default SafeLinks Rule','CIPP Default SafeLinks Policy')
+ $ExistingRule = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeLinksRule' | Where-Object -Property Name -In $RuleList
+ if ($null -eq $ExistingRule.Name) {
+ $RuleName = $RuleList[0]
+ } else {
+ $RuleName = $ExistingRule.Name
+ }
+
+ $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeLinksPolicy' |
+ Where-Object -Property Name -EQ $PolicyName |
+ Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice, TrackClicks, AllowClickThrough, ScanUrls, EnableForInternalSenders, DeliverMessageAfterScan, DisableUrlRewrite, EnableOrganizationBranding
+
+ $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+ ($CurrentState.EnableSafeLinksForEmail -eq $true) -and
+ ($CurrentState.EnableSafeLinksForTeams -eq $true) -and
+ ($CurrentState.EnableSafeLinksForOffice -eq $true) -and
+ ($CurrentState.TrackClicks -eq $true) -and
+ ($CurrentState.ScanUrls -eq $true) -and
+ ($CurrentState.EnableForInternalSenders -eq $true) -and
+ ($CurrentState.DeliverMessageAfterScan -eq $true) -and
+ ($CurrentState.AllowClickThrough -eq $Settings.AllowClickThrough) -and
+ ($CurrentState.DisableUrlRewrite -eq $Settings.DisableUrlRewrite) -and
+ ($CurrentState.EnableOrganizationBranding -eq $Settings.EnableOrganizationBranding)
+
+ $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain'
+
+ $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SafeLinksRule' |
+ Where-Object -Property Name -EQ $RuleName |
+ Select-Object Name, SafeLinksPolicy, Priority, RecipientDomainIs
+
+ $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and
+ ($RuleState.SafeLinksPolicy -eq $PolicyName) -and
+ ($RuleState.Priority -eq 0) -and
+ (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
+
+ if ($Settings.remediate -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'SafeLink Policy already correctly configured' -sev Info
+ } else {
+ $cmdparams = @{
+ EnableSafeLinksForEmail = $true
+ EnableSafeLinksForTeams = $true
+ EnableSafeLinksForOffice = $true
+ TrackClicks = $true
+ ScanUrls = $true
+ EnableForInternalSenders = $true
+ DeliverMessageAfterScan = $true
+ AllowClickThrough = $Settings.AllowClickThrough
+ DisableUrlRewrite = $Settings.DisableUrlRewrite
+ EnableOrganizationBranding = $Settings.EnableOrganizationBranding
+ }
+
+ if ($CurrentState.Name -eq $Policyname) {
+ try {
+ $cmdparams.Add('Identity', $PolicyName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SafeLinksPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated SafeLink policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update SafeLink policy $PolicyName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdparams.Add('Name', $PolicyName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-SafeLinksPolicy' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created SafeLink policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create SafeLink policy $PolicyName." -sev Error -LogData $_
+ }
+ }
+ }
+
+ if ($RuleStateIsCorrect -eq $false) {
+ $cmdparams = @{
+ Priority = 0
+ RecipientDomainIs = $AcceptedDomains.Name
+ }
+
+ if ($RuleState.SafeLinksPolicy -ne $PolicyName) {
+ $cmdparams.Add('SafeLinksPolicy', $PolicyName)
+ }
+
+ if ($RuleState.Name -eq $RuleName) {
+ try {
+ $cmdparams.Add('Identity', $RuleName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'Set-SafeLinksRule' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated SafeLink rule $RuleName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to update SafeLink rule $RuleName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdparams.Add('Name', $RuleName)
+ New-ExoRequest -tenantid $Tenant -cmdlet 'New-SafeLinksRule' -cmdparams $cmdparams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Created SafeLink rule $RuleName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create SafeLink rule $RuleName." -sev Error -LogData $_
+ }
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'SafeLink Policy is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'SafeLink Policy is not enabled' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'SafeLinksPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+ } else {
+ if ($Settings.remediate -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to create SafeLink policy: Tenant does not have Microsoft Defender for Office 365 license" -sev Error
+ }
+
+ if ($Settings.alert -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'SafeLink Policy is not enabled: Tenant does not have Microsoft Defender for Office 365 license' -sev Alert
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'SafeLinksPolicy' -FieldValue $false -StoreAs bool -Tenant $tenant
+ }
+ }
+}
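Review bot: The alert and report branches at the end of Invoke-CIPPStandardSafeLinksPolicy test only `$StateIsCorrect`, so a tenant is still logged as 'SafeLink Policy is enabled' and stored as true in the BPA field when its policy settings match but its Safe Links rule is missing, points at another policy, is not at priority 0, or does not cover every accepted domain. `$RuleStateIsCorrect` is already computed earlier in the function and drives remediation, and as far as I know a custom Safe Links policy protects only the recipients its rule names, so the compliance result should include it: `if ($StateIsCorrect -eq $true -and $RuleStateIsCorrect -eq $true) {` in the alert branch and `-FieldValue ($StateIsCorrect -and $RuleStateIsCorrect)` in the Add-CIPPBPAField call. The tail of the Safe Attachment function in the preceding hunk shows the same alert/report pattern, though its start is outside this view. Separately, if both names in `$PolicyList` exist in a tenant, `$ExistingPolicy.Name` is presumably an array and the later `-EQ $PolicyName` filter would match nothing; taking one match with `$ExistingPolicy | Select-Object -First 1` before reading `.Name` would avoid that.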
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1
index cc20e9cd1950..c68ec98e4a0a 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardSafeSendersDisable {
IMPACT
Medium Impact
+ ADDEDDATE
+ 2023-10-26
POWERSHELLEQUIVALENT
Set-MailboxJunkEmailConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1
index 1086d7bc1be8..90e2db0be9df 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardSecurityDefaults {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2021-11-19
POWERSHELLEQUIVALENT
[Read more here](https://www.cyberdrain.com/automating-with-powershell-enabling-secure-defaults-and-sd-explained/)
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1
index df66513ff40c..766b57bf21c0 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardSendFromAlias {
ADDEDCOMPONENT
IMPACT
Medium Impact
+ ADDEDDATE
+ 2022-05-25
POWERSHELLEQUIVALENT
Set-Mailbox
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1
index a3973401f009..90616d76e459 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1
@@ -14,10 +14,12 @@ function Invoke-CIPPStandardSendReceiveLimitTenant {
Exchange Standards
TAG
ADDEDCOMPONENT
- {"type":"number","name":"standards.SendReceiveLimitTenant.SendLimit","label":"Send limit in MB (Default is 35)","default":35}
- {"type":"number","name":"standards.SendReceiveLimitTenant.ReceiveLimit","label":"Receive Limit in MB (Default is 36)","default":36}
+ {"type":"number","name":"standards.SendReceiveLimitTenant.SendLimit","label":"Send limit in MB (Default is 35)","defaultValue":35}
+ {"type":"number","name":"standards.SendReceiveLimitTenant.ReceiveLimit","label":"Receive Limit in MB (Default is 36)","defaultValue":36}
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-11-16
POWERSHELLEQUIVALENT
Set-MailboxPlan
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1
index 6eec8093a260..f1e267db8efd 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1
@@ -15,10 +15,12 @@ function Invoke-CIPPStandardShortenMeetings {
TAG
ADDEDCOMPONENT
{"type":"autoComplete","multiple":false,"label":"Select value","name":"standards.ShortenMeetings.ShortenEventScopeDefault","options":[{"label":"Disabled/None","value":"None"},{"label":"End early","value":"EndEarly"},{"label":"Start late","value":"StartLate"}]}
- {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceShortEventsBy","label":"Minutes to reduce short calendar events by (Default is 5)","default":5}
- {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceLongEventsBy","label":"Minutes to reduce long calendar events by (Default is 10)","default":10}
+ {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceShortEventsBy","label":"Minutes to reduce short calendar events by (Default is 5)","defaultValue":5}
+ {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceLongEventsBy","label":"Minutes to reduce long calendar events by (Default is 10)","defaultValue":10}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2024-05-27
POWERSHELLEQUIVALENT
Set-OrganizationConfig -ShortenEventScopeDefault -DefaultMinutesToReduceShortEventsBy -DefaultMinutesToReduceLongEventsBy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpamFilterPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpamFilterPolicy.ps1
index 953c72248cf9..3c5bc4a59466 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpamFilterPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpamFilterPolicy.ps1
@@ -1,187 +1,189 @@
-function Invoke-CIPPStandardSpamFilterPolicy {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) SpamFilterPolicy
- .SYNOPSIS
- (Label) Default Spam Filter Policy
- .DESCRIPTION
- (Helptext) This standard creates a Spam filter policy similar to the default strict policy.
- (DocsDescription) This standard creates a Spam filter policy similar to the default strict policy.
- .NOTES
- CAT
- Defender Standards
- TAG
- ADDEDCOMPONENT
- {"type":"number","label":"Bulk email threshold (Default 7)","name":"standards.SpamFilterPolicy.BulkThreshold","default":7}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Spam Action","name":"standards.SpamFilterPolicy.SpamAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move message to Junk Email folder","value":"MoveToJmf"}]}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Spam Quarantine Tag","name":"standards.SpamFilterPolicy.SpamQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"High Confidence Spam Action","name":"standards.SpamFilterPolicy.HighConfidenceSpamAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move message to Junk Email folder","value":"MoveToJmf"}]}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"High Confidence Spam Quarantine Tag","name":"standards.SpamFilterPolicy.HighConfidenceSpamQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Bulk Spam Action","name":"standards.SpamFilterPolicy.BulkSpamAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move message to Junk Email folder","value":"MoveToJmf"}]}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Bulk Quarantine Tag","name":"standards.SpamFilterPolicy.BulkQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Phish Spam Action","name":"standards.SpamFilterPolicy.PhishSpamAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move message to Junk Email folder","value":"MoveToJmf"}]}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Phish Quarantine Tag","name":"standards.SpamFilterPolicy.PhishQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"High Confidence Phish Quarantine Tag","name":"standards.SpamFilterPolicy.HighConfidencePhishQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
- IMPACT
- Medium Impact
- POWERSHELLEQUIVALENT
- New-HostedContentFilterPolicy or Set-HostedContentFilterPolicy
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#medium-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SpamFilterPolicy'
-
- $PolicyName = 'CIPP Default Spam Filter Policy'
-
- $CurrentState = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-HostedContentFilterPolicy' |
- Where-Object -Property Name -EQ $PolicyName |
- Select-Object -Property *
-
- $SpamAction = $Settings.SpamAction.value ?? $Settings.SpamAction
- $SpamQuarantineTag = $Settings.SpamQuarantineTag.value ?? $Settings.SpamQuarantineTag
- $HighConfidenceSpamAction = $Settings.HighConfidenceSpamAction.value ?? $Settings.HighConfidenceSpamAction
- $HighConfidenceSpamQuarantineTag = $Settings.HighConfidenceSpamQuarantineTag.value ?? $Settings.HighConfidenceSpamQuarantineTag
- $BulkSpamAction = $Settings.BulkSpamAction.value ?? $Settings.BulkSpamAction
- $BulkQuarantineTag = $Settings.BulkQuarantineTag.value ?? $Settings.BulkQuarantineTag
- $PhishSpamAction = $Settings.PhishSpamAction.value ?? $Settings.PhishSpamAction
- $PhishQuarantineTag = $Settings.PhishQuarantineTag.value ?? $Settings.PhishQuarantineTag
- $HighConfidencePhishQuarantineTag = $Settings.HighConfidencePhishQuarantineTag.value ?? $Settings.HighConfidencePhishQuarantineTag
-
- $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
- ($CurrentState.SpamAction -eq $SpamAction) -and
- ($CurrentState.SpamQuarantineTag -eq $SpamQuarantineTag) -and
- ($CurrentState.HighConfidenceSpamAction -eq $HighConfidenceSpamAction) -and
- ($CurrentState.HighConfidenceSpamQuarantineTag -eq $HighConfidenceSpamQuarantineTag) -and
- ($CurrentState.BulkSpamAction -eq $BulkSpamAction) -and
- ($CurrentState.BulkQuarantineTag -eq $BulkQuarantineTag) -and
- ($CurrentState.PhishSpamAction -eq $PhishSpamAction) -and
- ($CurrentState.PhishQuarantineTag -eq $PhishQuarantineTag) -and
- ($CurrentState.HighConfidencePhishAction -eq 'Quarantine') -and
- ($CurrentState.HighConfidencePhishQuarantineTag -eq $HighConfidencePhishQuarantineTag) -and
- ($CurrentState.BulkThreshold -eq $Settings.BulkThreshold) -and
- ($CurrentState.QuarantineRetentionPeriod -eq 30) -and
- ($CurrentState.IncreaseScoreWithNumericIps -eq 'On') -and
- ($CurrentState.IncreaseScoreWithRedirectToOtherPort -eq 'On') -and
- ($CurrentState.MarkAsSpamEmptyMessages -eq 'On') -and
- ($CurrentState.MarkAsSpamJavaScriptInHtml -eq 'On') -and
- ($CurrentState.MarkAsSpamSpfRecordHardFail -eq 'On') -and
- ($CurrentState.MarkAsSpamFromAddressAuthFail -eq 'On') -and
- ($CurrentState.MarkAsSpamNdrBackscatter -eq 'On') -and
- ($CurrentState.MarkAsSpamBulkMail -eq 'On') -and
- ($CurrentState.InlineSafetyTipsEnabled -eq $true) -and
- ($CurrentState.PhishZapEnabled -eq $true) -and
- ($CurrentState.SpamZapEnabled -eq $true)
-
- $AcceptedDomains = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-AcceptedDomain'
-
- $RuleState = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-HostedContentFilterRule' |
- Where-Object -Property Name -EQ $PolicyName |
- Select-Object -Property *
-
- $RuleStateIsCorrect = ($RuleState.Name -eq $PolicyName) -and
- ($RuleState.HostedContentFilterPolicy -eq $PolicyName) -and
- ($RuleState.Priority -eq 0) -and
- (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message 'Spam Filter Policy already correctly configured' -sev Info
- } else {
- $cmdparams = @{
- SpamAction = $SpamAction
- SpamQuarantineTag = $SpamQuarantineTag
- HighConfidenceSpamAction = $HighConfidenceSpamAction
- HighConfidenceSpamQuarantineTag = $HighConfidenceSpamQuarantineTag
- BulkSpamAction = $BulkSpamAction
- BulkQuarantineTag = $BulkQuarantineTag
- PhishSpamAction = $PhishSpamAction
- PhishQuarantineTag = $PhishQuarantineTag
- HighConfidencePhishAction = 'Quarantine'
- HighConfidencePhishQuarantineTag = $HighConfidencePhishQuarantineTag
- BulkThreshold = $Settings.BulkThreshold
- QuarantineRetentionPeriod = 30
- IncreaseScoreWithNumericIps = 'On'
- IncreaseScoreWithRedirectToOtherPort = 'On'
- MarkAsSpamEmptyMessages = 'On'
- MarkAsSpamJavaScriptInHtml = 'On'
- MarkAsSpamSpfRecordHardFail = 'On'
- MarkAsSpamFromAddressAuthFail = 'On'
- MarkAsSpamNdrBackscatter = 'On'
- MarkAsSpamBulkMail = 'On'
- InlineSafetyTipsEnabled = $true
- PhishZapEnabled = $true
- SpamZapEnabled = $true
- }
- Write-Host '================== DEBUG =================='
- Write-Host $cmdParams
-
- if ($CurrentState.Name -eq $PolicyName) {
- try {
- $cmdParams.Add('Identity', $PolicyName)
- $null = New-ExoRequest -TenantId $Tenant -cmdlet 'Set-HostedContentFilterPolicy' -cmdParams $cmdParams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Updated Spam Filter policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Failed to update Spam Filter policy $PolicyName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdParams.Add('Name', $PolicyName)
- $null = New-ExoRequest -TenantId $Tenant -cmdlet 'New-HostedContentFilterPolicy' -cmdParams $cmdParams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Created Spam Filter policy $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Failed to create Spam Filter policy $PolicyName." -sev Error -LogData $_
- }
- }
- }
-
- if ($RuleStateIsCorrect -eq $false) {
- $cmdParams = @{
- Priority = 0
- RecipientDomainIs = $AcceptedDomains.Name
- }
-
- if ($RuleState.HostedContentFilterPolicy -ne $PolicyName) {
- $cmdParams.Add('HostedContentFilterPolicy', $PolicyName)
- }
-
- if ($RuleState.Name -eq $PolicyName) {
- try {
- $cmdParams.Add('Identity', "$PolicyName")
- $null = New-ExoRequest -TenantId $Tenant -cmdlet 'Set-HostedContentFilterRule' -cmdParams $cmdParams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Updated Spam Filter rule $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Failed to update Spam Filter rule $PolicyName." -sev Error -LogData $_
- }
- } else {
- try {
- $cmdParams.Add('Name', "$PolicyName")
- $null = New-ExoRequest -TenantId $Tenant -cmdlet 'New-HostedContentFilterRule' -cmdParams $cmdParams -UseSystemMailbox $true
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Created Spam Filter rule $PolicyName." -sev Info
- } catch {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Failed to create Spam Filter rule $PolicyName." -sev Error -LogData $_
- }
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
-
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message 'Spam Filter Policy is enabled' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -Tenant $Tenant -message 'Spam Filter Policy is not enabled' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'SpamFilterPolicy' -FieldValue $StateIsCorrect -StoreAs [bool] -Tenant $Tenant
- }
-
-}
+function Invoke-CIPPStandardSpamFilterPolicy {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) SpamFilterPolicy
+ .SYNOPSIS
+ (Label) Default Spam Filter Policy
+ .DESCRIPTION
+ (Helptext) This standard creates a Spam filter policy similar to the default strict policy.
+ (DocsDescription) This standard creates a Spam filter policy similar to the default strict policy.
+ .NOTES
+ CAT
+ Defender Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"number","label":"Bulk email threshold (Default 7)","name":"standards.SpamFilterPolicy.BulkThreshold","defaultValue":7}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Spam Action","name":"standards.SpamFilterPolicy.SpamAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move message to Junk Email folder","value":"MoveToJmf"}]}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Spam Quarantine Tag","name":"standards.SpamFilterPolicy.SpamQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"High Confidence Spam Action","name":"standards.SpamFilterPolicy.HighConfidenceSpamAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move message to Junk Email folder","value":"MoveToJmf"}]}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"High Confidence Spam Quarantine Tag","name":"standards.SpamFilterPolicy.HighConfidenceSpamQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Bulk Spam Action","name":"standards.SpamFilterPolicy.BulkSpamAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move message to Junk Email folder","value":"MoveToJmf"}]}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Bulk Quarantine Tag","name":"standards.SpamFilterPolicy.BulkQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Phish Spam Action","name":"standards.SpamFilterPolicy.PhishSpamAction","options":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move message to Junk Email folder","value":"MoveToJmf"}]}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"Phish Quarantine Tag","name":"standards.SpamFilterPolicy.PhishQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"label":"High Confidence Phish Quarantine Tag","name":"standards.SpamFilterPolicy.HighConfidencePhishQuarantineTag","options":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]}
+ IMPACT
+ Medium Impact
+ ADDEDDATE
+ 2024-07-15
+ POWERSHELLEQUIVALENT
+ New-HostedContentFilterPolicy or Set-HostedContentFilterPolicy
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/defender-standards#medium-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'SpamFilterPolicy'
+
+ $PolicyName = 'CIPP Default Spam Filter Policy'
+
+ $CurrentState = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-HostedContentFilterPolicy' |
+ Where-Object -Property Name -EQ $PolicyName |
+ Select-Object -Property *
+
+ $SpamAction = $Settings.SpamAction.value ?? $Settings.SpamAction
+ $SpamQuarantineTag = $Settings.SpamQuarantineTag.value ?? $Settings.SpamQuarantineTag
+ $HighConfidenceSpamAction = $Settings.HighConfidenceSpamAction.value ?? $Settings.HighConfidenceSpamAction
+ $HighConfidenceSpamQuarantineTag = $Settings.HighConfidenceSpamQuarantineTag.value ?? $Settings.HighConfidenceSpamQuarantineTag
+ $BulkSpamAction = $Settings.BulkSpamAction.value ?? $Settings.BulkSpamAction
+ $BulkQuarantineTag = $Settings.BulkQuarantineTag.value ?? $Settings.BulkQuarantineTag
+ $PhishSpamAction = $Settings.PhishSpamAction.value ?? $Settings.PhishSpamAction
+ $PhishQuarantineTag = $Settings.PhishQuarantineTag.value ?? $Settings.PhishQuarantineTag
+ $HighConfidencePhishQuarantineTag = $Settings.HighConfidencePhishQuarantineTag.value ?? $Settings.HighConfidencePhishQuarantineTag
+
+ $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and
+ ($CurrentState.SpamAction -eq $SpamAction) -and
+ ($CurrentState.SpamQuarantineTag -eq $SpamQuarantineTag) -and
+ ($CurrentState.HighConfidenceSpamAction -eq $HighConfidenceSpamAction) -and
+ ($CurrentState.HighConfidenceSpamQuarantineTag -eq $HighConfidenceSpamQuarantineTag) -and
+ ($CurrentState.BulkSpamAction -eq $BulkSpamAction) -and
+ ($CurrentState.BulkQuarantineTag -eq $BulkQuarantineTag) -and
+ ($CurrentState.PhishSpamAction -eq $PhishSpamAction) -and
+ ($CurrentState.PhishQuarantineTag -eq $PhishQuarantineTag) -and
+ ($CurrentState.HighConfidencePhishAction -eq 'Quarantine') -and
+ ($CurrentState.HighConfidencePhishQuarantineTag -eq $HighConfidencePhishQuarantineTag) -and
+ ($CurrentState.BulkThreshold -eq $Settings.BulkThreshold) -and
+ ($CurrentState.QuarantineRetentionPeriod -eq 30) -and
+ ($CurrentState.IncreaseScoreWithNumericIps -eq 'On') -and
+ ($CurrentState.IncreaseScoreWithRedirectToOtherPort -eq 'On') -and
+ ($CurrentState.MarkAsSpamEmptyMessages -eq 'On') -and
+ ($CurrentState.MarkAsSpamJavaScriptInHtml -eq 'On') -and
+ ($CurrentState.MarkAsSpamSpfRecordHardFail -eq 'On') -and
+ ($CurrentState.MarkAsSpamFromAddressAuthFail -eq 'On') -and
+ ($CurrentState.MarkAsSpamNdrBackscatter -eq 'On') -and
+ ($CurrentState.MarkAsSpamBulkMail -eq 'On') -and
+ ($CurrentState.InlineSafetyTipsEnabled -eq $true) -and
+ ($CurrentState.PhishZapEnabled -eq $true) -and
+ ($CurrentState.SpamZapEnabled -eq $true)
+
+ $AcceptedDomains = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-AcceptedDomain'
+
+ $RuleState = New-ExoRequest -TenantId $Tenant -cmdlet 'Get-HostedContentFilterRule' |
+ Where-Object -Property Name -EQ $PolicyName |
+ Select-Object -Property *
+
+ $RuleStateIsCorrect = ($RuleState.Name -eq $PolicyName) -and
+ ($RuleState.HostedContentFilterPolicy -eq $PolicyName) -and
+ ($RuleState.Priority -eq 0) -and
+ (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name))
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message 'Spam Filter Policy already correctly configured' -sev Info
+ } else {
+ $cmdparams = @{
+ SpamAction = $SpamAction
+ SpamQuarantineTag = $SpamQuarantineTag
+ HighConfidenceSpamAction = $HighConfidenceSpamAction
+ HighConfidenceSpamQuarantineTag = $HighConfidenceSpamQuarantineTag
+ BulkSpamAction = $BulkSpamAction
+ BulkQuarantineTag = $BulkQuarantineTag
+ PhishSpamAction = $PhishSpamAction
+ PhishQuarantineTag = $PhishQuarantineTag
+ HighConfidencePhishAction = 'Quarantine'
+ HighConfidencePhishQuarantineTag = $HighConfidencePhishQuarantineTag
+ BulkThreshold = $Settings.BulkThreshold
+ QuarantineRetentionPeriod = 30
+ IncreaseScoreWithNumericIps = 'On'
+ IncreaseScoreWithRedirectToOtherPort = 'On'
+ MarkAsSpamEmptyMessages = 'On'
+ MarkAsSpamJavaScriptInHtml = 'On'
+ MarkAsSpamSpfRecordHardFail = 'On'
+ MarkAsSpamFromAddressAuthFail = 'On'
+ MarkAsSpamNdrBackscatter = 'On'
+ MarkAsSpamBulkMail = 'On'
+ InlineSafetyTipsEnabled = $true
+ PhishZapEnabled = $true
+ SpamZapEnabled = $true
+ }
+ Write-Host '================== DEBUG =================='
+ Write-Host $cmdParams
+
+ if ($CurrentState.Name -eq $PolicyName) {
+ try {
+ $cmdParams.Add('Identity', $PolicyName)
+ $null = New-ExoRequest -TenantId $Tenant -cmdlet 'Set-HostedContentFilterPolicy' -cmdParams $cmdParams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Updated Spam Filter policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Failed to update Spam Filter policy $PolicyName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdParams.Add('Name', $PolicyName)
+ $null = New-ExoRequest -TenantId $Tenant -cmdlet 'New-HostedContentFilterPolicy' -cmdParams $cmdParams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Created Spam Filter policy $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Failed to create Spam Filter policy $PolicyName." -sev Error -LogData $_
+ }
+ }
+ }
+
+ if ($RuleStateIsCorrect -eq $false) {
+ $cmdParams = @{
+ Priority = 0
+ RecipientDomainIs = $AcceptedDomains.Name
+ }
+
+ if ($RuleState.HostedContentFilterPolicy -ne $PolicyName) {
+ $cmdParams.Add('HostedContentFilterPolicy', $PolicyName)
+ }
+
+ if ($RuleState.Name -eq $PolicyName) {
+ try {
+ $cmdParams.Add('Identity', "$PolicyName")
+ $null = New-ExoRequest -TenantId $Tenant -cmdlet 'Set-HostedContentFilterRule' -cmdParams $cmdParams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Updated Spam Filter rule $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Failed to update Spam Filter rule $PolicyName." -sev Error -LogData $_
+ }
+ } else {
+ try {
+ $cmdParams.Add('Name', "$PolicyName")
+ $null = New-ExoRequest -TenantId $Tenant -cmdlet 'New-HostedContentFilterRule' -cmdParams $cmdParams -UseSystemMailbox $true
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Created Spam Filter rule $PolicyName." -sev Info
+ } catch {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message "Failed to create Spam Filter rule $PolicyName." -sev Error -LogData $_
+ }
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message 'Spam Filter Policy is enabled' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -Tenant $Tenant -message 'Spam Filter Policy is not enabled' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'SpamFilterPolicy' -FieldValue $StateIsCorrect -StoreAs [bool] -Tenant $Tenant
+ }
+
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1
index e6958b9e686e..9fadf659d79a 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardSpoofWarn {
{"type":"autoComplete","multiple":false,"label":"Select value","name":"standards.SpoofWarn.state","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2021-11-16
POWERSHELLEQUIVALENT
Set-ExternalInOutlook –Enabled \$true or \$false
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardStaleEntraDevices.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardStaleEntraDevices.ps1
index 31b1afda1e09..f380385c7424 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardStaleEntraDevices.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardStaleEntraDevices.ps1
@@ -20,6 +20,8 @@ function Invoke-CIPPStandardStaleEntraDevices {
IMPACT
High Impact
+ ADDEDDATE
+ 2025-01-19
POWERSHELLEQUIVALENT
Remove-MgDevice, Update-MgDevice or Graph API
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1
index 7800b55045bb..8bcb90248721 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardTAP {
{"type":"autoComplete","multiple":false,"creatable":false,"label":"Select TAP Lifetime","name":"standards.TAP.config","options":[{"label":"Only Once","value":"true"},{"label":"Multiple Logons","value":"false"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-03-15
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsEmailIntegration.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsEmailIntegration.ps1
index 5aec26f2c951..5c56f3973b0e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsEmailIntegration.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsEmailIntegration.ps1
@@ -1,70 +1,72 @@
-Function Invoke-CIPPStandardTeamsEmailIntegration {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) TeamsEmailIntegration
- .SYNOPSIS
- (Label) Disallow emails to be sent to channel email addresses
- .DESCRIPTION
- (Helptext) Should users be allowed to send emails directly to a channel email addresses?
- (DocsDescription) Teams channel email addresses are an optional feature that allows users to email the Teams channel directly.
- .NOTES
- CAT
- Teams Standards
- TAG
- ADDEDCOMPONENT
- {"type":"switch","name":"standards.TeamsEmailIntegration.AllowEmailIntoChannel","label":"Allow channel emails"}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-CsTeamsClientConfiguration -AllowEmailIntoChannel \$false
- RECOMMENDEDBY
- "CIS 3.0"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsEmailIntegration'
-
- $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsClientConfiguration' -CmdParams @{Identity = 'Global' }
- | Select-Object AllowEmailIntoChannel
-
- if ($null -eq $Settings.AllowEmailIntoChannel) { $Settings.AllowEmailIntoChannel = $false }
-
- $StateIsCorrect = ($CurrentState.AllowEmailIntoChannel -eq $Settings.AllowEmailIntoChannel)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Email Integration settings already set.' -sev Info
- } else {
- $cmdparams = @{
- Identity = 'Global'
- AllowEmailIntoChannel = $Settings.AllowEmailIntoChannel
- }
-
- try {
- New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsClientConfiguration' -CmdParams $cmdparams
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Teams Email Integration settings' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams Email Integration settings. Error: $ErrorMessage" -sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Email Integration settings is set correctly.' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Email Integration settings is not set correctly.' -sev Alert
- }
- }
-
- if ($Setings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'TeamsEmailIntoChannel' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+Function Invoke-CIPPStandardTeamsEmailIntegration {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) TeamsEmailIntegration
+ .SYNOPSIS
+ (Label) Disallow emails to be sent to channel email addresses
+ .DESCRIPTION
+ (Helptext) Should users be allowed to send emails directly to a channel email addresses?
+ (DocsDescription) Teams channel email addresses are an optional feature that allows users to email the Teams channel directly.
+ .NOTES
+ CAT
+ Teams Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"switch","name":"standards.TeamsEmailIntegration.AllowEmailIntoChannel","label":"Allow channel emails"}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-07-30
+ POWERSHELLEQUIVALENT
+ Set-CsTeamsClientConfiguration -AllowEmailIntoChannel \$false
+ RECOMMENDEDBY
+ "CIS 3.0"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsEmailIntegration'
+
+ $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsClientConfiguration' -CmdParams @{Identity = 'Global' }
+ | Select-Object AllowEmailIntoChannel
+
+ if ($null -eq $Settings.AllowEmailIntoChannel) { $Settings.AllowEmailIntoChannel = $false }
+
+ $StateIsCorrect = ($CurrentState.AllowEmailIntoChannel -eq $Settings.AllowEmailIntoChannel)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Email Integration settings already set.' -sev Info
+ } else {
+ $cmdparams = @{
+ Identity = 'Global'
+ AllowEmailIntoChannel = $Settings.AllowEmailIntoChannel
+ }
+
+ try {
+ New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsClientConfiguration' -CmdParams $cmdparams
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Teams Email Integration settings' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams Email Integration settings. Error: $ErrorMessage" -sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Email Integration settings is set correctly.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Email Integration settings is not set correctly.' -sev Alert
+ }
+ }
+
+ if ($Setings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'TeamsEmailIntoChannel' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
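Review bot: The last `if` of the re-added function tests `$Setings.report`, a misspelling of `$Settings`, so it reads a variable that is never assigned anywhere in this file. Without strict mode that expression is `$null`, the comparison is false, and `Add-CIPPBPAField` is never called, so the tenant's compliance state for this standard is presumably never written to the report even when reporting is enabled. The line should read `if ($Settings.report -eq $true) {`. The same misspelling is carried into the new side of the Invoke-CIPPStandardTeamsExternalAccessPolicy.ps1 hunk further down, while Invoke-CIPPStandardTeamsEnrollUser.ps1 already spells it correctly. Since this commit rewrites every line of both files for the line-ending change, it is a low-risk place to fix both.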
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsEnrollUser.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsEnrollUser.ps1
index 77d3aa8258b6..2bf0c363a414 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsEnrollUser.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsEnrollUser.ps1
@@ -1,69 +1,71 @@
-Function Invoke-CIPPStandardTeamsEnrollUser {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) TeamsEnrollUser
- .SYNOPSIS
- (Label) Default voice and face enrollment
- .DESCRIPTION
- (Helptext) Controls whether users with this policy can set the voice profile capture and enrollment through the Recognition tab in their Teams client settings.
- (DocsDescription) Controls whether users with this policy can set the voice profile capture and enrollment through the Recognition tab in their Teams client settings.
- .NOTES
- CAT
- Teams Standards
- TAG
- ADDEDCOMPONENT
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsEnrollUser.EnrollUserOverride","label":"Voice and Face Enrollment","options":[{"label":"Disabled","value":"Disabled"},{"label":"Enabled","value":"Enabled"}]}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-CsTeamsMeetingPolicy -Identity Global -EnrollUserOverride \$false
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#low-impact
- #>
-
- param($Tenant, $Settings)
-
- # Get EnrollUserOverride value using null-coalescing operator
- $enrollUserOverride = $Settings.EnrollUserOverride.value ?? $Settings.EnrollUserOverride
-
- $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsMeetingPolicy' -cmdParams @{Identity = 'Global' }
- | Select-Object EnrollUserOverride
-
- $StateIsCorrect = ($CurrentState.EnrollUserOverride -eq $enrollUserOverride)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Teams Enroll User Override settings already set to $enrollUserOverride." -sev Info
- } else {
- $cmdParams = @{
- Identity = 'Global'
- EnrollUserOverride = $enrollUserOverride
- }
-
- try {
- $null = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsMeetingPolicy' -cmdParams $cmdParams
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Teams Enroll User Override setting to $enrollUserOverride." -sev Info
- } catch {
- $ErrorMessage = Get-CippException -Exception $_
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams Enroll User Override setting to $enrollUserOverride." -sev Error -LogData $ErrorMessage
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Enroll User Override settings is set correctly.' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Enroll User Override settings is not set correctly.' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'TeamsEnrollUser' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+Function Invoke-CIPPStandardTeamsEnrollUser {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) TeamsEnrollUser
+ .SYNOPSIS
+ (Label) Default voice and face enrollment
+ .DESCRIPTION
+ (Helptext) Controls whether users with this policy can set the voice profile capture and enrollment through the Recognition tab in their Teams client settings.
+ (DocsDescription) Controls whether users with this policy can set the voice profile capture and enrollment through the Recognition tab in their Teams client settings.
+ .NOTES
+ CAT
+ Teams Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsEnrollUser.EnrollUserOverride","label":"Voice and Face Enrollment","options":[{"label":"Disabled","value":"Disabled"},{"label":"Enabled","value":"Enabled"}]}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-11-12
+ POWERSHELLEQUIVALENT
+ Set-CsTeamsMeetingPolicy -Identity Global -EnrollUserOverride \$false
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+
+ # Get EnrollUserOverride value using null-coalescing operator
+ $enrollUserOverride = $Settings.EnrollUserOverride.value ?? $Settings.EnrollUserOverride
+
+ $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsMeetingPolicy' -cmdParams @{Identity = 'Global' }
+ | Select-Object EnrollUserOverride
+
+ $StateIsCorrect = ($CurrentState.EnrollUserOverride -eq $enrollUserOverride)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Teams Enroll User Override settings already set to $enrollUserOverride." -sev Info
+ } else {
+ $cmdParams = @{
+ Identity = 'Global'
+ EnrollUserOverride = $enrollUserOverride
+ }
+
+ try {
+ $null = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsMeetingPolicy' -cmdParams $cmdParams
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Updated Teams Enroll User Override setting to $enrollUserOverride." -sev Info
+ } catch {
+ $ErrorMessage = Get-CippException -Exception $_
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams Enroll User Override setting to $enrollUserOverride." -sev Error -LogData $ErrorMessage
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Enroll User Override settings is set correctly.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Enroll User Override settings is not set correctly.' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'TeamsEnrollUser' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalAccessPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalAccessPolicy.ps1
index 77215de033b1..5324de381633 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalAccessPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalAccessPolicy.ps1
@@ -1,77 +1,79 @@
-Function Invoke-CIPPStandardTeamsExternalAccessPolicy {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) TeamsExternalAccessPolicy
- .SYNOPSIS
- (Label) External Access Settings for Microsoft Teams
- .DESCRIPTION
- (Helptext) Sets the properties of the Global external access policy.
- (DocsDescription) Sets the properties of the Global external access policy. External access policies determine whether or not your users can: 1) communicate with users who have Session Initiation Protocol (SIP) accounts with a federated organization; 2) communicate with users who are using custom applications built with Azure Communication Services; 3) access Skype for Business Server over the Internet, without having to log on to your internal network; 4) communicate with users who have SIP accounts with a public instant messaging (IM) provider such as Skype; and, 5) communicate with people who are using Teams with an account that's not managed by an organization.
- .NOTES
- CAT
- Teams Standards
- TAG
- ADDEDCOMPONENT
- {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnableFederationAccess","label":"Allow communication from trusted organizations"}
- {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnablePublicCloudAccess","label":"Allow user to communicate with Skype users"}
- {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnableTeamsConsumerAccess","label":"Allow communication with unmanaged Teams accounts"}
- IMPACT
- Medium Impact
- POWERSHELLEQUIVALENT
- Set-CsExternalAccessPolicy
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#medium-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsExternalAccessPolicy'
-
- $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsExternalAccessPolicy' -CmdParams @{Identity = 'Global' }
- | Select-Object *
-
- if ($null -eq $Settings.EnableFederationAccess) { $Settings.EnableFederationAccess = $false }
- if ($null -eq $Settings.EnablePublicCloudAccess) { $Settings.EnablePublicCloudAccess = $false }
- if ($null -eq $Settings.EnableTeamsConsumerAccess) { $Settings.EnableTeamsConsumerAccess = $false }
-
- $StateIsCorrect = ($CurrentState.EnableFederationAccess -eq $Settings.EnableFederationAccess) -and
- ($CurrentState.EnablePublicCloudAccess -eq $Settings.EnablePublicCloudAccess) -and
- ($CurrentState.EnableTeamsConsumerAccess -eq $Settings.EnableTeamsConsumerAccess)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'External Access Policy already set.' -sev Info
- } else {
- $cmdparams = @{
- Identity = 'Global'
- EnableFederationAccess = $Settings.EnableFederationAccess
- EnablePublicCloudAccess = $Settings.EnablePublicCloudAccess
- EnableTeamsConsumerAccess = $Settings.EnableTeamsConsumerAccess
- }
-
- try {
- New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsExternalAccessPolicy' -CmdParams $cmdparams
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated External Access Policy' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set External Access Policy. Error: $ErrorMessage" -sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'External Access Policy is set correctly.' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'External Access Policy is not set correctly.' -sev Alert
- }
- }
-
- if ($Setings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'TeamsExternalAccessPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+Function Invoke-CIPPStandardTeamsExternalAccessPolicy {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) TeamsExternalAccessPolicy
+ .SYNOPSIS
+ (Label) External Access Settings for Microsoft Teams
+ .DESCRIPTION
+ (Helptext) Sets the properties of the Global external access policy.
+ (DocsDescription) Sets the properties of the Global external access policy. External access policies determine whether or not your users can: 1) communicate with users who have Session Initiation Protocol (SIP) accounts with a federated organization; 2) communicate with users who are using custom applications built with Azure Communication Services; 3) access Skype for Business Server over the Internet, without having to log on to your internal network; 4) communicate with users who have SIP accounts with a public instant messaging (IM) provider such as Skype; and, 5) communicate with people who are using Teams with an account that's not managed by an organization.
+ .NOTES
+ CAT
+ Teams Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnableFederationAccess","label":"Allow communication from trusted organizations"}
+ {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnablePublicCloudAccess","label":"Allow user to communicate with Skype users"}
+ {"type":"switch","name":"standards.TeamsExternalAccessPolicy.EnableTeamsConsumerAccess","label":"Allow communication with unmanaged Teams accounts"}
+ IMPACT
+ Medium Impact
+ ADDEDDATE
+ 2024-07-30
+ POWERSHELLEQUIVALENT
+ Set-CsExternalAccessPolicy
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#medium-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsExternalAccessPolicy'
+
+ $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsExternalAccessPolicy' -CmdParams @{Identity = 'Global' }
+ | Select-Object *
+
+ if ($null -eq $Settings.EnableFederationAccess) { $Settings.EnableFederationAccess = $false }
+ if ($null -eq $Settings.EnablePublicCloudAccess) { $Settings.EnablePublicCloudAccess = $false }
+ if ($null -eq $Settings.EnableTeamsConsumerAccess) { $Settings.EnableTeamsConsumerAccess = $false }
+
+ $StateIsCorrect = ($CurrentState.EnableFederationAccess -eq $Settings.EnableFederationAccess) -and
+ ($CurrentState.EnablePublicCloudAccess -eq $Settings.EnablePublicCloudAccess) -and
+ ($CurrentState.EnableTeamsConsumerAccess -eq $Settings.EnableTeamsConsumerAccess)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'External Access Policy already set.' -sev Info
+ } else {
+ $cmdparams = @{
+ Identity = 'Global'
+ EnableFederationAccess = $Settings.EnableFederationAccess
+ EnablePublicCloudAccess = $Settings.EnablePublicCloudAccess
+ EnableTeamsConsumerAccess = $Settings.EnableTeamsConsumerAccess
+ }
+
+ try {
+ New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsExternalAccessPolicy' -CmdParams $cmdparams
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated External Access Policy' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set External Access Policy. Error: $ErrorMessage" -sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'External Access Policy is set correctly.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'External Access Policy is not set correctly.' -sev Alert
+ }
+ }
+
+ if ($Setings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'TeamsExternalAccessPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalFileSharing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalFileSharing.ps1
index dbde0768fccd..356b514e7eb0 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalFileSharing.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsExternalFileSharing.ps1
@@ -1,85 +1,87 @@
-Function Invoke-CIPPStandardTeamsExternalFileSharing {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) TeamsExternalFileSharing
- .SYNOPSIS
- (Label) Define approved cloud storage services for external file sharing in Teams
- .DESCRIPTION
- (Helptext) Ensure external file sharing in Teams is enabled for only approved cloud storage services.
- (DocsDescription) Ensure external file sharing in Teams is enabled for only approved cloud storage services.
- .NOTES
- CAT
- Teams Standards
- TAG
- ADDEDCOMPONENT
- {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowGoogleDrive","label":"Allow Google Drive"}
- {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowShareFile","label":"Allow ShareFile"}
- {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowBox","label":"Allow Box"}
- {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowDropBox","label":"Allow Dropbox"}
- {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowEgnyte","label":"Allow Egnyte"}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-CsTeamsClientConfiguration -AllowGoogleDrive \$false -AllowShareFile \$false -AllowBox \$false -AllowDropBox \$false -AllowEgnyte \$false
- RECOMMENDEDBY
- "CIS 3.0"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsExternalFileSharing'
-
- $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsClientConfiguration'
- | Select-Object AllowGoogleDrive, AllowShareFile, AllowBox, AllowDropBox, AllowEgnyte
-
- if ($null -eq $Settings.AllowGoogleDrive) { $Settings.AllowGoogleDrive = $false }
- if ($null -eq $Settings.AllowShareFile) { $Settings.AllowShareFile = $false }
- if ($null -eq $Settings.AllowBox) { $Settings.AllowBox = $false }
- if ($null -eq $Settings.AllowDropBox) { $Settings.AllowDropBox = $false }
- if ($null -eq $Settings.AllowEgnyte) { $Settings.AllowEgnyte = $false }
-
- $StateIsCorrect = ($CurrentState.AllowGoogleDrive -eq $Settings.AllowGoogleDrive) -and
- ($CurrentState.AllowShareFile -eq $Settings.AllowShareFile) -and
- ($CurrentState.AllowBox -eq $Settings.AllowBox) -and
- ($CurrentState.AllowDropBox -eq $Settings.AllowDropBox) -and
- ($CurrentState.AllowEgnyte -eq $Settings.AllowEgnyte)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams External File Sharing already set.' -sev Info
- } else {
- $cmdparams = @{
- AllowGoogleDrive = $Settings.AllowGoogleDrive
- AllowShareFile = $Settings.AllowShareFile
- AllowBox = $Settings.AllowBox
- AllowDropBox = $Settings.AllowDropBox
- AllowEgnyte = $Settings.AllowEgnyte
- }
-
- try {
- New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsClientConfiguration' -CmdParams $cmdparams
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Teams External File Sharing' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams External File Sharing. Error: $ErrorMessage" -sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams External File Sharing is set correctly.' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams External File Sharing is not set correctly.' -sev Alert
- }
- }
-
- if ($Setings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'TeamsExternalFileSharing' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+Function Invoke-CIPPStandardTeamsExternalFileSharing {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) TeamsExternalFileSharing
+ .SYNOPSIS
+ (Label) Define approved cloud storage services for external file sharing in Teams
+ .DESCRIPTION
+ (Helptext) Ensure external file sharing in Teams is enabled for only approved cloud storage services.
+ (DocsDescription) Ensure external file sharing in Teams is enabled for only approved cloud storage services.
+ .NOTES
+ CAT
+ Teams Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowGoogleDrive","label":"Allow Google Drive"}
+ {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowShareFile","label":"Allow ShareFile"}
+ {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowBox","label":"Allow Box"}
+ {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowDropBox","label":"Allow Dropbox"}
+ {"type":"switch","name":"standards.TeamsExternalFileSharing.AllowEgnyte","label":"Allow Egnyte"}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-07-28
+ POWERSHELLEQUIVALENT
+ Set-CsTeamsClientConfiguration -AllowGoogleDrive \$false -AllowShareFile \$false -AllowBox \$false -AllowDropBox \$false -AllowEgnyte \$false
+ RECOMMENDEDBY
+ "CIS 3.0"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsExternalFileSharing'
+
+ $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsClientConfiguration'
+ | Select-Object AllowGoogleDrive, AllowShareFile, AllowBox, AllowDropBox, AllowEgnyte
+
+ if ($null -eq $Settings.AllowGoogleDrive) { $Settings.AllowGoogleDrive = $false }
+ if ($null -eq $Settings.AllowShareFile) { $Settings.AllowShareFile = $false }
+ if ($null -eq $Settings.AllowBox) { $Settings.AllowBox = $false }
+ if ($null -eq $Settings.AllowDropBox) { $Settings.AllowDropBox = $false }
+ if ($null -eq $Settings.AllowEgnyte) { $Settings.AllowEgnyte = $false }
+
+ $StateIsCorrect = ($CurrentState.AllowGoogleDrive -eq $Settings.AllowGoogleDrive) -and
+ ($CurrentState.AllowShareFile -eq $Settings.AllowShareFile) -and
+ ($CurrentState.AllowBox -eq $Settings.AllowBox) -and
+ ($CurrentState.AllowDropBox -eq $Settings.AllowDropBox) -and
+ ($CurrentState.AllowEgnyte -eq $Settings.AllowEgnyte)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams External File Sharing already set.' -sev Info
+ } else {
+ $cmdparams = @{
+ AllowGoogleDrive = $Settings.AllowGoogleDrive
+ AllowShareFile = $Settings.AllowShareFile
+ AllowBox = $Settings.AllowBox
+ AllowDropBox = $Settings.AllowDropBox
+ AllowEgnyte = $Settings.AllowEgnyte
+ }
+
+ try {
+ New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsClientConfiguration' -CmdParams $cmdparams
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Teams External File Sharing' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams External File Sharing. Error: $ErrorMessage" -sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams External File Sharing is set correctly.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams External File Sharing is not set correctly.' -sev Alert
+ }
+ }
+
+ if ($Setings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'TeamsExternalFileSharing' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
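Review bot: The report block at the end of this function tests `$Setings.report`, a misspelling of `$Settings`. The misspelled variable is never assigned, so the comparison with `$true` is false and `Add-CIPPBPAField` is not called; the 'TeamsExternalFileSharing' compliance value is never written, with no error logged. The line should read `if ($Settings.report -eq $true) {`. The same misspelling appears in the report block of Invoke-CIPPStandardTeamsFederationConfiguration and in the function that writes the 'TeamsExternalAccessPolicy' field earlier in this diff. Invoke-CIPPStandardTeamsGlobalMeetingPolicy already spells it correctly.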
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsFederationConfiguration.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsFederationConfiguration.ps1
index 0f191dd0149d..a17b92451ff6 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsFederationConfiguration.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsFederationConfiguration.ps1
@@ -1,117 +1,119 @@
-Function Invoke-CIPPStandardTeamsFederationConfiguration {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) TeamsFederationConfiguration
- .SYNOPSIS
- (Label) Federation Configuration for Microsoft Teams
- .DESCRIPTION
- (Helptext) Sets the properties of the Global federation configuration.
- (DocsDescription) Sets the properties of the Global federation configuration. Federation configuration settings determine whether or not your users can communicate with users who have SIP accounts with a federated organization.
- .NOTES
- CAT
- Teams Standards
- TAG
- ADDEDCOMPONENT
- {"type":"switch","name":"standards.TeamsFederationConfiguration.AllowTeamsConsumer","label":"Allow users to communicate with other organizations"}
- {"type":"switch","name":"standards.TeamsFederationConfiguration.AllowPublicUsers","label":"Allow users to communicate with Skype Users"}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsFederationConfiguration.DomainControl","label":"Communication Mode","options":[{"label":"Allow all external domains","value":"AllowAllExternal"},{"label":"Block all external domains","value":"BlockAllExternal"},{"label":"Allow specific external domains","value":"AllowSpecificExternal"},{"label":"Block specific external domains","value":"BlockSpecificExternal"}]}
- {"type":"textField","name":"standards.TeamsFederationConfiguration.DomainList","label":"Domains, Comma separated","required":false}
- IMPACT
- Medium Impact
- POWERSHELLEQUIVALENT
- Set-CsTenantFederationConfiguration
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#medium-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsFederationConfiguration'
-
- $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTenantFederationConfiguration' -CmdParams @{Identity = 'Global' }
- | Select-Object *
-
- $DomainControl = $Settings.DomainControl.value ?? $Settings.DomainControl
- Switch ($DomainControl) {
- 'AllowAllExternal' {
- $AllowFederatedUsers = $true
- $AllowedDomainsAsAList = 'AllowAllKnownDomains'
- $BlockedDomains = @()
- }
- 'BlockAllExternal' {
- $AllowFederatedUsers = $false
- $AllowedDomainsAsAList = 'AllowAllKnownDomains'
- $BlockedDomains = @()
- }
- 'AllowSpecificExternal' {
- $AllowFederatedUsers = $true
- $BlockedDomains = @()
- if ($null -ne $Settings.DomainList) {
- $AllowedDomainsAsAList = @($Settings.DomainList).Split(',').Trim()
- } else {
- $AllowedDomainsAsAList = @()
- }
- }
- 'BlockSpecificExternal' {
- $AllowFederatedUsers = $true
- $AllowedDomainsAsAList = 'AllowAllKnownDomains'
- if ($null -ne $Settings.DomainList) {
- $BlockedDomains = @($Settings.DomainList).Split(',').Trim()
- } else {
- $BlockedDomains = @()
- }
- }
- Default {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Federation Configuration: Invalid $DomainControl parameter" -sev Error
- Return
- }
- }
-
- # TODO : Add proper validation for the domain list
- # $CurrentState.AllowedDomains returns a PSObject System.Object and adds a Domain= for each allowed domain, ex {Domain=example.com, Domain=example2.com}
-
- $StateIsCorrect = ($CurrentState.AllowTeamsConsumer -eq $Settings.AllowTeamsConsumer) -and
- ($CurrentState.AllowPublicUsers -eq $Settings.AllowPublicUsers) -and
- ($CurrentState.AllowFederatedUsers -eq $AllowFederatedUsers) -and
- ($CurrentState.AllowedDomains -eq $AllowedDomainsAsAList) -and
- ($CurrentState.BlockedDomains -eq $BlockedDomains)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Federation Configuration already set.' -sev Info
- } else {
- $cmdparams = @{
- Identity = 'Global'
- AllowTeamsConsumer = $Settings.AllowTeamsConsumer
- AllowPublicUsers = $Settings.AllowPublicUsers
- AllowFederatedUsers = $AllowFederatedUsers
- AllowedDomainsAsAList = $AllowedDomainsAsAList
- BlockedDomains = $BlockedDomains
- }
-
- try {
- New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTenantFederationConfiguration' -CmdParams $cmdparams
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Federation Configuration Policy' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Federation Configuration Policy. Error: $ErrorMessage" -sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Federation Configuration is set correctly.' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Federation Configuration is not set correctly.' -sev Alert
- }
- }
-
- if ($Setings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'FederationConfiguration' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+Function Invoke-CIPPStandardTeamsFederationConfiguration {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) TeamsFederationConfiguration
+ .SYNOPSIS
+ (Label) Federation Configuration for Microsoft Teams
+ .DESCRIPTION
+ (Helptext) Sets the properties of the Global federation configuration.
+ (DocsDescription) Sets the properties of the Global federation configuration. Federation configuration settings determine whether or not your users can communicate with users who have SIP accounts with a federated organization.
+ .NOTES
+ CAT
+ Teams Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"switch","name":"standards.TeamsFederationConfiguration.AllowTeamsConsumer","label":"Allow users to communicate with other organizations"}
+ {"type":"switch","name":"standards.TeamsFederationConfiguration.AllowPublicUsers","label":"Allow users to communicate with Skype Users"}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsFederationConfiguration.DomainControl","label":"Communication Mode","options":[{"label":"Allow all external domains","value":"AllowAllExternal"},{"label":"Block all external domains","value":"BlockAllExternal"},{"label":"Allow specific external domains","value":"AllowSpecificExternal"},{"label":"Block specific external domains","value":"BlockSpecificExternal"}]}
+ {"type":"textField","name":"standards.TeamsFederationConfiguration.DomainList","label":"Domains, Comma separated","required":false}
+ IMPACT
+ Medium Impact
+ ADDEDDATE
+ 2024-07-31
+ POWERSHELLEQUIVALENT
+ Set-CsTenantFederationConfiguration
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#medium-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsFederationConfiguration'
+
+ $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTenantFederationConfiguration' -CmdParams @{Identity = 'Global' }
+ | Select-Object *
+
+ $DomainControl = $Settings.DomainControl.value ?? $Settings.DomainControl
+ Switch ($DomainControl) {
+ 'AllowAllExternal' {
+ $AllowFederatedUsers = $true
+ $AllowedDomainsAsAList = 'AllowAllKnownDomains'
+ $BlockedDomains = @()
+ }
+ 'BlockAllExternal' {
+ $AllowFederatedUsers = $false
+ $AllowedDomainsAsAList = 'AllowAllKnownDomains'
+ $BlockedDomains = @()
+ }
+ 'AllowSpecificExternal' {
+ $AllowFederatedUsers = $true
+ $BlockedDomains = @()
+ if ($null -ne $Settings.DomainList) {
+ $AllowedDomainsAsAList = @($Settings.DomainList).Split(',').Trim()
+ } else {
+ $AllowedDomainsAsAList = @()
+ }
+ }
+ 'BlockSpecificExternal' {
+ $AllowFederatedUsers = $true
+ $AllowedDomainsAsAList = 'AllowAllKnownDomains'
+ if ($null -ne $Settings.DomainList) {
+ $BlockedDomains = @($Settings.DomainList).Split(',').Trim()
+ } else {
+ $BlockedDomains = @()
+ }
+ }
+ Default {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Federation Configuration: Invalid $DomainControl parameter" -sev Error
+ Return
+ }
+ }
+
+ # TODO : Add proper validation for the domain list
+ # $CurrentState.AllowedDomains returns a PSObject System.Object and adds a Domain= for each allowed domain, ex {Domain=example.com, Domain=example2.com}
+
+ $StateIsCorrect = ($CurrentState.AllowTeamsConsumer -eq $Settings.AllowTeamsConsumer) -and
+ ($CurrentState.AllowPublicUsers -eq $Settings.AllowPublicUsers) -and
+ ($CurrentState.AllowFederatedUsers -eq $AllowFederatedUsers) -and
+ ($CurrentState.AllowedDomains -eq $AllowedDomainsAsAList) -and
+ ($CurrentState.BlockedDomains -eq $BlockedDomains)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Federation Configuration already set.' -sev Info
+ } else {
+ $cmdparams = @{
+ Identity = 'Global'
+ AllowTeamsConsumer = $Settings.AllowTeamsConsumer
+ AllowPublicUsers = $Settings.AllowPublicUsers
+ AllowFederatedUsers = $AllowFederatedUsers
+ AllowedDomainsAsAList = $AllowedDomainsAsAList
+ BlockedDomains = $BlockedDomains
+ }
+
+ try {
+ New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTenantFederationConfiguration' -CmdParams $cmdparams
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Federation Configuration Policy' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Federation Configuration Policy. Error: $ErrorMessage" -sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Federation Configuration is set correctly.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Federation Configuration is not set correctly.' -sev Alert
+ }
+ }
+
+ if ($Setings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'FederationConfiguration' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
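Review bot: The last two terms of `$StateIsCorrect` compare `$CurrentState.AllowedDomains` and `$CurrentState.BlockedDomains` to the desired lists with `-eq`. The comment above says the current value comes back as an object with `Domain=` entries, and `-eq` with a collection on the left filters elements rather than returning a boolean. The check therefore probably never passes in the specific-domain modes, so remediation would re-apply on every run and the alert would fire constantly, which hides real drift in the federation allow/block list. Comparing normalized, sorted domain-name strings on both sides would make the result meaningful, for example `(($CurrentNames | Sort-Object) -join ',') -eq (($WantedNames | Sort-Object) -join ',')`, where both names are placeholders for the extracted lists. Separately, the `$null -ne $Settings.DomainList` guard lets an empty string through, and `.Split(',').Trim()` then yields a single empty entry; dropping empty items with `| Where-Object { $_ }` before building `$cmdparams` would avoid sending that to `Set-CsTenantFederationConfiguration`.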
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsGlobalMeetingPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsGlobalMeetingPolicy.ps1
index 34a3d4060955..e0c747739a8e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsGlobalMeetingPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsGlobalMeetingPolicy.ps1
@@ -1,85 +1,88 @@
-Function Invoke-CIPPStandardTeamsGlobalMeetingPolicy {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) TeamsGlobalMeetingPolicy
- .SYNOPSIS
- (Label) Define Global Meeting Policy for Teams
- .DESCRIPTION
- (Helptext) Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl
- (DocsDescription) Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl
- .NOTES
- CAT
- Teams Standards
- TAG
- ADDEDCOMPONENT
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsGlobalMeetingPolicy.DesignatedPresenterRoleMode","label":"Default value of the `Who can present?`","options":[{"label":"EveryoneUserOverride","value":"EveryoneUserOverride"},{"label":"EveryoneInCompanyUserOverride","value":"EveryoneInCompanyUserOverride"},{"label":"EveryoneInSameAndFederatedCompanyUserOverride","value":"EveryoneInSameAndFederatedCompanyUserOverride"},{"label":"OrganizerOnlyUserOverride","value":"OrganizerOnlyUserOverride"}]}
- {"type":"switch","name":"standards.TeamsGlobalMeetingPolicy.AllowAnonymousUsersToJoinMeeting","label":"Allow anonymous users to join meeting"}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsGlobalMeetingPolicy.MeetingChatEnabledType","label":"Meeting chat policy","options":[{"label":"On for everyone","value":"Enabled"},{"label":"On for everyone but anonymous users","value":"EnabledExceptAnonymous"},{"label":"Off for everyone","value":"Disabled"}]}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Set-CsTeamsMeetingPolicy -AllowAnonymousUsersToJoinMeeting \$false -AllowAnonymousUsersToStartMeeting \$false -AutoAdmittedUsers EveryoneInCompanyExcludingGuests -AllowPSTNUsersToBypassLobby \$false -MeetingChatEnabledType EnabledExceptAnonymous -DesignatedPresenterRoleMode \$DesignatedPresenterRoleMode -AllowExternalParticipantGiveRequestControl \$false
- RECOMMENDEDBY
- "CIS 3.0"
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#low-impact
- #>
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsGlobalMeetingPolicy'
-
- param($Tenant, $Settings)
- $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsMeetingPolicy' -CmdParams @{Identity = 'Global' }
- | Select-Object AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl
-
- $MeetingChatEnabledType = $Settings.MeetingChatEnabledType.value ?? $Settings.MeetingChatEnabledType
- $DesignatedPresenterRoleMode = $Settings.DesignatedPresenterRoleMode.value ?? $Settings.DesignatedPresenterRoleMode
-
- $StateIsCorrect = ($CurrentState.AllowAnonymousUsersToJoinMeeting -eq $Settings.AllowAnonymousUsersToJoinMeeting) -and
- ($CurrentState.AllowAnonymousUsersToStartMeeting -eq $false) -and
- ($CurrentState.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests') -and
- ($CurrentState.AllowPSTNUsersToBypassLobby -eq $false) -and
- ($CurrentState.MeetingChatEnabledType -eq $MeetingChatEnabledType) -and
- ($CurrentState.DesignatedPresenterRoleMode -eq $DesignatedPresenterRoleMode) -and
- ($CurrentState.AllowExternalParticipantGiveRequestControl -eq $false)
-
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Global Policy already set.' -sev Info
- } else {
- $cmdParams = @{
- Identity = 'Global'
- AllowAnonymousUsersToJoinMeeting = $Settings.AllowAnonymousUsersToJoinMeeting
- AllowAnonymousUsersToStartMeeting = $false
- AutoAdmittedUsers = 'EveryoneInCompanyExcludingGuests'
- AllowPSTNUsersToBypassLobby = $false
- MeetingChatEnabledType = $MeetingChatEnabledType
- DesignatedPresenterRoleMode = $DesignatedPresenterRoleMode
- AllowExternalParticipantGiveRequestControl = $Settings.AllowExternalParticipantGiveRequestControl
- }
-
- try {
- New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsMeetingPolicy' -CmdParams $cmdParams
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Teams Global Policy' -sev Info
- } catch {
- $ErrorMessage = Get-CippException -Exception $_
- Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams Global Policy. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Global Policy is set correctly.' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Global Policy is not set correctly.' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'TeamsGlobalMeetingPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+Function Invoke-CIPPStandardTeamsGlobalMeetingPolicy {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) TeamsGlobalMeetingPolicy
+ .SYNOPSIS
+ (Label) Define Global Meeting Policy for Teams
+ .DESCRIPTION
+ (Helptext) Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl
+ (DocsDescription) Defines the CIS recommended global meeting policy for Teams. This includes AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl
+ .NOTES
+ CAT
+ Teams Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsGlobalMeetingPolicy.DesignatedPresenterRoleMode","label":"Default value of the `Who can present?`","options":[{"label":"EveryoneUserOverride","value":"EveryoneUserOverride"},{"label":"EveryoneInCompanyUserOverride","value":"EveryoneInCompanyUserOverride"},{"label":"EveryoneInSameAndFederatedCompanyUserOverride","value":"EveryoneInSameAndFederatedCompanyUserOverride"},{"label":"OrganizerOnlyUserOverride","value":"OrganizerOnlyUserOverride"}]}
+ {"type":"switch","name":"standards.TeamsGlobalMeetingPolicy.AllowAnonymousUsersToJoinMeeting","label":"Allow anonymous users to join meeting"}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsGlobalMeetingPolicy.MeetingChatEnabledType","label":"Meeting chat policy","options":[{"label":"On for everyone","value":"Enabled"},{"label":"On for everyone but anonymous users","value":"EnabledExceptAnonymous"},{"label":"Off for everyone","value":"Disabled"}]}
+ {"type":"switch","name":"standards.TeamsGlobalMeetingPolicy.AllowExternalParticipantGiveRequestControl","label":"External participants can give or request control"}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-11-12
+ POWERSHELLEQUIVALENT
+ Set-CsTeamsMeetingPolicy -AllowAnonymousUsersToJoinMeeting \$false -AllowAnonymousUsersToStartMeeting \$false -AutoAdmittedUsers EveryoneInCompanyExcludingGuests -AllowPSTNUsersToBypassLobby \$false -MeetingChatEnabledType EnabledExceptAnonymous -DesignatedPresenterRoleMode \$DesignatedPresenterRoleMode -AllowExternalParticipantGiveRequestControl \$false
+ RECOMMENDEDBY
+ "CIS 3.0"
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#low-impact
+ #>
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsGlobalMeetingPolicy'
+
+ param($Tenant, $Settings)
+ $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsMeetingPolicy' -CmdParams @{Identity = 'Global' }
+ | Select-Object AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers, AllowPSTNUsersToBypassLobby, MeetingChatEnabledType, DesignatedPresenterRoleMode, AllowExternalParticipantGiveRequestControl
+
+ $MeetingChatEnabledType = $Settings.MeetingChatEnabledType.value ?? $Settings.MeetingChatEnabledType
+ $DesignatedPresenterRoleMode = $Settings.DesignatedPresenterRoleMode.value ?? $Settings.DesignatedPresenterRoleMode
+
+ $StateIsCorrect = ($CurrentState.AllowAnonymousUsersToJoinMeeting -eq $Settings.AllowAnonymousUsersToJoinMeeting) -and
+ ($CurrentState.AllowAnonymousUsersToStartMeeting -eq $false) -and
+ ($CurrentState.AutoAdmittedUsers -eq 'EveryoneInCompanyExcludingGuests') -and
+ ($CurrentState.AllowPSTNUsersToBypassLobby -eq $false) -and
+ ($CurrentState.MeetingChatEnabledType -eq $MeetingChatEnabledType) -and
+ ($CurrentState.DesignatedPresenterRoleMode -eq $DesignatedPresenterRoleMode) -and
+ ($CurrentState.AllowExternalParticipantGiveRequestControl -eq $false)
+
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Global Policy already set.' -sev Info
+ } else {
+ $cmdParams = @{
+ Identity = 'Global'
+ AllowAnonymousUsersToJoinMeeting = $Settings.AllowAnonymousUsersToJoinMeeting
+ AllowAnonymousUsersToStartMeeting = $false
+ AutoAdmittedUsers = 'EveryoneInCompanyExcludingGuests'
+ AllowPSTNUsersToBypassLobby = $false
+ MeetingChatEnabledType = $MeetingChatEnabledType
+ DesignatedPresenterRoleMode = $DesignatedPresenterRoleMode
+ AllowExternalParticipantGiveRequestControl = $Settings.AllowExternalParticipantGiveRequestControl
+ }
+
+ try {
+ New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsMeetingPolicy' -CmdParams $cmdParams
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated Teams Global Policy' -sev Info
+ } catch {
+ $ErrorMessage = Get-CippException -Exception $_
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set Teams Global Policy. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Global Policy is set correctly.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Teams Global Policy is not set correctly.' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'TeamsGlobalMeetingPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
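Review bot: The compliance check and the remediation disagree on `AllowExternalParticipantGiveRequestControl`. The `$StateIsCorrect` expression requires `$false`, while `$cmdParams` writes `$Settings.AllowExternalParticipantGiveRequestControl`, which the switch added to ADDEDCOMPONENT in this commit now lets an operator turn on. With the switch on, remediation sets the value to true, the next run evaluates the state as incorrect, and the standard re-applies and alerts every cycle. The check should compare against the same value that is written, `($CurrentState.AllowExternalParticipantGiveRequestControl -eq $AllowExternalControl)`, with `$AllowExternalControl = $Settings.AllowExternalParticipantGiveRequestControl ?? $false` used in both places so an unset switch keeps the CIS default. If the intent is to always enforce `$false`, the new switch should be dropped and `$cmdParams` should hard-code `$false`, as it does for `AllowAnonymousUsersToStartMeeting`.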
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1
index 9a3f94bb450f..c23c34f9ed9e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardTeamsMeetingsByDefault {
{"type":"autoComplete","multiple":false,"label":"Select value","name":"standards.TeamsMeetingsByDefault.state","options":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-05-31
POWERSHELLEQUIVALENT
Set-OrganizationConfig -OnlineMeetingsByDefaultEnabled
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMessagingPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMessagingPolicy.ps1
index 56b13d7d967f..ca5c223d8ecc 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMessagingPolicy.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMessagingPolicy.ps1
@@ -1,100 +1,102 @@
-Function Invoke-CIPPStandardTeamsMessagingPolicy {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) TeamsMessagingPolicy
- .SYNOPSIS
- (Label) Global Messaging Policy for Microsoft Teams
- .DESCRIPTION
- (Helptext) Sets the properties of the Global messaging policy.
- (DocsDescription) Sets the properties of the Global messaging policy. Messaging policies control which chat and channel messaging features are available to users in Teams.
- .NOTES
- CAT
- Teams Standards
- TAG
- ADDEDCOMPONENT
- {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowOwnerDeleteMessage","label":"Allow Owner to Delete Messages","default":false}
- {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowUserDeleteMessage","label":"Allow User to Delete Messages","default":true}
- {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowUserEditMessage","label":"Allow User to Edit Messages","default":true}
- {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowUserDeleteChat","label":"Allow User to Delete Chats","default":true}
- {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsMessagingPolicy.ReadReceiptsEnabledType","label":"Read Receipts Enabled Type","options":[{"label":"User controlled","value":"UserPreference"},{"label":"Turned on for everyone","value":"Everyone"},{"label":"Turned off for everyone","value":"None"}]}
- {"type":"switch","name":"standards.TeamsMessagingPolicy.CreateCustomEmojis","label":"Allow Creating Custom Emojis","default":true}
- {"type":"switch","name":"standards.TeamsMessagingPolicy.DeleteCustomEmojis","label":"Allow Deleting Custom Emojis","default":false}
- {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowSecurityEndUserReporting","label":"Allow reporting message as security concern","default":true}
- {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowCommunicationComplianceEndUserReporting","label":"Allow reporting message as inappropriate content","default":true}
- IMPACT
- Medium Impact
- POWERSHELLEQUIVALENT
- Set-CsTeamsMessagingPolicy
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#medium-impact
- #>
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsMessagingPolicy'
-
- param($Tenant, $Settings)
- $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsMessagingPolicy' -CmdParams @{Identity = 'Global' }
-
- if ($null -eq $Settings.AllowOwnerDeleteMessage) { $Settings.AllowOwnerDeleteMessage = $CurrentState.AllowOwnerDeleteMessage }
- if ($null -eq $Settings.AllowUserDeleteMessage) { $Settings.AllowUserDeleteMessage = $CurrentState.AllowUserDeleteMessage }
- if ($null -eq $Settings.AllowUserEditMessage) { $Settings.AllowUserEditMessage = $CurrentState.AllowUserEditMessage }
- if ($null -eq $Settings.AllowUserDeleteChat) { $Settings.AllowUserDeleteChat = $CurrentState.AllowUserDeleteChat }
- if ($null -eq $Settings.CreateCustomEmojis) { $Settings.CreateCustomEmojis = $CurrentState.CreateCustomEmojis }
- if ($null -eq $Settings.DeleteCustomEmojis) { $Settings.DeleteCustomEmojis = $CurrentState.DeleteCustomEmojis }
- if ($null -eq $Settings.AllowSecurityEndUserReporting) { $Settings.AllowSecurityEndUserReporting = $CurrentState.AllowSecurityEndUserReporting }
- if ($null -eq $Settings.AllowCommunicationComplianceEndUserReporting) { $Settings.AllowCommunicationComplianceEndUserReporting = $CurrentState.AllowCommunicationComplianceEndUserReporting }
-
- $ReadReceiptsEnabledType = $Settings.ReadReceiptsEnabledType.value ?? $Settings.ReadReceiptsEnabledType
-
- $StateIsCorrect = ($CurrentState.AllowOwnerDeleteMessage -eq $Settings.AllowOwnerDeleteMessage) -and
- ($CurrentState.AllowUserDeleteMessage -eq $Settings.AllowUserDeleteMessage) -and
- ($CurrentState.AllowUserEditMessage -eq $Settings.AllowUserEditMessage) -and
- ($CurrentState.AllowUserDeleteChat -eq $Settings.AllowUserDeleteChat) -and
- ($CurrentState.ReadReceiptsEnabledType -eq $ReadReceiptsEnabledType) -and
- ($CurrentState.CreateCustomEmojis -eq $Settings.CreateCustomEmojis) -and
- ($CurrentState.DeleteCustomEmojis -eq $Settings.DeleteCustomEmojis) -and
- ($CurrentState.AllowSecurityEndUserReporting -eq $Settings.AllowSecurityEndUserReporting) -and
- ($CurrentState.AllowCommunicationComplianceEndUserReporting -eq $Settings.AllowCommunicationComplianceEndUserReporting)
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Global Teams Messaging policy already configured.' -sev Info
- } else {
- $cmdparams = @{
- Identity = 'Global'
- AllowOwnerDeleteMessage = $Settings.AllowOwnerDeleteMessage
- AllowUserDeleteMessage = $Settings.AllowUserDeleteMessage
- AllowUserEditMessage = $Settings.AllowUserEditMessage
- AllowUserDeleteChat = $Settings.AllowUserDeleteChat
- ReadReceiptsEnabledType = $ReadReceiptsEnabledType
- CreateCustomEmojis = $Settings.CreateCustomEmojis
- DeleteCustomEmojis = $Settings.DeleteCustomEmojis
- AllowSecurityEndUserReporting = $Settings.AllowSecurityEndUserReporting
- AllowCommunicationComplianceEndUserReporting = $Settings.AllowCommunicationComplianceEndUserReporting
- }
-
- try {
- New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsMessagingPolicy' -CmdParams $cmdparams
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated global Teams messaging policy' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Failed to configure global Teams messaging policy.' -sev Error -LogData $ErrorMessage
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Global Teams messaging policy is configured correctly.' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Global Teams messaging policy is not configured correctly.' -sev Alert
- }
- }
-
- if ($Setings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'TeamsMessagingPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
- }
-}
+Function Invoke-CIPPStandardTeamsMessagingPolicy {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) TeamsMessagingPolicy
+ .SYNOPSIS
+ (Label) Global Messaging Policy for Microsoft Teams
+ .DESCRIPTION
+ (Helptext) Sets the properties of the Global messaging policy.
+ (DocsDescription) Sets the properties of the Global messaging policy. Messaging policies control which chat and channel messaging features are available to users in Teams.
+ .NOTES
+ CAT
+ Teams Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowOwnerDeleteMessage","label":"Allow Owner to Delete Messages","defaultValue":false}
+ {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowUserDeleteMessage","label":"Allow User to Delete Messages","defaultValue":true}
+ {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowUserEditMessage","label":"Allow User to Edit Messages","defaultValue":true}
+ {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowUserDeleteChat","label":"Allow User to Delete Chats","defaultValue":true}
+ {"type":"autoComplete","required":true,"multiple":false,"creatable":false,"name":"standards.TeamsMessagingPolicy.ReadReceiptsEnabledType","label":"Read Receipts Enabled Type","options":[{"label":"User controlled","value":"UserPreference"},{"label":"Turned on for everyone","value":"Everyone"},{"label":"Turned off for everyone","value":"None"}]}
+ {"type":"switch","name":"standards.TeamsMessagingPolicy.CreateCustomEmojis","label":"Allow Creating Custom Emojis","defaultValue":true}
+ {"type":"switch","name":"standards.TeamsMessagingPolicy.DeleteCustomEmojis","label":"Allow Deleting Custom Emojis","defaultValue":false}
+ {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowSecurityEndUserReporting","label":"Allow reporting message as security concern","defaultValue":true}
+ {"type":"switch","name":"standards.TeamsMessagingPolicy.AllowCommunicationComplianceEndUserReporting","label":"Allow reporting message as inappropriate content","defaultValue":true}
+ IMPACT
+ Medium Impact
+ ADDEDDATE
+ 2025-01-10
+ POWERSHELLEQUIVALENT
+ Set-CsTeamsMessagingPolicy
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/teams-standards#medium-impact
+ #>
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'TeamsMessagingPolicy'
+
+ param($Tenant, $Settings)
+ $CurrentState = New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Get-CsTeamsMessagingPolicy' -CmdParams @{Identity = 'Global' }
+
+ if ($null -eq $Settings.AllowOwnerDeleteMessage) { $Settings.AllowOwnerDeleteMessage = $CurrentState.AllowOwnerDeleteMessage }
+ if ($null -eq $Settings.AllowUserDeleteMessage) { $Settings.AllowUserDeleteMessage = $CurrentState.AllowUserDeleteMessage }
+ if ($null -eq $Settings.AllowUserEditMessage) { $Settings.AllowUserEditMessage = $CurrentState.AllowUserEditMessage }
+ if ($null -eq $Settings.AllowUserDeleteChat) { $Settings.AllowUserDeleteChat = $CurrentState.AllowUserDeleteChat }
+ if ($null -eq $Settings.CreateCustomEmojis) { $Settings.CreateCustomEmojis = $CurrentState.CreateCustomEmojis }
+ if ($null -eq $Settings.DeleteCustomEmojis) { $Settings.DeleteCustomEmojis = $CurrentState.DeleteCustomEmojis }
+ if ($null -eq $Settings.AllowSecurityEndUserReporting) { $Settings.AllowSecurityEndUserReporting = $CurrentState.AllowSecurityEndUserReporting }
+ if ($null -eq $Settings.AllowCommunicationComplianceEndUserReporting) { $Settings.AllowCommunicationComplianceEndUserReporting = $CurrentState.AllowCommunicationComplianceEndUserReporting }
+
+ $ReadReceiptsEnabledType = $Settings.ReadReceiptsEnabledType.value ?? $Settings.ReadReceiptsEnabledType
+
+ $StateIsCorrect = ($CurrentState.AllowOwnerDeleteMessage -eq $Settings.AllowOwnerDeleteMessage) -and
+ ($CurrentState.AllowUserDeleteMessage -eq $Settings.AllowUserDeleteMessage) -and
+ ($CurrentState.AllowUserEditMessage -eq $Settings.AllowUserEditMessage) -and
+ ($CurrentState.AllowUserDeleteChat -eq $Settings.AllowUserDeleteChat) -and
+ ($CurrentState.ReadReceiptsEnabledType -eq $ReadReceiptsEnabledType) -and
+ ($CurrentState.CreateCustomEmojis -eq $Settings.CreateCustomEmojis) -and
+ ($CurrentState.DeleteCustomEmojis -eq $Settings.DeleteCustomEmojis) -and
+ ($CurrentState.AllowSecurityEndUserReporting -eq $Settings.AllowSecurityEndUserReporting) -and
+ ($CurrentState.AllowCommunicationComplianceEndUserReporting -eq $Settings.AllowCommunicationComplianceEndUserReporting)
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Global Teams Messaging policy already configured.' -sev Info
+ } else {
+ $cmdparams = @{
+ Identity = 'Global'
+ AllowOwnerDeleteMessage = $Settings.AllowOwnerDeleteMessage
+ AllowUserDeleteMessage = $Settings.AllowUserDeleteMessage
+ AllowUserEditMessage = $Settings.AllowUserEditMessage
+ AllowUserDeleteChat = $Settings.AllowUserDeleteChat
+ ReadReceiptsEnabledType = $ReadReceiptsEnabledType
+ CreateCustomEmojis = $Settings.CreateCustomEmojis
+ DeleteCustomEmojis = $Settings.DeleteCustomEmojis
+ AllowSecurityEndUserReporting = $Settings.AllowSecurityEndUserReporting
+ AllowCommunicationComplianceEndUserReporting = $Settings.AllowCommunicationComplianceEndUserReporting
+ }
+
+ try {
+ New-TeamsRequest -TenantFilter $Tenant -Cmdlet 'Set-CsTeamsMessagingPolicy' -CmdParams $cmdparams
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Updated global Teams messaging policy' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Failed to configure global Teams messaging policy.' -sev Error -LogData $ErrorMessage
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Global Teams messaging policy is configured correctly.' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $Tenant -message 'Global Teams messaging policy is not configured correctly.' -sev Alert
+ }
+ }
+
+ if ($Setings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'TeamsMessagingPolicy' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $Tenant
+ }
+}
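Review bot: The report branch at the end of the function tests `$Setings.report`, a misspelled variable that this full-file rewrite carries over unchanged from the old side. Unless strict mode is on, an undefined variable evaluates to `$null`, so the condition is never true and `Add-CIPPBPAField` never records `TeamsMessagingPolicy` for the tenant. The compliance state of this policy, including the two end-user reporting switches, would then be missing from reports even when `report` is enabled. The line should read `if ($Settings.report -eq $true) {`. Separately, the catch block logs a fixed message and passes the error only via `-LogData`; putting the error text in the message, as the Teams Global Policy function earlier in this diff does, would make failed remediations easier to triage.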
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1
index 5a6c9c956c1d..a65dd264850d 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardTenantDefaultTimezone {
{"type":"TimezoneSelect","name":"standards.TenantDefaultTimezone.Timezone","label":"Timezone"}
IMPACT
Low Impact
+ ADDEDDATE
+ 2024-04-20
POWERSHELLEQUIVALENT
Update-MgBetaAdminSharePointSetting
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1
index 89fb1db0b725..d7dd378a2562 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTransportRuleTemplate.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardTransportRuleTemplate {
IMPACT
Medium Impact
+ ADDEDDATE
+ 2023-12-30
ADDEDCOMPONENT
{"type":"autoComplete","name":"transportRuleTemplate","label":"Select Transport Rule Template","api":{"url":"/api/ListTransportRulesTemplates","labelField":"name","valueField":"GUID","queryKey":"ListTransportRulesTemplates"}}
UPDATECOMMENTBLOCK
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1
index 4eb46340bfe1..4840372a6166 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardUndoOauth {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2022-01-07
POWERSHELLEQUIVALENT
Update-MgPolicyAuthorizationPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1
index ff74e6a0bda4..979a6d76d7ef 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardUserSubmissions {
{"type":"textField","name":"standards.UserSubmissions.email","required":false,"label":"Destination email address"}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2024-06-28
POWERSHELLEQUIVALENT
New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy and New-ReportSubmissionRule or Set-ReportSubmissionRule
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1
index f335ba4859e1..6b0cc1e1641d 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardallowOAuthTokens {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2022-12-18
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1
index a79bbd62a2e4..99383d1356ed 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardallowOTPTokens {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-12-06
POWERSHELLEQUIVALENT
Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1
index dfac16a43399..908e76feb7d7 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1
@@ -19,6 +19,8 @@ function Invoke-CIPPStandardcalDefault {
{"type":"autoComplete","multiple":false,"label":"Select Sharing Level","name":"standards.calDefault.permissionLevel","options":[{"label":"Owner - The user can create, read, edit, and delete all items in the folder, and create subfolders. The user is both folder owner and folder contact.","value":"Owner"},{"label":"Publishing Editor - The user can create, read, edit, and delete all items in the folder, and create subfolders.","value":"PublishingEditor"},{"label":"Editor - The user can create items in the folder. The contents of the folder do not appear.","value":"Editor"},{"label":"Publishing Author. The user can read, create all items/subfolders. Can modify and delete only items they create.","value":"PublishingAuthor"},{"label":"Author - The user can create and read items, and modify and delete items that they create.","value":"Author"},{"label":"Non Editing Author - The user has full read access and create items. Can can delete only own items.","value":"NonEditingAuthor"},{"label":"Reviewer - The user can read all items in the folder.","value":"Reviewer"},{"label":"Contributor - The user can create items and folders.","value":"Contributor"},{"label":"Availability Only - Indicates that the user can view only free/busy time within the calendar.","value":"AvailabilityOnly"},{"label":"Limited Details - The user can view free/busy time within the calendar and the subject and location of appointments.","value":"LimitedDetails"},{"label":"None - The user has no permissions on the folder.","value":"none"}]}
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-04-27
POWERSHELLEQUIVALENT
Set-MailboxFolderPermission
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1
index 50c59494e277..bfa15dd5d440 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandarddisableMacSync {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2022-06-15
POWERSHELLEQUIVALENT
Update-MgAdminSharePointSetting
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1
index 95289a2fa964..ac60619aef3e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1
@@ -1,100 +1,102 @@
-function Invoke-CIPPStandardintuneBrandingProfile {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) intuneBrandingProfile
- .SYNOPSIS
- (Label) Set Intune Company Portal branding profile
- .DESCRIPTION
- (Helptext) Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.
- (DocsDescription) Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.
- .NOTES
- CAT
- Intune Standards
- TAG
- ADDEDCOMPONENT
- {"type":"textField","name":"standards.intuneBrandingProfile.displayName","label":"Organization name","required":false}
- {"type":"switch","name":"standards.intuneBrandingProfile.showLogo","label":"Show logo"}
- {"type":"switch","name":"standards.intuneBrandingProfile.showDisplayNameNextToLogo","label":"Show organization name next to logo","required":false}
- {"type":"textField","name":"standards.intuneBrandingProfile.contactITName","label":"Contact IT name","required":false}
- {"type":"textField","name":"standards.intuneBrandingProfile.contactITPhoneNumber","label":"Contact IT phone number","required":false}
- {"type":"textField","name":"standards.intuneBrandingProfile.contactITEmailAddress","label":"Contact IT email address","required":false}
- {"type":"textField","name":"standards.intuneBrandingProfile.contactITNotes","label":"Contact IT notes","required":false}
- {"type":"textField","name":"standards.intuneBrandingProfile.onlineSupportSiteName","label":"Online support site name","required":false}
- {"type":"textField","name":"standards.intuneBrandingProfile.onlineSupportSiteUrl","label":"Online support site URL","required":false}
- {"type":"textField","name":"standards.intuneBrandingProfile.privacyUrl","label":"Privacy statement URL","required":false}
- IMPACT
- Low Impact
- POWERSHELLEQUIVALENT
- Graph API
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/intune-standards#low-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'intuneBrandingProfile'
-
- $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/intuneBrandingProfiles/c3a59481-1bf2-46ce-94b3-66eec07a8d60/' -tenantid $Tenant -AsApp $true
-
- $StateIsCorrect = ((-not $Settings.displayName) -or ($CurrentState.displayName -eq $Settings.displayName)) -and
- ((-not $Settings.showLogo) -or ($CurrentState.showLogo -eq $Settings.showLogo)) -and
- ((-not $Settings.showDisplayNameNextToLogo) -or ($CurrentState.showDisplayNameNextToLogo -eq $Settings.showDisplayNameNextToLogo)) -and
- ((-not $Settings.contactITName) -or ($CurrentState.contactITName -eq $Settings.contactITName)) -and
- ((-not $Settings.contactITPhoneNumber) -or ($CurrentState.contactITPhoneNumber -eq $Settings.contactITPhoneNumber)) -and
- ((-not $Settings.contactITEmailAddress) -or ($CurrentState.contactITEmailAddress -eq $Settings.contactITEmailAddress)) -and
- ((-not $Settings.contactITNotes) -or ($CurrentState.contactITNotes -eq $Settings.contactITNotes)) -and
- ((-not $Settings.onlineSupportSiteName) -or ($CurrentState.onlineSupportSiteName -eq $Settings.onlineSupportSiteName)) -and
- ((-not $Settings.onlineSupportSiteUrl) -or ($CurrentState.onlineSupportSiteUrl -eq $Settings.onlineSupportSiteUrl)) -and
- ((-not $Settings.privacyUrl) -or ($CurrentState.privacyUrl -eq $Settings.privacyUrl))
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Intune Branding Profile is already correctly configured' -sev Info
- } else {
- $Body = @{}
- if ($Settings.displayName) { $Body.displayName = $Settings.displayName }
- if ($Settings.showLogo) { $Body.showLogo = $Settings.showLogo }
- if ($Settings.showDisplayNameNextToLogo) { $Body.showDisplayNameNextToLogo = $Settings.showDisplayNameNextToLogo }
- if ($Settings.contactITName) { $Body.contactITName = $Settings.contactITName }
- if ($Settings.contactITPhoneNumber) { $Body.contactITPhoneNumber = $Settings.contactITPhoneNumber }
- if ($Settings.contactITEmailAddress) { $Body.contactITEmailAddress = $Settings.contactITEmailAddress }
- if ($Settings.contactITNotes) { $Body.contactITNotes = $Settings.contactITNotes }
- if ($Settings.onlineSupportSiteName) { $Body.onlineSupportSiteName = $Settings.onlineSupportSiteName }
- if ($Settings.onlineSupportSiteUrl) { $Body.onlineSupportSiteUrl = $Settings.onlineSupportSiteUrl }
- if ($Settings.privacyUrl) { $Body.privacyUrl = $Settings.privacyUrl }
-
- $cmdparams = @{
- tenantid = $tenant
- uri = 'https://graph.microsoft.com/beta/deviceManagement/intuneBrandingProfiles/c3a59481-1bf2-46ce-94b3-66eec07a8d60/'
- AsApp = $true
- Type = 'PATCH'
- Body = ($Body | ConvertTo-Json)
- ContentType = 'application/json; charset=utf-8'
- }
-
- try {
- New-GraphPostRequest @cmdparams
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully updated Intune Branding Profile' -sev Info
- } catch {
- $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to update Intune Branding Profile. Error: $ErrorMessage" -sev Error
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Intune Branding Profile is correctly configured' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Intune Branding Profile is not correctly configured' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'intuneBrandingProfile' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-}
+function Invoke-CIPPStandardintuneBrandingProfile {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) intuneBrandingProfile
+ .SYNOPSIS
+ (Label) Set Intune Company Portal branding profile
+ .DESCRIPTION
+ (Helptext) Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.
+ (DocsDescription) Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.
+ .NOTES
+ CAT
+ Intune Standards
+ TAG
+ ADDEDCOMPONENT
+ {"type":"textField","name":"standards.intuneBrandingProfile.displayName","label":"Organization name","required":false}
+ {"type":"switch","name":"standards.intuneBrandingProfile.showLogo","label":"Show logo"}
+ {"type":"switch","name":"standards.intuneBrandingProfile.showDisplayNameNextToLogo","label":"Show organization name next to logo","required":false}
+ {"type":"textField","name":"standards.intuneBrandingProfile.contactITName","label":"Contact IT name","required":false}
+ {"type":"textField","name":"standards.intuneBrandingProfile.contactITPhoneNumber","label":"Contact IT phone number","required":false}
+ {"type":"textField","name":"standards.intuneBrandingProfile.contactITEmailAddress","label":"Contact IT email address","required":false}
+ {"type":"textField","name":"standards.intuneBrandingProfile.contactITNotes","label":"Contact IT notes","required":false}
+ {"type":"textField","name":"standards.intuneBrandingProfile.onlineSupportSiteName","label":"Online support site name","required":false}
+ {"type":"textField","name":"standards.intuneBrandingProfile.onlineSupportSiteUrl","label":"Online support site URL","required":false}
+ {"type":"textField","name":"standards.intuneBrandingProfile.privacyUrl","label":"Privacy statement URL","required":false}
+ IMPACT
+ Low Impact
+ ADDEDDATE
+ 2024-06-20
+ POWERSHELLEQUIVALENT
+ Graph API
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/intune-standards#low-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'intuneBrandingProfile'
+
+ $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/intuneBrandingProfiles/c3a59481-1bf2-46ce-94b3-66eec07a8d60/' -tenantid $Tenant -AsApp $true
+
+ $StateIsCorrect = ((-not $Settings.displayName) -or ($CurrentState.displayName -eq $Settings.displayName)) -and
+ ((-not $Settings.showLogo) -or ($CurrentState.showLogo -eq $Settings.showLogo)) -and
+ ((-not $Settings.showDisplayNameNextToLogo) -or ($CurrentState.showDisplayNameNextToLogo -eq $Settings.showDisplayNameNextToLogo)) -and
+ ((-not $Settings.contactITName) -or ($CurrentState.contactITName -eq $Settings.contactITName)) -and
+ ((-not $Settings.contactITPhoneNumber) -or ($CurrentState.contactITPhoneNumber -eq $Settings.contactITPhoneNumber)) -and
+ ((-not $Settings.contactITEmailAddress) -or ($CurrentState.contactITEmailAddress -eq $Settings.contactITEmailAddress)) -and
+ ((-not $Settings.contactITNotes) -or ($CurrentState.contactITNotes -eq $Settings.contactITNotes)) -and
+ ((-not $Settings.onlineSupportSiteName) -or ($CurrentState.onlineSupportSiteName -eq $Settings.onlineSupportSiteName)) -and
+ ((-not $Settings.onlineSupportSiteUrl) -or ($CurrentState.onlineSupportSiteUrl -eq $Settings.onlineSupportSiteUrl)) -and
+ ((-not $Settings.privacyUrl) -or ($CurrentState.privacyUrl -eq $Settings.privacyUrl))
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Intune Branding Profile is already correctly configured' -sev Info
+ } else {
+ $Body = @{}
+ if ($Settings.displayName) { $Body.displayName = $Settings.displayName }
+ if ($Settings.showLogo) { $Body.showLogo = $Settings.showLogo }
+ if ($Settings.showDisplayNameNextToLogo) { $Body.showDisplayNameNextToLogo = $Settings.showDisplayNameNextToLogo }
+ if ($Settings.contactITName) { $Body.contactITName = $Settings.contactITName }
+ if ($Settings.contactITPhoneNumber) { $Body.contactITPhoneNumber = $Settings.contactITPhoneNumber }
+ if ($Settings.contactITEmailAddress) { $Body.contactITEmailAddress = $Settings.contactITEmailAddress }
+ if ($Settings.contactITNotes) { $Body.contactITNotes = $Settings.contactITNotes }
+ if ($Settings.onlineSupportSiteName) { $Body.onlineSupportSiteName = $Settings.onlineSupportSiteName }
+ if ($Settings.onlineSupportSiteUrl) { $Body.onlineSupportSiteUrl = $Settings.onlineSupportSiteUrl }
+ if ($Settings.privacyUrl) { $Body.privacyUrl = $Settings.privacyUrl }
+
+ $cmdparams = @{
+ tenantid = $tenant
+ uri = 'https://graph.microsoft.com/beta/deviceManagement/intuneBrandingProfiles/c3a59481-1bf2-46ce-94b3-66eec07a8d60/'
+ AsApp = $true
+ Type = 'PATCH'
+ Body = ($Body | ConvertTo-Json)
+ ContentType = 'application/json; charset=utf-8'
+ }
+
+ try {
+ New-GraphPostRequest @cmdparams
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully updated Intune Branding Profile' -sev Info
+ } catch {
+ $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to update Intune Branding Profile. Error: $ErrorMessage" -sev Error
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Intune Branding Profile is correctly configured' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Intune Branding Profile is not correctly configured' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'intuneBrandingProfile' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+}
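Review bot: In the report branch, `-FieldValue [bool]$StateIsCorrect` is parsed in argument mode, where an unparenthesised `[bool]` is not a cast but literal text. The value passed is therefore a string such as `[bool]True`, not a boolean. How `Add-CIPPBPAField` handles that with `-StoreAs bool` is not visible here, but a non-empty string converts to true, so a non-compliant tenant may be reported as compliant. Use `-FieldValue ([bool]$StateIsCorrect)` or pass `$StateIsCorrect` directly, as the Teams standards in this diff do. Note also that the `(-not $Settings.showLogo) -or …` checks treat a switch set to false as "not configured", so this standard cannot enforce `showLogo` or `showDisplayNameNextToLogo` being off; if that is intended, a comment saying so would help.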
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1
index 2103a785915e..bd58f15be325 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardintuneDeviceReg {
{"type":"number","name":"standards.intuneDeviceReg.max","label":"Maximum devices (Enter 2147483647 for unlimited.)","required":true}
IMPACT
Medium Impact
+ ADDEDDATE
+ 2023-03-27
POWERSHELLEQUIVALENT
Update-MgBetaPolicyDeviceRegistrationPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1
index 34ac3bb23102..6705a03031e6 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1
@@ -17,6 +17,8 @@ function Invoke-CIPPStandardintuneDeviceRetirementDays {
{"type":"number","name":"standards.intuneDeviceRetirementDays.days","label":"Maximum days (0 equals disabled)"}
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-05-19
POWERSHELLEQUIVALENT
Graph API
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1
index 26e60d4930d5..e898d3e88d0a 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1
@@ -15,6 +15,8 @@ function Invoke-CIPPStandardintuneRequireMFA {
TAG
IMPACT
Medium Impact
+ ADDEDDATE
+ 2023-10-23
POWERSHELLEQUIVALENT
Update-MgBetaPolicyDeviceRegistrationPolicy
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1
index 9b30858e3675..866fabf1043c 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardlaps {
ADDEDCOMPONENT
IMPACT
Low Impact
+ ADDEDDATE
+ 2023-04-25
POWERSHELLEQUIVALENT
Portal or Graph API
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
index 7a4e443d7962..4369a0c46b14 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
@@ -18,6 +18,8 @@ function Invoke-CIPPStandardsharingCapability {
{"type":"autoComplete","multiple":false,"label":"Select Sharing Level","name":"standards.sharingCapability.Level","options":[{"label":"Users can share only with people in the organization. No external sharing is allowed.","value":"disabled"},{"label":"Users can share with new and existing guests. Guests must sign in or provide a verification code.","value":"externalUserSharingOnly"},{"label":"Users can share with anyone by using links that do not require sign-in.","value":"externalUserAndGuestSharing"},{"label":"Users can share with existing guests (those already in the directory of the organization).","value":"existingExternalUserSharingOnly"}]}
IMPACT
High Impact
+ ADDEDDATE
+ 2022-06-15
POWERSHELLEQUIVALENT
Update-MgBetaAdminSharePointSetting
RECOMMENDEDBY
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1
index 32b74e3b1780..079b6e319d3a 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1
@@ -1,92 +1,94 @@
-function Invoke-CIPPStandardsharingDomainRestriction {
- <#
- .FUNCTIONALITY
- Internal
- .COMPONENT
- (APIName) sharingDomainRestriction
- .SYNOPSIS
- (Label) Restrict sharing to a specific domain
- .DESCRIPTION
- (Helptext) Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.
- (DocsDescription) Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.
- .NOTES
- CAT
- SharePoint Standards
- TAG
- "CIS"
- ADDEDCOMPONENT
- {"type":"autoComplete","multiple":false,"name":"standards.sharingDomainRestriction.Mode","label":"Limit external sharing by domains","options":[{"label":"Off","value":"none"},{"label":"Restrict sharing to specific domains","value":"allowList"},{"label":"Block sharing to specific domains","value":"blockList"}]}
- {"type":"textField","name":"standards.sharingDomainRestriction.Domains","label":"Domains to allow/block, comma separated","required":false}
- IMPACT
- High Impact
- POWERSHELLEQUIVALENT
- Update-MgAdminSharePointSetting
- RECOMMENDEDBY
- UPDATECOMMENTBLOCK
- Run the Tools\Update-StandardsComments.ps1 script to update this comment block
- .LINK
- https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#high-impact
- #>
-
- param($Tenant, $Settings)
- ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'sharingDomainRestriction'
-
- $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
-
- # Get mode value using null-coalescing operator
- $mode = $Settings.Mode.value ?? $Settings.Mode
-
- if ($mode -eq 'none' -or $null -eq $mode) {
- $StateIsCorrect = $CurrentState.sharingDomainRestrictionMode -eq 'none'
- } else {
- $SelectedDomains = [String[]]$Settings.Domains.Split(',').Trim()
- $StateIsCorrect = ($CurrentState.sharingDomainRestrictionMode -eq $mode) -and
- ($mode -eq 'allowList' -and (!(Compare-Object -ReferenceObject $CurrentState.sharingAllowedDomainList -DifferenceObject $SelectedDomains))) -or
- ($mode -eq 'blockList' -and (!(Compare-Object -ReferenceObject $CurrentState.sharingBlockedDomainList -DifferenceObject $SelectedDomains)))
- }
-
- if ($Settings.remediate -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sharing Domain Restriction is already correctly configured' -sev Info
- } else {
- $Body = @{
- sharingDomainRestrictionMode = $mode
- }
-
- if ($mode -eq 'AllowList') {
- $Body.Add('sharingAllowedDomainList', $SelectedDomains)
- } elseif ($mode -eq 'BlockList') {
- $Body.Add('sharingBlockedDomainList', $SelectedDomains)
- }
-
- $cmdParams = @{
- tenantid = $tenant
- uri = 'https://graph.microsoft.com/beta/admin/sharepoint/settings'
- AsApp = $true
- Type = 'PATCH'
- Body = ($Body | ConvertTo-Json)
- ContentType = 'application/json'
- }
-
- try {
- $null = New-GraphPostRequest @cmdParams
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully updated Sharing Domain Restriction settings' -sev Info
- } catch {
- $ErrorMessage = Get-CippException -Exception $_
- Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to update Sharing Domain Restriction settings. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
- }
- }
- }
-
- if ($Settings.alert -eq $true) {
- if ($StateIsCorrect -eq $true) {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sharing Domain Restriction is correctly configured' -sev Info
- } else {
- Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sharing Domain Restriction is not correctly configured' -sev Alert
- }
- }
-
- if ($Settings.report -eq $true) {
- Add-CIPPBPAField -FieldName 'sharingDomainRestriction' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $tenant
- }
-}
+function Invoke-CIPPStandardsharingDomainRestriction {
+ <#
+ .FUNCTIONALITY
+ Internal
+ .COMPONENT
+ (APIName) sharingDomainRestriction
+ .SYNOPSIS
+ (Label) Restrict sharing to a specific domain
+ .DESCRIPTION
+ (Helptext) Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.
+ (DocsDescription) Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.
+ .NOTES
+ CAT
+ SharePoint Standards
+ TAG
+ "CIS"
+ ADDEDCOMPONENT
+ {"type":"autoComplete","multiple":false,"name":"standards.sharingDomainRestriction.Mode","label":"Limit external sharing by domains","options":[{"label":"Off","value":"none"},{"label":"Restrict sharing to specific domains","value":"allowList"},{"label":"Block sharing to specific domains","value":"blockList"}]}
+ {"type":"textField","name":"standards.sharingDomainRestriction.Domains","label":"Domains to allow/block, comma separated","required":false}
+ IMPACT
+ High Impact
+ ADDEDDATE
+ 2024-06-20
+ POWERSHELLEQUIVALENT
+ Update-MgAdminSharePointSetting
+ RECOMMENDEDBY
+ UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ .LINK
+ https://docs.cipp.app/user-documentation/tenant/standards/list-standards/sharepoint-standards#high-impact
+ #>
+
+ param($Tenant, $Settings)
+ ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'sharingDomainRestriction'
+
+ $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
+
+ # Get mode value using null-coalescing operator
+ $mode = $Settings.Mode.value ?? $Settings.Mode
+
+ if ($mode -eq 'none' -or $null -eq $mode) {
+ $StateIsCorrect = $CurrentState.sharingDomainRestrictionMode -eq 'none'
+ } else {
+ $SelectedDomains = [String[]]$Settings.Domains.Split(',').Trim()
+ $StateIsCorrect = ($CurrentState.sharingDomainRestrictionMode -eq $mode) -and
+ ($mode -eq 'allowList' -and (!(Compare-Object -ReferenceObject $CurrentState.sharingAllowedDomainList -DifferenceObject $SelectedDomains))) -or
+ ($mode -eq 'blockList' -and (!(Compare-Object -ReferenceObject $CurrentState.sharingBlockedDomainList -DifferenceObject $SelectedDomains)))
+ }
+
+ if ($Settings.remediate -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sharing Domain Restriction is already correctly configured' -sev Info
+ } else {
+ $Body = @{
+ sharingDomainRestrictionMode = $mode
+ }
+
+ if ($mode -eq 'AllowList') {
+ $Body.Add('sharingAllowedDomainList', $SelectedDomains)
+ } elseif ($mode -eq 'BlockList') {
+ $Body.Add('sharingBlockedDomainList', $SelectedDomains)
+ }
+
+ $cmdParams = @{
+ tenantid = $tenant
+ uri = 'https://graph.microsoft.com/beta/admin/sharepoint/settings'
+ AsApp = $true
+ Type = 'PATCH'
+ Body = ($Body | ConvertTo-Json)
+ ContentType = 'application/json'
+ }
+
+ try {
+ $null = New-GraphPostRequest @cmdParams
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Successfully updated Sharing Domain Restriction settings' -sev Info
+ } catch {
+ $ErrorMessage = Get-CippException -Exception $_
+ Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to update Sharing Domain Restriction settings. Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+ }
+ }
+ }
+
+ if ($Settings.alert -eq $true) {
+ if ($StateIsCorrect -eq $true) {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sharing Domain Restriction is correctly configured' -sev Info
+ } else {
+ Write-LogMessage -API 'Standards' -tenant $tenant -message 'Sharing Domain Restriction is not correctly configured' -sev Alert
+ }
+ }
+
+ if ($Settings.report -eq $true) {
+ Add-CIPPBPAField -FieldName 'sharingDomainRestriction' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $tenant
+ }
+}
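Review bot: The `$StateIsCorrect` expression in the `else` branch can report a compliant state when the tenant's restriction mode does not match the requested one. PowerShell gives `-and` and `-or` equal precedence and evaluates them left to right, so the three clauses group as `(modeMatches -and allowListMatches) -or blockListMatches`. With `$mode` set to `blockList`, a matching `sharingBlockedDomainList` is enough even when `sharingDomainRestrictionMode` is currently `none`, and the remediation and the alert are then skipped. Wrap the two list comparisons in one extra pair of parentheses so the mode comparison gates both: `(... -eq $mode) -and ((allowList clause) -or (blockList clause))`. The expression is identical on the removed side, so it predates this commit.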
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1
index 15547c8893ce..7b0d2b43b2cb 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1
@@ -16,6 +16,8 @@ function Invoke-CIPPStandardunmanagedSync {
ADDEDCOMPONENT
IMPACT
High Impact
+ ADDEDDATE
+ 2022-06-15
POWERSHELLEQUIVALENT
Update-MgAdminSharePointSetting
RECOMMENDEDBY
diff --git a/Tools/Update-StandardsComments.ps1 b/Tools/Update-StandardsComments.ps1
index 6f5cc8397db9..e804aefe0998 100644
--- a/Tools/Update-StandardsComments.ps1
+++ b/Tools/Update-StandardsComments.ps1
@@ -1,152 +1,152 @@
-<#
-.SYNOPSIS
- This script updates the comment block in the CIPP standard files.
-
-.DESCRIPTION
- The script reads the standards.json file and updates the comment block in the corresponding CIPP standard files.
- It adds or modifies the comment block based on the properties defined in the standards.json file.
- This is made to be able to generate the help documentation for the CIPP standards automatically.
-
-.INPUTS
- None. You cannot pipe objects to this script.
-
-.OUTPUTS
- None. The script modifies the CIPP standard files directly.
-
-.NOTES
- .FUNCTIONALITY Internal needs to be present in the comment block for the script, otherwise it will not be updated.
- This is done as a safety measure to avoid updating the wrong files.
-
-.EXAMPLE
- Update-StandardsComments.ps1
-
- This example runs the script to update the comment block in the CIPP standard files.
-
-#>
-param (
- [switch]$WhatIf
-)
-
-
-function EscapeMarkdown([object]$InputObject) {
- # https://github.com/microsoft/FormatPowerShellToMarkdownTable/blob/master/src/FormatMarkdownTable/FormatMarkdownTable.psm1
- $Temp = ''
-
- if ($null -eq $InputObject) {
- return ''
- } elseif ($InputObject.GetType().BaseType -eq [System.Array]) {
- $Temp = '{' + [System.String]::Join(', ', $InputObject) + '}'
- } elseif ($InputObject.GetType() -eq [System.Collections.ArrayList] -or $InputObject.GetType().ToString().StartsWith('System.Collections.Generic.List')) {
- $Temp = '{' + [System.String]::Join(', ', $InputObject.ToArray()) + '}'
- } elseif (Get-Member -InputObject $InputObject -Name ToString -MemberType Method) {
- $Temp = $InputObject.ToString()
- } else {
- $Temp = ''
- }
-
- return $Temp.Replace('\', '\\').Replace('*', '\*').Replace('_', '\_').Replace("``", "\``").Replace('$', '\$').Replace('|', '\|').Replace('<', '\<').Replace('>', '\>').Replace([System.Environment]::NewLine, '
')
-}
-
-
-# Find the paths to the standards.json file based on the current script path
-$StandardsJSONPath = Split-Path (Split-Path $PSScriptRoot)
-$StandardsJSONPath = Resolve-Path "$StandardsJSONPath\*\src\data\standards.json"
-$StandardsInfo = Get-Content -Path $StandardsJSONPath | ConvertFrom-Json -Depth 10
-
-foreach ($Standard in $StandardsInfo) {
-
- # Calculate the standards file name and path
- $StandardFileName = $Standard.name -replace 'standards.', 'Invoke-CIPPStandard'
- $StandardsFilePath = Resolve-Path "$(Split-Path $PSScriptRoot)\Modules\CIPPCore\Public\Standards\$StandardFileName.ps1"
- if (-not (Test-Path $StandardsFilePath)) {
- Write-Host "No file found for standard $($Standard.name)" -ForegroundColor Yellow
- continue
- }
- $Content = (Get-Content -Path $StandardsFilePath -Raw).TrimEnd() + "`r`n"
-
- # Remove random newlines before the param block
- $regexPattern = '#>\s*\r?\n\s*\r?\n\s*param'
- $Content = $Content -replace $regexPattern, "#>`r`n`r`n param"
-
- # Regex to match the existing comment block
- $Regex = '<#(.|\n)*?\.FUNCTIONALITY\s*Internal(.|\n)*?#>'
-
- if ($Content -match $Regex) {
- $NewComment = [System.Collections.Generic.List[string]]::new()
- # Add the initial static comments
- $NewComment.Add("<#`r`n")
- $NewComment.Add(" .FUNCTIONALITY`r`n")
- $NewComment.Add(" Internal`r`n")
- $NewComment.Add(" .COMPONENT`r`n")
- $NewComment.Add(" (APIName) $($Standard.name -replace 'standards.', '')`r`n")
- $NewComment.Add(" .SYNOPSIS`r`n")
- $NewComment.Add(" (Label) $($Standard.label.ToString())`r`n")
- $NewComment.Add(" .DESCRIPTION`r`n")
- if ([string]::IsNullOrWhiteSpace($Standard.docsDescription)) {
- $NewComment.Add(" (Helptext) $($Standard.helpText.ToString())`r`n")
- $NewComment.Add(" (DocsDescription) $(EscapeMarkdown($Standard.helpText.ToString()))`r`n")
- } else {
- $NewComment.Add(" (Helptext) $($Standard.helpText.ToString())`r`n")
- $NewComment.Add(" (DocsDescription) $(EscapeMarkdown($Standard.docsDescription.ToString()))`r`n")
- }
- $NewComment.Add(" .NOTES`r`n")
-
- # Loop through the rest of the properties of the standard and add them to the NOTES field
- foreach ($Property in $Standard.PSObject.Properties) {
- switch ($Property.Name) {
- 'name' { continue }
- 'impactColour' { continue }
- 'docsDescription' { continue }
- 'helpText' { continue }
- 'label' { continue }
- Default {
- $NewComment.Add(" $($Property.Name.ToUpper())`r`n")
- if ($Property.Value -is [System.Object[]]) {
- foreach ($Value in $Property.Value) {
- $NewComment.Add(" $(ConvertTo-Json -InputObject $Value -Depth 5 -Compress)`r`n")
- }
- continue
- }
- $NewComment.Add(" $(EscapeMarkdown($Property.Value.ToString()))`r`n")
- }
- }
-
- }
-
- # Add header about how to update the comment block with this script
- $NewComment.Add(" UPDATECOMMENTBLOCK`r`n")
- $NewComment.Add(" Run the Tools\Update-StandardsComments.ps1 script to update this comment block`r`n")
- # -Online help link
- $NewComment.Add(" .LINK`r`n")
- $DocsLink = 'https://docs.cipp.app/user-documentation/tenant/standards/list-standards/'
-
- switch ($Standard.cat) {
- 'Global Standards' { $DocsLink += 'global-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
- 'Entra (AAD) Standards' { $DocsLink += 'entra-aad-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
- 'Exchange Standards' { $DocsLink += 'exchange-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
- 'Defender Standards' { $DocsLink += 'defender-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
- 'Intune Standards' { $DocsLink += 'intune-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
- 'SharePoint Standards' { $DocsLink += 'sharepoint-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
- 'Teams Standards' { $DocsLink += 'teams-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
- Default {}
- }
-
- switch ($Standard.impact) {
- condition { }
- Default {}
- }
-
- $NewComment.Add(" $DocsLink`r`n")
- $NewComment.Add(' #>')
-
- # Write the new comment block to the file
- if ($WhatIf.IsPresent) {
- Write-Host "Would update $StandardsFilePath with the following comment block:"
- $NewComment
- } else {
- $Content -replace $Regex, $NewComment | Set-Content -Path $StandardsFilePath -Encoding utf8 -NoNewline
- }
- } else {
- Write-Host "No comment block found in $StandardsFilePath" -ForegroundColor Yellow
- }
-}
+<#
+.SYNOPSIS
+ This script updates the comment block in the CIPP standard files.
+
+.DESCRIPTION
+ The script reads the standards.json file and updates the comment block in the corresponding CIPP standard files.
+ It adds or modifies the comment block based on the properties defined in the standards.json file.
+ This is made to be able to generate the help documentation for the CIPP standards automatically.
+
+.INPUTS
+ None. You cannot pipe objects to this script.
+
+.OUTPUTS
+ None. The script modifies the CIPP standard files directly.
+
+.NOTES
+ .FUNCTIONALITY Internal needs to be present in the comment block for the script, otherwise it will not be updated.
+ This is done as a safety measure to avoid updating the wrong files.
+
+.EXAMPLE
+ Update-StandardsComments.ps1
+
+ This example runs the script to update the comment block in the CIPP standard files.
+
+#>
+param (
+ [switch]$WhatIf
+)
+
+
+function EscapeMarkdown([object]$InputObject) {
+ # https://github.com/microsoft/FormatPowerShellToMarkdownTable/blob/master/src/FormatMarkdownTable/FormatMarkdownTable.psm1
+ $Temp = ''
+
+ if ($null -eq $InputObject) {
+ return ''
+ } elseif ($InputObject.GetType().BaseType -eq [System.Array]) {
+ $Temp = '{' + [System.String]::Join(', ', $InputObject) + '}'
+ } elseif ($InputObject.GetType() -eq [System.Collections.ArrayList] -or $InputObject.GetType().ToString().StartsWith('System.Collections.Generic.List')) {
+ $Temp = '{' + [System.String]::Join(', ', $InputObject.ToArray()) + '}'
+ } elseif (Get-Member -InputObject $InputObject -Name ToString -MemberType Method) {
+ $Temp = $InputObject.ToString()
+ } else {
+ $Temp = ''
+ }
+
+ return $Temp.Replace('\', '\\').Replace('*', '\*').Replace('_', '\_').Replace("``", "\``").Replace('$', '\$').Replace('|', '\|').Replace('<', '\<').Replace('>', '\>').Replace([System.Environment]::NewLine, '
')
+}
+
+
+# Find the paths to the standards.json file based on the current script path
+$StandardsJSONPath = Split-Path (Split-Path $PSScriptRoot)
+$StandardsJSONPath = Resolve-Path "$StandardsJSONPath\*\src\data\standards.json"
+$StandardsInfo = Get-Content -Path $StandardsJSONPath | ConvertFrom-Json -Depth 10
+
+foreach ($Standard in $StandardsInfo) {
+
+ # Calculate the standards file name and path
+ $StandardFileName = $Standard.name -replace 'standards.', 'Invoke-CIPPStandard'
+ $StandardsFilePath = Resolve-Path "$(Split-Path $PSScriptRoot)\Modules\CIPPCore\Public\Standards\$StandardFileName.ps1"
+ if (-not (Test-Path $StandardsFilePath)) {
+ Write-Host "No file found for standard $($Standard.name)" -ForegroundColor Yellow
+ continue
+ }
+ $Content = (Get-Content -Path $StandardsFilePath -Raw).TrimEnd() + "`n"
+
+ # Remove random newlines before the param block
+ $regexPattern = '#>\s*\r?\n\s*\r?\n\s*param'
+ $Content = $Content -replace $regexPattern, "#>`n`n param"
+
+ # Regex to match the existing comment block
+ $Regex = '<#(.|\n)*?\.FUNCTIONALITY\s*Internal(.|\n)*?#>'
+
+ if ($Content -match $Regex) {
+ $NewComment = [System.Collections.Generic.List[string]]::new()
+ # Add the initial static comments
+ $NewComment.Add("<#`n")
+ $NewComment.Add(" .FUNCTIONALITY`n")
+ $NewComment.Add(" Internal`n")
+ $NewComment.Add(" .COMPONENT`n")
+ $NewComment.Add(" (APIName) $($Standard.name -replace 'standards.', '')`n")
+ $NewComment.Add(" .SYNOPSIS`n")
+ $NewComment.Add(" (Label) $($Standard.label.ToString())`n")
+ $NewComment.Add(" .DESCRIPTION`n")
+ if ([string]::IsNullOrWhiteSpace($Standard.docsDescription)) {
+ $NewComment.Add(" (Helptext) $($Standard.helpText.ToString())`n")
+ $NewComment.Add(" (DocsDescription) $(EscapeMarkdown($Standard.helpText.ToString()))`n")
+ } else {
+ $NewComment.Add(" (Helptext) $($Standard.helpText.ToString())`n")
+ $NewComment.Add(" (DocsDescription) $(EscapeMarkdown($Standard.docsDescription.ToString()))`n")
+ }
+ $NewComment.Add(" .NOTES`n")
+
+ # Loop through the rest of the properties of the standard and add them to the NOTES field
+ foreach ($Property in $Standard.PSObject.Properties) {
+ switch ($Property.Name) {
+ 'name' { continue }
+ 'impactColour' { continue }
+ 'docsDescription' { continue }
+ 'helpText' { continue }
+ 'label' { continue }
+ Default {
+ $NewComment.Add(" $($Property.Name.ToUpper())`n")
+ if ($Property.Value -is [System.Object[]]) {
+ foreach ($Value in $Property.Value) {
+ $NewComment.Add(" $(ConvertTo-Json -InputObject $Value -Depth 5 -Compress)`n")
+ }
+ continue
+ }
+ $NewComment.Add(" $(EscapeMarkdown($Property.Value.ToString()))`n")
+ }
+ }
+
+ }
+
+ # Add header about how to update the comment block with this script
+ $NewComment.Add(" UPDATECOMMENTBLOCK`n")
+ $NewComment.Add(" Run the Tools\Update-StandardsComments.ps1 script to update this comment block`n")
+ # -Online help link
+ $NewComment.Add(" .LINK`n")
+ $DocsLink = 'https://docs.cipp.app/user-documentation/tenant/standards/list-standards/'
+
+ switch ($Standard.cat) {
+ 'Global Standards' { $DocsLink += 'global-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
+ 'Entra (AAD) Standards' { $DocsLink += 'entra-aad-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
+ 'Exchange Standards' { $DocsLink += 'exchange-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
+ 'Defender Standards' { $DocsLink += 'defender-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
+ 'Intune Standards' { $DocsLink += 'intune-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
+ 'SharePoint Standards' { $DocsLink += 'sharepoint-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
+ 'Teams Standards' { $DocsLink += 'teams-standards#' + $Standard.impact.ToLower() -replace ' ', '-' }
+ Default {}
+ }
+
+ switch ($Standard.impact) {
+ condition { }
+ Default {}
+ }
+
+ $NewComment.Add(" $DocsLink`n")
+ $NewComment.Add(' #>')
+
+ # Write the new comment block to the file
+ if ($WhatIf.IsPresent) {
+ Write-Host "Would update $StandardsFilePath with the following comment block:"
+ $NewComment
+ } else {
+ $Content -replace $Regex, $NewComment | Set-Content -Path $StandardsFilePath -Encoding utf8 -NoNewline
+ }
+ } else {
+ Write-Host "No comment block found in $StandardsFilePath" -ForegroundColor Yellow
+ }
+}
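Review bot: The missing-file guard near the top of the `foreach` loop cannot work as written, because `Resolve-Path` is called on the computed `.ps1` path before `Test-Path` checks it. For a standard without a matching file, `Resolve-Path` reports an error and yields nothing, so `Test-Path` receives an empty value and the `No file found for standard` branch is presumably not reached cleanly. Build the path without resolving it, e.g. `$StandardsFilePath = Join-Path (Split-Path $PSScriptRoot) "Modules\CIPPCore\Public\Standards\$StandardFileName.ps1"`, and keep the `Test-Path` check as it is.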