Skip to content

Commit

Permalink
Merge pull request KelvinTegelaar#617 from KelvinTegelaar/dev
Browse files Browse the repository at this point in the history
Dev
  • Loading branch information
KelvinTegelaar authored Feb 6, 2024
2 parents d1f3e07 + 0e16005 commit c088057
Show file tree
Hide file tree
Showing 5 changed files with 129 additions and 44 deletions.
79 changes: 37 additions & 42 deletions Durable_BECRun/run.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -2,46 +2,45 @@ param($Context)
#$Context does not allow itself to be cast to a pscustomobject for some reason, so we convert
$context = $Context | ConvertTo-Json | ConvertFrom-Json
$APIName = $TriggerMetadata.FunctionName
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message "Accessed this API" -Sev "Debug"
Write-LogMessage -user $request.headers.'x-ms-client-principal' -API $APINAME -message 'Accessed this API' -Sev 'Debug'
$TenantFilter = $Context.input.tenantfilter
$SuspectUser = $Context.input.userid
$UserName = $Context.input.username
Write-Host "Working on $UserName"
try {
$startDate = (Get-Date).AddDays(-7)
$endDate = (Get-Date)
$auditLog = (New-ExoRequest -tenantid $Tenantfilter -cmdlet "Get-AdminAuditLogConfig").UnifiedAuditLogIngestionEnabled
$auditLog = (New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Get-AdminAuditLogConfig').UnifiedAuditLogIngestionEnabled
$7dayslog = if ($auditLog -eq $false) {
$ExtractResult = "AuditLog is disabled. Cannot perform full analysis"
}
else {
$ExtractResult = 'AuditLog is disabled. Cannot perform full analysis'
} else {
$sessionid = Get-Random -Minimum 10000 -Maximum 99999
$operations = @(
"New-InboxRule",
"Set-InboxRule",
"UpdateInboxRules",
"Remove-MailboxPermission",
"Add-MailboxPermission",
"UpdateCalendarDelegation",
"AddFolderPermissions",
"MailboxLogin",
"UserLoggedIn"
'New-InboxRule',
'Set-InboxRule',
'UpdateInboxRules',
'Remove-MailboxPermission',
'Add-MailboxPermission',
'UpdateCalendarDelegation',
'AddFolderPermissions',
'MailboxLogin',
'UserLoggedIn'
)
$startDate = (Get-Date).AddDays(-7)
$endDate = (Get-Date)
$SearchParam = @{
SessionCommand = "ReturnLargeSet"
SessionCommand = 'ReturnLargeSet'
Operations = $operations
sessionid = $sessionid
startDate = $startDate
endDate = $endDate
}
do {
New-ExoRequest -tenantid $Tenantfilter -cmdlet "Search-unifiedAuditLog" -cmdParams $SearchParam -Anchor $Username
New-ExoRequest -tenantid $Tenantfilter -cmdlet 'Search-unifiedAuditLog' -cmdParams $SearchParam -Anchor $Username
Write-Host "Retrieved $($logsTenant.count) logs" -ForegroundColor Yellow
$logsTenant
} while ($LogsTenant.count % 5000 -eq 0 -and $LogsTenant.count -ne 0)
$ExtractResult = "Succesfully extracted logs from auditlog"
$ExtractResult = 'Succesfully extracted logs from auditlog'
}
Try {
$URI = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=(userId eq '$SuspectUser')&`$top=1&`$orderby=createdDateTime desc"
Expand All @@ -50,29 +49,26 @@ try {
@{ Name = 'AppDisplayName'; Expression = { $_.resourceDisplayName } },
@{ Name = 'Status'; Expression = { if (($_.conditionalAccessStatus -eq 'Success' -or 'Not Applied') -and $_.status.errorCode -eq 0) { 'Success' } else { 'Failed' } } },
@{ Name = 'IPAddress'; Expression = { $_.ipAddress } }
}
catch {
} catch {
$LastSignIn = [PSCustomObject]@{
AppDisplayName = "Unknown - could not retrieve information. No access to sign-in logs"
CreatedDateTime = "Unknown"
Id = "0"
Status = "Could not retrieve additional details"
AppDisplayName = 'Unknown - could not retrieve information. No access to sign-in logs'
CreatedDateTime = 'Unknown'
Id = '0'
Status = 'Could not retrieve additional details'
}
}
#List all users devices
$Bytes = [System.Text.Encoding]::UTF8.GetBytes($SuspectUser)
$base64IdentityParam = [Convert]::ToBase64String($Bytes)
Try {
$Devices = New-GraphGetRequest -uri "https://outlook.office365.com:443/adminapi/beta/$($TenantFilter)/mailbox('$($base64IdentityParam)')/MobileDevice/Exchange.GetMobileDeviceStatistics()/?IsEncoded=True" -Tenantid $tenantfilter -scope ExchangeOnline
}
catch {
} catch {
$Devices = $null
}
$PermissionsLog = ($7dayslog | Where-Object -Property Operations -In "Remove-MailboxPermission", "Add-MailboxPermission", "UpdateCalendarDelegation", "AddFolderPermissions" ).AuditData | ConvertFrom-Json -Depth 100 | ForEach-Object {
$PermissionsLog = ($7dayslog | Where-Object -Property Operations -In 'Remove-MailboxPermission', 'Add-MailboxPermission', 'UpdateCalendarDelegation', 'AddFolderPermissions' ).AuditData | ConvertFrom-Json -Depth 100 | ForEach-Object {
$perms = if ($_.Parameters) {
$_.Parameters | ForEach-Object { if ($_.Name -eq "AccessRights") { $_.Value } }
}
else
$_.Parameters | ForEach-Object { if ($_.Name -eq 'AccessRights') { $_.Value } }
} else
{ $_.item.ParentFolder.MemberRights }
$objectID = if ($_.ObjectID) { $_.ObjectID } else { $($_.MailboxOwnerUPN) + $_.item.ParentFolder.Path }
[pscustomobject]@{
Expand All @@ -83,43 +79,42 @@ try {
}
}

$RulesLog = @(($7dayslog | Where-Object -Property Operations -In "New-InboxRule", "Set-InboxRule", "UpdateInboxRules").AuditData | ConvertFrom-Json) | ForEach-Object {
$RulesLog = @(($7dayslog | Where-Object -Property Operations -In 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules').AuditData | ConvertFrom-Json) | ForEach-Object {
Write-Host ($_ | ConvertTo-Json)
[pscustomobject]@{
ClientIP = $_.ClientIP
CreationTime = $_.CreationTime
UserId = $_.UserId
RuleName = ($_.OperationProperties | ForEach-Object { if ($_.Name -eq "RuleName") { $_.Value } })
RuleCondition = ($_.OperationProperties | ForEach-Object { if ($_.Name -eq "RuleCondition") { $_.Value } })
RuleName = ($_.OperationProperties | ForEach-Object { if ($_.Name -eq 'RuleName') { $_.Value } })
RuleCondition = ($_.OperationProperties | ForEach-Object { if ($_.Name -eq 'RuleCondition') { $_.Value } })
}
}
$PasswordChanges = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`select=lastPasswordChangeDateTime,displayname,UserPrincipalName" -Tenantid $tenantfilter | Where-Object { $_.lastPasswordChangeDateTime -gt $startDate }
$NewUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users?`$select=displayname,UserPrincipalName,CreatedDateTime" -Tenantid $tenantfilter | Where-Object { $_.CreatedDateTime -gt $startDate }
$NewUsers = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users?`$select=displayname,UserPrincipalName,CreatedDateTime" -Tenantid $tenantfilter | Where-Object { $_.CreatedDateTime -gt $startDate }
$MFADevices = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($SuspectUser)/authentication/methods" -Tenantid $tenantfilter
$NewSPs = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/servicePrincipals?`$select=displayName,createdDateTime,id,AppDisplayName&`$filter=createdDateTime ge $($startDate.ToString('yyyy-MM-ddTHH:mm:ssZ'))" -Tenantid $tenantfilter
$Last50Logons = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/auditLogs/signIns?`$top=50&`$orderby=createdDateTime desc" -tenantid $TenantFilter -noPagination $true -verbose | Select-Object @{ Name = 'CreatedDateTime'; Expression = { $(($_.createdDateTime | Out-String) -replace '\r\n') } },
$Last50Logons = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/auditLogs/signIns?`$top=50&`$orderby=createdDateTime desc" -tenantid $TenantFilter -noPagination $true -verbose | Select-Object @{ Name = 'CreatedDateTime'; Expression = { $(($_.createdDateTime | Out-String) -replace '\r\n') } },
id,
@{ Name = 'AppDisplayName'; Expression = { $_.resourceDisplayName } },
@{ Name = 'Status'; Expression = { if (($_.conditionalAccessStatus -eq 'Success' -or 'Not Applied') -and $_.status.errorCode -eq 0) { 'Success' } else { 'Failed' } } },
@{ Name = 'IPAddress'; Expression = { $_.ipAddress } }, UserPrincipalName
$Results = [PSCustomObject]@{
AddedApps = $NewSPs
SuspectUserMailboxLogons = $Last50Logons
AddedApps = @($NewSPs)
SuspectUserMailboxLogons = @($Last50Logons)
LastSuspectUserLogon = @($LastSignIn)
SuspectUserDevices = @($Devices)
NewRules = @($RulesLog)
MailboxPermissionChanges = @($PermissionsLog)
NewUsers = @($NewUsers)
MFADevices = $MFADevices
ChangedPasswords = $PasswordChanges
MFADevices = @($MFADevices)
ChangedPasswords = @($PasswordChanges)
ExtractedAt = (Get-Date).ToString('s')
ExtractResult = $ExtractResult
}

}
catch {
} catch {
$errMessage = Get-NormalizedError -message $_.Exception.Message
$results = [pscustomobject]@{"Results" = "$errMessage" }
$results = [pscustomobject]@{'Results' = "$errMessage" }
}

$Table = Get-CippTable -tablename 'cachebec'
Expand All @@ -128,5 +123,5 @@ Add-CIPPAzDataTableEntity @Table -Entity @{
UserId = $Context.input.userid
Results = "$($results | ConvertTo-Json -Depth 10)"
RowKey = $Context.input.userid
PartitionKey = "bec"
PartitionKey = 'bec'
}
1 change: 0 additions & 1 deletion Modules/CIPPCore/Public/Remove-CIPPGroupMember.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ function Remove-CIPPGroupMember(
$Message = "Successfully removed user $($Member) from $GroupId."
Write-LogMessage -user $ExecutingUser -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
return $message
return
} catch {
$message = "Failed to remove user $($Member) from $($GroupId): $($_.Exception.Message)"
Write-LogMessage -user $ExecutingUser -API $APIName -tenant $TenantFilter -message $message -Sev 'error'
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
function Invoke-CIPPStandardDisableOutlookAddins {
<#
.FUNCTIONALITY
Internal
#>
param($Tenant, $Settings)

$CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-RoleAssignmentPolicy' | Where-Object { $_.IsDefault -eq $true }
$Roles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
$RolesToRemove = foreach ($Role in $Roles) {
if ($CurrentInfo.AssignedRoles -contains $Role) {
$Role
}
}

if ($Settings.remediate) {
if ($RolesToRemove) {
$Errors = [System.Collections.Generic.List[string]]::new()

foreach ($Role in $RolesToRemove) {
try {
New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ManagementRoleAssignment' -cmdparams @{ RoleAssignee = $CurrentInfo.Identity; Role = $Role } | ForEach-Object {
New-ExoRequest -tenantid $Tenant -cmdlet 'Remove-ManagementRoleAssignment' -cmdparams @{ Identity = $_.Guid; Confirm = $false } -UseSystemMailbox $true
Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabled Outlook add-in role: $Role" -sev Debug
}
} catch {
Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable Outlook add-in role: $Role Error: $($_.exception.message)" -sev Error
$Errors.Add($Role)
}
}

if ($Errors.Count -gt 0) {
Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable users from installing Outlook add-ins. Roles: $($Errors -join ', ')" -sev Error
} else {
Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabled users from installing Outlook add-ins. Roles removed: $($RolesToRemove -join ', ')" -sev Info
$RolesToRemove = $null
}
} else {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users installing Outlook add-ins already disabled' -sev Info
}
}

if ($Settings.alert) {
if ($RolesToRemove) {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are not disabled from installing Outlook add-ins.' -sev Alert
} else {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'Users are disabled from installing Outlook add-ins.' -sev Info
}
}
if ($Settings.report) {
if ($RolesToRemove) { $State = $false } else { $State = $true }
Add-CIPPBPAField -FieldName 'DisabledOutlookAddins' -FieldValue [bool]$State -StoreAs bool -Tenant $tenant
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
function Invoke-CIPPStandardDisableSharePointLegacyAuth {
<#
.FUNCTIONALITY
Internal
#>
param($Tenant, $Settings)

$CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings?$select=isLegacyAuthProtocolsEnabled' -tenantid $Tenant -AsApp $true

If ($Settings.remediate) {

if ($CurrentInfo.isLegacyAuthProtocolsEnabled) {
try {
$body = '{"isLegacyAuthProtocolsEnabled": "false"}'
$null = New-GraphPostRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -AsApp $true -Type patch -Body $body -ContentType 'application/json'
Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled SharePoint basic authentication' -sev Info
$CurrentInfo.isLegacyAuthProtocolsEnabled = $false
} catch {
Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SharePoint basic authentication. Error: $($_.exception.message)" -sev Error
}
} else {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'SharePoint basic authentication is already disabled' -sev Info
}
}
if ($Settings.alert) {

if ($CurrentInfo.isLegacyAuthProtocolsEnabled) {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'SharePoint basic authentication is enabled' -sev Alert
} else {
Write-LogMessage -API 'Standards' -tenant $tenant -message 'SharePoint basic authentication is disabled' -sev Info
}
}
if ($Settings.report) {

Add-CIPPBPAField -FieldName 'SharePointLegacyAuthEnabled' -FieldValue [bool]$CurrentInfo.isLegacyAuthProtocolsEnabled -StoreAs bool -Tenant $tenant
}
}
2 changes: 1 addition & 1 deletion version_latest.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
5.1.0
5.1.1

0 comments on commit c088057

Please sign in to comment.