Merge branch 'KelvinTegelaar:master' into master

Author: NIOSAG

CIPPHttpTrigger/function.json

@@ -26,6 +26,12 @@
       "name": "starter",
       "type": "durableClient",
       "direction": "in"
+    },
+    {
+      "type": "queue",
+      "direction": "out",
+      "name": "QueueItem",
+      "queueName": "cippqueue"
     }
   ]
 }

CIPPQueueTrigger/function.json

@@ -0,0 +1,17 @@
+{
+  "scriptFile": "../Modules/CippEntrypoints/CippEntrypoints.psm1",
+  "entryPoint": "Receive-CippQueueTrigger",
+  "bindings": [
+    {
+      "name": "QueueItem",
+      "type": "queueTrigger",
+      "direction": "in",
+      "queueName": "cippqueue"
+    },
+    {
+      "name": "starter",
+      "type": "durableClient",
+      "direction": "in"
+    }
+  ]
+}

CIPPTimers.json

@@ -75,7 +75,7 @@
     "Id": "9b0c8e50-f798-49db-9a8b-dbcc0fcadeea",
     "Command": "Start-StandardsOrchestrator",
     "Description": "Orchestrator to process standards",
-    "Cron": "0 0 */4 * * *",
+    "Cron": "0 0 */12 * * *",
     "Priority": 4,
     "RunOnProcessor": true,
     "PreferredProcessor": "standards"

Modules/CIPPCore/Public/Add-CIPPWin32LobAppContent.ps1

@@ -138,7 +138,7 @@ function Add-CIPPWin32LobAppContent {
         if ($CommitStateReq.uploadState -like '*fail*') {
             $errorMsg = "Commit failed. Upload state: $($CommitStateReq.uploadState)"
             if ($Headers) {
-                Write-LogMessage -Headers $Headers -API $APIName -message $errorMsg -Sev 'Warning' -tenant $TenantFilter
+                Write-LogMessage -Headers $Headers -API $APIName -message $errorMsg -sev 'Warn' -tenant $TenantFilter
             }
             throw $errorMsg
         }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGroupMembershipChange.ps1

@@ -19,7 +19,7 @@ function Get-CIPPAlertGroupMembershipChange {
         $AuditLogs = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=activityDateTime ge $OneHourAgo and (activityDisplayName eq 'Add member to group' or activityDisplayName eq 'Remove member from group')" -tenantid $TenantFilter
 
         $AlertData = foreach ($Log in $AuditLogs) {
-            $Member = ($Log.targetResources | Where-Object { $_.type -in @('User', 'ServicePrincipal') })[0]
+            $Member = ($Log.targetResources | Where-Object { $_.type -in @('User', 'ServicePrincipal', 'Group') })[0]
             $GroupProp = ($Member.modifiedProperties | Where-Object { $_.displayName -eq 'Group.DisplayName' })
             $GroupDisplayName = (($GroupProp.newValue ?? $GroupProp.oldValue) -replace '"', '')
             if (!$GroupDisplayName -or !($MonitoredGroups | Where-Object { $GroupDisplayName -like $_ })) { continue }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1

@@ -18,31 +18,63 @@ function Get-CIPPAlertMFAAdmins {
             }
         }
         if (!$DuoActive) {
-            $Users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
-                Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+            $MFAReport = try { Get-CIPPMFAStateReport -TenantFilter $TenantFilter } catch { $null }
+            $IncludeDisabled = [System.Convert]::ToBoolean($InputValue)
 
-            # Filter out JIT admins if any users were found
-            if ($Users) {
+            # Check 1: Admins with no MFA registered — prefer cache, fall back to live Graph
+            $Users = if ($MFAReport) {
+                $MFAReport | Where-Object { $_.IsAdmin -eq $true -and $_.MFARegistration -eq $false -and ($IncludeDisabled -or $_.AccountEnabled -eq $true) }
+            } else {
+                New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
+                    Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' } |
+                    Select-Object @{n = 'ID'; e = { $_.id } }, @{n = 'UPN'; e = { $_.userPrincipalName } }, @{n = 'DisplayName'; e = { $_.userDisplayName } }
+            }
+
+            # Check 2: Admins with MFA registered but no enforcement.
+            # I hate how this ended up looking, but I couldn't think of a better way to do it ¯\_(ツ)_/¯
+            $UnenforcedAdmins = $MFAReport | Where-Object {
+                $_.IsAdmin -eq $true -and
+                $_.MFARegistration -eq $true -and
+                ($IncludeDisabled -or $_.AccountEnabled -eq $true) -and
+                $_.PerUser -notin @('Enforced', 'Enabled') -and
+                $null -ne $_.CoveredBySD -and
+                $_.CoveredBySD -ne $true -and
+                $_.CoveredByCA -notlike 'Enforced*'
+            }
+
+            # Filter out JIT admins
+            if ($Users -or $UnenforcedAdmins) {
                 $Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
                 $JITAdmins = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users?`$select=id,$($Schema.id)&`$filter=$($Schema.id)/jitAdminEnabled eq true" -tenantid $TenantFilter -ComplexFilter
                 $JITAdminIds = $JITAdmins.id
-                $Users = $Users | Where-Object { $_.id -notin $JITAdminIds }
+                $Users = $Users | Where-Object { $_.ID -notin $JITAdminIds }
+                $UnenforcedAdmins = $UnenforcedAdmins | Where-Object { $_.ID -notin $JITAdminIds }
+            }
+
+            $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+            foreach ($user in $Users) {
+                $AlertData.Add([PSCustomObject]@{
+                        Message           = "Admin user $($user.DisplayName) ($($user.UPN)) does not have MFA registered."
+                        UserPrincipalName = $user.UPN
+                        DisplayName       = $user.DisplayName
+                        Id                = $user.ID
+                        Tenant            = $TenantFilter
+                    })
             }
 
-            if ($Users.UserPrincipalName) {
-                $AlertData = foreach ($user in $Users) {
-                    [PSCustomObject]@{
-                        Message           = "Admin user $($user.userDisplayName) ($($user.userPrincipalName)) does not have MFA registered."
-                        UserPrincipalName = $user.userPrincipalName
-                        DisplayName       = $user.userDisplayName
-                        Id                = $user.id
-                        LastUpdated       = $user.lastUpdatedDateTime
+            foreach ($user in $UnenforcedAdmins) {
+                $AlertData.Add([PSCustomObject]@{
+                        Message           = "Admin user $($user.DisplayName) ($($user.UPN)) has MFA registered but no enforcement method (Per-User MFA, Security Defaults, or Conditional Access) is active."
+                        UserPrincipalName = $user.UPN
+                        DisplayName       = $user.DisplayName
+                        Id                = $user.ID
                         Tenant            = $TenantFilter
-                    }
-                }
+                    })
+            }
 
+            if ($AlertData.Count -gt 0) {
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
-
             }
         } else {
             Write-LogMessage -message 'Potentially using Duo for MFA, could not check MFA status for Admins with 100% accuracy' -API 'MFA Alerts - Informational' -tenant $TenantFilter -sev Info

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMXRecordChanged.ps1

@@ -16,6 +16,10 @@ function Get-CIPPAlertMXRecordChanged {
         $CacheTable = Get-CippTable -tablename 'CacheMxRecords'
         $PreviousResults = Get-CIPPAzDataTableEntity @CacheTable -Filter "PartitionKey eq '$TenantFilter'"
 
+        if (!$DomainData) {
+            return
+        }
+
         $ChangedDomains = foreach ($Domain in $DomainData) {
             try {
                 $PreviousDomain = $PreviousResults | Where-Object { $_.Domain -eq $Domain.Domain }
@@ -60,8 +64,6 @@ function Get-CIPPAlertMXRecordChanged {
         if ($ChangedDomains) {
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $ChangedDomains
         }
-        return $true
-
     } catch {
         Write-LogMessage -message "Failed to check MX record changes: $($_.Exception.Message)" -API 'MX Record Alert' -tenant $TenantFilter -sev Error
     }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewMFADevice.ps1

@@ -20,13 +20,30 @@ function Get-CIPPAlertNewMFADevice {
                 $User = $Log.targetResources[0].userPrincipalName
                 if (-not $User) { $User = $Log.initiatedBy.user.userPrincipalName }
 
+                $IPAddress = $Log.initiatedBy.user.ipAddress
+                $LocationData = $null
+                if (-not [string]::IsNullOrEmpty($IPAddress) -and $IPAddress -notmatch '[X]+') {
+                    try {
+                        $LocationData = Get-CIPPGeoIPLocation -IP $IPAddress
+                    } catch {
+                        Write-Information "Could not enrich MFA audit IP ${$IPAddress}: $($_.Exception.Message)"
+                    }
+                }
+
                 [PSCustomObject]@{
-                    Message      = "New MFA method registered: $User"
-                    User         = $User
-                    DisplayName  = $Log.targetResources[0].displayName
-                    Activity     = $Log.activityDisplayName
-                    ActivityTime = $Log.activityDateTime
-                    Tenant       = $TenantFilter
+                    Message           = "New MFA method registered: $User"
+                    User              = $User
+                    DisplayName       = $Log.targetResources[0].displayName
+                    Activity          = $Log.activityDisplayName
+                    ActivityTime      = $Log.activityDateTime
+                    Tenant            = $TenantFilter
+                    IpAddress         = $IPAddress
+                    CountryOrRegion   = if ($LocationData) { $LocationData.countryCode } else { $null }
+                    City              = if ($LocationData) { $LocationData.city } else { $null }
+                    Proxy             = if ($LocationData) { $LocationData.proxy } else { $null }
+                    Hosting           = if ($LocationData) { $LocationData.hosting } else { $null }
+                    ASN               = if ($LocationData) { $LocationData.asname } else { $null }
+                    GeoLocationInfo   = if ($LocationData) { ($LocationData | ConvertTo-Json -Depth 10 -Compress) } else { $null }
                 }
             }
         }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuarantineReleaseRequests.ps1

@@ -14,7 +14,7 @@
     #Add rerun protection: This Monitor can only run once every hour.
     $Rerun = Test-CIPPRerun -TenantFilter $TenantFilter -Type 'ExchangeMonitor' -API 'Get-CIPPAlertQuarantineReleaseRequests'
     if ($Rerun) {
-        return $true
+        return
     }
     $HasLicense = Test-CIPPStandardLicense -StandardName 'QuarantineReleaseRequests' -TenantFilter $TenantFilter -RequiredCapabilities @(
         'EXCHANGE_S_STANDARD',
@@ -25,7 +25,7 @@
     )
 
     if (-not $HasLicense) {
-        return $true
+        return
     }
 
     try {

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSmtpAuthSuccess.ps1

@@ -13,7 +13,7 @@ function Get-CIPPAlertSmtpAuthSuccess {
 
     try {
         # Graph API endpoint for sign-ins
-        $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=clientAppUsed eq 'Authenticated SMTP' and status/errorCode eq 0"
+        $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=(clientAppUsed eq 'Authenticated SMTP' or clientAppUsed eq 'SMTP') and status/errorCode eq 0"
 
         # Call Graph API for the given tenant
         $SignIns = New-GraphGetRequest -uri $uri -tenantid $TenantFilter