diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 index ebf92d21e199..a09e427fbbf8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardActivityBasedTimeout.ps1 @@ -2,7 +2,35 @@ function Invoke-CIPPStandardActivityBasedTimeout { <# .FUNCTIONALITY Internal + .APINAME + ActivityBasedTimeout + .CAT + Global Standards + .TAG + "mediumimpact" + "CIS" + "spo_idle_session_timeout" + .HELPTEXT + Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.ActivityBasedTimeout.timeout","values":[{"label":"1 Hour","value":"01:00:00"},{"label":"3 Hours","value":"03:00:00"},{"label":"6 Hours","value":"06:00:00"},{"label":"12 Hours","value":"12:00:00"},{"label":"24 Hours","value":"1.00:00:00"}]} + .LABEL + Enable Activity based Timeout + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Portal or Graph API + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) # Input validation @@ -64,3 +92,7 @@ function Invoke-CIPPStandardActivityBasedTimeout { } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 index d4b8bd35166c..5cb6a387ad32 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAddDKIM.ps1 
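Review bot: The new `.HELPTEXT` and `.DOCSDESCRIPTION` say the timeout is set "to 1 hour", but the `.ADDEDCOMPONENT` select added in the same hunk offers 1, 3, 6, 12 and 24 hours, so the help text understates what the standard will apply once an operator picks another value. Suggested wording for both entries: `Enables and sets Idle session timeout for Microsoft 365 to the selected value (1 to 24 hours). This policy affects most M365 web apps`. The four added blank lines after `#>` and the four appended after the closing brace in the second hunk (repeated in every file of this diff) are whitespace noise; one blank line in each place is enough, and the generator named in `.UPDATECOMMENTBLOCK` is presumably where that should be trimmed.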
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardAddDKIM { <# .FUNCTIONALITY Internal + .APINAME + AddDKIM + .CAT + Exchange Standards + .TAG + "lowimpact" + "CIS" + .HELPTEXT + Enables DKIM for all domains that currently support it + .ADDEDCOMPONENT + .LABEL + Enables DKIM for all domains that currently support it + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + New-DkimSigningConfig and Set-DkimSigningConfig + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Enables DKIM for all domains that currently support it + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $AllDomains = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/domains?$top=999' -tenantid $Tenant | Where-Object { $_.supportedServices -contains 'Email' -or $_.id -like '*mail.onmicrosoft.com' }).id @@ -81,3 +107,7 @@ function Invoke-CIPPStandardAddDKIM { Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIMState -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 index 411342e5ab3e..9255be3c1bff 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAnonReportDisable.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardAnonReportDisable { <# .FUNCTIONALITY Internal + .APINAME + AnonReportDisable + .CAT + Global Standards + .TAG + "lowimpact" + .HELPTEXT + Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly. + .DOCSDESCRIPTION + Microsoft announced some APIs and reports no longer return names, to comply with compliance and legal requirements in specific countries. This proves an issue for a lot of MSPs because those reports are often helpful for engineers. This standard applies a setting that shows usernames in those API calls / reports. + .ADDEDCOMPONENT + .LABEL + Enable Usernames instead of pseudo anonymised names in reports + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true} + .RECOMMENDEDBY + .DOCSDESCRIPTION + Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/reportSettings' -tenantid $Tenant -AsApp $true @@ -32,3 +58,7 @@ function Invoke-CIPPStandardAnonReportDisable { Add-CIPPBPAField -FieldName 'AnonReport' -FieldValue $CurrentInfo.displayConcealedNames -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 index f43203659dca..3a245863f65b 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAntiPhishPolicy.ps1 
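Review bot: The new `.POWERSHELLEQUIVALENT` line `Update-MgBetaAdminReportSetting -BodyParameter @{displayConcealedNames = $true}` does the opposite of what this standard describes: `displayConcealedNames = $true` conceals usernames in reports, while the help text says the standard shows usernames, so the equivalent should read `... @{displayConcealedNames = $false}`. This block also carries `.DOCSDESCRIPTION` twice with different text (the longer explanation first, then a copy of `.HELPTEXT`); a consumer that keys sections by name will pick one of them unpredictably, so keep a single `.DOCSDESCRIPTION` per block, presumably the longer one. The same duplicated `.DOCSDESCRIPTION` appears in the hunks for AutoExpandArchive, Bookings, CloudMessageRecall, DelegateSentItems, DeletedUserRentention, DisableAdditionalStorageProviders, DisableAppCreation, DisableBasicAuthSMTP, DisableExternalCalendarSharing and DisableGuestDirectory, which suggests the `Tools\Update-StandardsComments.ps1` generator re-emits `.HELPTEXT` as `.DOCSDESCRIPTION` without checking for an existing entry.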
@@ -1,8 +1,53 @@ function Invoke-CIPPStandardAntiPhishPolicy { - <# - .FUNCTIONALITY - Internal - #> + <# + .FUNCTIONALITY + Internal + .APINAME + AntiPhishPolicy + .CAT + Defender Standards + .TAG + "lowimpact" + "CIS" + "mdo_safeattachments" + "mdo_highconfidencespamaction" + "mdo_highconfidencephishaction" + "mdo_phisspamacation" + "mdo_spam_notifications_only_for_admins" + "mdo_antiphishingpolicies" + .HELPTEXT + This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips. + .ADDEDCOMPONENT + {"type":"number","label":"Phishing email threshold. (Default 1)","name":"standards.AntiPhishPolicy.PhishThresholdLevel","default":1} + {"type":"boolean","label":"Show first contact safety tip","name":"standards.AntiPhishPolicy.EnableFirstContactSafetyTips","default":true} + {"type":"boolean","label":"Show user impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarUsersSafetyTips","default":true} + {"type":"boolean","label":"Show domain impersonation safety tip","name":"standards.AntiPhishPolicy.EnableSimilarDomainsSafetyTips","default":true} + {"type":"boolean","label":"Show user impersonation unusual characters safety tip","name":"standards.AntiPhishPolicy.EnableUnusualCharactersSafetyTips","default":true} + {"type":"Select","label":"If the message is detected as spoof by spoof intelligence","name":"standards.AntiPhishPolicy.AuthenticationFailAction","values":[{"label":"Quarantine the message","value":"Quarantine"},{"label":"Move to Junk Folder","value":"MoveToJmf"}]} + {"type":"Select","label":"Quarantine policy for Spoof","name":"standards.AntiPhishPolicy.SpoofQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + {"type":"Select","label":"If a message is detected as user 
impersonation","name":"standards.AntiPhishPolicy.TargetedUserProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} + {"type":"Select","label":"Quarantine policy for user impersonation","name":"standards.AntiPhishPolicy.TargetedUserQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + {"type":"Select","label":"If a message is detected as domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} + {"type":"Select","label":"Quarantine policy for domain impersonation","name":"standards.AntiPhishPolicy.TargetedDomainQuarantineTag","values":[{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"},{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"}]} + {"type":"Select","label":"If Mailbox Intelligence detects an impersonated user","name":"standards.AntiPhishPolicy.MailboxIntelligenceProtectionAction","values":[{"label":"Move to Junk Folder","value":"MoveToJmf"},{"label":"Delete the message before its delivered","value":"Delete"},{"label":"Quarantine the message","value":"Quarantine"}]} + {"type":"Select","label":"Apply quarantine 
policy","name":"standards.AntiPhishPolicy.MailboxIntelligenceQuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + .LABEL + Default Anti-Phishing Policy + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-AntiphishPolicy or New-AntiphishPolicy + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + This creates a Anti-Phishing policy that automatically enables Mailbox Intelligence and spoofing, optional switches for Mailtips. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + #> + + + + param($Tenant, $Settings) $PolicyName = 'Default Anti-Phishing Policy' @@ -135,3 +180,7 @@ function Invoke-CIPPStandardAntiPhishPolicy { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 index 4538eef5aed7..3d09454aaaf1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAtpPolicyForO365.ps1 
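Review bot: The new `.TAG` entry `"mdo_phisspamacation"` looks like a misspelling of a control identifier (the neighbouring tags follow the pattern `mdo_<setting>`), and if these tags are matched against a benchmark mapping elsewhere a typo silently drops the mapping; please confirm the intended identifier before it is published. The `.HELPTEXT` and `.DOCSDESCRIPTION` text `This creates a Anti-Phishing policy` should read `This creates an Anti-Phishing policy`; the AtpPolicyForO365 hunk has the same article problem in `This creates a Atp policy` (`an ATP policy`). The ADDEDCOMPONENT lines also repeat `Delete the message before its delivered`, which should be `before it's delivered`.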
@@ -1,8 +1,35 @@ function Invoke-CIPPStandardAtpPolicyForO365 { - <# - .FUNCTIONALITY - Internal - #> + <# + .FUNCTIONALITY + Internal + .APINAME + AtpPolicyForO365 + .CAT + Defender Standards + .TAG + "lowimpact" + "CIS" + .HELPTEXT + This creates a Atp policy that enables Defender for Office 365 for Sharepoint, OneDrive and Microsoft Teams. + .ADDEDCOMPONENT + {"type":"boolean","label":"Allow people to click through Protected View even if Safe Documents identified the file as malicious","name":"standards.AtpPolicyForO365.AllowSafeDocsOpen","default":false} + .LABEL + Default Atp Policy For O365 + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-AtpPolicyForO365 + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + This creates a Atp policy that enables Defender for Office 365 for Sharepoint, OneDrive and Microsoft Teams. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + #> + + + + param($Tenant, $Settings) $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AtpPolicyForO365' | @@ -46,3 +73,7 @@ function Invoke-CIPPStandardAtpPolicyForO365 { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 index acb6bf9834a1..17d7c440b840 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAuditLog.ps1 
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardAuditLog { <# .FUNCTIONALITY Internal + .APINAME + AuditLog + .CAT + Global Standards + .TAG + "lowimpact" + "CIS" + "mip_search_auditlog" + .HELPTEXT + Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary. + .ADDEDCOMPONENT + .LABEL + Enable the Unified Audit Log + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Enable-OrganizationCustomization + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) Write-Host ($Settings | ConvertTo-Json) $AuditLogEnabled = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AdminAuditLogConfig' -Select UnifiedAuditLogIngestionEnabled).UnifiedAuditLogIngestionEnabled @@ -48,3 +75,7 @@ function Invoke-CIPPStandardAuditLog { Add-CIPPBPAField -FieldName 'AuditLog' -FieldValue $AuditLogEnabled -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 index 53d29e442822..432923a068d1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardAutoExpandArchive.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardAutoExpandArchive { <# .FUNCTIONALITY Internal + .APINAME + AutoExpandArchive + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Enables auto-expanding archives for the tenant + .DOCSDESCRIPTION + Enables auto-expanding archives for the tenant. Does not enable archives for users. + .ADDEDCOMPONENT + .LABEL + Enable Auto-expanding archives + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig -AutoExpandingArchive + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables auto-expanding archives for the tenant + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AutoExpandingArchiveEnabled @@ -36,3 +62,7 @@ function Invoke-CIPPStandardAutoExpandArchive { Add-CIPPBPAField -FieldName 'AutoExpandingArchive' -FieldValue $CurrentState -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 index 406f0c06bd84..b42cf95556c3 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBookings.ps1 
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardBookings { <# .FUNCTIONALITY Internal + .APINAME + Bookings + .CAT + Exchange Standards + .TAG + "mediumimpact" + .HELPTEXT + Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external. + .DOCSDESCRIPTION + Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external. + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.Bookings.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} + .LABEL + Set Bookings state + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig -BookingsEnabled + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the state of Bookings on the tenant. Bookings is a scheduling tool that allows users to book appointments with others both internal and external. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').BookingsEnabled @@ -47,3 +74,7 @@ function Invoke-CIPPStandardBookings { } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 index 2f3841588d28..bd53e1c635e7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1 
@@ -2,8 +2,38 @@ function Invoke-CIPPStandardBranding { <# .FUNCTIONALITY Internal + .APINAME + Branding + .CAT + Global Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the branding for the tenant. This includes the login page, and the Office 365 portal. + .ADDEDCOMPONENT + {"type":"input","name":"standards.Branding.signInPageText","label":"Sign-in page text"} + {"type":"input","name":"standards.Branding.usernameHintText","label":"Username hint Text"} + {"type":"boolean","name":"standards.Branding.hideAccountResetCredentials","label":"Hide self-service password reset"} + {"type":"Select","label":"Visual Template","name":"standards.Branding.layoutTemplateType","values":[{"label":"Full-screen background","value":"default"},{"label":"Parial-screen background","value":"verticalSplit"}]} + {"type":"boolean","name":"standards.Branding.isHeaderShown","label":"Show header"} + {"type":"boolean","name":"standards.Branding.isFooterShown","label":"Show footer"} + .LABEL + Set branding for the tenant + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Portal only + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the branding for the tenant. This includes the login page, and the Office 365 portal. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $TenantId = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant @@ -68,3 +98,7 @@ function Invoke-CIPPStandardBranding { Add-CIPPBPAField -FieldName 'Branding' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $Tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 index 19c6926d5af4..0c2fcedfcca8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardCloudMessageRecall.ps1 
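Review bot: The new `.ADDEDCOMPONENT` select for `standards.Branding.layoutTemplateType` carries the user-facing label `"Parial-screen background"`, which should be `"Partial-screen background"`; only the label needs to change, the `verticalSplit` value stays as is.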
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardCloudMessageRecall { <# .FUNCTIONALITY Internal + .APINAME + CloudMessageRecall + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud. + .DOCSDESCRIPTION + Sets the default state for Cloud Message Recall for the tenant. By default this is enabled. You can read more about the feature [here.](https://techcommunity.microsoft.com/t5/exchange-team-blog/cloud-based-message-recall-in-exchange-online/ba-p/3744714) + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.CloudMessageRecall.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} + .LABEL + Set Cloud Message Recall state + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig -MessageRecallEnabled + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the Cloud Message Recall state for the tenant. This allows users to recall messages from the cloud. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').MessageRecallEnabled @@ -48,3 +75,7 @@ function Invoke-CIPPStandardCloudMessageRecall { } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 index 81cbdc6e5167..819ba429fa25 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDelegateSentItems.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDelegateSentItems { <# .FUNCTIONALITY Internal + .APINAME + DelegateSentItems + .CAT + Exchange Standards + .TAG + "mediumimpact" + .HELPTEXT + Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder + .DOCSDESCRIPTION + This makes sure that e-mails sent from shared mailboxes or delegate mailboxes, end up in the mailbox of the shared/delegate mailbox instead of the sender, allowing you to keep replies in the same mailbox as the original e-mail. + .ADDEDCOMPONENT + .LABEL + Set mailbox Sent Items delegation (Sent items for shared mailboxes) + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-Mailbox + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $Mailboxes = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdParams @{ RecipientTypeDetails = @('UserMailbox', 'SharedMailbox') } | Where-Object { $_.MessageCopyForSendOnBehalfEnabled -eq $false -or $_.MessageCopyForSentAsEnabled -eq $false } @@ -51,3 +77,7 @@ function Invoke-CIPPStandardDelegateSentItems { Add-CIPPBPAField -FieldName 'DelegateSentItems' -FieldValue $Filtered -StoreAs json -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 index 157bf5fbf690..ae712abebb36 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDeletedUserRentention.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDeletedUserRentention { <# .FUNCTIONALITY Internal + .APINAME + DeletedUserRentention + .CAT + SharePoint Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the retention period for deleted users OneDrive to 1 year/365 days + .DOCSDESCRIPTION + When a OneDrive user gets deleted, the personal SharePoint site is saved for 1 year and data can be retrieved from it. + .ADDEDCOMPONENT + .LABEL + Retain a deleted user OneDrive for 1 year + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaAdminSharepointSetting + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the retention period for deleted users OneDrive to 1 year/365 days + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true $StateSetCorrectly = if ($CurrentInfo.deletedUserPersonalSiteRetentionPeriodInDays -eq 365) { $true } else { $false } @@ -39,3 +65,7 @@ function Invoke-CIPPStandardDeletedUserRentention { Add-CIPPBPAField -FieldName 'DeletedUserRentention' -FieldValue $StateSetCorrectly -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 index 485fe370c59d..1cfb91402bca 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAddShortcutsToOneDrive.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDisableAddShortcutsToOneDrive { <# .FUNCTIONALITY Internal + .APINAME + DisableAddShortcutsToOneDrive + .CAT + SharePoint Standards + .TAG + "mediumimpact" + .HELPTEXT + When the feature is disabled the option Add shortcut to OneDrive will be removed. Any folders that have already been added will remain on the user's computer. + .DISABLEDFEATURES + + .ADDEDCOMPONENT + .LABEL + Disable Add Shortcuts To OneDrive + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Graph API or Portal + .RECOMMENDEDBY + .DOCSDESCRIPTION + When the feature is disabled the option Add shortcut to OneDrive will be removed. Any folders that have already been added will remain on the user's computer. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) If ($Settings.remediate -eq $true) { @@ -95,3 +121,7 @@ function Invoke-CIPPStandardDisableAddShortcutsToOneDrive { Write-LogMessage @log } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 index 6612d7090240..242a4fa64d3c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAdditionalStorageProviders.ps1 
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardDisableAdditionalStorageProviders { <# .FUNCTIONALITY Internal + .APINAME + DisableAdditionalStorageProviders + .CAT + Exchange Standards + .TAG + "lowimpact" + "CIS" + "exo_storageproviderrestricted" + .HELPTEXT + Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc. + .DOCSDESCRIPTION + Disables additional storage providers in OWA. This is to prevent users from using personal storage providers like Dropbox, Google Drive, etc. Usually this has little user impact. + .ADDEDCOMPONENT + .LABEL + Disable additional storage providers in OWA + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AdditionalStorageProvidersEnabled $False + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $AdditionalStorageProvidersState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OwaMailboxPolicy' -cmdParams @{Identity = 'OwaMailboxPolicy-Default' } @@ -35,3 +64,7 @@ function Invoke-CIPPStandardDisableAdditionalStorageProviders { Add-CIPPBPAField -FieldName 'AdditionalStorageProvidersEnabled' -FieldValue $AdditionalStorageProvidersState.AdditionalStorageProvidersEnabled -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 index 7204971fae4e..624f7d20f1f1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableAppCreation.ps1 
@@ -2,7 +2,35 @@ function Invoke-CIPPStandardDisableAppCreation { <# .FUNCTIONALITY Internal + .APINAME + DisableAppCreation + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + "CIS" + .HELPTEXT + Disables the ability for users to create App registrations in the tenant. + .DOCSDESCRIPTION + Disables the ability for users to create applications in Entra. Done to prevent breached accounts from creating an app to maintain access to the tenant, even after the breached account has been secured. + .ADDEDCOMPONENT + .LABEL + Disable App creation by users + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Disables the ability for users to create App registrations in the tenant. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy?$select=defaultUserRolePermissions' -tenantid $Tenant @@ -36,3 +64,7 @@ function Invoke-CIPPStandardDisableAppCreation { Add-CIPPBPAField -FieldName 'UserAppCreationDisabled' -FieldValue $State -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 index ed8a7b256ff7..ded00502d1e0 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableBasicAuthSMTP.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP { <# .FUNCTIONALITY Internal + .APINAME + DisableBasicAuthSMTP + .CAT + Global Standards + .TAG + "mediumimpact" + .HELPTEXT + Disables SMTP AUTH for the organization and all users. This is the default for new tenants. + .DOCSDESCRIPTION + Disables SMTP basic authentication for the tenant and all users with it explicitly enabled. + .ADDEDCOMPONENT + .LABEL + Disable SMTP Basic Authentication + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-TransportConfig -SmtpClientAuthenticationDisabled $true + .RECOMMENDEDBY + .DOCSDESCRIPTION + Disables SMTP AUTH for the organization and all users. This is the default for new tenants. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig' $SMTPusers = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-CASMailbox' -cmdParams @{ ResultSize = 'Unlimited' } | Where-Object { ($_.SmtpClientAuthenticationDisabled -eq $false) } @@ -68,3 +94,7 @@ function Invoke-CIPPStandardDisableBasicAuthSMTP { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 index 43eb1f36db3a..09b6fa9ca8d3 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableEmail.ps1 
@@ -2,7 +2,31 @@ function Invoke-CIPPStandardDisableEmail { <# .FUNCTIONALITY Internal + .APINAME + DisableEmail + .CAT + Entra (AAD) Standards + .TAG + "highimpact" + .HELPTEXT + This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead promts them to create a Microsoft account. + .ADDEDCOMPONENT + .LABEL + Disables Email as an MFA method + .IMPACT + High Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead promts them to create a Microsoft account. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Email' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -27,3 +51,7 @@ function Invoke-CIPPStandardDisableEmail { Add-CIPPBPAField -FieldName 'DisableEmail' -FieldValue $State -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 index 2393e7c3994d..1646b7b36dc1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableExternalCalendarSharing.ps1 
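Review bot: Both the new `.HELPTEXT` and `.DOCSDESCRIPTION` contain the typo `promts`; they should read `and instead prompts them to create a Microsoft account`. Since this is tagged `"highimpact"` and the text is what operators read before enabling it, it is worth also stating that existing guests relying on email OTP will lose that sign-in option, which the current wording only implies.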
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardDisableExternalCalendarSharing { <# .FUNCTIONALITY Internal + .APINAME + DisableExternalCalendarSharing + .CAT + Exchange Standards + .TAG + "lowimpact" + "CIS" + "exo_individualsharing" + .HELPTEXT + Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed. + .DOCSDESCRIPTION + Disables external calendar sharing for the entire tenant. This is not a widely used feature, and it's therefore unlikely that this will impact users. Only for the default policy, so exclusions can be made if needed by making a new policy and assigning it to users. + .ADDEDCOMPONENT + .LABEL + Disable external calendar sharing + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Get-SharingPolicy | Set-SharingPolicy -Enabled $False + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-SharingPolicy' | Where-Object { $_.Default -eq $true } @@ -37,3 +66,7 @@ function Invoke-CIPPStandardDisableExternalCalendarSharing { Add-CIPPBPAField -FieldName 'ExternalCalendarSharingDisabled' -FieldValue $CurrentInfo.Enabled -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 index 8fbcb35110d5..62b17aef5b46 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuestDirectory.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDisableGuestDirectory { <# .FUNCTIONALITY Internal + .APINAME + DisableGuestDirectory + .CAT + Global Standards + .TAG + "lowimpact" + .HELPTEXT + Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory. + .DOCSDESCRIPTION + Sets it so guests can view only their own user profile. Permission to view other users isn't allowed. Also restricts guest users from seeing the membership of groups they're in. See exactly what get locked down in the [Microsoft documentation.](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) + .ADDEDCOMPONENT + .LABEL + Restrict guest user access to directory objects + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-AzureADMSAuthorizationPolicy -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' + .RECOMMENDEDBY + .DOCSDESCRIPTION + Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant @@ -36,3 +62,7 @@ function Invoke-CIPPStandardDisableGuestDirectory { Add-CIPPBPAField -FieldName 'DisableGuestDirectory' -FieldValue $CurrentInfo.guestUserRoleId -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 index 7b13fffd147f..e654cd9b5dc7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableGuests.ps1 
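Review bot: The `.POWERSHELLEQUIVALENT` cites `Set-AzureADMSAuthorizationPolicy` from the deprecated AzureAD module, while the code reads the Graph `authorizationPolicy` endpoint; the sibling DisableSecurityGroupUsers block in this patch documents the same endpoint as `Update-MgBetaPolicyAuthorizationPolicy`, so use that here for consistency. `.DOCSDESCRIPTION` also appears twice, and the first copy has a typo: `See exactly what gets locked down`. Separately, the context line `-FieldValue $CurrentInfo.guestUserRoleId -StoreAs bool` stores a role GUID as a boolean, which presumably reads as true for every value and so cannot express whether the restricted role is actually set; that predates this commit but deserves a follow-up.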
@@ -2,7 +2,31 @@ function Invoke-CIPPStandardDisableGuests {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ DisableGuests
+ .CAT
+ Entra (AAD) Standards
+ .TAG
+ "mediumimpact"
+ .HELPTEXT
+ Blocks login for guest users that have not logged in for 90 days
+ .ADDEDCOMPONENT
+ .LABEL
+ Disable Guest accounts that have not logged on for 90 days
+ .IMPACT
+ Medium Impact
+ .POWERSHELLEQUIVALENT
+ Graph API
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ Blocks login for guest users that have not logged in for 90 days
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $Lookup = (Get-Date).AddDays(-90).ToUniversalTime().ToString('o')
 $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$filter=(signInActivity/lastNonInteractiveSignInDateTime le $Lookup)&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant | Where-Object { $_.userType -EQ 'Guest' -and $_.AccountEnabled -EQ $true }
@@ -37,3 +61,7 @@ function Invoke-CIPPStandardDisableGuests {
 Add-CIPPBPAField -FieldName 'DisableGuests' -FieldValue $filtered -StoreAs json -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
index a173eaba6759..558ce91bf77f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableM365GroupUsers.ps1
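Review bot: The new `.HELPTEXT`/`.DOCSDESCRIPTION` promise to block guests "that have not logged in for 90 days", but the Graph filter on the context line only evaluates `signInActivity/lastNonInteractiveSignInDateTime`, so a guest with a recent interactive sign-in and an older non-interactive one is still selected, and guests with no `signInActivity` at all are presumably never selected. Either document what is actually measured, e.g. `Blocks sign-in for guest users whose last non-interactive sign-in is more than 90 days ago`, or widen the filter to also consider `signInActivity/lastSignInDateTime`. Since this standard disables accounts, the text operators read before enabling it should be exact. The remediation that acts on `$GraphRequest` is outside the hunk.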
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDisableM365GroupUsers { <# .FUNCTIONALITY Internal + .APINAME + DisableM365GroupUsers + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, Sharepoint sites, Planner, etc + .DOCSDESCRIPTION + Users by default are allowed to create M365 groups. This restricts M365 group creation to certain admin roles. This disables the ability to create Teams, SharePoint sites, Planner, etc + .ADDEDCOMPONENT + .LABEL + Disable M365 Group creation by users + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaDirectorySetting + .RECOMMENDEDBY + .DOCSDESCRIPTION + Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, Sharepoint sites, Planner, etc + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/settings' -tenantid $tenant) | Where-Object -Property displayname -EQ 'Group.unified' @@ -53,3 +79,7 @@ function Invoke-CIPPStandardDisableM365GroupUsers { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 index 230920781a6a..39b2b91a764e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableOutlookAddins.ps1 
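Review bot: `.DOCSDESCRIPTION` appears twice in the new block, and the two copies disagree on product naming (`Sharepoint` vs `SharePoint`); keep the longer first copy and fix the casing in `.HELPTEXT` to `SharePoint`. The text also says creation is restricted "to certain admin roles" but there is no `.ADDEDCOMPONENT` for choosing them, so the docs should name whatever group or role the remediation hard-codes; that part of the function is outside the hunk. The context line selects the setting with `displayname -EQ 'Group.unified'`, which yields `$null` on a tenant where that settings template was never instantiated — worth confirming the body handles that case.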
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardDisableOutlookAddins { <# .FUNCTIONALITY Internal + .APINAME + DisableOutlookAddins + .CAT + Exchange Standards + .TAG + "mediumimpact" + "CIS" + "exo_outlookaddins" + .HELPTEXT + Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins. + .DOCSDESCRIPTION + Disables users from being able to install add-ins in Outlook. Only admins are able to approve add-ins for the users. This is done to reduce the threat surface for data exfiltration. + .ADDEDCOMPONENT + .LABEL + Disable users from installing add-ins in Outlook + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Get-ManagementRoleAssignment | Remove-ManagementRoleAssignment + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-RoleAssignmentPolicy' | Where-Object { $_.IsDefault -eq $true } @@ -53,3 +82,7 @@ function Invoke-CIPPStandardDisableOutlookAddins { Add-CIPPBPAField -FieldName 'DisabledOutlookAddins' -FieldValue $State -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 index 0893d8fda2d2..26db5c11c88a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableReshare.ps1 
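Review bot: The `.POWERSHELLEQUIVALENT` `Get-ManagementRoleAssignment | Remove-ManagementRoleAssignment` is dangerous taken literally, because with no filter it removes every role assignment in the organisation, whereas the context line scopes the standard to the default role assignment policy (`Get-RoleAssignmentPolicy | Where-Object { $_.IsDefault -eq $true }`). Narrow the equivalent to that policy and the add-in roles the remediation actually removes (the role names are in the part of the function outside the hunk), or make it a description rather than a runnable pipeline. `.DOCSDESCRIPTION` is also declared twice; keep the first, more specific copy.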
@@ -2,7 +2,35 @@ function Invoke-CIPPStandardDisableReshare { <# .FUNCTIONALITY Internal + .APINAME + DisableReshare + .CAT + SharePoint Standards + .TAG + "highimpact" + "CIS" + .HELPTEXT + Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access + .DOCSDESCRIPTION + Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access. This is a tenant wide setting and overrules any settings set on the site level + .ADDEDCOMPONENT + .LABEL + Disable Resharing by External Users + .IMPACT + High Impact + .POWERSHELLEQUIVALENT + Update-MgBetaAdminSharepointSetting + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -34,3 +62,7 @@ function Invoke-CIPPStandardDisableReshare { Add-CIPPBPAField -FieldName 'DisableReshare' -FieldValue $CurrentInfo.isResharingByExternalUsersEnabled -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 index 43dd0198d1b3..30454df4cba6 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSMS.ps1 
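Review bot: `.DOCSDESCRIPTION` is declared twice in the new block, and only the first copy carries the caveat that the tenant-wide setting overrides site-level settings; keep that one and drop the duplicate so the generator cannot pick the shorter text. The `.POWERSHELLEQUIVALENT` names only the cmdlet; since the context line stores `isResharingByExternalUsersEnabled`, naming that property in the equivalent makes it actionable (presumably `-IsResharingByExternalUsersEnabled:$false` on the Graph SDK cmdlet — verify). Note the BPA field `DisableReshare` stores the raw `isResharingByExternalUsersEnabled` value, so `true` means not compliant; a sentence in DOCSDESCRIPTION would save report readers from guessing.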
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDisableSMS {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ DisableSMS
+ .CAT
+ Entra (AAD) Standards
+ .TAG
+ "highimpact"
+ .HELPTEXT
+ This blocks users from using SMS as an MFA method. If a user only has SMS as a MFA method, they will be unable to log in.
+ .DOCSDESCRIPTION
+ Disables SMS as an MFA method for the tenant. If a user only has SMS as a MFA method, they will be unable to sign in.
+ .ADDEDCOMPONENT
+ .LABEL
+ Disables SMS as an MFA method
+ .IMPACT
+ High Impact
+ .POWERSHELLEQUIVALENT
+ Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ This blocks users from using SMS as an MFA method. If a user only has SMS as a MFA method, they will be unable to log in.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/SMS' -tenantid $Tenant
 $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false }
@@ -27,3 +53,7 @@ function Invoke-CIPPStandardDisableSMS {
 Add-CIPPBPAField -FieldName 'DisableSMS' -FieldValue $State -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
index edaf91dfde7d..df6a6d327447 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSecurityGroupUsers.ps1
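Review bot: `.DOCSDESCRIPTION` is declared twice in the new block; keep one. Because the standard is tagged `highimpact` and the text itself admits that users with SMS as their only method will be locked out, the HELPTEXT should tell operators what to check first, e.g. `Review the authentication methods registration report for users whose only registered method is SMS before enabling this standard`. The remediation that sets the `SMS` configuration to disabled is outside the hunk.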
@@ -2,7 +2,31 @@ function Invoke-CIPPStandardDisableSecurityGroupUsers { <# .FUNCTIONALITY Internal + .APINAME + DisableSecurityGroupUsers + .CAT + Entra (AAD) Standards + .TAG + "mediumimpact" + .HELPTEXT + Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams + .ADDEDCOMPONENT + .LABEL + Disable Security Group creation by users + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthorizationPolicy + .RECOMMENDEDBY + .DOCSDESCRIPTION + Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant @@ -35,3 +59,7 @@ function Invoke-CIPPStandardDisableSecurityGroupUsers { Add-CIPPBPAField -FieldName 'DisableSecurityGroupUsers' -FieldValue $CurrentInfo.defaultUserRolePermissions.allowedToCreateSecurityGroups -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 index 6431f6053dc5..147aa0fefe89 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSelfServiceLicenses.ps1 
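Review bot: The impact rating is inconsistent with a sibling standard in this patch: this block is tagged `mediumimpact` while its HELPTEXT says it "breaks the ability to ... create Teams", yet DisableUserSiteCreate, which documents the same consequence ("disables the ability to fully create teams"), is tagged `highimpact`. Pick one rating for "users can no longer create Teams" and apply it to both. The HELPTEXT sentence also reads awkwardly; suggest `This also prevents users from managing their own groups or creating Teams`. Note the context line stores `allowedToCreateSecurityGroups` under the field `DisableSecurityGroupUsers`, so `true` means the standard is not applied; that inversion predates the commit but is worth a sentence in DOCSDESCRIPTION.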
@@ -2,9 +2,37 @@ function Invoke-CIPPStandardDisableSelfServiceLicenses { <# .FUNCTIONALITY Internal + .APINAME + DisableSelfServiceLicenses + .CAT + Entra (AAD) Standards + .TAG + "mediumimpact" + .HELPTEXT + This standard currently does not function and can be safely disabled + .ADDEDCOMPONENT + .LABEL + Disable Self Service Licensing + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-MsolCompanySettings -AllowAdHocSubscriptions $false + .RECOMMENDEDBY + .DOCSDESCRIPTION + This standard currently does not function and can be safely disabled + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) Write-LogMessage -API 'Standards' -tenant $tenant -message 'Self Service Licenses cannot be disabled' -sev Error } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 index 1e109b41a3aa..b562d10dbd3e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharePointLegacyAuth.ps1 
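Review bot: The new HELPTEXT states the standard "does not function and can be safely disabled", yet the only body line (`Write-LogMessage ... -sev Error`) raises an Error for every tenant on every run, which is alert noise for a known no-op. If the standard must stay listed, log at Warning with the same message so it does not compete with real failures, or hide it from the UI. The `.POWERSHELLEQUIVALENT` also points at `Set-MsolCompanySettings` from the deprecated MSOnline module; if no supported equivalent exists, say `None (not currently implementable via API)` rather than citing a cmdlet readers cannot rely on.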
@@ -2,7 +2,35 @@ function Invoke-CIPPStandardDisableSharePointLegacyAuth { <# .FUNCTIONALITY Internal + .APINAME + DisableSharePointLegacyAuth + .CAT + SharePoint Standards + .TAG + "mediumimpact" + "CIS" + .HELPTEXT + Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication. + .DOCSDESCRIPTION + Disables the ability for users and applications to access SharePoint via legacy basic authentication. This will likely not have any user impact, but will block systems/applications depending on basic auth or the SharePointOnlineCredentials class. + .ADDEDCOMPONENT + .LABEL + Disable legacy basic authentication for SharePoint + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-SPOTenant -LegacyAuthProtocolsEnabled $false + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings?$select=isLegacyAuthProtocolsEnabled' -tenantid $Tenant -AsApp $true @@ -36,3 +64,7 @@ function Invoke-CIPPStandardDisableSharePointLegacyAuth { Add-CIPPBPAField -FieldName 'SharePointLegacyAuthEnabled' -FieldValue $CurrentInfo.isLegacyAuthProtocolsEnabled -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 index d9d3356eba00..c60ffd274664 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1 
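Review bot: `.DOCSDESCRIPTION` is declared twice in the new block; the first copy is the better one because it names the concrete breakage (clients using basic auth or the `SharePointOnlineCredentials` class), so keep it and drop the second. The `.POWERSHELLEQUIVALENT` `Set-SPOTenant -LegacyAuthProtocolsEnabled $false` is the SPO-module form, while the context line reads the Graph `admin/sharepoint/settings` endpoint with `$select=isLegacyAuthProtocolsEnabled`; mentioning the Graph property next to the SPO cmdlet would help readers map the two.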
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableSharedMailbox.ps1
@@ -2,7 +2,35 @@ function Invoke-CIPPStandardDisableSharedMailbox {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ DisableSharedMailbox
+ .CAT
+ Exchange Standards
+ .TAG
+ "mediumimpact"
+ "CIS"
+ .HELPTEXT
+ Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes.
+ .DOCSDESCRIPTION
+ Shared mailboxes can be directly logged into if the password is reset, this presents a security risk as do all shared login credentials. Microsoft's recommendation is to disable the user account for shared mailboxes. It would be a good idea to review the sign-in reports to establish potential impact.
+ .ADDEDCOMPONENT
+ .LABEL
+ Disable Shared Mailbox AAD accounts
+ .IMPACT
+ Medium Impact
+ .POWERSHELLEQUIVALENT
+ Get-Mailbox & Update-MgUser
+ .RECOMMENDEDBY
+ "CIS"
+ .DOCSDESCRIPTION
+ Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $UserList = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/users?$top=999&$filter=accountEnabled eq true' -Tenantid $tenant -scope 'https://graph.microsoft.com/.default'
 $SharedMailboxList = (New-GraphGetRequest -uri "https://outlook.office365.com/adminapi/beta/$($Tenant)/Mailbox" -Tenantid $tenant -scope ExchangeOnline | Where-Object { $_.RecipientTypeDetails -EQ 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox' -and $_.UserPrincipalName -in $UserList.UserPrincipalName })
@@ -37,3 +65,7 @@ function Invoke-CIPPStandardDisableSharedMailbox {
 Add-CIPPBPAField -FieldName 'DisableSharedMailbox' -FieldValue $SharedMailboxList -StoreAs json -Tenant $tenant
 }
 }
+
+
+
+
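Review bot: The `Where-Object` filter on the `$SharedMailboxList` context line has an operator-precedence bug: in PowerShell `-and` binds tighter than `-or`, so the `-in $UserList.UserPrincipalName` check only applies to `SchedulingMailbox` entries and every `SharedMailbox` is included whether or not its account is enabled. Group the type test: `Where-Object { ($_.RecipientTypeDetails -eq 'SharedMailbox' -or $_.RecipientTypeDetails -eq 'SchedulingMailbox') -and $_.UserPrincipalName -in $UserList.UserPrincipalName }`. This predates the commit, but the new DOCSDESCRIPTION tells operators to "review the sign-in reports to establish potential impact", which presumes the BPA list stored two lines later is accurate. `$UserList` is also fetched with `$top=999`, so unless `New-GraphGetRequest` follows `@odata.nextLink` the comparison is truncated on large tenants; the remediation that disables the accounts is outside the hunk.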
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 index 022f21807864..1db22507ede0 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTNEF.ps1 @@ -2,8 +2,34 @@ function Invoke-CIPPStandardDisableTNEF { <# .FUNCTIONALITY Internal + .APINAME + DisableTNEF + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. + .DOCSDESCRIPTION + Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. Cannot be overridden by the user. For more information, see [Microsoft's documentation.](https://learn.microsoft.com/en-us/exchange/mail-flow/content-conversion/tnef-conversion?view=exchserver-2019) + .ADDEDCOMPONENT + .LABEL + Disable TNEF/winmail.dat + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-RemoteDomain -Identity 'Default' -TNEFEnabled $false + .RECOMMENDEDBY + .DOCSDESCRIPTION + Disables Transport Neutral Encapsulation Format (TNEF)/winmail.dat for the tenant. TNEF can cause issues if the recipient is not using a client supporting TNEF. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param ($Tenant, $Settings) $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-RemoteDomain' -cmdParams @{Identity = 'Default' } @@ -37,3 +63,7 @@ function Invoke-CIPPStandardDisableTNEF { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1 index 97616ca367ea..30eef38a9254 100644 
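Review bot: The new `.DOCSDESCRIPTION` says TNEF is disabled "for the tenant", but the context line only reads the `Default` remote domain (`Get-RemoteDomain -cmdParams @{Identity = 'Default' }`), so any additional remote domains keep their own `TNEFEnabled` value; either say `for the Default remote domain` or have the standard iterate all remote domains. `.DOCSDESCRIPTION` is also declared twice; keep the first copy, which carries the documentation link. Minor style: `param ($Tenant, $Settings)` has a space before the parenthesis that no other standard in this patch uses.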
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableTenantCreation.ps1
@@ -2,7 +2,35 @@ function Invoke-CIPPStandardDisableTenantCreation {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ DisableTenantCreation
+ .CAT
+ Entra (AAD) Standards
+ .TAG
+ "lowimpact"
+ "CIS"
+ .HELPTEXT
+ Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles.
+ .DOCSDESCRIPTION
+ Users by default are allowed to create M365 tenants. This disables that so only admins can create new M365 tenants.
+ .ADDEDCOMPONENT
+ .LABEL
+ Disable M365 Tenant creation by users
+ .IMPACT
+ Low Impact
+ .POWERSHELLEQUIVALENT
+ Update-MgPolicyAuthorizationPolicy
+ .RECOMMENDEDBY
+ "CIS"
+ .DOCSDESCRIPTION
+ Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $Tenant
 $State = $CurrentInfo.defaultUserRolePermissions.allowedToCreateTenants
@@ -35,3 +63,7 @@ function Invoke-CIPPStandardDisableTenantCreation {
 Add-CIPPBPAField -FieldName 'DisableTenantCreation' -FieldValue $State -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1
index 97bac09d7668..b47e17c3ccc6 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableUserSiteCreate.ps1
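Review bot: `.DOCSDESCRIPTION` is declared twice in the new block; keep one. The context line stores the raw `allowedToCreateTenants` value under the BPA field `DisableTenantCreation`, so `true` in the report means the standard is not applied, which is the opposite of what the field name suggests; a sentence such as `The BPA field reports the current allowedToCreateTenants value, so true means users can still create tenants` in DOCSDESCRIPTION would prevent misreads until the field is renamed. The remediation body is outside the hunk.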
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDisableUserSiteCreate { <# .FUNCTIONALITY Internal + .APINAME + DisableUserSiteCreate + .CAT + SharePoint Standards + .TAG + "highimpact" + .HELPTEXT + Disables users from creating new SharePoint sites + .DOCSDESCRIPTION + Disables standard users from creating SharePoint sites, also disables the ability to fully create teams + .ADDEDCOMPONENT + .LABEL + Disable site creation by standard users + .IMPACT + High Impact + .POWERSHELLEQUIVALENT + Update-MgAdminSharepointSetting + .RECOMMENDEDBY + .DOCSDESCRIPTION + Disables users from creating new SharePoint sites + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -36,3 +62,7 @@ function Invoke-CIPPStandardDisableUserSiteCreate { Add-CIPPBPAField -FieldName 'DisableUserSiteCreate' -FieldValue $CurrentInfo.isSiteCreationEnabled -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 index 2a87da3fef09..efc8ef960fa4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableViva.ps1 
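Review bot: `.DOCSDESCRIPTION` is declared twice in the new block; the first copy is the one that warns that Teams creation is also affected, so keep it and drop the second. The `.POWERSHELLEQUIVALENT` names the v1.0 `Update-MgAdminSharepointSetting` while the context line reads the `beta/admin/sharepoint/settings` endpoint; either is a fair equivalent, but the docs should say which one the standard itself uses. As with the other SharePoint standards in this patch, the BPA field `DisableUserSiteCreate` stores the raw `isSiteCreationEnabled` value, so `true` means not compliant.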
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDisableViva { <# .FUNCTIONALITY Internal + .APINAME + DisableViva + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Disables the daily viva reports for all users. + .DOCSDESCRIPTION + Disables the daily viva reports for all users. + .ADDEDCOMPONENT + .LABEL + Disable daily Insight/Viva reports + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-UserBriefingConfig + .RECOMMENDEDBY + .DOCSDESCRIPTION + Disables the daily viva reports for all users. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) try { @@ -45,3 +71,7 @@ function Invoke-CIPPStandardDisableViva { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 index 0c064013b444..7d8fc7b30d80 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisableVoice.ps1 
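Review bot: `.DOCSDESCRIPTION` is declared twice with identical text in the new block; drop one. The product name is capitalised `Viva` (the `.LABEL` already writes `Insight/Viva`), so use `Disables the daily Viva reports for all users` in both HELPTEXT and DOCSDESCRIPTION. The body opens a `try {` whose remainder is outside the hunk, so nothing else is checkable here.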
@@ -2,7 +2,30 @@ function Invoke-CIPPStandardDisableVoice {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ DisableVoice
+ .CAT
+ Entra (AAD) Standards
+ .TAG
+ "highimpact"
+ .HELPTEXT
+ This blocks users from using Voice call as an MFA method. If a user only has Voice as a MFA method, they will be unable to log in.
+ .DOCSDESCRIPTION
+ Disables Voice call as an MFA method for the tenant. If a user only has Voice call as a MFA method, they will be unable to sign in.
+ .ADDEDCOMPONENT
+ .LABEL
+ Disables Voice call as an MFA method
+ .IMPACT
+ High Impact
+ .DOCSDESCRIPTION
+ This blocks users from using Voice call as an MFA method. If a user only has Voice as a MFA method, they will be unable to log in.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Voice' -tenantid $Tenant
 $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false }
@@ -27,3 +50,7 @@ function Invoke-CIPPStandardDisableVoice {
 Add-CIPPBPAField -FieldName 'DisableVoice' -FieldValue $State -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
index d59042f1f6c8..b79fa98643c2 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardDisablex509Certificate.ps1
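Review bot: This block is missing the `.POWERSHELLEQUIVALENT` and `.RECOMMENDEDBY` keys that every other authentication-method standard in this patch (DisableSMS, DisableEmail, Disablex509Certificate, EnableFIDO2) carries, so the generated docs table will have a hole for Voice. Add `.POWERSHELLEQUIVALENT` with `Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration` and an empty `.RECOMMENDEDBY` after `.IMPACT`, matching the sibling blocks. `.DOCSDESCRIPTION` is also declared twice; keep one.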
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardDisablex509Certificate { <# .FUNCTIONALITY Internal + .APINAME + Disablex509Certificate + .CAT + Entra (AAD) Standards + .TAG + "highimpact" + .HELPTEXT + This blocks users from using Certificates as an MFA method. + .DOCSDESCRIPTION + This blocks users from using Certificates as an MFA method. + .ADDEDCOMPONENT + .LABEL + Disables Certificates as an MFA method + .IMPACT + High Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + This blocks users from using Certificates as an MFA method. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/x509Certificate' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -28,3 +54,7 @@ function Invoke-CIPPStandardDisablex509Certificate { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 index 835d6a9dfe94..4c427bac19d1 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableAppConsentRequests.ps1 
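Review bot: The new HELPTEXT/DOCSDESCRIPTION describe certificates only as "an MFA method" and give no consequence, although the block is tagged `highimpact` and the sibling SMS/Voice blocks at least state the lockout. Certificate-based authentication is commonly deployed as a phishing-resistant method, so the text should warn that users relying on it lose it and that any Conditional Access authentication strength requiring it will start failing; suggest `Disables the x509 certificate authentication method. Users whose only strong method is a certificate will be unable to sign in; confirm no Conditional Access authentication strength depends on it before enabling.` `.DOCSDESCRIPTION` is also declared twice; keep one. The remediation body is outside the hunk.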
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardEnableAppConsentRequests { <# .FUNCTIONALITY Internal + .APINAME + EnableAppConsentRequests + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + "CIS" + .HELPTEXT + Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings + .DOCSDESCRIPTION + Enables the ability for users to request admin consent for applications. Should be used in conjunction with the "Require admin consent for applications" standards + .ADDEDCOMPONENT + {"type":"AdminRolesMultiSelect","label":"App Consent Reviewer Roles","name":"standards.EnableAppConsentRequests.ReviewerRoles"} + .LABEL + Enable App consent admin requests + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgPolicyAdminConsentRequestPolicy + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy' -tenantid $Tenant @@ -77,3 +106,7 @@ function Invoke-CIPPStandardEnableAppConsentRequests { Add-CIPPBPAField -FieldName 'EnableAppConsentAdminRequests' -FieldValue $CurrentInfo.isEnabled -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 index b5741d27ac4d..daabff2b8ccc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableCustomerLockbox.ps1 
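Review bot: The `.HELPTEXT` says requests are routed "via the GA role", but the new `.ADDEDCOMPONENT` adds an `AdminRolesMultiSelect` bound to `standards.EnableAppConsentRequests.ReviewerRoles`, so the text contradicts the control it sits next to. Reword to `Enables admin consent requests; the selected roles become reviewers (Global Administrator if none is selected)`, adjusting the fallback to whatever the remediation body actually does — that body is outside the hunk. `.DOCSDESCRIPTION` is declared twice; the first copy, which points readers at the companion "Require admin consent for applications" standard, is the one to keep.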
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardEnableCustomerLockbox { <# .FUNCTIONALITY Internal + .APINAME + EnableCustomerLockbox + .CAT + Global Standards + .TAG + "lowimpact" + "CIS" + "CustomerLockBoxEnabled" + .HELPTEXT + Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data + .DOCSDESCRIPTION + Customer Lockbox ensures that Microsoft can't access your content to do service operations without your explicit approval. Customer Lockbox ensures only authorized requests allow access to your organizations data. + .ADDEDCOMPONENT + .LABEL + Enable Customer Lockbox + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig -CustomerLockBoxEnabled $true + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CustomerLockboxStatus = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').CustomerLockboxEnabled @@ -38,3 +67,7 @@ function Invoke-CIPPStandardEnableCustomerLockbox { Add-CIPPBPAField -FieldName 'CustomerLockboxEnabled' -FieldValue $CustomerLockboxStatus -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 index d5d84aa3d8e6..f7111785c042 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableFIDO2.ps1 
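Review bot: The new `.TAG` value `CustomerLockBoxEnabled` differs in casing from the `CustomerLockboxEnabled` property the context line reads from `Get-OrganizationConfig`; if tags are matched against BPA or report field names elsewhere, the mismatch will silently fail, so align it to `CustomerLockboxEnabled`. `.DOCSDESCRIPTION` is declared twice; keep the first, which explains what Lockbox guarantees. Customer Lockbox is a separately licensed feature, so the HELPTEXT should presumably warn that the standard will fail on tenants without that licence — confirm against the remediation body, which is outside the hunk.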
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardEnableFIDO2 { <# .FUNCTIONALITY Internal + .APINAME + EnableFIDO2 + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Enables the FIDO2 authenticationMethod for the tenant + .DOCSDESCRIPTION + Enables FIDO2 capabilities for the tenant. This allows users to use FIDO2 keys like a Yubikey for authentication. + .ADDEDCOMPONENT + .LABEL + Enable FIDO2 capabilities + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables the FIDO2 authenticationMethod for the tenant + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/Fido2' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -31,3 +57,7 @@ function Invoke-CIPPStandardEnableFIDO2 { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 index 67b0cf7e7bc4..eaf297caf78e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableHardwareOAuth.ps1 
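Review bot: `.DOCSDESCRIPTION` is declared twice in the new block; keep the first, which gives the user-facing explanation, and fix the product name to `YubiKey`. Enabling the `Fido2` method configuration presumably only permits registration rather than forcing anyone to use it, so a sentence such as `Enabling the method allows users to register FIDO2 keys; enforcing their use requires a Conditional Access authentication strength` would set expectations — the remediation that writes the configuration is outside the hunk. The second hunk ends the function with only the closing braces, so nothing else is checkable here.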
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardEnableHardwareOAuth { <# .FUNCTIONALITY Internal + .APINAME + EnableHardwareOAuth + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes. + .DOCSDESCRIPTION + Enables Hardware OAuth tokens for the tenant. This allows users to use hardware tokens like a Yubikey for authentication. + .ADDEDCOMPONENT + .LABEL + Enable Hardware OAuth tokens + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/HardwareOath' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -30,3 +56,7 @@ function Invoke-CIPPStandardEnableHardwareOAuth { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 index 1de0a2315a13..17e735496e88 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableLitigationHold.ps1 
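Review bot: The new label and descriptions say `OAuth`, but the method the context line reads is `/authenticationMethodConfigurations/HardwareOath` — OATH (the open-authentication TOTP standard) is unrelated to OAuth (the authorization protocol), and the mix-up will mislead anyone searching the docs. Change `.LABEL` to `Enable Hardware OATH tokens` and the DOCSDESCRIPTION to `Enables hardware OATH (TOTP) tokens for the tenant, allowing users to sign in with a hardware token that generates 6-digit codes.`; the `.APINAME` `EnableHardwareOAuth` is presumably load-bearing for settings keys and can stay. The "like a Yubikey" example belongs with the FIDO2 standard, not here. `.DOCSDESCRIPTION` is declared twice; keep one.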
@@ -1,8 +1,32 @@ function Invoke-CIPPStandardEnableLitigationHold { - <# - .FUNCTIONALITY - Internal - #> + <# + .FUNCTIONALITY + Internal + .APINAME + EnableLitigationHold + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Enables litigation hold for all UserMailboxes with a valid license. + .ADDEDCOMPONENT + .LABEL + Enable Litigation Hold for all users + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-Mailbox -LitigationHoldEnabled $true + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables litigation hold for all UserMailboxes with a valid license. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + #> + + + + param($Tenant, $Settings) $MailboxesNoLitHold = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-Mailbox' -cmdparams @{ MailboxPlan = 'ExchangeOnlineEnterprise'; Filter = 'LitigationHoldEnabled -eq "False"'} @@ -52,3 +76,7 @@ function Invoke-CIPPStandardEnableLitigationHold { Add-CIPPBPAField -FieldName 'EnableLitHold' -FieldValue $filtered -StoreAs json -Tenant $Tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 index 52d3e3294c18..1abee9433d86 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailTips.ps1 
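Review bot: The `.HELPTEXT` and `.DOCSDESCRIPTION` text `Enables litigation hold for all UserMailboxes with a valid license.` overstates the scope: the context line immediately after the block queries `Get-Mailbox` with `MailboxPlan = 'ExchangeOnlineEnterprise'`, so only mailboxes on that plan are considered and licensed mailboxes on other plans are skipped. Suggest `Enables litigation hold for all user mailboxes on the ExchangeOnlineEnterprise mailbox plan that do not have it yet.` in both fields so an admin reading the docs knows which mailboxes are left untouched. The rest of the function body is outside the hunk.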
@@ -2,8 +2,36 @@ function Invoke-CIPPStandardEnableMailTips { <# .FUNCTIONALITY Internal + .APINAME + EnableMailTips + .CAT + Exchange Standards + .TAG + "lowimpact" + "CIS" + "exo_mailtipsenabled" + .HELPTEXT + Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements + .ADDEDCOMPONENT + {"type":"number","name":"standards.EnableMailTips.MailTipsLargeAudienceThreshold","label":"Number of recipients to trigger the large audience MailTip (Default is 25)","placeholder":"Enter a profile name","default":25} + .LABEL + Enable all MailTips + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $MailTipsState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig' | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold $StateIsCorrect = if ($MailTipsState.MailTipsAllTipsEnabled -and $MailTipsState.MailTipsExternalRecipientsTipsEnabled -and $MailTipsState.MailTipsGroupMetricsEnabled -and $MailTipsState.MailTipsLargeAudienceThreshold -eq $Settings.MailTipsLargeAudienceThreshold) { $true } else { $false } @@ -38,3 +66,7 @@ function Invoke-CIPPStandardEnableMailTips { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 index 2374206fc6d0..e085bb128d8a 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 
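Review bot: The `.ADDEDCOMPONENT` JSON for `standards.EnableMailTips.MailTipsLargeAudienceThreshold` carries `"placeholder":"Enter a profile name"`, a copy-paste leftover on a numeric recipient-count field. Suggest `"placeholder":"25"` or dropping the placeholder key altogether, since `"default":25` already conveys the value. Minor: the `.HELPTEXT` phrase `when an email you create, meets some requirements` has a stray comma — `when an email you create meets certain conditions`.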
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableMailboxAuditing.ps1 @@ -2,7 +2,36 @@ function Invoke-CIPPStandardEnableMailboxAuditing { <# .FUNCTIONALITY Internal + .APINAME + EnableMailboxAuditing + .CAT + Exchange Standards + .TAG + "lowimpact" + "CIS" + "exo_mailboxaudit" + .HELPTEXT + Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function. + .DOCSDESCRIPTION + Enables mailbox auditing on tenant level and for all mailboxes. Disables audit bypass on all mailboxes. By default Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. Unified Audit Log needs to be enabled for this standard to function. + .ADDEDCOMPONENT + .LABEL + Enable Mailbox auditing + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig -AuditDisabled $false + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Enables Mailbox auditing for all mailboxes and on tenant level. Disables audit bypass on all mailboxes. Unified Audit Log needs to be enabled for this standard to function. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $AuditState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').AuditDisabled @@ -91,3 +120,7 @@ function Invoke-CIPPStandardEnableMailboxAuditing { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 index 3c3dbd004c45..90a20d59b356 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnableOnlineArchiving.ps1 
@@ -2,7 +2,31 @@ function Invoke-CIPPStandardEnableOnlineArchiving { <# .FUNCTIONALITY Internal + .APINAME + EnableOnlineArchiving + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Enables the In-Place Online Archive for all UserMailboxes with a valid license. + .ADDEDCOMPONENT + .LABEL + Enable Online Archive for all users + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Enable-Mailbox -Archive $true + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables the In-Place Online Archive for all UserMailboxes with a valid license. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $MailboxPlans = @( 'ExchangeOnline', 'ExchangeOnlineEnterprise' ) @@ -56,3 +80,7 @@ function Invoke-CIPPStandardEnableOnlineArchiving { Add-CIPPBPAField -FieldName 'EnableOnlineArchiving' -FieldValue $filtered -StoreAs json -Tenant $Tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 index bd4d6c85e70e..7d20bcee6666 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 
@@ -2,7 +2,31 @@ function Invoke-CIPPStandardEnablePronouns { <# .FUNCTIONALITY Internal + .APINAME + EnablePronouns + .CAT + Global Standards + .TAG + "lowimpact" + .HELPTEXT + Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile. + .ADDEDCOMPONENT + .LABEL + Enable Pronouns + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaAdminPeoplePronoun -IsEnabledInOrganization:$true + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables the Pronouns feature for the tenant. This allows users to set their pronouns in their profile. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param ($Tenant, $Settings) $Uri = 'https://graph.microsoft.com/v1.0/admin/people/pronouns' @@ -47,3 +71,7 @@ function Invoke-CIPPStandardEnablePronouns { Add-CIPPBPAField -FieldName 'PronounsEnabled' -FieldValue $CurrentState.isEnabledInOrganization -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 index 321c13c46ad8..28ab4c8ca495 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExcludedfileExt.ps1 
@@ -2,7 +2,32 @@ function Invoke-CIPPStandardExcludedfileExt { <# .FUNCTIONALITY Internal + .APINAME + ExcludedfileExt + .CAT + SharePoint Standards + .TAG + "highimpact" + .HELPTEXT + Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted. + .ADDEDCOMPONENT + {"type":"input","name":"standards.ExcludedfileExt.ext","label":"Extensions, Comma separated"} + .LABEL + Exclude File Extensions from Syncing + .IMPACT + High Impact + .POWERSHELLEQUIVALENT + Update-MgAdminSharepointSetting + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload. '*.' is automatically added to the extension and can be omitted. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true $Exts = ($Settings.ext -replace ' ', '') -split ',' @@ -52,3 +77,7 @@ function Invoke-CIPPStandardExcludedfileExt { Add-CIPPBPAField -FieldName 'ExcludedfileExt' -FieldValue $CurrentInfo.excludedFileExtensionsForSyncApp -StoreAs json -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 index 6fefb63e5b59..619455fdb0e7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardExternalMFATrusted.ps1 
@@ -2,7 +2,32 @@ function Invoke-CIPPStandardExternalMFATrusted { <# .FUNCTIONALITY Internal + .APINAME + ExternalMFATrusted + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant. + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.ExternalMFATrusted.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} + .LABEL + Sets the Cross-tenant access setting to trust external MFA + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyCrossTenantAccessPolicyDefault + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $ExternalMFATrusted = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default?$select=inboundTrust' -tenantid $Tenant) @@ -48,3 +73,7 @@ function Invoke-CIPPStandardExternalMFATrusted { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 index 6dccab45117f..9a9655ac22a4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardFocusedInbox.ps1 
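Review bot: The `.DOCSDESCRIPTION` `Sets the state of the Cross-tenant access setting to trust external MFA. This allows guest users to use their home tenant MFA to access your tenant.` leaves out the consequence an admin weighing this standard needs: once inbound MFA trust is enabled, a Conditional Access policy in this tenant that requires MFA is satisfied by the guest's home-tenant MFA claim, so the effective authentication strength for guests is whatever the partner tenant enforces. Suggest appending `Your Conditional Access MFA requirement is then satisfied by the home tenant's MFA claim, so guest MFA strength depends on the partner tenant's configuration.` The `.TAG "lowimpact"` may be worth reconsidering for a trust-boundary change, though the tag vocabulary is project-defined. The body that applies the setting is outside the hunk.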
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardFocusedInbox { <# .FUNCTIONALITY Internal + .APINAME + FocusedInbox + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the default Focused Inbox state for the tenant. This can be overridden by the user. + .DOCSDESCRIPTION + Sets the default Focused Inbox state for the tenant. This can be overridden by the user in their Outlook settings. For more information, see [Microsoft's documentation.](https://support.microsoft.com/en-us/office/focused-inbox-for-outlook-f445ad7f-02f4-4294-a82e-71d8964e3978) + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.FocusedInbox.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + .LABEL + Set Focused Inbox state + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig -FocusedInboxOn $true or $false + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the default Focused Inbox state for the tenant. This can be overridden by the user. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) # Input validation @@ -45,3 +72,7 @@ function Invoke-CIPPStandardFocusedInbox { Add-CIPPBPAField -FieldName 'FocusedInboxCorrectState' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 index 583a39ecb8f8..a99543882349 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardGlobalQuarantineNotifications.ps1 
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardGlobalQuarantineNotifications { <# .FUNCTIONALITY Internal + .APINAME + GlobalQuarantineNotifications + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users. + .DOCSDESCRIPTION + Sets the global quarantine notification interval for the tenant. This is the time between the quarantine notification emails are sent out to users. Default is 24 hours. + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.GlobalQuarantineNotifications.NotificationInterval","values":[{"label":"4 hours","value":"04:00:00"},{"label":"1 day/Daily","value":"1.00:00:00"},{"label":"7 days/Weekly","value":"7.00:00:00"}]} + .LABEL + Set Global Quarantine Notification Interval + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-QuarantinePolicy -EndUserSpamNotificationFrequency + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the Global Quarantine Notification Interval to the selected value. Determines how often the quarantine notification is sent to users. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param ($Tenant, $Settings) $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-QuarantinePolicy' -cmdParams @{ QuarantinePolicyType = 'GlobalQuarantinePolicy' } @@ -55,3 +82,7 @@ function Invoke-CIPPStandardGlobalQuarantineNotifications { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 index 08f43267469f..282d7ebc4778 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardLegacyMFACleanup.ps1 
@@ -2,8 +2,36 @@ function Invoke-CIPPStandardLegacyMFACleanup { <# .FUNCTIONALITY Internal + .APINAME + LegacyMFACleanup + .CAT + Entra (AAD) Standards + .TAG + "mediumimpact" + .HELPTEXT + This standard currently does not function and can be safely disabled + .ADDEDCOMPONENT + .LABEL + Remove Legacy MFA if SD or CA is active + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-MsolUser -StrongAuthenticationRequirements $null + .RECOMMENDEDBY + .DOCSDESCRIPTION + This standard currently does not function and can be safely disabled + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) Write-LogMessage -API 'Standards' -tenant $tenant -message 'Per User MFA APIs have been disabled.' -sev Info } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 index 8cc14082f3a3..724357d3ef55 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMailContacts.ps1 
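Review bot: The added metadata presents a standard whose `.HELPTEXT` says `This standard currently does not function and can be safely disabled` under a `.LABEL` of `Remove Legacy MFA if SD or CA is active`, an `.IMPACT` of `Medium Impact` and a `.POWERSHELLEQUIVALENT` of `Set-MsolUser -StrongAuthenticationRequirements $null`; the label and impact are what the UI shows, while the body visible here only writes a log line. Make the label carry the state, e.g. `Remove Legacy MFA if SD or CA is active (deprecated - no longer functional)`, and consider `Low Impact` since nothing is changed. `Set-MsolUser` belongs to the retired MSOnline module, so the equivalent should either be dropped or state that the API is gone.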
@@ -2,7 +2,39 @@ function Invoke-CIPPStandardMailContacts { <# .FUNCTIONALITY Internal + .APINAME + MailContacts + .CAT + Global Standards + .TAG + "lowimpact" + .HELPTEXT + Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information. + .DOCSDESCRIPTION + Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information. + .DISABLEDFEATURES + + .ADDEDCOMPONENT + {"type":"input","name":"standards.MailContacts.GeneralContact","label":"General Contact"} + {"type":"input","name":"standards.MailContacts.SecurityContact","label":"Security Contact"} + {"type":"input","name":"standards.MailContacts.MarketingContact","label":"Marketing Contact"} + {"type":"input","name":"standards.MailContacts.TechContact","label":"Technical Contact"} + .LABEL + Set contact e-mails + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-MsolCompanyContactInformation + .RECOMMENDEDBY + .DOCSDESCRIPTION + Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $TenantID = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/organization' -tenantid $tenant) $CurrentInfo = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$($TenantID.id)" -tenantid $Tenant @@ -63,3 +95,7 @@ function Invoke-CIPPStandardMailContacts { Add-CIPPBPAField -FieldName 'MailContacts' -FieldValue $CurrentInfo -StoreAs json -Tenant $tenant } } + + + + 
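Review bot: `.DISABLEDFEATURES` is introduced with an empty value and appears in none of the sibling comment blocks in this diff, so either the parser (presumably Tools\Update-StandardsComments.ps1) knows this key and the other blocks are missing it, or it is a stray line; make it consistent one way or the other. The `.POWERSHELLEQUIVALENT` `Set-MsolCompanyContactInformation` refers to the retired MSOnline module while the context lines read the organization through Graph (`https://graph.microsoft.com/beta/organization`); `Update-MgOrganization` is the current equivalent. `.DOCSDESCRIPTION` is repeated verbatim; keep one.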
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 index 863110cdac69..79fa04d4c3fc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 
@@ -1,8 +1,43 @@ function Invoke-CIPPStandardMalwareFilterPolicy { - <# - .FUNCTIONALITY - Internal - #> + <# + .FUNCTIONALITY + Internal + .APINAME + MalwareFilterPolicy + .CAT + Defender Standards + .TAG + "lowimpact" + "CIS" + "mdo_zapspam" + "mdo_zapphish" + "mdo_zapmalware" + .HELPTEXT + This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware. + .ADDEDCOMPONENT + {"type":"Select","label":"FileTypeAction","name":"standards.MalwareFilterPolicy.FileTypeAction","values":[{"label":"Reject","value":"Reject"},{"label":"Quarantine the message","value":"Quarantine"}]} + {"type":"Select","label":"QuarantineTag","name":"standards.MalwareFilterPolicy.QuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + {"type":"boolean","label":"Enable Internal Sender Admin Notifications","name":"standards.MalwareFilterPolicy.EnableInternalSenderAdminNotifications"} + {"type":"input","name":"standards.MalwareFilterPolicy.InternalSenderAdminAddress","label":"Internal Sender Admin Address"} + {"type":"boolean","label":"Enable External Sender Admin Notifications","name":"standards.MalwareFilterPolicy.EnableExternalSenderAdminNotifications"} + {"type":"input","name":"standards.MalwareFilterPolicy.ExternalSenderAdminAddress","label":"External Sender Admin Address"} + .LABEL + Default Malware Filter Policy + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-MalwareFilterPolicy or New-MalwareFilterPolicy + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + This creates a Malware filter policy that enables the default File filter and Zero-hour auto purge for malware. 
+ .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + #> + + + + param($Tenant, $Settings) $PolicyName = 'Default Malware Policy' @@ -119,3 +154,7 @@ function Invoke-CIPPStandardMalwareFilterPolicy { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 index 820486c52ef3..b5012d7aefea 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMessageExpiration.ps1 @@ -2,7 +2,33 @@ function Invoke-CIPPStandardMessageExpiration { <# .FUNCTIONALITY Internal + .APINAME + MessageExpiration + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the transport message configuration to timeout a message at 12 hours. + .DOCSDESCRIPTION + Expires messages in the transport queue after 12 hours. Makes the NDR for failed messages show up faster for users. Default is 24 hours. + .ADDEDCOMPONENT + .LABEL + Lower Transport Message Expiration to 12 hours + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-TransportConfig -MessageExpirationTimeout 12.00:00:00 + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the transport message configuration to timeout a message at 12 hours. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $MessageExpiration = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig').messageExpiration @@ -34,3 +60,7 @@ function Invoke-CIPPStandardMessageExpiration { Add-CIPPBPAField -FieldName 'messageExpiration' -FieldValue $MessageExpiration -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 index 6d387b212767..116b3d4ed40f 100644 
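Review bot: The `.TAG` list adds `"mdo_zapspam"` and `"mdo_zapphish"` alongside `"mdo_zapmalware"`, but the `.HELPTEXT` describes only `Zero-hour auto purge for malware` and the named equivalents `Set-MalwareFilterPolicy or New-MalwareFilterPolicy` do not control ZAP for spam or phish — those settings live on the anti-spam (hosted content filter) policy. Unless the body, which continues outside the hunk, also configures that policy, keep only `"mdo_zapmalware"` so the tags do not mark the tenant as covered for checks this standard does not enforce. The `.ADDEDCOMPONENT` inputs for `InternalSenderAdminAddress` and `ExternalSenderAdminAddress` take free text; saying in the label that a single SMTP address is expected would help.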
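Review bot: The `.POWERSHELLEQUIVALENT` `Set-TransportConfig -MessageExpirationTimeout 12.00:00:00` contradicts the `.HELPTEXT` and `.LABEL` (12 hours): in the PowerShell/.NET TimeSpan format `d.hh:mm:ss`, `12.00:00:00` is twelve days. Twelve hours is `12:00:00` (or `0.12:00:00`), so the line should read `Set-TransportConfig -MessageExpirationTimeout 12:00:00`. Whether the remediation body uses the correct literal cannot be seen here because it lies outside the hunk; it is worth checking the same value there.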
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardNudgeMFA.ps1 @@ -2,7 +2,35 @@ function Invoke-CIPPStandardNudgeMFA { <# .FUNCTIONALITY Internal + .APINAME + NudgeMFA + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the state of the registration campaign for the tenant + .DOCSDESCRIPTION + Sets the state of the registration campaign for the tenant. If enabled nudges users to set up the Microsoft Authenticator during sign-in. + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.NudgeMFA.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + {"type":"number","name":"standards.NudgeMFA.snoozeDurationInDays","label":"Number of days to allow users to skip registering Authenticator (0-14, default is 1)","default":1} + .LABEL + Sets the state for the request to setup Authenticator + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgPolicyAuthenticationMethodPolicy + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the state of the registration campaign for the tenant + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy' -tenantid $Tenant @@ -57,3 +85,7 @@ function Invoke-CIPPStandardNudgeMFA { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 index 38d2b41dfce3..036bd6f011d0 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsent.ps1 
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardOauthConsent { <# .FUNCTIONALITY Internal + .APINAME + OauthConsent + .CAT + Entra (AAD) Standards + .TAG + "mediumimpact" + "CIS" + .HELPTEXT + Disables users from being able to consent to applications, except for those specified in the field below + .DOCSDESCRIPTION + Requires users to get administrator consent before sharing data with applications. You can preapprove specific applications. + .ADDEDCOMPONENT + {"type":"input","name":"standards.OauthConsent.AllowedApps","label":"Allowed application IDs, comma separated"} + .LABEL + Require admin consent for applications (Prevent OAuth phishing) + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Disables users from being able to consent to applications, except for those specified in the field below + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($tenant, $settings) $State = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant $StateIsCorrect = if ($State.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'managePermissionGrantsForSelf.cipp-consent-policy') { $true } else { $false } @@ -46,3 +75,7 @@ function Invoke-CIPPStandardOauthConsent { Add-CIPPBPAField -FieldName 'OauthConsent' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 index 42814d48cfb6..ba94c4f77843 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOauthConsentLowSec.ps1 
@@ -2,7 +2,32 @@ function Invoke-CIPPStandardOauthConsentLowSec { <# .FUNCTIONALITY Internal + .APINAME + OauthConsentLowSec + .CAT + Entra (AAD) Standards + .TAG + "mediumimpact" + .HELPTEXT + Sets the default oauth consent level so users can consent to applications that have low risks. + .DOCSDESCRIPTION + Allows users to consent to applications with low assigned risk. + .LABEL + Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure) + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the default oauth consent level so users can consent to applications that have low risks. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $State = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy' -tenantid $tenant) If ($Settings.remediate -eq $true) { @@ -34,3 +59,7 @@ function Invoke-CIPPStandardOauthConsentLowSec { Add-CIPPBPAField -FieldName 'OauthConsentLowSec' -FieldValue $State.permissionGrantPolicyIdsAssignedToDefaultUserRole -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 index a786a7d044b8..8ab6cab3d30e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardOutBoundSpamAlert.ps1 
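Review bot: The new comment block omits the `.ADDEDCOMPONENT` key that every other block in this diff carries (even when empty), so a parser walking a fixed key list may fall through or mis-assign `.LABEL`. Add an empty `.ADDEDCOMPONENT` line between `.DOCSDESCRIPTION` and `.LABEL` to match the siblings. The `.LABEL` caveat `(Prevent OAuth phishing. Lower impact, less secure)` is useful; consider carrying it into `.DOCSDESCRIPTION`, which currently says only `Allows users to consent to applications with low assigned risk.`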
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardOutBoundSpamAlert { <# .FUNCTIONALITY Internal + .APINAME + OutBoundSpamAlert + .CAT + Exchange Standards + .TAG + "lowimpact" + "CIS" + .HELPTEXT + Set the Outbound Spam Alert e-mail address + .DOCSDESCRIPTION + Sets the e-mail address to which outbound spam alerts are sent. + .ADDEDCOMPONENT + {"type":"input","name":"standards.OutBoundSpamAlert.OutboundSpamContact","label":"Outbound spam contact"} + .LABEL + Set Outbound Spam Alert e-mail + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-HostedOutboundSpamFilterPolicy + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Set the Outbound Spam Alert e-mail address + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-HostedOutboundSpamFilterPolicy' -useSystemMailbox $true @@ -35,3 +64,7 @@ function Invoke-CIPPStandardOutBoundSpamAlert { Add-CIPPBPAField -FieldName 'OutboundSpamAlert' -FieldValue $CurrentInfo.NotifyOutboundSpam -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 index c2e3c7a687b7..8148322ca651 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWcompanionAppAllowedState.ps1 
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState { <# .FUNCTIONALITY Internal + .APINAME + PWcompanionAppAllowedState + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the state of Authenticator Lite, Authenticator lite is a companion app for passwordless authentication. + .DOCSDESCRIPTION + Sets the Authenticator Lite state to enabled. This allows users to use the Authenticator Lite built into the Outlook app instead of the full Authenticator app. + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.PWcompanionAppAllowedState.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + .LABEL + Set Authenticator Lite state + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the state of Authenticator Lite, Authenticator lite is a companion app for passwordless authentication. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $authenticatorFeaturesState = (New-GraphGetRequest -tenantid $tenant -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -Type GET) @@ -58,3 +85,7 @@ function Invoke-CIPPStandardPWcompanionAppAllowedState { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 index 2f85c01bf859..83b2b276195e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPWdisplayAppInformationRequiredState.ps1 
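Review bot: `.DOCSDESCRIPTION` says `Sets the Authenticator Lite state to enabled`, but the `.ADDEDCOMPONENT` select for `standards.PWcompanionAppAllowedState.state` offers both `enabled` and `disabled`, and `.HELPTEXT` calls it `a companion app for passwordless authentication`, whereas Microsoft documents Authenticator Lite (built into Outlook) as an MFA push/TOTP experience rather than a passwordless method. Suggest `Sets the Authenticator Lite state (enabled or disabled). Authenticator Lite lets users complete MFA prompts from the Outlook app instead of the full Microsoft Authenticator app.` and align `.HELPTEXT` with it. The body applying the state is outside the hunk.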
@@ -2,7 +2,35 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState { <# .FUNCTIONALITY Internal + .APINAME + PWdisplayAppInformationRequiredState + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + "CIS" + .HELPTEXT + Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name. + .DOCSDESCRIPTION + Allows users to use Passwordless with Number Matching and adds location information from the last request + .ADDEDCOMPONENT + .LABEL + Enable Passwordless with Location information and Number Matching + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant $State = if ($CurrentInfo.state -eq 'enabled') { $true } else { $false } @@ -27,3 +55,7 @@ function Invoke-CIPPStandardPWdisplayAppInformationRequiredState { Add-CIPPBPAField -FieldName 'PWdisplayAppInformationRequiredState' -FieldValue $State -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 index 5cf8dac138a1..c4b2bff28cd7 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPasswordExpireDisabled.ps1 
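Review bot: The three descriptive fields describe three different Authenticator settings: `.HELPTEXT` talks about showing the requesting application's name, `.DOCSDESCRIPTION` about `Number Matching` plus `location information`, and `.LABEL` about `Passwordless with Location information and Number Matching`. Which properties the body actually sets is outside the hunk, so pick the wording that matches them and use it in all three; if it sets both app and location context, `Enables additional context (application name and sign-in location) in Microsoft Authenticator MFA prompts.` covers it. Number matching has been enforced tenant-wide by Microsoft since 2023, so presenting it as something this standard enables is misleading.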
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardPasswordExpireDisabled { <# .FUNCTIONALITY Internal + .APINAME + PasswordExpireDisabled + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + "CIS" + "PWAgePolicyNew" + .HELPTEXT + Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user. + .DOCSDESCRIPTION + Sets passwords to never expire for tenant, recommended to use in conjunction with secure password requirements. + .ADDEDCOMPONENT + .LABEL + Do not expire passwords + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgDomain + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $GraphRequest = New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/domains' -tenantid $Tenant $DomainswithoutPassExpire = $GraphRequest | Where-Object -Property passwordValidityPeriodInDays -NE '2147483647' @@ -43,3 +72,7 @@ function Invoke-CIPPStandardPasswordExpireDisabled { Add-CIPPBPAField -FieldName 'PasswordExpireDisabled' -FieldValue $DomainswithoutPassExpire -StoreAs json -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 index c83204529423..5f08753147f6 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPerUserMFA.ps1 
@@ -2,7 +2,31 @@ function Invoke-CIPPStandardPerUserMFA { <# .FUNCTIONALITY Internal + .APINAME + PerUserMFA + .CAT + Entra (AAD) Standards + .TAG + "highimpact" + .HELPTEXT + Enables per user MFA for all users. + .ADDEDCOMPONENT + .LABEL + Enables per user MFA for all users. + .IMPACT + High Impact + .POWERSHELLEQUIVALENT + Graph API + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables per user MFA for all users. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $GraphRequest = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users?`$top=999&`$select=UserPrincipalName,accountEnabled" -scope 'https://graph.microsoft.com/.default' -tenantid $Tenant | Where-Object { $_.AccountEnabled -EQ $true } @@ -39,3 +63,7 @@ function Invoke-CIPPStandardPerUserMFA { Add-CIPPBPAField -FieldName 'LegacyMFAUsers' -FieldValue $UsersWithoutMFA -StoreAs json -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 index 8d0e37ffe6b0..1ed18b3104f5 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardPhishProtection.ps1 
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardPhishProtection { <# .FUNCTIONALITY Internal + .APINAME + PhishProtection + .CAT + Global Standards + .TAG + "lowimpact" + .HELPTEXT + Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate. + .ADDEDCOMPONENT + .LABEL + Enable Phishing Protection system via branding CSS + .IMPACT + Low Impact + .DISABLEDFEATURES + + .POWERSHELLEQUIVALENT + Portal only + .RECOMMENDEDBY + "CIPP" + .DOCSDESCRIPTION + Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $TenantId = Get-Tenants | Where-Object -Property defaultDomainName -EQ $tenant @@ -56,3 +83,7 @@ function Invoke-CIPPStandardPhishProtection { Add-CIPPBPAField -FieldName 'PhishProtection' -FieldValue $authstate -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 index e149d3aec70d..135d55c06641 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardRotateDKIM.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardRotateDKIM { <# .FUNCTIONALITY Internal + .APINAME + RotateDKIM + .CAT + Exchange Standards + .TAG + "lowimpact" + "CIS" + .HELPTEXT + Rotate DKIM keys that are 1024 bit to 2048 bit + .ADDEDCOMPONENT + .LABEL + Rotate DKIM keys that are 1024 bit to 2048 bit + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Rotate-DkimSigningConfig + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Rotate DKIM keys that are 1024 bit to 2048 bit + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $DKIM = (New-ExoRequest -tenantid $tenant -cmdlet 'Get-DkimSigningConfig') | Where-Object { $_.Selector1KeySize -Eq 1024 -and $_.Enabled -eq $true } @@ -36,3 +62,7 @@ function Invoke-CIPPStandardRotateDKIM { Add-CIPPBPAField -FieldName 'DKIM' -FieldValue $DKIM -StoreAs json -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 index bad693702eb5..dc080914f7b8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeAttachmentPolicy.ps1 
@@ -1,8 +1,41 @@ function Invoke-CIPPStandardSafeAttachmentPolicy { - <# - .FUNCTIONALITY - Internal - #> + <# + .FUNCTIONALITY + Internal + .APINAME + SafeAttachmentPolicy + .CAT + Defender Standards + .TAG + "lowimpact" + "CIS" + "mdo_safedocuments" + "mdo_commonattachmentsfilter" + "mdo_safeattachmentpolicy" + .HELPTEXT + This creates a Safe Attachment policy + .ADDEDCOMPONENT + {"type":"Select","label":"Action","name":"standards.SafeAttachmentPolicy.Action","values":[{"label":"Allow","value":"Allow"},{"label":"Block","value":"Block"},{"label":"DynamicDelivery","value":"DynamicDelivery"}]} + {"type":"Select","label":"QuarantineTag","name":"standards.SafeAttachmentPolicy.QuarantineTag","values":[{"label":"AdminOnlyAccessPolicy","value":"AdminOnlyAccessPolicy"},{"label":"DefaultFullAccessPolicy","value":"DefaultFullAccessPolicy"},{"label":"DefaultFullAccessWithNotificationPolicy","value":"DefaultFullAccessWithNotificationPolicy"}]} + {"type":"boolean","label":"Redirect","name":"standards.SafeAttachmentPolicy.Redirect"} + {"type":"input","name":"standards.SafeAttachmentPolicy.RedirectAddress","label":"Redirect Address"} + .LABEL + Default Safe Attachment Policy + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-SafeAttachmentPolicy or New-SafeAttachmentPolicy + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + This creates a Safe Attachment policy + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + #> + + + + param($Tenant, $Settings) $PolicyName = 'Default Safe Attachment Policy' @@ -104,3 +137,7 @@ function Invoke-CIPPStandardSafeAttachmentPolicy { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 index 1e68ef5a2475..92220f54e19c 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeLinksPolicy.ps1 
@@ -1,8 +1,39 @@ function Invoke-CIPPStandardSafeLinksPolicy { - <# - .FUNCTIONALITY - Internal - #> + <# + .FUNCTIONALITY + Internal + .APINAME + SafeLinksPolicy + .CAT + Defender Standards + .TAG + "lowimpact" + "CIS" + "mdo_safelinksforemail" + "mdo_safelinksforOfficeApps" + .HELPTEXT + This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders + .ADDEDCOMPONENT + {"type":"boolean","label":"AllowClickThrough","name":"standards.SafeLinksPolicy.AllowClickThrough"} + {"type":"boolean","label":"DisableUrlRewrite","name":"standards.SafeLinksPolicy.DisableUrlRewrite"} + {"type":"boolean","label":"EnableOrganizationBranding","name":"standards.SafeLinksPolicy.EnableOrganizationBranding"} + .LABEL + Default SafeLinks Policy + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-SafeLinksPolicy or New-SafeLinksPolicy + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + This creates a safelink policy that automatically scans, tracks, and and enables safe links for Email, Office, and Teams for both external and internal senders + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + #> + + + + param($Tenant, $Settings) $PolicyName = 'Default SafeLinks Policy' @@ -116,3 +147,7 @@ function Invoke-CIPPStandardSafeLinksPolicy { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 index d70fe30cef99..de39be25829d 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSafeSendersDisable.ps1 
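Review bot: `.HELPTEXT` and `.DOCSDESCRIPTION` both read `scans, tracks, and and enables safe links`; the doubled "and" is user-facing text in both the UI and the generated docs. Change both to `scans, tracks, and enables safe links for Email, Office, and Teams for both external and internal senders`. The function body continues outside the hunk.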
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardSafeSendersDisable { <# .FUNCTIONALITY Internal + .APINAME + SafeSendersDisable + .CAT + Exchange Standards + .TAG + "mediumimpact" + .HELPTEXT + Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF. + .ADDEDCOMPONENT + .DISABLEDFEATURES + + .LABEL + Remove Safe Senders to prevent SPF bypass + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-MailboxJunkEmailConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) If ($Settings.remediate -eq $true) { @@ -36,3 +62,7 @@ function Invoke-CIPPStandardSafeSendersDisable { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 index 07bc25df5021..d563d8c1fd4e 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSecurityDefaults.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardSecurityDefaults { <# .FUNCTIONALITY Internal + .APINAME + SecurityDefaults + .CAT + Entra (AAD) Standards + .TAG + "highimpact" + .HELPTEXT + Enables security defaults for the tenant, for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access. + .DOCSDESCRIPTION + Enables SD for the tenant, which disables all forms of basic authentication and enforces users to configure MFA. Users are only prompted for MFA when a logon is considered 'suspect' by Microsoft. + .ADDEDCOMPONENT + .LABEL + Enable Security Defaults + .IMPACT + High Impact + .POWERSHELLEQUIVALENT + [Read more here](https://www.cyberdrain.com/automating-with-powershell-enabling-secure-defaults-and-sd-explained/) + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables security defaults for the tenant, for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $SecureDefaultsState = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/identitySecurityDefaultsEnforcementPolicy' -tenantid $tenant) @@ -36,3 +62,7 @@ function Invoke-CIPPStandardSecurityDefaults { Add-CIPPBPAField -FieldName 'SecurityDefaults' -FieldValue $SecureDefaultsState.IsEnabled -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 index ce7d56f76454..14b551316e11 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendFromAlias.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardSendFromAlias { <# .FUNCTIONALITY Internal + .APINAME + SendFromAlias + .CAT + Exchange Standards + .TAG + "mediumimpact" + .HELPTEXT + Enables the ability for users to send from their alias addresses. + .DOCSDESCRIPTION + Allows users to change the 'from' address to any set in their Azure AD Profile. + .ADDEDCOMPONENT + .LABEL + Allow users to send from their alias addresses + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-Mailbox + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables the ability for users to send from their alias addresses. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').SendFromAliasEnabled @@ -33,3 +59,7 @@ function Invoke-CIPPStandardSendFromAlias { Add-CIPPBPAField -FieldName 'SendFromAlias' -FieldValue $CurrentInfo -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 index 68c7519f5e25..a9ba445828ed 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSendReceiveLimitTenant.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardSendReceiveLimitTenant { <# .FUNCTIONALITY Internal + .APINAME + SendReceiveLimitTenant + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB + .ADDEDCOMPONENT + {"type":"number","name":"standards.SendReceiveLimitTenant.SendLimit","label":"Send limit in MB (Default is 35)","default":35} + {"type":"number","name":"standards.SendReceiveLimitTenant.ReceiveLimit","label":"Receive Limit in MB (Default is 36)","default":36} + .LABEL + Set send/receive size limits + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-MailboxPlan + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) # Input validation @@ -62,3 +88,7 @@ function Invoke-CIPPStandardSendReceiveLimitTenant { Add-CIPPBPAField -FieldName 'SendReceiveLimit' -FieldValue $NotSetCorrectly -StoreAs json -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 index f6605904777f..3fe19fbad3c4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardShortenMeetings.ps1 
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardShortenMeetings { <# .FUNCTIONALITY Internal + .APINAME + ShortenMeetings + .CAT + Exchange Standards + .TAG + "mediumimpact" + .HELPTEXT + Sets the shorten meetings settings on a tenant level. This will shorten meetings by the selected amount of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are over 60 minutes. + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.ShortenMeetings.ShortenEventScopeDefault","values":[{"label":"Disabled/None","value":"None"},{"label":"End early","value":"EndEarly"},{"label":"Start late","value":"StartLate"}]} + {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceShortEventsBy","label":"Minutes to reduce short calendar events by (Default is 5)","default":5} + {"type":"number","name":"standards.ShortenMeetings.DefaultMinutesToReduceLongEventsBy","label":"Minutes to reduce long calendar events by (Default is 10)","default":10} + .LABEL + Set shorten meetings state + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig -ShortenEventScopeDefault -DefaultMinutesToReduceShortEventsBy -DefaultMinutesToReduceLongEventsBy + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the shorten meetings settings on a tenant level. This will shorten meetings by the selected amount of minutes. Valid values are 0 to 29. Short meetings are under 60 minutes, long meetings are over 60 minutes. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) # Input validation @@ -55,3 +82,7 @@ function Invoke-CIPPStandardShortenMeetings { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 index af9e03c6122c..17e4762e44f8 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 @@ -2,7 +2,36 @@ function Invoke-CIPPStandardSpoofWarn { <# .FUNCTIONALITY Internal + .APINAME + SpoofWarn + .CAT + Exchange Standards + .TAG + "lowimpact" + "CIS" + .HELPTEXT + Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA + .DOCSDESCRIPTION + Adds or removes indicators to e-mail messages received from external senders in Outlook. You can read more about this feature on [Microsoft's Exchange Team Blog.](https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098) + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.SpoofWarn.state","values":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + .LABEL + Enable or disable 'external' warning in Outlook + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + et-ExternalInOutlook –Enabled $true or $false + .RECOMMENDEDBY + "CIS" + .DOCSDESCRIPTION + Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ExternalInOutlook') @@ -45,3 +74,7 @@ function Invoke-CIPPStandardSpoofWarn { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 index ef315d877530..fc53152bb426 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTAP.ps1 
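Review bot: `.POWERSHELLEQUIVALENT` reads `et-ExternalInOutlook –Enabled $true or $false` — the cmdlet name is missing its leading `S` and the parameter uses an en dash (`–`) instead of a hyphen, so the line cannot be pasted into a shell as written. Change it to `Set-ExternalInOutlook -Enabled $true or $false`; the hunk's own context line reads the setting with `Get-ExternalInOutlook`, so the Set- counterpart is the intended equivalent. The function body continues outside the hunk.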
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardTAP { <# .FUNCTIONALITY Internal + .APINAME + TAP + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select is a TAP is single use or multi-logon. + .DOCSDESCRIPTION + Enables Temporary Password generation for the tenant. + .ADDEDCOMPONENT + {"type":"Select","label":"Select TAP Lifetime","name":"standards.TAP.config","values":[{"label":"Only Once","value":"true"},{"label":"Multiple Logons","value":"false"}]} + .LABEL + Enable Temporary Access Passwords + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select is a TAP is single use or multi-logon. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/policies/authenticationmethodspolicy/authenticationMethodConfigurations/TemporaryAccessPass' -tenantid $Tenant @@ -34,3 +61,7 @@ function Invoke-CIPPStandardTAP { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 index 615dd6e94237..7945d9e4a2f3 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTeamsMeetingsByDefault.ps1 
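Review bot: `.HELPTEXT` and the second `.DOCSDESCRIPTION` read `select is a TAP is single use`, which should be `select if a TAP is single use`, and the first `.DOCSDESCRIPTION` calls the feature "Temporary Password generation" while the label and the Graph path in the context line (`TemporaryAccessPass`) are Temporary Access Pass. Suggest `Enables Temporary Access Pass generation for the tenant.` so operators searching the docs find the feature under its real name. The function body continues outside the hunk.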
@@ -2,7 +2,32 @@ function Invoke-CIPPStandardTeamsMeetingsByDefault { <# .FUNCTIONALITY Internal + .APINAME + TeamsMeetingsByDefault + .CAT + Exchange Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook. + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.TeamsMeetingsByDefault.state","values":[{"label":"Enabled","value":"true"},{"label":"Disabled","value":"false"}]} + .LABEL + Set Teams Meetings by default state + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Set-OrganizationConfig -OnlineMeetingsByDefaultEnabled + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the default state for automatically turning meetings into Teams meetings for the tenant. This can be overridden by the user in Outlook. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentState = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OrganizationConfig').OnlineMeetingsByDefaultEnabled @@ -45,3 +70,7 @@ function Invoke-CIPPStandardTeamsMeetingsByDefault { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 index c2651ae346a9..180b8323ca23 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardTenantDefaultTimezone.ps1 
@@ -2,8 +2,33 @@ function Invoke-CIPPStandardTenantDefaultTimezone { <# .FUNCTIONALITY Internal + .APINAME + TenantDefaultTimezone + .CAT + SharePoint Standards + .TAG + "lowimpact" + .HELPTEXT + Sets the default timezone for the tenant. This will be used for all new users and sites. + .ADDEDCOMPONENT + {"type":"TimezoneSelect","name":"standards.TenantDefaultTimezone.Timezone","label":"Timezone"} + .LABEL + Set Default Timezone for Tenant + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaAdminSharepointSetting + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the default timezone for the tenant. This will be used for all new users and sites. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true @@ -43,3 +68,7 @@ function Invoke-CIPPStandardTenantDefaultTimezone { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 index 51cef2225307..f662a8f200f3 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUndoOauth.ps1 
@@ -2,7 +2,31 @@ function Invoke-CIPPStandardUndoOauth { <# .FUNCTIONALITY Internal + .APINAME + UndoOauth + .CAT + Entra (AAD) Standards + .TAG + "highimpact" + .HELPTEXT + Disables App consent and set to Allow user consent for apps + .ADDEDCOMPONENT + .LABEL + Undo App Consent Standard + .IMPACT + High Impact + .POWERSHELLEQUIVALENT + Update-MgPolicyAuthorizationPolicy + .RECOMMENDEDBY + .DOCSDESCRIPTION + Disables App consent and set to Allow user consent for apps + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentState = New-GraphGetRequest -tenantid $Tenant -Uri 'https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy?$select=permissionGrantPolicyIdsAssignedToDefaultUserRole' $State = if ($CurrentState.permissionGrantPolicyIdsAssignedToDefaultUserRole -eq 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') { $true } else { $false } @@ -36,3 +60,7 @@ function Invoke-CIPPStandardUndoOauth { Add-CIPPBPAField -FieldName 'UndoOauth' -FieldValue $State -StoreAs bool -Tenant $tenant } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1 similarity index 74% rename from Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1.ps1 rename to Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1 index 670da0608743..98466f02cec4 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserReportDestinationEmail.ps1 
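Review bot: For a `"highimpact"` standard, `.HELPTEXT` and `.DOCSDESCRIPTION` ("Disables App consent and set to Allow user consent for apps") understate what the remediation does: the context line in the hunk compares the authorization policy against `ManagePermissionGrantsForSelf.microsoft-user-default-legacy`, i.e. the legacy default in which users consent to applications on their own without an admin-consent workflow. Suggest wording such as `Removes the admin-consent requirement and restores the legacy default that lets users grant consent to applications themselves (ManagePermissionGrantsForSelf.microsoft-user-default-legacy).` so the impact is visible before the standard is enabled, and change `set` to `sets`. The function body continues outside the hunk.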
@@ -1,8 +1,31 @@ -function Invoke-CIPPStandardUserReportDestinationEmail { +function Invoke-CIPPStandardUserReportDestinationEmail { <# .FUNCTIONALITY Internal + .APINAME + UserReportDestinationEmail + .CAT + Exchange Standards + .TAG + "mediumimpact" + .HELPTEXT + Sets the destination for email when users report them as spam or phishing. Works well together with the 'Set the state of the built-in Report button in Outlook standard'. + .ADDEDCOMPONENT + {"type":"input","name":"standards.UserReportDestinationEmail.Email","label":"Destination email address"} + .LABEL + Set the destination email for user reported emails + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + New-ReportSubmissionRule or Set-ReportSubmissionRule + .RECOMMENDEDBY + .DOCSDESCRIPTION + Sets the destination for email when users report them as spam or phishing. Works well together with the 'Set the state of the built-in Report button in Outlook standard'. + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + param($Tenant, $Settings) # Input validation @@ -52,3 +75,5 @@ Add-CIPPBPAField -FieldName 'UserReportDestinationEmail' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant } } + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 index 0d20abaeb57a..4e1c15e55651 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardUserSubmissions.ps1 
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardUserSubmissions { <# .FUNCTIONALITY Internal + .APINAME + UserSubmissions + .CAT + Exchange Standards + .TAG + "mediumimpact" + .HELPTEXT + Set the state of the spam submission button in Outlook + .DOCSDESCRIPTION + Set the state of the built-in Report button in Outlook. This gives the users the ability to report emails as spam or phish. + .ADDEDCOMPONENT + {"type":"Select","label":"Select value","name":"standards.UserSubmissions.state","values":[{"label":"Enabled","value":"enable"},{"label":"Disabled","value":"disable"}]} + .LABEL + Set the state of the built-in Report button in Outlook + .IMPACT + Medium Impact + .POWERSHELLEQUIVALENT + New-ReportSubmissionPolicy or Set-ReportSubmissionPolicy + .RECOMMENDEDBY + .DOCSDESCRIPTION + Set the state of the spam submission button in Outlook + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $Policy = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ReportSubmissionPolicy' @@ -73,3 +100,7 @@ function Invoke-CIPPStandardUserSubmissions { } } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 index a5f43f175998..1c26284c9315 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOAuthTokens.ps1 
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardallowOAuthTokens { <# .FUNCTIONALITY Internal + .APINAME + allowOAuthTokens + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Allows you to use any software OAuth token generator + .DOCSDESCRIPTION + Enables OTP Software OAuth tokens for the tenant. This allows users to use OTP codes generated via software, like a password manager to be used as an authentication method. + .ADDEDCOMPONENT + .LABEL + Enable OTP Software OAuth tokens + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + Allows you to use any software OAuth token generator + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath' -tenantid $Tenant @@ -39,3 +65,7 @@ function Invoke-CIPPStandardallowOAuthTokens { } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 index 8459fce1aadc..57dd7c7adb49 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardallowOTPTokens.ps1 
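Review bot: The help text says "OAuth token generator" and the label "OTP Software OAuth tokens", but the setting this standard reads (`authenticationMethodConfigurations/softwareOath` in the hunk's context line) is the OATH software-token method (TOTP codes), which is unrelated to OAuth authorization; the mix-up will mislead operators looking for the feature. Suggest `Allows you to use any software OATH (TOTP) token generator` for `.HELPTEXT` and `Enable OTP Software OATH tokens` for `.LABEL`, leaving `.APINAME` unchanged since it is the settings key. The function body continues outside the hunk.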
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardallowOTPTokens { <# .FUNCTIONALITY Internal + .APINAME + allowOTPTokens + .CAT + Entra (AAD) Standards + .TAG + "lowimpact" + .HELPTEXT + Allows you to use MS authenticator OTP token generator + .DOCSDESCRIPTION + Allows you to use Microsoft Authenticator OTP token generator. Useful for using the NPS extension as MFA on VPN clients. + .ADDEDCOMPONENT + .LABEL + Enable OTP via Authenticator + .IMPACT + Low Impact + .POWERSHELLEQUIVALENT + Update-MgBetaPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration + .RECOMMENDEDBY + .DOCSDESCRIPTION + Allows you to use MS authenticator OTP token generator + .UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block #> + + + + param($Tenant, $Settings) $CurrentInfo = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' -tenantid $Tenant @@ -27,3 +53,7 @@ function Invoke-CIPPStandardallowOTPTokens { } } + + + + diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 index 491d35ab7eb5..e716d72e8651 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardcalDefault.ps1 
@@ -2,7 +2,36 @@ function Invoke-CIPPStandardcalDefault {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ calDefault
+ .CAT
+ Exchange Standards
+ .TAG
+ "lowimpact"
+ .HELPTEXT
+ Sets the default sharing level for the default calendar, for all users
+ .DOCSDESCRIPTION
+ Sets the default sharing level for the default calendar for all users in the tenant. You can read about the different sharing levels [here.](https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxfolderpermission?view=exchange-ps#-accessrights)
+ .DISABLEDFEATURES
+
+ .ADDEDCOMPONENT
+ {"type":"Select","label":"Select Sharing Level","name":"standards.calDefault.permissionlevel","values":[{"label":"Owner - The user can create, read, edit, and delete all items in the folder, and create subfolders. The user is both folder owner and folder contact.","value":"Owner"},{"label":"Publishing Editor - The user can create, read, edit, and delete all items in the folder, and create subfolders.","value":"PublishingEditor"},{"label":"Editor - The user can create items in the folder. The contents of the folder do not appear.","value":"Editor"},{"label":"Publishing Author. The user can read, create all items/subfolders. Can modify and delete only items they create.","value":"PublishingAuthor"},{"label":"Author - The user can create and read items, and modify and delete items that they create.","value":"Author"},{"label":"Non Editing Author - The user has full read access and create items. 
Can can delete only own items.","value":"NonEditingAuthor"},{"label":"Reviewer - The user can read all items in the folder.","value":"Reviewer"},{"label":"Contributor - The user can create items and folders.","value":"Contributor"},{"label":"Availability Only - Indicates that the user can view only free/busy time within the calendar.","value":"AvailabilityOnly"},{"label":"Limited Details - The user can view free/busy time within the calendar and the subject and location of appointments.","value":"LimitedDetails"},{"label":"None - The user has no permissions on the folder.","value":"none"}]}
+ .LABEL
+ Set Sharing Level for Default calendar
+ .IMPACT
+ Low Impact
+ .POWERSHELLEQUIVALENT
+ Set-MailboxFolderPermission
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ Sets the default sharing level for the default calendar, for all users
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings, $QueueItem)
 # Input validation
@@ -77,3 +106,7 @@ function Invoke-CIPPStandardcalDefault {
 Write-LogMessage -API 'Standards' -tenant $Tenant -message "Successfully set default calendar permissions for $SuccessCounter out of $TotalMailboxes mailboxes." -sev Info
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1
index b096ade25384..42f8977f066e 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandarddisableMacSync.ps1
@@ -2,7 +2,31 @@ function Invoke-CIPPStandarddisableMacSync {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ disableMacSync
+ .CAT
+ SharePoint Standards
+ .TAG
+ "highimpact"
+ .HELPTEXT
+ Disables the ability for Mac devices to sync with OneDrive.
+ .ADDEDCOMPONENT
+ .LABEL
+ Do not allow Mac devices to sync using OneDrive
+ .IMPACT
+ High Impact
+ .POWERSHELLEQUIVALENT
+ Update-MgAdminSharepointSetting
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ Disables the ability for Mac devices to sync with OneDrive.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
@@ -36,3 +60,7 @@ function Invoke-CIPPStandarddisableMacSync {
 Add-CIPPBPAField -FieldName 'MacSync' -FieldValue $CurrentInfo.isMacSyncAppEnabled -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1
index c049ebb95749..1a15822c6e38 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneBrandingProfile.ps1
@@ -1,8 +1,42 @@
 function Invoke-CIPPStandardintuneBrandingProfile {
- <#
- .FUNCTIONALITY
- Internal
- #>
+ <#
+ .FUNCTIONALITY
+ Internal
+ .APINAME
+ intuneBrandingProfile
+ .CAT
+ Intune Standards
+ .TAG
+ "lowimpact"
+ .HELPTEXT
+ Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level.
+ .ADDEDCOMPONENT
+ {"type":"input","name":"standards.intuneBrandingProfile.displayName","label":"Organization name"}
+ {"type":"boolean","name":"standards.intuneBrandingProfile.showLogo","label":"Show logo"}
+ {"type":"boolean","name":"standards.intuneBrandingProfile.showDisplayNameNextToLogo","label":"Show organization name next to logo"}
+ {"type":"input","name":"standards.intuneBrandingProfile.contactITName","label":"Contact IT name"}
+ {"type":"input","name":"standards.intuneBrandingProfile.contactITPhoneNumber","label":"Contact IT phone number"}
+ {"type":"input","name":"standards.intuneBrandingProfile.contactITEmailAddress","label":"Contact IT email address"}
+ {"type":"input","name":"standards.intuneBrandingProfile.contactITNotes","label":"Contact IT notes"}
+ {"type":"input","name":"standards.intuneBrandingProfile.onlineSupportSiteName","label":"Online support site name"}
+ {"type":"input","name":"standards.intuneBrandingProfile.onlineSupportSiteUrl","label":"Online support site URL"}
+ {"type":"input","name":"standards.intuneBrandingProfile.privacyUrl","label":"Privacy statement URL"}
+ .LABEL
+ Set Intune Company Portal branding profile
+ .IMPACT
+ Low Impact
+ .POWERSHELLEQUIVALENT
+ Graph API
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ Sets the branding profile for the Intune Company Portal app. This is a tenant wide setting and overrules any settings set on the app level. 
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/intuneBrandingProfiles/c3a59481-1bf2-46ce-94b3-66eec07a8d60/' -tenantid $Tenant -AsApp $true
@@ -65,3 +99,7 @@ function Invoke-CIPPStandardintuneBrandingProfile {
 Add-CIPPBPAField -FieldName 'intuneBrandingProfile' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1
index e261dbfb859c..9dbcdbba602c 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceReg.ps1
@@ -2,7 +2,32 @@ function Invoke-CIPPStandardintuneDeviceReg {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ intuneDeviceReg
+ .CAT
+ Intune Standards
+ .TAG
+ "mediumimpact"
+ .HELPTEXT
+ sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users
+ .ADDEDCOMPONENT
+ {"type":"number","name":"standards.intuneDeviceReg.max","label":"Maximum devices (Enter 2147483647 for unlimited.)"}
+ .LABEL
+ Set Maximum Number of Devices per user
+ .IMPACT
+ Medium Impact
+ .POWERSHELLEQUIVALENT
+ Update-MgBetaPolicyDeviceRegistrationPolicy
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant
 $StateIsCorrect = if ($PreviousSetting.userDeviceQuota -eq $Settings.max) { $true } else { $false }
@@ -38,3 +63,7 @@ function Invoke-CIPPStandardintuneDeviceReg {
 Add-CIPPBPAField -FieldName 'intuneDeviceReg' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1
index b150c84e2f0a..1ea419e2639d 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneDeviceRetirementDays.ps1
@@ -2,7 +2,32 @@ function Invoke-CIPPStandardintuneDeviceRetirementDays {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ intuneDeviceRetirementDays
+ .CAT
+ Intune Standards
+ .TAG
+ "lowimpact"
+ .HELPTEXT
+ A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days.
+ .ADDEDCOMPONENT
+ {"type":"number","name":"standards.intuneDeviceRetirementDays.days","label":"Maximum days (0 equals disabled)"}
+ .LABEL
+ Set inactive device retirement days
+ .IMPACT
+ Low Impact
+ .POWERSHELLEQUIVALENT
+ Graph API
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentInfo = (New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/deviceManagement/managedDeviceCleanupSettings' -tenantid $Tenant)
@@ -38,3 +63,7 @@ function Invoke-CIPPStandardintuneDeviceRetirementDays {
 Add-CIPPBPAField -FieldName 'intuneDeviceRetirementDays' -FieldValue $StateIsCorrect -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1
index 9698085e6cb7..79c0d352d1c9 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardintuneRequireMFA.ps1
@@ -2,7 +2,30 @@ function Invoke-CIPPStandardintuneRequireMFA {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ intuneRequireMFA
+ .CAT
+ Intune Standards
+ .TAG
+ "mediumimpact"
+ .HELPTEXT
+ Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access.
+ .LABEL
+ Require Multifactor Authentication to register or join devices with Microsoft Entra
+ .IMPACT
+ Medium Impact
+ .POWERSHELLEQUIVALENT
+ Update-MgBetaPolicyDeviceRegistrationPolicy
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant
@@ -37,3 +60,7 @@ function Invoke-CIPPStandardintuneRequireMFA {
 Add-CIPPBPAField -FieldName 'intuneRequireMFA' -FieldValue $RequireMFA -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1
index 84f24cffa73d..b159a5d5796f 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardlaps.ps1
@@ -2,7 +2,33 @@ function Invoke-CIPPStandardlaps {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ laps
+ .CAT
+ Entra (AAD) Standards
+ .TAG
+ "lowimpact"
+ .HELPTEXT
+ Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default.
+ .DOCSDESCRIPTION
+ Enables the LAPS functionality on the tenant. Prerequisite for using Windows LAPS via Azure AD.
+ .ADDEDCOMPONENT
+ .LABEL
+ Enable LAPS on the tenant
+ .IMPACT
+ Low Impact
+ .POWERSHELLEQUIVALENT
+ Portal or Graph API
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $PreviousSetting = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy' -tenantid $Tenant
@@ -36,3 +62,7 @@ function Invoke-CIPPStandardlaps {
 Add-CIPPBPAField -FieldName 'laps' -FieldValue $PreviousSetting.localAdminPassword.isEnabled -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
index 95dfcec5a26d..1f0f3f7e9f5d 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingCapability.ps1
@@ -2,7 +2,34 @@ function Invoke-CIPPStandardsharingCapability {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ sharingCapability
+ .CAT
+ SharePoint Standards
+ .TAG
+ "highimpact"
+ "CIS"
+ .HELPTEXT
+ Sets the default sharing level for OneDrive and Sharepoint. This is a tenant wide setting and overrules any settings set on the site level
+ .ADDEDCOMPONENT
+ {"type":"Select","label":"Select Sharing Level","name":"standards.sharingCapability.Level","values":[{"label":"Users can share only with people in the organization. No external sharing is allowed.","value":"disabled"},{"label":"Users can share with new and existing guests. Guests must sign in or provide a verification code.","value":"externalUserSharingOnly"},{"label":"Users can share with anyone by using links that do not require sign-in.","value":"externalUserAndGuestSharing"},{"label":"Users can share with existing guests (those already in the directory of the organization).","value":"existingExternalUserSharingOnly"}]}
+ .LABEL
+ Set Sharing Level for OneDrive and Sharepoint
+ .IMPACT
+ High Impact
+ .POWERSHELLEQUIVALENT
+ Update-MgBetaAdminSharepointSetting
+ .RECOMMENDEDBY
+ "CIS"
+ .DOCSDESCRIPTION
+ Sets the default sharing level for OneDrive and Sharepoint. This is a tenant wide setting and overrules any settings set on the site level
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
@@ -43,3 +70,7 @@ function Invoke-CIPPStandardsharingCapability {
 }
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1
index 9c7e7d11f555..c148a249f8e0 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardsharingDomainRestriction.ps1
@@ -1,8 +1,35 @@
 function Invoke-CIPPStandardsharingDomainRestriction {
- <#
- .FUNCTIONALITY
- Internal
- #>
+ <#
+ .FUNCTIONALITY
+ Internal
+ .APINAME
+ sharingDomainRestriction
+ .CAT
+ SharePoint Standards
+ .TAG
+ "highimpact"
+ "CIS"
+ .HELPTEXT
+ Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.
+ .ADDEDCOMPONENT
+ {"type":"Select","name":"standards.sharingDomainRestriction.Mode","label":"Limit external sharing by domains","values":[{"label":"Off","value":"none"},{"label":"Restirct sharing to specific domains","value":"allowList"},{"label":"Block sharing to specific domains","value":"blockList"}]}
+ {"type":"input","name":"standards.sharingDomainRestriction.Domains","label":"Domains to allow/block, comma separated"}
+ .LABEL
+ Restrict sharing to a specific domain
+ .IMPACT
+ High Impact
+ .POWERSHELLEQUIVALENT
+ Update-MgAdminSharepointSetting
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ Restricts sharing to only users with the specified domain. This is useful for organizations that only want to share with their own domain.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
+ #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentState = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
@@ -61,3 +88,7 @@ function Invoke-CIPPStandardsharingDomainRestriction {
 Add-CIPPBPAField -FieldName 'sharingDomainRestriction' -FieldValue [bool]$StateIsCorrect -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1
index 8a234d8eff2a..cc7f13e36fa8 100644
--- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1
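Review bot: The ADDEDCOMPONENT select option `Restirct sharing to specific domains` in the new comment block carries a typo, and since this block is generated from standards.json by Tools/Update-StandardsComments.ps1 (per the `.UPDATECOMMENTBLOCK` entry), the label presumably reaches the UI from the same source. Correcting it to `Restrict sharing to specific domains` in standards.json and regenerating keeps the two in sync, whereas editing this file alone would be overwritten on the next run.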
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardunmanagedSync.ps1
@@ -2,7 +2,31 @@ function Invoke-CIPPStandardunmanagedSync {
 <#
 .FUNCTIONALITY
 Internal
+ .APINAME
+ unmanagedSync
+ .CAT
+ SharePoint Standards
+ .TAG
+ "highimpact"
+ .HELPTEXT
+ The unmanaged Sync standard has been temporarily disabled and does nothing.
+ .ADDEDCOMPONENT
+ .LABEL
+ Only allow users to sync OneDrive from AAD joined devices
+ .IMPACT
+ High Impact
+ .POWERSHELLEQUIVALENT
+ Update-MgAdminSharepointSetting
+ .RECOMMENDEDBY
+ .DOCSDESCRIPTION
+ The unmanaged Sync standard has been temporarily disabled and does nothing.
+ .UPDATECOMMENTBLOCK
+ Run the Tools\Update-StandardsComments.ps1 script to update this comment block
 #>
+
+
+
+
 param($Tenant, $Settings)
 $CurrentInfo = New-GraphGetRequest -Uri 'https://graph.microsoft.com/beta/admin/sharepoint/settings' -tenantid $Tenant -AsApp $true
@@ -35,3 +59,7 @@ function Invoke-CIPPStandardunmanagedSync {
 Add-CIPPBPAField -FieldName 'unmanagedSync' -FieldValue $CurrentInfo.isUnmanagedSyncAppForTenantRestricted -StoreAs bool -Tenant $tenant
 }
 }
+
+
+
+
diff --git a/Tools/Update-StandardsComments.ps1 b/Tools/Update-StandardsComments.ps1
new file mode 100644
index 000000000000..3c47284284c0
--- /dev/null
+++ b/Tools/Update-StandardsComments.ps1
@@ -0,0 +1,97 @@
+<#
+.SYNOPSIS
+ This script updates the comment block in the CIPP standard files.
+
+.DESCRIPTION
+ The script reads the standards.json file and updates the comment block in the corresponding CIPP standard files.
+ It adds or modifies the comment block based on the properties defined in the standards.json file.
+ This is made to be able to generate the help documentation for the CIPP standards automatically.
+
+.INPUTS
+ None. You cannot pipe objects to this script.
+
+.OUTPUTS
+ None. The script modifies the CIPP standard files directly.
+
+.EXAMPLE
+ Update-StandardsComments.ps1
+
+ This example runs the script to update the comment block in the CIPP standard files.
+
+#>
+param (
+ [switch]$WhatIf
+)
+
+# Find the paths to the standards.json file based on the current script path
+$StandardsJSONPath = Split-Path (Split-Path $PSScriptRoot)
+$StandardsJSONPath = Resolve-Path "$StandardsJSONPath\*\src\data\standards.json"
+$StandardsInfo = Get-Content -Path $StandardsJSONPath | ConvertFrom-Json -Depth 10
+
+foreach ($Standard in $StandardsInfo) {
+
+ # Calculate the standards file name and path
+ $StandardFileName = $Standard.name -replace 'standards.', 'Invoke-CIPPStandard'
+ $StandardsFilePath = Resolve-Path "$(Split-Path $PSScriptRoot)\Modules\CIPPCore\Public\Standards\$StandardFileName.ps1"
+ if (-not (Test-Path $StandardsFilePath)) {
+ Write-Host "No file found for standard $($Standard.name)" -ForegroundColor Yellow
+ continue
+ }
+ $Content = Get-Content -Path $StandardsFilePath -Raw
+
+ # Regex to match the existing comment block
+ $Regex = '<#(.|\n)*?\.FUNCTIONALITY\s*Internal(.|\n)*?#>'
+
+ if ($Content -match $Regex) {
+ $NewComment = [System.Collections.Generic.List[string]]::new()
+ # Add the initial scatic comments
+ $NewComment.Add("<#`n")
+ $NewComment.Add(" .FUNCTIONALITY`n")
+ $NewComment.Add(" Internal`n")
+ $NewComment.Add(" .APINAME`n")
+ $NewComment.Add(" $($Standard.name -replace 'standards.', '')`n")
+
+ # Loop through the 
properties of the standard and add them to the comment block
+ foreach ($Property in $Standard.PSObject.Properties) {
+ if ($Property.Name -eq 'name') { continue }
+ if ($Property.Name -eq 'impactColour') { continue }
+
+ # If the property is docsDescription and is empty, use the helpText instead
+ if ($Property.Name -eq 'docsDescription' -and ([string]::IsNullOrWhiteSpace($Property.Value))) {
+ $NewComment.Add(" .$('docsDescription'.ToUpper())`n")
+ $NewComment.Add(" $($Standard.helpText.ToString())`n")
+ continue
+ }
+
+ $NewComment.Add(" .$($Property.Name.ToUpper())`n")
+ # Flatten objects to JSON
+ if ($Property.Value -is [System.Object[]]) {
+ foreach ($Value in $Property.Value) {
+ $NewComment.Add(" $(ConvertTo-Json -InputObject $Value -Depth 5 -Compress)`n")
+ }
+ continue
+ }
+ $NewComment.Add(" $($Property.Value.ToString())`n")
+ }
+
+ # Add DOCSDESCRIPTION if it doesn't exist
+ if ($NewComment -notcontains '.DOCSDESCRIPTION') {
+ $NewComment.Add(" .DOCSDESCRIPTION`n")
+ $NewComment.Add(" $($Standard.helpText.ToString())`n")
+ }
+ # Add header about how to update the comment block with this script
+ $NewComment.Add(" .UPDATECOMMENTBLOCK`n")
+ $NewComment.Add(" Run the Tools\Update-StandardsComments.ps1 script to update this comment block`n")
+ $NewComment.Add(" #>`n")
+
+ # Write the new comment block to the file
+ if ($WhatIf.IsPresent) {
+ Write-Host "Would update $StandardsFilePath with the following comment block:"
+ $NewComment
+ } else {
+ $Content -replace $Regex, $NewComment | Set-Content -Path $StandardsFilePath
+ }
+ } else {
+ Write-Host "No comment block found in $StandardsFilePath" -ForegroundColor Yellow
+ }
+}
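Review bot: `$Content -replace $Regex, $NewComment` near the end of the new script hands a List[string] to `-replace` as the replacement, so the text written is whatever PowerShell's string coercion of the collection produces (apparently the entries joined with a space, which would explain the extra leading space on every generated line), and because `-replace` interprets `$`-sequences in the replacement, any `$` in a helpText or component JSON taken from standards.json would be expanded or dropped instead of written verbatim. `$Matches[0]` holds the block matched by the `-match` guard above it, so a literal replacement avoids both problems: `$Content.Replace($Matches[0], (-join $NewComment)) | Set-Content -Path $StandardsFilePath`. Separately, `$Property.Value.ToString()` and `$Standard.helpText.ToString()` fail on a null JSON value; `"$($Property.Value)"` would emit an empty line instead. The hunk starts on the previous line, so the first half of the script is reviewed there.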