From cb1a622d7b21500dd2bb31890811bcc08004d027 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Sat, 18 Jan 2025 17:39:30 +0100 Subject: [PATCH 1/4] Improve error handling in Invoke-CIPPStandardEnablePronouns function --- .../Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 index 915bf8ecc044..070e25a23aa6 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardEnablePronouns.ps1 @@ -33,8 +33,8 @@ function Invoke-CIPPStandardEnablePronouns { try { $CurrentState = New-GraphGetRequest -Uri $Uri -tenantid $Tenant } catch { - $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message - Write-LogMessage -API 'Standards' -tenant $Tenant -message "Could not get CurrentState for Pronouns. Error: $ErrorMessage" -sev Error + $ErrorMessage = Get-CippException -Exception $_ + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Could not get CurrentState for Pronouns. Error: $($ErrorMessage.NormalizedError)" -sev Error Return } Write-Host $CurrentState From a5f98e2ddf04603f44459764c297e53e6b3b918b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Sat, 18 Jan 2025 17:39:52 +0100 Subject: [PATCH 2/4] Add new standard: ProfilePhotos --- .../Invoke-CIPPStandardProfilePhotos.ps1 | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 new file mode 100644 index 000000000000..6a53f09a7073 --- /dev/null 
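Review bot: The rewritten catch block in Invoke-CIPPStandardEnablePronouns logs only `$($ErrorMessage.NormalizedError)` and does not attach the object returned by `Get-CippException` to the log entry. The catch block added in Invoke-CIPPStandardProfilePhotos.ps1 later in this series passes it along, so for consistency and to keep the full failure details available for troubleshooting, append `-LogData $ErrorMessage` to this `Write-LogMessage` call as well. The function body begins and ends outside this hunk, so the rest of its error handling is not visible here.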
+++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 
@@ -0,0 +1,103 @@ +function Invoke-CIPPStandardProfilePhotos { + <# + .FUNCTIONALITY + Internal + .COMPONENT + (APIName) ProfilePhotos + .SYNOPSIS + (Label) Allow users to set profile photos + .DESCRIPTION + (Helptext) Controls whether users can set their own profile photos in Microsoft 365 + (DocsDescription) Controls whether users can set their own profile photos in Microsoft 365. When disabled, only User and Global administrators can update profile photos for users. + .NOTES + CAT + Global Standards + TAG + "lowimpact" + ADDEDCOMPONENT + {"type":"select","multiple":false,"label":"Select value","name":"standards.ProfilePhotos.state","options":[{"label":"Enabled","value":"enabled"},{"label":"Disabled","value":"disabled"}]} + IMPACT + Low Impact + POWERSHELLEQUIVALENT + Set-OrganizationConfig -ProfilePhotoOptions EnablePhotos and Update-MgBetaAdminPeople + UPDATECOMMENTBLOCK + Run the Tools\Update-StandardsComments.ps1 script to update this comment block + #> + + param($Tenant, $Settings) + + # Input validation + if ([string]::IsNullOrWhiteSpace($Settings.state)) { + Write-LogMessage -API 'Standards' -tenant $tenant -message 'ProfilePhotos: Invalid state parameter set' -sev Error + Return + } + + # true if wanted state is enabled, false if disabled + $DesiredState = $Settings.state -eq 'enabled' + + + # Get current Graph policy state + # $Uri = 'https://graph.microsoft.com/beta/admin/people/photoUpdateSettings' + # $CurrentGraphState = New-GraphGetRequest -uri $Uri -tenantid $Tenant + # $UsersCanChangePhotos = if (($CurrentGraphState.allowedRoles -contains 'fe930be7-5e62-47db-91af-98c3a49a38b1' -and $CurrentGraphState.allowedRoles -contains '62e90394-69f5-4237-9190-012177145e10') -or + # $null -ne $CurrentGraphState.allowedRoles) { $false } else { $true } + + + # Get current OWA mailbox policy state + $CurrentOWAState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OwaMailboxPolicy' -cmdParams @{Identity = 'OwaMailboxPolicy-Default' } -Select 
'Identity,SetPhotoEnabled' + $OWAStateCorrect = $CurrentOWAState.SetPhotoEnabled -eq $DesiredState + # $GraphStateCorrect = $UsersCanChangePhotos -eq $DesiredState + # $CurrentStatesCorrect = $GraphStateCorrect -eq $true -and $OWAStateCorrect -eq $true + $CurrentStatesCorrect = $OWAStateCorrect -eq $true + + if ($Settings.remediate -eq $true) { + Write-Host 'Time to remediate' + + if ($CurrentStatesCorrect -eq $false) { + Write-Host 'Settings are not correct' + try { + if ($Settings.state -eq 'enabled') { + Write-Host 'Enabling' + # Enable photo updates + $null = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OwaMailboxPolicy' -cmdParams @{Identity = $CurrentOWAState.Identity; SetPhotoEnabled = $true } -useSystemMailbox $true + # $null = New-GraphRequest -uri $Uri -tenant $Tenant -type DELETE + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set Profile photo settings to $($Settings.state)" -sev Info + + } else { + Write-Host 'Disabling' + # Disable photo updates + $null = New-ExoRequest -tenantid $Tenant -cmdlet 'Set-OwaMailboxPolicy' -cmdParams @{Identity = $CurrentOWAState.Identity; SetPhotoEnabled = $false } -useSystemMailbox $true + + # $body = @{ + # source = 'cloud' + # allowedRoles = @( + # 'fe930be7-5e62-47db-91af-98c3a49a38b1', # Global admin + # '62e90394-69f5-4237-9190-012177145e10' # User admin + # ) + # } + # $body = ConvertTo-Json -InputObject $body -Depth 5 -Compress + # $null = New-GraphPostRequest -uri $Uri -tenant $Tenant -body $body -type PATCH -AsApp $true + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Set Profile photo settings to $($Settings.state)" -sev Info + } + } catch { + $ErrorMessage = Get-CippException -Exception $_ + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Failed to set profile photo settings to $($Settings.state). 
Error: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage + } + } else { + Write-Host 'Settings are correct' + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Profile photo settings are already set to the desired state: $($Settings.state)" -sev Info + } + } + + if ($Settings.alert -eq $true) { + if ($CurrentStatesCorrect -eq $false) { + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Profile photo settings do not match desired state: $($Settings.state)" -sev Info + } else { + Write-LogMessage -API 'Standards' -tenant $Tenant -message "Profile photo settings match desired state: $($Settings.state)" -sev Alert + } + } + + if ($Settings.report -eq $true) { + Add-CIPPBPAField -FieldName 'ProfilePhotos' -FieldValue $CurrentStatesCorrect -StoreAs bool -Tenant $Tenant + } +} From d1f548bf8ad632a042031f419e091c0df528415a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Sat, 18 Jan 2025 17:41:44 +0100 Subject: [PATCH 3/4] move comment --- .../Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 index 6a53f09a7073..7878a08a4bdc 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 
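Review bot: The severities in the `$Settings.alert` branch look inverted: the "do not match desired state" message is written with `-sev Info` and the "match desired state" message with `-sev Alert`, so configuration drift would pass quietly while compliant tenants raise alerts. Swap them so the mismatch line ends in `-sev Alert` and the match line in `-sev Info`. Separately, the `Get-OwaMailboxPolicy` request runs outside any try/catch, so a failure there is not logged by this function, and if it returns nothing the remediation branch passes an empty `$CurrentOWAState.Identity` to `Set-OwaMailboxPolicy`; wrapping the read in a try/catch that logs and returns, as the EnablePronouns standard does, would cover both cases. The input validation only rejects a blank `state`, so any value other than `enabled` is treated as a request to disable; checking against the two option values (`enabled`, `disabled`) would be stricter.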
@@ -41,12 +41,12 @@ # $CurrentGraphState = New-GraphGetRequest -uri $Uri -tenantid $Tenant # $UsersCanChangePhotos = if (($CurrentGraphState.allowedRoles -contains 'fe930be7-5e62-47db-91af-98c3a49a38b1' -and $CurrentGraphState.allowedRoles -contains '62e90394-69f5-4237-9190-012177145e10') -or # $null -ne $CurrentGraphState.allowedRoles) { $false } else { $true } + # $GraphStateCorrect = $UsersCanChangePhotos -eq $DesiredState # Get current OWA mailbox policy state $CurrentOWAState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-OwaMailboxPolicy' -cmdParams @{Identity = 'OwaMailboxPolicy-Default' } -Select 'Identity,SetPhotoEnabled' $OWAStateCorrect = $CurrentOWAState.SetPhotoEnabled -eq $DesiredState - # $GraphStateCorrect = $UsersCanChangePhotos -eq $DesiredState # $CurrentStatesCorrect = $GraphStateCorrect -eq $true -and $OWAStateCorrect -eq $true $CurrentStatesCorrect = $OWAStateCorrect -eq $true From cba3c55107d310d705b6cce98e0935d283cade6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?= Date: Sat, 18 Jan 2025 17:48:16 +0100 Subject: [PATCH 4/4] Add a comment explaining the current limitation with the API endpoint for profile photos --- .../Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 index 7878a08a4bdc..1c0472b3749b 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardProfilePhotos.ps1 
@@ -35,6 +35,11 @@ # true if wanted state is enabled, false if disabled $DesiredState = $Settings.state -eq 'enabled' + <# + HACK This does not work, as the API endpoint is not available via GDAP it seems? It works in the Graph Explorer, but not here. + The error is: "Authorization failed because of missing requirement(s)." + I'm keeping the code here for now, so it's much easier to re-enable if Microsoft makes it possible someday. -Bobby + #> # Get current Graph policy state # $Uri = 'https://graph.microsoft.com/beta/admin/people/photoUpdateSettings'
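Review bot: The new HACK comment explains why the Graph calls are commented out but not what that means for the standard's result. With them disabled, `$CurrentStatesCorrect` is derived only from `SetPhotoEnabled` on `OwaMailboxPolicy-Default`, so the alert and report output reflect that one OWA policy and nothing else. The help text at the top of the file still says that only User and Global administrators can update photos when the standard is disabled, which is what the commented-out `allowedRoles` request would have configured. I would add a line to the comment such as `Until this works, compliance is evaluated from the default OWA mailbox policy only; photoUpdateSettings is neither checked nor changed.` and adjust the DocsDescription to match. Whether the OWA setting alone is sufficient cannot be judged from this patch.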