[pull] dev from KelvinTegelaar:dev

Config/standards.json

@@ -1722,6 +1722,35 @@
     "powershellEquivalent": "New-ProtectionAlert and Set-ProtectionAlert",
     "recommendedBy": []
   },
+  {
+    "name": "standards.SafeLinksTemplatePolicy",
+    "label": "SafeLinks Policy Template",
+    "cat": "Templates",
+    "multiple": false,
+    "disabledFeatures": {
+      "report": false,
+      "warn": false,
+      "remediate": false
+    },
+    "impact": "Medium Impact",
+    "addedDate": "2025-04-29",
+    "helpText": "Deploy and manage SafeLinks policy templates to protect against malicious URLs in emails and Office documents.",
+    "addedComponent": [
+      {
+        "type": "autoComplete",
+        "multiple": true,
+        "creatable": false,
+        "name": "standards.SafeLinksTemplatePolicy.TemplateIds",
+        "label": "Select SafeLinks Policy Templates",
+        "api": {
+          "url": "/api/ListSafeLinksPolicyTemplates",
+          "labelField": "TemplateName",
+          "valueField": "GUID",
+          "queryKey": "ListSafeLinksPolicyTemplates"
+        }
+      }
+    ]
+  },
   {
     "name": "standards.SafeLinksPolicy",
     "cat": "Defender Standards",

Modules/CIPPCore/Public/Add-CIPPGroupMember.ps1

@@ -7,21 +7,22 @@ function Add-CIPPGroupMember(
     [string]$APIName = 'Add Group Member'
 ) {
     try {
-        if ($member -like '*#EXT#*') { $member = [System.Web.HttpUtility]::UrlEncode($member) }
-        $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($member)" -tenantid $TenantFilter).id
-        $addmemberbody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }"
+        if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) }
+        $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Member)" -tenantid $TenantFilter).id
+        $AddMemberBody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }"
         if ($GroupType -eq 'Distribution list' -or $GroupType -eq 'Mail-Enabled Security') {
-            $Params = @{ Identity = $GroupId; Member = $member; BypassSecurityGroupManagerCheck = $true }
-            $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Add-DistributionGroupMember' -cmdParams $params -UseSystemMailbox $true
+            $Params = @{ Identity = $GroupId; Member = $Member; BypassSecurityGroupManagerCheck = $true }
+            $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Add-DistributionGroupMember' -cmdParams $Params -UseSystemMailbox $true
         } else {
-            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $TenantFilter -type patch -body $addmemberbody -Verbose
+            $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)" -tenantid $TenantFilter -type patch -body $AddMemberBody -Verbose
         }
-        $Message = "Successfully added user $($Member) to $($GroupId)."
-        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Message -Sev 'Info'
-        return $message
+        $Results = "Successfully added user $($Member) to $($GroupId)."
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'Info'
+        return $Results
     } catch {
-        $message = "Failed to add user $($Member) to $($GroupId) - $($_.Exception.Message)"
-        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $message -Sev 'error' -LogData (Get-CippException -Exception $_)
-        return $message
+        $ErrorMessage = Get-CippException -Exception $_
+        $Results = "Failed to add user $($Member) to $($GroupId) - $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Results -Sev 'error' -LogData $ErrorMessage
+        throw $Results
     }
 }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Email-Exchange/Administration/Invoke-ExecModifyCalPerms.ps1

@@ -12,14 +12,14 @@ Function Invoke-ExecModifyCalPerms {
 
     $APIName = $Request.Params.CIPPEndpoint
     Write-LogMessage -headers $Request.Headers -API $APINAME-message 'Accessed this API' -Sev 'Debug'
-    
+
     $Username = $request.body.userID
     $Tenantfilter = $request.body.tenantfilter
     $Permissions = $request.body.permissions
 
     Write-LogMessage -headers $Request.Headers -API $APINAME-message "Processing request for user: $Username, tenant: $Tenantfilter" -Sev 'Debug'
 
-    if ($username -eq $null) { 
+    if ($username -eq $null) {
         Write-LogMessage -headers $Request.Headers -API $APINAME-message 'Username is null' -Sev 'Error'
         $body = [pscustomobject]@{'Results' = @('Username is required') }
         Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
@@ -28,12 +28,11 @@ Function Invoke-ExecModifyCalPerms {
             })
         return
     }
-    
+
     try {
         $userid = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($username)" -tenantid $Tenantfilter).id
         Write-LogMessage -headers $Request.Headers -API $APINAME-message "Retrieved user ID: $userid" -Sev 'Debug'
-    }
-    catch {
+    } catch {
         Write-LogMessage -headers $Request.Headers -API $APINAME-message "Failed to get user ID: $($_.Exception.Message)" -Sev 'Error'
         $body = [pscustomobject]@{'Results' = @("Failed to get user ID: $($_.Exception.Message)") }
         Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
@@ -50,8 +49,7 @@ Function Invoke-ExecModifyCalPerms {
     if ($Permissions -is [PSCustomObject]) {
         if ($Permissions.PSObject.Properties.Name -match '^\d+$') {
             $Permissions = $Permissions.PSObject.Properties.Value
-        }
-        else {
+        } else {
             $Permissions = @($Permissions)
         }
     }
@@ -60,13 +58,14 @@ Function Invoke-ExecModifyCalPerms {
 
     foreach ($Permission in $Permissions) {
         Write-LogMessage -headers $Request.Headers -API $APINAME-message "Processing permission: $($Permission | ConvertTo-Json)" -Sev 'Debug'
-        
+
         $PermissionLevel = $Permission.PermissionLevel.value ?? $Permission.PermissionLevel
         $Modification = $Permission.Modification
         $CanViewPrivateItems = $Permission.CanViewPrivateItems ?? $false
-
-        Write-LogMessage -headers $Request.Headers -API $APINAME-message "Permission Level: $PermissionLevel, Modification: $Modification, CanViewPrivateItems: $CanViewPrivateItems" -Sev 'Debug'
-
+        $FolderName = $Permission.FolderName ?? 'Calendar'
+
+        Write-LogMessage -headers $Request.Headers -API $APINAME-message "Permission Level: $PermissionLevel, Modification: $Modification, CanViewPrivateItems: $CanViewPrivateItems, FolderName: $FolderName" -Sev 'Debug'
+
         # Handle UserID as array or single value
         $TargetUsers = @($Permission.UserID | ForEach-Object { $_.value ?? $_ })
 
@@ -75,48 +74,24 @@ Function Invoke-ExecModifyCalPerms {
         foreach ($TargetUser in $TargetUsers) {
             try {
                 Write-LogMessage -headers $Request.Headers -API $APINAME-message "Processing target user: $TargetUser" -Sev 'Debug'
-
-                if ($Modification -eq 'Remove') {
-                    try {
-                        $CalPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Remove-MailboxFolderPermission' -cmdParams @{
-                            Identity = "$($userid):\Calendar"
-                            User     = $TargetUser
-                            Confirm  = $false
-                        }
-                        $null = $results.Add("Removed $($TargetUser) from $($username) Calendar permissions")
-                    }
-                    catch {
-                        $null = $results.Add("No existing permissions to remove for $($TargetUser)")
-                    }
-                }
-                else {
-                    Write-LogMessage -headers $Request.Headers -API $APINAME-message "Setting permissions with AccessRights: $PermissionLevel" -Sev 'Debug'
-
-                    $cmdParams = @{
-                        Identity     = "$($userid):\Calendar"
-                        User         = $TargetUser
-                        AccessRights = $PermissionLevel
-                        Confirm      = $false
-                    }
-
-                    if ($CanViewPrivateItems) {
-                        $cmdParams['SharingPermissionFlags'] = 'Delegate,CanViewPrivateItems'
-                    }
-
-                    try {
-                        # Try Add first
-                        $CalPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Add-MailboxFolderPermission' -cmdParams $cmdParams
-                        $null = $results.Add("Granted $($TargetUser) $($PermissionLevel) access to $($username) Calendar$($CanViewPrivateItems ? ' with access to private items' : '')")
-                    }
-                    catch {
-                        # If Add fails, try Set
-                        $CalPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet 'Set-MailboxFolderPermission' -cmdParams $cmdParams
-                        $null = $results.Add("Updated $($TargetUser) $($PermissionLevel) access to $($username) Calendar$($CanViewPrivateItems ? ' with access to private items' : '')")
-                    }
+                $Params = @{
+                    APIName              = $APIName
+                    Headers              = $Request.Headers
+                    RemoveAccess         = if ($Modification -eq 'Remove') { $TargetUser } else { $null }
+                    TenantFilter         = $Tenantfilter
+                    UserID               = $userid
+                    folderName           = $FolderName
+                    UserToGetPermissions = $TargetUser
+                    LoggingName          = $TargetUser
+                    Permissions          = $PermissionLevel
+                    CanViewPrivateItems  = $CanViewPrivateItems
                 }
+
+                $Result = Set-CIPPCalendarPermission @Params
+
+                $null = $results.Add($Result)
                 Write-LogMessage -headers $Request.Headers -API $APINAME-message "Successfully executed $($PermissionLevel) permission modification for $($TargetUser) on $($username)" -Sev 'Info' -tenant $TenantFilter
-            }
-            catch {
+            } catch {
                 $HasErrors = $true
                 Write-LogMessage -headers $Request.Headers -API $APINAME-message "Could not execute $($PermissionLevel) permission modification for $($TargetUser) on $($username). Error: $($_.Exception.Message)" -Sev 'Error' -tenant $TenantFilter
                 $null = $results.Add("Could not execute $($PermissionLevel) permission modification for $($TargetUser) on $($username). Error: $($_.Exception.Message)")
@@ -137,4 +112,4 @@ Function Invoke-ExecModifyCalPerms {
             StatusCode = if ($HasErrors) { [HttpStatusCode]::InternalServerError } else { [HttpStatusCode]::OK }
             Body       = $Body
         })
-} 
+}