[GH-ISSUE #2114] [Feature Request]: Add impersonation protection toggles to new and offboarding users #1078

Closed
opened 2026-03-02 13:41:22 +03:00 by kerem · 1 comment

Originally created by @SMRITServices on GitHub (Feb 7, 2024).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/2114

Description of the new feature - must be an in-depth explanation of the feature you want, reasoning why, and the added benefits for MSPs as a whole.

When adding a new user, a toggle that subsequently adds the new user to the impersonation protection policy after the user is created
When offboarding a user via the wizard, a toggle that subsequently removes the user from the impersonation protection policy during the offboarding process
You can add a drop down in the respective form to select which policy(s) to add/remove the user from

When adding or offboarding a user, a proper setup should include adding or removing that user to/from impersonation protection. With this toggle, it is one less standard operating procedure that needs to be done outside of CIPP. Adding this feature will also make it easier for MSPs to get started using impersonation protection if they are not already.

PowerShell commands you would normally use to achieve above request

```powershell
# DefineUser
$DisplayName = "First Last"
$UPN = "flast@fabrikam.com"

# Get list of policies
$Policies = Get-AntiPhishPolicy | Where-Object { $_.Enabled -eq $True }

# DefinePolicy (let user select policy(s) from the list of policies gathered in $Policies, using $Policies[#].Identity as the display variable)
$Policy = $Policies[0].Id  # In this case I have selected the policy that was $Policies[0]

# Add user to policy
Set-AntiPhishPolicy -Identity $Policy -TargetedUsersToProtect @{Add="$($DisplayName);$($UPN)"}

# Remove user from policy
Set-AntiPhishPolicy -Identity $Policy -TargetedUsersToProtect @{Remove="$($DisplayName);$($UPN)"}
```

To make the removal more robust, a search can be performed on a policy through the $_.TargetedUsersToProtect to confirm the user is there prior to removal.

The above search should rely on the user's UPN and not the whole "$($DisplayName);$($UPN)" variable due to the fact that someone can manually change the display name of the user when adding them to impersonation protection, but they cannot modify the UPN. Then you remove them based on that variable in the event that the display name is different than the Office 365 display name.

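The UPN-based lookup described in the request, as an added example that is not part of the original issue or of CIPP's code: it finds the stored `DisplayName;UPN` entries by UPN and removes exactly what the policy holds, so an offboarded user with a hand-edited display name does not stay on the list. The function names and sample entries are hypothetical; `Remove-ProtectedUser` assumes a connected Exchange Online PowerShell session.

```powershell
# Added example: function names and sample data are hypothetical, not CIPP code.

function Get-ProtectedUserEntry {
    # Return the stored "DisplayName;UPN" entries whose UPN part equals $UPN.
    param(
        [string[]]$Entries,
        [Parameter(Mandatory)][string]$UPN
    )
    foreach ($entry in $Entries) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        # Treat the text after the last ';' as the UPN; ignore the display name part.
        $storedUpn = $entry.Substring($entry.LastIndexOf(';') + 1).Trim()
        # -eq on strings is case-insensitive in PowerShell, which suits UPNs.
        if ($storedUpn -eq $UPN.Trim()) { $entry }
    }
}

function Remove-ProtectedUser {
    # Remove a user from one anti-phishing policy, keyed on UPN only.
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][string]$UPN
    )
    $current = (Get-AntiPhishPolicy -Identity $Policy).TargetedUsersToProtect
    $hits = @(Get-ProtectedUserEntry -Entries $current -UPN $UPN)
    if ($hits.Count -eq 0) {
        Write-Verbose "No entry for $UPN in policy '$Policy'; nothing to remove."
        return
    }
    # Pass the entries exactly as stored, so an edited display name still matches.
    Set-AntiPhishPolicy -Identity $Policy -TargetedUsersToProtect @{Remove = $hits}
}

# Constructed sample of a policy's TargetedUsersToProtect value (runs offline).
$sample = @(
    'Finance Director;fdirector@fabrikam.com',
    'F. Last (CEO);FLast@fabrikam.com',   # display name edited by hand
    'First Last;flast@fabrikam.co'        # different UPN, must not match
)
Get-ProtectedUserEntry -Entries $sample -UPN 'flast@fabrikam.com'
```

Running the offboarding step over every policy returned by `Get-AntiPhishPolicy`, rather than one selected policy, also catches users who were added to more than one list.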
kerem 2026-03-02 13:41:22 +03:00

@KelvinTegelaar commented on GitHub (Feb 7, 2024):

You must be a sponsor to create an fr
