cisagov · skirkpatrickMSFT · Nov 17, 2025 · Nov 17, 2025 · Nov 17, 2025 · Nov 17, 2025
diff --git a/PowerShell/ScubaGear/Modules/Orchestrator.psm1 b/PowerShell/ScubaGear/Modules/Orchestrator.psm1
@@ -102,6 +102,12 @@ function Invoke-SCuBA {
     .Parameter SkipDoH
     If true, do not fallback to DoH should the traditional DNS requests fail
     when retrieving any DNS records required by specific SCuBA policies.
+    .Parameter UseNewTeamsAppSettings
+    When using interactive authentication for Teams, this switch enables ScubaGear to validate
+    the newer org-wide app settings (MS.TEAMS.5.1v2, 5.2v2, 5.3v2) instead of the legacy 
+    app permission policies (MS.TEAMS.5.1v1, 5.2v1, 5.3v1). By default, interactive authentication
+    validates the legacy v1 settings. Certificate-based authentication always validates legacy settings
+    regardless of this parameter.
     .Example
     Invoke-SCuBA
     Run an assessment against by default a commercial M365 Tenant against the
@@ -291,7 +297,12 @@ function Invoke-SCuBA {
         [ValidateNotNullOrEmpty()]
         [ValidateSet($true, $false)]
         [boolean]
-        $SkipDoH = [ScubaConfig]::ScubaDefault('DefaultSkipDoH')
+        $SkipDoH = [ScubaConfig]::ScubaDefault('DefaultSkipDoH'),
+
+        [Parameter(Mandatory = $false, ParameterSetName = 'Configuration')]
+        [Parameter(Mandatory = $false, ParameterSetName = 'Report')]
+        [switch]
+        $UseNewTeamsAppSettings
     )
     process {
         # Retrieve ScubaGear Module versions
@@ -619,7 +630,14 @@ function Invoke-ProviderList {
                             $RetVal = Export-SharePointProvider @SPOProviderParams | Select-Object -Last 1
                         }
                         "teams" {
-                            $RetVal = Export-TeamsProvider | Select-Object -Last 1
+                            $TeamsProviderParams = @{}
+                            if ($BoundParameters.AppID) {
+                                $TeamsProviderParams += @{CertificateBasedAuth = $true}
+                            }
+                            if ($BoundParameters.UseNewTeamsAppSettings) {
+                                $TeamsProviderParams += @{UseNewSettings = $true}
+                            }
+                            $RetVal = Export-TeamsProvider @TeamsProviderParams | Select-Object -Last 1
                         }
                         default {
                             Write-Error -Message "Invalid ProductName argument"
@@ -646,8 +664,8 @@ function Invoke-ProviderList {
                 $TimeZone = ($GetTimeZone).StandardName
             }
 
-        $ConfigDetails = @(ConvertTo-Json -Depth 100 $ScubaConfig)
-        if(! $ConfigDetails) {
+        $ConfigDetails = ConvertTo-Json -Depth 100 $([ScubaConfig]::GetInstance().Configuration)
+        if((! $ConfigDetails) -or ($ConfigDetails -eq "null")) {
             $ConfigDetails = "{}"
         }
 

diff --git a/PowerShell/ScubaGear/Modules/Providers/ExportTeamsProvider.psm1 b/PowerShell/ScubaGear/Modules/Providers/ExportTeamsProvider.psm1
@@ -7,6 +7,15 @@ function Export-TeamsProvider {
     Internal
     #>
     [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [switch]
+        $CertificateBasedAuth = $false,
+
+        [Parameter(Mandatory = $false)]
+        [switch]
+        $UseNewSettings = $false
+    )
 
     $HelperFolderPath = Join-Path -Path $PSScriptRoot -ChildPath "ProviderHelpers"
     Import-Module (Join-Path -Path $HelperFolderPath -ChildPath "CommandTracker.psm1")
@@ -18,6 +27,48 @@ function Export-TeamsProvider {
     $ClientConfig = ConvertTo-Json @($Tracker.TryCommand("Get-CsTeamsClientConfiguration"))
     $AppPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-CsTeamsAppPermissionPolicy"))
     $BroadcastPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-CsTeamsMeetingBroadcastPolicy"))
+
+    # Determine which Teams app settings to retrieve based on authentication method and user preference
+    # Three scenarios:
+    # 1. Certificate-based auth: Always use legacy settings (Get-M365UnifiedTenantSettings unavailable)
+    # 2. Interactive auth with -UseNewTeamsAppSettings: Use new org-wide settings by user choice
+    # 3. Interactive auth without switch: Use legacy settings (default)
+
+    if ($CertificateBasedAuth) {
+        # Scenario 1: Certificate-based authentication - legacy only
+        Write-Warning @"
+Certificate-based authentication detected. 
+- Legacy Teams app permission policies will be validated for MS.TEAMS.5.1v1, 5.2v1, and 5.3v1 policies.
+- Org-wide app settings cannot be retrieved with certificate authentication (Get-M365UnifiedTenantSettings requires user login).
+- If your organization uses the newer Teams Admin Center org-wide app settings, 
+  please re-run ScubaGear using interactive user authentication with the -UseNewTeamsAppSettings parameter
+  to validate policies MS.TEAMS.5.1v2, 5.2v2, and 5.3v2 against new settings.
+"@
+        $TenantAppSettings = ConvertTo-Json @()
+    }
+    elseif ($UseNewSettings) {
+        # Scenario 2: Interactive auth with explicit new settings preference
+        Write-Warning @"
+Interactive authentication with -UseNewTeamsAppSettings parameter detected.
+- Org-wide app settings (newer v2 policies) will be validated for MS.TEAMS.5.1v2, 5.2v2, and 5.3v2.
+- Legacy Teams app permission policies (MS.TEAMS.5.1v1, 5.2v1, 5.3v1) will NOT be validated.
+- To validate legacy Teams app permission policies instead, 
+  re-run ScubaGear without the -UseNewTeamsAppSettings parameter.
+"@
+        # Interactive/user authentication - attempt to get org-wide app settings
+        $TenantAppSettings = ConvertTo-Json @($Tracker.TryCommand("Get-M365UnifiedTenantSettings"))
+    }
+    else {
+        # Scenario 3: Interactive auth, default behavior - use legacy settings
+        Write-Warning @"
+Interactive/user authentication detected (default mode).
+- Legacy Teams app permission policies will be validated for MS.TEAMS.5.1v1, 5.2v1, and 5.3v1 policies.
+- Org-wide app settings (newer v2 policies) will NOT be retrieved.
+- If your organization uses the newer Teams Admin Center org-wide app settings,
+  re-run ScubaGear with the -UseNewTeamsAppSettings parameter to validate MS.TEAMS.5.1v2, 5.2v2, and 5.3v2 instead.
+"@
+        $TenantAppSettings = ConvertTo-Json @()
+    }
 
     $TeamsSuccessfulCommands = ConvertTo-Json @($Tracker.GetSuccessfulCommands())
     $TeamsUnSuccessfulCommands = ConvertTo-Json @($Tracker.GetUnSuccessfulCommands())
@@ -30,6 +81,7 @@ function Export-TeamsProvider {
     "client_configuration": $ClientConfig,
     "app_policies": $AppPolicies,
     "broadcast_policies": $BroadcastPolicies,
+    "tenant_app_settings": $TenantAppSettings,
     "teams_successful_commands": $TeamsSuccessfulCommands,
     "teams_unsuccessful_commands": $TeamsUnSuccessfulCommands,
 "@