diff --git a/.gitignore b/.gitignore
index 073300712d7e..93317828cfe5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,6 +15,7 @@ yarn.lock
# Cursor IDE
.cursor/rules
+.claude
# Ignore all root PowerShell files except profile.ps1
/*.ps1
diff --git a/CIPPDBCacheTypes.json b/CIPPDBCacheTypes.json
new file mode 100644
index 000000000000..28fac3a6fde8
--- /dev/null
+++ b/CIPPDBCacheTypes.json
@@ -0,0 +1,332 @@
+[
+ {
+ "type": "Users",
+ "friendlyName": "Users",
+ "description": "All Azure AD users with sign-in activity"
+ },
+ {
+ "type": "Groups",
+ "friendlyName": "Groups",
+ "description": "All Azure AD groups with members"
+ },
+ {
+ "type": "Guests",
+ "friendlyName": "Guest Users",
+ "description": "All guest users in the tenant"
+ },
+ {
+ "type": "ServicePrincipals",
+ "friendlyName": "Service Principals",
+ "description": "All service principals (applications)"
+ },
+ {
+ "type": "Apps",
+ "friendlyName": "Application Registrations",
+ "description": "All application registrations with owners"
+ },
+ {
+ "type": "Devices",
+ "friendlyName": "Azure AD Devices",
+ "description": "All Azure AD registered devices"
+ },
+ {
+ "type": "Organization",
+ "friendlyName": "Organization",
+ "description": "Tenant organization information"
+ },
+ {
+ "type": "Roles",
+ "friendlyName": "Directory Roles",
+ "description": "All Azure AD directory roles with members"
+ },
+ {
+ "type": "AdminConsentRequestPolicy",
+ "friendlyName": "Admin Consent Request Policy",
+ "description": "Admin consent request policy settings"
+ },
+ {
+ "type": "AuthorizationPolicy",
+ "friendlyName": "Authorization Policy",
+ "description": "Tenant authorization policy"
+ },
+ {
+ "type": "AuthenticationMethodsPolicy",
+ "friendlyName": "Authentication Methods Policy",
+ "description": "Authentication methods policy configuration"
+ },
+ {
+ "type": "DeviceSettings",
+ "friendlyName": "Device Settings",
+ "description": "Device management settings"
+ },
+ {
+ "type": "DirectoryRecommendations",
+ "friendlyName": "Directory Recommendations",
+ "description": "Azure AD directory recommendations"
+ },
+ {
+ "type": "CrossTenantAccessPolicy",
+ "friendlyName": "Cross-Tenant Access Policy",
+ "description": "Cross-tenant access policy configuration"
+ },
+ {
+ "type": "DefaultAppManagementPolicy",
+ "friendlyName": "Default App Management Policy",
+ "description": "Default application management policy"
+ },
+ {
+ "type": "Settings",
+ "friendlyName": "Directory Settings",
+ "description": "Directory settings configuration"
+ },
+ {
+ "type": "SecureScore",
+ "friendlyName": "Secure Score",
+ "description": "Microsoft Secure Score and control profiles"
+ },
+ {
+ "type": "PIMSettings",
+ "friendlyName": "PIM Settings",
+ "description": "Privileged Identity Management settings and assignments"
+ },
+ {
+ "type": "Domains",
+ "friendlyName": "Domains",
+ "description": "All verified and unverified domains"
+ },
+ {
+ "type": "RoleEligibilitySchedules",
+ "friendlyName": "Role Eligibility Schedules",
+ "description": "PIM role eligibility schedules"
+ },
+ {
+ "type": "RoleManagementPolicies",
+ "friendlyName": "Role Management Policies",
+ "description": "Role management policies"
+ },
+ {
+ "type": "RoleAssignmentScheduleInstances",
+ "friendlyName": "Role Assignment Schedule Instances",
+ "description": "Active role assignment instances"
+ },
+ {
+ "type": "B2BManagementPolicy",
+ "friendlyName": "B2B Management Policy",
+ "description": "B2B collaboration policy settings"
+ },
+ {
+ "type": "AuthenticationFlowsPolicy",
+ "friendlyName": "Authentication Flows Policy",
+ "description": "Authentication flows policy configuration"
+ },
+ {
+ "type": "DeviceRegistrationPolicy",
+ "friendlyName": "Device Registration Policy",
+ "description": "Device registration policy settings"
+ },
+ {
+ "type": "CredentialUserRegistrationDetails",
+ "friendlyName": "Credential User Registration Details",
+ "description": "User credential registration details"
+ },
+ {
+ "type": "UserRegistrationDetails",
+ "friendlyName": "User Registration Details",
+ "description": "MFA registration details for users"
+ },
+ {
+ "type": "OAuth2PermissionGrants",
+ "friendlyName": "OAuth2 Permission Grants",
+ "description": "OAuth2 permission grants"
+ },
+ {
+ "type": "AppRoleAssignments",
+ "friendlyName": "App Role Assignments",
+ "description": "Application role assignments"
+ },
+ {
+ "type": "LicenseOverview",
+ "friendlyName": "License Overview",
+ "description": "License usage overview"
+ },
+ {
+ "type": "MFAState",
+ "friendlyName": "MFA State",
+ "description": "Multi-factor authentication state"
+ },
+ {
+ "type": "ExoAntiPhishPolicies",
+ "friendlyName": "Exchange Anti-Phish Policies",
+ "description": "Exchange Online anti-phishing policies"
+ },
+ {
+ "type": "ExoMalwareFilterPolicies",
+ "friendlyName": "Exchange Malware Filter Policies",
+ "description": "Exchange Online malware filter policies"
+ },
+ {
+ "type": "ExoSafeLinksPolicies",
+ "friendlyName": "Exchange Safe Links Policies",
+ "description": "Exchange Online Safe Links policies"
+ },
+ {
+ "type": "ExoSafeAttachmentPolicies",
+ "friendlyName": "Exchange Safe Attachment Policies",
+ "description": "Exchange Online Safe Attachment policies"
+ },
+ {
+ "type": "ExoTransportRules",
+ "friendlyName": "Exchange Transport Rules",
+ "description": "Exchange Online transport rules"
+ },
+ {
+ "type": "ExoDkimSigningConfig",
+ "friendlyName": "Exchange DKIM Signing Config",
+ "description": "Exchange Online DKIM signing configuration"
+ },
+ {
+ "type": "ExoOrganizationConfig",
+ "friendlyName": "Exchange Organization Config",
+ "description": "Exchange Online organization configuration"
+ },
+ {
+ "type": "ExoAcceptedDomains",
+ "friendlyName": "Exchange Accepted Domains",
+ "description": "Exchange Online accepted domains"
+ },
+ {
+ "type": "ExoHostedContentFilterPolicy",
+ "friendlyName": "Exchange Hosted Content Filter Policy",
+ "description": "Exchange Online hosted content filter policy"
+ },
+ {
+ "type": "ExoHostedOutboundSpamFilterPolicy",
+ "friendlyName": "Exchange Hosted Outbound Spam Filter Policy",
+ "description": "Exchange Online hosted outbound spam filter policy"
+ },
+ {
+ "type": "ExoAntiPhishPolicy",
+ "friendlyName": "Exchange Anti-Phish Policy",
+ "description": "Exchange Online anti-phishing policy"
+ },
+ {
+ "type": "ExoSafeLinksPolicy",
+ "friendlyName": "Exchange Safe Links Policy",
+ "description": "Exchange Online Safe Links policy"
+ },
+ {
+ "type": "ExoSafeAttachmentPolicy",
+ "friendlyName": "Exchange Safe Attachment Policy",
+ "description": "Exchange Online Safe Attachment policy"
+ },
+ {
+ "type": "ExoMalwareFilterPolicy",
+ "friendlyName": "Exchange Malware Filter Policy",
+ "description": "Exchange Online malware filter policy"
+ },
+ {
+ "type": "ExoAtpPolicyForO365",
+ "friendlyName": "Exchange ATP Policy for O365",
+ "description": "Exchange Online Advanced Threat Protection policy"
+ },
+ {
+ "type": "ExoQuarantinePolicy",
+ "friendlyName": "Exchange Quarantine Policy",
+ "description": "Exchange Online quarantine policy"
+ },
+ {
+ "type": "ExoRemoteDomain",
+ "friendlyName": "Exchange Remote Domain",
+ "description": "Exchange Online remote domain configuration"
+ },
+ {
+ "type": "ExoSharingPolicy",
+ "friendlyName": "Exchange Sharing Policy",
+ "description": "Exchange Online sharing policies"
+ },
+ {
+ "type": "ExoAdminAuditLogConfig",
+ "friendlyName": "Exchange Admin Audit Log Config",
+ "description": "Exchange Online admin audit log configuration"
+ },
+ {
+ "type": "ExoPresetSecurityPolicy",
+ "friendlyName": "Exchange Preset Security Policy",
+ "description": "Exchange Online preset security policy"
+ },
+ {
+ "type": "ExoTenantAllowBlockList",
+ "friendlyName": "Exchange Tenant Allow/Block List",
+ "description": "Exchange Online tenant allow/block list"
+ },
+ {
+ "type": "Mailboxes",
+ "friendlyName": "Mailboxes",
+ "description": "All Exchange Online mailboxes"
+ },
+ {
+ "type": "CASMailboxes",
+ "friendlyName": "CAS Mailboxes",
+ "description": "Client Access Server mailbox settings"
+ },
+ {
+ "type": "MailboxUsage",
+ "friendlyName": "Mailbox Usage",
+ "description": "Exchange Online mailbox usage statistics"
+ },
+ {
+ "type": "OneDriveUsage",
+ "friendlyName": "OneDrive Usage",
+ "description": "OneDrive usage statistics"
+ },
+ {
+ "type": "ConditionalAccessPolicies",
+ "friendlyName": "Conditional Access Policies",
+ "description": "Azure AD Conditional Access policies"
+ },
+ {
+ "type": "RiskyUsers",
+ "friendlyName": "Risky Users",
+ "description": "Users flagged as risky by Identity Protection"
+ },
+ {
+ "type": "RiskyServicePrincipals",
+ "friendlyName": "Risky Service Principals",
+ "description": "Service principals flagged as risky by Identity Protection"
+ },
+ {
+ "type": "ServicePrincipalRiskDetections",
+ "friendlyName": "Service Principal Risk Detections",
+ "description": "Risk detections for service principals"
+ },
+ {
+ "type": "RiskDetections",
+ "friendlyName": "Risk Detections",
+ "description": "Identity Protection risk detections"
+ },
+ {
+ "type": "ManagedDevices",
+ "friendlyName": "Managed Devices",
+ "description": "Intune managed devices"
+ },
+ {
+ "type": "IntunePolicies",
+ "friendlyName": "Intune Policies",
+ "description": "All Intune policies including compliance, configuration, and app protection"
+ },
+ {
+ "type": "ManagedDeviceEncryptionStates",
+ "friendlyName": "Managed Device Encryption States",
+ "description": "BitLocker encryption states for managed devices"
+ },
+ {
+ "type": "IntuneAppProtectionPolicies",
+ "friendlyName": "Intune App Protection Policies",
+ "description": "Intune app protection policies for iOS and Android"
+ },
+ {
+ "type": "DetectedApps",
+ "friendlyName": "Detected Apps",
+ "description": "All detected applications with devices where each app is installed"
+ }
+]
diff --git a/CIPPTimers.json b/CIPPTimers.json
index f76dba8941e2..ed7cd4c31819 100644
--- a/CIPPTimers.json
+++ b/CIPPTimers.json
@@ -135,8 +135,8 @@
"Id": "c2ebde3f-fa35-45aa-8a6b-91c835050b79",
"Command": "Start-DomainOrchestrator",
"Description": "Orchestrator to process domains",
- "Cron": "0 0 0 * * *",
- "Priority": 10,
+ "Cron": "0 30 3 * * *",
+ "Priority": 22,
"RunOnProcessor": true
},
{
@@ -223,12 +223,21 @@
"RunOnProcessor": true,
"IsSystem": true
},
+ {
+ "Id": "a9e8d7c6-b5a4-3f2e-1d0c-9b8a7f6e5d4c",
+ "Command": "Start-LogRetentionCleanup",
+ "Description": "Timer to cleanup old logs based on retention policy",
+ "Cron": "0 30 2 * * *",
+ "Priority": 22,
+ "RunOnProcessor": true,
+ "IsSystem": true
+ },
{
"Id": "9a7f8e6d-5c4b-3a2d-1e0f-9b8c7d6e5f4a",
"Command": "Start-CIPPDBCacheOrchestrator",
"Description": "Timer to collect and cache Microsoft Graph data for all tenants",
"Cron": "0 0 3 * * *",
- "Priority": 22,
+ "Priority": 23,
"RunOnProcessor": true,
"IsSystem": true
},
@@ -237,7 +246,7 @@
"Command": "Start-TestsOrchestrator",
"Description": "Timer to run security and compliance tests against cached data",
"Cron": "0 0 4 * * *",
- "Priority": 23,
+ "Priority": 24,
"RunOnProcessor": true,
"IsSystem": true
}
diff --git a/Modules/CIPPCore/Public/Add-CIPPDbItem.ps1 b/Modules/CIPPCore/Public/Add-CIPPDbItem.ps1
index be862eabe375..9dd5a5af2abf 100644
--- a/Modules/CIPPCore/Public/Add-CIPPDbItem.ps1
+++ b/Modules/CIPPCore/Public/Add-CIPPDbItem.ps1
@@ -22,6 +22,10 @@ function Add-CIPPDbItem {
.PARAMETER AddCount
If specified, automatically records the total count after processing all items
+ .PARAMETER Append
+ If specified, adds items without clearing existing entries for this type/tenant and automatically
+ increments the count. Useful for accumulating report data over time. By default, existing entries are replaced.
+
.EXAMPLE
Add-CIPPDbItem -TenantFilter 'contoso.onmicrosoft.com' -Type 'Groups' -Data $GroupsData
@@ -30,6 +34,9 @@ function Add-CIPPDbItem {
.EXAMPLE
Add-CIPPDbItem -TenantFilter 'contoso.onmicrosoft.com' -Type 'Groups' -Data $GroupsData -Count
+
+ .EXAMPLE
+ Add-CIPPDbItem -TenantFilter 'contoso.onmicrosoft.com' -Type 'AlertHistory' -Data $AlertData -Append -AddCount
#>
[CmdletBinding()]
param(
@@ -49,7 +56,10 @@ function Add-CIPPDbItem {
[switch]$Count,
[Parameter(Mandatory = $false)]
- [switch]$AddCount
+ [switch]$AddCount,
+
+ [Parameter(Mandatory = $false)]
+ [switch]$Append
)
begin {
@@ -104,7 +114,7 @@ function Add-CIPPDbItem {
}
}
- if (-not $Count.IsPresent) {
+ if (-not $Count.IsPresent -and -not $Append.IsPresent) {
# Delete existing entries for this type
$Filter = "PartitionKey eq '{0}' and RowKey ge '{1}-' and RowKey lt '{1}0'" -f $TenantFilter, $Type
$ExistingEntities = Get-CIPPAzDataTableEntity @Table -Filter $Filter -Property PartitionKey, RowKey, ETag
@@ -168,18 +178,29 @@ function Add-CIPPDbItem {
Invoke-FlushBatch -State $State
}
- if ($Count.IsPresent) {
+ if ($Count.IsPresent -or $Append.IsPresent) {
# Store count record
+ if ($Append.IsPresent) {
+ # When appending, always increment the existing count
+ $Filter = "PartitionKey eq '{0}' and RowKey eq '{1}-Count'" -f $TenantFilter, $Type
+ $ExistingCount = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+ $PreviousCount = if ($ExistingCount -and $ExistingCount.DataCount) { [int]$ExistingCount.DataCount } else { 0 }
+ $NewCount = $PreviousCount + $State.TotalProcessed
+ } else {
+ # Normal mode - replace count
+ $NewCount = $State.TotalProcessed
+ }
+
$Entity = @{
PartitionKey = $TenantFilter
RowKey = Format-RowKey "$Type-Count"
- DataCount = [int]$State.TotalProcessed
+ DataCount = [int]$NewCount
}
Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force | Out-Null
}
Write-LogMessage -API 'CIPPDbItem' -tenant $TenantFilter `
- -message "Added $($State.TotalProcessed) items of type $Type$(if ($Count.IsPresent) { ' (count mode)' })" -sev Debug
+ -message "Added $($State.TotalProcessed) items of type $Type$(if ($Count.IsPresent) { ' (count mode)' })$(if ($Append.IsPresent) { ' (append mode)' })" -sev Debug
} catch {
Write-LogMessage -API 'CIPPDbItem' -tenant $TenantFilter `
@@ -191,7 +212,16 @@ function Add-CIPPDbItem {
# Record count if AddCount was specified
if ($AddCount.IsPresent -and $State.TotalProcessed -gt 0) {
try {
- Add-CIPPDbItem -TenantFilter $TenantFilter -Type $Type -InputObject $State.TotalProcessed -Count
+ $countParams = @{
+ TenantFilter = $TenantFilter
+ Type = $Type
+ InputObject = $State.TotalProcessed
+ Count = $true
+ }
+ if ($Append.IsPresent) {
+ $countParams.Append = $true
+ }
+ Add-CIPPDbItem @countParams
} catch {
Write-LogMessage -API 'CIPPDbItem' -tenant $TenantFilter `
-message "Failed to record count for $Type : $($_.Exception.Message)" -sev Warning
diff --git a/Modules/CIPPCore/Public/Add-CIPPPackagedApplication.ps1 b/Modules/CIPPCore/Public/Add-CIPPPackagedApplication.ps1
new file mode 100644
index 000000000000..0730a11e16a1
--- /dev/null
+++ b/Modules/CIPPCore/Public/Add-CIPPPackagedApplication.ps1
@@ -0,0 +1,77 @@
+function Add-CIPPPackagedApplication {
+ <#
+ .SYNOPSIS
+ Adds a packaged Win32Lob application to Intune.
+
+ .DESCRIPTION
+ Handles creation of Win32Lob apps with intunewin files and uploads the content.
+
+ .PARAMETER AppBody
+ Hashtable or PSCustomObject containing the app configuration.
+
+ .PARAMETER TenantFilter
+ Tenant ID or domain name for the Graph API call.
+
+ .PARAMETER AppType
+ Type of app: 'Choco' or 'MSPApp'.
+
+ .PARAMETER FilePath
+ Path to the intunewin file.
+
+ .PARAMETER FileName
+ Name of the file from XML metadata.
+
+ .PARAMETER UnencryptedSize
+ Unencrypted size of the file from XML metadata.
+
+ .PARAMETER EncryptionInfo
+ Hashtable containing encryption information from XML.
+
+ .PARAMETER DisplayName
+ Display name of the app for logging.
+
+ .PARAMETER APIName
+ API name for logging (optional).
+
+ .PARAMETER Headers
+ Request headers for logging (optional).
+
+ .EXAMPLE
+ $AppBody = @{ '@odata.type' = '#microsoft.graph.win32LobApp'; displayName = 'My App' }
+ $EncryptionInfo = @{ EncryptionKey = '...'; MacKey = '...'; ... }
+ Add-CIPPPackagedApplication -AppBody $AppBody -TenantFilter 'contoso.com' -AppType 'Choco' -FilePath 'app.intunewin' -FileName 'app.intunewin' -UnencryptedSize 1024000 -EncryptionInfo $EncryptionInfo
+ #>
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)]
+ [object]$AppBody,
+
+ [Parameter(Mandatory = $true)]
+ [string]$TenantFilter,
+
+ [Parameter(Mandatory = $true)]
+ [string]$FilePath,
+
+ [Parameter(Mandatory = $true)]
+ [string]$FileName,
+
+ [Parameter(Mandatory = $true)]
+ [int64]$UnencryptedSize,
+
+ [Parameter(Mandatory = $true)]
+ [hashtable]$EncryptionInfo,
+
+ [Parameter(Mandatory = $false)]
+ [string]$DisplayName
+ )
+
+ $BaseUri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
+
+ # Create the Win32Lob app
+ $NewApp = New-GraphPostRequest -Uri $BaseUri -Body ($AppBody | ConvertTo-Json) -Type POST -tenantid $TenantFilter
+
+ # Upload intunewin content
+ Add-CIPPWin32LobAppContent -AppId $NewApp.id -FilePath $FilePath -FileName $FileName -UnencryptedSize $UnencryptedSize -EncryptionInfo $EncryptionInfo -TenantFilter $TenantFilter -APIName $APIName -Headers $Headers
+
+ return $NewApp
+}
diff --git a/Modules/CIPPCore/Public/Add-CIPPW32ScriptApplication.ps1 b/Modules/CIPPCore/Public/Add-CIPPW32ScriptApplication.ps1
new file mode 100644
index 000000000000..5ef92c5a997a
--- /dev/null
+++ b/Modules/CIPPCore/Public/Add-CIPPW32ScriptApplication.ps1
@@ -0,0 +1,215 @@
+function Add-CIPPW32ScriptApplication {
+ <#
+ .SYNOPSIS
+ Adds a Win32 app with PowerShell script installer to Intune using the standard Chocolatey package.
+
+ .DESCRIPTION
+ Creates a Win32 app that uses the standard Chocolatey intunewin package but with custom PowerShell scripts.
+ Always uploads the same Choco package, but uses user-provided scripts for install/uninstall commands.
+
+ .PARAMETER TenantFilter
+ Tenant ID or domain name for the Graph API call.
+
+ .PARAMETER Properties
+ PSCustomObject containing all Win32 app properties:
+ - displayName (required): Display name of the app
+ - description: Description of the app
+ - publisher: Publisher name
+ - installScript (required): PowerShell install script content (plaintext)
+ - uninstallScript: PowerShell uninstall script content (plaintext)
+ - detectionPath (required): Full path to the file or folder to detect (e.g., 'C:\\Program Files\\MyApp')
+ - detectionFile: File name to detect (optional, for folder path detection)
+ - detectionType: 'exists', 'modifiedDate', 'createdDate', 'version', 'sizeInMB' (default: 'exists')
+ - check32BitOn64System: Boolean, check 32-bit registry/paths on 64-bit systems (default: false)
+ - runAsAccount: 'system' or 'user' (default: 'system')
+ - deviceRestartBehavior: 'allow', 'suppress', or 'force' (default: 'suppress')
+
+ .EXAMPLE
+ $Properties = @{
+ displayName = 'My Script App'
+ installScript = 'Write-Host "Installing..."'
+ detectionPath = 'C:\\Program Files\\MyApp'
+ detectionFile = 'app.exe'
+ }
+ Add-CIPPW32ScriptApplication -TenantFilter 'contoso.com' -Properties $Properties
+ #>
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)]
+ [string]$TenantFilter,
+
+ [Parameter(Mandatory = $true)]
+ [PSCustomObject]$Properties
+ )
+
+ # Get the standard Chocolatey package location (relative to function app root)
+ $IntuneWinFile = 'AddChocoApp\IntunePackage.intunewin'
+ $ChocoXmlFile = 'AddChocoApp\Choco.App.xml'
+
+ if (-not (Test-Path $IntuneWinFile)) {
+ throw "Chocolatey IntunePackage.intunewin not found at: $IntuneWinFile (Current directory: $PWD)"
+ }
+
+ if (-not (Test-Path $ChocoXmlFile)) {
+ throw "Choco.App.xml not found at: $ChocoXmlFile (Current directory: $PWD)"
+ }
+
+ # Parse the Choco XML to get encryption info. We need a wrapper around the application and this is a tiny intune file, perfect for our purpose.
+ [xml]$ChocoXml = Get-Content $ChocoXmlFile
+ $EncryptionInfo = @{
+ EncryptionKey = $ChocoXml.ApplicationInfo.EncryptionInfo.EncryptionKey
+ MacKey = $ChocoXml.ApplicationInfo.EncryptionInfo.MacKey
+ InitializationVector = $ChocoXml.ApplicationInfo.EncryptionInfo.InitializationVector
+ Mac = $ChocoXml.ApplicationInfo.EncryptionInfo.Mac
+ ProfileIdentifier = $ChocoXml.ApplicationInfo.EncryptionInfo.ProfileIdentifier
+ FileDigest = $ChocoXml.ApplicationInfo.EncryptionInfo.FileDigest
+ FileDigestAlgorithm = $ChocoXml.ApplicationInfo.EncryptionInfo.FileDigestAlgorithm
+ }
+
+ $FileName = $ChocoXml.ApplicationInfo.FileName
+ $UnencryptedSize = [int64]$ChocoXml.ApplicationInfo.UnencryptedContentSize
+
+ # Build detection rules
+ if ($Properties.detectionPath) {
+ # Determine if this is a file or folder detection
+ $DetectionRule = @{
+ '@odata.type' = '#microsoft.graph.win32LobAppFileSystemDetection'
+ check32BitOn64System = if ($null -ne $Properties.check32BitOn64System) { [bool]$Properties.check32BitOn64System } else { $false }
+ detectionType = if ($Properties.detectionType) { $Properties.detectionType } else { 'exists' }
+ }
+
+ if ($Properties.detectionFile) {
+ # File detection (path + file)
+ $DetectionRule['path'] = $Properties.detectionPath
+ $DetectionRule['fileOrFolderName'] = $Properties.detectionFile
+ } else {
+ # Folder/File detection (full path)
+ # Split the path into directory and file/folder name
+ $PathItem = Split-Path $Properties.detectionPath -Leaf
+ $ParentPath = Split-Path $Properties.detectionPath -Parent
+
+ if ([string]::IsNullOrEmpty($ParentPath)) {
+ throw "Invalid detection path: $($Properties.detectionPath). Must be a full path."
+ }
+
+ $DetectionRule['path'] = $ParentPath
+ $DetectionRule['fileOrFolderName'] = $PathItem
+ }
+
+ $DetectionRules = @($DetectionRule)
+ } else {
+ # Default detection: Check for a marker file in ProgramData
+ $DetectionRules = @(
+ @{
+ '@odata.type' = '#microsoft.graph.win32LobAppFileSystemDetection'
+ path = '%ProgramData%\CIPPApps'
+ fileOrFolderName = "$($Properties.displayName -replace '[^a-zA-Z0-9]', '_').txt"
+ check32BitOn64System = $false
+ detectionType = 'exists'
+ }
+ )
+ }
+
+ # Build the Win32 app body
+ $AppBody = @{
+ '@odata.type' = '#microsoft.graph.win32LobApp'
+ displayName = $Properties.displayName
+ description = $Properties.description
+ publisher = if ($Properties.publisher) { $Properties.publisher } else { 'CIPP' }
+ fileName = $FileName
+ setupFilePath = 'N/A'
+ installCommandLine = 'powershell.exe -ExecutionPolicy Bypass -File install.ps1'
+ uninstallCommandLine = 'powershell.exe -ExecutionPolicy Bypass -File uninstall.ps1'
+ minimumSupportedWindowsRelease = '1607'
+ detectionRules = $DetectionRules
+ returnCodes = @(
+ @{ returnCode = 0; type = 'success' }
+ @{ returnCode = 1707; type = 'success' }
+ @{ returnCode = 3010; type = 'softReboot' }
+ @{ returnCode = 1641; type = 'hardReboot' }
+ @{ returnCode = 1618; type = 'retry' }
+ )
+ installExperience = @{
+ '@odata.type' = 'microsoft.graph.win32LobAppInstallExperience'
+ runAsAccount = if ($Properties.runAsAccount) { $Properties.runAsAccount } else { 'system' }
+ deviceRestartBehavior = if ($Properties.deviceRestartBehavior) { $Properties.deviceRestartBehavior } else { 'suppress' }
+ }
+ }
+
+ # Create the app first
+ $Baseuri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
+ $NewApp = New-GraphPostRequest -Uri $Baseuri -Body ($AppBody | ConvertTo-Json -Depth 10) -Type POST -tenantid $TenantFilter
+ Start-Sleep -Milliseconds 200
+
+ # Upload the Chocolatey intunewin content
+ Add-CIPPWin32LobAppContent -AppId $NewApp.id -FilePath $IntuneWinFile -FileName $FileName -UnencryptedSize $UnencryptedSize -EncryptionInfo $EncryptionInfo -TenantFilter $TenantFilter
+
+ # Upload PowerShell scripts via the scripts endpoint (newer method)
+ $InstallScriptId = $null
+ $UninstallScriptId = $null
+
+ if ($Properties.installScript) {
+ $InstallScriptContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Properties.installScript))
+ $InstallScriptBody = @{
+ '@odata.type' = '#microsoft.graph.win32LobAppInstallPowerShellScript'
+ displayName = 'install.ps1'
+ enforceSignatureCheck = $false
+ runAs32Bit = $false
+ content = $InstallScriptContent
+ } | ConvertTo-Json
+
+ $InstallScriptResponse = New-GraphPostRequest -Uri "$Baseuri/$($NewApp.id)/microsoft.graph.win32LobApp/contentVersions/1/scripts" -Body $InstallScriptBody -Type POST -tenantid $TenantFilter
+ $InstallScriptId = $InstallScriptResponse.id
+
+ # Wait for script to be committed
+ do {
+ $ScriptState = New-GraphGetRequest -Uri "$Baseuri/$($NewApp.id)/microsoft.graph.win32LobApp/contentVersions/1/scripts/$InstallScriptId" -tenantid $TenantFilter
+ if ($ScriptState.state -like '*fail*') {
+ throw "Failed to commit install script: $($ScriptState.state)"
+ }
+ Start-Sleep -Milliseconds 300
+ } while ($ScriptState.state -eq 'commitPending')
+ }
+
+ if ($Properties.uninstallScript) {
+ $UninstallScriptContent = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Properties.uninstallScript))
+ $UninstallScriptBody = @{
+ '@odata.type' = '#microsoft.graph.win32LobAppUninstallPowerShellScript'
+ displayName = 'uninstall.ps1'
+ enforceSignatureCheck = $false
+ runAs32Bit = $false
+ content = $UninstallScriptContent
+ } | ConvertTo-Json
+
+ $UninstallScriptResponse = New-GraphPostRequest -Uri "$Baseuri/$($NewApp.id)/microsoft.graph.win32LobApp/contentVersions/1/scripts" -Body $UninstallScriptBody -Type POST -tenantid $TenantFilter
+ $UninstallScriptId = $UninstallScriptResponse.id
+
+ # Wait for script to be committed
+ do {
+ $ScriptState = New-GraphGetRequest -Uri "$Baseuri/$($NewApp.id)/microsoft.graph.win32LobApp/contentVersions/1/scripts/$UninstallScriptId" -tenantid $TenantFilter
+ if ($ScriptState.state -like '*fail*') {
+ throw "Failed to commit uninstall script: $($ScriptState.state)"
+ }
+ Start-Sleep -Milliseconds 300
+ } while ($ScriptState.state -eq 'commitPending')
+ }
+
+ # Build final commit body with active script references
+ $CommitBody = @{
+ '@odata.type' = '#microsoft.graph.win32LobApp'
+ committedContentVersion = '1'
+ }
+
+ if ($InstallScriptId) {
+ $CommitBody['activeInstallScript'] = @{ targetId = $InstallScriptId }
+ }
+
+ if ($UninstallScriptId) {
+ $CommitBody['activeUninstallScript'] = @{ targetId = $UninstallScriptId }
+ }
+
+ # Commit the app with script references
+ $null = New-GraphPostRequest -Uri "$Baseuri/$($NewApp.id)" -tenantid $TenantFilter -Body ($CommitBody | ConvertTo-Json -Depth 10) -Type PATCH
+
+ return $NewApp
+}
diff --git a/Modules/CIPPCore/Public/Add-CIPPWin32LobAppContent.ps1 b/Modules/CIPPCore/Public/Add-CIPPWin32LobAppContent.ps1
new file mode 100644
index 000000000000..1b238870e622
--- /dev/null
+++ b/Modules/CIPPCore/Public/Add-CIPPWin32LobAppContent.ps1
@@ -0,0 +1,152 @@
+function Add-CIPPWin32LobAppContent {
+ <#
+ .SYNOPSIS
+ Uploads intunewin file content to a Win32Lob app in Intune.
+
+ .DESCRIPTION
+ This function handles the complete process of uploading an intunewin file to a Win32Lob app:
+ 1. Creates a content version file entry
+ 2. Waits for Azure Storage URI
+ 3. Uploads the file to Azure Storage in chunks
+ 4. Commits the file with encryption info
+ 5. Finalizes the content version
+
+ .PARAMETER AppId
+ The ID of the Win32Lob app to upload content to.
+
+ .PARAMETER FilePath
+ Path to the intunewin file to upload.
+
+ .PARAMETER FileName
+ Name of the file (from XML metadata).
+
+ .PARAMETER UnencryptedSize
+ Unencrypted size of the file (from XML metadata).
+
+ .PARAMETER EncryptionInfo
+ Hashtable containing encryption information from XML:
+ - EncryptionKey
+ - MacKey
+ - InitializationVector
+ - Mac
+ - ProfileIdentifier
+ - FileDigest
+ - FileDigestAlgorithm
+
+ .PARAMETER TenantFilter
+ Tenant ID or domain name for the Graph API call.
+
+ .PARAMETER APIName
+ API name for logging (optional).
+
+ .PARAMETER Headers
+ Request headers for logging (optional).
+
+ .EXAMPLE
+ $EncryptionInfo = @{
+ EncryptionKey = '...'
+ MacKey = '...'
+ InitializationVector = '...'
+ Mac = '...'
+ ProfileIdentifier = 'ProfileVersion1'
+ FileDigest = '...'
+ FileDigestAlgorithm = 'SHA256'
+ }
+ Add-CIPPWin32LobAppContent -AppId '12345' -FilePath 'C:\app.intunewin' -FileName 'app.intunewin' -UnencryptedSize 1024000 -EncryptionInfo $EncryptionInfo -TenantFilter 'contoso.com'
+ #>
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)]
+ [string]$AppId,
+
+ [Parameter(Mandatory = $true)]
+ [string]$FilePath,
+
+ [Parameter(Mandatory = $true)]
+ [string]$FileName,
+
+ [Parameter(Mandatory = $true)]
+ [int64]$UnencryptedSize,
+
+ [Parameter(Mandatory = $true)]
+ [hashtable]$EncryptionInfo,
+
+ [Parameter(Mandatory = $true)]
+ [string]$TenantFilter,
+
+ [Parameter(Mandatory = $false)]
+ [string]$APIName = 'AppUpload',
+
+ [Parameter(Mandatory = $false)]
+ [hashtable]$Headers
+ )
+
+ $BaseUri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
+ $FileInfo = Get-Item $FilePath
+
+ # Create content version file entry
+ $ContentBody = ConvertTo-Json @{
+ name = $FileName
+ size = $UnencryptedSize
+ sizeEncrypted = [int64]$FileInfo.Length
+ }
+
+ $ContentReq = New-GraphPostRequest -Uri "$BaseUri/$AppId/microsoft.graph.win32lobapp/contentVersions/1/files/" -Body $ContentBody -Type POST -tenantid $TenantFilter
+
+ # Wait for Azure Storage URI
+ do {
+ $AzFileUri = New-GraphGetRequest -Uri "$BaseUri/$AppId/microsoft.graph.win32lobapp/contentVersions/1/files/$($ContentReq.id)" -tenantid $TenantFilter
+ if ($AzFileUri.uploadState -like '*fail*') {
+ throw "Failed to get Azure Storage URI. Upload state: $($AzFileUri.uploadState)"
+ }
+ Start-Sleep -Milliseconds 300
+ } while ($null -eq $AzFileUri.AzureStorageUri)
+
+ if ($Headers) {
+ Write-LogMessage -Headers $Headers -API $APIName -message "Uploading file to $($AzFileUri.azureStorageUri)" -Sev 'Info' -tenant $TenantFilter
+ } else {
+ Write-Host "Uploading file to $($AzFileUri.azureStorageUri)"
+ }
+
+ # Upload file to Azure Storage in chunks
+ $chunkSizeInBytes = 4mb
+ [byte[]]$bytes = [System.IO.File]::ReadAllBytes($FileInfo.FullName)
+ $chunks = [Math]::Ceiling($bytes.Length / $chunkSizeInBytes)
+ $id = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($chunks.ToString('0000')))
+ # For anyone that reads this, The maximum chunk size is 100MB for blob storage, so we can upload it as one part and just give it the single ID. Easy :)
+ $null = Invoke-RestMethod -Uri "$($AzFileUri.azureStorageUri)&comp=block&blockid=$id" -Method Put -Headers @{'x-ms-blob-type' = 'BlockBlob' } -InFile $FilePath -ContentType 'application/octet-stream'
+ $null = Invoke-RestMethod -Uri "$($AzFileUri.azureStorageUri)&comp=blocklist" -Method Put -Body "$id" -ContentType 'application/xml'
+
+ # Commit the file with encryption info
+ $EncBody = @{
+ fileEncryptionInfo = @{
+ encryptionKey = $EncryptionInfo.EncryptionKey
+ macKey = $EncryptionInfo.MacKey
+ initializationVector = $EncryptionInfo.InitializationVector
+ mac = $EncryptionInfo.Mac
+ profileIdentifier = $EncryptionInfo.ProfileIdentifier
+ fileDigest = $EncryptionInfo.FileDigest
+ fileDigestAlgorithm = $EncryptionInfo.FileDigestAlgorithm
+ }
+ } | ConvertTo-Json
+
+ $null = New-GraphPostRequest -Uri "$BaseUri/$AppId/microsoft.graph.win32lobapp/contentVersions/1/files/$($ContentReq.id)/commit" -Body $EncBody -Type POST -tenantid $TenantFilter
+
+ # Wait for commit to complete
+ do {
+ $CommitStateReq = New-GraphGetRequest -Uri "$BaseUri/$AppId/microsoft.graph.win32lobapp/contentVersions/1/files/$($ContentReq.id)" -tenantid $TenantFilter
+ if ($CommitStateReq.uploadState -like '*fail*') {
+ $errorMsg = "Commit failed. Upload state: $($CommitStateReq.uploadState)"
+ if ($Headers) {
+ Write-LogMessage -Headers $Headers -API $APIName -message $errorMsg -Sev 'Warning' -tenant $TenantFilter
+ }
+ throw $errorMsg
+ }
+ Start-Sleep -Milliseconds 300
+ } while ($CommitStateReq.uploadState -eq 'commitFilePending')
+
+ # Finalize content version
+ $null = New-GraphPostRequest -Uri "$BaseUri/$AppId" -tenantid $TenantFilter -Body '{"@odata.type":"#microsoft.graph.win32lobapp","committedContentVersion":"1"}' -type PATCH
+
+ return $true
+}
diff --git a/Modules/CIPPCore/Public/Add-CIPPWinGetApp.ps1 b/Modules/CIPPCore/Public/Add-CIPPWinGetApp.ps1
new file mode 100644
index 000000000000..df30b2db096c
--- /dev/null
+++ b/Modules/CIPPCore/Public/Add-CIPPWinGetApp.ps1
@@ -0,0 +1,24 @@
+function Add-CIPPWinGetApp {
+ <#
+ .SYNOPSIS
+ Creates a WinGet app in Intune.
+
+ .DESCRIPTION
+ Creates a new WinGet app using the provided app body.
+ #>
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)]
+ [object]$AppBody,
+
+ [Parameter(Mandatory = $true)]
+ [string]$TenantFilter
+ )
+
+ $BaseUri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
+
+ # Create the WinGet app
+ $NewApp = New-GraphPostRequest -Uri $BaseUri -Body ($AppBody | ConvertTo-Json -Compress) -Type POST -tenantid $TenantFilter
+
+ return $NewApp
+}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAdminPassword.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAdminPassword.ps1
index 27e911fe98b0..b401c18b83b2 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAdminPassword.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAdminPassword.ps1
@@ -13,14 +13,33 @@ function Get-CIPPAlertAdminPassword {
)
try {
$TenantId = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $TenantFilter).customerId
- $AlertData = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'&`$expand=principal" -tenantid $($TenantFilter) | Where-Object { ($_.principalOrganizationId -EQ $TenantId) -and ($_.principal.'@odata.type' -eq '#microsoft.graph.user') } | ForEach-Object {
- $LastChanges = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/users/$($_.principalId)?`$select=UserPrincipalName,lastPasswordChangeDateTime" -tenant $($TenantFilter)
- if ($LastChanges.LastPasswordChangeDateTime -gt (Get-Date).AddDays(-1)) {
- $LastChanges | Select-Object -Property UserPrincipalName, lastPasswordChangeDateTime
+
+ # Get role assignments without expanding principal to avoid rate limiting
+ $RoleAssignments = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10'" -tenantid $($TenantFilter) | Where-Object { $_.principalOrganizationId -EQ $TenantId }
+
+ # Build bulk requests for each principalId
+ $UserRequests = $RoleAssignments | ForEach-Object {
+ [PSCustomObject]@{
+ id = $_.principalId
+ method = 'GET'
+ url = "users/$($_.principalId)?`$select=id,UserPrincipalName,lastPasswordChangeDateTime"
}
}
+
+ # Make bulk call to get user information
+ if ($UserRequests) {
+ $BulkResults = New-GraphBulkRequest -Requests @($UserRequests) -tenantid $TenantFilter
+
+ # Filter users with recent password changes and sort to prevent duplicate alerts
+ $AlertData = $BulkResults | Where-Object { $_.status -eq 200 -and $_.body.lastPasswordChangeDateTime -gt (Get-Date).AddDays(-1) } | ForEach-Object {
+ $_.body | Select-Object -Property UserPrincipalName, lastPasswordChangeDateTime
+ } | Sort-Object UserPrincipalName
+ } else {
+ $AlertData = @()
+ }
+
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Could not get admin password changes for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not get admin password changes for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderMalware.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderMalware.ps1
index 252b5abe1b78..8ac96f34286f 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderMalware.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderMalware.ps1
@@ -30,6 +30,6 @@ function Get-CIPPAlertDefenderMalware {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Could not get malware data for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not get malware data for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderStatus.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderStatus.ps1
index defef38677a1..44ae39bfc7f1 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderStatus.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderStatus.ps1
@@ -29,6 +29,6 @@ function Get-CIPPAlertDefenderStatus {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Could not get defender status for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not get defender status for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDepTokenExpiry.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDepTokenExpiry.ps1
index 23004aa5c307..afc731eefb89 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDepTokenExpiry.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDepTokenExpiry.ps1
@@ -26,6 +26,6 @@ function Get-CIPPAlertDepTokenExpiry {
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check Apple Device Enrollment Program token expiry for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Failed to check Apple Device Enrollment Program token expiry for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDeviceCompliance.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDeviceCompliance.ps1
index ebdf7ee55be8..0ea7bd38fe5c 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDeviceCompliance.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDeviceCompliance.ps1
@@ -15,6 +15,6 @@ function Get-CIPPAlertDeviceCompliance {
$AlertData = New-GraphGETRequest -uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=id,deviceName,managedDeviceOwnerType,complianceState,lastSyncDateTime&`$top=999" -tenantid $TenantFilter
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Could not get compliance state for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not get compliance state for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertEntraConnectSyncStatus.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertEntraConnectSyncStatus.ps1
index 31ebb125ad83..6dd99ceeee8e 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertEntraConnectSyncStatus.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertEntraConnectSyncStatus.ps1
@@ -36,8 +36,6 @@ function Get-CIPPAlertEntraConnectSyncStatus {
}
}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Could not get Entra Connect Sync Status for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -LogData (Get-CippException -Exception $_)
- Write-Information "Could not get Entra Connect Sync Status for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
- Write-Information $_.PositionMessage
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not get Entra Connect Sync Status for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error -LogData (Get-CippException -Exception $_)
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminAllowList.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminAllowList.ps1
index 82ae1ebc1cfb..31a082b0e714 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminAllowList.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminAllowList.ps1
@@ -79,6 +79,6 @@ function Get-CIPPAlertGlobalAdminAllowList {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
}
} catch {
- Write-AlertMessage -tenant $TenantFilter -message "Failed to check approved Global Admins: $(Get-NormalizedError -message $_.Exception.Message)"
+ Write-LogMessage -API 'Alerts' -tenant $TenantFilter -message "Failed to check approved Global Admins: $(Get-NormalizedError -message $_.Exception.Message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGroupMembershipChange.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGroupMembershipChange.ps1
new file mode 100644
index 000000000000..79336a3eed63
--- /dev/null
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGroupMembershipChange.ps1
@@ -0,0 +1,47 @@
+function Get-CIPPAlertGroupMembershipChange {
+ <#
+ .FUNCTIONALITY
+ Entrypoint
+ #>
+ [CmdletBinding()]
+ param (
+ [Parameter(Mandatory = $false)]
+ [Alias('input')]
+ $InputValue,
+ $TenantFilter
+ )
+
+ try {
+ $MonitoredGroups = $InputValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
+ if (!$MonitoredGroups) { return $true }
+
+ $OneHourAgo = (Get-Date).AddHours(-3).ToString('yyyy-MM-ddTHH:mm:ssZ')
+ $AuditLogs = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=activityDateTime ge $OneHourAgo and (activityDisplayName eq 'Add member to group' or activityDisplayName eq 'Remove member from group')" -tenantid $TenantFilter
+
+ $AlertData = foreach ($Log in $AuditLogs) {
+ $Member = ($Log.targetResources | Where-Object { $_.type -in @('User', 'ServicePrincipal') })[0]
+ $GroupProp = ($Member.modifiedProperties | Where-Object { $_.displayName -eq 'Group.DisplayName' })
+ $GroupDisplayName = (($GroupProp.newValue ?? $GroupProp.oldValue) -replace '"', '')
+ if (!$GroupDisplayName -or !($MonitoredGroups | Where-Object { $GroupDisplayName -like $_ })) { continue }
+
+ $InitiatedBy = if ($Log.initiatedBy.user) { $Log.initiatedBy.user.userPrincipalName } else { $Log.initiatedBy.app.displayName }
+ $Action = if ($Log.activityDisplayName -eq 'Add member to group') { 'added to' } else { 'removed from' }
+
+ [PSCustomObject]@{
+ Message = "$($Member.userPrincipalName ?? $Member.displayName) was $Action group '$GroupDisplayName' by $InitiatedBy"
+ GroupName = $GroupDisplayName
+ MemberName = $Member.userPrincipalName ?? $Member.displayName
+ Action = $Log.activityDisplayName
+ InitiatedBy = $InitiatedBy
+ ActivityTime = $Log.activityDateTime
+ Tenant = $TenantFilter
+ }
+ }
+
+ if ($AlertData) {
+ Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+ }
+ } catch {
+ Write-LogMessage -API 'Alerts' -tenant $TenantFilter -message "Could not check group membership changes for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveGuestUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveGuestUsers.ps1
index 839a0af97e37..195b5d51c31c 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveGuestUsers.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveGuestUsers.ps1
@@ -84,6 +84,6 @@ function Get-CIPPAlertInactiveGuestUsers {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive guest users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Failed to check inactive guest users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveLicensedUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveLicensedUsers.ps1
index 09288d3fee13..d7cdd091a2b2 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveLicensedUsers.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveLicensedUsers.ps1
@@ -85,6 +85,6 @@ function Get-CIPPAlertInactiveLicensedUsers {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive users with licenses for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Failed to check inactive users with licenses for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveUsers.ps1
index 037f37e501d5..0eef10e4991e 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveUsers.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveUsers.ps1
@@ -80,6 +80,6 @@ function Get-CIPPAlertInactiveUsers {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive users with licenses for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Failed to check inactive users with licenses for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertIntunePolicyConflicts.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertIntunePolicyConflicts.ps1
index 684f6bd0fc87..965170516e28 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertIntunePolicyConflicts.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertIntunePolicyConflicts.ps1
@@ -90,7 +90,7 @@ function Get-CIPPAlertIntunePolicyConflicts {
}
}
} catch {
- Write-AlertMessage -tenant $TenantFilter -message "Failed to query Intune policy states: $(Get-NormalizedError -message $_.Exception.Message)"
+ Write-LogMessage -API 'Alerts' -tenant $TenantFilter -message "Failed to query Intune policy states: $(Get-NormalizedError -message $_.Exception.Message)" -sev Error
}
}
@@ -117,7 +117,7 @@ function Get-CIPPAlertIntunePolicyConflicts {
}
}
} catch {
- Write-AlertMessage -tenant $TenantFilter -message "Failed to query Intune application states: $(Get-NormalizedError -message $_.Exception.Message)"
+ Write-LogMessage -API 'Alerts' -tenant $TenantFilter -message "Failed to query Intune application states: $(Get-NormalizedError -message $_.Exception.Message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowDomainScore.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowDomainScore.ps1
index e5284435bcdc..674648585221 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowDomainScore.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowDomainScore.ps1
@@ -13,7 +13,7 @@ function Get-CIPPAlertLowDomainScore {
)
$DomainData = Get-CIPPDomainAnalyser -TenantFilter $TenantFilter
- $LowScoreDomains = $DomainData | Where-Object { $_.ScorePercentage -lt $InputValue -and $_.ScorePercentage -ne '' } | ForEach-Object {
+ $LowScoreDomains = $DomainData | Where-Object { $_.ScorePercentage -lt $InputValue -and $_.ScorePercentage -ne '' -and $_.Domain -notlike '*.onmicrosoft.com' -and $_.Domain -notlike '*.mail.onmicrosoft.com' } | ForEach-Object {
[PSCustomObject]@{
Message = "$($_.Domain): Domain security score is $($_.ScorePercentage)%, which is below the threshold of $InputValue%. Issues: $($_.ScoreExplanation)"
Domain = $_.Domain
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowTenantAlignment.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowTenantAlignment.ps1
index bc8c5a04672d..52de70f3b0a5 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowTenantAlignment.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowTenantAlignment.ps1
@@ -27,7 +27,7 @@ function Get-CIPPAlertLowTenantAlignment {
$AlignmentData = Get-CIPPTenantAlignment -TenantFilter $TenantFilter
if (-not $AlignmentData) {
- Write-AlertMessage -tenant $TenantFilter -message "No alignment data found for tenant $TenantFilter. This may indicate no standards templates are configured or applied to this tenant."
+ Write-LogMessage -API 'Alerts' -tenant $TenantFilter -message "No alignment data found for tenant $TenantFilter. This may indicate no standards templates are configured or applied to this tenant." -sev Warning
return
}
@@ -47,6 +47,6 @@ function Get-CIPPAlertLowTenantAlignment {
}
} catch {
- Write-AlertMessage -tenant $TenantFilter -message "Could not get tenant alignment data for $TenantFilter`: $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $TenantFilter -message "Could not get tenant alignment data for $TenantFilter`: $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewMFADevice.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewMFADevice.ps1
new file mode 100644
index 000000000000..9208d700d4dc
--- /dev/null
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewMFADevice.ps1
@@ -0,0 +1,41 @@
+function Get-CIPPAlertNewMFADevice {
+ <#
+ .FUNCTIONALITY
+ Entrypoint
+ #>
+ [CmdletBinding()]
+ param (
+ [Parameter(Mandatory = $false)]
+ [Alias('input')]
+ $InputValue,
+ $TenantFilter
+ )
+
+ try {
+ $OneHourAgo = (Get-Date).AddHours(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
+
+ $AuditLogs = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=activityDateTime ge $OneHourAgo and (activityDisplayName eq 'User registered security info' or activityDisplayName eq 'User deleted security info')" -tenantid $TenantFilter
+ $AlertData = foreach ($Log in $AuditLogs) {
+ if ($Log.activityDisplayName -eq 'User registered security info') {
+ $User = $Log.targetResources[0].userPrincipalName
+ if (-not $User) { $User = $Log.initiatedBy.user.userPrincipalName }
+
+ [PSCustomObject]@{
+ Message = "New MFA method registered: $User"
+ User = $User
+ DisplayName = $Log.targetResources[0].displayName
+ Activity = $Log.activityDisplayName
+ ActivityTime = $Log.activityDateTime
+ Tenant = $TenantFilter
+ }
+ }
+ }
+
+ if ($AlertData) {
+ Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
+ }
+
+ } catch {
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not check for new MFA devices for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
+ }
+}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1
index c0691da7fe0d..9686bd134f87 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1
@@ -14,7 +14,7 @@ function Get-CIPPAlertNewRiskyUsers {
# Check if tenant has P2 capabilities
$Capabilities = Get-CIPPTenantCapabilities -TenantFilter $TenantFilter
if (-not ($Capabilities.AAD_PREMIUM_P2 -eq $true)) {
- Write-AlertMessage -tenant $($TenantFilter) -message 'Tenant does not have Azure AD Premium P2 licensing required for risky users detection'
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message 'Tenant does not have Azure AD Premium P2 licensing required for risky users detection' -sev Warning
return
}
@@ -69,6 +69,6 @@ function Get-CIPPAlertNewRiskyUsers {
}
}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Could not get risky users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not get risky users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRole.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRole.ps1
index 68167632b5b3..c8cae3616484 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRole.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRole.ps1
@@ -43,6 +43,6 @@ function Get-CIPPAlertNewRole {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Could not get get role changes for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not get get role changes for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1
index 48ae1dabff57..24055d1b606e 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNoCAConfig.ps1
@@ -30,7 +30,7 @@ function Get-CIPPAlertNoCAConfig {
}
}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Conditional Access Config Alert: Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Conditional Access Config Alert: Error occurred: $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOnedriveQuota.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOnedriveQuota.ps1
index b39ea94d9a48..b2e786bc9286 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOnedriveQuota.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOnedriveQuota.ps1
@@ -19,7 +19,7 @@ function Get-CIPPAlertOneDriveQuota {
}
} catch {
$ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
- Write-AlertMessage -tenant $($TenantFilter) -message "OneDrive quota Alert: Unable to get OneDrive usage: Error occurred: $ErrorMessage"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "OneDrive quota Alert: Unable to get OneDrive usage: Error occurred: $ErrorMessage" -sev Error
return
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOverusedLicenses.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOverusedLicenses.ps1
index 69e4f0254a84..f0b87d48ac7c 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOverusedLicenses.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertOverusedLicenses.ps1
@@ -39,6 +39,6 @@ function Get-CIPPAlertOverusedLicenses {
}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Overused Licenses Alert Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Overused Licenses Alert Error occurred: $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuarantineReleaseRequests.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuarantineReleaseRequests.ps1
index f0ca6d528e40..b20096d59020 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuarantineReleaseRequests.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertQuarantineReleaseRequests.ps1
@@ -14,7 +14,7 @@
#Add rerun protection: This Monitor can only run once every hour.
$Rerun = Test-CIPPRerun -TenantFilter $TenantFilter -Type 'ExchangeMonitor' -API 'Get-CIPPAlertQuarantineReleaseRequests'
if ($Rerun) {
- return $true
+ return
}
$HasLicense = Test-CIPPStandardLicense -StandardName 'QuarantineReleaseRequests' -TenantFilter $TenantFilter -RequiredCapabilities @(
'EXCHANGE_S_STANDARD',
@@ -25,11 +25,17 @@
)
if (-not $HasLicense) {
- return $true
+ return
}
try {
- $RequestedReleases = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-QuarantineMessage' -cmdParams @{ PageSize = 1000; ReleaseStatus = 'Requested'; StartReceivedDate = (Get-Date).AddHours(-6) } -ErrorAction Stop | Select-Object -ExcludeProperty *data.type*
+ $cmdParams = @{
+ PageSize = 1000
+ ReleaseStatus = 'Requested'
+ StartReceivedDate = (Get-Date).AddHours(-6)
+ EndReceivedDate = (Get-Date).AddHours(0)
+ }
+ $RequestedReleases = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Get-QuarantineMessage' -cmdParams $cmdParams -ErrorAction Stop | Select-Object -ExcludeProperty *data.type* | Sort-Object -Property ReceivedTime
if ($RequestedReleases) {
# Get the CIPP URL for the Quarantine link
@@ -56,6 +62,6 @@
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
}
} catch {
- Write-AlertMessage -tenant $TenantFilter -message "QuarantineReleaseRequests: $(Get-NormalizedError -message $_.Exception.Message)"
+ Write-LogMessage -API 'Alerts' -tenant $TenantFilter -message "QuarantineReleaseRequests: $(Get-NormalizedError -message $_.Exception.Message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertReportOnlyCA.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertReportOnlyCA.ps1
index 6205c9b6ac40..2ce381def049 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertReportOnlyCA.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertReportOnlyCA.ps1
@@ -36,7 +36,7 @@ function Get-CIPPAlertReportOnlyCA {
}
}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Report-Only CA Alert: Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Report-Only CA Alert: Error occurred: $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSecDefaultsDisabled.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSecDefaultsDisabled.ps1
index 104cf17e03fa..a8055e2c6261 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSecDefaultsDisabled.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSecDefaultsDisabled.ps1
@@ -30,6 +30,6 @@ function Get-CIPPAlertSecDefaultsDisabled {
}
}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Security Defaults Disabled Alert: Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Security Defaults Disabled Alert: Error occurred: $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSecureScore.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSecureScore.ps1
index 4bf49b56bbc7..a48a163d8532 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSecureScore.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSecureScore.ps1
@@ -41,6 +41,6 @@ function Get-CippAlertSecureScore {
}
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $SecureScoreResult -PartitionKey SecureScore
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Could not get Secure Score for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Could not get Secure Score for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSoftDeletedMailboxes.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSoftDeletedMailboxes.ps1
index f446ec2e9161..b8ea70697c90 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSoftDeletedMailboxes.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertSoftDeletedMailboxes.ps1
@@ -24,6 +24,6 @@ function Get-CIPPAlertSoftDeletedMailboxes {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check for soft deleted mailboxes in $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Failed to check for soft deleted mailboxes in $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertStaleEntraDevices.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertStaleEntraDevices.ps1
index 29043c3288fd..f44bcd016905 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertStaleEntraDevices.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertStaleEntraDevices.ps1
@@ -78,6 +78,6 @@ function Get-CIPPAlertStaleEntraDevices {
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {}
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Failed to check inactive guest users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Failed to check inactive guest users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertUnusedLicenses.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertUnusedLicenses.ps1
index 4db4e400eb1e..7f470e07d9a1 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertUnusedLicenses.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertUnusedLicenses.ps1
@@ -35,6 +35,6 @@ function Get-CIPPAlertUnusedLicenses {
}
Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
} catch {
- Write-AlertMessage -tenant $($TenantFilter) -message "Unused Licenses Alert Error occurred: $(Get-NormalizedError -message $_.Exception.message)"
+ Write-LogMessage -API 'Alerts' -tenant $($TenantFilter) -message "Unused Licenses Alert Error occurred: $(Get-NormalizedError -message $_.Exception.message)" -sev Error
}
}
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertVulnerabilities.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertVulnerabilities.ps1
index f6cb1d37f0b8..7b6c374eecf7 100644
--- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertVulnerabilities.ps1
+++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertVulnerabilities.ps1
@@ -81,7 +81,6 @@ function Get-CIPPAlertVulnerabilities {
DaysOld = $DaysOld
HoursOld = $HoursOld
AffectedDeviceCount = $Group.Count
- AffectedDevices = $AffectedDevices
SoftwareName = $FirstVuln.softwareName
SoftwareVendor = $FirstVuln.softwareVendor
SoftwareVersion = $FirstVuln.softwareVersion
@@ -90,6 +89,7 @@ function Get-CIPPAlertVulnerabilities {
RecommendedUpdate = $FirstVuln.recommendedSecurityUpdate
RecommendedUpdateId = $FirstVuln.recommendedSecurityUpdateId
RecommendedUpdateUrl = $FirstVuln.recommendedSecurityUpdateUrl
+ AffectedDevices = $AffectedDevices
Tenant = $TenantFilter
}
$AlertData.Add($VulnerabilityAlert)
diff --git a/Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1 b/Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1
index 948d2a17f1fa..0ddd57a18fd2 100644
--- a/Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1
+++ b/Modules/CIPPCore/Public/Authentication/New-CIPPAPIConfig.ps1
@@ -65,6 +65,14 @@ function New-CIPPAPIConfig {
Write-Information $CreateBody
$Step = 'Creating Application'
$APIApp = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/v1.0/applications' -AsApp $true -NoAuthCheck $true -type POST -body $CreateBody
+
+ try {
+ $PolicyUpdate = Update-AppManagementPolicy -ApplicationId $APIApp.appId
+ Write-Information $PolicyUpdate.PolicyAction
+ } catch {
+ Write-Information "Failed to update app management policy: $($_.Exception.Message)"
+ }
+
Write-Information 'Creating password'
$Step = 'Creating Application Password'
$APIPassword = New-GraphPOSTRequest -uri "https://graph.microsoft.com/v1.0/applications/$($APIApp.id)/addPassword" -AsApp $true -NoAuthCheck $true -type POST -body "{`"passwordCredential`":{`"displayName`":`"Generated by API Setup`"}}" -maxRetries 3
diff --git a/Modules/CIPPCore/Public/Authentication/Test-IpInRange.ps1 b/Modules/CIPPCore/Public/Authentication/Test-IpInRange.ps1
index 2279b20ce110..f7103fbca239 100644
--- a/Modules/CIPPCore/Public/Authentication/Test-IpInRange.ps1
+++ b/Modules/CIPPCore/Public/Authentication/Test-IpInRange.ps1
@@ -31,7 +31,8 @@ function Test-IpInRange {
$IP = [System.Net.IPAddress]::Parse($IPAddress)
$rangeParts = $Range -split '/'
$networkAddr = [System.Net.IPAddress]::Parse($rangeParts[0])
- $prefix = [int]$rangeParts[1]
+ $maxBits = if ($networkAddr.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
+ $prefix = if ($rangeParts.Count -gt 1) { [int]$rangeParts[1] } else { $maxBits }
if ($networkAddr.AddressFamily -ne $IP.AddressFamily) {
return $false
@@ -39,7 +40,6 @@ function Test-IpInRange {
$ipBig = ConvertIpToBigInteger $IP
$netBig = ConvertIpToBigInteger $networkAddr
- $maxBits = if ($networkAddr.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
$shift = $maxBits - $prefix
$mask = [System.Numerics.BigInteger]::Pow(2, $shift) - [System.Numerics.BigInteger]::One
$invertedMask = [System.Numerics.BigInteger]::MinusOne -bxor $mask
diff --git a/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1 b/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1
index 60255008687e..4f4f11e1ad2e 100644
--- a/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1
+++ b/Modules/CIPPCore/Public/Clear-CIPPImmutableId.ps1
@@ -3,14 +3,69 @@ function Clear-CIPPImmutableId {
param (
$TenantFilter,
$UserID,
+ $Username, # Optional - used for better logging and scheduling messages
+ $User, # Optional - if provided, will check sync status and schedule if needed
$Headers,
$APIName = 'Clear Immutable ID'
)
try {
+ # If User object is provided, check if we need to schedule instead of clearing immediately
+ if ($User) {
+ # User has ImmutableID but is not synced from on-premises - safe to clear immediately
+ if ($User.onPremisesSyncEnabled -ne $true -and ![string]::IsNullOrEmpty($User.onPremisesImmutableId)) {
+ $DisplayName = $Username ?? $UserID
+ Write-LogMessage -Message "User $DisplayName has an ImmutableID set but is not synced from on-premises. Proceeding to clear the ImmutableID." -TenantFilter $TenantFilter -Severity 'Warning' -APIName $APIName -headers $Headers
+ # Continue to clear below
+ }
+ # User is synced from on-premises - must schedule for after deletion
+ elseif ($User.onPremisesSyncEnabled -eq $true -and ![string]::IsNullOrEmpty($User.onPremisesImmutableId)) {
+ $DisplayName = $Username ?? $UserID
+ Write-LogMessage -Message "User $DisplayName is synced from on-premises. Scheduling an Immutable ID clear for when the user account has been soft deleted." -TenantFilter $TenantFilter -Severity 'Warning' -APIName $APIName -headers $Headers
+
+ $ScheduledTask = @{
+ TenantFilter = $TenantFilter
+ Name = "Clear Immutable ID: $DisplayName"
+ Command = @{ value = 'Clear-CIPPImmutableID' }
+ Parameters = [pscustomobject]@{
+ UserID = $UserID
+ TenantFilter = $TenantFilter
+ APIName = $APIName
+ }
+ Trigger = @{
+ Type = 'DeltaQuery'
+ DeltaResource = 'users'
+ ResourceFilter = @($UserID)
+ EventType = 'deleted'
+ UseConditions = $false
+ ExecutePerResource = $true
+ ExecutionMode = 'once'
+ }
+ ScheduledTime = [int64](([datetime]::UtcNow).AddMinutes(5) - (Get-Date '1/1/1970')).TotalSeconds
+ Recurrence = '15m'
+ PostExecution = @{
+ Webhook = $false
+ Email = $false
+ PSA = $false
+ }
+ }
+ Add-CIPPScheduledTask -Task $ScheduledTask -hidden $false -DisallowDuplicateName $true
+ return 'Scheduled Immutable ID clear task for when the user account is no longer synced in the on-premises directory.'
+ }
+ # User has no ImmutableID or is already clear
+ else {
+ $DisplayName = $Username ?? $UserID
+ $Result = "User $DisplayName does not have an ImmutableID set or it is already cleared."
+ Write-LogMessage -headers $Headers -API $APIName -message $Result -sev Info -tenant $TenantFilter
+ return $Result
+ }
+ }
+
+ # Perform the actual clear operation
try {
- $User = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -ErrorAction SilentlyContinue
+ $UserObj = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -ErrorAction SilentlyContinue
} catch {
+ # User might be deleted, try to restore it
$DeletedUser = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/directory/deletedItems/$UserID" -tenantid $TenantFilter
if ($DeletedUser.id) {
# Restore deleted user object
@@ -22,12 +77,14 @@ function Clear-CIPPImmutableId {
$Body = [pscustomobject]@{ onPremisesImmutableId = $null }
$Body = ConvertTo-Json -InputObject $Body -Depth 5 -Compress
$null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/users/$UserID" -tenantid $TenantFilter -type PATCH -body $Body
- $Result = "Successfully cleared immutable ID for user $UserID"
+ $DisplayName = $Username ?? $UserID
+ $Result = "Successfully cleared immutable ID for user $DisplayName"
Write-LogMessage -headers $Headers -API $APIName -message $Result -sev Info -tenant $TenantFilter
return $Result
} catch {
$ErrorMessage = Get-CippException -Exception $_
- $Result = "Failed to clear immutable ID for $($UserID). Error: $($ErrorMessage.NormalizedError)"
+ $DisplayName = $Username ?? $UserID
+ $Result = "Failed to clear immutable ID for $DisplayName. Error: $($ErrorMessage.NormalizedError)"
Write-LogMessage -headers $Headers -API $APIName -message $Result -sev Error -tenant $TenantFilter -LogData $ErrorMessage
throw $Result
}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Applications/Push-UploadApplication.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Applications/Push-UploadApplication.ps1
index 5aae136f1ba4..b643716861a1 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Applications/Push-UploadApplication.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Applications/Push-UploadApplication.ps1
@@ -14,118 +14,166 @@ function Push-UploadApplication {
$CippRoot = (Get-Item $ModuleRoot).Parent.Parent
Set-Location $CippRoot
- $ChocoApp = (Get-CIPPAzDataTableEntity @Table -filter $Filter).JSON | ConvertFrom-Json
- $intuneBody = $ChocoApp.IntuneBody
- $tenants = if ($ChocoApp.tenant -eq 'AllTenants') {
+ $AppConfig = (Get-CIPPAzDataTableEntity @Table -filter $Filter).JSON | ConvertFrom-Json
+ $intuneBody = $AppConfig.IntuneBody
+ $tenants = if ($AppConfig.tenant -eq 'AllTenants') {
(Get-Tenants -IncludeErrors).defaultDomainName
} else {
- $ChocoApp.tenant
- }
- if ($ChocoApp.type -eq 'MSPApp') {
- [xml]$Intunexml = Get-Content "AddMSPApp\$($ChocoApp.MSPAppName).app.xml"
- $intunewinFilesize = (Get-Item "AddMSPApp\$($ChocoApp.MSPAppName).intunewin")
- $Infile = "AddMSPApp\$($ChocoApp.MSPAppName).intunewin"
- } else {
- [xml]$Intunexml = Get-Content 'AddChocoApp\Choco.App.xml'
- $intunewinFilesize = (Get-Item 'AddChocoApp\IntunePackage.intunewin')
- $Infile = "AddChocoApp\$($intunexml.ApplicationInfo.FileName)"
- }
- $assignTo = $ChocoApp.assignTo
- $AssignToIntent = $ChocoApp.InstallationIntent
- $Baseuri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
- $ContentBody = ConvertTo-Json @{
- name = $intunexml.ApplicationInfo.FileName
- size = [int64]$intunexml.ApplicationInfo.UnencryptedContentSize
- sizeEncrypted = [int64]($intunewinFilesize).length
+ $AppConfig.tenant
}
+ $assignTo = $AppConfig.assignTo
+ $AssignToIntent = $AppConfig.InstallationIntent
$ClearRow = Get-CIPPAzDataTableEntity @Table -Filter $Filter
- $RemoveCacheFile = if ($ChocoApp.tenant -ne 'AllTenants') {
- Remove-AzDataTableEntity -Force @Table -Entity $clearRow
+ if ($AppConfig.tenant -ne 'AllTenants') {
+ $null = Remove-AzDataTableEntity -Force @Table -Entity $clearRow
} else {
$Table.Force = $true
- Add-CIPPAzDataTableEntity @Table -Entity @{
- JSON = "$($ChocoApp | ConvertTo-Json)"
+ $null = Add-CIPPAzDataTableEntity @Table -Entity @{
+ JSON = "$($AppConfig | ConvertTo-Json)"
RowKey = "$($ClearRow.RowKey)"
PartitionKey = 'apps'
status = 'Deployed'
}
}
- $EncBody = @{
- fileEncryptionInfo = @{
- encryptionKey = $intunexml.ApplicationInfo.EncryptionInfo.EncryptionKey
- macKey = $intunexml.ApplicationInfo.EncryptionInfo.MacKey
- initializationVector = $intunexml.ApplicationInfo.EncryptionInfo.InitializationVector
- mac = $intunexml.ApplicationInfo.EncryptionInfo.Mac
- profileIdentifier = $intunexml.ApplicationInfo.EncryptionInfo.ProfileIdentifier
- fileDigest = $intunexml.ApplicationInfo.EncryptionInfo.FileDigest
- fileDigestAlgorithm = $intunexml.ApplicationInfo.EncryptionInfo.FileDigestAlgorithm
- }
- } | ConvertTo-Json
+ # Determine app type (default to 'Choco' if not specified)
+ $AppType = if ($AppConfig.type) { $AppConfig.type } else { 'Choco' }
+
+ # Load files based on app type (only for types that need them)
+ $Intunexml = $null
+ $Infile = $null
+ if ($AppType -eq 'MSPApp') {
+ [xml]$Intunexml = Get-Content "AddMSPApp\$($AppConfig.MSPAppName).app.xml"
+ $Infile = "AddMSPApp\$($AppConfig.MSPAppName).intunewin"
+ } elseif ($AppType -in @('Choco', 'Win32ScriptApp')) {
+ [xml]$Intunexml = Get-Content 'AddChocoApp\Choco.App.xml'
+ $Infile = "AddChocoApp\$($Intunexml.ApplicationInfo.FileName)"
+ }
+
+
+ $baseuri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
foreach ($tenant in $tenants) {
try {
- $ApplicationList = New-GraphGetRequest -Uri $baseuri -tenantid $tenant | Where-Object { $_.DisplayName -eq $ChocoApp.Applicationname -and ($_.'@odata.type' -eq '#microsoft.graph.win32LobApp' -or $_.'@odata.type' -eq '#microsoft.graph.winGetApp') }
+ # Check if app already exists
+ $ApplicationList = New-GraphGetRequest -Uri $baseuri -tenantid $tenant | Where-Object { $_.DisplayName -eq $AppConfig.Applicationname -and ($_.'@odata.type' -eq '#microsoft.graph.win32LobApp' -or $_.'@odata.type' -eq '#microsoft.graph.winGetApp') }
if ($ApplicationList.displayname.count -ge 1) {
- Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($ChocoApp.Applicationname) exists. Skipping this application" -Sev 'Info'
+ Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($AppConfig.Applicationname) exists. Skipping this application" -Sev 'Info'
continue
}
- if ($ChocoApp.type -eq 'WinGet') {
- Write-Host 'Winget!'
- Write-Host ($intuneBody | ConvertTo-Json -Compress)
- $NewApp = New-GraphPostRequest -Uri $baseuri -Body ($intuneBody | ConvertTo-Json -Compress) -Type POST -tenantid $tenant
- Start-Sleep -Milliseconds 200
- Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($ChocoApp.Applicationname) uploaded as WinGet app." -Sev 'Info'
- if ($AssignTo -ne 'On') {
- $intent = if ($AssignToIntent) { 'Uninstall' } else { 'Required' }
- Set-CIPPAssignedApplication -ApplicationId $NewApp.Id -Intent $intent -TenantFilter $tenant -groupName "$AssignTo" -AppType 'WinGet'
+
+ # Route to appropriate handler based on app type
+ $NewApp = $null
+ switch ($AppType) {
+ 'WinGet' {
+ $NewApp = Add-CIPPWinGetApp -AppBody $intuneBody -TenantFilter $tenant
}
- Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($ChocoApp.Applicationname) Successfully created" -Sev 'Info'
- continue
- } else {
- $NewApp = New-GraphPostRequest -Uri $baseuri -Body ($intuneBody | ConvertTo-Json) -Type POST -tenantid $tenant
+ 'Choco' {
+ # Prepare encryption info from XML
+ $EncryptionInfo = @{
+ EncryptionKey = $Intunexml.ApplicationInfo.EncryptionInfo.EncryptionKey
+ MacKey = $Intunexml.ApplicationInfo.EncryptionInfo.MacKey
+ InitializationVector = $Intunexml.ApplicationInfo.EncryptionInfo.InitializationVector
+ Mac = $Intunexml.ApplicationInfo.EncryptionInfo.Mac
+ ProfileIdentifier = $Intunexml.ApplicationInfo.EncryptionInfo.ProfileIdentifier
+ FileDigest = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigest
+ FileDigestAlgorithm = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigestAlgorithm
+ }
- }
- $ContentReq = New-GraphPostRequest -Uri "$($BaseURI)/$($NewApp.id)/microsoft.graph.win32lobapp/contentVersions/1/files/" -Body $ContentBody -Type POST -tenantid $tenant
- do {
- $AzFileUri = New-graphGetRequest -Uri "$($BaseURI)/$($NewApp.id)/microsoft.graph.win32lobapp/contentVersions/1/files/$($ContentReq.id)" -tenantid $tenant
- if ($AZfileuri.uploadState -like '*fail*') { break }
- Start-Sleep -Milliseconds 300
- } while ($AzFileUri.AzureStorageUri -eq $null)
- Write-Host "Uploading file to $($AzFileUri.azureStorageUri)"
- Write-Host "Complete AZ file uri data: $($AzFileUri | ConvertTo-Json -Depth 10)"
- $chunkSizeInBytes = 4mb
- [byte[]]$bytes = [System.IO.File]::ReadAllBytes($($intunewinFilesize.fullname))
- $chunks = [Math]::Ceiling($bytes.Length / $chunkSizeInBytes)
- $id = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($chunks.ToString('0000')))
- #For anyone that reads this, The maximum chunk size is 100MB for blob storage, so we can upload it as one part and just give it the single ID. Easy :)
- $Upload = Invoke-RestMethod -Uri "$($AzFileUri.azureStorageUri)&comp=block&blockid=$id" -Method Put -Headers @{'x-ms-blob-type' = 'BlockBlob' } -InFile $inFile -ContentType 'application/octet-stream'
- Write-Host "Upload data: $($Upload | ConvertTo-Json -Depth 10)"
- $ConfirmUpload = Invoke-RestMethod -Uri "$($AzFileUri.azureStorageUri)&comp=blocklist" -Method Put -Body "$id" -ContentType 'application/xml'
- Write-Host "Confirm Upload data: $($ConfirmUpload | ConvertTo-Json -Depth 10)"
- $CommitReq = New-graphPostRequest -Uri "$($BaseURI)/$($NewApp.id)/microsoft.graph.win32lobapp/contentVersions/1/files/$($ContentReq.id)/commit" -Body $EncBody -Type POST -tenantid $tenant
- Write-Host "Commit Request: $($CommitReq | ConvertTo-Json -Depth 10)"
-
- do {
- $CommitStateReq = New-graphGetRequest -Uri "$($BaseURI)/$($NewApp.id)/microsoft.graph.win32lobapp/contentVersions/1/files/$($ContentReq.id)" -tenantid $tenant
- Write-Host "Commit State Request: $($CommitStateReq | ConvertTo-Json -Depth 10)"
- if ($CommitStateReq.uploadState -like '*fail*') {
- Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($ChocoApp.Applicationname) Commit failed. Please check if app uploaded succesful" -Sev 'Warning'
- break
+ # Build parameters dynamically
+ $Params = @{
+ AppBody = $intuneBody
+ TenantFilter = $tenant
+ FilePath = $Infile
+ FileName = $Intunexml.ApplicationInfo.FileName
+ UnencryptedSize = [int64]$Intunexml.ApplicationInfo.UnencryptedContentSize
+ EncryptionInfo = $EncryptionInfo
+ }
+ if ($AppConfig.Applicationname) { $Params.DisplayName = $AppConfig.Applicationname }
+
+ $NewApp = Add-CIPPPackagedApplication @Params
+ }
+ 'MSPApp' {
+ # Prepare encryption info from XML
+ $EncryptionInfo = @{
+ EncryptionKey = $Intunexml.ApplicationInfo.EncryptionInfo.EncryptionKey
+ MacKey = $Intunexml.ApplicationInfo.EncryptionInfo.MacKey
+ InitializationVector = $Intunexml.ApplicationInfo.EncryptionInfo.InitializationVector
+ Mac = $Intunexml.ApplicationInfo.EncryptionInfo.Mac
+ ProfileIdentifier = $Intunexml.ApplicationInfo.EncryptionInfo.ProfileIdentifier
+ FileDigest = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigest
+ FileDigestAlgorithm = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigestAlgorithm
+ }
+
+ # Build parameters dynamically
+ $Params = @{
+ AppBody = $intuneBody
+ TenantFilter = $tenant
+ FilePath = $Infile
+ FileName = $Intunexml.ApplicationInfo.FileName
+ UnencryptedSize = [int64]$Intunexml.ApplicationInfo.UnencryptedContentSize
+ EncryptionInfo = $EncryptionInfo
+ }
+ if ($AppConfig.Applicationname) { $Params.DisplayName = $AppConfig.Applicationname }
+
+ $NewApp = Add-CIPPPackagedApplication @Params
+ }
+ 'Win32ScriptApp' {
+ # Prepare encryption info from XML
+ $EncryptionInfo = @{
+ EncryptionKey = $Intunexml.ApplicationInfo.EncryptionInfo.EncryptionKey
+ MacKey = $Intunexml.ApplicationInfo.EncryptionInfo.MacKey
+ InitializationVector = $Intunexml.ApplicationInfo.EncryptionInfo.InitializationVector
+ Mac = $Intunexml.ApplicationInfo.EncryptionInfo.Mac
+ ProfileIdentifier = $Intunexml.ApplicationInfo.EncryptionInfo.ProfileIdentifier
+ FileDigest = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigest
+ FileDigestAlgorithm = $Intunexml.ApplicationInfo.EncryptionInfo.FileDigestAlgorithm
+ }
+
+ # Build properties dynamically
+ $Properties = @{
+ displayName = $AppConfig.Applicationname
+ installScript = $AppConfig.installScript
+ }
+
+ # A few of these are probably mandatory
+ if ($AppConfig.description) { $Properties['description'] = $AppConfig.description }
+ if ($AppConfig.publisher) { $Properties['publisher'] = $AppConfig.publisher }
+ if ($AppConfig.uninstallScript) { $Properties['uninstallScript'] = $AppConfig.uninstallScript }
+ if ($AppConfig.detectionPath) { $Properties['detectionPath'] = $AppConfig.detectionPath }
+ if ($AppConfig.detectionFile) { $Properties['detectionFile'] = $AppConfig.detectionFile }
+ if ($AppConfig.runAsAccount) { $Properties['runAsAccount'] = $AppConfig.runAsAccount }
+ if ($AppConfig.deviceRestartBehavior) { $Properties['deviceRestartBehavior'] = $AppConfig.deviceRestartBehavior }
+ if ($null -ne $AppConfig.runAs32Bit) { $Properties['runAs32Bit'] = $AppConfig.runAs32Bit }
+ if ($null -ne $AppConfig.enforceSignatureCheck) { $Properties['enforceSignatureCheck'] = $AppConfig.enforceSignatureCheck }
+
+ $NewApp = Add-CIPPW32ScriptApplication -TenantFilter $tenant -Properties ([PSCustomObject]$Properties)
+ }
+ 'WinGetNew' {
+ # I think we don't need a separate WinGetNew type, just use WinGet?
}
- Start-Sleep -Milliseconds 300
- } while ($CommitStateReq.uploadState -eq 'commitFilePending')
- $CommitFinalizeReq = New-graphPostRequest -Uri "$($BaseURI)/$($NewApp.id)" -tenantid $tenant -Body '{"@odata.type":"#microsoft.graph.win32lobapp","committedContentVersion":"1"}' -type PATCH
- Write-Host "Commit Finalize Request: $($CommitFinalizeReq | ConvertTo-Json -Depth 10)"
- Write-LogMessage -api 'AppUpload' -tenant $tenant -message "Added Application $($ChocoApp.Applicationname)" -Sev 'Info'
- if ($AssignTo -ne 'On') {
- $intent = if ($AssignToIntent) { 'Uninstall' } else { 'Required' }
- Set-CIPPAssignedApplication -ApplicationId $NewApp.Id -Intent $intent -TenantFilter $tenant -groupName "$AssignTo" -AppType 'Win32Lob'
+ default {
+ throw "Unsupported app type: $($AppConfig.type)"
+ }
+ }
+ # Log success and assign app if requested
+ if ($NewApp) {
+ Write-LogMessage -api 'AppUpload' -tenant $tenant -message "$($AppConfig.Applicationname) Successfully created" -Sev 'Info'
+
+ if ($assignTo -and $assignTo -ne 'On') {
+ $intent = if ($AssignToIntent) { 'Uninstall' } else { 'Required' }
+ $AppTypeForAssignment = switch ($AppType) {
+ 'WinGet' { 'WinGet' }
+ 'WinGetNew' { 'WinGet' }
+ default { 'Win32Lob' }
+ }
+ Start-Sleep -Milliseconds 200
+ Set-CIPPAssignedApplication -ApplicationId $NewApp.Id -TenantFilter $tenant -groupName $assignTo -Intent $intent -AppType $AppTypeForAssignment -APIName 'AppUpload'
+ }
}
- Write-LogMessage -api 'AppUpload' -tenant $tenant -message 'Successfully added Application' -Sev 'Info'
} catch {
- "Failed to add Application for $($Tenant): $($_.Exception.Message)"
- Write-LogMessage -api 'AppUpload' -tenant $tenant -message "Failed adding Application $($ChocoApp.Applicationname). Error: $($_.Exception.Message)" -LogData (Get-CippException -Exception $_) -Sev 'Error'
+ "Failed to add Application for $tenant : $($_.Exception.Message)"
+ Write-LogMessage -api 'AppUpload' -tenant $tenant -message "Failed adding Application $($AppConfig.Applicationname). Error: $($_.Exception.Message)" -LogData (Get-CippException -Exception $_) -Sev 'Error'
continue
}
}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1
index 43444b4a4101..f3ac78cf719a 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Domain Analyser/Push-DomainAnalyserTenant.ps1
@@ -5,7 +5,7 @@ function Push-DomainAnalyserTenant {
#>
param($Item)
- $Tenant = Get-Tenants -IncludeAll | Where-Object { $_.customerId -eq $Item.customerId } | Select-Object -First 1
+ $Tenant = Get-Tenants -TenantFilter $Item.customerId
$DomainTable = Get-CippTable -tablename 'Domains'
if ($Tenant.Excluded -eq $true) {
@@ -20,6 +20,14 @@ function Push-DomainAnalyserTenant {
return
} else {
try {
+ # Get domains from cached database instead of making Graph API calls
+ $Domains = New-CIPPDbRequest -TenantFilter $Tenant.defaultDomainName -Type 'Domains'
+
+ if (-not $Domains) {
+ Write-LogMessage -API 'DomainAnalyser' -tenant $Tenant.defaultDomainName -tenantid $Tenant.customerId -message 'No cached domain data found. Domain analysis will be skipped until data collection completes.' -sev Info
+ return
+ }
+
# Remove domains that are not wanted, and used for cloud signature services. Same exclusions also found in Invoke-CIPPStandardAddDKIM
$ExclusionDomains = @(
'*.microsoftonline.com'
@@ -35,7 +43,7 @@ function Push-DomainAnalyserTenant {
'*.ucconnect.co.uk'
'*.teams-sbc.dk'
)
- $Domains = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/domains' -tenantid $Tenant.customerId | Where-Object { $_.isVerified -eq $true } | ForEach-Object {
+ $Domains = $Domains | Where-Object { $_.isVerified -eq $true } | ForEach-Object {
$Domain = $_
foreach ($ExclusionDomain in $ExclusionDomains) {
if ($Domain.id -like $ExclusionDomain) {
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1
index 6bdf8f889ddf..907f5ad3de9d 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPDBCacheData.ps1
@@ -50,9 +50,6 @@ function Push-CIPPDBCacheData {
'SecureScore'
'PIMSettings'
'Domains'
- 'RoleEligibilitySchedules'
- 'RoleManagementPolicies'
- 'RoleAssignmentScheduleInstances'
'B2BManagementPolicy'
'AuthenticationFlowsPolicy'
'DeviceRegistrationPolicy'
@@ -130,13 +127,16 @@ function Push-CIPPDBCacheData {
}
#endregion Conditional Access Licensed
- #region Azure AD Premium P2 - Identity Protection features
+ #region Azure AD Premium P2 - Identity Protection/PIM features
if ($AzureADPremiumP2Capable) {
$P2CacheFunctions = @(
'RiskyUsers'
'RiskyServicePrincipals'
'ServicePrincipalRiskDetections'
'RiskDetections'
+ 'RoleEligibilitySchedules'
+ 'RoleAssignmentSchedules'
+ 'RoleManagementPolicies'
)
foreach ($CacheFunction in $P2CacheFunctions) {
$Batch.Add(@{
@@ -158,6 +158,7 @@ function Push-CIPPDBCacheData {
'IntunePolicies'
'ManagedDeviceEncryptionStates'
'IntuneAppProtectionPolicies'
+ 'DetectedApps'
)
foreach ($CacheFunction in $IntuneCacheFunctions) {
$Batch.Add(@{
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPOffboardingComplete.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPOffboardingComplete.ps1
new file mode 100644
index 000000000000..8d86e31a27a3
--- /dev/null
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPOffboardingComplete.ps1
@@ -0,0 +1,120 @@
+function Push-CIPPOffboardingComplete {
+ <#
+ .SYNOPSIS
+ Post-execution handler for offboarding orchestration completion
+
+ .DESCRIPTION
+ Updates the scheduled task state when offboarding completes
+
+ .FUNCTIONALITY
+ Entrypoint
+ #>
+ [CmdletBinding()]
+ param($Item)
+
+ $TaskInfo = $Item.Parameters.TaskInfo
+ $TenantFilter = $Item.Parameters.TenantFilter
+ $Username = $Item.Parameters.Username
+ $Results = $Item.Results # Results come from orchestrator, not Parameters
+
+ try {
+ Write-Information "Completing offboarding orchestration for $Username in tenant $TenantFilter"
+ Write-Information "Raw results from orchestrator: $($Results | ConvertTo-Json -Depth 10)"
+
+ # Flatten nested arrays from orchestrator results
+ # Activity functions may return arrays like [result, "status message"]
+ $FlattenedResults = @(
+ foreach ($BatchResult in $Results) {
+ if ($BatchResult -is [array] -and $BatchResult.Count -gt 0) {
+ Write-Information "Result is array with $($BatchResult.Count) elements, extracting elements"
+ # Output all elements from the array
+ foreach ($element in $BatchResult) {
+ if ($null -ne $element -and $element -ne '') {
+ $element
+ }
+ }
+ } elseif ($null -ne $BatchResult -and $BatchResult -ne '') {
+ # Single item - output it
+ $BatchResult
+ }
+ }
+ )
+
+ # Process results in the same way as Push-ExecScheduledCommand
+ if ($FlattenedResults.Count -eq 0) {
+ $ProcessedResults = "Offboarding completed successfully for $Username"
+ } else {
+ Write-Information "Processing $($FlattenedResults.Count) flattened results: $($FlattenedResults | ConvertTo-Json -Depth 10)"
+
+ # Normalize results format
+ if ($FlattenedResults -is [string]) {
+ $ProcessedResults = @{ Results = $FlattenedResults }
+ } elseif ($FlattenedResults -is [array]) {
+ # Filter and process string or resultText items
+ $StringResults = $FlattenedResults | Where-Object { $_ -is [string] -or $_.resultText -is [string] }
+ if ($StringResults) {
+ $ProcessedResults = $StringResults | ForEach-Object {
+ $Message = if ($_ -is [string]) { $_ } else { $_.resultText }
+ @{ Results = $Message }
+ }
+ } else {
+ # Keep structured results as-is
+ $ProcessedResults = $FlattenedResults
+ }
+ } else {
+ $ProcessedResults = $FlattenedResults
+ }
+ }
+
+ Write-Information "Results after processing: $($ProcessedResults | ConvertTo-Json -Depth 10)"
+
+ # Prepare results for storage
+ if ($ProcessedResults -is [string]) {
+ $StoredResults = $ProcessedResults
+ } else {
+ $ProcessedResults = $ProcessedResults | Select-Object * -ExcludeProperty RowKey, PartitionKey
+ $StoredResults = $ProcessedResults | ConvertTo-Json -Compress -Depth 20 | Out-String
+ }
+
+ if ($TaskInfo) {
+ # Update scheduled task to completed state
+ $Table = Get-CippTable -tablename 'ScheduledTasks'
+ $currentUnixTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
+
+ # Check if results are too large and need separate storage
+ if ($StoredResults.Length -gt 64000) {
+ Write-Information 'Results exceed 64KB limit. Storing in ScheduledTaskResults table.'
+ $TaskResultsTable = Get-CippTable -tablename 'ScheduledTaskResults'
+ $TaskResults = @{
+ PartitionKey = $TaskInfo.RowKey
+ RowKey = $TenantFilter
+ Results = [string](ConvertTo-Json -Compress -Depth 20 $ProcessedResults)
+ }
+ $null = Add-CIPPAzDataTableEntity @TaskResultsTable -Entity $TaskResults -Force
+ $StoredResults = @{ Results = 'Offboarding completed, details are available in the More Info pane' } | ConvertTo-Json -Compress
+ }
+
+ $null = Update-AzDataTableEntity -Force @Table -Entity @{
+ PartitionKey = $TaskInfo.PartitionKey
+ RowKey = $TaskInfo.RowKey
+ Results = "$StoredResults"
+ ExecutedTime = "$currentUnixTime"
+ TaskState = 'Completed'
+ }
+
+ Write-LogMessage -API 'Offboarding' -tenant $TenantFilter -message "Offboarding completed successfully for $Username" -sev Info
+
+ # Send post-execution alerts if configured
+ if ($TaskInfo.PostExecution -and $ProcessedResults) {
+ Send-CIPPScheduledTaskAlert -Results $ProcessedResults -TaskInfo $TaskInfo -TenantFilter $TenantFilter
+ }
+ }
+
+ return "Offboarding completed for $Username"
+
+ } catch {
+ $ErrorMsg = "Failed to complete offboarding for $Username : $($_.Exception.Message)"
+ Write-LogMessage -API 'Offboarding' -tenant $TenantFilter -message $ErrorMsg -sev Error
+ throw $ErrorMsg
+ }
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPOffboardingTask.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPOffboardingTask.ps1
new file mode 100644
index 000000000000..7f0243f4d9c9
--- /dev/null
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-CIPPOffboardingTask.ps1
@@ -0,0 +1,38 @@
+function Push-CIPPOffboardingTask {
+ <#
+ .SYNOPSIS
+ Generic wrapper to execute individual offboarding task cmdlets
+
+ .DESCRIPTION
+ Executes the specified cmdlet with the provided parameters as part of user offboarding
+
+ .FUNCTIONALITY
+ Entrypoint
+ #>
+ [CmdletBinding()]
+ param($Item)
+
+ $Cmdlet = $Item.Cmdlet
+ $Parameters = $Item.Parameters | ConvertTo-Json -Depth 5 | ConvertFrom-Json -AsHashtable
+
+ try {
+ Write-Information "Executing offboarding cmdlet: $Cmdlet"
+
+ # Check if cmdlet exists
+ $CmdletInfo = Get-Command -Name $Cmdlet -ErrorAction SilentlyContinue
+ if (-not $CmdletInfo) {
+ throw "Cmdlet $Cmdlet does not exist"
+ }
+
+ # Execute the cmdlet with splatting
+ $Result = & $Cmdlet @Parameters
+
+ Write-Information "Completed $Cmdlet successfully"
+ return $Result
+
+ } catch {
+ $ErrorMsg = "Failed to execute $Cmdlet : $($_.Exception.Message)"
+ Write-Information $ErrorMsg
+ return $ErrorMsg
+ }
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecJITAdminListAllTenants.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecJITAdminListAllTenants.ps1
index 0f14c76645ab..2a4ec142805d 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecJITAdminListAllTenants.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecJITAdminListAllTenants.ps1
@@ -13,27 +13,26 @@ function Push-ExecJITAdminListAllTenants {
# Get schema extensions
$Schema = Get-CIPPSchemaExtensions | Where-Object { $_.id -match '_cippUser' } | Select-Object -First 1
- # Query users with JIT Admin enabled
- $Query = @{
- TenantFilter = $DomainName # Use $DomainName for the current tenant
- Endpoint = 'users'
- Parameters = @{
- '$count' = 'true'
- '$select' = "id,accountEnabled,displayName,userPrincipalName,$($Schema.id)"
- '$filter' = "$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false" # Fetches both states to cache current status
- }
- }
- $Users = Get-GraphRequestList @Query | Where-Object { $_.id }
+ # Query users with JIT Admin enabled using bulk request
+ $BulkRequests = [System.Collections.Generic.List[object]]::new()
+ $BulkRequests.Add(@{
+ id = 'users'
+ method = 'GET'
+ url = "users?`$count=true&`$select=id,accountEnabled,displayName,userPrincipalName,$($Schema.id)&`$filter=$($Schema.id)/jitAdminEnabled eq true or $($Schema.id)/jitAdminEnabled eq false&`$top=999"
+ })
+
+ $BulkResults = New-GraphBulkRequest -tenantid $DomainName -Requests $BulkRequests
+ $Users = ($BulkResults | Where-Object { $_.id -eq 'users' }).body.value | Where-Object { $_.id }
if ($Users) {
# Get role memberships
- $BulkRequests = $Users | ForEach-Object { @(
- @{
- id = $_.id
+ $BulkRequests.Clear()
+ foreach ($User in $Users) {
+ $BulkRequests.Add(@{
+ id = $User.id
method = 'GET'
- url = "users/$($_.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
- }
- )
+ url = "users/$($User.id)/memberOf/microsoft.graph.directoryRole/?`$select=id,displayName"
+ })
}
# Ensure $BulkRequests is not empty or null before making the bulk request
if ($BulkRequests -and $BulkRequests.Count -gt 0) {
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecOnboardTenantQueue.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecOnboardTenantQueue.ps1
index 23ca76c1adeb..b3d6805ff988 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecOnboardTenantQueue.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecOnboardTenantQueue.ps1
@@ -47,7 +47,10 @@ function Push-ExecOnboardTenantQueue {
@{ Name = 'SharePoint Administrator'; Id = 'f28a1f50-f6e7-4571-818b-6a12f2af6b6c' },
@{ Name = 'Authentication Policy Administrator'; Id = '0526716b-113d-4c15-b2c8-68e3c22b9f80' },
@{ Name = 'Privileged Role Administrator'; Id = 'e8611ab8-c189-46e8-94e1-60213ab1f814' },
- @{ Name = 'Privileged Authentication Administrator'; Id = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' }
+ @{ Name = 'Privileged Authentication Administrator'; Id = '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' },
+ @{ Name = 'Billing Administrator'; Id = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'; Optional = $true },
+ @{ Name = 'Global Reader'; Id = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'; Optional = $true },
+ @{ Name = 'Domain Name Administrator'; Id = '8329153b-31d0-4727-b945-745eb3bc5f31'; Optional = $true }
)
if ($OnboardingSteps.Step1.Status -ne 'succeeded') {
@@ -99,14 +102,16 @@ function Push-ExecOnboardTenantQueue {
}
if (($MissingRoles | Measure-Object).Count -gt 0) {
$Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Missing roles for relationship' })
- if ($Item.IgnoreMissingRoles -ne $true) {
+ $RequiredMissingRoles = $ExpectedRoles | Where-Object { $_.Optional -ne $true -and $MissingRoles -contains $_.Name }
+ if ($Item.IgnoreMissingRoles -ne $true -and ($RequiredMissingRoles | Measure-Object).Count -gt 0) {
+ $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Missing the following required roles: $($MissingRoles -join ', ')" })
$TenantOnboarding.Status = 'failed'
$OnboardingSteps.Step2.Status = 'failed'
$OnboardingSteps.Step2.Message = "Your GDAP relationship is missing the following roles: $($MissingRoles -join ', ')"
} else {
$Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Ignoring missing roles' })
$OnboardingSteps.Step2.Status = 'succeeded'
- $OnboardingSteps.Step2.Message = 'Your GDAP relationship is missing some roles, but the onboarding will continue'
+ $OnboardingSteps.Step2.Message = "Your GDAP relationship is missing some roles, but the onboarding will continue. Missing roles: $($MissingRoles -join ', ')"
}
} else {
$Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Required roles found' })
@@ -121,6 +126,7 @@ function Push-ExecOnboardTenantQueue {
if ($OnboardingSteps.Step2.Status -eq 'succeeded') {
$Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Checking group mapping' })
$AccessAssignments = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments"
+ $AccessAssignments = $AccessAssignments | Where-Object { $_.status -notin @('deleted', 'deleting') }
if ($AccessAssignments.id -and $Item.AutoMapRoles -ne $true) {
$Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Groups mapped' })
$OnboardingSteps.Step3.Status = 'succeeded'
@@ -223,6 +229,7 @@ function Push-ExecOnboardTenantQueue {
do {
$AccessAssignments = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/tenantRelationships/delegatedAdminRelationships/$Id/accessAssignments"
+ $AccessAssignments = $AccessAssignments | Where-Object { $_.status -notin @('deleted', 'deleting') }
Start-Sleep -Seconds 15
} while ($AccessAssignments.status -contains 'pending' -and (Get-Date) -lt $Start.AddMinutes(8))
@@ -231,19 +238,58 @@ function Push-ExecOnboardTenantQueue {
$OnboardingSteps.Step3.Status = 'succeeded'
$Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = 'Checking for missing groups for SAM user' })
- $SamUserId = (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/me?`$select=id" -NoAuthCheck $true).id
- $CurrentMemberships = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/me/transitiveMemberOf?`$select=id,displayName" -NoAuthCheck $true
- $ExpectedCippRoles = $Item.Roles | Where-Object { $_.roleDefinitionId -in $ExpectedRoles.roleDefinitionId }
+ $BulkRequests = @(
+ @{
+ id = 'samUserId'
+ method = 'GET'
+ url = "/me?`$select=id"
+ },
+ @{
+ id = 'currentMemberships'
+ method = 'GET'
+ url = "/me/transitiveMemberOf?`$select=id,displayName"
+ }
+ )
+ $BulkResults = New-GraphBulkRequest -Requests $BulkRequests -NoAuthCheck $true
+ $SamUserId = ($BulkResults | Where-Object { $_.id -eq 'samUserId' }).body.id
+ $CurrentMemberships = ($BulkResults | Where-Object { $_.id -eq 'currentMemberships' }).body.value
+ $ExpectedCippRoles = $Item.Roles | Where-Object { $_.roleDefinitionId -in $ExpectedRoles.Id }
+
+ # Build bulk requests for missing group memberships
+ $GroupMembershipRequests = [System.Collections.Generic.List[object]]::new()
+ $GroupMembershipLogs = [System.Collections.Generic.List[object]]::new()
+
foreach ($Role in $ExpectedCippRoles) {
if ($CurrentMemberships.id -notcontains $Role.GroupId) {
- $PostBody = @{
- '@odata.id' = 'https://graph.microsoft.com/v1.0/directoryObjects/{0}' -f $SamUserId
- } | ConvertTo-Json -Compress
- try {
- New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($Role.GroupId)/members/`$ref" -body $PostBody -AsApp $true -NoAuthCheck $true
- $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Added SAM user to $($Role.GroupName)" })
- } catch {
- $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Failed to add SAM user to $($Role.GroupName) - $($_.Exception.Message)" })
+ $GroupMembershipRequests.Add(@{
+ id = "addSamUser-$($Role.GroupId)"
+ method = 'POST'
+ url = "groups/$($Role.GroupId)/members/`$ref"
+ body = @{
+ '@odata.id' = 'https://graph.microsoft.com/v1.0/directoryObjects/{0}' -f $SamUserId
+ }
+ headers = @{
+ 'Content-Type' = 'application/json'
+ }
+ })
+ $GroupMembershipLogs.Add(@{
+ id = "addSamUser-$($Role.GroupId)"
+ GroupName = $Role.GroupName
+ })
+ }
+ }
+
+ # Execute bulk group membership additions if any are needed
+ if ($GroupMembershipRequests.Count -gt 0) {
+ $GroupMembershipResults = New-GraphBulkRequest -Requests $GroupMembershipRequests -AsApp $true -NoAuthCheck $true
+
+ foreach ($LogEntry in $GroupMembershipLogs) {
+ $Result = $GroupMembershipResults | Where-Object { $_.id -eq $LogEntry.id }
+ if ($Result.status -match '^2[0-9]+') {
+ $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Added SAM user to $($LogEntry.GroupName)" })
+ } else {
+ $ErrorMessage = if ($Result.body.error.message) { $Result.body.error.message } else { 'Unknown error' }
+ $Logs.Add([PSCustomObject]@{ Date = (Get-Date).ToUniversalTime(); Log = "Failed to add SAM user to $($LogEntry.GroupName) - $ErrorMessage" })
}
}
}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1
index ccc7249ed798..a7744b0a1af0 100644
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1
@@ -7,6 +7,9 @@ function Push-ExecScheduledCommand {
$item = $Item | ConvertTo-Json -Depth 100 | ConvertFrom-Json
Write-Information "We are going to be running a scheduled task: $($Item.TaskInfo | ConvertTo-Json -Depth 10)"
+ # Define orchestrator-based commands that handle their own post-execution and state updates
+ $OrchestratorBasedCommands = @('Invoke-CIPPOffboardingJob')
+
# Initialize AsyncLocal storage for thread-safe per-invocation context
if (-not $script:CippScheduledTaskIdStorage) {
$script:CippScheduledTaskIdStorage = [System.Threading.AsyncLocal[string]]::new()
@@ -225,6 +228,12 @@ function Push-ExecScheduledCommand {
try {
if (-not $Trigger.ExecutePerResource) {
try {
+ # For orchestrator-based commands, add TaskInfo to enable post-execution updates
+ if ($Item.Command -eq 'Invoke-CIPPOffboardingJob') {
+ Write-Information 'Adding TaskInfo to command parameters for orchestrator-based offboarding'
+ $commandParameters['TaskInfo'] = $task
+ }
+
Write-Information "Starting task: $($Item.Command) for tenant: $Tenant with parameters: $($commandParameters | ConvertTo-Json)"
$results = & $Item.Command @commandParameters
} catch {
@@ -308,45 +317,25 @@ function Push-ExecScheduledCommand {
}
Write-LogMessage -API 'Scheduler_UserTasks' -tenant $Tenant -tenantid $TenantInfo.customerId -message "Failed to execute task $($task.Name): $errorMessage" -sev Error -LogData (Get-CippExceptionData -Exception $_.Exception)
}
- Write-Information 'Sending task results to target. Updating the task state.'
-
- if ($Results) {
- $TableDesign = ''
- $FinalResults = if ($results -is [array] -and $results[0] -is [string]) { $Results | ConvertTo-Html -Fragment -Property @{ l = 'Text'; e = { $_ } } } else { $Results | ConvertTo-Html -Fragment }
- $HTML = $FinalResults -replace '', "This alert is for tenant $Tenant.
$TableDesign" | Out-String
-
- # Add alert comment if available
- if ($task.AlertComment) {
- if ($task.AlertComment -match '%resultcount%') {
- $resultCount = if ($Results -is [array]) { $Results.Count } else { 1 }
- $task.AlertComment = $task.AlertComment -replace '%resultcount%', "$resultCount"
- }
- $task.AlertComment = Get-CIPPTextReplacement -Text $task.AlertComment -TenantFilter $Tenant
- $HTML += "Alert Information
$($task.AlertComment)
$JSONContent`"}"
- Invoke-RestMethod -Uri $webhook -Method POST -ContentType 'Application/json' -Body $JSONBody
+ $TeamsBody = [PSCustomObject]@{
+ text = "You've setup your alert policies to be alerted whenever specific events happen. We've found some of these events in the log.
$ReplacedContent"
+ } | ConvertTo-Json -Compress
+ Invoke-RestMethod -Uri $webhook -Method POST -ContentType 'Application/json' -Body $TeamsBody
}
'*discord.com*' {
- $JSONBody = "{`"content`": `"You've setup your alert policies to be alerted whenever specific events happen. We've found some of these events in the log. $JSONContent`"}"
- Invoke-RestMethod -Uri $webhook -Method POST -ContentType 'Application/json' -Body $JSONBody
+ $DiscordBody = [PSCustomObject]@{
+ content = "You've setup your alert policies to be alerted whenever specific events happen. We've found some of these events in the log. ``````$ReplacedContent``````"
+ } | ConvertTo-Json -Compress
+ Invoke-RestMethod -Uri $webhook -Method POST -ContentType 'Application/json' -Body $DiscordBody
}
'*slack.com*' {
$SlackBlocks = Get-SlackAlertBlocks -JSONBody $JSONContent
if ($SlackBlocks.blocks) {
- $JSONBody = $SlackBlocks | ConvertTo-Json -Depth 10 -Compress
+ $SlackBody = $SlackBlocks | ConvertTo-Json -Depth 10 -Compress
} else {
- $JSONBody = "{`"text`": `"You've setup your alert policies to be alerted whenever specific events happen. We've found some of these events in the log. $JSONContent`"}"
+ $SlackBody = [PSCustomObject]@{
+ text = "You've setup your alert policies to be alerted whenever specific events happen. We've found some of these events in the log. ``````$ReplacedContent``````"
+ } | ConvertTo-Json -Compress
}
- Invoke-RestMethod -Uri $webhook -Method POST -ContentType 'Application/json' -Body $JSONBody
+ Invoke-RestMethod -Uri $webhook -Method POST -ContentType 'Application/json' -Body $SlackBody
}
default {
$RestMethod = @{
Uri = $webhook
Method = 'POST'
ContentType = 'application/json'
- Body = $JSONContent
+ Body = $ReplacedContent
}
if ($Headers) {
$RestMethod['Headers'] = $Headers
diff --git a/Modules/CIPPCore/Public/Send-CIPPScheduledTaskAlert.ps1 b/Modules/CIPPCore/Public/Send-CIPPScheduledTaskAlert.ps1
new file mode 100644
index 000000000000..1f8b163fe714
--- /dev/null
+++ b/Modules/CIPPCore/Public/Send-CIPPScheduledTaskAlert.ps1
@@ -0,0 +1,100 @@
+function Send-CIPPScheduledTaskAlert {
+ <#
+ .SYNOPSIS
+ Send post-execution alerts for scheduled tasks
+
+ .DESCRIPTION
+ Handles sending alerts (PSA, Email, Webhook) for scheduled task completion
+
+ .PARAMETER Results
+ The results to send in the alert
+
+ .PARAMETER TaskInfo
+ The task information from the ScheduledTasks table
+
+ .PARAMETER TenantFilter
+ The tenant filter for the task
+
+ .PARAMETER TaskType
+ The type of task (default: 'Scheduled Task')
+ #>
+ [CmdletBinding()]
+ param(
+ [Parameter(Mandatory = $true)]
+ $Results,
+
+ [Parameter(Mandatory = $true)]
+ $TaskInfo,
+
+ [Parameter(Mandatory = $true)]
+ [string]$TenantFilter,
+
+ [Parameter(Mandatory = $false)]
+ [string]$TaskType = 'Scheduled Task'
+ )
+
+ try {
+ Write-Information "Sending post-execution alerts for task $($TaskInfo.Name)"
+
+ # Get tenant information
+ $TenantInfo = Get-Tenants -TenantFilter $TenantFilter
+
+ # Build HTML with adaptive table styling
+ $TableDesign = ''
+ $FinalResults = if ($Results -is [array] -and $Results[0] -is [string]) {
+ $Results | ConvertTo-Html -Fragment -Property @{ l = 'Text'; e = { $_ } }
+ } else {
+ $Results | ConvertTo-Html -Fragment
+ }
+ $HTML = $FinalResults -replace '', "This alert is for tenant $TenantFilter.
$TableDesign" | Out-String
+
+ # Add alert comment if available
+ if ($TaskInfo.AlertComment) {
+ $AlertComment = $TaskInfo.AlertComment
+
+ # Replace %resultcount% variable
+ if ($AlertComment -match '%resultcount%') {
+ $resultCount = if ($Results -is [array]) { $Results.Count } else { 1 }
+ $AlertComment = $AlertComment -replace '%resultcount%', "$resultCount"
+ }
+
+ # Replace other variables
+ $AlertComment = Get-CIPPTextReplacement -Text $AlertComment -TenantFilter $TenantFilter
+ $HTML += "Alert Information
$AlertComment